In this post, we will explore how to perform various port scans using the Metasploit Framework's scanner modules.
When you want to gather information about a system, one of the initial things to do is to find out which ports are open.
While Nmap is usually the go-to tool for this, there are situations where you might need to use something else.
Luckily, Metasploit comes with a built-in port scanner that makes it simple to conduct scans directly within the framework. In this tutorial, we'll walk you through three types of port scans you can perform using Metasploit.
Learning how to use various modules such as the port scanner of the Metasploit framework can enhance your workflow and allow you to better understand how the Metasploit framework works.
Let us dive in and check it out.
What is Port Scanning?
Let us start with the basics and discuss what exactly port scanning is.
Port scanning refers to the process of probing a specific target system with the aim of determining which network ports are open and available for communication.
If you are not familiar with the basics of networking, check our tutorial on the topic to learn more.
At the core, however, each network service running on a target system listens on a given port number. Once we scan the available ports, we can start to build a picture of the services running on the machine.
This is one of the first steps in any assessment. Discovering which services run on the target machine lets you lay out the attack surface and prepare your arsenal appropriately.
Types of Port Scans
Although there are a number of port scans that we can carry out on a target system, three of them are very common and come in handy. These types of scans include:
TCP Connect Scan
This is the most basic type of port scan. It simply attempts to establish a full TCP connection (a complete three-way handshake) with the target system on the specified port. If the connection succeeds, the port is considered open. Because the handshake completes, the attempt is visible to the service and to any host firewall or connection log, but the scan needs no special privileges.
SYN Scan
This technique sends a SYN packet to the target port and waits for the response. If a SYN/ACK packet comes back, the port is considered open; if a RST packet comes back, the port is closed. Instead of finishing the handshake, the scanner answers the SYN/ACK with a RST, which is why this is also called a half-open scan. Crafting and sniffing raw packets requires root privileges.
XMAS Scan
In this scan, a packet is sent to the target port with the FIN, URG, and PSH flags set. If a RST packet is received, the port is considered closed; if no response is received, the port is reported as open or filtered, since a firewall that silently drops the probe produces exactly the same silence as an open port. Stacks that do not follow RFC 793 (Windows, for example) answer every such probe with a RST, so an XMAS scan against them shows nothing open.
There are several other types of scans, such as UDP scans, NULL scans, and FIN scans, which use different techniques to find open ports. The choice of scan type depends on the specific scenario and on the information that we need to gather from the target system.
TCP Connect Scan with Metasploit
Let us now dive in and discuss how we can perform a TCP connect scan using Metasploit.
We hope this is not your first time using the Metasploit Framework; if it is, check out our series on the topic to discover more. You can also leave us a message telling us which topics you would like us to cover.
Let us start by launching the Metasploit console by running the command:
msfconsole
This will launch the framework and display its banner, including the version and module counts, as shown below:
(ASCII-art banner omitted)
       =[ metasploit v6.3.5-dev                          ]
+ -- --=[ 2296 exploits - 1202 auxiliary - 410 post       ]
+ -- --=[ 965 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can use help to view all available commands
Metasploit Documentation: https://docs.metasploit.com/
Metasploit provides a series of scanning modules in the auxiliary section. We can search for the port scanning modules with the command:
[msf](Jobs:0 Agents:0) >> search portscan type:auxiliary
The command search portscan type:auxiliary lists all auxiliary modules in the Metasploit Framework whose name or description matches portscan.
The command returns every module that matches the search parameters, including the auxiliary/scanner/portscan family (tcp, syn, xmas, ack and ftpbounce). In our case, we are interested in auxiliary/scanner/portscan/tcp. This module performs a TCP connect scan on the target machine.
The next step is to tell Metasploit that we wish to use this module. We can do this by running the use command as shown:
>> use auxiliary/scanner/portscan/tcp
This should load the module and change the Metasploit shell to reflect the currently selected module.
Next, let us determine the options required to run this module. We can accomplish this by using the options command:
auxiliary(scanner/portscan/tcp) >> options
This should display the required options for the module as shown in the output below:
Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

View the full module info with the info, or info -d command.
From the output above, we can see that the scanner module accepts a range of options. The Description column explains what each one does; note that only RHOSTS has no default value.
For simplicity, we will only provide the RHOSTS option, which determines the target machine(s). It accepts a single IP address, a range such as 192.168.136.1-254, or CIDR notation; here we scan a single machine by giving its IP address.
To set the IP address of the target machine, we use the set command followed by the option name and its value, as shown in the command below:
set rhosts 192.168.136.129
The next option we need to configure is the set of ports to scan. The default, 1-10000, is more than we need here, so we will scan the first 1000 ports (1-1000, not to be confused with Nmap's frequency-based "top 1000") by setting the option as:
set ports 1-1000
Now we are ready to perform the scan. We can do this by simply typing the run command:
auxiliary(scanner/portscan/tcp) >> run
Once executed, the scanner module works through ports 1-1000 and reports the open ones. The connect scanner probes CONCURRENCY ports at a time (10 by default), each bounded by TIMEOUT, so a 1000-port scan of one host on a local network finishes in seconds and returns results such as:
[+] 192.168.136.129: - 192.168.136.129:25 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:23 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:22 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:21 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:53 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:80 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:111 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:139 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:445 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:513 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:514 - TCP OPEN
[+] 192.168.136.129: - 192.168.136.129:512 - TCP OPEN
[*] 192.168.136.129: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
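To see what the connect scanner is doing under the hood, here is an added example in Ruby (the language Metasploit modules are written in). It is not code from this tutorial or from the Metasploit project: it implements the TCP connect scan described earlier with the same PORTS syntax, CONCURRENCY and TIMEOUT semantics as auxiliary/scanner/portscan/tcp, using plain Ruby sockets rather than the framework's Rex library. The helper names (parse_ports, connect_probe, connect_scan, demo_scan) are this example's own, and the target is a constructed listener on 127.0.0.1, not a real host.

```ruby
require 'socket'

# Parse a Metasploit-style PORTS spec such as "22-25,80,110-900" into a
# sorted list of unique port numbers within 1..65535.
def parse_ports(spec)
  spec.split(',').flat_map do |part|
    part = part.strip
    if part.include?('-')
      lo, hi = part.split('-', 2).map(&:to_i)
      (lo..hi).to_a
    else
      [part.to_i]
    end
  end.select { |p| p.between?(1, 65535) }.uniq.sort
end

# One connect probe: complete the full three-way handshake, then close.
# :open     -> handshake completed (something accepted the connection)
# :closed   -> the stack answered with RST (ECONNREFUSED)
# :filtered -> no answer within the timeout, or the host was unreachable
def connect_probe(host, port, timeout_ms)
  # Block form closes the socket when the block returns.
  Socket.tcp(host, port, connect_timeout: timeout_ms / 1000.0) { |_sock| nil }
  :open
rescue Errno::ECONNREFUSED
  :closed
rescue SystemCallError, IOError
  :filtered
end

# Scan one host the way portscan/tcp does: CONCURRENCY ports in flight at
# once, each probe bounded by TIMEOUT milliseconds. Returns {port => state}.
def connect_scan(host, ports_spec, concurrency: 10, timeout_ms: 1000)
  queue = Queue.new
  parse_ports(ports_spec).each { |p| queue << p }
  queue.close # once drained, pop returns nil and the workers exit
  results = {}
  lock = Mutex.new
  workers = Array.new(concurrency) do
    Thread.new do
      while (port = queue.pop)
        state = connect_probe(host, port, timeout_ms)
        lock.synchronize { results[port] = state }
      end
    end
  end
  workers.each(&:join)
  results.sort.to_h
end

# Print open ports in the module's own output style.
def report(host, results)
  results.each do |port, state|
    puts "[+] #{host}: - #{host}:#{port} - TCP OPEN" if state == :open
  end
  puts "[*] #{host}: - Scanned 1 of 1 hosts (100% complete)"
end

# Demonstration against a constructed local target: one listening socket
# (open) and one port that is bound and immediately released (closed).
# Returns both port numbers with the scan results so they can be checked.
def demo_scan
  listener = TCPServer.new('127.0.0.1', 0)   # kernel picks a free port
  open_port = listener.addr[1]
  spare = TCPServer.new('127.0.0.1', 0)
  closed_port = spare.addr[1]
  spare.close                                # nothing listens here any more
  results = connect_scan('127.0.0.1', "#{open_port},#{closed_port}",
                         concurrency: 2, timeout_ms: 500)
  [open_port, closed_port, results]
ensure
  listener&.close
end

if __FILE__ == $0
  _open_port, _closed_port, results = demo_scan
  report('127.0.0.1', results)
end
```

Running it prints one TCP OPEN line for the listener and nothing for the released port, which is exactly the distinction the module draws: a completed handshake versus a RST. Raising concurrency trades speed for noise in the target's connection logs, the same trade-off the module's CONCURRENCY option makes.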
SYN Scan With Metasploit
The next step is performing a SYN scan using Metasploit modules. Start by returning to the main prompt with the back command, then load the SYN scanner:
>> use auxiliary/scanner/portscan/syn
Unlike the connect scanner, this module crafts raw SYN packets and sniffs the replies, so msfconsole must be running as root (for example, launched with sudo).
Similarly, you can use the options command to view the options required for the module. In this case, we will just set the RHOSTS and PORTS options as shown:
[msf] auxiliary(scanner/portscan/syn) >> set rhosts 192.168.136.129
rhosts => 192.168.136.129
[msf] auxiliary(scanner/portscan/syn) >> set ports 1-1000
ports => 1-1000
To execute the scan, use the run command. This should return the SYN scan result as:
[+] TCP OPEN 192.168.136.129:21
[+] TCP OPEN 192.168.136.129:22
[+] TCP OPEN 192.168.136.129:80
[+] TCP OPEN 192.168.136.129:512
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Notice that the SYN scanner reported only four of the twelve ports the connect scan found on the same host. The SYN module only knows about replies it manages to capture within TIMEOUT, so responses that arrive late or get lost are simply not reported; when the two scanners disagree, raise TIMEOUT or DELAY and re-run, or trust the connect result, which comes from a completed handshake. A SYN scan may also take some time. You can speed it up by increasing the number of threads with the command:
>> set threads 10
Because THREADS is capped at one per host, this only helps when RHOSTS covers several targets; for a single host it makes no difference.
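A quick way to spot gaps like the one above, where the SYN scanner reports fewer open ports than the connect scanner, is to parse both outputs and diff them. The following Ruby is an added example, not part of this tutorial or of Metasploit: it recognises the two line formats printed by portscan/tcp and portscan/syn and uses the tutorial's own two listings as constructed sample input. The regexes and function names are this example's own assumptions about the output format, taken only from the lines shown on this page.

```ruby
# Regexes for the two open-port line formats shown above:
#   [+] 192.168.136.129: - 192.168.136.129:25 - TCP OPEN   (portscan/tcp)
#   [+] TCP OPEN 192.168.136.129:21                         (portscan/syn)
CONNECT_OPEN = /\A\[\+\]\s+\S+:\s+-\s+(\d[\d.]*):(\d+)\s+-\s+TCP OPEN\z/
SYN_OPEN     = /\A\[\+\]\s+TCP OPEN\s+(\d[\d.]*):(\d+)\z/

# Collect { host => [sorted open ports] } from raw msfconsole output,
# ignoring [*] status lines and anything that does not match.
def parse_open_ports(output)
  found = Hash.new { |h, k| h[k] = [] }
  output.each_line do |raw|
    line = raw.strip
    m = CONNECT_OPEN.match(line) || SYN_OPEN.match(line)
    found[m[1]] << m[2].to_i if m
  end
  found.transform_values { |ports| ports.uniq.sort }
end

# Diff two scans of the same target(s). Ports seen only by the connect
# scanner deserve a re-check: a completed handshake is strong evidence
# that something is listening, so the SYN scan most likely missed a reply.
def compare_scans(connect_output, syn_output)
  connect = parse_open_ports(connect_output)
  syn     = parse_open_ports(syn_output)
  (connect.keys | syn.keys).sort.to_h { |host|
    c = connect.fetch(host, [])
    s = syn.fetch(host, [])
    [host, { both: c & s, connect_only: c - s, syn_only: s - c }]
  }
end

# Constructed sample input: the two result listings from this tutorial,
# reproduced line by line (not freshly captured output).
CONNECT_OUTPUT = <<~OUT
  [+] 192.168.136.129: - 192.168.136.129:25 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:23 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:22 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:21 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:53 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:80 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:111 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:139 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:445 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:513 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:514 - TCP OPEN
  [+] 192.168.136.129: - 192.168.136.129:512 - TCP OPEN
  [*] 192.168.136.129: - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
OUT

SYN_OUTPUT = <<~OUT
  [+] TCP OPEN 192.168.136.129:21
  [+] TCP OPEN 192.168.136.129:22
  [+] TCP OPEN 192.168.136.129:80
  [+] TCP OPEN 192.168.136.129:512
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
OUT

if __FILE__ == $0
  compare_scans(CONNECT_OUTPUT, SYN_OUTPUT).each do |host, diff|
    puts "#{host}: agreed=#{diff[:both].inspect} " \
         "connect_only=#{diff[:connect_only].inspect} syn_only=#{diff[:syn_only].inspect}"
  end
end
```

For the listings on this page the script reports ports 21, 22, 80 and 512 as agreed and 23, 25, 53, 111, 139, 445, 513 and 514 as connect-only, which is the list to re-scan with a longer TIMEOUT before concluding anything about the host. To use it on your own results, copy the console output into the two heredocs (or read it from files with File.read).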
XMAS Scan Using Metasploit
We can also perform an XMAS scan by using the auxiliary/scanner/portscan/xmas module. Repeat the steps shown in the previous sections: use the module, set RHOSTS and PORTS, and run it. Like the SYN scanner it sends raw packets, so it also needs root, and remember that a port it lists is open or filtered rather than confirmed open; confirm anything interesting with the connect scanner.
Still there? In this guide, we talked about three types of port scans - TCP connect, SYN, and XMAS - using the Metasploit interactive console. Although these scans are not the most sophisticated methods out there, they are fast and effective at finding open ports. This shows how much Metasploit offers white hat hackers: a lot of useful tools to get the job done, all within one framework.
Join us as we explore Metasploit and other security features.