Connect scanning with Metasploit

Metasploit has an auxiliary module that can be used to perform TCP connect scans on specified TCP ports:

  1. To open up Metasploit in Kali Linux, use the msfconsole command in a Terminal session, as follows:
  2. To call the TCP connect scan module in Metasploit, use the use command with the relative path of the auxiliary module. Once the module has been selected, the show options command can be used to identify and/or modify the scan configuration. This command displays four columns: Name, Current Setting, Required, and Description. The Name column identifies the name of each configurable variable. The Current Setting column lists the existing configuration for any given variable. The Required column identifies whether a value is required for any given variable. Finally, the Description column describes the function of each variable. We can change the value of any given variable using the set command and providing the new value as an argument, as follows:
  3. In the example provided, the RHOSTS value was changed to the IP address of the remote system that we wish to scan. The PORTS value is set to TCP port 80 (HTTP). After the necessary variables have been updated, the configuration can be verified again using the show options command. Once the desired configuration has been verified, the scan is launched. The run command is used in Metasploit to execute the selected auxiliary module. In the example provided, the run command executes a TCP connect scan against port 80 of the specified IP address.

This TCP connect scan can also be performed against a sequential series of TCP ports by supplying the first and last values, separated by a dash:

  4. In the example provided, the first 100 TCP port addresses were set to be scanned. Additionally, the number of threads was changed to 20. The THREADS value defines the number of concurrent tasks that will be performed in the background. Determining a thread value consists of finding a good balance that noticeably improves the speed of the task without overly depleting system resources. For most systems, 20 threads is a fast and reasonably safe number of concurrent tasks. Although this scan identified multiple services on the target system, one cannot be sure that all services have been identified unless all of the possible port addresses have been scanned. The portions of the TCP header that define the source and destination port addresses are both 16 bits in length, and each bit can hold a value of 0 or 1. As such, there are 2^16, or 65,536, possible TCP port addresses. For the total possible address space to be scanned, a port range of 0 to 65535 needs to be supplied, as follows:
  5. In the example provided, all of the open TCP ports on the remote system were identified by scanning all of the possible TCP port addresses. We can also modify the scan configuration to scan a sequential series of host addresses using dash notation:
  6. In the example provided, a TCP connect scan is performed on ports 22, 80, and 443 on all of the host addresses specified by the RHOSTS variable. Similarly, RHOSTS can be used to define a network range using CIDR notation:
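To make concrete what the module does behind the RHOSTS, PORTS and THREADS options, here is an added Python stand-in (not Metasploit's own code) that expands a PORTS-style specification such as "1-100" or "22,80,443", completes a full TCP three-way handshake against each port from a pool of worker threads, and reports the ports that accepted the connection. Because a connect scan finishes the handshake, the listening service sees an accepted connection and will typically log it, which is what makes this scan type easy to spot on the target side; the loopback listener in the block is a constructed target so the example runs offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """Expand a PORTS-style string such as "1-100", "22,80,443" or "80,1-10"
    into a sorted, de-duplicated list of port numbers (0-65535)."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def connect_probe(host, port, timeout=1.0):
    """Attempt a full TCP three-way handshake. True means the port accepted
    the connection; the service behind it sees (and may log) that connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_scan(host, ports_spec, threads=20, timeout=1.0):
    """Probe every port in ports_spec with a pool of `threads` workers,
    mirroring the RHOSTS / PORTS / THREADS options. Returns the open ports."""
    ports = parse_ports(ports_spec)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        flags = list(pool.map(lambda p: connect_probe(host, p, timeout), ports))
    return [p for p, is_open in zip(ports, flags) if is_open]


def open_local_listener(host="127.0.0.1"):
    """Constructed target: a listener on an ephemeral loopback port.
    Returns (socket, port); close the socket when finished."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    print("open:", connect_scan("127.0.0.1", f"{port - 2}-{port + 2}", threads=20))
    srv.close()
```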