TCP SYN port scanning with Metasploit

Metasploit

Metasploit has a large collection of modules (exploits, auxiliary modules and so on). The module auxiliary/scanner/portscan/syn performs TCP SYN port scanning. For SYN scanning, Metasploit must be run as root, because sending and sniffing raw SYN packets requires a raw socket, which needs root privileges on a Linux system.

For example, on Ubuntu start it with "sudo msfconsole" so that msfconsole runs with root privileges.

msf > use auxiliary/scanner/portscan/syn 
msf  auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf  auxiliary(syn) >

The show options command lists every option the current module accepts; here the module is a TCP SYN port scanner. The options include the remote hosts (a range or CIDR block), the ports to scan and the number of concurrent threads. The module is multithreaded, which is what makes it fast.
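The PORTS option uses the compact "22-25,80,110-900" notation shown in the option table. Below is an added Ruby example, written for this page and not taken from Metasploit (which parses the option with its own Rex library), that expands such a specification into a validated port list and collapses a list back into the same notation for reporting. The function names and the error handling are this example's own choices.

```ruby
# Added example (not Metasploit's own code): expand a PORTS-style
# specification such as "22-25,80,110-900" into a sorted, de-duplicated
# array of port numbers, rejecting items that are malformed, reversed
# (e.g. "25-22") or outside 1-65535.
def expand_portspec(spec)
  valid = (1..65535)
  ports = []
  spec.to_s.split(',').each do |item|
    item = item.strip
    next if item.empty?                         # tolerate "80,,443" and trailing commas
    case item
    when /\A(\d+)-(\d+)\z/ then lo, hi = $1.to_i, $2.to_i
    when /\A\d+\z/         then lo = hi = item.to_i
    else raise ArgumentError, "malformed port item #{item.inspect}"
    end
    unless valid.cover?(lo) && valid.cover?(hi)
      raise ArgumentError, "port out of range in #{item.inspect}"
    end
    raise ArgumentError, "reversed range #{item.inspect}" if lo > hi
    ports.concat((lo..hi).to_a)
  end
  ports.uniq.sort                               # overlapping ranges collapse here
end

# Inverse operation, handy when reporting results: collapse a port list
# back into the compact "a-b,c" notation, e.g. [21, 22, 23, 80] => "21-23,80".
def compress_ports(ports)
  ports.uniq.sort.slice_when { |a, b| b != a + 1 }.map do |run|
    run.size == 1 ? run.first.to_s : "#{run.first}-#{run.last}"
  end.join(',')
end

if __FILE__ == $PROGRAM_NAME
  p expand_portspec("22-25,80,110-112")
  puts compress_ports([21, 22, 23, 80, 443])
end
```

Validating the specification before a scan starts matters because a typo such as "1-10000O" or a reversed range would otherwise silently produce an empty or wrong port set rather than a visible error.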

After selecting the module, the next step is to set the correct options for it. Let's take an example.

msf  auxiliary(syn) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf  auxiliary(syn) > set PORTS 1-1000
PORTS => 1-1000
msf  auxiliary(syn) > set THREADS 100
THREADS => 100
msf  auxiliary(syn) > set TIMEOUT 250
TIMEOUT => 250
msf  auxiliary(syn) > run

[*]  TCP OPEN 192.168.1.1:21
[*]  TCP OPEN 192.168.1.1:23
[*]  TCP OPEN 192.168.1.1:80

To set an option, use the syntax set option_name option_value, as in the session above. Once the options are set, the only remaining step is to run the module with the run command; it starts scanning and prints results as open ports are found.

The output shows 3 open ports (21 FTP, 23 Telnet, 80 HTTP). The equivalent nmap command for this scan would be

$ nmap -sS -T4 192.168.1.1 -p1-1000
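Seen from the other side of the wire, a SYN scan like the one above (or the nmap -sS equivalent) never completes the TCP handshake, so the scanned services log nothing; the probes are visible only in packet-level records such as a netfilter LOG target, NetFlow or an IDS. The following Ruby program is an added example, not part of the original post or of Metasploit: it parses constructed netfilter-style log lines, keeps only bare SYNs, and flags a source that probes many distinct ports on one host within a short window. The log lines, the regular expression and the threshold and window values are this example's own assumptions.

```ruby
require 'time'

# Constructed netfilter-style LOG lines (not real traffic). 192.168.1.50
# probes 12 ports on 192.168.1.1 within three seconds; 192.168.1.60 is a
# normal client opening ports 80 and 443; one SYN/ACK reply and one UDP
# packet are included as noise that the detector must ignore.
SAMPLE_LOG = <<~LOG
  Feb 25 10:00:00 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:00 gw kernel: IN=eth1 OUT= SRC=192.168.1.1 DST=192.168.1.50 LEN=44 PROTO=TCP SPT=21 DPT=40001 WINDOW=5840 RES=0x00 ACK SYN URGP=0
  Feb 25 10:00:00 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:00 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:00 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=53 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=111 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
  Feb 25 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40002 DPT=53 LEN=40
  Feb 25 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
  Feb 25 10:00:06 gw kernel: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
LOG

# Fields we need from a TCP line; the syslog timestamp is the first 15 chars.
LOG_RE = /\A(?<stamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) .*SRC=(?<src>[\d.]+) DST=(?<dst>[\d.]+) .*PROTO=TCP .*DPT=(?<dpt>\d+)/

# Keep only bare SYNs (SYN set, ACK clear): the first packet of a handshake,
# which is the only packet a half-open scan ever sends to each port.
def parse_syn_events(log)
  log.each_line.filter_map do |line|
    m = LOG_RE.match(line) or next
    flags = line.scan(/\b(SYN|ACK|FIN|RST|PSH|URG)\b/).flatten
    next unless flags.include?('SYN') && !flags.include?('ACK')
    { ts: Time.parse(m[:stamp]), src: m[:src], dst: m[:dst], dpt: m[:dpt].to_i }
  end
end

# Slide a time window over each (src, dst) pair's SYNs and report pairs in
# which the source probed at least `threshold` distinct ports within
# `window` seconds. Returns { [src, dst] => max distinct ports seen }.
def detect_syn_scans(events, threshold: 10, window: 5)
  alerts = {}
  events.group_by { |e| [e[:src], e[:dst]] }.each do |pair, evs|
    recent = []
    evs.sort_by { |e| e[:ts] }.each do |e|
      recent << e
      recent.shift while e[:ts] - recent.first[:ts] > window
      distinct = recent.map { |r| r[:dpt] }.uniq.size
      alerts[pair] = [alerts.fetch(pair, 0), distinct].max if distinct >= threshold
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_syn_scans(parse_syn_events(SAMPLE_LOG)).each do |(src, dst), n|
    puts "possible SYN scan: #{src} -> #{dst} (#{n} distinct ports)"
  end
end
```

The SYN/ACK line is dropped because a reply from the scanned host is not a probe, and the UDP line is dropped by the PROTO=TCP match. The window and threshold are tuning knobs: the THREADS and TIMEOUT settings in the Metasploit session above control how tightly the probes cluster in time, so a slow scan spread over minutes needs a longer window than the five seconds assumed here.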

The source code of the TCP SYN port scanner module can be viewed here.
As can be seen, it is not very big and uses the pcap library to capture the replies.

References

http://www.metasploit.com/modules/auxiliary/scanner/portscan/syn
Last updated on: 25th February 2013
