In the previous article we identified the operating system using the ping command. Today we'll show how you can identify the OS using a single post-exploitation framework: the Metasploit Framework.
Metasploit is primarily a framework for developing and testing exploits. It comes with a suite of supporting tools that aid in exploit development, including port scanners. We can use one of these scanners to scan for open ports and fingerprint Windows services as well as the OS type. Using the following commands we can quickly fingerprint the SMB service on port 445 to determine the OS version.
To start the Metasploit Framework, type "msfconsole" in your terminal.
A variety of port scanner modules are available in the Metasploit Framework, such as ACK scan, SYN scan, TCP scan and XMAS scan. For this purpose we'll use SYN scanning by typing the following command:
Command: use auxiliary/scanner/portscan/syn
Scanners and most other auxiliary modules use the RHOSTS option instead of RHOST. RHOSTS can take IP ranges (192.168.1.20-192.168.1.30), CIDR ranges (192.168.1.0/24), multiple ranges separated by commas (192.168.1.0/24, 192.168.3.0/24), and line-separated host list files (file:/tmp/hostlist.txt).
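The RHOSTS syntax above (single hosts, dash ranges, CIDR blocks, comma-separated lists and file: host lists) is a small format worth being able to expand on its own, for example to count how many hosts a specification really covers and to check the expanded list against the scope an assessment is authorized for before anything is run. The parser below is an added example written for this article; it is not Metasploit's own RangeWalker code. It assumes plain tokens are IP literals (hostnames are rejected rather than resolved), that a CIDR block expands to every address in the block including the network and broadcast addresses, and that a file: list holds one token per line with blank lines and '#' comments ignored.

```python
import ipaddress
import os
import tempfile
from typing import Iterator, List


def _expand_token(token: str) -> Iterator[str]:
    """Yield every address covered by one RHOSTS token."""
    token = token.strip()
    if not token:
        return
    if token.startswith("file:"):
        # line-separated host list; blank lines and '#' comments are skipped,
        # and each remaining line may itself be a range or CIDR block
        with open(token[len("file:"):], encoding="utf-8") as fh:
            for line in fh:
                line = line.split("#", 1)[0].strip()
                if line:
                    yield from _expand_token(line)
        return
    if "/" in token:
        # CIDR block: every address in the block, network and broadcast included
        # (assumption for this example; see the lead-in)
        for addr in ipaddress.ip_network(token, strict=False):
            yield str(addr)
        return
    if "-" in token:
        # dash range written with two full addresses, e.g. 192.168.1.20-192.168.1.30
        lo_s, hi_s = token.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version:
            raise ValueError(f"mixed address families in range: {token}")
        if hi < lo:
            raise ValueError(f"range end precedes start: {token}")
        for n in range(int(lo), int(hi) + 1):
            yield str(type(lo)(n))  # keep the family of the range endpoints
        return
    # single host; ipaddress raises ValueError for hostnames or malformed input
    yield str(ipaddress.ip_address(token))


def expand_rhosts(spec: str) -> List[str]:
    """Expand a comma/whitespace separated RHOSTS spec into an ordered,
    de-duplicated host list (a host listed twice is only probed once)."""
    seen = set()
    hosts: List[str] = []
    for token in spec.replace(",", " ").split():
        for host in _expand_token(token):
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


def demo() -> dict:
    """Run the parser on constructed specs, including a temporary file: host list."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("# constructed host list, not a real inventory\n192.168.1.1\n\n192.168.2.0/30\n")
        path = fh.name
    try:
        return {
            "range": expand_rhosts("192.168.1.20-192.168.1.30"),
            "cidr": expand_rhosts("192.168.1.0/24"),
            "multi": expand_rhosts("192.168.1.0/30, 192.168.3.0/30"),
            "dedup": expand_rhosts("10.0.0.1, 10.0.0.1 10.0.0.0/31"),
            "file": expand_rhosts(f"file:{path}"),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name}: {len(hosts)} host(s), first={hosts[0]}, last={hosts[-1]}")
```

A quick sanity check before a scan is to compare `len(expand_rhosts(spec))` with the size of the authorized range; a /16 typed where a /24 was intended expands to 65,536 hosts and is caught here rather than on the network.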
In this case our target IP is 192.168.179.142, so the command is "set RHOSTS 192.168.179.142". If you want to scan all ports in the default range of 1-10000, leave the PORTS option as it is; otherwise narrow it with "set PORTS 445".
Now run the scanner (the SYN scanner loaded above) by typing the run command. The results clearly show that port 445 is open on the target address. Based on that result, we'll use the SMB scanner, since port 445 is open.
For SMB scanning, type "use auxiliary/scanner/smb/smb_version" in the same terminal.
Again define the target by typing "set RHOSTS 192.168.179.142".
The smb_version scanner connects to each workstation in the given range of hosts and determines the version of the SMB service that is running. As you can see, with a few simple Metasploit commands you can easily determine the OS type of a remote system.
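Seen from the other side, the two steps above leave a characteristic footprint: one source sends SYNs to a long run of ports on a single host (the portscan/syn step), then connects to TCP/445 on every host in a range (the smb_version step). The script below is an added example written for this article, not part of Metasploit or any firewall product. It parses a constructed connection-log format (timestamp, src, dst, dport, proto, action), aggregates per source, and flags a source that touches at least `port_threshold` distinct ports on one host or port 445 on at least `smb_threshold` distinct hosts; the format, the thresholds and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format for this example (not a real product's format):
# 2024-05-01T10:00:01Z src=A.B.C.D dst=E.F.G.H dport=445 proto=tcp action=allow
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(lines, port_threshold: int = 20, smb_threshold: int = 5) -> List[Dict]:
    """Flag sources that probe many ports on one host (port scan) or touch
    TCP/445 on many hosts (SMB version sweep). Dropped and allowed attempts
    both count: a SYN scan shows up mostly as drops."""
    ports_per_src_dst: Dict[tuple, set] = defaultdict(set)
    smb_hosts_per_src: Dict[str, set] = defaultdict(set)
    times_per_src: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        ports_per_src_dst[(rec["src"], rec["dst"])].add(rec["dport"])
        if rec["dport"] == 445:
            smb_hosts_per_src[rec["src"]].add(rec["dst"])
        times_per_src[rec["src"]].append(rec["ts"])

    findings: List[Dict] = []
    for (src, dst), ports in ports_per_src_dst.items():
        if len(ports) >= port_threshold:
            findings.append({"src": src, "type": "port_scan", "dst": dst, "count": len(ports),
                             "first": min(times_per_src[src]), "last": max(times_per_src[src])})
    for src, hosts in smb_hosts_per_src.items():
        if len(hosts) >= smb_threshold:
            findings.append({"src": src, "type": "smb_sweep", "dst": None, "count": len(hosts),
                             "first": min(times_per_src[src]), "last": max(times_per_src[src])})
    # "first"/"last" span all traffic from the source, not only the flagged lines
    return sorted(findings, key=lambda f: (f["src"], f["type"]))


def sample_log() -> List[str]:
    """Constructed sample: one scanning host and one benign workstation. Not captured data."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    scanner, target = "192.168.179.10", "192.168.179.142"
    lines: List[str] = []

    def emit(offset: int, src: str, dst: str, dport: int, action: str) -> None:
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src={src} dst={dst} dport={dport} proto=tcp action={action}")

    # 1) port scan: the scanner walks ports 1-40 on the target; the firewall drops them
    for port in range(1, 41):
        emit(port, scanner, target, port, "drop")
    # 2) SMB sweep: the scanner then connects to 445 on seven neighbouring hosts
    for i, last_octet in enumerate(range(140, 147)):
        emit(60 + i, scanner, f"192.168.179.{last_octet}", 445, "allow")
    # 3) benign traffic: a workstation using HTTPS and a single file share
    for i in range(3):
        emit(100 + i, "192.168.179.20", target, 443, "allow")
    emit(110, "192.168.179.20", "192.168.179.143", 445, "allow")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for f in detect_scans(sample_log()):
        print(f"{f['src']} {f['type']} count={f['count']} {f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}")
```

The benign workstation never trips either rule because it reaches one file server only, which is the point of counting distinct hosts on 445 rather than raw connection volume; in production the thresholds would be tuned against normal SMB fan-out for the network.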