Metasploit: My first use of Auxiliary Modules

Chapter nine of Metasploit: The Penetration Tester’s Guide moves into auxiliary modules. Here’s a snippet from the book:

In addition to providing valuable tools such as port scanners and service fingerprints, auxiliary modules such as ssh_login can take a known list of usernames and passwords and then attempt to log in via brute force across an entire network. Also included in the auxiliary modules are various protocol fuzzers such as ftp_pre_post, http_get_uri, smtp_fuzzer, ssh_version_corrupt and more. You can launch these fuzzers at a target service in hopes of finding your own vulnerabilities to exploit.

We can list all the auxiliary modules available:

msf > show auxiliary

Auxiliary
=========

Name                                         Disclosure Date  Rank    Description
----                                         ---------------  ----    -----------
admin/2wire/xslt_password_reset              2007-08-15       normal  2Wire Cross-Site Request Forgery Password Reset Vulnerability
admin/backupexec/dump                                         normal  Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry                                     normal  Veritas Backup Exec Server Registry Access
admin/cisco/cisco_secure_acs_bypass                           normal  Cisco Secure ACS Version < 5.1.0.44.5 or 5.2.0.26.2 Unauthorized Password Change
admin/cisco/vpn_3000_ftp_bypass              2006-08-23       normal  Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access
admin/db2/db2rcmd                            2004-03-04       normal  IBM DB2 db2rcmd.exe Command Execution Vulnerability
admin/edirectory/edirectory_dhost_cookie                      normal  Novell eDirectory DHOST Predictable Session Cookie
admin/edirectory/edirectory_edirutil                          normal  Novell eDirectory eMBox Unauthenticated File Access
admin/emc/alphastor_devicemanager_exec       2008-05-27       normal  EMC AlphaStor Device Manager Arbitrary Command Execution
admin/emc/alphastor_librarymanager_exec      2008-05-27       normal  EMC AlphaStor Library Manager Arbitrary Command Execution
admin/hp/hp_data_protector_cmd               2011-02-07       normal  HP Data Protector 6.1 EXEC_CMD Command Execution
admin/http/axigen_file_access                2012-10-31       normal  Axigen Arbitrary File Read and Delete
admin/http/contentkeeper_fileaccess                           normal  ContentKeeper Web Appliance mimencode File Access
admin/http/dlink_dir_300_600_exec_noauth     2013-02-04       normal  D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
admin/http/dlink_dir_645_password_extractor                   normal  DLink DIR 645 Password Extractor
admin/http/dlink_dsl320b_password_extractor                   normal  DLink DSL 320B Password Extractor
admin/http/hp_web_jetadmin_exec              2004-04-27       normal  HP Web JetAdmin 6.5 Server Arbitrary Command Execution
admin/http/iis_auth_bypass                   2010-07-02       normal  MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass
admin/http/intersil_pass_reset

And so on…

Here’s my first use of an auxiliary module against my virtual hacking lab:

msf > use scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > info

Name: HTTP WebDAV Scanner
Module: auxiliary/scanner/http/webdav_scanner
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
et <et@metasploit.com>

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PATH     /                yes       Path to use
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host

Description:
Detect webservers with WebDAV enabled

msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(webdav_scanner) > run

[+] 192.168.1.79 (Microsoft-IIS/5.1) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_scanner) >

This auxiliary module simply detects web servers with WebDAV enabled, which is the case for this host.
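To see what kind of evidence sits behind a "WEBDAV ENABLED" result, here is an added example (not from the original post and not Metasploit's own code) that classifies an HTTP OPTIONS response offline. The header choices (DAV and Allow per RFC 4918, plus the IIS-specific MS-Author-Via and Public), the function names and both sample responses are assumptions constructed for illustration.

```ruby
# Added example: classify an HTTP OPTIONS response for WebDAV indicators.
# Assumption: DAV/Allow (RFC 4918) plus IIS's MS-Author-Via and Public headers
# are the signals of interest; this is not the webdav_scanner module's code.

WEBDAV_METHODS = %w[PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK].freeze

# Parse a raw HTTP response into [status_code, {lowercased-header => value}].
def parse_response(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  lines = head.split(/\r?\n/)
  status = lines.shift.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    key = name.strip.downcase
    # Repeated headers (e.g. two Allow lines) are joined into one value.
    headers[key] = [headers[key], value.strip].compact.join(', ')
  end
  [status, headers]
end

# Report whether the response indicates WebDAV, and which headers say so.
def webdav_findings(raw)
  status, h = parse_response(raw)
  methods = [h['allow'], h['public']].compact.join(',').split(',').map { |m| m.strip.upcase }
  dav_methods = methods & WEBDAV_METHODS
  reasons = []
  reasons << "DAV: #{h['dav']}" if h.key?('dav')
  reasons << 'MS-Author-Via: DAV' if h['ms-author-via'].to_s =~ /\bDAV\b/i
  reasons << "methods: #{dav_methods.join(' ')}" unless dav_methods.empty?
  { status: status, server: h['server'], enabled: !reasons.empty?, reasons: reasons }
end

# Constructed sample responses (not captured from the lab host in this post).
IIS_DAV = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.1\r\nMS-Author-Via: DAV\r\n" \
          "DAV: 1, 2\r\nPublic: OPTIONS, GET, PROPFIND, LOCK\r\n" \
          "Allow: OPTIONS, GET, HEAD\r\n\r\n"
PLAIN   = "HTTP/1.1 200 OK\r\nServer: ExampleServer\r\nAllow: GET, HEAD, OPTIONS\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  [IIS_DAV, PLAIN].each { |raw| p webdav_findings(raw) }
end
```

On a host that does not need WebDAV, the same indicators should come back empty once the feature has been disabled.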

