Lab 3

Vulnerability Scanning with Metasploit

Discovery Through Vulnerability Scanning

• Vulnerability scanning will allow you to quickly scan a target IP

range looking for known vulnerabilities, giving a penetration tester
a quick idea of what attacks might be worth conducting.
• When used properly, this is a great asset to a pen tester, yet it is
not without it’s draw backs. Vulnerability scanning is well known
for a high false positive and false negative rate. This has to be
kept in mind when working with any vulnerability scanning
software.
• Lets look through some of the vulnerability scanning capabilities
that the Metasploit Framework can provide.
SMB Login Check
• A common situation to find yourself in is being in possession of a
valid username and password combination, and wondering where
else you can use it. This is where the SMB Login Check Scanner
can be very useful, as it will connect to a range of hosts and
determine if the username/password combination can access the
target.
• Keep in mind that this is very “loud” as it will show up as a failed
login attempt in the event logs of every Windows box it touches.
• Be thoughtful on the network you are taking this action on. Any
successful results can be plugged into the windows/smb/psexec
exploit module (exactly like the standalone tool), which can be
used to create Meterpreter Sessions.
Cont.

• Usage
– use auxiliary/scanner/smb/smb_login
– set RHOSTS 192.168.1.0/24
– set SMBUser Bit
– set SMBPass 123456
– set THREADS 50
– run
VNC Authentication Check with the None Scanner

• The VNC(Virtual Network Computing) Authentication None

Scanner is an Auxiliary Module for Metasploit.
• This tool will search a range of IP addresses looking for targets
that are running a VNC Server without a password configured.
• Pretty well every administrator worth his/her salt sets a password
prior to allowing inbound connections but you never know when
you might catch a lucky break and a successful pen-test leaves
no stone unturned.
Cont.

• Usage
– use auxiliary/scanner/vnc/vnc_none_auth
– set RHOSTS 192.168.1.0/24
– set THREADS 50
– run
Vulnerability Scanning with WMAP
• WMAP is a feature-rich web application vulnerability scanner.
• This tool is integrated with Metasploit and allows us to conduct
web application scanning from within the Metasploit Framework.
• We begin by first creating a new database to store our WMAP
scan results in, load the wmap plugin, and run help to see what
new commands are available to us.
– load wmap
– help
Cont.

• Prior to running a web app scan, we first need to add a

new target URL by passing the -a switch to wmap_sites.
Afterwards, running wmap_sites -l will print out the
available targets.
– wmap_sites -a https://45.33.49.119
– wmap_sites -l
• Next, we add the site as a target with wmap_targets.
– wmap_targets -t https://45.33.49.119/book/man-target-
specification.html
Cont.
• Using the wmap_run command will scan the target system
– wmap_run -t
– wmap_run -e
• we can see that WMAP has reported one vulnerability. Running vulns
will list the details for us.
– vulns
• Because of our vulnerability scanning with WMAP, we can now use
these results to gather further information on the reported vulnerability.
• As pentesters, we would want to investigate each finding further and
identify if there are potential methods for attack.
Lab report(from 6 point in group)

• Show necessary step how to scan vulnerability using

nexpose
• Show necessary step how to scan vulnerability using
nessus