aperfectcircle1

How to search metasploit based on ports?

9 posts in this topic

say I scan a system and find port 80 open, and a certain OS. What command could I use to search metasploit for matching exploits?

well, if the database is set up for metasploit to use with nmap properly then it should really do that automatically.

so you should probably read more of their documentation, particularly the nmap bit. not sure if it's the right thing for me to give you step by step instructions as you can potentially be using it maliciously so i'm gonna leave that to somebody else.

Edited by bsd-roo

If you know what service is running on that port you can:

search <service name>

You can also use AutoPwn which is what was mentioned above in a much more subtle form.

autopwn is very noisy... and can trigger firewall.. Thanks for the search query. How would you use grep on your database to find port-specific exploits etc. that's what I was asking :S I don't quite understand the | operator in grep

assuming that | works the same in the metasploit console as it does in bash, it will "pipe" one program to another. for example, if you had a text file you wanted to search for "X", then you could run a command such as this: "cat text_file | grep X"

cat will show the file "text_file" on the screen, the pipe sends the output of the cat command to grep's input, and grep searches its input for "X". so in metasploit, if you used "search" to get a list of exploits, you could pipe its output to grep to further refine the search.

i will mention that i think you might be getting tripped up on port numbers. simply because port 80 is open doesn't necessarily mean a web server is running. it usually will because people won't typically change port numbers, but i'd recommend investigating the service further to find out what it actually is. nmap's -sV option is good, it will probe open ports to try and determine what service is listening, but you might have to do a bit more to find out for sure.

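The post above explains a pipe with "cat text_file | grep X". As an added example, not code from the thread or from the Metasploit project, here is a POSIX shell script that carries that idea through the thread's own scenario: it reads the service labels that nmap -sV attached to open ports from a constructed grepable (-oG) scan line, then filters a constructed stand-in for a "search" listing through grep, including a second pipe stage. The host, the version strings and the two "example_" modules are invented for the example; auxiliary/scanner/http/http_version and auxiliary/scanner/ssh/ssh_version are real module names used only as listing rows.

```shell
#!/bin/sh
# Added example (not from the thread): from a scan's service labels to a
# filtered module listing, using a pipe into grep as the post above describes.

# Constructed nmap -oG (grepable) line for a lab host. The port/state/proto/
# owner/service/rpc/version field order is nmap's grepable layout, but the host
# and version strings are invented, not real scan output.
SCAN_LINE=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//Example SSH 1.0/, 80/open/tcp//http//Example httpd 2.0/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)')

# Constructed stand-in for the table "search" prints (module, date, rank, title).
# The two "example_" modules are invented; they only give grep something to filter.
MODULE_LISTING='exploit/multi/http/example_webapp_rce    2015-01-01  excellent  Example web app RCE (constructed)
auxiliary/scanner/http/http_version      -           normal     HTTP Version Detection
auxiliary/scanner/ssh/ssh_version        -           normal     SSH Version Scanner
exploit/linux/ftp/example_ftp_overflow   2010-01-01  good       Example FTP overflow (constructed)'

# Print "port service version" for every open port in one grepable line.
# The service and version columns are what -sV fills in; without -sV nmap only
# guesses the service from the port number, which is the trap the post warns about.
services_from_grepable() {
  printf '%s\n' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F'/' '$2 == "open" {
        version = ($7 == "") ? "version-unknown" : $7
        printf "%s %s %s\n", $1, $5, version
      }'
}

# Service label nmap attached to a given port (prints nothing if it is not open).
service_on_port() {
  services_from_grepable "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# The "search | grep" step: keep listing lines mentioning a keyword, case-insensitively.
filter_listing() {
  printf '%s\n' "$1" | grep -i -- "$2"
}

# A second pipe stage narrows further, here to one module type (exploit, auxiliary, ...).
filter_listing_by_type() {
  filter_listing "$1" "$2" | grep -- "^$3/"
}

# When run directly: look up what port 80 was actually labelled, then filter on that.
svc=$(service_on_port "$SCAN_LINE" 80)
echo "port 80 is labelled: $svc"
filter_listing "$MODULE_LISTING" "$svc"
echo "--- exploit modules only ---"
filter_listing_by_type "$MODULE_LISTING" "$svc" exploit
```

Run it with sh. The version column services_from_grepable prints is the part that matters most: it is what decides whether a module written for one HTTP server even applies to the one you found, and port 8080 shows the case where -sV could not identify anything. msfconsole also has a built-in grep command of the form "grep <pattern> <command>" (for instance "grep http search type:auxiliary"), and "search" accepts keyword filters such as type: and platform:, so a shell pipe is not the only way to narrow a listing.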

say port 80 is open, and the service is http. I find a matching exploit for port 80, what payloads can I attach to it? like if I bind a reverse tcp shell payload, does it talk to the OS or the service?

Since we are already this far into the conversation and presuming you were using it as a pen testing tool on a server you own even though you did comment that it is too noisy. there are different kinds of payloads for different needs, injecting VNC, spawning a shell, setting up nc at home waiting for a reverse shell or whatever. depends what you want to do and of course depending also on what kind of exploit you used. not all exploits are going to give you root, some will probably just crash the system or do weird stuff.

also, you would have to know what service (and likely what version of that service) is running. for example, an exploit for apache wouldn't work on lighttpd. they're both http servers, but you'd have to know which one was in use before you could choose an exploit to try.

hehe, remember this is presuming that he knows exactly what server he's up against because he owns it.. right? otherwise he wouldn't have been performing this vulnerability assessment. And I don't think companies hire black box security testers if they don't know their tools. :P
