Both The Basics of Hacking and Penetration Testing and Metasploit: The Penetration Tester’s Guide introduce us early on to the port scanner Nmap.
Nmap Network Scanning describes the tool thus:
Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
You can read roughly half of this book online for free here.
It’s worth noting at the outset the Nmap book assumes basic familiarity with TCP/IP and networking concepts. The TCP/IP Guide is recommended, but before buying, a free online version is available. This is an extremely lengthy guide, but if you’re starting from the place of near complete ignorance as I was, then I do recommend spending time reading it.
You can run Nmap in BackTrack/Kali by simply typing ‘nmap’ in the terminal.
Here is the output from an Nmap scan (nmap -Pn -sS ipaddress) of the Windows system on my Virtual Hacking Lab:
Host is up (0.24s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
912/tcp open apex-mesh
1025/tcp open NFS-or-IIS
1433/tcp open ms-sql-s
When I performed the scan again, adding the -A flag, which attempts advanced service enumeration and banner grabbing and gives even more detail about the target, the results included:
80/tcp open http Microsoft IIS httpd 5.1
|_http-title: Metasploit Sample Web Attack Site
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1025/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
With all of this information at hand, exploiting the system would be a breeze.
Nmap results can be imported into Metasploit.
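What gets imported is structured data: Metasploit's db_import reads Nmap's XML output (-oX), not the text above. To show what that structure contains, here is an added example (not code from this post or from the Nmap project) that parses the human-readable port table shown above. The sample text is that table re-typed as a constructed string, and the list of services flagged for review is my own assumption about what an administrator would want to double-check on an exposed host.

```python
import re

# Constructed sample: the port table from the -A scan above, re-typed as test input.
SAMPLE_OUTPUT = """\
Host is up (0.24s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp
80/tcp   open  http         Microsoft IIS httpd 5.1
|_http-title: Metasploit Sample Web Attack Site
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
912/tcp  open  vmware-auth  VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399.00; RTM
"""

# One port line: "<port>/<proto> <state> <service> [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)

def parse_port_table(text):
    """Return one dict per port line; single-line '|_' script results attach to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["version"] = (d["version"] or "").strip()
            d["guessed"] = d["service"].endswith("?")  # trailing '?' means Nmap could not confirm the service
            d["service"] = d["service"].rstrip("?")
            d["scripts"] = {}
            ports.append(d)
        elif line.startswith("|_") and ports:
            key, _, value = line[2:].partition(": ")
            ports[-1]["scripts"][key] = value
    return ports

# Assumed review list: services an administrator normally expects only on an internal, filtered segment.
REVIEW_SERVICES = {"microsoft-ds", "ms-sql-s", "msrpc", "netbios-ssn", "ftp"}

def exposure_review(ports):
    """Return the open ports whose service name is on the review list."""
    return [p for p in ports if p["state"] == "open" and p["service"] in REVIEW_SERVICES]

if __name__ == "__main__":
    for p in exposure_review(parse_port_table(SAMPLE_OUTPUT)):
        print(f"{p['port']}/{p['proto']} {p['service']} {p['version']}")
```

Multi-line script output (lines beginning with a bare "|") is not handled here; for anything beyond a quick look, parse the XML output instead.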