Disclaimer: The below article is meant to get you started with the basics, i.e. setting up Metasploit and running your first scan. You do this at your own risk, and make sure you have permission from the network owner before you do anything. Better yet, do it on your own network.

I highly recommend that you read this article to get a more in-depth understanding: https://www.offsec.com/metasploit-unleashed/port-scanning/

Installing metasploit

Metasploit comes preinstalled on Kali Linux, so there is nothing to do here.

Update metasploit

To update metasploit, you can run the following commands:

sudo apt update
sudo apt install metasploit-framework

In the olden days, or if you installed Metasploit yourself, you would’ve run this command:

sudo msfupdate

But nowadays you will get an error such as: “msfupdate is no longer supported when Metasploit is part of the operating system”.

Metasploit basics

Hack The Box explains this really well, so give the article below a read; the image that follows summarizes things well enough for our purposes.

Article: https://www.hackthebox.com/blog/metasploit-tutorial

(Image: Metasploit framework overview)

All of the above components can also be found on disk in this folder:

/usr/share/metasploit-framework

For example, the modules folder contains subfolders for auxiliary, encoders, payloads, etc. This is very useful because everything is well organized, and it lets you browse the folder structure to find what you are looking for.

(Image: folder structure)

Starting msfconsole

msfconsole is the command line interface we will use to interact with Metasploit. But there are two steps we should perform before we start msfconsole:

Step 1: Check if PostgreSQL is running

msfconsole does not need PostgreSQL, but having it running helps a lot with keeping track of hosts, host operating systems, module configs, etc.

systemctl list-units --type=service | grep postgresql

The above command is useful in case you have multiple PostgreSQL instances, as it will show all of them. If you only have one PostgreSQL instance, you can enable and start it with these commands. The last command shows you the status, i.e. whether PostgreSQL is running or not.

systemctl enable postgresql.service
systemctl start postgresql.service
systemctl status postgresql.service

If you have more than one PostgreSQL instance, enable and start each of them explicitly. On Kali the units are named postgresql@<version>-main.service, so just replace <version> with the version numbers from the output you received and run the commands once per instance:

sudo systemctl enable postgresql@<version>-main.service

sudo systemctl start postgresql@<version>-main.service

sudo systemctl status postgresql@<version>-main.service

Step 2: msfdb

You only have to run the below command once. It will create the required database in PostgreSQL and start up the necessary web services for Metasploit:

sudo msfdb init

The init command will also start PostgreSQL if it is not already running, but because so many things rely on PostgreSQL, it is better to have it start when Kali boots, as we did above.

If you want to check if msfdb has been set up before, you can run this command:

sudo msfdb status

If you need to reinitialize your database, which is useful when you are starting a new project, you can run the below command. Just keep in mind that this will clear out your database.

sudo msfdb reinit

Searching Modules and Module Rank

The command “search” allows you to search all modules that contain a specific word. For example:

search snmp

This will show you a list of all modules containing the word “snmp”, along with each module’s rank.

(Image: search module output)

Module Rank

The module rank is rather important, as can be seen in the table below. Lower-ranked modules could potentially crash a service on the remote host, or they might be harder to exploit reliably. A module with a dot as its rank has not been ranked yet.

(Image: module rank table)
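The search and rank ideas above can be reproduced offline against the modules folder described earlier. The following Ruby script is an added example, not code from the article or from the Metasploit project: it walks a modules tree, matches a keyword against each module’s path and declared Name, and reads the Rank constant the module file declares. The numeric ranking values are Metasploit’s own (ManualRanking = 0 up to ExcellentRanking = 600); the sample module files it builds are constructed stubs, and treating a module with no Rank constant as unranked (“.”) is an assumption that follows the article’s description of the search output.

```ruby
# Added example, not Metasploit's own code: an offline "search" over a modules
# tree laid out like /usr/share/metasploit-framework/modules. It reports each
# matching module's path, declared Name and Rank, using the numeric ranking
# values Metasploit defines (Manual = 0 up to Excellent = 600).
require 'tmpdir'
require 'fileutils'

RANK_VALUES = {
  'ManualRanking' => 0, 'LowRanking' => 100, 'AverageRanking' => 200,
  'NormalRanking' => 300, 'GoodRanking' => 400, 'GreatRanking' => 500,
  'ExcellentRanking' => 600
}.freeze

# Returns an array of {path:, name:, rank:, rank_value:} for every .rb file under
# modules_dir whose relative path or 'Name' contains keyword (case-insensitive),
# highest rank first. A module that declares no Rank constant is reported with
# rank "." and rank_value nil (assumption: this mirrors the dot the article
# describes in msfconsole's search output).
def search_modules(modules_dir, keyword)
  modules_dir = File.expand_path(modules_dir)
  kw = keyword.downcase
  results = []
  Dir.glob(File.join(modules_dir, '**', '*.rb')).sort.each do |file|
    src = File.read(file)
    rel = file.delete_prefix("#{modules_dir}/").delete_suffix('.rb')
    name = src[/'Name'\s*=>\s*'([^']*)'/, 1] || rel
    next unless rel.downcase.include?(kw) || name.downcase.include?(kw)

    rank_const = src[/^\s*Rank\s*=\s*(\w+Ranking)\b/, 1]
    results << {
      path: rel,
      name: name,
      rank: rank_const ? rank_const.delete_suffix('Ranking').downcase : '.',
      rank_value: rank_const ? RANK_VALUES[rank_const] : nil
    }
  end
  # Unranked modules sort last; among ranked ones the most reliable come first.
  results.sort_by { |r| [-(r[:rank_value] || -1), r[:path]] }
end

# Builds a constructed sample tree so the example runs without Kali. The files
# are stubs carrying only the fields search_modules reads, not real modules.
def build_sample_tree(root)
  {
    'auxiliary/scanner/snmp/snmp_login.rb' => <<~RUBY,
      class MetasploitModule < Msf::Auxiliary
        Rank = NormalRanking
        def initialize
          super('Name' => 'SNMP Community Login Scanner')
        end
      end
    RUBY
    'exploits/windows/snmp/sample_low_ranked.rb' => <<~RUBY,
      class MetasploitModule < Msf::Exploit::Remote
        Rank = LowRanking
        def initialize
          super('Name' => 'Sample Low-Ranked SNMP Module (constructed stub)')
        end
      end
    RUBY
    'auxiliary/scanner/ssh/ssh_version.rb' => <<~RUBY
      class MetasploitModule < Msf::Auxiliary
        def initialize
          super('Name' => 'SSH Version Scanner')
        end
      end
    RUBY
  }.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
  root
end

if $PROGRAM_NAME == __FILE__
  # Pass a real modules directory and keyword as arguments to search it instead.
  dir = ARGV[0] || build_sample_tree(Dir.mktmpdir)
  search_modules(dir, ARGV[1] || 'snmp').each do |r|
    printf("%-48s %-8s %s\n", r[:path], r[:rank], r[:name])
  end
end
```

Run it as `ruby modsearch.rb /usr/share/metasploit-framework/modules snmp` on Kali to search the real tree; with no arguments it searches the constructed stubs and prints the two SNMP modules, normal-ranked first, which is the same ordering question you face when choosing between two search hits.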

Scanning for hosts and ports

There are many ways you can scan for hosts. We will go through some of my favorites; there are many more scans you can perform.

db_nmap

db_nmap runs nmap as usual, but it also adds the hosts, their detected operating systems, etc. to the database.

db_nmap -sV -A 192.168.0.1/24
db_nmap -Pn 192.168.0.1/24

The second command takes quite a while, as it treats all hosts as up. This is useful if you know a host is up but it is not responding to any probes.

Now you can run the “hosts” command to see a list of the hosts you discovered.

(Image: hosts command output)

You can also run the “services” command to get a list of all open ports and any headers/banners nmap was able to grab:

(Image: services command output)

TCP Scanners

Metasploit contains many, many different types of scanners. Below I will show some examples of my favorites.

Take note: instead of setting RHOSTS manually, you can run “hosts -R”, which reads in all hosts you discovered using db_nmap. This can speed things up greatly, since only hosts already known to be online are scanned.
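To make it concrete what db_nmap stores and what “hosts -R” hands to the scanner modules, here is an added Ruby example, not code from the article or from Metasploit. It parses nmap’s greppable output (the format produced by nmap’s -oG option) into the same host and service information the “hosts” and “services” commands display, and joins the live hosts into one RHOSTS value. The scan text embedded in it is constructed to look like the output of a service scan of 192.168.1.0/24; the addresses, hostnames and banners are made up for the example.

```ruby
# Added example, not Metasploit's own code: a parser for nmap's greppable output
# (-oG) that rebuilds what db_nmap records in the "hosts" and "services" tables,
# and joins the live hosts into one RHOSTS value the way "hosts -R" does.
# Assumption: the scan text below is constructed to look like
# "nmap -sV -oG - 192.168.1.0/24" output; the addresses and banners are not real.
SAMPLE_GNMAP = <<~GNMAP
  # Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.0/24
  Host: 192.168.1.1 (router.lan)\tStatus: Up
  Host: 192.168.1.1 (router.lan)\tPorts: 53/open/tcp//domain//dnsmasq 2.89/, 80/open/tcp//http//lighttpd/\tIgnored State: closed (998)
  Host: 192.168.1.122 ()\tStatus: Up
  Host: 192.168.1.122 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
  # Nmap done -- 256 IP addresses (2 hosts up) scanned in 42.10 seconds
GNMAP

# Parses greppable output into { ip => { hostname:, status:, services: [...] } }.
# Each "Ports:" entry has the form port/state/proto/owner/service/rpcinfo/version/.
def parse_gnmap(text)
  hosts = Hash.new { |h, ip| h[ip] = { hostname: nil, status: nil, services: [] } }
  text.each_line do |line|
    next unless line.start_with?('Host: ')

    fields = line.chomp.split("\t")
    ip, hostname = fields.shift.match(/\AHost: (\S+) \((.*?)\)/).captures
    entry = hosts[ip]
    entry[:hostname] = hostname unless hostname.empty?
    fields.each do |field|
      key, value = field.split(': ', 2)
      case key
      when 'Status'
        entry[:status] = value.downcase
      when 'Ports'
        entry[:status] ||= 'up' # a port listing only appears for hosts nmap reached
        value.split(', ').each do |spec|
          port, state, proto, _owner, name, _rpc, info = spec.split('/', -1)
          entry[:services] << { port: port.to_i, proto: proto, state: state,
                                name: name, info: info }
        end
      end
    end
  end
  hosts
end

# Like "hosts -R": one space-separated RHOSTS value containing only live hosts.
def rhosts_value(hosts)
  hosts.select { |_ip, h| h[:status] == 'up' }.keys.join(' ')
end

# Like the "services" listing: open ports only, as [ip, port, proto, name, info].
def open_services(hosts)
  hosts.flat_map do |ip, h|
    h[:services].select { |s| s[:state] == 'open' }
                .map { |s| [ip, s[:port], s[:proto], s[:name], s[:info]] }
  end.sort_by { |ip, port, *_rest| [ip, port] }
end

if $PROGRAM_NAME == __FILE__
  # Pass a real .gnmap file as the first argument to parse a scan of your own network.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_GNMAP
  hosts = parse_gnmap(text)
  puts "set RHOSTS #{rhosts_value(hosts)}"
  open_services(hosts).each do |ip, port, proto, name, info|
    printf("%-15s %5d/%s %-14s %s\n", ip, port, proto, name, info)
  end
end
```

Note how the filtered port 139 is dropped from the services view while the host itself still lands in RHOSTS: that is the same reason the article recommends “hosts -R” after db_nmap, since the scanner modules then only touch hosts the discovery scan already proved reachable.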

Portscan

use auxiliary/scanner/portscan/tcp
set RHOSTS <target_ip>
set PORTS 1-1000
run
(Image: portscan/tcp run with RHOSTS set via hosts -R)

You can also run an SMB version scan:

use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.122
run

And an SSH version scan:

use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.1
run

Don’t forget to scan for UDP services:

db_nmap -sU -sV 192.168.1.114

Metasploit has several scanners for specific UDP services. They are useful to run once your db_nmap scan has completed and picked up UDP services:

SNMP scan

use auxiliary/scanner/snmp/snmp_login
set RHOSTS <target_ip>
run

Credentials

Let’s say you run the smb_login scanner and it successfully authenticates to an SMB share. Metasploit will then store the credential (username and password) in the database:

use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.1.122
set SMBUser homeuser
set SMBPass XXX
run

(Image: output of the creds command)