Information gathering using Metasploit

Chintan Gurjar
April 14, 2014 by
Chintan Gurjar

Your goals during information gathering should be to gain accurate information about your targets without revealing your presence or your intentions, to learn how the organization operates, and to determine the best route. Metasploit is the best console for information gathering, as it is a very comprehensive penetration testing tool. In this article, I am going to cover whole information gathering of a network using Metasploit.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

Information gathering requires careful planning, research, and most importantly, the ability to think like an attacker. At this step, you will attempt to collect as much information about the target environment as possible.

There are two types of information gathering: passive and active.

1) Passive information gathering

Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and web server software in use on the target without touching their system.

2) Active information gathering

In active information gathering, we interact directly with a system to learn more about it. We might conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation.

But beware If you get careless while active information gathering, you might be nabbed by an IDS or intrusion prevention system (IPS).

Starting msfconsole

•First, we start the database

#service postgresql start

•then start metasploit service

#service metasploit start

•now start msfconsole.


•now, we'll use db_status to make sure that we're connected correctly.

Importing Nmap Results into Metasploit

When you are working with other team members, with various individuals scanning at different times and from different locations, it helps to know how to import a basic nmap generated XML export file into the Framework.

First, we scan the Windows virtual machine using the -oX option to generate a Target.xml file.

#nmap -Pn -sS -A -oX Target

After generating the XML file, we use the db_import command to import it into our database. We can then verify that the import worked by using the "hosts" command, which lists the systems entries that have been created, as shown here:

msf > db_import Subnet1.xml

msf> hosts

Running Nmap from MSFconsole

We've performed advanced enumeration on our target, now let's connect Nmap with Metasploit. First, we should be able to enter the db_nmap command from within msfconsole to run Nmap and have its results automatically stored in our new database.

#msf > db_nmap -sS -A

To check that the results from the scan are stored in the database, we run db_services.

#msf > db_services

Port Scanning with Metasploit

Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. We'll use these port scanners to leverage compromised systems to access and attack.

To see the list of port scanning tools that the Framework offers, enter the following.

#msf > search portscan

Let's conduct a simple scan of a single host using Metasploit's SYN Port Scanner. In the following listing, we start the scan with use scanner/portscan/syn, set RHOSTS to, set THREADS to 100, and then run the scan.

#msf > use scanner/portscan/syn

Server Message Block Scanning

Metasploit can attempt to identify versions of Microsoft Windows using its smb_version module.so we use smb_version.

And set RHOSTS, and begin scanning.

#msf > use scanner/smb/smb_version

The results of this scan are stored in the Metasploit database for use at a later time and to be accessed with the "hosts" command.

#msf auxiliary(smb_version) > hosts

We have discovered a system running Windows XP without having to do a full scan of the network.

Gathering My SQL server information

Many system administrators don't even realize that they have MS SQL servers installed on their workstations at all, because the service is installed as a prerequisite for some common software, such as Microsoft Visual Studio.

When MS SQL is installed, it listens by default either on TCP port 1433 or on a random dynamic TCP port. If MS SQL is listening on a dynamic port, simply query UDP port 1434 to discover on what dynamic TCP port MS SQL is listening.

Metasploit has a module that can make use of this "feature": mssql_ping. It uses UDP. Metasploit finds MS SQL servers, it displays all the details it can extract from them including, perhaps most importantly, the TCP port on which the server is listening.

Now use mysql_ping:

#msf > use scanner/mssql/mssql_ping

msf auxiliary(mssql_ping) > set RHOSTS


msf auxiliary(mssql_ping) > set THREADS 255

THREADS => 255

msf auxiliary(mssql_ping) > run

As you can see, not only does the scanner locate an MS SQL server, but it also identifies the instance name, the SQL server version, and the TCP port number on which it is listening.

Gathering SSH Server Information

If during your scanning you target machines running Secure Shell (SSH), you should determine which version is running on the target.

SSH is a secure protocol, but vulnerabilities in various implementations have been identified. You never know when you might get lucky and come across an old machine that hasn't been updated. You can use the Framework's ssh_version module to determine the SSH version running on the target server.

#msf > use scanner/ssh/ssh_version

Scanning FTP version

FTP servers are often the easiest way into a target network, and you should always scan for, identify, and fingerprint any FTP servers running on your target. According to the vulnerability, you can launch an attack and get into the target system.

Here we use the ftp_version module for scanning the FTP server.

#msf > use scanner/ftp/ftp_version

The scanner successfully identifies an FTP server. Now let's see if this FTP server allows anonymous logins. Here we use "scanner/


The scanner reports that anonymous access is allowed and that anonymous users have read access to the server. In other words, we have only read access to the remote system and the ability to read any file that can be accessed by the FTP server software.

This is how we do information gathering using the Metasploit console. Probably in my next article, I will move towards vulnerability scanning, and later on, exploitation.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.


Chintan Gurjar
Chintan Gurjar

Chintan Gurjar is a System Security Analyst and researcher from London working in Lucideus Tech Pvt Ltd. He has written articles for Europe based magazine namely “Hakin9”, "PentestMag" and India based magazine “Hacker5”. He has done a valuable research in cryptography overhead mechanism. Chintan Gurjar has completed B.Tech in computer science from India and currently pursuing his post graduate degree in computer security & forensics from London (UK). During his academics, he has submitted a small scale research paper on Cryptography Overhead Mechanism in IPsec Protocol. He has also submitted Network Security Auditing and Network services administration and management report. He is very keen to spread cyber awareness world wide. In future he would like to work for his Country’s government in a forensics investigation field.