Open source tools fing and Metasploit can help software pros conduct security testing, without having to invest in commercial tools.
Tracking down weaknesses in software can seem like a demanding task. You've got to find the top security threats for your domain, and understand each exploit, from SQL injections to buffer overflows and cross site scripting errors. The port scanners Metasploit and fing can help address this problem.
These tools can first identify every node on a network, then loop through them trying to find out which network ports are open, along with the type of machine. Metasploit can go further than that, cross-checking its list of open ports and machines with a list of known security exploits, allowing you, the penetration tester, to perform the attack. That might mean getting access to the network and the file system, as well as command line access, FTP access or super user access.
In this tip, I explain how to use these open source offerings, starting with Metasploit, the more powerful tool, before moving to fing, the easier one.
Downloading and installing Metasploit
No, you don't need to convert your operating system to Linux -- or even install Linux on a partition. Most security professionals recommend keeping Metasploit off your hard drive entirely; it is, after all, a tool invented by professional system crackers. Instead, put BackTrack on a DVD, thumb drive or virtual machine running in a sandbox without access to your hard drive. I chose to install it on Virtual Box running the Web Security Dojo, an enhanced version of BackTrack with a few more tools.
Once the virtual machine is running, getting Metasploit to run is as simple as selecting the applications icon on the top-left, then tools -> metasploit from the menus. That brings up a terminal window.
Performing the attack
I want to discover all the hosts on my local area network, so I scan the 192.169.x.0/24 network range and perform a ping on every possible host (192.168.x.0/24 is the internal network IP address). Every internal network has an address like this; the difference is the x. In my case, x is ‘1', as it will be on most simple networks. To find out the hosts on the network, I use nmap; it will discover every IP address. Db_nmap goes further and stores the results in a database, to enable that cross-check I told you about.
db_nmap -sP 192.168.1.0/24
Running this command gets me two IP addresses on the internal network:
Nmap scan report for 192.168.1.1
Host is up (0.014s latency).
Nmap scan report for 192.168.1.106
Host is up (0.075s latency).
With those IP addresses in hand, I can run another scanner to get more detail on those machines:
auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
Note that RHOSTS is the discovered network host; my next move is to run RHOSTS 192.168.1.1-18.104.22.168 to set up scanning, then use the run command. Eventually, I get results like this:
msf auxiliary(tcp) > run
[*] 192.168.1.1:80 - TCP OPEN
[*] 192.168.1.106:80 - TCP OPEN
This tells me that the only open port on my machines is port 80, the default port for Internet traffic. Since that doesn't tell me much, I turn on remote login for all users on my laptop and run the scan again, with these slightly different results:
[*] 192.168.1.1:80 - TCP OPEN
[*] 192.168.1.106:21 - TCP OPEN
[*] 192.168.1.106:80 - TCP OPEN
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
The problem is that newer operating systems (and older systems that have been hardened) do not reply to a request for identification. That means that when I run ‘show exploits' in Metasploit, it gives me the entire list for port 80 and 21, mostly Windows exploits and buffer overflows for application programs I am not running.
I need something insecure to test against.
Once you've downloaded Metasploit, installed it and played with it, you will eventually want something to attack, something vulnerable to practice on. You could go buy some Windows 98 or Windows 2000 machines from eBay. Or you could download Metasploitable, a free Linux version that is designed to be insecure and to run as a virtual machine. The staff at Rapid7, the company behind Metasploit, has even designed a configuration and attack guide to Metasploitable.
With Metasploitable running in a different virtual machine, I run a command to scan all the ports from 1 to 100 and report back details:
db_nmap -v -sV 192.168.1.0/24
db_nmap -p0-100 192.168.200.138
[*] Nmap: Starting Nmap 6.25 ( http://nmap.org ) at 2013-02-15 00:13 EST
[*] Nmap: Nmap scan report for 192.168.200.138
[*] Nmap: Host is up (0.0055s latency).
[*] Nmap: Not shown: 95 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 22/tcp open ssh
[*] Nmap: 23/tcp open telnet
[*] Nmap: 25/tcp open smtp
[*] Nmap: 53/tcp open domain
[*] Nmap: 80/tcp open http
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.98 seconds
These specific ports have known vulnerabilities I can Google or research with 'show exploits.' My next idea is to go after the FTP service.
Sometimes you don't want a full attack system; you just want a single button called ‘scan the network.' In that case, Fing is your friend.
If you search the Apple app store for ‘fing', you'll find a free port scanning tool. Double-clicking fing brings up a list of networks in range. I click one, and it scans the entire network and provides a list -- and clicking on a specific IP address gets me the vulnerabilities for that device. Because it runs on an iPhone, you can do this to any network you can connect to, including branch offices or your local coffee bar, so check network policies before doing a full port scan, please.
Where to go for more information
Once you find the open ports, the next step is to see if they are exploitable. Much more information, including a full step-by-step tutorial on Metasploit, is at offensive-security.com. The tutorial is a full tutorial. It lets you create a virtual machine with known weaknesses, then attack the machine with the tool. It takes a significant amount of disk space (around 20 GB) to run the tutorial, and considerable time to walk through it. Alternatively, you can watch the Metasploit Security Movie, also free on SecurityTube.
The video opens with a quote from Abraham Lincoln, which I consider good advice: "If I had eight hours to chop down a tree, I'd spend the first six of them sharpening my axe."
Metasploit is free. It is effective. It is powerful. It might take some time to learn, but then again, I expect it will be time well spent.
This was first published in April 2013