Perform a Basic Port Scan using db_nmap in Metasploit

Kali Linux | Beginner

Introduction

The Metasploit Framework is a powerful open-source tool for developing, testing, and executing exploit code against a remote target machine. A critical part of any security assessment is information gathering, which includes port scanning to identify open ports and running services.

Metasploit integrates the popular Nmap scanner through the db_nmap command. The key advantage of db_nmap is that it automatically saves the scan results directly into the Metasploit database, allowing you to easily manage and query the collected data.

In this lab, you will learn how to perform basic port scans using db_nmap and view the results within the Metasploit console.

Select a workspace for the scan results

In this step, you will start the Metasploit console and create a dedicated workspace. Workspaces in Metasploit help you organize your projects by keeping hosts, services, and other collected data separate for each assessment.

First, open your terminal and start the Metasploit Framework console by running the following command. It may take a moment to load.

msfconsole

Once the msfconsole prompt (msf6 >) appears, you can create and switch to a new workspace. We will name our workspace portscan_lab. Use the -a flag to add a new workspace.

workspace -a portscan_lab

You should see a confirmation message.

[*] Added workspace: portscan_lab
[*] Workspace: portscan_lab

To confirm that you are in the correct workspace, you can run the workspace command without any arguments. The asterisk * indicates the currently active workspace.

workspace

The output will list all available workspaces:

  default
* portscan_lab

Now that your workspace is set up, you are ready to start scanning.

Run a TCP SYN scan using db_nmap -sS

In this step, you will perform a TCP SYN scan. This type of scan, also known as a "stealth scan" or "half-open scan," is a popular choice because it is fast and less likely to be logged by target systems: Nmap sends a SYN, notes whether a SYN/ACK comes back, and then tears the attempt down with a RST instead of completing the three-way handshake, so the listening application never sees a connection (a firewall or network IDS still sees the SYN packets). The -sS flag tells Nmap to perform a SYN scan; because it crafts raw packets, Nmap needs root privileges for it.

Within the msfconsole prompt, use the db_nmap command to scan your local machine (localhost). The results will be automatically saved to your portscan_lab workspace.

db_nmap -sS localhost

The command will execute Nmap and display its progress and results. The output will look similar to the standard Nmap output.

[*] Nmap: Starting Nmap 7.94 ( https://nmap.org ) at ...
[*] Nmap: Nmap scan report for localhost (127.0.0.1)
[*] Nmap: Host is up (0.000084s latency).
[*] Nmap: Other addresses for localhost (not scanned): ::1
[*] Nmap: Not shown: 997 closed tcp ports (reset)
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 22/tcp   open  ssh
[*] Nmap: 5432/tcp open  postgresql
[*] Nmap: 6200/tcp open  oracle-tns
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

The scan has identified several open ports, and this information is now stored in the Metasploit database.

Run a service version detection scan using db_nmap -sV

In this step, you will perform a more detailed scan to identify the specific versions of the services running on the open ports. Knowing the service version is crucial for finding potential vulnerabilities. The -sV flag enables version detection in Nmap.

Run the following command in your msfconsole prompt. This scan will take slightly longer than the previous one because Nmap needs to interact with each open port to probe for version information.

db_nmap -sV localhost

The output will be more detailed than the SYN scan. Notice the new VERSION column, which contains the information gathered by the version detection probes.

[*] Nmap: Starting Nmap 7.94 ( https://nmap.org ) at ...
[*] Nmap: Nmap scan report for localhost (127.0.0.1)
[*] Nmap: Host is up (0.00011s latency).
[*] Nmap: Other addresses for localhost (not scanned): ::1
[*] Nmap: Not shown: 997 closed tcp ports (reset)
[*] Nmap: PORT     STATE SERVICE VERSION
[*] Nmap: 22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
[*] Nmap: 5432/tcp open  postgresql PostgreSQL DB 14.10 (Ubuntu 14.10-0ubuntu0.22.04.1)
[*] Nmap: 6200/tcp open  unknown
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

This new information is also automatically added to the database, updating the records for the discovered host and its services rather than creating duplicate entries. Note that port 6200 was labelled oracle-tns by the SYN scan but unknown here: without -sV, the SERVICE column is only a lookup of the port number in Nmap's services table, whereas the version probes report what actually answered, so the database record for that port now reads unknown.

List discovered hosts in the database with the hosts command

In this step, you will learn how to query the Metasploit database to view the hosts that have been discovered during your scans. The hosts command provides a summary of all hosts stored in the current workspace.

Run the hosts command in your msfconsole prompt:

hosts

The output will be a table listing all the hosts found. Since you only scanned localhost, you will see one entry.

Hosts
=====

address      mac  name       os_name  os_flavor  os_sp  purpose  info  comments
-------      ---  ----       -------  ---------  -----  -------  ----  --------
127.0.0.1         localhost  Linux               Linux  device

This command is a quick way to see all the targets that have been identified and stored in your project workspace.

List discovered services with the services command

In this step, you will use the services command to view detailed information about the open ports and services discovered on the hosts in your database. This command is especially useful after running a version detection scan.

Execute the services command in your msfconsole prompt:

services

The output will display a detailed table of all services found. Notice how it includes the port, protocol, service name, and the version information you gathered with the -sV scan.

Services
========

Host       Port  Proto  Name        State  Info
----       ----  -----  ----        -----  ----
127.0.0.1  22    tcp    ssh         open   OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
127.0.0.1  5432  tcp    postgresql  open   PostgreSQL DB 14.10 (Ubuntu 14.10-0ubuntu0.22.04.1)
127.0.0.1  6200  tcp    unknown     open

The services command allows you to quickly review all potential points of entry on your target systems, which is a fundamental part of planning the next phase of a security assessment.
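To see what db_nmap does on your behalf between the Nmap output and the hosts and services tables, here is an added Python example written for this page (it is not code from the lab or from Metasploit). It parses the "[*] Nmap:" console lines from the two scans above, keeps one record per host and one per port/protocol pair so that the -sV results update the records created by the -sS scan instead of duplicating them, and renders hosts and services tables in msfconsole's layout. The sample console output is copied from the lab's own listings; the Workspace, Host and Service names are this example's own and are not Metasploit's internal data model.

```python
"""Added example: a small model of how db_nmap turns Nmap console output into
per-workspace host and service records. Not part of the lab or of Metasploit."""
import re
from dataclasses import dataclass, field

# Constructed sample: the db_nmap -sS output shown in the lab.
SYN_SCAN = """\
[*] Nmap: Starting Nmap 7.94 ( https://nmap.org ) at ...
[*] Nmap: Nmap scan report for localhost (127.0.0.1)
[*] Nmap: Host is up (0.000084s latency).
[*] Nmap: Not shown: 997 closed tcp ports (reset)
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 22/tcp   open  ssh
[*] Nmap: 5432/tcp open  postgresql
[*] Nmap: 6200/tcp open  oracle-tns
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
"""

# Constructed sample: the db_nmap -sV output shown in the lab.
VERSION_SCAN = """\
[*] Nmap: Starting Nmap 7.94 ( https://nmap.org ) at ...
[*] Nmap: Nmap scan report for localhost (127.0.0.1)
[*] Nmap: Host is up (0.00011s latency).
[*] Nmap: PORT     STATE SERVICE VERSION
[*] Nmap: 22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
[*] Nmap: 5432/tcp open  postgresql PostgreSQL DB 14.10 (Ubuntu 14.10-0ubuntu0.22.04.1)
[*] Nmap: 6200/tcp open  unknown
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
"""

PREFIX = "[*] Nmap: "  # msfconsole prefixes every Nmap line with this tag
# "Nmap scan report for localhost (127.0.0.1)" or "Nmap scan report for 10.0.0.5"
REPORT_RE = re.compile(r"Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
# "22/tcp   open  ssh     OpenSSH ..." (the VERSION column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
OS_RE = re.compile(r"Service Info: .*?OS: ([^;]+)")


@dataclass
class Service:
    port: int
    proto: str
    name: str
    state: str
    info: str = ""


@dataclass
class Host:
    address: str
    name: str = ""
    os_name: str = ""
    services: dict = field(default_factory=dict)  # (port, proto) -> Service


class Workspace:
    """Stand-in for one Metasploit workspace: hosts keyed by address (hypothetical model)."""

    def __init__(self, name):
        self.name = name
        self.hosts = {}

    def import_nmap(self, console_output):
        """Merge one db_nmap run into the workspace. Existing host and service
        records are updated in place, which is why an -sV scan fills in the Info
        column of records first created by an -sS scan (and, as in the lab,
        replaces the port-table guess 'oracle-tns' with what Nmap actually saw)."""
        host = None
        for raw in console_output.splitlines():
            if not raw.startswith(PREFIX):
                continue  # skip anything msfconsole printed that is not Nmap output
            line = raw[len(PREFIX):].rstrip()
            m = REPORT_RE.search(line)
            if m:  # a new host section begins
                name, addr = m.group(1) or "", m.group(2)
                host = self.hosts.setdefault(addr, Host(addr))
                if name:
                    host.name = name
                continue
            if host is None:
                continue  # header lines before the first host report
            m = PORT_RE.match(line)
            if m:
                port, proto, state, name, info = m.groups()
                key = (int(port), proto)
                svc = host.services.setdefault(key, Service(int(port), proto, name, state))
                svc.state, svc.name = state, name
                if info:
                    svc.info = info.strip()
                continue
            m = OS_RE.search(line)
            if m:
                host.os_name = m.group(1).strip()

    def hosts_table(self):
        return [(h.address, h.name, h.os_name) for h in self.hosts.values()]

    def services_table(self):
        rows = []
        for h in self.hosts.values():
            for s in sorted(h.services.values(), key=lambda s: (s.port, s.proto)):
                rows.append((h.address, s.port, s.proto, s.name, s.state, s.info))
        return rows


def format_table(title, headers, rows):
    """Render rows the way msfconsole prints its 'hosts' and 'services' tables."""
    cells = [list(headers)] + [[str(c) for c in r] for r in rows]
    widths = [max(len(r[i]) for r in cells) for i in range(len(headers))]
    fmt = lambda r: "  ".join(c.ljust(w) for c, w in zip(r, widths)).rstrip()
    lines = [title, "=" * len(title), "", fmt(headers), fmt(["-" * len(h) for h in headers])]
    return "\n".join(lines + [fmt(r) for r in cells[1:]])


if __name__ == "__main__":
    ws = Workspace("portscan_lab")
    ws.import_nmap(SYN_SCAN)       # first scan creates the records
    ws.import_nmap(VERSION_SCAN)   # second scan updates them
    print(format_table("Hosts", ["address", "name", "os_name"], ws.hosts_table()))
    print()
    print(format_table("Services", ["Host", "Port", "Proto", "Name", "State", "Info"],
                       ws.services_table()))
```

Running the script prints the same two tables the lab shows. If you import a scan of a second address, it appears as a second host row, and re-running the same scan leaves the tables unchanged, which is the property that makes a workspace a usable record of an assessment rather than a pile of raw scan logs.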

Summary

In this lab, you have successfully learned the fundamentals of performing port scans within the Metasploit Framework.

You started by setting up a dedicated workspace to keep your project organized. Then, you used the db_nmap command to execute both a fast TCP SYN scan (-sS) and a more detailed service version detection scan (-sV). Finally, you learned how to query the Metasploit database using the hosts and services commands to review the automatically saved scan results.

This workflow is a cornerstone of the information gathering phase in penetration testing and security analysis.