
How To Discover Open Ports With Metasploit's Built-In Port Scanner « Null Byte :: WonderHowTo



One of the first steps in reconnaissance is determining which ports are open on a system. Nmap is widely regarded as the undisputed king of port scanning, but certain situations call for different tools. Metasploit makes it easy to run port scans directly from within the framework, and we'll walk through three types of port scan: TCP, SYN, and XMAS.

What is Port Scanning?

Port scanning is the process of checking a range of ports to determine their state, generally open or closed. There are 65,536 ports on a host, the first 1,024 of which are reserved for well-known services. Ports can carry traffic over TCP, UDP, or both.

The first type of scan we will examine is the TCP scan, also known as the TCP connect scan. This type of scan uses the operating system's connect system call, just like a web browser or any other networked application. When a port is open, the TCP scan completes a full three-way handshake and then closes the connection. This type of scan is effective but noisy, since the completed connection gives the target the chance to log the scanning IP address.

The second type of scan is the SYN scan. This is Nmap's default scan and is considered the most commonly used port scan type. Unlike the TCP connect scan, a SYN scan uses raw packets instead of system calls to probe ports. This is advantageous because the connection is never fully completed, which makes the scan relatively stealthy and more likely to evade firewalls. There is also more control over the requests and responses, since the scanner has access to the raw network.

The third type of scan we'll go through is the XMAS scan. This scan sets the FIN, PSH, and URG flags on the packet, which lights it up like a Christmas tree (hence the name). XMAS scans can be even stealthier than SYN scans, though modern intrusion detection systems can still pick them up. Nevertheless, it is worth trying if other scanning methods fail.
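The three scan types above leave different fingerprints in a firewall's packet log, which is what a detection engineer actually works from. The following Python script is an added example written for this article, not code from the original post or from Metasploit: it parses constructed iptables LOG-style lines (invented for the example; the field names follow the netfilter LOG format, but the addresses and timestamps are made up) and flags the two signatures discussed: a FIN+PSH+URG packet, which never occurs in a legitimate session, and a burst of bare SYNs from one source to many ports, which is what both a connect scan and a SYN scan look like on the wire. The `fanout` threshold is an assumption for the example, not a value from the page.

```python
import re
from collections import defaultdict

# Constructed netfilter/iptables LOG-style lines (not captured traffic) in the
# field order the LOG target uses: SRC DST ... PROTO SPT DPT, then the TCP flag
# names (SYN, ACK, FIN, RST, PSH, URG) written as separate words.
SAMPLE_LOG = """\
Jun  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=172.16.1.50 DST=172.16.1.102 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=172.16.1.50 DST=172.16.1.102 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=172.16.1.50 DST=172.16.1.102 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=172.16.1.50 DST=172.16.1.102 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=172.16.1.50 DST=172.16.1.102 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=172.16.1.50 DST=172.16.1.102 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=111 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=172.16.1.77 DST=172.16.1.102 LEN=40 TTL=64 PROTO=TCP SPT=50001 DPT=80 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Jun  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=172.16.1.77 DST=172.16.1.102 LEN=40 TTL=64 PROTO=TCP SPT=50001 DPT=443 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Jun  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=172.16.1.9 DST=172.16.1.102 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=172.16.1.9 DST=172.16.1.102 LEN=52 TTL=64 PROTO=TCP SPT=51000 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0
"""

FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
XMAS = frozenset({"FIN", "PSH", "URG"})
SYN_ONLY = frozenset({"SYN"})

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?\bPROTO=TCP\s+"
    r"SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = frozenset(tok for tok in m["rest"].split() if tok in FLAG_NAMES)
    return m["src"], m["dst"], int(m["dpt"]), flags


def classify_flags(flags):
    """Map a TCP flag set to the scan signature it matches, if any."""
    if flags == XMAS:
        return "xmas"       # FIN+PSH+URG without ACK never occurs in a real session
    if not flags:
        return "null"       # no flags at all: a NULL scan, equally illegitimate
    if flags == SYN_ONLY:
        return "syn"        # first packet of a connect *or* SYN scan: needs fan-out to judge
    return "other"


def detect_scans(lines, fanout=5):
    """Return sorted (src, dst, kind, distinct_ports) alerts for scan-like behaviour.

    XMAS and NULL probes are flagged on sight; bare SYNs are flagged only when one
    source touches at least `fanout` distinct ports on one host, since a single SYN
    is just a normal connection attempt. `fanout` is an illustrative threshold.
    """
    ports_by_kind = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        ports_by_kind[(src, dst)][classify_flags(flags)].add(dport)

    alerts = []
    for (src, dst), kinds in ports_by_kind.items():
        for kind in ("xmas", "null"):
            if kinds[kind]:
                alerts.append((src, dst, kind, len(kinds[kind])))
        if len(kinds["syn"]) >= fanout:
            alerts.append((src, dst, "syn", len(kinds["syn"])))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, kind, n in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{kind.upper():5} scan suspected: {src} -> {dst} ({n} distinct ports)")
```

Note that the firewall cannot tell a connect scan from a SYN scan by the first packet alone; what distinguishes them is that the connect scan finishes the handshake and therefore also shows up in the target's application logs, which is exactly the noise the text refers to.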

Option 1: TCP Scan

The first thing we need to do before running any scans is start Metasploit by typing msfconsole in the terminal. A random banner is displayed, along with version information and the number of modules currently loaded.

  msfconsole

       =[ metasploit v4.17.8-dev                          ]
+ -- --=[ 1803 exploits - 1027 auxiliary - 311 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 

Scanners are a type of auxiliary module in Metasploit, and to locate the port scanners, we can type search portscan at the prompt.

  msf > search portscan
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

This yields a handful of results, including the three types of port scan we will examine. Let's start with a simple TCP scan. Enter use auxiliary/scanner/portscan/tcp to load the module. We can now view the module settings by typing options:

  msf auxiliary(scanner/portscan/tcp) > options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

Here we can see the current settings and their descriptions. Unlike many exploit modules, this scanner can accept a range of target addresses in addition to a single IP address. Since we only have one target machine in this case, a single address is sufficient.

The number of threads can also be increased to speed up the scan. It is recommended to keep this value below 256 on Unix systems and below 16 on native Win32 systems. To be safe, we can set it to about 8. All other options can be left at their defaults.
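Two of the options above are worth understanding rather than just accepting: the PORTS syntax ("22-25,80,110-900") and how TIMEOUT, CONCURRENCY and THREADS combine into the time a scan can take. The Python below is an added example for this article, not Metasploit's code (the framework parses PORTS with its own Rex port-spec routine, which this does not reuse). It expands a PORTS value with input validation, then gives a worst-case duration under a simplifying model that is my assumption, not something the page states: CONCURRENCY probes are in flight per host, each thread works on a different host, and a host that silently drops every probe makes each one wait out TIMEOUT.

```python
import math
import re

MAX_PORT = 65535
_TOKEN_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def crack_portspec(spec):
    """Expand a PORTS value such as "22-25,80,110-900" into a sorted list of unique ports.

    Accepts single ports and inclusive ranges separated by commas, tolerates
    whitespace and reversed ranges, and rejects anything outside 1-65535.
    """
    ports = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue                          # "22,,80" or a trailing comma
        m = _TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"bad port token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            lo, hi = hi, lo                   # "25-22" means the same as "22-25"
        if lo < 1 or hi > MAX_PORT:
            raise ValueError(f"port out of range in {token!r}")
        ports.update(range(lo, hi + 1))
    if not ports:
        raise ValueError("empty port specification")
    return sorted(ports)


def worst_case_seconds(spec, hosts, timeout_ms, concurrency, threads):
    """Upper bound on a connect scan against hosts that drop every probe.

    Model (an assumption for this example): every probe to a silently filtered
    port waits the full TIMEOUT; CONCURRENCY probes run in parallel per host, so
    one host needs ceil(ports / concurrency) rounds; THREADS hosts are scanned
    side by side, so the host list is worked through in ceil(hosts / threads) batches.
    """
    rounds_per_host = math.ceil(len(crack_portspec(spec)) / concurrency)
    host_batches = math.ceil(hosts / threads)
    return host_batches * rounds_per_host * timeout_ms / 1000


if __name__ == "__main__":
    print(crack_portspec("22-25, 80,110-112"))
    # The defaults from the options table against the single target used here...
    print(worst_case_seconds("1-10000", 1, 1000, 10, 8), "seconds worst case")
    # ...and against a /24 of unresponsive hosts, where THREADS starts to matter.
    print(worst_case_seconds("1-10000", 256, 1000, 10, 8), "seconds worst case")
```

Under this model, raising THREADS only pays off across many hosts; for a single target, the knobs that shorten a scan of unresponsive ports are CONCURRENCY and TIMEOUT.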

  msf auxiliary(scanner/portscan/tcp) > set rhosts 172.16.1.102
rhosts => 172.16.1.102
msf auxiliary(scanner/portscan/tcp) > set threads 8
threads => 8

Now we can start the scan. In Metasploit, the run command is simply an alias for exploit, so it does exactly the same thing. Since we are only scanning, run seems more fitting, though it doesn't really matter.

  msf auxiliary(scanner/portscan/tcp) > run

[+] 172.16.1.102: - 172.16.1.102:21 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:23 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:22 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:25 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:53 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:80 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:111 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:139 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:445 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:513 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:514 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:512 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:1099 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:1524 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:2049 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:2121 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:3306 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:3632 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:5432 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:5900 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:6000 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:6667 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:6697 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:8009 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:8180 - TCP OPEN
[+] 172.16.1.102: - 172.16.1.102:8787 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The TCP scan is performed fairly quickly, and once completed, we can see that there are many open ports on the target.

Option 2: SYN Scan

Next, we move on to a SYN scan. Type back to return to the main prompt, followed by use auxiliary/scanner/portscan/syn to load the module. Again, we can enter options to display the current settings for this module:

  msf auxiliary(scanner/portscan/syn) > options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

There are a few different options compared to the TCP scan, but they are largely similar, including the ability to accept a range of target addresses and the number of threads.

When performing multiple scans or exploits against a single target, it can be tedious to set the same options over and over again. Fortunately, there is a command that sets an option globally, meaning it does not have to be re-entered when switching to another module. Use setg to set a global option.

  msf auxiliary(scanner/portscan/syn) > setg rhosts 172.16.1.102
rhosts => 172.16.1.102
msf auxiliary(scanner/portscan/syn) > setg threads 8
threads => 8

Now enter run to start the scan.

  msf auxiliary(scanner/portscan/syn) > run

[+] TCP OPEN 172.16.1.102:21
[+] TCP OPEN 172.16.1.102:22
[+] TCP OPEN 172.16.1.102:23
[+] TCP OPEN 172.16.1.102:25
[+] TCP OPEN 172.16.1.102:53
[+] TCP OPEN 172.16.1.102:80
[+] TCP OPEN 172.16.1.102:111
[+] TCP OPEN 172.16.1.102:139
[+] TCP OPEN 172.16.1.102:445
[+] TCP OPEN 172.16.1.102:512
[+] TCP OPEN 172.16.1.102:513
[+] TCP OPEN 172.16.1.102:514
[+] TCP OPEN 172.16.1.102:1099
[+] TCP OPEN 172.16.1.102:1524
[+] TCP OPEN 172.16.1.102:2049
[+] TCP OPEN 172.16.1.102:2121
[+] TCP OPEN 172.16.1.102:3306
[+] TCP OPEN 172.16.1.102:3632
[+] TCP OPEN 172.16.1.102:5432
[+] TCP OPEN 172.16.1.102:5900
[+] TCP OPEN 172.16.1.102:6000
[+] TCP OPEN 172.16.1.102:6667
[+] TCP OPEN 172.16.1.102:6697
[+] TCP OPEN 172.16.1.102:8009
[+] TCP OPEN 172.16.1.102:8180
[+] TCP OPEN 172.16.1.102:8787
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The SYN scan takes a little longer than the TCP scan, but once it's done, we can see that we get similar results to the previous scan.

Option 3: XMAS Scan

The third type of scan we'll perform is the XMAS scan. Type back to exit the current module, then use auxiliary/scanner/portscan/xmas to load the module. Since we previously set the remote host and thread options globally, these settings should already be populated when we view options.

  msf auxiliary(scanner/portscan/xmas) > options

Module options (auxiliary/scanner/portscan/xmas):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     172.16.1.102     yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    8                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

The other options are largely identical to the SYN scan, so we can keep their defaults. Feel free to play around with the other settings and see how they affect timing and accuracy. Now we can run the scan:

  msf auxiliary(scanner/portscan/xmas) > run

[*] TCP OPEN | FILTERED 172.16.1.102:21
[*] TCP OPEN | FILTERED 172.16.1.102:22
[*] TCP OPEN | FILTERED 172.16.1.102:23
[*] TCP OPEN | FILTERED 172.16.1.102:25
[*] TCP OPEN | FILTERED 172.16.1.102:53
[*] TCP OPEN | FILTERED 172.16.1.102:80
[*] TCP OPEN | FILTERED 172.16.1.102:111
[*] TCP OPEN | FILTERED 172.16.1.102:139
[*] TCP OPEN | FILTERED 172.16.1.102:445
[*] TCP OPEN | FILTERED 172.16.1.102:512
[*] TCP OPEN | FILTERED 172.16.1.102:513
[*] TCP OPEN | FILTERED 172.16.1.102:514
[*] TCP OPEN | FILTERED 172.16.1.102:1099
[*] TCP OPEN | FILTERED 172.16.1.102:1524
[*] TCP OPEN | FILTERED 172.16.1.102:2049
[*] TCP OPEN | FILTERED 172.16.1.102:2121
[*] TCP OPEN | FILTERED 172.16.1.102:3306
[*] TCP OPEN | FILTERED 172.16.1.102:3632
[*] TCP OPEN | FILTERED 172.16.1.102:5432
[*] TCP OPEN | FILTERED 172.16.1.102:5900
[*] TCP OPEN | FILTERED 172.16.1.102:6000
[*] TCP OPEN | FILTERED 172.16.1.102:6667
[*] TCP OPEN | FILTERED 172.16.1.102:6697
[*] TCP OPEN | FILTERED 172.16.1.102:8009
[*] TCP OPEN | FILTERED 172.16.1.102:8180
[*] TCP OPEN | FILTERED 172.16.1.102:8787
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Again, we obtained results similar to the other scans, this time reported as OPEN|FILTERED, since a port that silently drops an XMAS probe looks the same whether it is open or sitting behind a filter. Depending on the target (or targets) and the type of environment, these scans can sometimes give different results, so it certainly does not hurt to try multiple scans.
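When you do run several scan types, the useful follow-up is to reconcile them rather than eyeball three lists. The Python below is an added example for this article, not code from the original post or from Metasploit. It parses the three console output formats shown above (the tcp module's "[+] host: - host:port - TCP OPEN" lines, the syn module's "[+] TCP OPEN host:port" lines and the xmas module's "[*] TCP OPEN|FILTERED host:port" lines) and produces a report that treats a completed handshake or a SYN/ACK as proof a port is open, treats an xmas-only hit as unverified, and lists ports on which the two direct scans disagree. The sample output is constructed so that the scans differ on ports 8787 and 9999; it is not the output shown above.

```python
import re
from collections import defaultdict

# One pattern per output format seen on this page. The leading host prefix the
# tcp module prints ("172.16.1.102:") is matched but not captured.
OUTPUT_FORMATS = (
    (re.compile(r"^\[\+\]\s+\S+\s+-\s+(?P<host>[\d.]+):(?P<port>\d+)\s+-\s+TCP OPEN$"), "open"),               # portscan/tcp
    (re.compile(r"^\[\+\]\s+TCP OPEN\s+(?P<host>[\d.]+):(?P<port>\d+)$"), "open"),                             # portscan/syn
    (re.compile(r"^\[\*\]\s+TCP OPEN\s*\|\s*FILTERED\s+(?P<host>[\d.]+):\s*(?P<port>\d+)$"), "open|filtered"),  # portscan/xmas
)

# Constructed console output (not the scans shown above): the three modules
# disagree on 8787 and 9999 so that the reconciliation has something to report.
TCP_OUT = """\
[+] 172.16.1.102:         - 172.16.1.102:21 - TCP OPEN
[+] 172.16.1.102:         - 172.16.1.102:22 - TCP OPEN
[+] 172.16.1.102:         - 172.16.1.102:80 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
"""
SYN_OUT = """\
[+] TCP OPEN 172.16.1.102:21
[+] TCP OPEN 172.16.1.102:22
[+] TCP OPEN 172.16.1.102:80
[+] TCP OPEN 172.16.1.102:8787
[*] Scanned 1 of 1 hosts (100% complete)
"""
XMAS_OUT = """\
[*] TCP OPEN|FILTERED 172.16.1.102:21
[*] TCP OPEN|FILTERED 172.16.1.102:22
[*] TCP OPEN|FILTERED 172.16.1.102:80
[*] TCP OPEN|FILTERED 172.16.1.102:8787
[*] TCP OPEN|FILTERED 172.16.1.102:9999
[*] Scanned 1 of 1 hosts (100% complete)
"""


def parse_scan_output(text):
    """Parse tcp/syn/xmas module output into {host: {port: state}}; other lines are ignored."""
    results = defaultdict(dict)
    for line in text.splitlines():
        for pattern, state in OUTPUT_FORMATS:
            m = pattern.match(line.strip())
            if m:
                results[m["host"]][int(m["port"])] = state
                break
    return dict(results)


def reconcile(tcp_out, syn_out, xmas_out, host):
    """Combine the three scans of one host into a report a practitioner can act on.

    A completed handshake (tcp) or a SYN/ACK (syn) proves a port is open. The xmas
    module can only say open|filtered, because a port that silently drops the probe
    looks identical whether it is open or behind a filter, so xmas-only hits need a
    confirming connect or SYN scan. Ports the two direct scans disagree on usually
    point at timeouts or rate limiting and are worth re-running.
    """
    tcp = set(parse_scan_output(tcp_out).get(host, {}))
    syn = set(parse_scan_output(syn_out).get(host, {}))
    xmas = set(parse_scan_output(xmas_out).get(host, {}))
    return {
        "confirmed": sorted(tcp | syn),
        "needs_verification": sorted(xmas - (tcp | syn)),
        "inconsistent": sorted(tcp ^ syn),
    }


if __name__ == "__main__":
    for key, ports in reconcile(TCP_OUT, SYN_OUT, XMAS_OUT, "172.16.1.102").items():
        print(f"{key:20} {ports}")
```

Pasting the real console output into the three strings gives the same report for your own target; anything that is not one of the three result line formats (banners, progress lines) is skipped.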

Finding Open Ports With Ease

In this guide, we covered three types of port scan – TCP, SYN, and XMAS – directly from Metasploit's interactive console. These scanners are quick and dirty, but they get the job of finding open ports done with relatively little effort. This shows that Metasploit is packed with features that make it easier for white-hat hackers to do their best work.


Cover image by drd_/Null Byte