Active Information Gathering with Metasploit-Framework
Using Nmap to perform port scanning
Using -sT scanning mode is the default scanning mode of Nmap. The status of the target port is accurately judged through the TCP three-way handshake packet. Since three connections are established, it is extremely easy to be captured by the target firewall.
msf> nmap -sT 127.0.0.1
The -sS scan mode does not perform three-way handshake, it is called semi-open scan, also known as stealth scan. Compared to TCP scanning, it is faster and more secure.
msf> nmap -sS 127.0.0.1
The –sU scan mode is the fastest scan method, because UDP only sends and receives, but there may be some errors between the scan results and the above two scan methods.
msf> nmap -sU 127.0.0.1
Operating system identification.
Nmap can identify the target operating system in two ways:
1. The commonly used -O parameter, the -O parameter is an advanced parameter provided by Nmap, which is usually used alone.
msf> nmap -O 127.0.0.1
2. The -sV parameter can be used together with the above port scan parameters, and nmap will add the identification result of the system version at the end of the scan result.
msf> nmap -sSV 127.0.0.1
Nmap security scan
Usually, the scan initiated on the target site or host will be recorded by the WAF or IDS, which is extremely insecure for the tester, so the intrusive and deceptive scans are hidden from the tester. IP information is necessary, Nmap provides the -D advanced parameter, if you provide 2 IP addresses, then Nmap will leave 3 IP addresses in the WAF log to confuse the audience and ensure the test as much as possible the safety of the user.
msf> nmap -sS 127.0.0.1 -D 10.10.20.100,10.10.20.101
1. TCP port scan
2. SYN port scan
3. Call nmap
In metasploit-framework use db_nmap to do a complete banner grabbing, use the following command:
msf> db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 127.0.0.1 -p - 22
The -Pn parameter tells Nmap that the target site has been determined to be online, no further detection is required, and the detection process of whether it is online or not is skipped. -sTV means to scan in TCP mode, and to determine the banner information and version of each port at the same time. The port, the –min-parallelism parameter executes a minimum number of 64 parallelisms, the –version-all parameter indicates that all probes of nmap are used to identify the service details, and the -p parameter is set to – indicates that all ports of the target are scanned.
4. Use ARP for live host scanning
msf>use auxiliary/scanner/discovery/arp_sweep set RHOST set THREADS 10 run
5. Use UDP to detect live hosts
msf>use auxiliary/scanner/discovery/udp_sweep set RHOST set THREADS 10 run
6. Use SMB to detect live hosts
msf>use auxiliary/scanner/smb/smb_enumshares set RHOSTS set THREADS 10 run
7. SMB version scan
8. SMB brute force (dictionary required)
9. SSH version scan
10. FTP version scan
11. SMTP enumeration
12. SNMP login
13. SNMP login
14. WinRM scan
15. WinRM brute force cracking