metasploit

No explicit questions like "how do I hack xxx.com" please!
moudy
Technology Enthusiast
Posts: 688
Joined: 10 Feb 2009, 17:00
Location: Beirut, Lebanon


Post by moudy »

Hello everyone, how is everything going with you?
I've been wondering about this application, Metasploit...
I downloaded the application and have set it up...
My question is, how possible is it for this app to actually connect to a foreign box?
I mean, there is a machine, and its owner doesn't mind me trying on his box... so I just want to know how doable this thing is?
Also I'm learning how to use nmap; I'm starting with the GUI interface, but I'm trying to learn 8)
Any advice for me from the experts? :lol:
mahmoud_shihab@hotmail.com

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

Hey moudy!

All is as good as can be this side of the world :lol:

OK, you've got 5 mins of my time, then I have to nip out.

First, I gather you are using a Windows PC if you are using the GUI. It's been a while, so you may have to bear with me, and I haven't time to install it on the box to explain, so here goes what I remember. If you are using the GUI then everything is already done for you except adding the IP address. It's up to you what type of scan you run, but each one has a different way of scanning, so notice the code that goes with each scan, i.e. -sT -P0 -v etc. Scan your friend's machine and see what ports you find open. There is a link somewhere on suck-o to scan yourself with nmap. Also try scanning your router IP and see what info that gives out.

The only thing I will say is, whatever you do, don't scan suck-o. It is a sure way to get your IP blocked :wink:

Once you know what ports are open you can then check for known vulnerabilities. If you want to do some testing on yourself, I suggest setting up a home lab and installing something you can find which is well known to be vulnerable, and getting a feel for what is happening as you do it.
Once you have a vuln, you can then update Metasploit and search for the exploit you are looking for.

Any problems just let us know :wink:
The devil can cite Scripture for his purpose.
-- William Shakespeare, "The Merchant of Venice"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Well, the exploits in Metasploit are of course no 0day ones; the older they are, the less likely you will find working ones (depending on the target system of course, talking about a halfway well-maintained one).

If you want to use Metasploit simply for fun and learning (which is recommended; better not try it on random servers on the net), you can simply install an outdated version of an OS on the target system.

:wink:

Post by moudy »

computathug wrote: you are using a Windows PC if you are using the GUI.
Yes, I am using Windows Vista :lol:
computathug wrote: The only thing I will say is, whatever you do, don't scan suck-o. It is a sure way to get your IP blocked :wink:

Sure thing, I'll never do something like that... :wink:
computathug wrote: Any problems just let us know :wink:
Sure thing, computathug.
bad_brain wrote: depending on the target system of course, talking about a halfway well-maintained one
Well, the target computer has Windows Vista as an OS. I don't know if you can give me more feedback about this: shall I modify the target to something old, or shall I try on this target...?

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

If the target is a desktop PC, a client, you are wasting time scanning for usable open ports. If that desktop even has ZoneAlarm or some host-based firewall, it'll never respond to a scan.

You should pick a server, something that will allow connections to be made to it. Big, popular servers like Google or even suck-o.com are not a good idea either; they have been scanned so many times that they now block scans (block the response or even provide fake banners).

Start with something big enough to host all services, like a college network; they would do everything themselves and not farm it out to a network solutions company.

http://www.utoledo.edu/ = 131.183.2.39
nslookup 131.183.2.39
Canonical name: web00cv00.utad.utoledo.edu

OrgName: University of Toledo
NetRange: 131.183.0.0 - 131.183.255.255
(a class 'B' sized network)

I picked 131.183.2.0 to 131.183.2.255, just a segment of their network,
and scanned it. Make sure you select to scan for ports if the computer does not respond to a ping (a typical trick to hide the box from the internet).

IP:131.183.2.73
Ping: Dead
Hostname: SQL2K8TST.utad.utoledo.edu
Note: the naming conventions the sysadmin used can give away what the server is used for; here SQL2K sounds like a Win2k SQL server..
or this one?
IP:131.183.2.55
Ping: Dead
Hostname: sql03cv00.utad.utoledo.edu
Note: remember the name of the webserver, web00cv00.utad.utoledo.edu; could sql03cv00 be the database for the webserver?

IP:131.183.2.70
Ping: Dead
Hostname: emailsso.utoledo.edu
Note: naming convention, perhaps email server eh?

IP:131.183.2.71
Ping: Dead
Hostname: stuweb00.utad.utoledo.edu
Note: naming convention, STUdent webserver perhaps?

IP:131.183.2.188
Ping: Dead
Hostname: oraclevm00.utoledo.edu
Note: naming convention, oracle db?

IP:131.183.2.207
Ping: Dead
Hostname: emailrelay.utoledo.edu
etc

IP:131.183.2.213
Ping: Dead
Hostname: smtpin1.utoledo.edu
Note: possible SMTP server

OK, so I have a few servers to try. With the weak naming convention (never name the computer for what it's used for, like email, FTP, web, etc.)
I can assume what ports will be open. For the above smtpin1, I expect to have SMTP port 25 open, so I'll Nmap it for port 25.

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-16 22:33 Eastern Daylight Time
Interesting ports on smtpin1.utoledo.edu (131.183.2.213):

PORT STATE SERVICE VERSION

25/tcp open smtp?
1 service unrecognized despite returning data.

I was right, I get a hit on port 25, and since it returned something unexpected (admin changed banner):
SF-Port25-TCP:V=4.76%I=7%D=5/16%Time=4A0F7794%P=i686-pc-windows-windows%r(
SF:NULL,E3,"554-smtpin1\.utoledo\.edu\r\n554\x20Your\x20access\x20to\x20th
SF:is\x20mail\x20system\x20has\x20been\x20rejected\x20due\x20to\x20the\x20
SF:sending\x20MTA's\x20poor\x20reputation\.\x20If\x20you\x20believe\x20tha
SF:t\x20this\x20failure\x20is\x20in\x20error,\x20please\x20contact\x20the\
SF:x20intended\x20recipient\x20via\x20alternate\x20means\.\r\n.......................
You can read the results of the output from nmap connecting to port 25; read between the white spaces ('x20').

You can telnet to that port too:
telnet> open 131.183.2.213 25
You'll get a 554 code (554 Transaction failed)
and you'll see the above message..

OK, let's try another server

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-16 22:49 Eastern Daylight Time
Interesting ports on stuweb00.utad.utoledo.edu (131.183.2.71):

PORT STATE SERVICE VERSION

80/tcp open http Microsoft IIS webserver 5.0
Service Info: OS: Windows

---

OK, this should get you started; go find your own network..

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
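DNR's "read between the x20s" can be done mechanically. The following is an added example, not DNR's code and not part of nmap: it joins the SF: continuation lines, decodes nmap's fingerprint escapes back into the bytes the port actually sent, checks the declared response length, and pulls the SMTP reply code out of the banner. The fingerprint it parses is a constructed one modelled on the block quoted above, with a placeholder hostname.

```python
import re

# Constructed service fingerprint modelled on the SF-Port25-TCP block above;
# the hostname and banner wording are placeholders, not a real host.  Note the
# "\x20" escape split across the line break, exactly as nmap wraps them.
SAMPLE_FINGERPRINT = r'''SF-Port25-TCP:V=4.76%I=7%D=5/16%Time=4A0F7794%P=i686-pc-windows-windows%r(
SF:NULL,4D,"554-mx\.example\.test\r\n554\x20Your\x20access\x20to\x20this\x2
SF:0mail\x20system\x20has\x20been\x20rejected\.\r\n");'''

# \xHH is a raw byte; any other backslash escape is a control character
# (\r \n \t \0) or a regex metacharacter nmap had to escape (\. \( \" ...).
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")
_CONTROL = {"r": b"\r", "n": b"\n", "t": b"\t", "0": b"\0"}
_PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')

def unescape(body):
    """Turn nmap's escaped fingerprint text back into the bytes the port sent."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(body):
        out += body[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out += _CONTROL.get(m.group(2), m.group(2).encode("latin-1"))
        pos = m.end()
    out += body[pos:].encode("latin-1")
    return bytes(out)

def parse_fingerprint(text):
    """Join the SF: continuation lines, then decode every probe response."""
    joined = "".join(ln[3:] if ln.startswith("SF:") else ln for ln in text.splitlines())
    head = re.match(r"SF-Port(\d+)-(TCP|UDP):", joined)
    responses = []
    for probe, hexlen, body in _PROBE.findall(joined):
        data = unescape(body)  # hexlen is the declared response length in hex
        responses.append({"probe": probe, "data": data,
                          "length_ok": len(data) == int(hexlen, 16)})
    return {"port": int(head.group(1)), "proto": head.group(2), "responses": responses}

def smtp_reply_code(data):
    """An SMTP banner starts with its three-digit reply code (554 in the thread)."""
    m = re.match(rb"(\d{3})[ -]", data)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FINGERPRINT)
    for r in fp["responses"]:
        print(fp["port"], r["probe"], smtp_reply_code(r["data"]), r["data"].decode("latin-1"))
```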

Post by moudy »

DNR wrote: if the target is a desktop PC, a client, you are wasting time scanning for usable open ports. If that desktop even has ZoneAlarm or some host-based firewall, it'll never respond to a scan.
True.
I tried to scan that friend's PC; it always shows the IP as down... :roll:
But is this always the case?
I mean, isn't it possible in any way to scan a desktop PC?
I scanned my IP, and it showed me several ports open; I don't know how it worked, but it showed almost 7 open ports... that's why I'm interested to know more about desktop PCs.
Anyway DNR, I'll start scanning simple servers and check the results.

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

moudy wrote: I scanned my IP, and it showed me several ports open; I don't know how it worked, but it showed almost 7 open ports... that's why I'm interested to know more about desktop PCs.
Anyway DNR, I'll start scanning simple servers and check the results.
I set up a virtual environment with multiple operating systems which I could scan. Of course, when I scan my Windows box I am always told that all the ports are filtered, while if I scan my Linux box I have no such problems.

So whenever you come across a situation where all the ports are said to be filtered, then you can assume it is a Windows box. Now let's say that you are on a LAN; you can also do what is called passive scanning, which means that you sniff the internet connection of the Windows machine, and by doing so you find out what ports are open when you see various communication over the internet across that given port. :D
We will either find a way, or make one.
- Hannibal

Post by bad_brain »

When scanning a system with nmap, always use the -P0 switch to skip the ping. Most systems block ICMP packets completely because they can be abused for attacks (ICMP 4 source quench for example)... and that's why the systems are shown as "offline" and the scan is skipped when the initial ping (ICMP 0 echo request) is not disabled.

And about trying to use Metasploit against a Vista box:
well, there are some exploits that might work IF the vulnerable applications are installed (BlackICE firewall for example), but it's mostly focused on services that usually don't run on Vista systems... :wink:

Post by moudy »

bad_brain wrote: when scanning a system with nmap always use the -P0 switch to skip the ping
Or you can use -PN.
BTW, I scanned a target and it showed the following ports open:

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-18 01:56 Middle East Standard Time
Interesting ports on rev-155-166.globalproof.net (194.146.155.166):
Not shown: 991 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   open     telnet
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3128/tcp filtered squid-http
8080/tcp filtered http-proxy
8291/tcp filtered unknown
8888/tcp open     sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 37.11 seconds
So how can I interpret this output further?
Is it possible to connect to one of these ports? And my question about Metasploit comes in here: does it have a role in this process? And how do I research more about the specific topic that I'm asking about; what direction shall I go in?
Thanks for the help :)

blast
forum buddy
Posts: 11
Joined: 18 Apr 2009, 16:00

Post by blast »

I just have one simple question. How do I make my IP invisible to the ones I'm nmapping?
Or is it necessary?

...just for the start

And edit: I have just scanned my router IP and here's what I'd like to know: "Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port"
..but it found at least 5 open ports and 995 closed (filtered) :s

Post by moudy »

If you're using Zenmap (the GUI version of nmap), in the command constructor wizard there are source options; they are:
1- Use decoys to hide identity (-D)
2- Set source IP address (-S)
3- Set source port (--source_port)

In case you're using the command-line application, then use the option in brackets followed by the value that you want to use, for example:

-S 123.45.67.890
--source_port 80
etc etc etc....

Post by bad_brain »

blast wrote: I have just scanned my router IP and here's what I'd like to know: "Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port"
..but it found at least 5 open ports and 995 closed (filtered) :s
Hm, well, is there maybe port forwarding enabled but no service running on the endpoint? Example: incoming requests to port 80 are forwarded to your computer, but you don't have a webserver running.
In this case the port is "open" (at least on the router), but no service can be determined, which would be needed for the OS detection.

It might also be caused by your scan method; the most reliable results are provided by connect scans (-sT switch), but of course such scans are not stealthy at all.

:wink:
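Both moudy's port list earlier in the thread and blast's OSScan warning quoted just above come down to counting port states. This added example (not from the thread and not nmap's code) parses nmap 4.76 normal output into open/closed/filtered counts and flags the two situations discussed here: no closed port for OS detection to calibrate against, and a host whose ports are almost all filtered. The two scan samples are constructed, modelled on the posted output with placeholder hosts.

```python
import re

# Constructed nmap 4.76 normal-output samples modelled on the scans quoted in
# this thread; hostnames and addresses are placeholders (RFC 5737 range).
SCAN_A = """\
Interesting ports on host-a.example.test (192.0.2.10):
Not shown: 994 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   open     telnet
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
8888/tcp open     sun-answerbook
"""
SCAN_B = """\
Interesting ports on gateway.example.test (192.0.2.1):
Not shown: 995 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
"""
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (open|closed|filtered) ports")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered)\s+(\S+)")

def summarize(output):
    """Count port states in nmap normal output and note what the counts imply."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    listed = {"open": [], "closed": [], "filtered": []}
    for line in output.splitlines():
        m = NOT_SHOWN.match(line)
        if m:  # ports nmap did not list individually, all in one state
            counts[m.group(2)] += int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:  # ambiguous states such as open|filtered count as filtered here
            state = "filtered" if "filtered" in m.group(3) else m.group(3)
            counts[state] += 1
            listed[state].append((int(m.group(1)), m.group(4)))
    total, notes = sum(counts.values()), []
    if counts["open"] == 0 or counts["closed"] == 0:
        notes.append("OS detection unreliable: nmap needs one open and one closed port")
    if total and counts["filtered"] >= 0.9 * total:
        notes.append("nearly all ports filtered: a firewall is dropping the probes")
    return {"counts": counts, "open": listed["open"], "filtered": listed["filtered"], "notes": notes}
```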

Post by DNR »

Yeah, I am finding a lot of bad scan results. I can't really blame nmap; it's just better server administration, methinks. If it says no services are running, it means the port is not acting like the expected service for that particular port. Changing the expected response of the port, for example: logging into SMTP port 25, the admin disables the "helo", thus nmap or the scanning app gets confused and labels it as no service.
The best way to check is to telnet to the port and see the response yourself.

I'll try to look at the hostname and map out the network, and determine the purpose of the device, so I can narrow down the port/service I think it is running. This is why it's important to firewall the rest of the network from the internet and use good naming conventions to hide the purpose of the computer or server.

I also either have it scan regardless of ping response, or not do the ping to keep it quiet.


Post by blast »

bad_brain wrote:
blast wrote: I have just scanned my router IP and here's what I'd like to know: "Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port"
..but it found at least 5 open ports and 995 closed (filtered) :s
Hm, well, is there maybe port forwarding enabled but no service running on the endpoint? Example: incoming requests to port 80 are forwarded to your computer, but you don't have a webserver running.
In this case the port is "open" (at least on the router), but no service can be determined, which would be needed for the OS detection.

...

:wink:


That's it.. :oops:
Thanks very much brain, DNR and moudy.. a very comprehensive approach
..thumbs up :wink:
Actually I don't know how to use Zenmap and nmapping completely yet.. but I will.. I will

Post by moudy »

bad_brain wrote: hm, well, is there maybe port forwarding enabled but no service running on the endpoint? Example: incoming requests to port 80 are forwarded to your computer, but you don't have a webserver running.
bad_brain, how do I enable forwarding port 80? Because I have set up Apache on my box, but I wanted to experiment on it by accessing it from another box.. I'm sure my problem is about forwarding port 80; can you tell me more about this issue, because I'm not sure I know a lot about it, I only have general info :roll:
