03. Metasploit Information Gathering Auxiliary Scanner
Metasploit Framework provides an extensive library of tools for penetration testing, and its auxiliary modules are particularly effective for information gathering. Among these, the scanner modules (auxiliary/scanner/*) let a tester sweep ranges of hosts to identify open ports, running services and their versions and, for some modules, specific weaknesses, before any exploit is attempted.
Overview of Auxiliary Scanners
Auxiliary scanners are Metasploit modules used for reconnaissance and enumeration. Unlike exploit modules, auxiliary modules carry no payload and do not aim to obtain a session; scanner modules in particular are used to find open ports, identify services and their versions, fingerprint operating systems, and check for specific vulnerabilities. Note that "auxiliary" does not mean "harmless": the auxiliary tree also contains denial-of-service and brute-force modules, so read a module's description and options (info, show options) before running it against a live target. Scanner modules take RHOSTS as a single address, a CIDR range or a file of addresses (file:/path/to/hosts.txt) and probe THREADS hosts in parallel.
Why Use Auxiliary Scanners?
- Preliminary Reconnaissance: Identify potential targets and services before exploitation.
- Service Enumeration: Gather detailed information about running services.
- Efficiency: Automate repetitive tasks, saving time during the reconnaissance phase.
- Customization: Modify and adapt to specific needs using Metasploit's extensibility.
Key Auxiliary Scanner Modules
1. Port Scanning
- Module: auxiliary/scanner/portscan/tcp
- Purpose: Scan target systems for open TCP ports. The ports to probe are set with PORTS (a list or range such as 22,80,443 or 1-1024; the default is 1-10000), so narrowing PORTS is the quickest way to speed up a sweep. When a database is connected, every host and open port found is recorded, and later modules can pull their targets from it instead of rescanning the range.
Usage:
Example:
This command scans the 192.168.1.0/24 subnet for open TCP ports.
2. Service Enumeration
- Module: auxiliary/scanner/smb/smb_version
- Purpose: Identify the version of SMB (Server Message Block) running on a target by completing the protocol negotiation on port 445 (or 139) and reporting the dialects the host accepts, the operating system it advertises and whether message signing is required. The check needs no credentials and is read-only.
Usage:
Example:
This identifies the SMB version on the target 192.168.1.5.
3. Web Server Scanning
- Module: auxiliary/scanner/http/http_version
- Purpose: Detect the HTTP server type and version from the Server header returned by a single request to RPORT (80 by default; set RPORT 443 and SSL true for HTTPS). The header is self-reported and is often trimmed or spoofed by administrators, so treat it as a hint to be confirmed, not as proof of a version.
Usage:
Example:
This command reveals the HTTP server version running on the target.
4. FTP Banner Grabbing
- Module: auxiliary/scanner/ftp/ftp_version
- Purpose: Enumerate the FTP service version by reading the greeting banner the server sends on connection to port 21. As with the HTTP Server header, the banner is whatever the server chooses to send, so verify the version by another route before relying on it.
Usage:
Example:
This command gathers version information about the FTP server on 192.168.1.15.
5. SNMP Enumeration
- Module: auxiliary/scanner/snmp/snmp_enum
- Purpose: Enumerate SNMP services on the target. SNMP runs over UDP port 161, so a TCP port scan will not reveal it. The module needs a community string the device accepts (COMMUNITY, default public); with a valid string it walks the agent and reports the system description, interfaces, routing table, listening ports, running processes, storage and installed software.
Usage:
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS <target_IP>
set THREADS <number_of_threads>
set COMMUNITY <community_string>
run
Example:
This gathers SNMP information using the community string public, the read-only default on many devices. A wrong community string produces no output at all, which is indistinguishable from a host with no SNMP agent, so an empty result does not mean SNMP is absent.
6. DNS Enumeration
- Module: auxiliary/scanner/dns/dns_enum
- Purpose: Perform DNS enumeration for subdomains of a domain, typically by querying the domain's name servers for common records, attempting a zone transfer and brute-forcing hostnames from a wordlist. This module works on a domain name rather than on RHOSTS, so check its options with show options before running it; module paths also move between Metasploit releases, so use search dns enum if the path above is not found in your installation.
Usage:
Example:
This command enumerates subdomains for example.com.
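The five host-based scanners above (port scan, SMB, HTTP, FTP, SNMP) are normally run as one chain, and the natural way to do that in Metasploit is a resource (.rc) script fed to msfconsole -r. The script below is an added example, not part of the original page and not Metasploit's own code: a POSIX shell function that writes such a resource script, using the Metasploit database so that each service scanner is pointed only at the hosts whose port the TCP sweep found open. The subnet 192.168.1.0/24, the output path under /tmp, the workspace name and the community string public are all placeholder assumptions; the script expects msfconsole with a connected database (check with db_status).

```shell
#!/bin/sh
# Added example (not from the original page): build an msfconsole resource
# script that runs the page's auxiliary scanners in sequence, using the
# Metasploit database to feed each service scanner only the hosts that
# actually expose that port. The subnet, output path, workspace name and
# SNMP community string are hypothetical placeholders.

# write_scan_rc SUBNET OUTFILE [WORKSPACE] [THREADS]
write_scan_rc() {
    subnet="$1"
    rc="$2"
    workspace="${3:-recon}"
    threads="${4:-10}"
    base="${rc%.rc}"
    cat > "$rc" <<EOF
# Generated resource script: chained recon against $subnet
db_status
workspace -a $workspace
spool $base.log
setg THREADS $threads
# 1. TCP port sweep of the whole range; results land in the services table
use auxiliary/scanner/portscan/tcp
set RHOSTS $subnet
set PORTS 21,22,80,139,443,445
run
# 2. SMB: -R fills RHOSTS from the hosts that have 445 open in the database
use auxiliary/scanner/smb/smb_version
services -p 445 -R
run
# 3. HTTP: plain on 80, then TLS on 443
use auxiliary/scanner/http/http_version
services -p 80 -R
run
services -p 443 -R
set RPORT 443
set SSL true
run
# 4. FTP banner
use auxiliary/scanner/ftp/ftp_version
services -p 21 -R
run
# 5. SNMP is UDP/161 and invisible to the TCP sweep: scan the range directly
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS $subnet
set COMMUNITY public
run
# Document findings: export the database tables for the report
hosts -o $base-hosts.csv
services -o $base-services.csv
spool off
exit -y
EOF
}

# Count the scanner modules a generated script invokes (used for sanity checks)
count_modules() {
    grep -c '^use auxiliary/scanner/' "$1"
}

# Only write the file when asked; review it before handing it to msfconsole
if [ "${1:-}" = "--write" ]; then
    out="${3:-/tmp/recon.rc}"
    write_scan_rc "${2:-192.168.1.0/24}" "$out"
    echo "Wrote $out; review it, then run: msfconsole -q -r $out"
fi
```

Invoke the script with --write, inspect the generated file, then run msfconsole -q -r /tmp/recon.rc. If the sweep finds no host with a given port open, the corresponding services -R line leaves RHOSTS empty and that module's run reports an unset RHOSTS and is skipped; the rest of the script continues. Without a connected database the -R lines do nothing, and you would instead set RHOSTS to the subnet for each module. The spool log and the two CSV exports are what you keep for the report.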
Best Practices for Using Auxiliary Scanners
- Define Clear Goals: Decide which information you need (live hosts, one particular service, a version check) and choose the module and PORTS accordingly instead of sweeping everything.
- Set Proper Thread Count: Tune THREADS to balance speed against load on the target and on your own host; very high values over a large range can drop results or trip rate limits. Some scanners, the TCP port scanner among them, also expose DELAY and JITTER options to pace their connections.
- Avoid Detection: Scans are noisy by nature. Stay within the agreed scope and rules of engagement, keep thread counts modest and spread the work over time where stealth matters; a full-range sweep at high thread count is the easiest thing for a defender to spot.
- Document Findings: Keep the database connected (db_status, workspace) so that hosts and services are recorded automatically, use spool to log console output, and export the tables with hosts -o and services -o for the report.
Common Errors and Troubleshooting
- No Response from Target: Confirm the host is reachable (routing, VPN, ping where ICMP is allowed) and that a firewall is not silently dropping the probes. Remember that a TCP port scan cannot see UDP services such as SNMP.
- Authentication Issues: Use valid credentials or the correct SNMP community string; a wrong community string yields no output at all rather than an error, which is easy to misread as "no SNMP on this host".
- Slow Scanning: Raise THREADS, restrict PORTS to the ports you actually care about, and target only the hosts the database already lists as up (hosts -R, services -p PORT -R) rather than rescanning the whole range.
Auxiliary scanners are a cornerstone of reconnaissance in penetration testing, enabling testers to gather detailed and actionable information about target environments. Understanding and utilizing these modules effectively lays the groundwork for successful exploitation and analysis.