Cityscape
Girl

Fundamentals of Penetration Testing

Using modules

Medium
10 min

Next, we will practice using more Metasploit modules. In this exercise, we will search for a suitable module for SSH version identification and use it.

Start the lab (if it is not already running) and follow along as you read on.

Metasploit Practice

In this lab, there are several different vulnerable web services that you can search for with Metasploit.

Finding the Suitable Module

Metasploit has quite a lot of modules. You can search for them using the search command.

For example, we would like to find a scanner module for SSH version. Let's run the search command:

msf6 > search scanner ssh

Matching Modules
================

   # Name Disclosure Date Rank Check Description
   - ---- --------------- ---- ----- -----------
   0 auxiliary/scanner/ssh/apache_karaf_command_execution 2016-02-09 normal No Apache Karaf Default Credentials Command Execution
   1 auxiliary/scanner/ssh/karaf_login normal No Apache Karaf Login Utility
   2 auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal No Cerberus FTP Server SFTP Username Enumeration
   3 auxiliary/scanner/http/cisco_firepower_login normal No Cisco Firepower Management Console 6.0 Login
   4 auxiliary/scanner/ssh/eaton_xpert_backdoor 2018-07-18 normal No Eaton Xpert Meter SSH Private Key Exposure Scanner
   5 auxiliary/scanner/ssh/fortinet_backdoor 2016-01-09 normal No Fortinet SSH Backdoor Scanner
   6 auxiliary/scanner/http/gitlab_user_enum 2014-11-21 normal No GitLab User Enumeration
   7 auxiliary/scanner/ssh/juniper_backdoor 2015-12-20 normal No Juniper SSH Backdoor Scanner
   8 auxiliary/scanner/ssh/detect_kippo normal No Kippo SSH Honeypot Detector
   9 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
   10 auxiliary/scanner/ssh/ssh_identify_pubkeys normal No SSH Public Key Acceptance Scanner
   11 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
   12 auxiliary/scanner/ssh/ssh_enumusers normal No SSH Username Enumeration
   13 auxiliary/scanner/ssh/ssh_version normal No SSH Version Scanner
   14 auxiliary/scanner/ssh/ssh_enum_git_keys normal No Test SSH Github Access
   15 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal No libssh Authentication Bypass Scanner

There are quite a lot of results, let's narrow down the search a little:

msf6 > search scanner ssh version

Matching Modules
================

   # Name Disclosure Date Rank Check Description
   - ---- --------------- ---- ----- -----------
   0 auxiliary/scanner/ssh/apache_karaf_command_execution 2016-02-09 normal No Apache Karaf Default Credentials Command Execution
   1 auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal No Cerberus FTP Server SFTP Username Enumeration
   2 auxiliary/scanner/ssh/eaton_xpert_backdoor 2018-07-18 normal No Eaton Xpert Meter SSH Private Key Exposure Scanner
   3 auxiliary/scanner/ssh/ssh_enumusers normal No SSH Username Enumeration
   4 auxiliary/scanner/ssh/ssh_version normal No SSH Version Scanner
   5 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal No libssh Authentication Bypass Scanner


Interact with a module by name or index. For example info 5, use 5 or use auxiliary/scanner/ssh/libssh_auth_bypass

Looks promising auxiliary/scanner/ssh/ssh_version.

Module deployment

The module is enabled with the use command.

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) >

And if you want to return back, you can do so with the back command.

msf6 auxiliary(scanner/ssh/ssh_version) > back
msf6 >

Enable the module.

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) >

Module settings

All Metasploit modules have settings that define the module. They can be displayed using show options command.

msf6 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT 22 yes The target port (TCP)
   THREADS 1 yes The number of concurrent threads (max one per host)
   TIMEOUT 30 yes Timeout for the SSH probe


View the full module info with the info, or info -d command.

The settings for this module are as follows:

  • RHOSTS: Very common in Metasploit modules. This setting determines the target, which can be an IP address or IP range. In this case, we set the value of RHOSTS to the target's IP address (see the section "Internal Network Targets" in the lab view).
  • RPORT: Also general, specifies the port on which the service is. We can leave the default (22) in this case, which is the SSH default port.
  • THREADS: If we had a lot of IP addresses to scan, we could do it multi-threaded with the THREADS setting. Let's leave it at one for now.
  • TIMEOUT: Again, if there were a lot of targets, we wouldn't necessarily want to wait the whole day to see if the SSH port responds or not. We can leave the default to be 30 seconds.

The setting is set with the set command.

msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 10.0.2.197
RHOSTS => 10.0.2.197

Let's make sure that we are happy with the settings:

msf6 auxiliary(scanner/ssh/ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name Current Setting Required Description
   ---- -------------- -------- -----------
   RHOSTS 10.0.2.197 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT 22 yes The target port (TCP)
   THREADS 1 yes The number of concurrent threads (max one per host)
   TIMEOUT 30 yes Timeout for the SSH probe

Executing the module

The final step, when the settings have been set and checked, is to run the module. This is done with the "run" command.

msf6 auxiliary(scanner/ssh/ssh_version) > run

[+] 10.0.2.197:22 - SSH server version: SSH-2.0-OpenSSH_...
...

Exercises

What was the OpenSSH version?

hakatemia pro

Ready to become an ethical hacker?
Start today.

As a member of Hakatemia you get unlimited access to Hakatemia modules, exercises and tools, and you get access to the Hakatemia Discord channel where you can ask for help from both instructors and other Hakatemia members.