When you want to gather information about a system, one of the initial things to do is to find out which ports are open.

While Nmap is usually the go-to tool for this, there are situations where you might need to use something else.

Luckily, Metasploit comes with a built-in port scanner that makes it simple to conduct scans directly within the framework. In this tutorial, we'll walk you through three types of port scans you can perform using Metasploit.

Learning how to use various modules such as the port scanner of the Metasploit framework can enhance your workflow and allow you to better understand how the Metasploit framework works.

Let us dive in and check it out.

What is Port Scanning?

Let us start with the basics and discuss what exactly is port scanning?

Port scanning refers to the process of probing a specific target system with the aim of determining which network ports are open and available for communication.

If you are not familiar with the basics of networking, check our tutorial on the topic to learn more.

However, at the core, each network service that running on a target system listens on a given port number. Once we scan the ports that are available, we can start to get an idea of the services that are running on the computer.

This is one of the major steps when it comes to security. Discovering what services on the target machine allows you to layout your attack surface and prepare your arsenal appropriately.

Types of Port Scans

Although there are a number of port scans that we can carry out on a target system, there are three main ones that can come in hand and very common.

These types of scans include:

TCP Connect Scan

This is the most basic type of port scan, which simply attempts to establish a full TCP connection with the target system on the specified port. If the connection is successful, the port is considered open.

SYN Scan

This technique sends SYN packets to the target system and waits for a response. If a SYN/ACK packet is received, the port is considered open, and if a RST packet is received, it means the port is closed.


In this scan, a packet is sent to the target system with the FIN, URG, and PSH flags set. If a RST packet is received, the port is considered closed, and if no response is received, the port is considered open.

There are several other types of scans, such as UDP scans, NULL scans, and FIN scans, which use different techniques to scan for open ports. The choice of scan type depends on the specific scenario and the information that we need gather from the target system.

TCP Connect Scan with Metasploit

Let us now dive in and discuss how we can perform a TCP scan using Metasploit.

We hope this is not your first using the Metasploit framework, if it is, check out our series on the topics to discover more. You can also leave a us a message and tell us what topics you wish for us to cover in the resource below:


Let us start by launching the Metasploit framework by running the command:


This will launch the framework and display the information as shown below:

< This console just got 20% cooler                >
 ▀▄▄▄▄▄▄▄▄                                 /  
   ▀▀▄▄▄▄▄█▄▄▄▄                           /   
   ▄███▄▄▄▄██▄██                         /    
 ▄██▄█▄▄█▄▄██▄███                       /     
 ▄██▄█████▄██▄▄█▄▄                     /      
▄███████▄██▄▀▀▄▄██                    /       
██████████▄▄▄ ██▄█                   /        
██▄███▄███ ▀▀ ████                  /         
▀███▄███▄▀     ███                 /          
 ▀ ████▄▀      █▄█                /           
   ██▄▀█     ▄▄▄▄▄▄▄▄            /            
   ▀▄█ ▀   ▄▄█▄██████▄▄         /             
    ▀█    ███▄█████████        /              
        ▄███▄▄█████████       /               
       ███████▄██████▄▀      /                
    ▄▄███▄▀ █▄███████   ▄▄▄▄▄▄▄▄▄             
   ▄▄█████ ▄█▄██▄████▄█▄█▄▄██▄▄██▄█▀          
     ▀▀  ▄███████████████▄▄▄██▄▄███▀▄         
       ▀▀▄▄██████▄██████▄▄▄████▄▄  ▀▀▀        
        ▀▀ █▄████ ███▄█▄▄▄▄▄▄▄▀▀              
           ▄▄████  ████▄██                    
           ▀▄████   ██▄███                    
             ▀▄▄▀   ██▀█▀▀                    

       =[ metasploit v6.3.5-dev                           ]
+ -- --=[ 2296 exploits - 1202 auxiliary - 410 post       ]
+ -- --=[ 965 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can use help to view all 
available commands
Metasploit Documentation: https://docs.metasploit.com/

Metasploit provides a series of scanning modules in the auxiliary section. We can search the portscan module in Metasploit using the command:

[msf](Jobs:0 Agents:0) >> search portscan type:auxiliary

The command above search portscan type:auxiliary will search for all auxiliary modules in Metasploit Framework that perform port scanning.

The command will return various results that matches the specified search parameters. An example output is as shown below:

![image-20230401210932083](C:\Users\Sepiol Sam\AppData\Roaming\Typora\typora-user-images\image-20230401210932083.png)

In our case, we are interested in the auxiliary/scanner/portscan/tcp. This module will allow us to perform a TCP port scan on the target machine.

The next step is to tell Metasploit that we wish to use this module. We can do this by running the use command as shown:

>> use auxiliary/scanner/portscan/tcp

This should load the module and change the Metasploit shell to reflect the currently selected module.

Next, let us determine the options required to run this module. We can accomplish this by using the options command:

auxiliary(scanner/portscan/tcp) >> options

This should display the required options for the module as shown in the output below:

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

View the full module info with the info, or info -d command.

From the output above, we can see that the scanner module accepts a wide range of options. You can check the description tab to determine what each option does.

For simplicity, we will only provide the rhosts parameter which determines the target machine. We can provide a single IP address or a range of values. For simplicity, we will scan only a single machine by providing its target IP address.

To set the IP address of the target machine, we can use the set command followed by the option and the value as shown in the command below:

set rhosts

The next option we need to configure is the number of ports we wish to scan. For simplicity, we will scan the top 1000 ports by setting the option as:

set ports 1-1000

Now we are ready to perform the scan. We can do this by simply typing the run command as shown:

>> run

Once we execute, the scanner module will run through the top 1000 ports and determine the open ports. Since this is a TCP scan, it will run pretty quickly and return the results as shown:

[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[+]      - - TCP OPEN
[*]      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

SYN Scan With Metasploit

The next step is performing a SYN scan using metasploit modules. Start by returning the main prompt by running the command back

Next, use the syn scanner using the command:

use auxiliary/scanner/portscan/syn

SImilarly, you can use the options command to view the options required for the module. In this case, we will just set the rhost and ports options as shown

[msf] auxiliary(scanner/portscan/syn) >> set rhosts
rhosts =>

[msf] auxiliary(scanner/portscan/syn) >> set ports 1-1000
ports => 1-1000

To execute the scan, use the run command:

>> run

This should return the SYN scan result as:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

A SYN scan may take some time. You can speed it up by increasing the number of threads with the command:

>> set threads 10

XMAS Scan Using Metasploit

We can also perform a xmas scan by using the auxiliary/scanner/portscan/xmas module. Repeat the steps shown int the previous steps to learn more.


Still there? In this guide, we talked about three types of port scans - TCP, SYN, and XMAS using Metasploit interactive console.  Although these scans might not be the most sophisticated methods out there, but they're fast and effective in finding open ports. This just goes to show how awesome Metasploit is for white hat hackers, giving them a lot of useful tools to get the job done.

Join us as we explore Metasploit and other security features.

Table of Contents
Great! Next, complete checkout for full access to GeekBits.
Welcome back! You've successfully signed in.
You've successfully subscribed to GeekBits.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.