
Fundamentals of Penetration Testing

Using nmap in metasploit

Medium
10 min

Nmap and Metasploit

A good starting point for network scanning is the nmap tool, which is also built into the Metasploit Framework as its own module. By using the built-in nmap module, the results are saved to a database so they can be used later in attacks. However, this requires a database to be set up first, so let's start with that.

Starting Metasploit Database

If you want Metasploit to save data to a database (this is required when using db_nmap), you must first start the postgresql database and create the Metasploit database schema and user. You can do this with the following commands:

service postgresql start
msfdb init

Starting Metasploit

When the database is running, we can launch Metasploit with the following command.

msfconsole

Using Nmap in Metasploit

In Metasploit, Nmap is used within msfconsole with the command db_nmap.

msf6 > db_nmap -h
[*] Nmap 7.93 ( https://nmap.org )
[*] Usage: nmap [Scan Type(s)] [Options] {target specification}
[*] TARGET SPECIFICATION:
[*] Can pass hostnames, IP addresses, networks, etc.
[*] Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
[*] -iL <inputfilename>: Input from list of hosts/networks
[*] -iR <num hosts>: Choose random targets
[*] --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
[*] --excludefile <exclude_file>: Exclude
...

Nmap's results are automatically saved to Metasploit's database, where they can be viewed and used from within Metasploit. Let's take a practical example of this before you start practicing yourself.

Exercise

Start the lab now and perform the following steps along.

Metasploit Practice

In this lab, there are several different vulnerable web services that you can search for with Metasploit.


msfdb init

Let's start by launching and initializing the Metasploit database. Don't worry about the systemd error message; it doesn't matter here.

service postgresql start
msfdb init
...
[+] Starting database
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
[+] Creating database user 'msf'
[+] Creating Databases 'msf'
[+] Creating Databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema

msfconsole

Let's open Metasploit console:

root@b0trac0a9r-student:~# msfconsole
                                                  
#cowsay++
 ____________
< Metasploit >
 ------------
       \ ,__,
        \ (oo)____
           (__) )\
              ||--|| *


       =[ Metasploit v6.3.4-dev ]
+ -- --=[ 2294 Exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 Encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: Start commands with a space to avoid saving
them to history
Metasploit Documentation: https://docs.metasploit.com/
msf6 >

msf6 -> db_status

Check that the database connection has been established.

msf6 -> db_nmap <ip>

Check the section "Internal Network Targets" to find the IP address of your target.

Start with a basic nmap scan of the target IP address (a default TCP port scan, with no OS or version detection).

msf6 > db_nmap 10.0.2.22
[*] Nmap: Starting Nmap 7.94 ( https://nmap.org )...
[*] Nmap: Nmap scan report for 10.0.2.22
[*] Nmap: Host is up (0.000020s latency).
[*] Nmap: Not shown: 992 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp open ssh
[*] Nmap: 25/tcp open smtp
[*] Nmap: 53/tcp open domain
[*] Nmap: 111/tcp open rpcbind
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 2121/tcp open ccproxy-ftp
[*] Nmap: 3306/tcp open mysql
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

The basic scan found quite a few open ports, but we have not yet identified the services behind them (the displayed service names are Nmap's guesses based solely on the port number).

msf6 -> hosts

Run the "hosts" command to see what devices nmap has found on the network.

msf6 > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.2.22             Unknown                    device

As expected, only one device is displayed in the list because we have only scanned one IP address. The operating system has also not been identified yet.

msf6 -> services

Run the "services" command to see which ports and services nmap has found on the network.

msf6 > services
Services
========

host       port  proto  name          state  info
----       ----  -----  ----          -----  ----
10.0.2.22  22    tcp    ssh           open
10.0.2.22  25    tcp    smtp          open
10.0.2.22  53    tcp    domain        open
10.0.2.22  111   tcp    rpcbind       open
10.0.2.22  139   tcp    netbios-ssn   open
10.0.2.22  445   tcp    microsoft-ds  open
10.0.2.22  2121  tcp    ccproxy-ftp   open
10.0.2.22  3306  tcp    mysql         open

The ports are listed and named according to Nmap's best guess of what service is usually found behind each port. However, no actual services have been identified and there is no additional information about them.

msf6 -> db_nmap -A

Next, we will detect the operating system, rescan the open ports, and try to identify the actual services behind them. All of this can be done with the -A flag, which enables OS detection, version detection, default script scanning and traceroute. This scan takes a bit longer.

msf6 > db_nmap -A 10.0.2.22
[*] Nmap: Starting Nmap 7.94 ( https://nmap.org )...
[*] Nmap: Nmap scan report for 10.0.2.22
[*] Nmap: Host is up (0.000085s latency).
[*] Nmap: Not shown: 992 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh hostkey:
[*] Nmap: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
[*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 25/tcp open smtp Postfix smtpd
...

Nmap has finished, and now there is a lot more information!

msf6 -> hosts

Let's look at the hosts again to see whether we have received more information.

msf6 > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.2.22             Linux    3.X               server

A little more: now we at least know that it is a Linux server.

msf6 -> services

Next, let's look at the identified services:

msf6 > services
Services
========

host       port  proto  name         state  info
----       ----  -----  ----         -----  ----
10.0.2.22  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.2.22  25    tcp    smtp         open   Postfix smtpd
10.0.2.22  53    tcp    tcpwrapped   open
10.0.2.22  111   tcp    rpcbind      open   2 RPC #100000
10.0.2.22  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
10.0.2.22  445   tcp    netbios-ssn  open   Samba smbd 3.0.20-Debian workgroup: WORKGROUP
...
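The difference between the two services listings above (port-number guesses versus identified versions) is worth making explicit when you review a scan. Here is an added example, not part of the course or of Metasploit itself: a small Python parser for the `[*] Nmap:` lines that db_nmap prints, which compares a basic scan with a -A scan and reports which ports are really identified by a version banner, which only had their guess replaced (such as 53/tcp becoming tcpwrapped), and which still carry nothing but the port-number guess. The two sample outputs are constructed from the scans shown above.

```python
import re

# Constructed samples in the shape of the db_nmap output shown above; the header
# and NSE script lines ("| ssh-hostkey:") are included to show they are skipped.
BASIC_SCAN = """\
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp open ssh
[*] Nmap: 53/tcp open domain
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 3306/tcp open mysql
"""
VERSION_SCAN = """\
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 53/tcp open tcpwrapped
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
[*] Nmap: 3306/tcp open mysql
"""

# "[*] Nmap: <port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^\[\*\] Nmap: (\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")

def parse_db_nmap(output: str) -> dict[tuple[int, str], dict]:
    """Return {(port, proto): {state, name, version}} from db_nmap's [*] Nmap: lines.
    version is "" when nmap printed nothing in the VERSION column."""
    found = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line.rstrip())
        if m:
            port, proto, state, name, version = m.groups()
            found[(int(port), proto)] = {"state": state, "name": name, "version": version or ""}
    return found

def classify(basic: str, versioned: str) -> dict[str, list[str]]:
    """Compare a port-only scan with a -A scan and report how far each port got:
    confirmed  - a version banner was captured, so the service is really identified
    renamed    - -A replaced the port-number guess (e.g. tcpwrapped) but got no banner
    unverified - still nothing but the port-number guess; do not trust the name"""
    before, after = parse_db_nmap(basic), parse_db_nmap(versioned)
    out = {"confirmed": [], "renamed": [], "unverified": []}
    for key, svc in sorted(after.items()):
        label = f"{key[0]}/{key[1]} {svc['name']}"
        if svc["version"]:
            out["confirmed"].append(label)
        elif key in before and before[key]["name"] != svc["name"]:
            out["renamed"].append(label)
        else:
            out["unverified"].append(label)
    return out
```

Run `classify(BASIC_SCAN, VERSION_SCAN)` to get the three buckets; on the constructed input 3306/tcp ends up unverified, which is exactly the kind of port to follow up on manually before trusting the name stored in the database.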

Exercises

What port does ProFTPd run on?

What is the version of ProFTPd?
