Port scanning using Metasploit

In your penetration tests, finding open ports and services is important. In the real world, I have exploited some systems by identifying open ports and then attacking those ports.

In this article, I am going to show you how to use some Metasploit modules for finding ports and services on your target system.

  1. auxiliary/scanner/portscan/ack: Map out firewall rulesets with a raw ACK scan. Any unfiltered port found means a stateful firewall is not in place for it.
  2. auxiliary/scanner/portscan/syn: Enumerate open TCP services using a raw SYN scan.
  3. auxiliary/scanner/portscan/tcp: Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
  4. auxiliary/scanner/portscan/xmas: Enumerate open|filtered TCP services using a raw "XMas" scan; this sends probes containing the FIN, PSH and URG flags.
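The four modules above differ in the TCP flags they send, and that is also how they show up on the receiving side. The following is an added example (not part of the original article and not Metasploit code) that classifies probes in a constructed packet log into the ACK, SYN, full-connect and XMas patterns described in the list, and reports any source that touched several distinct ports on one host with the same probe type. The log format ("src dst dport flags") and the IP addresses are assumptions made up for this example.

```python
from collections import defaultdict

# Constructed sample log, one packet per line: "src dst dport flags".
# flags is a subset of the letters S (SYN), A (ACK), F (FIN), P (PSH),
# U (URG) and R (RST). Addresses are placeholders for this example.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.20 22 S
10.0.0.5 10.0.0.20 80 S
10.0.0.5 10.0.0.20 443 S
10.0.0.5 10.0.0.20 8080 S
10.0.0.7 10.0.0.20 22 FPU
10.0.0.7 10.0.0.20 25 FPU
10.0.0.7 10.0.0.20 110 FPU
10.0.0.9 10.0.0.20 80 A
10.0.0.9 10.0.0.20 443 A
10.0.0.9 10.0.0.20 3306 A
10.0.0.13 10.0.0.20 22 S
10.0.0.13 10.0.0.20 22 A
10.0.0.13 10.0.0.20 80 S
10.0.0.13 10.0.0.20 80 A
10.0.0.13 10.0.0.20 443 S
10.0.0.13 10.0.0.20 443 A
10.0.0.11 10.0.0.20 80 S
10.0.0.11 10.0.0.20 80 A
10.0.0.11 10.0.0.20 80 PA
"""


def classify_flags(flags):
    """Map a TCP flag string to the probe type used by the modules above."""
    f = frozenset(flags)
    if f == frozenset("FPU"):
        return "xmas"   # FIN+PSH+URG: the raw "XMas" probe
    if f == frozenset("S"):
        return "syn"    # bare SYN: first step of SYN or connect scans
    if f == frozenset("A"):
        return "ack"    # bare ACK: firewall-mapping probe (or handshake step 3)
    return "other"


def parse_log(text):
    """Yield (src, dst, dport, flags) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, flags = line.split()
        yield src, dst, int(dport), flags


def detect_scans(text, min_ports=3):
    """Return {src: (scan_type, distinct_ports)} for sources that probed at
    least min_ports distinct ports on one host with a single probe type.

    scan_type is "syn" (half-open), "connect" (handshake completed on every
    probed port), "ack" or "xmas".
    """
    probes = defaultdict(lambda: defaultdict(set))  # (src, dst) -> type -> ports
    syn_seen = defaultdict(set)                      # (src, dst) -> ports with a SYN
    handshakes = defaultdict(set)                    # (src, dst) -> ports where SYN was followed by ACK

    for src, dst, dport, flags in parse_log(text):
        key = (src, dst)
        kind = classify_flags(flags)
        if kind == "ack" and dport in syn_seen[key]:
            # An ACK after our own SYN is the third handshake step, not an ACK probe.
            handshakes[key].add(dport)
            continue
        if kind == "syn":
            syn_seen[key].add(dport)
        probes[key][kind].add(dport)

    findings = {}
    for (src, dst), by_kind in probes.items():
        for kind, ports in by_kind.items():
            if kind == "other" or len(ports) < min_ports:
                continue
            if kind == "syn":
                # Full connect scans complete the handshake; SYN scans never send the ACK.
                kind = "connect" if ports <= handshakes[(src, dst)] else "syn"
            findings[src] = (kind, len(ports))
    return findings


if __name__ == "__main__":
    for src, (kind, n) in sorted(detect_scans(SAMPLE_LOG).items()):
        print(f"{src}: {kind} scan across {n} ports")
```

Run on the sample, the SYN-only source is reported as a half-open scan, the source that completed every handshake as a full connect scan, and the ordinary client that talked to a single port is not reported at all; raising or lowering min_ports tunes how many distinct ports count as a sweep.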

Demo

To use all 4 modules, you can use this script:

#!/bin/bash
# Ask for the scan parameters, write them into a Metasploit resource
# script, and then run all four portscan modules in sequence.
# Note: the raw ack, syn and xmas scans need root privileges on the
# scanning host; only the tcp (full connect) scan works without them.
echo "type your target IP: "
read -r RHOSTS
echo "type your range of ports to scan: "
read -r PORTS
echo "type THREADS: "
read -r THREADS

cat > portscan.rc <<EOF
use auxiliary/scanner/portscan/ack
set RHOSTS $RHOSTS
set PORTS $PORTS
set THREADS $THREADS
run
use auxiliary/scanner/portscan/syn
set RHOSTS $RHOSTS
set PORTS $PORTS
set THREADS $THREADS
run
use auxiliary/scanner/portscan/tcp
set RHOSTS $RHOSTS
set PORTS $PORTS
set THREADS $THREADS
run
use auxiliary/scanner/portscan/xmas
set RHOSTS $RHOSTS
set PORTS $PORTS
set THREADS $THREADS
run
EOF

# Start msfconsole and execute the resource script.
msfconsole -r portscan.rc
