One of the most important phases of a pen-test, is the ‘information gathering’ phase. This is where most of your time should be focused. The more information you can gather about a target, the more chance you have of finding  a flaw which could lead to exploitation. You can’t attack something, if you don’t know anything about it, and starting out by blindly throwing exploits at a target will not guarantee success. You might get lucky every now and then, but you’re going to be missing a whole lot of stuff this way.

We’re going to approach Metasploitable in the same manner. For this series however, I’m not going to go through the host discovery phase, as that is something you should be able to do on your own. I like to view these machines from a black box perspective, so let’s start by running some Nmap scans.

In your Kali machine, open a Terminal session. Here, we’re going to run the first Nmap scan using the following syntax:

nmap -sV -p 1-65535

By default, nmap scans the first 1024 ports, so I specified all ports just in case something is running on one of the higher ports. Some administrators may change the default port for some services, trying to throw you off the “scent trail” of what is actually running on the box.


Lots of interesting ports open here. For us, each one represents a potential gateway into the computer, so we’ll look at each as we go through the tutorial.

Nmap gives us the service and version it thinks is running on each of the ports. We can manually verify the banner information by using telnet to connect to a port, and view the banner it returns.

Here we’re connecting to port 21 with telnet:


Notice it matches the service and version that Nmap reported.

If you notice, these are all TCP ports. The default Nmap scan doesn’t scan UDP ports, but we need to look at those too. One notable UDP port to look for is 161, which is SNMP. We’ll run a quick UDP scan with Nmap to see if anything interesting is returned. The command looks like this:

nmap -sU


I didn’t specify all ports here, but this did return a few ports. One to keep in mind is UDP 69, which is the TFTP service. We may be able to use this to transfer files, but we’ll look at this a little later.

Nmap “Trick”
With Nmap, you see when we ran the scans that the output was just displayed to the screen. Nmap provides several options for saving this output to a file, so that you can go through the data at a later time. Two of the output options I like to use are ‘-oX’ for XML, and ‘-oG’ for ‘greppable’ output. The XML output can be imported into other programs used to extract the data. If you’re doing a professional pen-test, you can use this XML file to generate a nice HTML report you can include in your report to the customer. An example Nmap scan using one of these file types would look like this:

nmap  -A  -oX  nmap.xml

There is a program in Kali which will convert the XML file to an HTML file for you. The program is called xsltproc. The usage is very simple. In a terminal window, type the following command:

xsltproc  nmap.xml  -o  nmap.html

Once the HTML file has been created, simply open it in a browser to view the formatted report:


This is a partial screenshot of the HTML file, but you can see it lays everything out in an easy to read manner, and provides quite a bit of information about each port discovered.

In the next section, we’ll start focusing on each of the open ports and services, looking for exploits with Metasploit. We’re going to start with the first open port, and work our way down the list.