I am getting back into my studies and I was hoping I could get a few questions answered here. I have a lab network here at home and I can pretty easily exploit W2k3 machines and some Windows Vista machines with Windows Firewall disabled.
So question 1: with WF enabled, what's the best way to perform port scanning? I've tried nmap with nearly all the Windows-compatible options that I know, but ICMP, TCP, and UDP seem to be well filtered.
Q2: Assuming I've found a host, and know what ports are open and what services are running on those ports, I, plain and simple, have not been able to find exploits for W7. MSFUpdate works fine, but I'm trying to attack services rather than web applications, and web exploits seem to be the only options available... I've done my research, and I know that there were some new W7 vulnerabilities discovered, and I hadn't patched the systems, so I know they are vulnerable. But even searching exploit-db, exploitsearch and the Metasploit exploits, I don't think I found any 2011 exploits not tied to applications running on the victim machine.
Now I am fairly certain that this may be to keep script kiddies from getting the latest exploit code, but that really doesn't help me.
I think I'll limit my questions to those for the moment. Thanks for your help.