Fing and Metasploit: Open source security testing

Fing and Metasploit helps QA pros find security flaws. Testing expert Matt Heusser explains how to use these open source tools.

Open source tools fing and Metasploit can help software pros conduct security testing, without having to invest in commercial tools. 

Fing screenshot

In this fing screenshot, network details are obscured for privacy reasons.

Tracking down weaknesses in software can seem like a demanding task. You've got to find the top security threats for your domain, and understand each exploit, from SQL injections to buffer overflows and cross site scripting errors. The port scanners Metasploit and fing can help address this problem.

These tools can first identify every node on a network, then loop through them trying to find out which network ports are open, along with the type of machine. Metasploit can go further than that, cross-checking its list of open ports and machines with a list of known security exploits, allowing you, the penetration tester, to perform the attack. That might mean getting access to the network and the file system, as well as command line access, FTP access or super user access.

In this tip, I explain how to use these open source offerings, starting with Metasploit, the more powerful tool, before moving to fing, the easier one.

Downloading and installing Metasploit

You can get a copy of Metasploit for free when you download BackTrack Linux, a security oriented Linux distribution, or you can download it directly from metasploit.com.

No, you don't need to convert your operating system to Linux -- or even install Linux on a partition. Most security professionals recommend keeping Metasploit off your hard drive entirely; it is, after all, a tool invented by professional system crackers. Instead, put BackTrack on a DVD, thumb drive or virtual machine running in a sandbox without access to your hard drive. I chose to install it on Virtual Box running the Web Security Dojo, an enhanced version of BackTrack with a few more tools.

Once the virtual machine is running, getting Metasploit to run is as simple as selecting the applications icon on the top-left, then tools -> metasploit from the menus. That brings up a terminal window.

Performing the attack

I want to discover all the hosts on my local area network, so I scan the 192.169.x.0/24 network range and perform a ping on every possible host (192.168.x.0/24 is the internal network IP address). Every internal network has an address like this; the difference is the x. In my case, x is ‘1', as it will be on most simple networks. To find out the hosts on the network, I use nmap; it will discover every IP address. Db_nmap goes further and stores the results in a database, to enable that cross-check I told you about.

Here goes:

db_nmap -sP

Running this command gets me two IP addresses on the internal network:

Nmap scan report for

Host is up (0.014s latency).

Nmap scan report for

Host is up (0.075s latency).

With those IP addresses in hand, I can run another scanner to get more detail on those machines:

use auxiliary/scanner/portscan/tcp

auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

Name         Current Setting  Required  Description

----         ---------------  --------  -----------

CONCURRENCY  10               yes       The number of concurrent ports to check per host

FILTER                        no        The filter string for capturing traffic

INTERFACE                     no        The name of the interface

PCAPFILE                      no        The name of the PCAP capture file to process

PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)

RHOSTS                        yes       The target address range or CIDR identifier

SNAPLEN      65535            yes       The number of bytes to capture

THREADS      1                yes       The number of concurrent threads

TIMEOUT      1000             yes       The socket connect timeout in milliseconds

Note that RHOSTS is the discovered network host; my next move is to run RHOSTS to set up scanning, then use the run command. Eventually, I get results like this:

msf  auxiliary(tcp) > run

[*] - TCP OPEN

[*] - TCP OPEN

This tells me that the only open port on my machines is port 80, the default port for Internet traffic. Since that doesn't tell me much, I turn on remote login for all users on my laptop and run the scan again, with these slightly different results:

[*] - TCP OPEN

[*] - TCP OPEN

[*] - TCP OPEN

[*] Scanned 2 of 2 hosts (100% complete)

[*] Auxiliary module execution completed

The problem is that newer operating systems (and older systems that have been hardened) do not reply to a request for identification. That means that when I run ‘show exploits' in Metasploit, it gives me the entire list for port 80 and 21, mostly Windows exploits and buffer overflows for application programs I am not running.

I need something insecure to test against.

Enter Metasploitable

Once you've downloaded Metasploit, installed it and played with it, you will eventually want something to attack, something vulnerable to practice on. You could go buy some Windows 98 or Windows 2000 machines from eBay. Or you could download Metasploitable, a free Linux version that is designed to be insecure and to run as a virtual machine. The staff at Rapid7, the company behind Metasploit, has even designed a configuration and attack guide to Metasploitable.

With Metasploitable running in a different virtual machine, I run a command to scan all the ports from 1 to 100 and report back details:

db_nmap -v -sV

db_nmap -p0-100

[*] Nmap: Starting Nmap 6.25 ( http://nmap.org ) at 2013-02-15 00:13 EST

[*] Nmap: Nmap scan report for

[*] Nmap: Host is up (0.0055s latency).

[*] Nmap: Not shown: 95 filtered ports


[*] Nmap: 21/tcp open  ftp

[*] Nmap: 22/tcp open  ssh

[*] Nmap: 23/tcp open  telnet

[*] Nmap: 25/tcp open  smtp

[*] Nmap: 53/tcp open  domain

[*] Nmap: 80/tcp open  http

[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.98 seconds

These specific ports have known vulnerabilities I can Google or research with 'show exploits.' My next idea is to go after the FTP service.

Sometimes you don't want a full attack system; you just want a single button called ‘scan the network.' In that case, Fing is your friend.


If you search the Apple app store for ‘fing', you'll find a free port scanning tool. Double-clicking fing brings up a list of networks in range. I click one, and it scans the entire network and provides a list -- and clicking on a specific IP address gets me the vulnerabilities for that device. Because it runs on an iPhone, you can do this to any network you can connect to, including branch offices or your local coffee bar, so check network policies before doing a full port scan, please.

Where to go for more information

Once you find the open ports, the next step is to see if they are exploitable. Much more information, including a full step-by-step tutorial on Metasploit, is at offensive-security.com. The tutorial is a full tutorial. It lets you create a virtual machine with known weaknesses, then attack the machine with the tool. It takes a significant amount of disk space (around 20 GB) to run the tutorial, and considerable time to walk through it. Alternatively, you can watch the Metasploit Security Movie, also free on SecurityTube.

The video opens with a quote from Abraham Lincoln, which I consider good advice: "If I had eight hours to chop down a tree, I'd spend the first six of them sharpening my axe." 

Metasploit is free. It is effective. It is powerful. It might take some time to learn, but then again, I expect it will be time well spent.

Are you using fing and Metasploit? Let us know what you think and follow us on Twitter @SoftwareTestTT.

Dig Deeper on Topics Archive