Metasploit Framework includes some port scanners that could be used in a situation that we have compromise a system which is behind a NAT Firewall and we want to do a port scan to the rest of the network or we are just performing an internal penetration test.
In this scenario we will see how we can perform a simple TCP and SYN port scan by using the modules of the Metasploit.
First we open the Metasploit Framework and we type search portscan to find the existing scanners.
The port scanner that we will use is the syn scanner and we can see the configuration settings in the image below:
Before we type the run command that it will start the port scanning in the remote host we can use the show options command in order to see the available options and to check if all the settings are correct.
From the image above we can see that the default setting for the ports that the scanner will scan is from 1-10000.We can change this setting if want the scanner just to check for specific ports or we can give the range that we want.
For this example we have chosen to scan the ports from 1 to 600.
Now we can type the run command and we can see the results in the image below:
We can see that some common ports are open on the remote host like port 80,139 and 445.This is giving us also an indication for the operating system of the target.It is definitely Windows because ports 139 and 445 belongs to the netbios service in Windows environments.
Metasploit Framework has also and a TCP Scanner.We have used this scanner as well into the same remote host.
We can see that we have slightly different options from the SYN scanner.For example we can set a filter string for capturing traffic or we can process a packet capture file.
For the TCP scan we have set the following parameters:
The screenshot below is showing us the output of the scan:
From these two scans we have noticed that the TCP scan is much faster however it is not as stealth as a SYN scan and it could be identified by the IDS (Intrusion Detection System). From the other hand a SYN scan is slower but less intrusive because it sends the RST packet to the remote host before the connection is established.