
How to search metasploit based on ports?


8 replies to this topic

#1 aperfectcircle1

aperfectcircle1

    DDP Fan club member

  • Members
  • 49 posts
  • Gender:Male

Posted 26 May 2010 - 06:28 PM

Say I scan a system and find port 80 open, and a certain OS. What command could I use to search Metasploit for matching exploits?

#2 bsd-roo

bsd-roo

    SUP3R 31337

  • Members
  • 175 posts

Posted 28 May 2010 - 05:36 AM

Say I scan a system and find port 80 open, and a certain OS. What command could I use to search Metasploit for matching exploits?



Well, if the database is set up for Metasploit to use with nmap properly, then it should really do that automatically.
So you should probably read more of their documentation, particularly the nmap bit. Not sure if it's the right thing for me to give
you step-by-step instructions, as you can potentially be using it maliciously, so I'm gonna leave that to somebody else.

Edited by bsd-roo, 28 May 2010 - 05:38 AM.


#3 SchippStrich

SchippStrich

    SUP3R 31337 P1MP

  • Members
  • 293 posts
  • Country:
  • Gender:Male
  • Location:USA

Posted 28 May 2010 - 12:25 PM

If you know what service is running on that port you can:
search <service name>
You can also use AutoPwn, which is what was mentioned above in a much more subtle form.

#4 aperfectcircle1

aperfectcircle1

    DDP Fan club member

  • Members
  • 49 posts
  • Gender:Male

Posted 28 May 2010 - 06:56 PM

If you know what service is running on that port you can:
search <service name>
You can also use AutoPwn, which is what was mentioned above in a much more subtle form.


AutoPwn is very noisy... and can trigger the firewall. Thanks for the search query. How would you use grep on your database to find port-specific exploits etc.? That's what I was asking :S I don't quite understand the | operator in grep.

#5 zandi

zandi

    SUP3R 31337 P1MP

  • Members
  • 263 posts
  • Location:michigan

Posted 28 May 2010 - 09:25 PM

Assuming that | works the same in the Metasploit console as it does in bash, it will "pipe" one program to another. For example, if you had a text file you wanted to search for "X", then you could run a command such as this: "cat text_file | grep X"

cat will show the file "text_file" on the screen, the pipe sends the output of the cat command to grep's input, and grep searches its input for "X". So in Metasploit, if you used "search" to get a list of exploits, you could pipe its output to grep to further refine the search.

I will mention that I think you might be getting tripped up on port numbers. Simply because port 80 is open doesn't necessarily mean a web server is running. It usually will, because people won't typically change port numbers, but I'd recommend investigating the service further to find out what it actually is. nmap's -sV option is good: it will probe open ports to try and determine what service is listening, but you might have to do a bit more to find out for sure.

#6 aperfectcircle1

aperfectcircle1

    DDP Fan club member

  • Members
  • 49 posts
  • Gender:Male

Posted 28 May 2010 - 09:36 PM

Assuming that | works the same in the Metasploit console as it does in bash, it will "pipe" one program to another. For example, if you had a text file you wanted to search for "X", then you could run a command such as this: "cat text_file | grep X"

cat will show the file "text_file" on the screen, the pipe sends the output of the cat command to grep's input, and grep searches its input for "X". So in Metasploit, if you used "search" to get a list of exploits, you could pipe its output to grep to further refine the search.

I will mention that I think you might be getting tripped up on port numbers. Simply because port 80 is open doesn't necessarily mean a web server is running. It usually will, because people won't typically change port numbers, but I'd recommend investigating the service further to find out what it actually is. nmap's -sV option is good: it will probe open ports to try and determine what service is listening, but you might have to do a bit more to find out for sure.


Say port 80 is open, and the service is HTTP. I find a matching exploit for port 80; what payloads can I attach to it? Like if I bind a reverse TCP shell payload, does it talk to the OS or the service?

#7 bsd-roo

bsd-roo

    SUP3R 31337

  • Members
  • 175 posts

Posted 28 May 2010 - 10:15 PM



Say port 80 is open, and the service is HTTP. I find a matching exploit for port 80; what payloads can I attach to it? Like if I bind a reverse TCP shell payload, does it talk to the OS or the service?



Since we are already this far into the conversation, and presuming you were using it as a pen testing tool on a server you own (even though you did comment that it is too noisy): there are different kinds of payloads for different needs, injecting VNC, spawning a shell, setting up nc at home waiting for a reverse shell or whatever. Depends what you want to do, and of course also on what kind of exploit you used. Not all exploits are going to give you root; some will probably just crash the system or do weird stuff.

#8 zandi

zandi

    SUP3R 31337 P1MP

  • Members
  • 263 posts
  • Location:michigan

Posted 28 May 2010 - 10:20 PM





Since we are already this far into the conversation, and presuming you were using it as a pen testing tool on a server you own (even though you did comment that it is too noisy): there are different kinds of payloads for different needs, injecting VNC, spawning a shell, setting up nc at home waiting for a reverse shell or whatever. Depends what you want to do, and of course also on what kind of exploit you used. Not all exploits are going to give you root; some will probably just crash the system or do weird stuff.

Also, you would have to know what service (and likely what version of that service) is running. For example, an exploit for Apache wouldn't work on lighttpd. They're both HTTP servers, but you'd have to know which one was in use before you could choose an exploit to try.
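Zandi's two points (in #5, an open port is not a service; in #8, you need the service and its version, since an Apache module is useless against lighttpd) fit together with the "search <service name>" step from #3. The script below is an added example written for this page, not code from the thread or from the Metasploit project. It parses a constructed sample of nmap's grepable output (`nmap -sV -oG -`), whose Ports entries have the documented form port/state/proto/owner/service/rpcinfo/version/, and turns each open port into msfconsole `search` terms, most specific first. Ports where nmap appended "?" to the service name (its marker for a guess rather than a confirmed match) are flagged as needing more probing before any module search makes sense. The host address and version strings in the sample are made up.

```python
"""Turn nmap -sV grepable output into msfconsole `search` terms, flagging
ports whose service nmap only guessed.  Added example; not from the thread."""
from dataclasses import dataclass
from typing import List

# Constructed sample of `nmap -sV -oG - 192.0.2.10`; not a real scan.
# Each Ports entry is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sV -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3/, "
    "80/open/tcp//http//lighttpd 1.4.63/, 8080/open/tcp//http-proxy?///, "
    "443/filtered/tcp//https///\tIgnored State: closed (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 6.20 seconds\n"
)


@dataclass
class ServiceHit:
    host: str
    port: int
    proto: str
    service: str    # nmap service name with any trailing '?' removed
    product: str    # first token of nmap's version string, '' if none
    confirmed: bool  # False when nmap only guessed ('?') or saw no banner


def parse_gnmap(text: str) -> List[ServiceHit]:
    """Extract every *open* port from grepable nmap output."""
    hits: List[ServiceHit] = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]          # "Host: 192.0.2.10 ()" -> address
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:              # e.g. the "Status: Up" line
            continue
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue                      # skip closed/filtered ports
            raw_service, version = parts[4], parts[6]
            hits.append(ServiceHit(
                host=host,
                port=int(parts[0]),
                proto=parts[2],
                service=raw_service.rstrip("?"),
                product=version.split()[0] if version else "",
                confirmed=not raw_service.endswith("?") and bool(version),
            ))
    return hits


def search_terms(hit: ServiceHit) -> List[str]:
    """Terms to feed msfconsole's `search`, product name before generic service."""
    terms: List[str] = []
    if hit.product:
        terms.append(hit.product.lower())
    if hit.service and hit.service.lower() not in terms:
        terms.append(hit.service.lower())
    return terms


def suggest(text: str) -> List[str]:
    """One human-readable line per open port, with unconfirmed ports flagged."""
    lines = []
    for hit in parse_gnmap(text):
        cmds = " / ".join(f"search {t}" for t in search_terms(hit))
        note = "" if hit.confirmed else "  (service unconfirmed: probe further first)"
        lines.append(f"{hit.host}:{hit.port}/{hit.proto} -> {cmds}{note}")
    return lines


if __name__ == "__main__":
    for line in suggest(SAMPLE_GNMAP):
        print(line)
```

Run it as-is and it prints one line per open port of the sample: port 80 yields "search lighttpd / search http", while 8080 yields only "search http-proxy" with the unconfirmed flag, which is exactly the case where port number alone would have sent you looking at the wrong modules. To use it on your own scan, replace SAMPLE_GNMAP with the contents of a file written by `nmap -sV -oG file`.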

#9 bsd-roo

bsd-roo

    SUP3R 31337

  • Members
  • 175 posts

Posted 29 May 2010 - 11:11 PM





Also, you would have to know what service (and likely what version of that service) is running. For example, an exploit for Apache wouldn't work on lighttpd. They're both HTTP servers, but you'd have to know which one was in use before you could choose an exploit to try.



Hehe, remember this is presuming that he knows exactly what server he's up against because he owns it.. right? Otherwise he wouldn't have been performing this vulnerability assessment. And I don't think companies hire black box security testers if they don't know their tools. :p




BinRev is hosted by the great people at Lunarpages!