
Metasploit Tidbits

I’ve been working through Metasploit Unleashed in preparation for the PWK course and the ensuing OSCP exam. Looks like I’ll be signing up for that in early July. While you can’t use Metasploit on the OSCP exam, they do teach it in the PWK course itself, and it’s a very powerful tool anyway, so learning it now seemed like a good idea.

I’ve been taking a lot of notes in OneNote as I progress on all things OSCP, but I thought I’d share some of the handier Metasploit tricks that I might find myself using from day to day. Additionally, writing all this out and thinking about it as I do so helps me commit it to memory, so this blog post isn’t an entirely selfless effort.

    __  __________________   _____ ____  __    ____  __________
   /  |/  / ____/_  __/   | / ___// __ \/ /   / __ \/  _/_  __/
  / /|_/ / __/   / / / /| | \__ \/ /_/ / /   / / / // /  / /   
 / /  / / /___  / / / ___ |___/ / ____/ /___/ /_/ // /  / /    
/_/  /_/_____/ /_/ /_/  |_/____/_/   /_____/\____/___/ /_/     

Find Hosts on Your Network

The arp_sweep auxiliary module comes in handy to find hosts on your network. In the example below, you select the arp_sweep module, show its options, then set the RHOSTS variable to your network range.

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 192.168.0.1/24
RHOSTS => 192.168.0.1/24
msf auxiliary(arp_sweep) > run

Running the above will return some output that looks something like this:

[*] 192.168.0.163 appears to be up (UNKNOWN).
[*] 192.168.0.171 appears to be up (UNKNOWN).
[*] 192.168.0.163 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

If you want to be sneaky when you do this (and why would you need to be sneaky on your home network? 😉 ) you can set the source IP (SHOST) and source MAC (SMAC) that the requests carry, so that the sweep doesn't look like it came from you. Typically, you might make it appear to be coming from your router. Two things to keep in mind before you do: an ARP request carries the sender's IP and MAC in its payload, and every host that receives the broadcast caches that pairing without checking it, so pairing the router's IP with a made-up MAC plants a bogus gateway entry on every host on the segment (the same mechanism as ARP cache poisoning) and can knock them offline until the entry is corrected or times out; if you spoof, use the router's real MAC. Also, the replies are addressed to the MAC you claimed, so on a switched network they may never reach your interface and the sweep may report nothing.

msf> set SHOST 192.168.0.1
msf> set SMAC 00:11:22:33:44:55

(00:11:22:33:44:55 is just an example value; put your router's actual MAC there.)
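As an added example (not from the original post, and not Metasploit's own code), here is the ARP request frame that an arp_sweep-style scan broadcasts, built and decoded in plain Python so you can see exactly which fields SHOST and SMAC rewrite and what a receiving host records from them. No packets are sent; the MAC and IP addresses are made-up sample values.

```python
# Added example: build and decode the Ethernet/ARP request an arp_sweep-style
# scan broadcasts. Pure Python, no network access. Addresses are sample values.
from __future__ import annotations
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST = 1


def mac_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet header (dst broadcast, src = sender_mac, type ARP) followed by a
    28-byte ARP request. arp_sweep's SMAC/SHOST map onto sender_mac/sender_ip."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(
        ARP_FMT,
        1, 0x0800, 6, 4, ARP_REQUEST,
        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_bytes(ZERO_MAC), ipaddress.IPv4Address(target_ip).packed,
    )
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an ARP frame the way a host on the segment sees it."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    _htype, _ptype, _hlen, _plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def learned_entry(frame: bytes) -> tuple[str, str]:
    """What a host that receives the broadcast adds to (or refreshes in) its ARP
    cache: sender_ip -> sender_mac, taken from the payload and never verified.
    With SHOST set to the gateway IP and SMAC set to a made-up MAC, this is a
    bogus gateway entry on every host that sees the sweep."""
    p = parse_arp(frame)
    return p["sender_ip"], p["sender_mac"]


def sweep_frames(sender_mac: str, sender_ip: str, cidr: str) -> list[bytes]:
    """One request per address in the block, network and broadcast addresses
    included, which is why the module reports 256 of 256 for a /24."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [build_arp_request(sender_mac, sender_ip, str(ip)) for ip in net]
```

With your own MAC and IP as the sender you have the default sweep. With the router's real IP and real MAC, learned_entry() returns the pairing hosts already hold, so nothing changes for them. With the router's IP and a random MAC, learned_entry() shows the wrong gateway mapping every host on the segment will pick up.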

Scan a Host

Metasploit lets you scan hosts that you discover.

msf> use auxiliary/scanner/portscan/tcp
msf> show options
msf> set RHOSTS 192.168.0.178
msf> run

You can set THREADS (the number of hosts scanned in parallel; 10 is reasonable) and CONCURRENCY (the number of ports probed at once on each host; 20) too, to help speed things up without getting too crazy, and you can narrow the PORTS option (for example, set PORTS 1-1024) rather than scanning the module's much larger default range.

You can even use nmap from within Metasploit (db_nmap, which takes the same arguments as nmap) and store the results in the database, or import normal nmap results (saved as XML with -oX) into the Metasploit database with db_import. The advantage of doing this is that you can save your work and results in workspaces in Metasploit (workspace -a name creates one, workspace name switches to it, and hosts and services then list what has been collected). Workspaces let you create projects and keep things organized, which is useful when working on many targets, or with a team.

I will provide some examples of this soon. Stay tuned. For now, here’s what looks like a great reference for this.
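As an added example (not the post's own content, and not Metasploit's importer), here is a small Python parser for the nmap XML report (the -oX output) that db_import reads, pulling out the host and service records that end up in the database. The XML document inside it is a constructed sample, not a real scan; the parser skips hosts nmap marked as down, tolerates ports with no service element, and flattens the open ports into rows.

```python
# Added example: parse an nmap -oX report into host/service records.
# The XML is a constructed sample (not a real scan), trimmed to the elements
# that matter for import: host status, addresses, hostnames and ports.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.0.0/24" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.163" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="nas.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.171" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Map each host nmap saw as up to its MAC, hostname and port list.
    Hosts marked down carry nothing worth storing and are skipped."""
    root = ET.fromstring(xml_text.encode() if isinstance(xml_text, str) else xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML report")
    hosts = {}
    for h in root.iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr")
        if ip is None:
            continue
        hostname = h.find("hostnames/hostname")
        services = []
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            info = None
            if svc is not None:
                # product + version, or None when -sV learned nothing
                info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) or None
            services.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else None,
                "info": info,
            })
        hosts[ip] = {
            "mac": mac,
            "hostname": hostname.get("name") if hostname is not None else None,
            "services": services,
        }
    return hosts


def open_services(hosts):
    """Flatten to (ip, port, proto, name) rows for open ports only."""
    rows = []
    for ip, h in sorted(hosts.items()):
        for s in h["services"]:
            if s["state"] == "open":
                rows.append((ip, s["port"], s["proto"], s["name"]))
    return rows
```

Run parse_nmap_xml() over a real -oX file and you get the same host, MAC, hostname and port facts that db_import stores; open_services() is the view you would reach for when deciding what to hit next.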

Published in ctf, Hacking, OSCP, Pentesting, Security, Tech
