Metasploit Penetration Testing Cookbook: Over 70 recipes to master the most widely used penetration testing framework with this book and ebook.

Information gathering is the first basic step towards penetration testing. This step is carried out to find out as much information about the target machine as possible. The more information we have, the better will be our chances of exploiting the target. During the information gathering phase, our main focus is to collect facts about the target machine, such as the IP address, available services, open ports. This information plays a vital role in the process of penetration testing. There are basically three types of techniques used in information gathering.

Let us take a quick look at these processes:

Let us deal with some of the most commonly used techniques for information gathering.

root@bt:~# whois www.packtpub.com	
Domain Name: PACKTPUB.COM
   Registrar: EASYDNS TECHNOLOGIES, INC.
   Whois Server: whois.easydns.com
   Referral URL: http...

Every security professional is aware of the information gathering techniques discussed in the previous recipe. But there are some techniques which analysts neglect because of their reduced popularity and awareness, but they can produce results as good as the previous techniques. The techniques we will discuss here will involve a deeper analysis of our target, though we will still be using a passive technique. These techniques do not require the use of Metasploit, but since information gathering is an important field for penetration testing, we will discuss it here.

Port scanning is an active information gathering technique in which we will now start dealing with our target directly. Port scanning is an interesting process of information gathering. It involves a deeper search of the target machine. Nmap is the most powerful and preferred scanner for security professionals. The usage of Nmap varies from novice to an advanced level. We will analyze the various scan techniques in detail.

msf > nmap

Auxiliary modules are the in-built modules of a Metasploit that can help us perform a variety of tasks. They are different from exploits as they run on the pen-tester's machine and also it does not provide any shell. There are more than 350 different auxiliary modules present in the Metasploit framework, each having specific tasks. Here we will discuss the scanner auxiliary modules.

Let us now try out some targeted scanning for specific services running on a range of IP addresses, or on a single target host. Various service-based scans are available; VNC, FTP, SMB, and so on. Auxiliary modules can be really handy in such situations when we are looking for specific types of services on our target.

	
root@bt:/pentest/exploits/framework3/modules/auxiliary/scanner# ls
	
backdoor   emc 	ip    	mysql	pop3   	sap   ssh    	vnc
db2    	finger  lotus 	netbios  portscan   sip   telephony voice
dcerpc 	ftp 	misc  	nfs  	postgres   smb   telnet 	vxworks
dect   	http	motorola  ntp  	rogue  	smtp  tftp   	x11
discovery  imap	mssql 	oracle   rservices  snmp  upnp

So far, we have learned the basics of port scanning, along with the practical implementation with Nmap. Port scanning has been extended to several other tools which further enhance the process of scanning and information gathering. In the next few recipes, we will cover those tools which scan the target for available services and open ports and then tries to determine the type of vulnerability that may exist for that particular service or port. Let us begin our journey to vulnerability scanning.

Nessus is one of the most widely used vulnerability scanners. It scans the target for a range of vulnerabilities and produces a detailed report for it. Nessus is a very helpful tool during penetration testing. Either you can use the GUI version of Nessus, or you can also use it from the Metasploit console. In this book, we will primarily focus on using Nessus with msfconsole.

In the previous recipe, we discussed Nessus as a potential vulnerability scanner. In this recipe, we will cover another important vulnerability scanner NeXpose.

NeXpose is a popular tool by Rapid7 which performs the task of vulnerability scanning and importing results to the Metasploit database. The usage of NeXpose is similar to Nessus which we learned in the previous recipe, but let's have a quick overlook of how to get started with NeXpose. I will leave the task of exploring it deeper as an assignment for you.

msf > db_connect msf3:8b826ac0@127.0.0.1:7175/msf3 

msf > load nexpose

msf > nexpose_connect darklord:toor@localhost ok

[*] Connecting to NeXpose instance at 127.0.0.1:3780 with username...

In our previous recipes, we learned several techniques for gaining information about our target. While performing penetration tests, we may need to share information with other pen-testers which may be located at other physical locations. In that case, sharing the penetration testing information can be made easier by using the Dradis framework. It is an open source framework for sharing information during security assessments. It has several features which makes it an excellent information-sharing tool. Some of them are:

Although it will not help us in gaining any information about the target, the tool is important for all security professionals in sharing pen-test results and findings.