Scanning and Managing Hosts

Host discovery is the process that Metasploit performs to identify the ports, services, and operating systems that are in use by hosts on a particular network. You run a scan to find the hosts that are accessible on a network and to help you identify vulnerabilities based on the open ports and services that the scan finds.

Scanning for Hosts

You can launch a discovery scan to enumerate services and ports on target hosts. A discovery scan performs host discovery, port scanning, and OS fingerprinting.

A discovery scan starts with an Nmap scan to detect available systems and scan ports. Next, the discovery scan sweeps the target network with UDP probes to identify additional systems. After the discovery scan identifies available ports, the discovery scan sweeps the ports with service specific modules to identify active services.

Use the pro_discover command to perform a discovery scan.

    msf-pro > pro_discover 192.168.0.1
    [*] Started task 1

To view the status of the task, run the following command:

    msf-pro > pro_tasks

    Id  Project  Description  Status   Information
    ==  =======  ===========  ======   ===========
    12  default  Discovering  running  Configuring and launching

    msf-pro > pro_tasks -w 12

Running a Credentialed Scan

If you have SMB credentials that you want to specify for Windows hosts running Samba or for shared access points, you can use the pro_discover command and the following options:

  • -sd option defines the SMB domain.
  • -su option specifies the user name.
  • -sp option specifies the password.

    msf-pro > pro_discover 192.168.0.1 -sd workgroup -su root -sp root

Viewing a List of Hosts

Use the hosts command to view a list of hosts that the database contains. To view a list of hosts, you must have an active connection to the database.

    msf-pro > hosts

    Hosts
    =====

    address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
    =======  ===  ====  =======  =========  =====  =======  ====  ========
    192.168.0.1
    192.168.0.2

Adding a Host

Use the hosts command and the -a option to add a host to the current workspace.

    msf-pro > hosts -a 192.168.0.3

    [*] Time: 2012-02-01 05:05:05 UTC Host: host=192.168.0.3

Deleting a Host

Use the hosts command and the -d option to delete a host from the current workspace:

    msf-pro > hosts -d 192.168.0.3
    [*] Deleted 1 hosts

Connecting to a Host

Use the connect command to communicate with a host. You must supply the host address and port that you want to connect to.

    msf-pro > connect 192.168.0.1 22
    [*] Connected to 192.168.0.1:22

Outputting Host Data to CSV File

Use the hosts command and the -o option to output all the information about the hosts in the database to a CSV file. The data includes the IP address, MAC address, host name, operating system, OS flavor, purpose, and comments.

The following example outputs all the hosts in the database to a file called HRHosts.csv.

    msf-pro > hosts -o HRHosts.csv

Importing Scan Data

Use the db_import command to import host or scan data into the database. The data must be stored in an XML file. By default, the Metasploit Framework imports files from the msf3/data directory.

    msf-pro > db_import subnetA.xml
    [*] Importing 'Metasploit XML' data
    [*] Importing host 192.168.0.3
    [*] Successfully imported C:/metasploit/msf3/subnetA.xml

Supported Scan Data Formats

You can import scan data from most vulnerability and scanning tools that are available as well as exported Metasploit project files.

Metasploit supports most of the major scanners on the market, including Rapid7's own Nexpose, and other tools like Qualys and Core Impact. The following scan reports are supported:

  • Foundstone Network Inventory XML
  • Microsoft MBSA SecScan XML
  • nCircle IP360 XMLv3 and ASPL
  • NetSparker XML
  • Nessus NBE
  • Nessus XML v1 and v2
  • Qualys Asset XML
  • Qualys Scan XML
  • Burp Session XML
  • Acunetix XML
  • AppScan XML
  • Nmap XML
  • Retina XML
  • Amap Log
  • Critical Watch VM XML
  • IP Address List
  • Libpcap Network Capture
  • Spiceworks Inventory Summary CSV
  • Core Impact XML

Metasploit does not import service and port information from Qualys Asset files. If you import a Qualys Asset file, you must run a discovery scan to enumerate services and ports that are active on the imported hosts.
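The import and export steps described above (db_import of a report in one of the listed formats, the note that some imported hosts carry no service data and still need a discovery scan, and hosts -o writing the table to CSV) as an added example in Python. This is not Metasploit's own importer or any of its code: it parses a constructed Nmap XML run (one of the supported formats) into records keyed by hosts-table column names, flags up hosts that have no open services as candidates for a discovery scan, and renders the result as CSV. The column subset, the mapping of Nmap's osclass family and generation onto os_name and os_flavor, and the sample XML are assumptions of this example.

```python
"""Parse Nmap XML into host records using Metasploit hosts-table column
names, then write them as CSV. Added example, not Metasploit code."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: a three-host Nmap XML run, not real scan output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.168.0.0/30">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="gateway.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95">
      <osclass osfamily="Linux" osgen="5.X"/></osmatch></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed subset of the hosts-table columns listed on this page.
COLUMNS = ["address", "mac", "name", "os_name", "os_flavor", "state", "service_count"]


def parse_nmap_xml(xml_text):
    """Return one dict per <host>, keyed by hosts-table column names."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        rec = {c: "" for c in COLUMNS}
        status = h.find("status")
        rec["state"] = status.get("state", "") if status is not None else ""
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                rec["address"] = a.get("addr", "")
            elif a.get("addrtype") == "mac":
                rec["mac"] = a.get("addr", "")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            rec["name"] = hn.get("name", "")
        # Assumed mapping: Nmap osclass family -> os_name, generation -> os_flavor
        osclass = h.find("os/osmatch/osclass")
        if osclass is not None:
            rec["os_name"] = osclass.get("osfamily", "")
            rec["os_flavor"] = osclass.get("osgen", "")
        # Count only open ports as services, as a port scan would report them
        rec["service_count"] = sum(
            1 for p in h.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open")
        hosts.append(rec)
    return hosts


def hosts_up(hosts):
    """Equivalent of `hosts -u`: only hosts whose state is up."""
    return [h for h in hosts if h["state"] == "up"]


def hosts_needing_discovery(hosts):
    """Up hosts that were imported with no service data: present in the
    database, but a discovery scan is still needed to enumerate their ports."""
    return [h["address"] for h in hosts_up(hosts) if h["service_count"] == 0]


def hosts_to_csv(hosts, columns=COLUMNS):
    """Render records as CSV text, the shape `hosts -o` writes to a file."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    w.writeheader()
    w.writerows(hosts)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(hosts_to_csv(recs))
    print("need discovery:", hosts_needing_discovery(recs))
```

Run it as a script to see the CSV and the list of hosts that need a follow-up discovery scan; to apply it to a real Nmap report, read the file contents and pass them to parse_nmap_xml in place of the constructed sample.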

Viewing Hosts that Are Up

Use the hosts command and the -u option to view a list of hosts that are up.

    msf-pro > hosts -u

    Hosts
    =====

    address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
    =======  ===  ====  =======  =========  =====  =======  ====  ========
    192.168.0.1

Viewing Specific Columns from the Hosts Table

Use the hosts command and the -c option to view specific columns from the database.

    msf-pro > hosts -c address

    Hosts
    =====

    address
    =======
    192.168.0.1
    192.168.0.2
    192.168.0.3

Columns in the Hosts Table

Metasploit stores host data in the hosts table. You can use the column name to search the database for hosts. For example, if you want to see the names of all the hosts stored in the database, you can type hosts -c name, and the console displays a list of all host names in the workspace.

The following columns are available for the hosts table:

  • address
  • arch
  • comm
  • comments
  • created_at
  • cred_count
  • detected_arch
  • exploit_attempt
  • history_count
  • info
  • mac
  • name
  • note_count
  • os_flavor
  • os_lang
  • os_name
  • os_sp
  • purpose
  • scope
  • service_count
  • state
  • updated_at
  • virtual_host
  • vuln_count
  • svcs
  • vulns
  • workspace
  • tags

Viewing Loot

Loot is the collected data that Metasploit stores in the database. You can use the loot command to store and retrieve the data that you have collected from target hosts.

    msf-pro > loot

Outputting Host Data

Use the hosts command and the -o option to generate a CSV text file that contains the data from the host table.

    msf-pro > hosts -o subnet1data
    [*] Wrote hosts to subnet1data