Information gathering and working with databases in metasploit 03-07-2012, 05:52 PM
#1
Also called intelligence gathering...
Information gathering is the first step of any engagement and one of the most important skills a penetration tester can have. It is the ability to learn about a target: how it behaves, how it operates and how it can ultimately be attacked. If you don't do a thorough job of information gathering you may miss vulnerable systems or viable attack vectors. During this phase you need to think like an attacker. A useful tip: record every piece of information you get.
So let's start... Basically we distinguish two types of information gathering:
1) Passive information gathering
2) Active information gathering
1) PASSIVE I.G.
- Passive gathering means discovering information without ever touching the target's systems: everything comes from public sources, so nothing we do here can be mistaken for an attack. Using these techniques you can identify network boundaries, identify network maintainers and even learn what operating system and web server software is in use on the target's network.
1)1. Whois lookups
- All BackTrack users will know this command. For the example I'll be using "secmaniac.net":
Code:
whois secmaniac.net
> If you run it you will see where the DNS (Domain Name System) servers are hosted; in this example that is DOMAINCONTROL.COM. This is an example of a system that would not be included in our penetration test, because we would have no authority to attack it: DOMAINCONTROL.COM isn't owned by secmaniac.net, so it is out of scope.
1) 2. NETCRAFT
- A web-based tool we can use to find the IP address of the server hosting a particular website.
Code:
http://searchdns.netcraft.com
As we can see we get a lot of info about the site (IP, domain, country etc.).
> So let's try another whois search, this time with the IP we got from Netcraft:
Code:
whois 75.118.185.142
As we can see this IP belongs to WIDEOPENWEST, which appears to be a legitimate service provider, while the subnet range isn't specifically registered, so we can say the site appears to be hosted at the author's home. We could use nslookup (also in BackTrack) to get information such as mail servers, but I suggest we move on to active information gathering. Don't forget that with passive gathering alone we already got the target's IP and some other interesting details.
2) ACTIVE INFORMATION GATHERING!
I will be quick about it: here we interact directly with the system to learn more about it...
2)1. PORT SCANNING WITH NMAP
OPTIONS WE'LL USE:
-sS - runs a TCP SYN ("stealth") scan, which determines whether a TCP port is open without completing the three-way handshake
-Pn - tells Nmap to skip host discovery (the ping step) and treat every target as up
[screenshot: nmap -Pn -sS <IP> results]
As you can see we get a list of open ports with the service name for each. Let's try a scan with the -A option, which attempts advanced service enumeration (version detection, OS detection and default scripts) and banner grabbing.
[screenshot: nmap -Pn -sS -A <IP> results]
And I almost forgot one rather important option: -oX, which writes the results to an XML file we can later import into the Metasploit Framework.
WORKING WITH DATABASES IN METASPLOIT FRAMEWORK
1) First of all you should decide which DB (database) you want to run. The default is PostgreSQL. We can start the database subsystem using the init.d script built into BackTrack:
Code:
/etc/init.d/postgresql-8.3 start
2) After PostgreSQL has started, we tell the framework to connect to the database instance. This requires a username, a password and the name of the host on which the database is running. The default BackTrack PostgreSQL username is "postgres" and the password is "toor". We'll use msfbook as the database name:
Code:
db_connect postgres:toor@127.0.0.1/msfbook
If you're connecting for the first time, don't be alarmed by the wall of output: that is msf creating all the tables it needs.
3) Now we use db_status to check that we are correctly connected. If all is well you get a response like "postgresql connected to msfbook" (or whatever name you gave the database). If you get stuck anywhere in msf you can type "help" to list the commands available to you.
4) Now we can import an nmap session into msf. Run the scan with -oX so the output is written as XML:
Code:
nmap -Pn -sS -A -oX Subnet1.xml 192.168.1.0/24
Now let's import it into msf:
Code:
db_connect postgres:toor@127.0.0.1/msfbook
db_import Subnet1.xml
db_hosts -c address
db_hosts verifies that the import worked: if it lists the addresses, the hosts are now in the database.
[screenshot: db_hosts -c address output]
5) Now we can move on to advanced nmap scanning: the TCP idle scan.
This method lets us scan a target stealthily by spoofing the IP address of another host on the network. First we need to locate an idle host on the network that uses incremental IP IDs: we never see the target's replies to the spoofed probes directly, they are inferred from how far the idle host's IP ID counter advances. To find a host that fits the idle-scan requirements, use the framework's scanner/ip/ipidseq module.
[screenshot: ipidseq module options]
RHOSTS at ➊ can take IP ranges (such as ...1.20-...1.30), CIDR ranges such as 192.168.1.0/24 or 192.168.3.0/24, and a text file with one host per line (such as file:/tmp/hostlist.txt).
THREADS at ➋ sets the number of concurrent threads to use while scanning. By default all scanner modules are set to 1.
We can increase THREADS to speed up scanning or lower it to reduce network traffic. In general we shouldn't set a value greater than 16 when running on Windows, or greater than 128 on Linux.
[screenshot: ipidseq run with THREADS raised]
We'll now scan a target, using the idle host found at ➊ as the zombie, with nmap's -sI option (zombie first, then target):
Code:
nmap -Pn -sI 192.168.1.109 192.168.1.155
[screenshot: nmap -sI output]
By bouncing the scan off the idle host we discover the target's open ports without sending a single packet to the target from our own IP address; every probe it sees carries the zombie's address.
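What ipidseq is actually deciding when it labels a host, as an added example (not the module's code): the classifier below takes the IP IDs seen in a host's replies to a handful of probes, sorts them into categories modelled on the ones the module prints, and then picks the hosts that can serve as a zombie for nmap -sI. The probe results are constructed samples, and the thresholds (a jump over 20000 is random, steps that are all multiples of 256 up to 5120 are the broken little-endian counter of Windows 2000/XP, steps of at most 10 are incremental) follow nmap's rule of thumb and are an assumption of this example, not something stated in the post.

```python
"""Classify IP ID sequences the way scanner/ip/ipidseq (and nmap -O) label them.

Added example, not the Metasploit module's code. Each host's entry in SAMPLES
is a constructed list of the IP IDs seen in its replies to six probes. The
thresholds below follow nmap's rule of thumb and are an assumption of this
example: any jump over 20000 is random, steps that are all multiples of 256
(at most 5120) are the Windows 2000/XP little-endian counter, steps of at most
10 are a plain incremental counter.
"""

ALL_ZEROS = "All zeros"
CONSTANT = "Constant"
INCREMENTAL = "Incremental!"
BROKEN_INCR = "Broken little-endian incremental!"
RPI = "Random positive increments"
RANDOMIZED = "Randomized"

# Only these two let nmap -sI count the probes the target answered.
ZOMBIE_CLASSES = (INCREMENTAL, BROKEN_INCR)


def ipid_diffs(ipids):
    """Successive differences modulo 2**16, so a counter that wraps stays small."""
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]


def classify_ipid(ipids):
    """Return the sequence class for a list of observed IP IDs."""
    if len(ipids) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(i == 0 for i in ipids):
        return ALL_ZEROS
    diffs = ipid_diffs(ipids)
    if len(ipids) > 2 and any(d > 20000 for d in diffs):
        return RANDOMIZED
    if all(d == 0 for d in diffs):
        return CONSTANT
    # Windows 2000/XP send the counter little-endian, so it grows in steps of 256.
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return BROKEN_INCR
    if all(d <= 10 for d in diffs):
        return INCREMENTAL
    return RPI


def usable_zombies(samples):
    """Addresses whose IP ID behaviour makes them candidates for nmap -sI."""
    return sorted(addr for addr, ids in samples.items()
                  if classify_ipid(ids) in ZOMBIE_CLASSES)


# Constructed probe results: IP IDs seen in six replies from each host.
SAMPLES = {
    "192.168.1.109": [4101, 4102, 4103, 4104, 4105, 4106],     # quiet box, plain counter
    "192.168.1.110": [0, 0, 0, 0, 0, 0],                       # no counter at all
    "192.168.1.111": [51220, 9021, 44213, 871, 30055, 19991],  # randomised IDs
    "192.168.1.112": [65533, 65534, 65535, 0, 1, 2],           # counter wrapping past 65535
    "192.168.1.113": [7680, 7936, 8192, 8448, 8704, 8960],     # steps of 256 (Windows 2000/XP)
    "192.168.1.114": [100, 100, 100, 100, 100, 100],           # same ID every time
    "192.168.1.115": [10, 310, 1505, 2000, 2990, 4000],        # busy host, increments vary
}


if __name__ == "__main__":
    for addr, ids in sorted(SAMPLES.items()):
        print("%-15s %s" % (addr, classify_ipid(ids)))
    print("usable zombies:", usable_zombies(SAMPLES))
```

Only the Incremental! and Broken little-endian incremental! hosts are usable. An all-zeros host (what many Linux boxes return) tells you nothing, a Randomized one makes the inferred port state meaningless, and a host with random positive increments is talking to other machines, so it is not idle. The zombie also has to stay idle while you scan, or its own traffic will advance the counter and produce false "open" results.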
6) Now connect to the postgres database as explained before and we should be able to run db_nmap, which runs nmap and stores the results straight into the database.
[screenshot: db_nmap output]
Notice the services on the open ports at ➊, the software versions at ➋ and the guess at the target's operating system at ➌.
7) db_services
[screenshot: db_services output]
Now we can see the exposed ports to use as attack vectors.
8) As we saw in the last steps the victim is running Microsoft Windows, so let's hunt for poorly configured SQL services.
When MS SQL is installed, the default instance listens on TCP 1433, but named instances listen on a random dynamic TCP port. The SQL Server Browser service on UDP 1434 tells clients which port each instance uses, and msf has a module, mssql_ping, that queries it for exactly that:
Code:
use scanner/mssql/mssql_ping
show options
set RHOSTS 192.168.1.0/24
set THREADS 255
run
[screenshot: mssql_ping output]
- I used THREADS at 255 because it's on a LAN, just to speed it up; if you're attacking a real victim keep to the rule above about THREADS.
- As you can see we located the MS SQL server at ➊, the instance name at ➋, the SQL server version at ➌ and the TCP port it is listening on at ➍.
With this targeted scan we saved a lot of time compared with running nmap against all ports on all machines...
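Where the instance name, version and TCP port in that output come from, as an added example (not Metasploit's code): mssql_ping talks to the SQL Server Browser service with the SSRP protocol (MS-SQLR) on UDP 1434, sending a single-byte request and getting back a 0x05 byte, a little-endian length and a "key;value;...;;" string per instance. The code below builds that request, builds and parses a reply, and shows a named instance on a dynamic port next to the default instance on 1433. The reply is a constructed sample; the server name SQLSRV01, the instance names, the version string and the ports in it are made up.

```python
"""SQL Server Browser (SSRP, UDP 1434) request and reply, as mssql_ping uses them.

Added example, not Metasploit's module code. Layout follows MS-SQLR: the
client sends one byte, CLNT_BCAST_EX (0x02) to the broadcast address or
CLNT_UCAST_EX (0x03) to one host; each Browser service answers with SVR_RESP:
0x05, a little-endian 16-bit length, then ASCII "key;value;...;;" text, one
";;"-terminated group per instance. SAMPLE_REPLY is a constructed sample.
"""
import struct

CLNT_BCAST_EX = b"\x02"   # every Browser service on the subnet answers
CLNT_UCAST_EX = b"\x03"   # one host lists all of its instances
SVR_RESP = 0x05


def build_ping(broadcast=True):
    """The datagram to send to port 1434/udp."""
    return CLNT_BCAST_EX if broadcast else CLNT_UCAST_EX


def build_response(text):
    """Wrap instance text the way a Browser service does (used here to make the sample)."""
    body = text.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


def parse_ssrp_response(data):
    """Return one dict per instance in a SVR_RESP datagram; reject anything malformed."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated reply: header says %d bytes, got %d" % (length, len(body)))
    instances = []
    for group in body.decode("ascii", errors="replace").split(";;"):
        fields = group.split(";")
        # Fields alternate key, value; an odd trailing field (or an empty group) is dropped.
        kv = dict(zip(fields[0::2], fields[1::2]))
        if "InstanceName" not in kv:
            continue
        instances.append({
            "server": kv.get("ServerName"),
            "instance": kv["InstanceName"],
            "version": kv.get("Version"),
            "clustered": kv.get("IsClustered") == "Yes",
            # Only the default instance is normally on 1433; named instances get a
            # dynamic port, which is exactly why the Browser query is worth making.
            "tcp_port": int(kv["tcp"]) if kv.get("tcp", "").isdigit() else None,
            "named_pipe": kv.get("np"),
        })
    return instances


def scan_summary(data):
    """(instance, port) pairs in the order mssql_ping would report them."""
    return [(i["instance"], i["tcp_port"]) for i in parse_ssrp_response(data)]


# Constructed reply: a default instance on 1433 and a named instance on a dynamic port.
SAMPLE_REPLY = build_response(
    "ServerName;SQLSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;10.50.1600.1;tcp;1433;;"
    "ServerName;SQLSRV01;InstanceName;SQLEXPRESS;IsClustered;No;"
    "Version;10.50.1600.1;tcp;49152;np;\\\\SQLSRV01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)


if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_REPLY):
        print("%s\\%s version %s tcp/%s" % (inst["server"], inst["instance"],
                                            inst["version"], inst["tcp_port"]))
```

In a live run you would send build_ping() to the target's port 1434/udp with a socket and hand the datagram you get back to parse_ssrp_response. The length check matters: a truncated or unrelated datagram should be rejected rather than half-parsed, because the port you read out of it is what you point the next module at. If you would rather stay in nmap, -sU -p 1434 --script ms-sql-info makes the same query.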
That's all I would say about information (intelligence) gathering and about databases in Metasploit....
Thanks for taking the time to read this much ^^

Grades doesn't measure intelligence and age doesn't define maturity