TCP ACK Firewall Scanner - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/portscan/ack metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: TCP ACK Firewall Scanner
Module: auxiliary/scanner/portscan/ack
Source code: modules/auxiliary/scanner/portscan/ack.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Map out firewall rulesets with a raw ACK scan. Any unfiltered ports found means a stateful firewall is not in place for them.

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/portscan/ack
msf auxiliary(ack) > show options
    ... show and set options ...
msf auxiliary(ack) > set RHOSTS ip-range
msf auxiliary(ack) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(ack) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(ack) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(ack) > set RHOSTS file:/tmp/ip_list.txt

Required Options

---

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Go back to menu.

Msfconsole Usage

---

Here is how the scanner/portscan/ack auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/portscan/ack

msf6 auxiliary(scanner/portscan/ack) > show info

       Name: TCP ACK Firewall Scanner
     Module: auxiliary/scanner/portscan/ack
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  kris katterjohn <[email protected]>

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  BATCHSIZE  256              yes       The number of hosts to scan per set
  DELAY      0                yes       The delay between connections, per thread, in milliseconds
  INTERFACE                   no        The name of the interface
  JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
  PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  SNAPLEN    65535            yes       The number of bytes to capture
  THREADS    1                yes       The number of concurrent threads (max one per host)
  TIMEOUT    500              yes       The reply read timeout in milliseconds

Description:
  Map out firewall rulesets with a raw ACK scan. Any unfiltered ports 
  found means a stateful firewall is not in place for them.

Module Options

---

This is a complete list of options available in the scanner/portscan/ack auxiliary module:

msf6 auxiliary(scanner/portscan/ack) > show options

Module options (auxiliary/scanner/portscan/ack):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

Advanced Options

---

Here is a complete list of advanced options supported by the scanner/portscan/ack auxiliary module:

msf6 auxiliary(scanner/portscan/ack) > show advanced

Module advanced options (auxiliary/scanner/portscan/ack):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   GATEWAY_PROBE_HOST   8.8.8.8          yes       Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
   GATEWAY_PROBE_PORT                    no        The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)
   SECRET               1297303073       yes       A 32-bit cookie for probe requests.
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

---

This is a list of all auxiliary actions that the scanner/portscan/ack module can do:

msf6 auxiliary(scanner/portscan/ack) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

---

Here is the full list of possible evasion options supported by the scanner/portscan/ack auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/portscan/ack) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

---

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

PORTS

---

Here is a relevant code snippet related to the "PORTS" error message:

43:	
44:	  def run_batch(hosts)
45:	
46:	    ports = Rex::Socket.portspec_crack(datastore['PORTS'])
47:	    if ports.empty?
48:	      raise Msf::OptionValidateError.new(['PORTS'])
49:	    end
50:	
51:	    jitter_value = datastore['JITTER'].to_i
52:	    if jitter_value < 0
53:	      raise Msf::OptionValidateError.new(['JITTER'])

JITTER

---

Here is a relevant code snippet related to the "JITTER" error message:

48:	      raise Msf::OptionValidateError.new(['PORTS'])
49:	    end
50:	
51:	    jitter_value = datastore['JITTER'].to_i
52:	    if jitter_value < 0
53:	      raise Msf::OptionValidateError.new(['JITTER'])
54:	    end
55:	
56:	    delay_value = datastore['DELAY'].to_i
57:	    if delay_value < 0
58:	      raise Msf::OptionValidateError.new(['DELAY'])

DELAY

---

Here is a relevant code snippet related to the "DELAY" error message:

53:	      raise Msf::OptionValidateError.new(['JITTER'])
54:	    end
55:	
56:	    delay_value = datastore['DELAY'].to_i
57:	    if delay_value < 0
58:	      raise Msf::OptionValidateError.new(['DELAY'])
59:	    end
60:	
61:	    open_pcap
62:	
63:	    pcap = self.capture

Error

---

Here is a relevant code snippet related to the "Error" error message:

98:	            :type	=> "TCP UNFILTERED #{dhost}:#{dport}",
99:	            :data	=> "TCP UNFILTERED #{dhost}:#{dport}"
100:	          )
101:	
102:	        rescue ::Exception
103:	          print_error("Error: #{$!.class} #{$!}")
104:	        end
105:	      end
106:	    end
107:	
108:	    close_pcap

Go back to menu.

Related Pull Requests

---

• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #6317 Merged Pull Request: Add capability for delays (+/- jitter) to all auxiliary scanner modules & implement in portscan modules
• #6010 Merged Pull Request: Fix #6008, incorrect usage of capture_sendto
• #2779 Merged Pull Request: Raise Msf::OptionValidateError when the PORTS option is invalid
• #2525 Merged Pull Request: Change module boilerplate
• #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary

Go back to menu.

See Also

---

Check also the following modules related to this module:

• auxiliary/scanner/natpmp/natpmp_portscan
• auxiliary/scanner/portscan/ftpbounce
• auxiliary/scanner/portscan/syn
• auxiliary/scanner/portscan/tcp
• auxiliary/scanner/portscan/xmas
• auxiliary/scanner/sap/sap_router_portscanner
• auxiliary/scanner/backdoor/energizer_duo_detect
• auxiliary/scanner/http/backup_file
• auxiliary/scanner/http/bmc_trackit_passwd_reset
• auxiliary/scanner/http/dlink_user_agent_backdoor
• auxiliary/scanner/http/enum_wayback
• auxiliary/scanner/http/wordpress_pingback_access
• auxiliary/scanner/http/wp_bulletproofsecurity_backups
• auxiliary/scanner/http/wp_mobile_pack_info_disclosure
• auxiliary/scanner/http/wp_simple_backup_file_read
• auxiliary/scanner/misc/sercomm_backdoor_scanner
• auxiliary/scanner/smb/impacket/dcomexec
• auxiliary/scanner/smb/impacket/secretsdump
• auxiliary/scanner/smb/impacket/wmiexec
• auxiliary/scanner/ssh/eaton_xpert_backdoor
• auxiliary/scanner/ssh/fortinet_backdoor
• auxiliary/scanner/ssh/juniper_backdoor

Authors

---

kris katterjohn

Version

---

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.