Ports scanning using Metasploit

On your penetration testing, finding ports and services is important. In the real world, I exploited some systems by identifying open ports and try to attack this port.

This articles, I am going to guide you how to use some module on Metasploit for finding ports and services on your target system.

1. auxiliary/scanner/portscan/ack Map out firewall rulesets with a raw ACK scan. Any unfiltered ports found means a stateful firewall is not in place for them.
2. auxiliary/scanner/portscan/synEnumerate open TCP services using a raw SYN scan.
3. auxiliary/scanner/portscan/tcpEnumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
   
4. auxiliary/scanner/portscan/xmasEnumerate open|filtered TCP services using a raw “XMas” scan; this sends probes containing the FIN, PSH and URG flags.
   

Demo

To use all 4 modules, you can use this script:

#!/bin/bash

echo "type your target IP: " 

read RHOSTS;

echo "type your range of ports to scan: "

read PORTS;

echo "type THREADS: "

read thread;

echo "

use auxiliary/scanner/portscan/ack

set RHOSTS $RHOSTS

set PORTS $PORTS 

set THREADS $thread

run

use auxiliary/scanner/portscan/syn

set RHOSTS $RHOSTS

set PORTS $PORTS 

set THREADS $thread

run

use auxiliary/scanner/portscan/tcp

set RHOSTS $RHOSTS

set PORTS $PORTS 

set THREADS $thread

run

use auxiliary/scanner/portscan/xmas

set RHOSTS $RHOSTS

set PORTS $PORTS 

set THREADS $thread

run" > portscan.rc

msfconsole -r portscan.rc