Scanning and Managing Hosts
Host discovery is the process of that Metasploit performs to identify the ports, services, and operating systems that are in use by hosts on a particular network. You run a scan to find the hosts that are accessible on a network and to help you identify vulnerabilities based on the open ports and services that the scan finds.
Scanning for Hosts
You can launch a discovery scan to enumerate services and ports on target hosts. A discovery scan performs host discovery, port scanning, and OS fingerprinting.
A discovery scan starts with an Nmap scan to detect available systems and scan ports. Next, the discovery scan sweeps the target network with UDP probes to identify additional systems. After the discovery scan identifies available ports, the discovery scan sweeps the ports with service specific modules to identify active services.
Use the pro_discover
command to perform a discovery scan.
msf-pro > pro_discover 192.168.0.1
{*] Started task 1
To view the status of the task, run the following command:
msf-pro > pro_tasks
Id Project Description Status Information
== ======= =========== ====== ============
12 default Discovering running Configuring and launching
msf-pro > pro_tasks -w 12
Running a Credentialed Scan
If you have SMB credentials that you want to specify for Windows hosts running Samba or for shared access points, you can use the pro_discover
command and the following options:
-
-sd
option defines the SMB domain. -
-su
option specifies the user name. -
-sp
option specifies the password.
msf-pro > pro_discover 192.168.0.1 -sd workgroup -su root -sp root
Viewing a List of Hosts
Use the hosts
command to view a list of hosts that the database contains. To view a list of hosts, you must have an active connection to the database.
msf-pro > hosts
Hosts
=====
addresss mac name os_name os_flavor os_sp purpose info comments
======== === ==== ======= ========= ===== ======= ==== ========
192.168.0.1
192.168.0.2
Adding a Host
Use the hosts
command and the -a
option to add a host to the current workspace.
msf-pro > hosts -a 192.168.0.3
<*] Time: 2012-02-01 05:05:05 UTC Host: host=192.168.0.3
Deleting a Host
Use the hosts
command and the -d
option to delete a host from the current workspace:
msf-pro > hosts -d 192.168.0.3
<*] Deleted 1 hosts
Connecting to a Host
Use the connect
command to communicate with a host. You must supply the host address and port that you want to connect to.
msf-pro > connect 192.168.0.1 22
<*] Connected to 192.168.0.1:22
Outputting Host Data to CSV File
Use the hosts command and the -o
option to output the all the information about the hosts in the database to a CSV file. The data includes the IP address, MAC address, host name, operating system, OS flavor, purpose, and comments.
The following example outputs all the hosts in the database to a file called HRHosts.
msf-pro > hosts - o HRHosts.csv
Importing Scan Data
Use the db_import
command to import host or scan data into the database. The data must be stored in an XML file. By default, the Metasploit Framework imports files from the msf3/data directory.
msf-pro > db_import subnetA.xml
<*] Importing ‘Metasploit XML’ data
<*] Importing host 192.168.0.3
<*] Successfully imported C:/metasploit/msf3/subnetA.xml
Supported Scan Data Formats
You can import scan data from most vulnerability and scanning tools that are available as well as exported Metasploit project files.
Metasploit supports most of the major scanners on the market, including Rapid7's own Nexpose, and other tools like Qualys and Core Impact. The following scan reports are supported:
- Foundstone Network Inventory XML
- Microsoft MBSA SecScan XML
- nCircle IP360 XMLv3 and ASPL
- NetSparker XML
- Nessus NBE
- Nessus XML v1 and v2
- Qualys Asset XML
- Qualys Scan XML
- Burp Session XML
- Acunetix XML
- AppScan XML
- Nmap XML
- Retina XML
- Amap Log
- Critical Watch VM XML
- IP Address List
- Libpcap Network Capture
- Spiceworks Inventory Summary CSV
- Core Impact XML
Metasploit does not import service and port information from Qualys Asset files. If you import a Qualys Asset file, you must run a discovery scan to enumerate services and ports that are active on the imported hosts.
Viewing Hosts that Are Up
Use the hosts
command and the -u
option to view a list of hosts that are up.
msf-pro > hosts -u
Hosts
=====
addresss mac name os_name os_flavor os_sp purpose info comments
======== === ==== ======= ========== ===== ====== ==== ========
192.168.0.1
Viewing Specific Columns from the Hosts Table
Use the hosts
command and the -c
option to view specific columns from the database.
msf-pro > hosts -c address
msf > hosts -u
Hosts
=====
address
========
192.168.0.1
192.168.0.2
192.168.0.3
Columns in the Hosts Table
Metasploit stores host data from in the hosts table. You can use the column name to search the database for hosts. For example, if you want to see the names of all the hosts stored in the database, you can type hosts -c name
, and the console displays a list of all host names in the workspace.
The following columns are available for the hosts table:
- address
- arch
- comm
- comments
- created_at
- cred_count
- detected_arch
- exploit_attempt
- history_count
- info
- mac
- name
- note_count
- os_flavor
- os_lang
- os_name
- os_sp
- purpose
- scope
- service_count
- state
- updated_at
- virtual_host
- vuln_count
- svcs
- vulns
- workspace
- tags
Viewing Loot
Loot is the collected data that Metasploit stores in the database. You can use the loot command to store and retrieve the data that you have collected from target hosts.
msf-pro > loot
Outputting Host Data
Use the hosts
command and the -o
option to generate a CSV text file that contains the data from the host table.
msf-pro > hosts -o subnet1data
<*] Wrote hosts to subnet1data