Find online windows machines using metasploit
In this post I am going to show you how to discover Windows machines online. These Windows machines are desktop users connected to the internet. Many Windows versions are known to have vulnerabilities that can be exploited with Metasploit using nothing more than the IP address of the system, so the first step is to find out whether any such machines exist.
SMB version scanner
Metasploit has an auxiliary scanner module for identifying the version of the SMB (Samba/Windows file sharing) service on a range of IP addresses. The SMB service listens on TCP port 445. The exact path to the scanner inside msfconsole is auxiliary/scanner/smb/smb_version.
The first step is to set the target IP addresses to scan. The easiest range to pick is your own IP address range: just as you are connected to the internet through your ISP, lots of other users are connected through it too. Let's say I find my public IP address to be 18.104.22.168; then I can choose the range 22.214.171.124-255.
That range covers 255 IP addresses in all.
Let's try this with Metasploit. Start msfconsole. I am using BackTrack, so the output might look different from your console if it is Windows or something else.
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads
First select the SMB version scanner, then display the options it needs. The only required option without a default is RHOSTS, the IP range to scan, so we set it to the address range we chose above.
msf auxiliary(smb_version) > set RHOSTS 126.96.36.199-255
RHOSTS => 188.8.131.52-255
We also set a higher value for THREADS, such as 10, so that the scan runs faster.
msf auxiliary(smb_version) > set THREADS 10
THREADS => 10
All options are set, so now type run and hit enter. The module starts listing online Windows machines along with the version, build number, host name and domain.
msf auxiliary(smb_version) > run
[*] 184.108.40.206:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:MANISH-PC) (domain:WORKGROUP)
[*] 220.127.116.11:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:RAJESH-PC) (domain:WORKGROUP)
[*] 18.104.22.168:445 is running Windows 7 Home Premium (Build 7601) (language: Unknown) (name:MININT-VCRO6TK) (domain:WORKGROUP)
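When an administrator runs the same module against their own address space to inventory which hosts expose SMB to the internet, the output above is what there is to work with. The following added example (my code, not part of the original post or of Metasploit) parses that line format into records and tallies hosts by build number; the sample lines are copied from the run above, and the build-to-service-pack mapping is limited to the two builds that appear there.

```python
import re

# Sample smb_version output, copied from the post's run (the IPs are as printed there).
SAMPLE_OUTPUT = """\
[*] 184.108.40.206:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:MANISH-PC) (domain:WORKGROUP)
[*] 220.127.116.11:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:RAJESH-PC) (domain:WORKGROUP)
[*] 18.104.22.168:445 is running Windows 7 Home Premium (Build 7601) (language: Unknown) (name:MININT-VCRO6TK) (domain:WORKGROUP)
"""

# One smb_version result line: "[*] IP:PORT is running OS (Build N) (language: L) (name:H) (domain:D)"
SMB_LINE_RE = re.compile(
    r"^\[\*\] (?P<ip>[\d.]+):(?P<port>\d+) is running (?P<os>.+?) "
    r"\(Build (?P<build>\d+)\) \(language: (?P<language>[^)]*)\) "
    r"\(name:(?P<name>[^)]*)\) \(domain:(?P<domain>[^)]*)\)\s*$"
)

# Service-pack level implied by the build number (well-known Windows 7 builds).
KNOWN_BUILDS = {
    7600: "Windows 7 / Server 2008 R2 RTM (no service pack)",
    7601: "Windows 7 / Server 2008 R2 SP1",
}


def parse_smb_version_output(text):
    """Turn smb_version output lines into a list of dicts; non-matching lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = SMB_LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["build"] = int(rec["build"])
        rec["level"] = KNOWN_BUILDS.get(rec["build"], "unknown build")
        hosts.append(rec)
    return hosts


def count_by_build(hosts):
    """Return {build_number: number_of_hosts} for an exposure summary."""
    counts = {}
    for h in hosts:
        counts[h["build"]] = counts.get(h["build"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_smb_version_output(SAMPLE_OUTPUT)
    for h in found:
        print(f'{h["ip"]:16} {h["name"]:16} build {h["build"]}  {h["level"]}')
    print("hosts per build:", count_by_build(found))
```

Every host in the parsed list is one that answered on port 445 from outside, which is the exposure an administrator would want to close at the edge rather than leave to patch level alone.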
If you are lucky enough to find an unpatched Windows XP SP2 (or earlier) machine, then you might be able to launch the famous ms08_067_netapi exploit and gain control of the system using Meterpreter or VNC. That is going to be real fun until you are caught! If you are running out of hacking ideas, then let me tell you that you can try this on your ISP's IP range, your friend's ISP's IP range, your school computer lab and so on.
Note that the machines listed are the ones directly connected to the internet, because Metasploit could reach port 445 and extract information from it. A machine connected through a home internet router won't show up here, since the router is the device that holds the public address in that case and it does not forward port 445 to the machine behind it.
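The same property that makes the scan work, a host answering on port 445 from the internet, is what an edge firewall log shows when such a sweep passes through. The following added example (my code, not from the post or Metasploit) runs simple sweep detection over constructed iptables-style LOG lines: it flags any source that sends SYNs to port 445 on at least five distinct destinations within a sixty-second window. The log lines, host name gw and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in iptables LOG style (not from the original post).
# 203.0.113.5 sweeps port 445 across five hosts in three seconds; 203.0.113.9 does not.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44321 DPT=445 SYN
Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=44322 DPT=445 SYN
Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP SPT=44323 DPT=445 SYN
Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.13 PROTO=TCP SPT=44324 DPT=445 SYN
Mar 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.14 PROTO=TCP SPT=44325 DPT=445 SYN
Mar 10 12:00:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=445 SYN
Mar 10 12:00:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=80 SYN
Mar 10 12:30:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.99 PROTO=TCP SPT=44400 DPT=445 SYN
"""

# Pull the time of day, source, destination and destination port out of a LOG line.
FW_LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hms>\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(text):
    """Return (seconds_since_midnight, src, dst, dst_port) tuples for parseable lines."""
    events = []
    for line in text.splitlines():
        m = FW_LINE_RE.search(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m.group("hms").split(":"))
        events.append((h * 3600 + mi * 60 + s, m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def detect_smb_sweeps(events, port=445, min_targets=5, window_s=60):
    """Map each source that hit `port` on >= min_targets distinct hosts within window_s
    seconds to the largest number of distinct targets seen in any such window."""
    by_src = defaultdict(list)
    for t, src, dst, dpt in events:
        if dpt == port:
            by_src[src].append((t, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            # Slide the window start forward until it spans at most window_s seconds.
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1
            targets = {d for _, d in hits[lo:hi + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(parse_events(SAMPLE_LOG)).items():
        print(f"port-445 sweep from {src}: {n} distinct targets within 60s")
```

The window matters: the lone 12:30 probe from 203.0.113.5 is not joined to the earlier burst, so a slow scan spread over hours would need a longer window or a per-day distinct-destination count to surface. Dropping inbound 445 at the edge removes both the exposure and most of this noise.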
So we saw how the auxiliary modules give Metasploit the ability to scan as well as exploit. There are many other useful scanners that we are going to talk about in upcoming posts.