ONE OF THE USES OF AUXILIARY MODULES IN METASPLOIT
Scanners and most other auxiliary modules use the RHOSTS option instead of RHOST. RHOSTS can take IP ranges (192.168.56.1-192.168.56.120), CIDR ranges (192.168.56.0/24), and line-separated host-list files (file:/tmp/hostlist.txt). This is another use for our grepable Nmap output file.
Note also that, by default, all of the scanner modules have the THREADS value set to '1'. The THREADS value sets the number of concurrent threads to use while scanning. Set this value to a higher number in order to speed up your scans, or keep it lower in order to reduce network traffic, but be sure to adhere to the following guidelines:
- Keep the THREADS value under 16 on native Win32 systems
- Keep THREADS under 200 when running MSF under Cygwin
- On Unix-like operating systems, THREADS can be set to 256.
msf > search portscan

Matching Modules
================

   Name                                      Disclosure Date  Rank    Description
   ----                                      ---------------  ----    -----------
   auxiliary/scanner/natpmp/natpmp_portscan                   normal  NAT-PMP External port scanner
   auxiliary/scanner/portscan/ack                             normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                       normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                             normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                             normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                            normal  TCP "XMas" Port Scanner
The Nmap scan we ran earlier was a SYN scan, so we'll run the same scan across the subnet with Metasploit, looking for port 21 through our vboxnet0 interface.
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set INTERFACE vboxnet0
INTERFACE => vboxnet0
msf auxiliary(syn) > set PORTS 21
PORTS => 21
msf auxiliary(syn) > set RHOSTS 192.168.56.0/24
RHOSTS => 192.168.56.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run

[*] TCP OPEN 192.168.56.101:21
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
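As an added example (not part of the original post and not Metasploit's own code), here is a small Python stand-in for the RHOSTS expansion described above: it turns the three target forms (dash range, CIDR, file:) into a host list, splits that list into sets of BATCHSIZE, and checks every host against an authorized range before a scan is launched. The 192.168.56.0/24 value from the session expands to the 256 hosts the module reports; the scope check, the treatment of each file line as its own spec, and the skipping of blank and # lines are this example's assumptions.

```python
import ipaddress
from pathlib import Path
from typing import Iterable, List


def expand_rhosts_lines(lines: Iterable[str]) -> List[str]:
    """Expand the lines of a host-list file (one RHOSTS spec per line; blank and # lines skipped)."""
    hosts: List[str] = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            hosts.extend(expand_rhosts(line))
    return hosts


def expand_rhosts(spec: str) -> List[str]:
    """Expand space-separated RHOSTS specs into individual IPv4 addresses.

    Hypothetical stand-in for Metasploit's Rex::Socket::RangeWalker; only the three forms
    the text lists are handled: 192.168.56.1-192.168.56.120 (inclusive dash range),
    192.168.56.0/24 (CIDR; all 256 addresses, matching the module's host count), and
    file:/tmp/hostlist.txt (host-list file, one spec per line).
    """
    hosts: List[str] = []
    for token in spec.split():
        if token.startswith("file:"):
            hosts.extend(expand_rhosts_lines(Path(token[5:]).read_text().splitlines()))
        elif "/" in token:  # CIDR block, network and broadcast addresses included
            hosts.extend(str(a) for a in ipaddress.ip_network(token, strict=False))
        elif "-" in token:  # dash range, both ends given in full
            lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {token}")
            hosts.extend(str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1))
        else:  # a single address
            hosts.append(str(ipaddress.ip_address(token)))
    return hosts


def batches(hosts: List[str], batchsize: int = 256) -> List[List[str]]:
    """Split the host list into sets of BATCHSIZE, the option shown in 'show options'."""
    return [hosts[i:i + batchsize] for i in range(0, len(hosts), batchsize)]


def out_of_scope(hosts: Iterable[str], authorized: str) -> List[str]:
    """Pre-scan check (this example's addition): hosts that fall outside the authorized CIDR."""
    allowed = ipaddress.ip_network(authorized, strict=False)
    return [h for h in hosts if ipaddress.ip_address(h) not in allowed]


if __name__ == "__main__":
    subnet = expand_rhosts("192.168.56.0/24")  # the RHOSTS value set in the session above
    print(len(subnet), "hosts in", len(batches(subnet)), "batch(es)")  # 256 hosts in 1 batch(es)
    print(out_of_scope(expand_rhosts("192.168.56.254-192.168.57.1"), "192.168.56.0/24"))
```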