Metasploit Framework includes some port scanners that could be used in a situation that we have compromise a system which is behind a NAT Firewall and we want to do a port scan to the rest of the network or we are just performing an internal penetration test.

In this scenario we will see how we can perform a simple TCP and SYN port scan by using the modules of the Metasploit.

SYN Scanning

First we open the Metasploit Framework and we type search portscan to find the existing scanners.

Choosing the Port Scanner

The port scanner that we will use is the syn scanner and we can see the configuration settings in the image below:

Configuration of SYN Scanner

Before we type the run command that it will start the port scanning in the remote host we can use the show options command in order to see the available options and to check if all the settings are correct.

SYN Scanner Options

From the image above we can see that the default setting for the ports that the scanner will scan is from 1-10000.We can change this setting if want the scanner just to check for specific ports or we can give the range that we want.

For this example we have chosen to scan the ports from 1 to 600.

Port Range Setting

Now we can type the run command and we can see the results in the image below:

Scanning the target with SYN scan

We can see that some common ports are open on the remote host like port 80,139 and 445.This is giving us also an indication for the operating system of the target.It is definitely Windows because ports 139 and 445 belongs to the netbios service in Windows environments.

TCP Scanning

Metasploit Framework has also and a TCP Scanner.We  have used this scanner as well into the same remote host.

We can see that we have slightly different options from the SYN scanner.For example we can set a filter string for capturing traffic or we can process a packet capture file.

Available options of TCP Scanner

For the TCP scan we have set the following parameters:

TCP Scanner Settings

The screenshot below is showing us the output of the scan:

TCP Scan Results

Conclusions

From these two scans we have noticed that the TCP scan is much faster however it is not as stealth as a SYN scan and it could be identified by the IDS (Intrusion Detection System). From the  other hand a SYN scan is slower but less intrusive because it sends the RST packet to the remote host before the connection is established.