In this article we will learn about Information gathering using Metasploit.
What is Information gathering using Metasploit?
Your goal while gathering information should be to get accurate information about your targets without revealing your presence or your intentions, learn how the organization works, and determine the best course of action. Metasploit is a very capable intelligence gathering console because it is a comprehensive penetration testing framework. In this article, I’ll be covering network intelligence gathering using Metasploit.
Gathering information requires careful planning, research, and most importantly, the ability to think like an attacker. In this step, you try to gather as much information as possible about the target environment.
There are two types of information gathering: passive and active.
1) Passive collection of information
Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and web server software in use on a target by consulting sources other than the target itself, so the target never sees your traffic.
2) Active information gathering
When actively collecting information, we communicate directly with the system to learn more about it. We can perform port scans for open ports on the target or scan to see what services are running. Every system or running service we discover gives us another opportunity to exploit.
But be careful: if you’re careless while actively gathering information, you could be detected by an intrusion detection system (IDS) or intrusion prevention system (IPS).
• First, start the database:
#service postgresql start
• Then start the Metasploit service:
#service metasploit start
• Now start msfconsole:
#msfconsole
• Inside msfconsole, run db_status to make sure we are connected to the database correctly:
msf > db_status
Importing Nmap Results into Metasploit
When working with other team members, with different individuals scanning at different times and from different locations, it helps to know how to import the basic XML export file generated by nmap into the Framework.
First, we scan the Windows virtual machine’s subnet with the -oX option so that Nmap writes its results to a Target.xml file:
#nmap -Pn -sS -A -oX Target.xml 192.168.20.0/24
After generating the XML file, we import it into our database using the db_import command. We can then verify that the import went through using the hosts command, which lists the system entries that were created:
msf > db_import Target.xml
msf > hosts
Running Nmap from MSFconsole
We’ve done advanced enumeration on our target; now let’s connect Nmap to Metasploit. The db_nmap command runs Nmap from within msfconsole and saves its results automatically to our new database.
msf > db_nmap -sS -A 172.16.32.131
To check that the results from the scan are stored in the database, we run db_services.
msf > db_services
Port Scanning with Metasploit
Metasploit has several port scanners built into its auxiliary modules that integrate directly with most aspects of the Framework. These scanners can also be run through an already compromised system to reach and scan networks that are not directly accessible.
To see the list of port scanning tools that the Framework offers, type the following.
msf > search portscan
Let’s perform a simple scan using the Metasploit SYN port scanner. In the following listing, we start the scan with use scanner/portscan/syn, set RHOSTS to 192.168.20.0/24, set THREADS to 100, and then run the scan.
msf > use scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 192.168.20.0/24
msf auxiliary(syn) > set THREADS 100
msf auxiliary(syn) > run
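The earlier warning about IDS/IPS applies directly here: a SYN scan like the one above leaves a burst of half-open connections from one source to many ports. As an added example (not from the original article), the detector below applies that rule to constructed firewall log lines; the log format, the 5-port threshold and the 10-second window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not real traffic): time, src, dst, dport, TCP flags.
SAMPLE_LOG = """\
2024-03-01T10:00:00 192.168.20.50 192.168.20.10 22 S
2024-03-01T10:00:00 192.168.20.50 192.168.20.10 80 S
2024-03-01T10:00:00 192.168.20.50 192.168.20.10 135 S
2024-03-01T10:00:01 192.168.20.50 192.168.20.10 139 S
2024-03-01T10:00:01 192.168.20.50 192.168.20.10 443 S
2024-03-01T10:00:01 192.168.20.50 192.168.20.10 445 S
2024-03-01T10:00:02 192.168.20.50 192.168.20.10 1433 S
2024-03-01T10:00:02 192.168.20.50 192.168.20.10 3389 S
2024-03-01T10:00:05 192.168.20.77 192.168.20.10 445 S
2024-03-01T10:00:06 192.168.20.77 192.168.20.10 445 S
2024-03-01T10:05:00 192.168.20.50 192.168.20.10 8080 S
"""

def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags

def detect_syn_scans(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Flag (src, dst) pairs whose bare-SYN segments touched at least `min_ports`
    distinct destination ports within `window`. Returns {(src, dst): sorted ports}."""
    events = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_line(line)
        if flags == "S":  # SYN only: a SYN scan never completes the handshake
            events[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        # slide a window over each starting event; stop at the first hit for the pair
        for i, (start, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(ports)
                break
    return alerts
```

A normal client that repeats connections to one port (192.168.20.77 above) is not flagged, and the late probe at 10:05 falls outside the window, so the same source is reported once with the eight ports it touched in the burst.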
Server Message Block Scanning
Metasploit can attempt to identify versions of Microsoft Windows using its smb_version module, so we load smb_version, set RHOSTS, and begin scanning.
msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.20.0/24
msf auxiliary(smb_version) > run
The results of this scan are stored in the Metasploit database for use at a later time and to be accessed with the “hosts” command.
msf auxiliary(smb_version) > hosts
We have discovered a system running Windows XP without having to do a full scan of the network.
Gathering MS SQL Server Information
Many sysadmins don’t even realize they have MS SQL Server installed on their workstations because the service is installed as a prerequisite for some common software like Microsoft Visual Studio.
When MS SQL is installed, it listens by default on either TCP port 1433 or a random dynamic TCP port. If MS SQL is listening on a dynamic port, simply query UDP port 1434 (the SQL Server Browser service) to learn which dynamic TCP port MS SQL is listening on.
Metasploit has a module that takes advantage of this “feature”: mssql_ping. It sends its query over UDP, finds MS SQL servers, and displays all the details it can extract from them, including, perhaps most importantly, the TCP port the server is listening on.
Now use mssql_ping:
msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf auxiliary(mssql_ping) > run
As you can see, not only does the scanner locate an MS SQL server, but it also identifies the instance name, the SQL server version, and the TCP port number on which it is listening.
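The instance name, version and TCP port that mssql_ping prints all come from the SQL Server Browser reply on UDP 1434, whose format is documented in Microsoft’s MC-SQLR specification. As an added example (not from the original article or the Metasploit module), the parser below decodes such a reply; the reply bytes are constructed, not captured, and the host and instance names are invented.

```python
import struct

SVR_RESP = 0x05  # first byte of a SQL Server Browser (SSRP) reply, per MC-SQLR

# Constructed reply, not captured traffic: two instances, one on the default
# port and one on a dynamic port that only the Browser service reveals.
SAMPLE_REPLY_DATA = (
    "ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;10.50.1600.1;tcp;1433;;"
    "ServerName;DBHOST01;InstanceName;SQLEXPRESS;IsClustered;No;"
    "Version;12.0.2000.8;tcp;49845;np;\\\\DBHOST01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
).encode("ascii")
# SVR_RESP is followed by a little-endian 16-bit payload length, then the payload.
SAMPLE_REPLY = struct.pack("<BH", SVR_RESP, len(SAMPLE_REPLY_DATA)) + SAMPLE_REPLY_DATA

def parse_ssrp_reply(packet):
    """Parse an SSRP SVR_RESP datagram into one dict per instance.
    Raises ValueError on anything that is not a well-formed response."""
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP datagram")
    size = struct.unpack_from("<H", packet, 1)[0]
    data = packet[3:3 + size]
    if len(data) != size:
        raise ValueError("truncated SSRP response")
    instances = []
    # each instance is a ';'-separated key/value list terminated by ';;'
    for chunk in data.decode("ascii", "replace").split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        info = dict(zip(fields[0::2], fields[1::2]))
        if "tcp" in info:
            info["tcp"] = int(info["tcp"])  # the port mssql_ping reports
        instances.append(info)
    # Defender's note: all of this is returned unauthenticated to anyone who asks,
    # which is why the Browser service is disabled, or UDP/1434 filtered, where
    # dynamic ports and named instances are not actually needed.
    return instances
```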
Gathering SSH Server Information
If you are targeting computers running Secure Shell (SSH) during the scan, you should determine which version is running on the target.
SSH is a secure protocol, but vulnerabilities have been identified in various implementations. You never know when you’ll get lucky and come across an old machine that hasn’t been updated. You can use the framework’s ssh_version module to determine the version of SSH running on the target server.
msf > use scanner/ssh/ssh_version
Scanning FTP version
FTP servers are often the easiest route into the target network, and you should always locate, identify, and fingerprint all FTP servers running on your target. Depending on the vulnerability, an attacker could use such a server to get into the target system.
Here we use the ftp_version module to scan the FTP server.
msf > use scanner/ftp/ftp_version
The scanner successfully identifies the FTP server. Now let’s see if this FTP server allows anonymous login. Here we use “scanner/
The scanner reports that anonymous access is enabled and that anonymous users have read access to the server. In other words, we have read-only access to the remote system and can read any file that the FTP server itself can access.
This is how we collect information using the Metasploit console. I will probably move on to vulnerability scanning in my next article and to exploits later.