Network map/topology module

[h00die]

Back in 2017 I remember talking with "management" during my interview with the metasploit team about a network map generator and they agreed it would be good in framework and not a pro feature. Then in 2019 R7 had a Metasploit hack-a-thon in Austin. While waiting at the airport I started to create a module which would take the database information from MSF (and nmap fed into msf) and create a network topology/map for pentest reports. The advantage being we would know which hosts were compromised, and other insights. After trying several different JS libraries, graph databases, etc I never found the mix of time and features I needed to make it a reality and gave up. However, 7yrs later and the advanced in AI, I now present the module I had envisioned so long ago with Claude's help.

THIS IS NOT A GUI FOR METASPLOIT, I repeat THIS IS NOT A GUI FOR METASPLOIT!!!

2019 testing:

2026 edition:

Features

1. Takes loot, sessions, hosts, creds from metasploit's DB to create a standalone HTML page for browsing the hosts
2. Gives detailed information about hosts:
   1. IP
   2. Mac
   3. Traceroute info (with timing for each host and total time)
   4. OS with icon
   5. purpose
   6. status
   7. services with port numbers
   8. Sessions, with a copy button to copy the commands to re-create the session (ie use module, set payload, set rhost, set lhost)
   9. modules used: a quick summary of all unique modules used against target (likely fed ONLY from sessions)
   10. loot: a list of all loot from target, click a loot and it'll open (if on the same box as MSF)
   11. creds: list of creds seen on the box, marked successful or not
3. shows pathing through switches/routers. Click a box and it'll highlight the route back to the host
4. dark and light mode (dark by default, obvi)
5. export to PNG once you have everything set you the way you want it for embedding in the report
6. Need to move a node on the map? Just do it, they'll stick where you leave them so you can sort by business units or other custom way
7. Filters:
   1. Filters can just dim or completely hide boxes depending on needs
   2. Filter by sessions (active or ever)
   3. Device type
   4. OS
   5. Ports
   6. Credentials
8. Layout direction, top down by default, but left-> right is also an option
9. Nodes per line is configurable so you can have a VERY wide map, or multiple rows of not many items, up to your graphical desires
10. Did MSF miss identify something? right click the node to change the device type, color or OS

Verification

• Start msfconsole
• Two options here:
  • Populate your db, I recommend using db_nmap. I forget which flags do traceroute, but you'll want that data as well
    • db_nmap -p 53 -sV --traceroute
    • get a shell on a box and do some loot just to make the page more fun
  • https://github.com/h00die/metasploit-framework/blob/a3fd14bfb523aa0964a5816878c9c489e4d9c330/data/auxiliary/analyze/network_map/README.md#steps (also in docs)
• use auxiliary/analyze/network_graph
• run
• open the output in a browser
• I've also included an example run as output since it can be quicker than polluting your db
• check it out

[h00die]

I've now included an up to date example output: https://github.com/h00die/metasploit-framework/blob/5c0ceef84020269f4bd139cc913ae550a8c59a48/data/auxiliary/analyze/network_map/example_output.html so that you can play around with it. Biggest changes since I originally submitted is it now has creds. creds appear on a box's info, and are also available as a filter.

[hdm]

@h00die nice work!

[github-actions]

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We've added the additional-testing-required label to indicate that additional testing is required before this pull request can be merged.
For maintainers, this means visiting here.

[inokii]

@h00die Nice! I think I recall that demo shot after the 2019 Metasploit global committer hackathon.