New Meterpreter Extension Released: MSFMap Beta

Sunday, January 08, 2012

Spencer McIntyre

759c37c6aff04cd46262f93652b5fad5

SecureState has released a new extension for Metasploit’s Meterpreter called MSFMap. This new utility provides an NMap-like port scanner from within the context of a Meterpreter session. 

This gives penetration testers an easily deployable and flexible port scanning utility.  Having this functionality can make pivoting into internal networks much easier without the need to install or upload an additional program.

The benefits are numerous depending on the type of scan being conducted.  MSFMap supports full TCP-Connection scans, ICMP scans, and ARP scans.  The TCP Connection scans are faster than using the auxiliary/scanner/portscan/tcp module because connections do not have to be “pivoted” through the compromised host. 

The ICMP and ARP scanning features bring great benefits over many other common methods because MSFMap does not spawn any new processes that may reveal its presence to a watchful user.  MSFMap runs entirely in memory and does not write any data to the compromised host.

MSFMap was designed to mimic the behavior and functionality of NMap.  MSFMap options are compatible with NMap style arguments; and the output of MSFMap also resembles that of NMap. 

Furthermore, MSFMap takes advantage of the nmap-services file from the system on which Metasploit is installed.  This resolves common ports to a service name which can be useful for penetration testers attempting to identify services for further testing.

The scan behavior is also similar to NMap.  By default (with no arguments), when a host is scanned, MSFMap will first determine whether the IP address is on a directly attached network. 

Based on this information, MSFMap will use an ARP ping for hosts on the LAN and an ICMP echo request for hosts that are not on the LAN.  Assuming the host is up or the ping phase is skipped, MSFMap will proceed to scan the top 100 ports that NMap will scan by default. 

Although NMap scans the top 1000 ports by default, only the top 100 of these will be scanned by MSFMap.  This can be expanded using the --top-ports option up to 1000.

This is the first public release of MSFMap, and as such it is in beta status.  The code is hosted at http://code.google.com/p/msfmap and can be downloaded from there.  In the future MSFMap will include features for TCP SYN scanning (where possible) and additional speed optimizations.

Find out more about the tools related to this attack here:

Metasploit: http://www.metasploit.com/

NMap: http://nmap.org/

Cross-posted from SecureState

Possibly Related Articles:
10088
Network->General
Information Security
Scanners Tools Penetration Testing Metasploit ICMP Nmap Meterpreter MSFMap Spencer McIntyre
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.