Metasploit Basics, Part 5: Using Metasploit for Reconnaissance (nmap, EternalBlue, SCADA, and MS SQL
Updated: Dec 16, 2022
Welcome back, my rookie hackers!
As you know, reconnaissance is a crucial part of the hacker/pentester's job. Without good reconnaissance, it is likely that all your work and effort will go for naught. As Metasploit has evolved from strictly an exploitation framework to a multi-faceted, penetration testing tool, it has added additional capabilities, including reconnaissance. No longer do you need to carry separate tools for reconnaissance and then exploitation. Metasploit can do it all.
In addition, with the postgresql database attached to Metasploit, we can save our results from port scanning and vulnerability scanning into the database and then use those results in the next phase of the penetration test.
Step #1 Fire Up Metasploit
The first step, of course, is to fire up Kali and start the msfconsole.
kali > msf
Step # 2 nmap and db_nmap
Usually, before starting a hack, we want to gather as much info on the target as possible. Let's begin by finding out what ports are open. Metasploit enables us to run nmap right from the msf prompt. Let's try scanning a systems on our local area network with a TCP scan (-sT) looking for open ports between 1 and 1000 (-p1-1000).
msf > nmap -sT 192.168.1810/24 -p1-1000
As you can see above, nmap was able to scan all the machines on our internal network and return the results of the open ports.
As I demonstrated in Metasploit Basic, Part 4, you can also use the db-nmap command to scan and save the results into Metasploit's postgresql attached database. In that way, you can use those results in the exploitation stage later.
Let's scan our targets with db_nmap.
msf > db_nmap 192.168.181.0/24
As we can see above, the nmap scanner within Metasploit was able to do a port scan of every system on our subnet, find their open ports and store that information into the database for later use.
Step #3: Scanning Modules
Metasploit has a multitude of scanning modules built in. If we open another terminal, we can navigate to Metasploit's auxiliary modules and list all the scanner modules.
cd /usr/share /metasploit-framework/modules/auxiliary
kali > ls -l
Note in the screenshot above, the numerous directories containing modules for all sorts of auxiliary purposes. Let's navigate to the scanner directory and look inside.
kali > cd scanner
kali > ls -l
As you can see below, there are hundreds of scanner modules each inside a directory of a specific target type.
The SMB protocol has been problematic for over two decades on all operating systems. In 2017, the ShadowBrokers released a stolen NSA exploit that attacked SMB and gave the attack sysadmin privileges. This exploit became known as EternalBlue or MS17-010 in Microsoft parlance (for more information on EternalBlue see the Network Forensics article here).
To determine whether a Windows 7/Server 2008 system is vulnerable to this exploit, there is a scanner in Metasploit to determine as such.
If we navigate to the SMB sub-directory and do a long listing on it, we see a scanner named "smb_ms17_010".
kali > cd smb
kali > ls -l
Let's load that scanner into our framework and run it against a Windows 7 system.
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 > set RHOSTS 192.168.1.102
msf5 > run
As you can see above, this scanner sent probes to the target system and came back and reported that it IS likely vulnerable! We will exploit that vulnerability in Part 8 of the Metasploit Basics series.
Next, let's go to the scada directory and look inside there.
As you can see there are 11 scada scanner modules.
Step #4 Conducting a SCADA Scan
Let's try using one of those scada scanner modules to conduct a scan on a SCADA system (for more on SCADA Hacking, see my SCADA series here).
msf > use auxiliary/scanner/scada/modbusclient
We need to set the RHOST, the NUMBER of coils to read and READ_COIL parameters.
As you can see in the screenshots above, we used this scada scanner to read the coils (the coils are ON/OFF switches inside the SCADA facility) on a remote SCADA system. This would be the first step before exploiting this system.
Step #5 MS SQL Login Scan
Among the numerous scans within Metasploit is one that can enumerate logins on Microsoft's flagship database server, SQL Server.
We can use this module by typing;
msf > use auxiliary/admin/mssql/mssql_enum_sql_logins
After loading the module, we learn more about this scanner by typing info.
msf > info
As you can see in the description, this module can be used to fuzz available SQL Server logins providing us with logins that can then be brute forced with one of many different password cracking tools.
Once we provide it an RHOST, it begins scanning for available logins on the database server.
msf > set RHOST 192.168.181.129
msf > exploit
As you can see above, this scanner was able to find the login "sa" account or the sysadmin of this SQL Server installation!
Reconnaissance is a crucial phase of the hacking/penetration testing process. Metasploit has added hundreds of reconnaissance modules, so that we may complete most of our reconnaissance right from Metasploit. Here, I have demonstrated just a few reconnaissance modules in Metasploit, but there are literally hundreds more so take some time to explore the many recon modules in Metasploit and it will likely save you hundreds of hours in your hack/pentest.