Information gathering is the first and one of the most, if not the most, important activities in penetration testing. This step is carried out in order to find out as much information about the target machine as possible. The more information we have, the better our chances will be for exploiting the target. During the information gathering phase, our main focus is to collect facts about the target machine, such as the IP address, available services, and open ports. This information plays a vital role in the process of penetration testing. To achieve this goal, we will be learning certain scanning techniques such as SMB scanning, SSH server scanning, FTP scanning, SNMP enumeration, HTTP scanning, and WinRM scanning and brute forcing by the end of this chapter.

Information gathering, footprinting, and enumeration are terms that are often used interchangeably. But they...

Scanning is an active information gathering technique in which we will now start dealing with the target directly. Port scanning is an interesting process of information gathering. It involves a deeper search of the target machine, but since active port scanning involves reaching out to the target systems, these activities can be detected by firewalls and intrusion prevention systems.

There are a variety of port scanners available to us within the Metasploit Framework, allowing us to properly enumerate the target systems. To list all the available portscan modules, you can use the search command, as follows:

Nmap is the most powerful and preferred scanner for security professionals. The usage of Nmap varies from novice to an advanced level; we will analyze the various scan techniques in detail.

You run Nmap directly from msfconsole, as you normally would from the command line. However, if you want to import the results into the Metasploit database, you need to run the Nmap scan using the -oX flag, followed by the desired filename to generate the XML output file, and then issue the db_import command to populate the Metasploit database.

Using the db_nmap command, we can run Nmap against our targets and store our scan results automatically in our database, without the need to use the db_import command.

The db_nmap command is part of msfconsole, so you just need to launch msfconsole and use db_nmap, as you would use nmap on the command line.

In Chapter 1, Metasploit Quick Tips for Security Professionals, we already talked about the db_nmap basic usage, so now we will take a look at some more advanced features. In the following example...

ARP Sweep allows us to enumerate live hosts in the local network using ARP requests, providing us with a simple and fast way to identify possible targets.

When your target systems are located on the same LAN as your attacking machine, you are able to enumerate systems by performing an ARP scan.

1. To enumerate systems using ARP in Metasploit, you can use the ARP Sweep Local Network Discovery auxiliary module. You just need to set the target address range in RHOSTS, set the number of concurrent threads...

The UDP Service Sweeper auxiliary module allows us to detect interesting UDP services. Since UDP is a connectionless protocol, it is more difficult to probe than TCP. Using an auxiliary module like the UDP Service Sweeper can help you find some low-hanging fruit, in a timely manner.

To run the UDP Service Sweeper, select the auxiliary/scanner/discovery/udp_sweep module and set the target address range in RHOSTS:

msf > use auxiliary/scanner/discovery/udp_sweep 
msf auxiliary(udp_sweep) > set RHOSTS 192.168.216.0/24
RHOSTS => 192.168.216.0/24
msf auxiliary(udp_sweep) > run

[*] Sending 13 probes to 192.168.216.0->192.168.216.255 (256 hosts)
[*] Discovered...

Over the years, the Server Message Block (SMB) protocol, a network file sharing protocol implemented in Microsoft Windows, has proven to be one of the most abused protocols, allowing from sharing and user enumeration up to remote code execution.

1. Using the SMB Share Enumeration auxiliary module without authentication, allows us to collect some valuable information, such as share names and OS versions and services packs:

msf > use auxiliary/scanner/smb/smb_enumshares 
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.216.10,129
RHOSTS => 192.168.216.10,129
msf auxiliary(smb_enumshares) > run

...
[+] 192.168.216.129:139 - IPC$ - (I) IPC Service (metasploitable...