In this step, you will learn about some popular vulnerability scanning tools available in Kali Linux.
- X-scan: X-scan is a well-known comprehensive scanning tool in China. It is completely free, does not require installation, and supports both graphical and command-line interfaces in Chinese and English. X-scan is developed by a renowned Chinese hacker group called "Security Focus" and has been constantly improved since its internal testing version 0.2 in 2000.
- Nessus: Nessus is one of the most widely used vulnerability scanning and analysis tools in the world. Over 75,000 organizations use Nessus to scan their computer systems. Nessus was created by Renaud Deraison in 1998 with the goal of providing a free, powerful, frequently updated, and easy-to-use remote system security scanning program for the internet community.
- SQLmap: SQLmap is an automatic SQL injection tool that can scan, detect, and exploit SQL injection vulnerabilities in a given URL. It currently supports MS-SQL, MySQL, Oracle, and PostgreSQL databases. SQLmap employs four unique SQL injection techniques: blind inference, UNION queries, stacked queries, and time-based blind injection.
- Nmap: Nmap is a powerful and versatile network exploration and security auditing tool. It can be used for various purposes, including network discovery, port scanning, and vulnerability detection.
Now, you will use Nmap to perform a vulnerability scan on the Metasploitable2 target machine.
- Start the Metasploit database service and initialize the database:

  ```bash
  cd ~
  service postgresql start
  msfdb init
  ```

- Launch the Metasploit console:

  ```bash
  msfconsole
  ```

- Within the Metasploit console, use the `nmap` command to scan the target machine:

  ```bash
  nmap -sS -T4 192.168.122.102
  ```
Here's an example of the output you might see:

```
[*] exec: nmap -sS -T4 192.168.122.102

Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-23 23:15 UTC
Nmap scan report for 192.168.122.102
Host is up (0.0032s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 52:54:00:1E:9E:B4 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
```
The `-sS` option performs a TCP SYN scan (also known as a half-open or stealth scan), which needs raw-socket privileges and therefore runs as root in this lab. The `-T4` option selects the aggressive timing template: fast, but not so fast that it generates excessive network traffic.
- Observe the output of the scan, which should display the open ports and services on the target machine.
Press Ctrl+D to quit the Metasploit console, then start the inspection.
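Reading a port list by eye works for one host, but a defender reviewing scans of their own network wants the output parsed and the services that deserve attention pulled out automatically. The script below is an added example, not part of this lab or of Nmap itself: it parses Nmap's normal on-screen output (using the scan result shown above as its embedded sample), checks that the listed ports plus the "Not shown" count add up to the 1000 ports a default TCP scan covers, and flags open services that are cleartext or legacy remote-access protocols. The `FLAGGED_SERVICES` classification and all function names are this example's own assumptions.

```python
"""Parse Nmap normal output and triage open ports for a defender's review."""
import re
from dataclasses import dataclass

# Nmap "normal" output copied from the scan shown in this step
# (the Metasploitable2 target at the lab's address 192.168.122.102).
SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-23 23:15 UTC
Nmap scan report for 192.168.122.102
Host is up (0.0032s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 52:54:00:1E:9E:B4 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_LINE = re.compile(r"^Not shown: (\d+) (\w+) (tcp|udp) ports")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


@dataclass
class ScanReport:
    host: str
    not_shown: int  # ports Nmap collapsed into the "Not shown" line
    ports: list


def parse_nmap_output(text):
    """Build a ScanReport from Nmap's normal (on-screen / -oN) output."""
    host, not_shown, ports = None, 0, []
    for line in text.splitlines():
        if m := HOST_LINE.match(line):
            host = m.group(1)
        elif m := NOT_SHOWN_LINE.match(line):
            not_shown = int(m.group(1))
        elif m := PORT_LINE.match(line):
            ports.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ScanReport(host, not_shown, ports)


# Services worth flagging when reviewing a scan of one's own hosts: they carry
# credentials or sessions without encryption, or are legacy remote-access
# protocols. This classification is the example's own assumption, not Nmap's.
FLAGGED_SERVICES = {
    "ftp": "credentials sent in cleartext",
    "telnet": "cleartext remote shell",
    "exec": "rexec, legacy r-service with cleartext password",
    "login": "rlogin, legacy r-service with host-based trust",
    "shell": "rsh, legacy r-service with host-based trust",
    "vnc": "remote desktop exposed to the network",
    "X11": "X server listening on the network",
}


def open_ports(report):
    """Return only the entries Nmap reported as open."""
    return [p for p in report.ports if p.state == "open"]


def triage(report):
    """Pair each flagged open service with the reason it deserves a look."""
    return [(p.port, p.service, FLAGGED_SERVICES[p.service])
            for p in open_ports(report) if p.service in FLAGGED_SERVICES]


def scanned_port_total(report):
    """Listed ports plus the 'Not shown' count; 1000 for a default TCP scan."""
    return len(report.ports) + report.not_shown


if __name__ == "__main__":
    rep = parse_nmap_output(SAMPLE_OUTPUT)
    print(f"{rep.host}: {len(open_ports(rep))} open ports, "
          f"{scanned_port_total(rep)} scanned in total")
    for port, service, reason in triage(rep):
        print(f"  {port:>5}/tcp {service:<8} {reason}")
```

Run it as a script to see the summary for the sample, or feed it a saved `nmap -oN` file by reading that file into `parse_nmap_output`. Nmap's normal output is meant for humans and its layout can change between versions; for anything beyond a lab, parse the XML produced by `-oX` instead, which is the stable machine-readable format.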