Metasploit Information Gathering Basics [Search for info]
Metasploit is an open source penetration testing framework. Using some of its auxiliary modules we can gather information about a target. Let's see how to do it step by step, starting with collecting email addresses.
msf > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > show options
Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DOMAIN                          yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  true             yes       Enable Google as a backend search engine
   SEARCH_YAHOO   true             yes       Enable Yahoo! as a backend search engine
msf auxiliary(search_email_collector) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(search_email_collector) > run
[*] Harvesting emails .....
[*] Searching Google for email addresses from microsoft.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from microsoft.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from microsoft.com
[*] Extracting emails from Yahoo search results...
[*] Located 0 email addresses for microsoft.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) > set DOMAIN cisco.com
DOMAIN => cisco.com
msf auxiliary(search_email_collector) > run
[*] Harvesting emails .....
[*] Searching Google for email addresses from cisco.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from cisco.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from cisco.com
[*] Extracting emails from Yahoo search results...
[*] Located 2 email addresses for cisco.com
[*] gsahagun@cisco.com
[*] vern@cisco.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) >
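What the module does under the hood is scrape search-result pages and pull out anything that looks like an address for the target domain. The following Python snippet is an added example (not the module's own code, and not from this post) that shows the extraction step on a constructed, made-up page fragment: it undoes the usual light obfuscation (HTML entities, URL-encoded "@", "(at)"), drops false positives such as file names like logo@2x.png that still match an email regex, and keeps only unique addresses belonging to the requested domain.

```python
import re
from html import unescape

# Constructed sample of what a search-result page body might contain.
# This is made-up text for the example, not real search output.
SAMPLE_RESULTS = """
<p>Contact the press team at press@example.com or
<a href="mailto:sales%40example.com">sales (at) example.com</a>.</p>
<img src="/static/logo@2x.png">
<p>Partner mailbox: partner@other-example.org, duplicate press@example.com</p>
<p>Mangled: alice&#64;example.com</p>
"""

# Deliberately simple address pattern; the domain filter below catches the junk it admits.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalise(text: str) -> str:
    """Undo common encodings/obfuscations so addresses become matchable."""
    text = unescape(text)                                   # &#64; -> @
    text = text.replace("%40", "@")                         # URL-encoded @ in mailto: links
    text = re.sub(r"\s*\(at\)\s*", "@", text, flags=re.I)   # "user (at) domain" -> user@domain
    return text


def harvest(text: str, domain: str) -> list[str]:
    """Return unique, lower-cased addresses at `domain`, in first-seen order."""
    found: list[str] = []
    for match in EMAIL_RE.finditer(normalise(text)):
        addr = match.group(0).lower()
        # Drop other domains and regex false positives such as "logo@2x.png".
        if addr.split("@", 1)[1] != domain:
            continue
        if addr not in found:
            found.append(addr)
    return found


if __name__ == "__main__":
    for addr in harvest(SAMPLE_RESULTS, "example.com"):
        print(addr)
```

Run against the constructed sample, harvest() returns press@example.com, sales@example.com and alice@example.com; the partner address is filtered out because it belongs to another domain, and the image path never survives the domain check. The same filtering is why a module like this can report zero addresses for a domain whose staff addresses simply are not indexed anywhere.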
Is Microsoft a little scared of posting their email addresses publicly?
Let's find some DNS information about microsoft.com with Metasploit:
msf auxiliary(shodan_search) > use auxiliary/gather/dns_info
msf auxiliary(dns_info) > show options
Module options (auxiliary/gather/dns_info):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   DOMAIN                   yes       The target domain name
   NS                       no        Specify the name server to use for queries, otherwise use the system configured DNS Server is used.
msf auxiliary(dns_info) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_info) > run
[*] Enumerating microsoft.com
[+] microsoft.com - Address 134.170.188.221 found. Record type: A
[+] microsoft.com - Address 134.170.185.46 found. Record type: A
[+] microsoft.com - Name server ns4.msft.net (208.76.45.53) found. Record type: NS
[+] microsoft.com - Name server ns4.msft.net (2620:0:37::53) found. Record type: NS
[+] microsoft.com - Name server ns1.msft.net (208.84.0.53) found. Record type: NS
[+] microsoft.com - Name server ns1.msft.net (2620:0:30::53) found. Record type: NS
[+] microsoft.com - Name server ns2.msft.net (208.84.2.53) found. Record type: NS
[+] microsoft.com - Name server ns2.msft.net (2620:0:32::53) found. Record type: NS
[+] microsoft.com - Name server ns3.msft.net (193.221.113.53) found. Record type: NS
[+] microsoft.com - Name server ns3.msft.net (2620:0:34::53) found. Record type: NS
[+] microsoft.com - ns1.msft.net (208.84.0.53) found. Record type: SOA
[+] microsoft.com - ns1.msft.net (2620:0:30::53) found. Record type: SOA
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.170) found. Record type: MX
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.138) found. Record type: MX
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.215) found. Record type: MX
[+] microsoft.com - Text info found: v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all . Record type: TXT
[+] microsoft.com - Text info found: FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ== . Record type: TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_info) >
To find SRV records, do the following:
msf auxiliary(dns_info) > use auxiliary/gather/dns_srv_enum
msf auxiliary(dns_srv_enum) > show options
Module options (auxiliary/gather/dns_srv_enum):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   ALL_NS  false            no        Run against all name servers for the given domain.
   DOMAIN                   yes       The target domain name.
msf auxiliary(dns_srv_enum) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_srv_enum) > run
[*] Enumerating SRV Records for microsoft.com
[+] Host: sipfed.microsoft.com IP: 131.107.255.86 Service: sipfederationtls Protocol: tcp Port: 5061
[+] Host: sipdog3.microsoft.com IP: 131.107.1.47 Service: xmpp-server Protocol: tcp Port: 5269
[*] Auxiliary module execution completed
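The raw console output from dns_info and dns_srv_enum is easier to act on once it is structured, and the TXT record in particular carries the domain's SPF policy, which is the part a defender should read carefully (a "-all" tail rejects unlisted senders, "~all" only marks them, and "?all" or "+all" gives no protection). The following Python script is an added example, not code from this post or from Metasploit: it parses the "[+] ... Record type: X" and "[+] Host: ... Port: N" line formats shown above into a record inventory and grades the SPF policy. The sample output embedded in it is constructed for the example; it reuses a few names and addresses from the output above but is not a complete copy of it.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the dns_info and dns_srv_enum output above.
# The names/addresses are borrowed from the post's output; the record set is trimmed
# and assembled here for the example, it is not the module's real output.
SAMPLE_OUTPUT = """\
[*] Enumerating microsoft.com
[+] microsoft.com - Address 134.170.188.221 found. Record type: A
[+] microsoft.com - Name server ns1.msft.net (208.84.0.53) found. Record type: NS
[+] microsoft.com - ns1.msft.net (208.84.0.53) found. Record type: SOA
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.170) found. Record type: MX
[+] microsoft.com - Text info found: v=spf1 include:_spf-a.microsoft.com ip4:147.243.128.24 -all . Record type: TXT
[*] Auxiliary module execution completed
[*] Enumerating SRV Records for microsoft.com
[+] Host: sipfed.microsoft.com IP: 131.107.255.86 Service: sipfederationtls Protocol: tcp Port: 5061
[+] Host: sipdog3.microsoft.com IP: 131.107.1.47 Service: xmpp-server Protocol: tcp Port: 5269
[*] Auxiliary module execution completed
"""

# "[+] <domain> - <body> found. Record type: <TYPE>"; TXT lines end in " . Record type: TXT"
# instead of " found. Record type: TXT", so the "found" token is optional.
RECORD_RE = re.compile(
    r"^\[\+\] (?P<domain>\S+) - (?P<body>.*?)\s*(?:found)?\s*\.\s*Record type: (?P<type>\w+)$"
)
# "[+] Host: <h> IP: <ip> Service: <svc> Protocol: <proto> Port: <port>"
SRV_RE = re.compile(
    r"^\[\+\] Host: (?P<host>\S+) IP: (?P<ip>\S+) Service: (?P<service>\S+) "
    r"Protocol: (?P<proto>\S+) Port: (?P<port>\d+)$"
)


def parse_records(output: str) -> dict[str, list]:
    """Group the module's result lines by record type."""
    records: dict[str, list] = defaultdict(list)
    for line in output.splitlines():
        m = RECORD_RE.match(line)
        if m:
            body = m["body"]
            if m["type"] == "TXT":
                body = body.removeprefix("Text info found: ")
            records[m["type"]].append(body)
            continue
        m = SRV_RE.match(line)
        if m:
            records["SRV"].append((m["service"], m["proto"], m["host"], int(m["port"])))
    return dict(records)


def spf_policy(txt_values: list[str]):
    """Return (mechanisms, verdict) for the first v=spf1 record, or (None, reason)."""
    for txt in txt_values:
        if not txt.startswith("v=spf1"):
            continue
        terms = txt.split()[1:]
        tail = terms[-1] if terms else ""
        if tail == "-all":
            verdict = "hard fail: unlisted senders are rejected"
        elif tail == "~all":
            verdict = "soft fail: unlisted senders are only marked as suspicious"
        elif tail in ("?all", "+all"):
            verdict = "neutral/pass: SPF provides no protection"
        else:
            verdict = "no explicit all mechanism"
        return terms, verdict
    return None, "no SPF record"


def summarise(output: str) -> dict:
    """Reduce the console output to the facts worth recording."""
    recs = parse_records(output)
    terms, verdict = spf_policy(recs.get("TXT", []))
    return {
        "a": [v.split()[1] for v in recs.get("A", [])],     # "Address <ip>"
        "ns": [v.split()[2] for v in recs.get("NS", [])],   # "Name server <host> (<ip>)"
        "mx": [v.split()[2] for v in recs.get("MX", [])],   # "Mail server <host> (<ip>)"
        "srv": recs.get("SRV", []),
        "spf_terms": terms,
        "spf_verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Pipe real msfconsole output into summarise() (for example via spool) and the same code works unchanged; the SPF grading is the piece worth keeping, since a "~all" or "?all" tail on your own domain is a finding you can fix in minutes.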
I was a bit lazy about formatting the text as code, so this might be a little hard to read. But I think you now have a basic idea of how you can use Metasploit for information gathering. If you would like to see more details, or have any questions, you can post comments here.