Today SecureState is releasing a new extension for Metasploit’s Meterpreter called MSFMap. This new utility provides an NMap-like port scanner from within the context of a Meterpreter session. This gives penetration testers an easily deployable and flexible port scanning utility. Having this functionality can make pivoting into internal networks much easier without the need to install or upload an additional program.
The benefits are numerous depending on the type of scan being conducted. MSFMap supports full TCP-Connection scans, ICMP scans, and ARP scans. The TCP Connection scans are faster than using the auxiliary/scanner/portscan/tcp module because connections do not have to be “pivoted” through the compromised host. The ICMP and ARP scanning features bring great benefits over many other common methods because MSFMap does not spawn any new processes that may reveal its presence to a watchful user. MSFMap runs entirely in memory and does not write any data to the compromised host.
MSFMap was designed to mimic the behavior and functionality of NMap. MSFMap options are compatible with NMap style arguments; and the output of MSFMap also resembles that of NMap. Furthermore, MSFMap takes advantage of the nmap-services file from the system on which Metasploit is installed. This resolves common ports to a service name which can be useful for penetration testers attempting to identify services for further testing.
Figure 1: Currently available MSFMap options
The scan behavior is also similar to NMap. By default (with no arguments), when a host is scanned, MSFMap will first determine whether the IP address is on a directly attached network. Based on this information, MSFMap will use an ARP ping for hosts on the LAN and an ICMP echo request for hosts that are not on the LAN. Assuming the host is up or the ping phase is skipped, MSFMap will proceed to scan the top 100 ports that NMap will scan by default. Although NMap scans the top 1000 ports by default, only the top 100 of these will be scanned by MSFMap. This can be expanded using the–top-ports option up to 1000.
Figure 2: MSFMap scan output of scanme.nmap.com
This is the first public release of MSFMap, and as such it is in beta status. The code is hosted at http://code.google.com/p/msfmap and can be downloaded from there. In the future MSFMap will include features for TCP SYN scanning (where possible) and additional speed optimizations.
Find out more about the tools related to this attack here: