Monday, March 22, 2010

Using Metasploit for OS fingerprinting

Metasploit is primarilly a framework for developing and testing exploits. It comes with a suite of supporting tools that aid in exploit development, including port scanners. We can use one of these scanners to scan for open ports and fingerprint Windows services as well as the OS type. Using the following commands we can quickly fingerprint the SMB port of 445 to determine the OS version.

# ./msfconsole //launches the framework

msf> use auxiliary/scanner/portscan/syn
msf auxiliary(syn)>show options
set the necessary options, using port 445 as the port
msf auxiliary(smb version)>run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Then based on your results, if port 445 is open on the host, use
msf> use auxiliary/scanner/smb/smb_version
msf auxiliary(smb version)>show options
set the rhosts option then run the auxiliary module:
msf auxiliary(smb version)>run
[*] is runnnin Windows XP Service Pack 3(Language: English) (name:PC1) (domain:PC1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see, withing a few simple metasploit commands you can determine the OS type of a remote system. This however uses the SMB port of 445 and is a requirement for this experiment. Then are other ways to determine this information but this is one of the most reliable methods.

1 comment:

  1. This works great for windows boxes, but it's not useful at all for iOS or Android. So far the only way I've found to detect those operating systems is by using the "Comprehensive" nmap scan in armitage. This takes a very, very long time to complete, and so it not that useful when scanning large networks.