TCP & SYN Scanning with Metasploit Framework without NMAP

Port Scan is Often done by hackers and penetration testers to identifying and discovering internal services of target host. Port Scanning is an important action for gathering more information of the target host.

Today, We will see how to use Metasploit to scan port. As we all knows Metasploit Framework is a free and open source popular Exploitation Framework. This Framework widely used by hackers and professional penetration tester.

In addition to its ability to use third-party scanners, Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework.

For example, suppose you compromise a system behind a firewall that is using Network Address Translation (NAT). The system behind the NAT-based firewall uses private IP addresses, which you cannot contact directly from the Internet. If you use Metasploit to compromise a system behind a NAT, you might be able to use that compromised internal system to pass traffic (pivot) to internally hosted and private IP-based systems to penetrate the network farther behind the firewall.

Let’s see how we can use Metasploit for basic port scanning. To start the Metasploit Framework, you can type “msfconsole” in your terminal window.

To see the list of port scanning tools that the Metasploit Framework offers, enter the following command in your terminal:

Command: search portscan

To use the TCP SYN Port Scanner module, type “use auxiliary/scanner/portscan/syn” in your same terminal.

Type “show options” to see all the available options under portscan module.

Here you can see that, RHOSTS field is empty which you can easily set it by typing “set RHOSTS“. Scanners and most other auxiliary modules use the RHOSTS option instead of RHOST.

RHOSTS also can take

  • IP ranges (,
  • CIDR ranges (,
  • Multiple ranges separated by commas (,, and
  • Line-separated host list files (file:/tmp/hostlist.txt).

By default, all of the scanner modules will have the THREADS value set to “1“. The THREADS value sets the number of concurrent threads to use while scanning. To set the value of Thread, just type “Set THREADS 10” in your same terminal under auxiliary(syn) module.

Now we can type the “run” command and we can see the results in the image below:

We can see that Metasploit’s built-in scanner modules are more than capable of finding systems and open ports for us. It’s just another excellent tool to have in your arsenal if you happen to be running Metasploit on a system without Nmap installed.

We can see that some common ports are open on the remote host like port 135, 139 and 445.This is giving us also an indication for the operating system of the target.It is definitely Windows because ports 139 and 445 belongs to the netbios service in Windows environments.

For TCP scanning, you can use the module “use auxiliary/scanner/portscan/tcp“.

We can see that we have slightly different options from the SYN scanner.For example we can set a filter string for capturing traffic or we can process a packet capture file. To see all options, type “show options” in same terminal.

For TCP Scan, we’ve set the following parameters:

Type run command to see all the results.


  • From these two scans we have noticed that the TCP scan is much faster however it is not as stealth as a SYN scan and it could be identified by the IDS.
  • From the other hand a SYN scan is slower but less intrusive because it sends the RST packet to the remote host before the connection is established.
You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts