How to perform reconnaissance using Metasploit

Key takeaways:

• Metasploit is an open-source penetration testing tool for reconnaissance and vulnerability detection.

• Setting up the Metasploit console in Kali Linux is the first step.

• Target systems can be set using the RHOST command for single or multiple IPs.

• ARP sweep identifies active hosts on a local network using the ARP discovery process.

• TCP port scanning helps identify open ports, which could be entry points for attacks.

• HTTP version scanning identifies vulnerabilities in outdated HTTP services.

• The database scanner, using brute force, can detect credentials to assess database security.

• Metasploit offers additional scanners in the auxiliary directory for comprehensive vulnerability detection.

Metasploit, an open-source penetration testing framework, uses different tools to perform reconnaissance and exploit the identified vulnerabilities. Reconnaissance is the process of gathering information about the target system. This is done to identify the vulnerabilities within the system. Metasploit can be used for both offensive and defensive cybersecurity. However, in this Answer, we’ll explore cybersecurity’s defensive side and how Metasploit can help gather information and improve the system’s security posture.

Let’s dive into the process of gathering information about the target system through Metasploit.

Setting up the Metasploit console

The first step is installing your Metasploit framework in your Kali Linux terminal. You can do it by running the following command:

To start the Metasploit console, write the following command in the terminal:

Once you’ve done this, you will see the terminal shift to the Metasploit console.

Now, your system is up and ready to perform reconnaissance on the target system. You can switch back to Kali root by typing “exit” in the console.

Reconnaissance process

Set the target system: In Metasploit, you define an IP or a range of IPs as the host for penetration and security testing. We can set up multiple IP addresses as hosts as well. To set the remote host, use the following command:

• set RHOST: The keyword telling the Metasploit to set its target IPs.

• <target_IP>: The host to perform reconnaissance on. You can replace <target_IP> with a specific IP or a range of IPs.

After you run this, you can set a range of IPs as hosts using RHOSTS.

ARP sweep host discovery

ARP discovery is the process of identifying the active hosts within a range of IPs available on the local network. To use the feature, run the following command:

• use: The keyword to tell Metasploit to execute the given scanner.

• auxiliary/scanner/discovery/arp_sweep: The path to the ARP sweep scanner.

After that, you can start running the scanner using run command.

For demonstration purposes, we have used ten IPs as hosts. At the end of the scan, you can determine the live IPs within the range specified.

TCP port scanning

TCP port scanning is the process of identifying the open ports on a network and the services running on these ports. The open ports on a target system are considered vulnerabilities as they can be the entry point to various malicious payloads.

• use: The keyword to tell Metasploit to execute the mentioned scanner.

• auxiliary/scanner/portscan/tcp: The path to the TCP port scanner. You can set the host and run the scanner on it.

Target host is already set. Now, you can start running the scanner using run command. The process can take some time to generate responses as it is a long and thorough scan process. You can use short IP ranges to save time.

HTTP detector

The HTTP version auxiliary module scans HTTP services on the target host.

This can help identify the vulnerabilities associated with the target host being used. The older versions of HTTP have several unpatched vulnerabilities that serve as vulnerabilities within the system operating on those versions. To check the HTTP version of the target host, navigate to the HTTP version scanner using the following command:

• use: The keyword to tell Metasploit to execute the given detector.

• auxiliary/scanner/http/http_version: The path to the HTTP version detector. Once you’ve done this, identify the host to identify the HTTP version and start the scanner. After that, you can start running the scanner using run command.

Database scanner

The database scanning technique can be used to find the credentials to access the database. Once you have the credentials, you can use them to access the target system database, making it easy to identify the security posture of the database used in the target host. It’s important to note that this procedure uses brute force attacks to detect the password. To use the utility of the Metasploit, navigate to the scanner directory using the following command:

• use: The keyword to tell Metasploit to execute the given detector.

• auxiliary/scanner/mssql/mssql_login: The path to the MySQL login detector. Next, identify the target host to detect the database credentials and run the utility.

After that, you can start running the scanner using run command.

Other scanners

Metasploit has multiple other defensive scanners in the auxiliary directory of the installation. You can also test your target host IP with other scanners to identify as many vulnerabilities as possible.

Try it yourself

Now that you’ve gone through a few reconnaissance techniques and the procedures to perform them. You can test it on your target IP. Remember, it is advised to use a vulnerable target host to identify maximum vulnerabilities for testing purposes.

Conclusion

In conclusion, Metasploit is a powerful framework for reconnaissance and vulnerability identification within target systems.

By leveraging a variety of scanning techniques, such as ARP sweeps, TCP port scans, HTTP version detection, and database credential scanning, security professionals can collect critical information to strengthen their organization's security posture.

However, it is essential to consider the ethical implications of its use, as the misuse of Metasploit can result in legal consequences.

By adhering to responsible security practices and utilizing the framework effectively, organizations can enhance the protection of their digital assets against potential threats.