Metasploit/Armitage not seeing Win XP VM

[jb61264]

Digging my way through metasploit using armitage on my pentest lab. I have three VMs (of 15 installed) running 1.metasploitable 2.Windows XP32 SP2 3.CentOS

Nmap scan via Armitage is finding metasploitable and CentoS but not the Windows XP machine (which is kinda funny actually).

However when I run Zenmap separately, it finds that machine.

All VMs are in the same network.

Am I missing something for metasploit to see a Windows machine? Interestingly when I review the output from the scan, there is a line that says "All 65535 scanned ports on {IP ADDRESS} are filtered...maybe I should go back to using Windows XP...

[digininja]

What command are you using to do the scanning?

[jb61264]

Just now, digininja said:

What command are you using to do the scanning?

So I'm doing everything within Kali. I ran the nmap scan (intense all TCP ports) within Armitage and then separately ran the same scan within zenmap

nmap -p 1-65535 -T4 -A -v <IP ADDRESS/24>

 

[digininja]

Are you running either or both scans as root?

[digip]

Try nmap like so:

 

nmap -sC -sV -p- -Pn -A -v -T4 --script vuln x.x.x.x/xx

The -Pn tells it not to verify with a ping if the device is up. The --script vuln, will check for known vulns on the target where x.x.x.x is the IP and /XX is the subnet mash(if scanning a network) otherwise, omit the /xx and only target the IP address.

Edited May 13, 2017 by digip

[digininja]

As I learnt the other day, if you are not root then nmap only checks ports 80 and 443 to identify if a machine is up, no ICMP. If you are root you get ICMP as well. So, if the XP box isn't running a web server (unlikely) then a non-root user would not find the machine.

[digip]

1 hour ago, digininja said:

As I learnt the other day, if you are not root then nmap only checks ports 80 and 443 to identify if a machine is up, no ICMP. If you are root you get ICMP as well. So, if the XP box isn't running a web server (unlikely) then a non-root user would not find the machine.

We're not talking about the XP box not responding to an icmp and being discovered by nmap? I'm bit confused. Thought he couldn't find the XP machine with his port scan. It won't by default, respond to icmp/igmp pings if the firewall is on unless explicitly allowed or turned off(on the XP machine), but will show an arp even when it denies responding to a ping. Quickest discover is ping sweep the subnet and check arp after each ping to see the MAC address of the device. Without a -Pn nmap won't see it if it doesn't respond to a ping, it will skip and move on depending on what type of scan you do against it. Zenmap might be doing an arp by default depending on what scan he selected from the drop down menu.

I'm referencing his command specifically though:

nmap -p 1-65535 -T4 -A -v <IP AD

If it were a permissions issue on the attacking machine, I'd think he'd need to use sudo if it were an admin issue or it would fail, no? That is, if he isn't already root, but he said he is using Kali, so he should already be root by default, unless he created a new user, kali runs as root for everything. He also might need to slow his scan from T4 to like T2 or slower.

[jb61264]

3 hours ago, digininja said:

Are you running either or both scans as root?

I am running both scans as root on the same Kali VM 

[digip]

Try the nmap command I posted above. The one with the -Pn and --script, see if it sees the WIndows machine. CAn change the scan slower too to be more throurough, like -T2 instead of T4. Alternatively, run netdiscover first, find all machines on the subnet, then scan them individually.

[jb61264]

1 minute ago, digip said:

Try the nmap command I posted above. The one with the -Pn and --script, see if it sees the WIndows machine. CAn change the scan slower too to be more throurough, like -T2 instead of T4. Alternatively, run netdiscover first, find all machines on the subnet, then scan them individually.

Interestingly, when i ran the nmap scan again I went back and reviewed the output and found this:

Nmap: All 65535 scanned ports on 192.168.xxx.xxx are filtered...so I guess its "seeing" it but for some reason the host is showing as all ports are filtered? I don't understand why it would see an 32bit XP SP2 machine as having all ports filtered.

[digininja]

digip, what I was suggesting was that as one scan was being done through Armitage and one through Zenmap, maybe Armitage was dropping privs for some reason or he was starting Zenmap as root but Armitage not. nmap will only scan a machine it recognises as up and as non-root, the way it determines whether it is up or not is to try to connect to 80 and 443, if they aren't open, it assumes the host is down. With, or without the firewall, XP is unlikely to be running a web server so should not be detected by a non-root nmap scan.

When root scans, there is also an ICMP check which may be spotting the host depending on what the firewall is doing. Your -Pn will force nmap to assume the machine is up so should find something if it is there.

I can't remember the default configuration for XP but was file sharing turned off by default? If so, then there probably shouldn't be any ports open by default. Or, the firewall may be on and just dropping everything.

[digip]

50 minutes ago, jb61264 said:

Interestingly, when i ran the nmap scan again I went back and reviewed the output and found this:

Nmap: All 65535 scanned ports on 192.168.xxx.xxx are filtered...so I guess its "seeing" it but for some reason the host is showing as all ports are filtered? I don't understand why it would see an 32bit XP SP2 machine as having all ports filtered.

What services do you know are def running on it? Change your port scan settings, try different things and add --open to the list of switches when scanning. Also try UDP, things like 135-139, 445, etc

[digip]

Server, Computer Browser and Workstation should be on by default after an install unless disabled and netbios names should also be possible via SMB advertising on the network. If the machine is still pre SP3??/2/1?, you should be able to do an ms08-067 if the Server, Computer Browser and Workstation are enabled. That's one of the first things I disable on all my windows boxes, even non XP machines, is stop the server and computer browser services, and disable netbios. I don't use any file sharing on my windows machines and if I need something most of my other boxes are linux, I scp/sftp into them to move files back and forth.

[jb61264]

8 minutes ago, digip said:

What services do you know are def running on it? Change your port scan settings, try different things and add --open to the list of switches when scanning. Also try UDP, things like 135-139, 445, etc

The XP SP2 VM is a "new install" from a disk that I have kept from work for the last 8 years. No configuration except a clean install. 

I guess I should be clear about nmap too...it is basically the one that comes with Armitage in the "Hosts" menu...so I am running it from there if that makes any difference. As far as privileges, I am running everything from the same Kali Linux box (on the same network as all the other VMs I run. 

I guess its not a "huge" deal but I found it annoyingly interesting that the nmap scan within Armitage doesn't pick up and provide an 'icon' in the visual area of Armitage like it does for the metasploitable and CentOS VMs

I'm going to fire up my Win2K3 VM and rerun as well to see if it picks that up.

[digip]

6 hours ago, jb61264 said:

The XP SP2 VM is a "new install" from a disk that I have kept from work for the last 8 years. No configuration except a clean install. 

I guess I should be clear about nmap too...it is basically the one that comes with Armitage in the "Hosts" menu...so I am running it from there if that makes any difference. As far as privileges, I am running everything from the same Kali Linux box (on the same network as all the other VMs I run. 

I guess its not a "huge" deal but I found it annoyingly interesting that the nmap scan within Armitage doesn't pick up and provide an 'icon' in the visual area of Armitage like it does for the metasploitable and CentOS VMs

I'm going to fire up my Win2K3 VM and rerun as well to see if it picks that up.

In armitage, open a console, and use dbnmap (or might be _dbnmap or db_nmap, I forget) which lets you do an nmap scan that will send resutls to the metasploit database for armitage as well. You can cusotmize the scan switches this way.

 

edit: googled, its "db_nmap" from the console while in metasploit or armitage's console.

Edited May 14, 2017 by digip

[Yeah Hub]

Follow step by step Armitage