Today we are going to continue with our Metasploit walkthrough.
The current version of Metasploit has a Web managed vulnerability scanner incorporated into the Project page of the web server. Starting with the project we created yesterday, we will scan the local network for vulnerabilities.
To do this, open the “Overview” tab under the Project page.
Select and click “Scan”. This tab is on the left hand side of the page under the “Discovery” column.
Here we can start a scan. To do this, enter the target addresses or networks into the data field on the page. by clicking “Show Advanced Options” you can exclude addresses and change the way the scan is run.
It is always a good idea to exclude the system you are running the scan from if you are scanning the local network. If you do not, it could be that you crash the machine and loss all of the work you have completed thus far.
Once you have selected all of the networks and configured the scan (including exclusions) click “Launch Scan” to start nmap.
This will take some time, but you can follow the progress of the scan in the page (displayed below).
Metasploit uses NMap as the default scanner. This is far less powerful than a full vulnerability scanner such as Nessus, but will do for our purposes today.
Once the scan has completed, it will display a green tick and say “Complete.”
For automated exploitation, you will need a Metasploit Pro license (the commercial version). I will run through this today (there is a trail license available) and continue with the free version tomorrow.
You can see from the image above that we have several services and a few hosts.
From here we can either go to exploits or brute-force.
Clicking brute-force allows us to manage credentials and configure which services we will try and break into. Metasploit is not the best brute-forcer, so I will not spend too much time here (and will go into alternatives another time).
Automated Exploit Settings
Clicking Exploit on the main page takes you to the Automated Exploit page. Here you can just click (or configure the exploit and payload in a more traditional manner).
Once that has been done (and you should have a look through the options and learn what the different exploits and payloads are (for another post) you can click “Exploit” and begin the process.
This is a messy approach and we really need to scan and select to make sure we do things right. This is really a script kiddies wet dream, though in reality it is far less effective than actually knowing what you are doing.
Tomorrow… Back to the free version.
To do this, we need a vulnerable service and for that I may have to transgress into Nessus … We will see.
But, when you do have a potentially vulnerable service, the next step is to select the module to use to exploit. To start this, click on Modules and enter a search term.
Here I have searched for RPC. You can see the results listed below:
I clicked a SAMBA vulnerability and then we can start to configure the host and payload details.