How to perform reconnaissance using Metasploit

Key takeaways:

  • Metasploit is an open-source penetration testing tool for reconnaissance and vulnerability detection.

  • Setting up the Metasploit console in Kali Linux is the first step.

  • Target systems are selected by setting the RHOSTS option to a single IP or a range of IPs.

  • ARP sweep identifies active hosts on a local network using the ARP discovery process.

  • TCP port scanning helps identify open ports, which could be entry points for attacks.

  • HTTP version scanning identifies vulnerabilities in outdated HTTP services.

  • The database scanner, using brute force, can detect credentials to assess database security.

  • Metasploit offers additional scanners in the auxiliary directory for comprehensive vulnerability detection.

Metasploit, an open-source penetration testing framework, uses different tools to perform reconnaissance and exploit the identified vulnerabilities. Reconnaissance is the process of gathering information about the target system. This is done to identify the vulnerabilities within the system. Metasploit can be used for both offensive and defensive cybersecurity. However, in this Answer, we’ll explore cybersecurity’s defensive side and how Metasploit can help gather information and improve the system’s security posture.

Please note that unethical use of Metasploit can cause legal issues.

Let’s dive into the process of gathering information about the target system through Metasploit.

Setting up the Metasploit console

The first step is installing the Metasploit framework from your Kali Linux terminal. Package installation needs root privileges, so run the command as root or with sudo:

sudo apt-get install metasploit-framework
Install Metasploit framework in terminal

To start the Metasploit console, write the following command in the terminal:

msfconsole
Start the Metasploit console

Once you’ve done this, you will see the terminal shift to the Metasploit console.

msf6 >
Metasploit console

Now, your system is ready to perform reconnaissance on the target system. You can return to the Kali shell by typing “exit” in the console.

Reconnaissance process

Set the target system: In Metasploit, you define an IP or a range of IPs as the host for penetration and security testing. We can set up multiple IP addresses as hosts as well. To set the remote host, use the following command:

set RHOSTS <target_IP>
Set hosts in Metasploit
  • set RHOSTS: The set command assigns a value to a module option; RHOSTS is the option that holds the target IPs.

  • <target_IP>: The host to perform reconnaissance on. You can replace <target_IP> with a specific IP or a range of IPs.

To scan several hosts in one pass, give RHOSTS a range of IPs instead of a single address:

set RHOSTS 192.168.1.1-192.168.1.10
Set hosts in Metasploit

ARP sweep host discovery

ARP discovery is the process of identifying the active hosts within a range of IPs available on the local network. To use the feature, run the following command:

use auxiliary/scanner/discovery/arp_sweep
Use ARP sweep scanner
  • use: The command that loads the given module so it can be configured and run.

  • auxiliary/scanner/discovery/arp_sweep: The path to the ARP sweep scanner.

After that, you can start the scanner using the run command.

run
Run the scanner

For demonstration purposes, we have used ten IPs as hosts. At the end of the scan, you can determine the live IPs within the range specified.

TCP port scanning

TCP port scanning is the process of identifying the open ports on a network host and the services running on those ports. Open ports on a target system are treated as potential weaknesses because each one exposes a service that can serve as the entry point for malicious payloads.

use auxiliary/scanner/portscan/tcp
Use TCP port scanner
  • use: The command that loads the given scanner module.

  • auxiliary/scanner/portscan/tcp: The path to the TCP port scanner. You can set the host and run the scanner on it.

The target host is already set from the previous step, so you can start the scanner with the run command. The scan can take some time to produce results because it probes every port on every host, so use short IP ranges to save time.

HTTP detector

The HTTP version auxiliary module scans HTTP services on the target host.

This helps identify vulnerabilities associated with the target host: outdated HTTP server software often carries known, unpatched vulnerabilities that affect every system still running those versions. To check the HTTP version on the target host, load the HTTP version scanner using the following command:

use auxiliary/scanner/http/http_version
Use HTTP version detector
  • use: The command that loads the given detector module.

  • auxiliary/scanner/http/http_version: The path to the HTTP version detector. Once the module is loaded, make sure RHOSTS points at the host whose HTTP version you want to identify, then start the scanner with the run command.

Database scanner

The database scanning technique can be used to find credentials that grant access to the database. Once you have the credentials, you can use them to access the database on the target system, which makes it easy to assess the security posture of the database used on the target host. It’s important to note that this procedure is a brute-force attack: the module tries username and password combinations against the database login, so it is slow and generates many failed-login events on the target. To load the module, run the following command:

use auxiliary/scanner/mssql/mssql_login
Use database scanner
  • use: The command that loads the given scanner module.

  • auxiliary/scanner/mssql/mssql_login: The path to the MSSQL (Microsoft SQL Server) login scanner. Next, make sure RHOSTS points at the target host whose database credentials you want to test.

After that, you can start the scanner using the run command.
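The steps above (set RHOSTS, then load and run each scanner) are usually chained into a Metasploit resource script rather than typed one by one. The following script, added here as an example and not taken from the original Answer or from the Metasploit project, validates the target specification (single IP, dash range or CIDR block, an assumption about the forms you will use) and writes a resource script for the four modules named on this page. It uses setg instead of set so that every module inherits RHOSTS; the file name recon.rc and the LARGE_RANGE threshold are arbitrary choices.

```python
"""
Generate a Metasploit resource script that chains the reconnaissance steps
described above: set RHOSTS, then load and run each auxiliary scanner.

Added example, not part of the original Answer or the Metasploit project.
Assumptions: the target spec is an IPv4 address, a dash range
(a.b.c.d-a.b.c.e) or a CIDR block; module paths are the ones named on the page.
Run the generated file with:  msfconsole -q -r recon.rc   (not executed here).
"""
import ipaddress
from typing import List

# Scanners discussed on the page, in the order they are introduced.
RECON_MODULES = [
    "auxiliary/scanner/discovery/arp_sweep",
    "auxiliary/scanner/portscan/tcp",
    "auxiliary/scanner/http/http_version",
    "auxiliary/scanner/mssql/mssql_login",
]

# Arbitrary threshold: above this many hosts the TCP port scan gets slow.
LARGE_RANGE = 64


def expand_targets(spec: str) -> List[str]:
    """Expand a single IP, a dash range or a CIDR block into host addresses.
    Raises ValueError for anything that is not a valid IPv4 target spec."""
    spec = spec.strip()
    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if end < start:
            raise ValueError(f"range end {end} precedes start {start}")
        return [str(ipaddress.IPv4Address(int(start) + i))
                for i in range(int(end) - int(start) + 1)]
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        # hosts() is empty for a /32 on older Pythons; fall back to the address.
        return [str(h) for h in net.hosts()] or [str(net.network_address)]
    return [str(ipaddress.IPv4Address(spec))]


def build_resource_script(spec: str, modules: List[str] = RECON_MODULES) -> str:
    """Return the text of a resource script. The target spec is validated
    first so a typo does not silently scan the wrong hosts."""
    hosts = expand_targets(spec)          # raises on a malformed spec
    lines = [f"# recon.rc: {len(hosts)} host(s) from '{spec}'"]
    if len(hosts) > LARGE_RANGE:
        lines.append(f"# WARNING: {len(hosts)} hosts; the TCP port scan will be slow")
    lines.append(f"setg RHOSTS {spec}")   # global option: every module inherits it
    for module in modules:
        lines.append(f"use {module}")
        lines.append("run")
    lines.append("exit")                  # leave msfconsole when the scans finish
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    script = build_resource_script("192.168.1.1-192.168.1.10")
    with open("recon.rc", "w") as fh:
        fh.write(script)
    print(script)
```

Because the generated file ends with exit, msfconsole returns to the Kali shell once the last scanner finishes, which makes the script usable from a scheduled job against hosts you are authorised to test.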

Other scanners

Metasploit ships many other scanners under the auxiliary directory of the installation; you can list them from the console with search type:auxiliary. You can run these against your target host IP as well to identify as many vulnerabilities as possible.

Try it yourself

Now that you’ve gone through a few reconnaissance techniques and the procedures to perform them, you can test them on your target IP. Remember, it is advised to use a deliberately vulnerable target host so that the scans surface as many findings as possible for testing purposes.
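The scanners above print their results to the console, and a defender usually wants them as a per-host inventory rather than scrolling text. The following parser is an added example, not code from the original Answer or from Metasploit. The sample lines are constructed to resemble the output of arp_sweep, portscan/tcp, http_version and mssql_login; the exact wording varies between Metasploit versions, so treat the regular expressions as a starting point to adjust against your own captured output.

```python
"""
Turn the console output of the scanners described above into a per-host
inventory a defender can act on.

Added example, not code from the original Answer or from Metasploit. The sample
lines are constructed to resemble the module output formats; the exact format
can differ between versions, so adapt the patterns to your own console output.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: what a captured msfconsole session might look like.
SAMPLE_OUTPUT = """\
[*] Scanned 10 of 10 hosts (100% complete)
[+] 192.168.1.5 appears to be up (VMware, Inc.).
[+] 192.168.1.7 appears to be up (Raspberry Pi Foundation).
[+] 192.168.1.5:          - 192.168.1.5:22 - TCP OPEN
[+] 192.168.1.5:          - 192.168.1.5:80 - TCP OPEN
[+] 192.168.1.7:          - 192.168.1.7:1433 - TCP OPEN
[+] 192.168.1.5:80 Apache/2.2.22 (Ubuntu)
[-] 192.168.1.7:1433 - 192.168.1.7:1433 - LOGIN FAILED: WORKSTATION\\sa:admin (Incorrect: )
[+] 192.168.1.7:1433 - 192.168.1.7:1433 - Login Successful: WORKSTATION\\sa:Password1
[*] Auxiliary module execution completed
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Patterns are tried in this order; "login" must precede the generic "banner"
# pattern because a login line also starts with "ip:port text".
PATTERNS = {
    "up":     re.compile(r"^\[\+\] " + IP + r" appears to be up(?: \((?P<vendor>[^)]*)\))?"),
    "port":   re.compile(r"^\[\+\] " + IP + r":\s+- (?P=ip):(?P<port>\d+) - TCP OPEN"),
    "login":  re.compile(r"^\[\+\] " + IP + r":(?P<port>\d+) - \S+ - Login Successful: (?P<cred>.+)$"),
    "banner": re.compile(r"^\[\+\] " + IP + r":(?P<port>\d+) (?P<banner>.+)$"),
}


def new_host() -> dict:
    return {"up": False, "vendor": "", "ports": set(), "banners": {}, "weak_logins": []}


def parse_console_output(text: str) -> Dict[str, dict]:
    """Parse scanner output into {ip: host record}. Lines matching no pattern
    (progress messages, failed logins) are ignored."""
    hosts: Dict[str, dict] = defaultdict(new_host)
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            host = hosts[m["ip"]]
            if kind == "up":
                host["up"] = True
                host["vendor"] = m["vendor"] or ""
            elif kind == "port":
                host["ports"].add(int(m["port"]))
            elif kind == "login":
                host["ports"].add(int(m["port"]))
                # Keep only the account name; the password itself does not
                # belong in a findings report.
                host["weak_logins"].append(m["cred"].rsplit(":", 1)[0])
            elif kind == "banner":
                host["banners"][int(m["port"])] = m["banner"]
            break  # first matching pattern wins
    return dict(hosts)


def findings(hosts: Dict[str, dict]) -> List[str]:
    """Summarise what a defender should follow up on, most severe first per host."""
    out: List[str] = []
    for ip in sorted(hosts, key=lambda a: tuple(int(x) for x in a.split("."))):
        h = hosts[ip]
        for user in h["weak_logins"]:
            out.append(f"CRITICAL {ip}: database account {user} accepts a guessable password")
        for port, banner in sorted(h["banners"].items()):
            out.append(f"REVIEW {ip}:{port} exposes server banner '{banner}' (check for outdated version)")
        if h["ports"]:
            out.append(f"INFO {ip}: open TCP ports {sorted(h['ports'])}")
    return out


if __name__ == "__main__":
    for line in findings(parse_console_output(SAMPLE_OUTPUT)):
        print(line)
```

To use it on a real session, save the console output with spool (a built-in msfconsole command) and pass the file contents to parse_console_output. The parser deliberately records only the account name from a successful login so that the discovered password never ends up in the report.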


Conclusion

In conclusion, Metasploit is a powerful framework for reconnaissance and vulnerability identification within target systems.

By leveraging a variety of scanning techniques, such as ARP sweeps, TCP port scans, HTTP version detection, and database credential scanning, security professionals can collect critical information to strengthen their organization's security posture.

However, it is essential to consider the ethical implications of its use, as the misuse of Metasploit can result in legal consequences.

By adhering to responsible security practices and utilizing the framework effectively, organizations can enhance the protection of their digital assets against potential threats.

Frequently asked questions



How do hackers use Metasploit?

Hackers use Metasploit to exploit known vulnerabilities in systems, allowing them to gain unauthorized access, escalate privileges, or deploy malicious payloads during penetration testing.


Can Metasploit scan for vulnerabilities?

Yes, Metasploit can scan for vulnerabilities using its built-in auxiliary modules that identify weaknesses in systems, services, and applications.


What is evasion in Metasploit?

Evasion in Metasploit refers to techniques used to avoid detection by security measures, such as firewalls or antivirus software, while executing exploits or payloads.


Why is Metasploit risky?

Metasploit is risky because it can be misused for malicious purposes, leading to unauthorized access, data breaches, or damage to systems. Additionally, if not configured or used properly, it can expose security professionals to legal and ethical issues.



Copyright ©2025 Educative, Inc. All rights reserved