You're reading from Metasploit Bootcamp

Product type: Book
Published in: May 2017
ISBN-13: 9781788297134
Edition: 1st Edition
Author: Nipun Jaswal

Nipun Jaswal is an international cybersecurity author and an award-winning IT security researcher with more than a decade of experience in penetration testing, Red Team assessments, vulnerability research, RF, and wireless hacking. He is presently the Director of Cybersecurity Practices at BDO India. Nipun has trained and worked with multiple law enforcement agencies on vulnerability research and exploit development. He has also authored numerous articles and exploits that can be found on popular security databases, such as PacketStorm and exploit-db. Please feel free to contact him at @nipunjaswal.

Chapter 2. Identifying and Scanning Targets

We learned the basics of Metasploit in Chapter 1, Getting Started with Metasploit. Let us now shift our focus to an essential aspect of every penetration test, that is, the scanning phase. The scanning phase involves identifying the software and services running on the target, together with their versions, which makes it both the most time consuming and the most crucial part of a professional penetration test. They say, and I quote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles". If you want to gain access to the target by exploiting vulnerable software, the first step is to figure out whether a particular version of that software is actually running on the target. Scanning and identification should be conducted thoroughly: exploits are written for specific versions, and firing one at the wrong version does nothing useful at best and crashes the service (an unintended DoS) at worst.

In this chapter, we will try uncovering the scanning...

Working with FTP servers using Metasploit


The module we will be using for this demonstration is ftp_version, found at auxiliary/scanner/ftp/ftp_version (the file ftp_version.rb under the scanner directory of the auxiliary modules).

Scanning FTP services

Searching for FTP modules shows that we have a number of modules to work with. For now, let us select the ftp_version module with the use command and check, with show options, which options the module requires before it can run, as shown in the following screenshot:

To scan the entire network, let's set RHOSTS to 192.168.10.0/24 (all 256 addresses, 192.168.10.0 to 192.168.10.255) and also increase the number of threads (THREADS) for a speedier operation:

Let's run the module and analyze the output:

We can see that we have scanned the entire network and found two hosts running FTP services, a TP-LINK FTP server and an FTP Utility FTP server. Now that we know which services, and which versions, are running on the targets, it will be easy to look for a matching exploit if the version of either FTP service is vulnerable. Note that the version comes from the server's own greeting banner, which an administrator can change or blank out, so treat it as a strong hint rather than proof.

We can also see that some lines are displaying the progress of the scan and generating...
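What the ftp_version module does for each host is connect, wait for the greeting, and record it. The following is an added example and not code from the book or from Metasploit: a small stand-in for that module in plain Ruby, including the multi-line greeting case (RFC 959 allows a banner of several "220-" lines closed by a "220 " line) that a naive one-line read would truncate. The helper names, the default port 21, the 5-second timeout, and the 10-thread pool are my own assumptions.

```ruby
require 'socket'
require 'ipaddr'

# Added example, not the book's or Metasploit's code: a small stand-in for
# what auxiliary/scanner/ftp/ftp_version does. Helper names, the default
# port (21), the timeout (5 s) and the thread count are my own assumptions.

# Read an FTP greeting from an IO. RFC 959 allows multi-line replies:
# continuation lines read "220-text" and the final line reads "220 text".
# Returns the whole banner, or nil when the server sends nothing.
def read_ftp_banner(io)
  lines = []
  while (line = io.gets)
    lines << line.chomp
    break if lines.last =~ /\A\d{3} /   # a code followed by a space ends the reply
  end
  lines.empty? ? nil : lines.join("\n")
end

# The server's self-description lives on the final 220 line. Returns nil for
# any other greeting (for example "421 Service not available").
def ftp_product(banner)
  return nil if banner.nil?
  m = banner.lines.last.to_s.chomp.match(/\A220[ -](.*)\z/)
  m && m[1].strip
end

# Connect with a timeout, wait for the greeting, and return it (nil on any
# failure: closed port, filtered port, or a server that stays silent).
def grab_ftp_banner(host, port = 21, timeout = 5)
  Socket.tcp(host, port, connect_timeout: timeout) do |sock|
    return nil unless IO.select([sock], nil, nil, timeout)
    read_ftp_banner(sock)
  end
rescue SystemCallError, SocketError, IOError
  nil
end

# Sweep a CIDR range with a fixed pool of worker threads, the way RHOSTS and
# THREADS work in msfconsole. Returns { "ip" => banner } for hosts that answered.
def scan_ftp_range(cidr, port: 21, threads: 10, timeout: 5)
  queue = Queue.new
  IPAddr.new(cidr).to_range.each { |ip| queue << ip.to_s }
  results = {}
  lock = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      loop do
        host = begin
          queue.pop(true)          # non-blocking pop: raises when the queue is empty
        rescue ThreadError
          break
        end
        banner = grab_ftp_banner(host, port, timeout)
        lock.synchronize { results[host] = banner } if banner
      end
    end
  end
  workers.each(&:join)
  results
end

# Usage: ruby ftp_version.rb 192.168.10.0/24
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  scan_ftp_range(ARGV[0]).each do |host, banner|
    puts "#{host}:21 #{ftp_product(banner) || banner.lines.first}"
  end
end
```

The worker pool draws hosts from a queue until it is empty, so THREADS here bounds concurrency rather than the number of hosts, exactly as in the module; the per-connection timeout is what keeps a filtered /24 from taking forever.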

Scanning MSSQL servers with Metasploit


Let us now jump into Metasploit-specific modules for testing the MSSQL server and see what kind of information we can gain by using them.

Using the mssql_ping module

The very first auxiliary module we will use is mssql_ping (auxiliary/scanner/mssql/mssql_ping). It queries the SQL Server Browser service on UDP port 1434 and gathers the instance name, version, and TCP port of each MSSQL instance on the host; this is also how a tester finds instances that listen on a port other than the default 1433.

So, let us load the module and start the scanning process as follows:

We can clearly see that mssql_ping has produced a detailed fingerprint of the MSSQL service.
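The whole exchange behind mssql_ping is one byte out and one datagram back. The following is an added example, not code from the book or from Metasploit, showing the SQL Server Resolution Protocol (SSRP) probe and a parser for the reply; the helper names, the two-second timeout, and the constructed sample reply (two instances, one on a dynamic port) are my own, while the wire format (0x02 request; 0x05, little-endian length, then semicolon-separated key/value pairs) is the protocol's:

```ruby
require 'socket'

# Added example, not the book's or Metasploit's code: what mssql_ping does on
# the wire. SQL Server Browser listens on UDP 1434 and speaks the SQL Server
# Resolution Protocol (SSRP). Helper names below are my own.
SSRP_PORT     = 1434
CLNT_UCAST_EX = "\x02".b    # "describe every instance on this host"
SVR_RESP      = 0x05        # first byte of a valid reply

# Parse an SVR_RESP message: 0x05, a 2-byte little-endian length, then ASCII
# "key;value;key;value;...;;" with one ";;"-terminated record per instance.
# Returns one Hash per instance, or nil when the datagram is not an SSRP reply.
def parse_ssrp_response(data)
  return nil if data.nil? || data.bytesize < 3 || data.getbyte(0) != SVR_RESP
  length = data.byteslice(1, 2).unpack('v').first
  body = data.byteslice(3, length).to_s
  body.split(';;').reject(&:empty?).map do |record|
    # A record is a flat key;value list. An empty value would collide with the
    # ";;" separator, which real Browser replies avoid.
    record.split(';').each_slice(2).select { |kv| kv.size == 2 }.to_h
  end
end

# The fields a tester cares about: the instance, its version, and the TCP port
# (often not 1433 for named instances, which use dynamic ports by default).
def ssrp_summary(instances)
  instances.map do |i|
    "#{i['ServerName']}\\#{i['InstanceName']} version=#{i['Version']} tcp=#{i.fetch('tcp', 'n/a')}"
  end
end

# Send the single-byte probe and wait up to `timeout` seconds for the reply.
def mssql_ping(host, timeout = 2)
  sock = UDPSocket.new
  sock.send(CLNT_UCAST_EX, 0, host, SSRP_PORT)
  return nil unless IO.select([sock], nil, nil, timeout)
  data, = sock.recvfrom(65_535)
  parse_ssrp_response(data)
ensure
  sock&.close
end

# Constructed reply (not captured from a real host), used for the self-test:
# a default instance on 1433 and a named instance on a dynamic port.
def sample_ssrp_response
  body = 'ServerName;SQLBOX;InstanceName;MSSQLSERVER;IsClustered;No;Version;12.0.2000.8;tcp;1433;;' \
         'ServerName;SQLBOX;InstanceName;SQLEXPRESS;IsClustered;No;Version;13.0.1601.5;tcp;51234;' \
         'np;\\\\SQLBOX\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;'
  [SVR_RESP].pack('C') + [body.bytesize].pack('v') + body
end

# Usage: ruby mssql_ping.rb 192.168.1.20
puts ssrp_summary(mssql_ping(ARGV[0]) || []) if $PROGRAM_NAME == __FILE__ && ARGV[0]
```

The Version field is the build number of the engine, which is what you match against an advisory; the tcp field is the port you then point mssql_login or an exploit at. If the Browser service is stopped or UDP 1434 is filtered, the probe simply times out and the host must be found by a TCP scan instead.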

Brute-forcing MSSQL passwords

Metasploit also offers brute-force modules. A successful brute-force exploits weak, low-entropy credentials; if it produces results in a reasonable amount of time, it is a valid finding. Hence, we will cover brute-forcing in this phase of the penetration test itself. Metasploit has a built-in module named mssql_login (auxiliary/scanner/mssql/mssql_login), which we can use as an authentication tester for brute-forcing the username and password of an MSSQL server. Keep in mind that SQL Server can lock accounts after repeated failures and logs failed logins, so agree on the scope and rate of the attempts with the client before running it.

Let us...

Scanning SNMP services with Metasploit


Let us perform a TCP port scan of a different network as shown in the following screenshot:

We will be using the tcp scan module, auxiliary/scanner/portscan/tcp, as shown in the preceding screenshot. Let's run the module and analyze the results as follows:

We can see that we found only two services, and neither looks very appealing. Since a TCP scan says nothing about UDP listeners, let us also perform a UDP sweep of the network and check whether we can find something more interesting:

To carry out a UDP sweep, we will use the auxiliary/scanner/discovery/udp_sweep module, as shown in the preceding screenshot. Next, we only need to provide the network range by setting the RHOSTS option; additionally, you can increase the number of threads. Let's run the module and analyze the results:

Amazing! We can see plenty of results generated by the UDP sweep module. Additionally, a Simple Network Management Protocol (SNMP) service is discovered on 192.168.1.19.

The SNMP, is a commonly used service that provides...
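What the UDP sweep actually sends to port 161 is an SNMPv1 GetRequest for sysDescr.0 with a guessed community string. The following is an added example, not code from the book or from Metasploit: that request built by hand with a minimal BER encoder, plus a decoder for the agent's GetResponse. The Ber module, the snmp_* helpers, the community string public, and the two-second timeout are my own choices; the byte layout follows SNMPv1 (RFC 1157) and BER. A wrong community normally earns no reply at all rather than an error, which is why UDP discovery is "silence or answer" and needs a timeout instead of a connection refusal:

```ruby
require 'socket'
# Added example, not the book's or Metasploit's code: the SNMPv1 GetRequest
# that a UDP sweep sends to port 161, built with a minimal BER encoder, and
# the decoder for the agent's GetResponse. All names here are my own.
module Ber
  def self.be_bytes(n)                   # big-endian bytes of a non-negative integer
    bytes = [n & 0xff]
    bytes.unshift(n & 0xff) while (n >>= 8) > 0
    bytes
  end
  def self.len(n)                        # short form below 128, long form above
    n < 128 ? [n].pack('C') : [0x80 | be_bytes(n).size, *be_bytes(n)].pack('C*')
  end
  def self.tlv(tag, body); [tag].pack('C') + len(body.bytesize) + body; end
  def self.str(s); tlv(0x04, s.b); end
  def self.null; tlv(0x05, ''.b); end
  def self.seq(items, tag = 0x30); tlv(tag, items.join); end
  def self.int(v)                        # INTEGER, sign bit kept clear
    bytes = be_bytes(v)
    bytes.unshift(0) if bytes.first >= 0x80
    tlv(0x02, bytes.pack('C*'))
  end
  def self.oid(dotted)                   # first two arcs share a byte; the rest are base-128
    arcs = dotted.split('.').map(&:to_i)
    body = [arcs[0] * 40 + arcs[1]]
    arcs.drop(2).each do |a|
      chunk = [a & 0x7f]
      chunk.unshift((a & 0x7f) | 0x80) while (a >>= 7) > 0
      body.concat(chunk)
    end
    tlv(0x06, body.pack('C*'))
  end
  # Decode one TLV at pos into [[tag, value], next_pos]; SEQUENCE and the
  # context-specific PDU tags decode into arrays of children.
  def self.decode(data, pos = 0)
    tag, first = data.getbyte(pos), data.getbyte(pos + 1)
    if first < 0x80
      length, pos = first, pos + 2
    else
      n = first & 0x7f
      length = data.byteslice(pos + 2, n).unpack('C*').inject { |acc, b| (acc << 8) | b }
      pos += 2 + n
    end
    body = data.byteslice(pos, length)
    value = case tag
            when 0x02 then body.unpack('C*').inject { |acc, b| (acc << 8) | b }
            when 0x04 then body
            when 0x05 then nil
            when 0x06 then decode_oid(body)
            else
              children, off = [], 0
              while off < body.bytesize
                child, off = decode(body, off)
                children << child
              end
              children
            end
    [[tag, value], pos + length]
  end
  def self.decode_oid(body)
    arcs, acc = [], 0
    body.each_byte do |b|
      acc = (acc << 7) | (b & 0x7f)
      next unless (b & 0x80).zero?       # continuation bit set: arc not finished
      arcs << acc
      acc = 0
    end
    first = arcs.shift
    [first / 40, first % 40, *arcs].join('.')
  end
end

SYS_DESCR = '1.3.6.1.2.1.1.1.0'          # sysDescr.0, the usual first question

# SNMPv1 GetRequest (PDU tag 0xa0) for a single OID; a version field of 0 means v1.
def snmp_get_request(community, oid, request_id = rand(1..0x7fffffff))
  pdu = Ber.seq([Ber.int(request_id), Ber.int(0), Ber.int(0),
                 Ber.seq([Ber.seq([Ber.oid(oid), Ber.null])])], 0xa0)
  Ber.seq([Ber.int(0), Ber.str(community), pdu])
end

# Value of the first varbind in a GetResponse (PDU tag 0xa2); nil if the reply
# is not a GetResponse or carries a non-zero error-status.
def snmp_response_value(data)
  message, = Ber.decode(data)
  pdu = message[1][2] if message[0] == 0x30
  return nil unless pdu && pdu[0] == 0xa2 && pdu[1][1][1].zero?
  pdu[1][3][1].first[1][1][1]
end

def snmp_probe(host, community = 'public', timeout = 2)
  sock = UDPSocket.new
  sock.send(snmp_get_request(community, SYS_DESCR), 0, host, 161)
  return nil unless IO.select([sock], nil, nil, timeout)
  data, = sock.recvfrom(65_535)
  snmp_response_value(data)
ensure
  sock&.close
end
```

Usage: snmp_probe('192.168.1.19') returns the sysDescr string, typically an OS and kernel or firmware version, when the community is right, and nil otherwise. The same request with a different OID (for example 1.3.6.1.2.1.1.5.0, sysName.0) works unchanged, which is how an snmp_enum-style walk starts.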

Scanning NetBIOS services with Metasploit


NetBIOS services also provide vital information about the target: they reveal the computer name, the domain or workgroup, and the MAC address, and the name suffixes tell us which role a host plays (workstation, file server, domain controller, master browser). To scan a network for NetBIOS services, we can use the nbname module, auxiliary/scanner/netbios/nbname, as shown in the following screenshot:

As we did previously, we set RHOSTS to the entire network by providing the CIDR range. Let's run the module and analyze the results as follows:

We can see that almost every system on the network is running the NetBIOS service, as listed in the preceding screenshot. This gives us the NetBIOS name, the domain or workgroup, the MAC address, and the IP addresses of each system, which is useful evidence when we later need to tell Windows workstations, file servers, and domain controllers apart.
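The nbname module sends a NetBIOS node status (NBSTAT) query for the wildcard name "*" to UDP 137 and parses the name table in the reply. The following is an added example, not code from the book or from Metasploit, that builds that query and parses the response, including the suffix-to-role mapping behind the "domain controller" style conclusions above; the packet layout is RFC 1002's, while the helper names, the suffix table's wording, and the constructed sample reply are my own:

```ruby
require 'socket'

# Added example, not the book's or Metasploit's code: the NetBIOS node status
# (NBSTAT) query that nbname sends to UDP 137, and a parser for the reply.
# Packet layout follows RFC 1002; helper names and the sample data are my own.
NBNS_PORT = 137

# Well-known NetBIOS name suffixes (the 16th byte of every name).
NB_SUFFIX = {
  0x00 => 'Workstation or Domain', 0x03 => 'Messenger', 0x1b => 'Domain Master Browser',
  0x1c => 'Domain Controllers', 0x1d => 'Master Browser', 0x1e => 'Browser Elections',
  0x20 => 'File Server'
}.freeze

# The wildcard name "*" in first-level encoding: each nibble becomes 'A' + nibble,
# so 0x2a -> "CK" and each of the fifteen 0x00 padding bytes -> "AA".
def nbstat_query(txid = rand(0..0xffff))
  [txid, 0x0000, 1, 0, 0, 0].pack('n6') +                # id, flags, QDCOUNT=1, AN/NS/AR=0
    [32].pack('C') + 'CK' + ('A' * 30) + [0].pack('C') +  # QNAME "*" (32 chars + terminator)
    [0x0021, 0x0001].pack('n2')                            # QTYPE NBSTAT, QCLASS IN
end

# Parse a node status response into { txid:, names: [...], mac: }; nil if the
# datagram is not a response, has no answer, or is truncated.
def parse_nbstat_response(data)
  return nil if data.nil? || data.bytesize < 12
  txid, flags, _qd, ancount = data.unpack('n4')
  return nil unless (flags & 0x8000) != 0 && ancount >= 1   # QR bit set = response
  pos = 12
  while (l = data.getbyte(pos)) && l != 0                   # skip the RR name labels
    pos += 1 + l
  end
  pos += 1
  _type, _klass, _ttl, rdlength = data.byteslice(pos, 10).to_s.unpack('nnNn')
  pos += 10
  rdata = data.byteslice(pos, rdlength.to_i).to_s
  return nil if rdata.empty? || rdata.bytesize < 1 + rdata.getbyte(0) * 18 + 6
  num_names = rdata.getbyte(0)
  names = Array.new(num_names) do |i|
    name, suffix, nflags = rdata.byteslice(1 + i * 18, 18).unpack('a15Cn')
    { name: name.rstrip, suffix: suffix, group: (nflags & 0x8000) != 0,
      role: NB_SUFFIX.fetch(suffix) { format('<%02X>', suffix) } }
  end
  mac = rdata.byteslice(1 + num_names * 18, 6).unpack('C6').map { |b| format('%02x', b) }.join(':')
  { txid: txid, names: names, mac: mac }
end

def nbstat(host, timeout = 2)
  sock = UDPSocket.new
  sock.send(nbstat_query, 0, host, NBNS_PORT)
  return nil unless IO.select([sock], nil, nil, timeout)
  data, = sock.recvfrom(65_535)
  parse_nbstat_response(data)
ensure
  sock&.close
end

# Constructed reply (not captured from a real host) for the self-test: a file
# server that is a member of the CORP domain and also a domain controller.
def sample_nbstat_response(txid = 0xa248)
  entries = [['FILESRV01', 0x00, 0x0400], ['FILESRV01', 0x20, 0x0400],
             ['CORP', 0x00, 0x8400], ['CORP', 0x1c, 0x8400]]
  rdata = [entries.size].pack('C') +
          entries.map { |n, s, f| [n.ljust(15), s, f].pack('a15Cn') }.join +
          [0x00, 0x0c, 0x29, 0xab, 0xcd, 0xef].pack('C6') + ("\x00" * 40).b   # unit ID (MAC) + statistics
  [txid, 0x8400, 0, 1, 0, 0].pack('n6') +
    [32].pack('C') + 'CK' + ('A' * 30) + [0].pack('C') +
    [0x0021, 0x0001, 0].pack('nnN') + [rdata.bytesize].pack('n') + rdata
end
```

A group name (high bit of the name flags set) with suffix 0x1C is the domain controllers group, so a host that lists DOMAIN<1C> is a domain controller; a unique name with suffix 0x20 is a host sharing files over SMB. The MAC comes from the unit ID in the statistics block, which is why nbname can report it without ARP.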

Scanning HTTP services with Metasploit


Metasploit allows us to perform fingerprinting of various HTTP services. Additionally, Metasploit contains a large number of exploit modules targeting different kinds of web servers. Hence, scanning HTTP services not only fingerprints the web servers, it also builds a list of web servers and applications that Metasploit can attack later. Let us use the http_version module (auxiliary/scanner/http/http_version), which reports the Server header and, when present, the X-Powered-By header and the response code, and run it against the network as follows:

Let's execute the module after setting up all the necessary options such as RHOSTS and Threads as follows:

The http_version module from Metasploit has successfully fingerprinted various web server software and applications in the network. We will exploit some of these services in Chapter 3, Exploitation and Gaining Access. We saw how we could fingerprint HTTP services, so let's try figuring out whether we can scan its big brother, HTTPS, with Metasploit.

Scanning HTTPS/SSL with Metasploit


Metasploit contains an SSL scanner module, auxiliary/scanner/http/ssl, that can uncover a variety of information about the TLS/SSL service on a target, including the server certificate. Let us quickly set up and run the module as follows:

We have the ssl module from auxiliary/scanner/http, as shown in the preceding screenshot. We can now set RHOSTS, the number of threads to run, and RPORT if it is not 443, and execute the module as follows:

Analyzing the preceding output, we can see a self-signed certificate in place on the IP address 192.168.1.8, along with details such as the issuer, e-mail address, and much more. A self-signed certificate cannot be validated against any trusted CA, so clients either skip validation or click through the warning, and either way an attacker on the path can impersonate the server with a certificate of their own. Certificate details also become vital to law enforcement agencies and in fraud investigations; there have been cases where a CA issued certificates to sites that were spreading malware.
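The "self-signed" verdict is worth checking properly: a certificate whose issuer merely equals its subject proves nothing until the signature verifies under the certificate's own key. The following is an added example, not code from the book or from Metasploit, that fetches a server's leaf certificate with Ruby's OpenSSL bindings and records the fields a tester writes down; the helper names, the 5-second timeout, and the throwaway certificate generated for the self-test are my own:

```ruby
require 'openssl'
require 'socket'

# Added example, not the book's or Metasploit's code: the checks behind the
# "self-signed" verdict in the ssl scanner's output, using Ruby's OpenSSL
# bindings. Helper names and the generated test certificate are my own.

# Self-signed means the issuer equals the subject AND the signature verifies
# under the certificate's own public key; matching names alone can be faked.
def self_signed?(cert)
  cert.issuer.to_der == cert.subject.to_der && cert.verify(cert.public_key)
end

# The fields a tester records for a TLS endpoint.
def describe_cert(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  key = cert.public_key
  {
    subject: cert.subject.to_s,
    issuer: cert.issuer.to_s,
    not_before: cert.not_before,
    not_after: cert.not_after,
    san: san && san.value,
    key_bits: key.respond_to?(:n) ? key.n.num_bits : nil,   # RSA only
    sig_alg: cert.signature_algorithm,
    self_signed: self_signed?(cert),
    expired: cert.not_after < Time.now
  }
end

# Fetch the leaf certificate a server presents. Verification is disabled on
# purpose: we want to see the certificate even when it is untrusted.
def fetch_peer_cert(host, port = 443, timeout = 5)
  tcp = Socket.tcp(host, port, connect_timeout: timeout)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host          # SNI, so virtual hosts return the right certificate
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# Throwaway self-signed certificate, constructed here for the self-test (it
# is not any real host's certificate).
def make_self_signed(cn = 'router.local', days = 365)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                      # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Usage: ruby ssl_check.rb 192.168.1.8 443
if $PROGRAM_NAME == __FILE__ && ARGV[0]
  describe_cert(fetch_peer_cert(ARGV[0], (ARGV[1] || 443).to_i)).each { |k, v| puts "#{k}: #{v}" }
end
```

VERIFY_NONE is correct here and only here: the scanner's job is to retrieve and describe the certificate, not to trust it. Besides the self-signed flag, the expiry date, the key size, and a missing subjectAltName (modern browsers ignore the CN) are the findings that usually end up in the report.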

We learned about various Metasploit modules. Let us now delve deeper and look at how the modules are built.

Module building essentials


The best way to start learning about module development is to delve deeper into the existing Metasploit modules and see how they work. Let's look at some modules to find out what happens when we run these modules.

The format of a Metasploit module

The skeleton for Metasploit modules is relatively simple. We can see the universal header section in the following code:

require 'msf/core'
class MetasploitModule < Msf::Auxiliary
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Module name',
      'Description'    => %q{
        Say something that the user might want to know.
      },
      'Author'         => [ 'Name' ],
      'License'        => MSF_LICENSE
    ))
  end

  def run
    # Main function
  end
end

A module starts by including the necessary libraries with the require keyword, which in the preceding code is followed by the msf/core libraries. Thus, it includes the core libraries from the msf directory...

Disassembling existing HTTP server scanner modules


Let's work with a simple module that we used previously, that is, the HTTP version scanner and see how it works. The path to this Metasploit module is /modules/auxiliary/scanner/http/http_version.rb.

Let's examine this module systematically:

# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit 
# website for more information on licensing and terms of use. 
# http://metasploit.com/ 
require 'rex/proto/http' 
require 'msf/core' 
class Metasploit3 < Msf::Auxiliary

Let's discuss how things are arranged here. The copyright lines starting with the # symbol are comments, and they are included in all Metasploit modules. The require 'rex/proto/http' statement asks the interpreter to load the HTTP protocol library from Rex, so everything under the /lib/rex/proto/http directory is now available to the module... Note that this older copy of the module names its class Metasploit3; current modules use the class name MetasploitModule, as in the skeleton shown earlier.

Summary and exercises


Throughout this chapter, we covered scanning of various types of services, such as databases, FTP, HTTP, SNMP, NetBIOS, SSL, and more. We looked at how Metasploit modules are put together as a basis for developing custom modules, and dismantled some library functions and modules. This chapter will help you answer the following set of questions:

  • How do you scan FTP, SNMP, SSL, MSSQL, NetBIOS, and various other services with Metasploit?
  • Why is it necessary to scan both TCP and UDP ports?
  • How can a Metasploit module be edited inline for fun and profit?
  • How are various libraries added to Metasploit modules?
  • Where do you look for functions used in a Metasploit module to build a new module?
  • What is the format of a Metasploit module?
  • How do you print status, information, and error messages in Metasploit modules?

You can try the following self-paced exercises to learn more about the scanners:

  • Try executing system commands through MSSQL (for example, via xp_cmdshell) using the credentials found during the tests
  • Try finding a vulnerable...
