Mastering Port Scanning with Metasploit: A Comprehensive Guide
Port scanning is a fundamental step in ethical hacking and penetration testing. It helps identify open doors into a system, revealing potential vulnerabilities. Metasploit, widely known for exploitation, also boasts a rich set of scanning tools integrated within its auxiliary modules. In this guide, we’ll explore the key techniques for port scanning with Metasploit, along with practical examples and expert tips.
What is Pivoting?
Pivoting allows hackers to use a compromised system as a bridge to access other systems hidden behind firewalls or NAT (Network Address Translation). For instance, systems behind NAT typically have private IPs, making them unreachable from the internet. By exploiting such a system with Metasploit, you can route traffic through it to uncover other hidden targets.
Getting Started: Searching for Port Scanning Modules
To initiate port scanning in Metasploit, you can search for available modules using:
msf > search portscan
This command displays all port-scanning modules within the framework, ready to be utilized for various scanning methods.
1. SYN Port Scanning
The SYN scan is a stealthy way to identify open TCP ports without completing the full handshake. Here’s an example:
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run
Output:
[*] TCP OPEN 192.168.1.155:135
[*] TCP OPEN 192.168.1.155:139
[*] TCP OPEN 192.168.1.155:445
The results can be stored in Metasploit’s database for future exploitation.
2. Targeted Scanning
Targeted scanning focuses on specific services, configurations, or software versions, prioritizing those known to have exploitable vulnerabilities. Use the latest Metasploit modules to identify these weaknesses quickly.
3. Scanning for SMB Services
SMB (Server Message Block) is widely used for file sharing and network communication. You can detect details about SMB services using the smb_version module:
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 10.10.11.129
RHOSTS => 10.10.11.129
msf auxiliary(smb_version) > run
Output:
[*] 10.10.11.129:445 - SMB Detected (compression: AES-128-CCM)
4. Scanning for Misconfigured Microsoft SQL Servers
Microsoft SQL (MS SQL) servers can be a goldmine for vulnerabilities. Here’s how to scan for them using the mssql_ping module:
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 10.10.1.0/24
RHOSTS => 10.10.1.0/24
msf auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf auxiliary(mssql_ping) > run
Output:
[+] 128.143.124.123 - InstanceName = SQLEXPRESS
[+] 128.143.124.123 - Version = 15.0.2000.5
5. Scanning for Amazon S3 Buckets
Misconfigured Amazon S3 buckets can expose sensitive data. While Metasploit doesn’t natively support S3 scanning, tools like S3Scanner can be used:
sudo pip3 install s3scanner
s3scanner scan --bucket flaws2.cloud
Output:
http://flaws2.cloud | bucket_exists | AuthUsers: [], AllUsers: []
6. Scanning for SSH Server Versions
Use the ssh_version module to identify SSH versions running on a target:
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.1.0/24
msf auxiliary(ssh_version) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_version) > run
Output:
[*] 192.168.1.101:22 - SSH server version: SSH-2.0-OpenSSH_7.4
7. Scanning for FTP Services
FTP services can often be poorly configured, allowing for anonymous access. Use the ftp_version module to scan for FTP services:
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
msf auxiliary(ftp_version) > run
Check for anonymous access with:
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 192.168.1.155
msf auxiliary(anonymous) > run
Output:
[*] 192.168.1.155:21 Anonymous READ/WRITE
Anonymous READ/WRITE access is a significant security risk: anyone on the network can read and modify files on that server without credentials.
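Scanner output is only useful once it is turned into a per-host inventory that can be triaged and reported. The following added example (not from the original post or from Metasploit) parses the output line formats shown in the sections above and flags the anonymous-FTP finding; the sample output and the risk levels are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample of msfconsole scanner output, using the line formats quoted in the sections above.
SAMPLE_OUTPUT = """\
[*] TCP OPEN 192.168.1.155:135
[*] TCP OPEN 192.168.1.155:445
[*] 10.10.11.129:445 - SMB Detected (compression: AES-128-CCM)
[+] 128.143.124.123 - InstanceName = SQLEXPRESS
[+] 128.143.124.123 - Version = 15.0.2000.5
[*] 192.168.1.101:22 - SSH server version: SSH-2.0-OpenSSH_7.4
[*] 192.168.1.155:21 Anonymous READ/WRITE
[*] Scanned 1 of 1 hosts (100% complete)
"""
# One regex per output format; lines matching none of them (progress messages) are ignored.
PATTERNS = [
    ("open_port", re.compile(r"^\[\*\] TCP OPEN (?P<host>[\d.]+):(?P<port>\d+)$")),
    ("smb", re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) - SMB Detected \((?P<detail>[^)]*)\)$")),
    ("mssql", re.compile(r"^\[\+\] (?P<host>[\d.]+) - (?P<key>\w+) = (?P<val>.+)$")),
    ("ssh", re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) - SSH server version: (?P<detail>\S+)$")),
    ("ftp_anon", re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) Anonymous (?P<detail>READ(?:/WRITE)?)$")),
]

def parse_msf_output(text):
    """Build a per-host inventory: {host: {"ports": set of ints, "findings": [(kind, detail), ...]}}."""
    hosts = defaultdict(lambda: {"ports": set(), "findings": []})
    for line in text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line.strip())
            if not m:
                continue
            d, entry = m.groupdict(), hosts[m["host"]]
            if "port" in d:
                entry["ports"].add(int(d["port"]))
            if kind == "mssql":
                entry["findings"].append((kind, f"{d['key']}={d['val']}"))
            elif kind != "open_port":
                entry["findings"].append((kind, d["detail"]))
            break
    return dict(hosts)

def risk_level(entry):
    """Triage one host: writable anonymous FTP is critical, read-only anonymous FTP high, else info."""
    for kind, detail in entry["findings"]:
        if kind == "ftp_anon":
            return "critical" if "WRITE" in detail else "high"
    return "info"

def triage(text):
    """Return {host: (risk, sorted ports, findings)} ready for a report or a ticket."""
    return {h: (risk_level(e), sorted(e["ports"]), e["findings"]) for h, e in parse_msf_output(text).items()}
```

Feeding it the console output saved with spool gives one triaged record per host, so the FTP server with anonymous write access surfaces first.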
Conclusion
Metasploit’s auxiliary modules offer a robust framework for port scanning, making it an indispensable tool for penetration testers. Whether identifying open ports, misconfigured services, or exploitable versions, Metasploit simplifies the process and empowers ethical hackers to uncover vulnerabilities effectively.
For more resources on ethical hacking, visit:
🔗 Links & Resources:
- Ocsaly Academy Blog Post: How Hackers Exploit Calibre and What You Can Do About It
- Certificated Ethical Hacking Course: Real Ethical Hacking in 43 Hours
- Red Teaming & Exploit Development Course: MSAC+ on Udemy
Stay tuned for more tutorials, and happy scanning!