Port Scanning

Scanners and most other auxiliary modules use the RHOSTS option instead of RHOST. RHOSTS can take IP ranges (192.168.1.20-192.168.1.30), CIDR ranges (192.168.1.0/24), multiple ranges separated by commas (192.168.1.0/24, 192.168.3.0/24), and line-separated host list files (file:/tmp/hostlist.txt). This is another use for our grepable Nmap output file.

Note also that, by default, all of the scanner modules will have the THREADS value set to ‘1’. The THREADS value sets the number of concurrent threads to use while scanning. Set this value to a higher number in order to speed up your scans, or keep it lower in order to reduce network traffic, but be sure to adhere to the following guidelines:

  • Keep the THREADS value under 16 on native Win32 systems.
  • Keep THREADS under 200 when running MSF under Cygwin.
  • On Unix-like operating systems, THREADS can be set to 256.
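The RHOSTS forms listed above are easy to get wrong, and a stray character can turn a small scope into a /8. The following Ruby is an added example written for this page (it is not Metasploit's own RangeWalker code); it expands a RHOSTS-style string into a plain host list, reads file: entries line by line (blank lines and # comments skipped), and refuses to build a list larger than a caller-supplied ceiling so the size of the scope is checked before any scan starts. Like the CIDR form on the page, it includes the network and broadcast addresses of a block. The function name and the max_hosts parameter are this example's own.

```ruby
require 'ipaddr'

# Expand a Metasploit-style RHOSTS specification into an array of IPv4 strings.
# Accepted forms (the ones described above):
#   192.168.1.20-192.168.1.30      explicit range
#   192.168.1.0/24                 CIDR block (network and broadcast included)
#   a, b, c                        comma-separated list of any of the above
#   file:/tmp/hostlist.txt         one spec per line; blank lines and # comments ignored
# Raises ArgumentError on a reversed range, an unparsable address, or a scope
# larger than max_hosts, so the caller learns about a typo before scanning.
def expand_rhosts(spec, max_hosts: 65_536)
  hosts = []
  spec.split(',').map(&:strip).reject(&:empty?).each do |item|
    if item.start_with?('file:')
      File.foreach(item.delete_prefix('file:')) do |line|
        line = line.strip
        next if line.empty? || line.start_with?('#')
        # each line may itself be a range or CIDR, so recurse with the remaining budget
        hosts.concat(expand_rhosts(line, max_hosts: max_hosts - hosts.size))
      end
      next
    end

    first, last =
      if item.include?('/')
        r = IPAddr.new(item).to_range
        [r.first, r.last]
      elsif item.include?('-')
        item.split('-', 2).map { |a| IPAddr.new(a) }
      else
        a = IPAddr.new(item)
        [a, a]
      end

    raise ArgumentError, "range end before start: #{item}" if last < first

    # size the range arithmetically before materializing it, so a /8 typo fails fast
    count = last.to_i - first.to_i + 1
    if hosts.size + count > max_hosts
      raise ArgumentError, "#{item} pushes the scope past #{max_hosts} hosts"
    end
    hosts.concat((first..last).map(&:to_s))
  end
  hosts.uniq
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample: the comma-separated form from the text
  puts expand_rhosts('192.168.1.0/24, 192.168.3.0/24').size
end
```

The ceiling is deliberately applied per item rather than at the end: a mistaken "10.0.0.0/8" raises immediately instead of first allocating sixteen million strings.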

More @ offensive-security.com/metasploit-unleashed/Port_Scanning

Hunting For MSSQL

Searching and locating MSSQL installations inside the internal network can be achieved using UDP foot-printing. When MSSQL installs, it listens either on TCP port 1433 or on a randomized dynamic TCP port. If the port is dynamically assigned, querying UDP port 1434 will provide us with information on the server, including the TCP port on which the service is listening.
Let us search and load the MSSQL ping module inside the msfconsole.
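The reply that UDP port 1434 sends back is a SQL Server Resolution Protocol (SSRP) datagram: one byte 0x05, a little-endian 16-bit length, then ASCII key;value pairs with each instance terminated by ";;" (the layout documented in Microsoft's MS-SQLR specification). The Ruby below is an added example for this page, not the Metasploit ping module's own code; it parses such a datagram into one hash per instance and pulls out each instance's TCP port, which is what an asset-inventory or detection pipeline needs when it sees this traffic. It rejects a datagram whose declared length does not match its body, so a truncated or spoofed reply is not mistaken for a real server. The sample response bytes are constructed for the example, as are the function names.

```ruby
# Parse a SQL Server Resolution Protocol (MS-SQLR) SVR_RESP datagram.
# Wire format: 0x05, uint16 little-endian RESP_SIZE, RESP_DATA (ASCII
# "Key;Value;Key;Value;...;;" with ";;" closing each instance).
# Returns an array of hashes, one per instance; raises ArgumentError if the
# datagram is not an SSRP response or its length field does not match.
def parse_ssrp_response(datagram)
  unless datagram.bytesize >= 3 && datagram.getbyte(0) == 0x05
    raise ArgumentError, 'not an SSRP SVR_RESP datagram'
  end
  declared = datagram.byteslice(1, 2).unpack1('v')
  body = datagram.byteslice(3, datagram.bytesize - 3)
  unless declared == body.bytesize
    raise ArgumentError, "length mismatch: declared #{declared}, got #{body.bytesize}"
  end

  # walk the tokens as key/value pairs; an empty token in key position marks
  # the ";;" terminator of an instance
  tokens = body.split(';', -1)
  instances = []
  current = {}
  until tokens.empty?
    key = tokens.shift
    if key.empty?
      instances << current unless current.empty?
      current = {}
      next
    end
    value = tokens.shift
    raise ArgumentError, "dangling key #{key}" if value.nil?
    current[key] = value
  end
  instances << current unless current.empty?
  instances
end

# Map InstanceName => TCP port (Integer, or nil when the instance advertises no tcp entry).
def mssql_tcp_ports(datagram)
  parse_ssrp_response(datagram).to_h do |inst|
    [inst['InstanceName'], inst['tcp'] && inst['tcp'].to_i]
  end
end

# Build a well-formed SVR_RESP datagram from RESP_DATA (used here only to
# construct the sample below; a real reply comes from the server).
def build_ssrp_response(data)
  [0x05, data.bytesize].pack('Cv') + data
end

# constructed sample: one default instance on 1433, one named instance on a dynamic port
SAMPLE_RESP_DATA = 'ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.50.1600.1;tcp;1433;;' \
                   'ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;Version;10.50.1600.1;tcp;49172;;'
SAMPLE_SSRP_RESPONSE = build_ssrp_response(SAMPLE_RESP_DATA)

if __FILE__ == $PROGRAM_NAME
  p mssql_tcp_ports(SAMPLE_SSRP_RESPONSE)
end
```

The dynamic-port case from the text is the second instance: its tcp value (49172 in the constructed sample) is the only place the listening port is advertised, which is why the 1434/UDP reply matters for inventory.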

More @ offensive-security.com/metasploit-unleashed/Hunting_For_MSSQL

Password Sniffing

Max Moser released a Metasploit password sniffing module named ‘psnuffle’ that will sniff passwords off the wire, similar to the tool dsniff. It currently supports POP3, IMAP, FTP, and HTTP GET. More information is available on his blog.

Using the ‘psnuffle’ module is extremely simple. There are some options available but the module works great “out of the box”.

More @ offensive-security.com/metasploit-unleashed/Password_Sniffing