When most people think of Metasploit, exploits come to mind. Exploits are cool, exploits get you shell, and exploits get all the attention. But sometimes you need something more than that. By definition, a Metasploit module that is not an exploit is an auxiliary module, which leaves a lot to the imagination.
In addition to providing valuable reconnaissance tools such as port scanners and service fingerprinters, auxiliary modules such as ssh_login can take a known list of usernames and passwords and then attempt to log in via brute force across an entire target network. Also included in the auxiliary modules are various protocol fuzzers such as ftp_pre_post, http_get_uri_long, smtp_fuzzer, ssh_version_corrupt, and more. You can launch these fuzzers at a target service in hopes of finding your own vulnerabilities to exploit.
Just because auxiliary modules don’t have a payload, don’t think you won’t use them. But before we dive into their myriad uses, here’s an overview to help you see what we are dealing with.
root@bt:/opt/framework3/msf3/modules/auxiliary# ls -l
total 52
drwxr-xr-x 23 root root 4096 Apr 10 03:22 admin
drwxr-xr-x 4 root root 4096 Dec 14 03:25 client
drwxr-xr-x 16 root root 4096 Jan 1 04:19 dos
drwxr-xr-x 8 root root 4096 Dec 14 03:25 fuzzers
drwxr-xr-x 3 root root 4096 May 2 15:38 gather
drwxr-xr-x 4 root root 4096 Dec 14 03:25 pdf
drwxr-xr-x 36 root root 4096 Apr 10 03:22 scanner
drwxr-xr-x 5 root root 4096 May 2 15:38 server
drwxr-xr-x 3 root root 4096 May 2 15:38 sniffer
drwxr-xr-x 5 root root 4096 Dec 14 03:25 spoof
drwxr-xr-x 4 root root 4096 Dec 14 03:25 sqli
drwxr-xr-x 3 root root 4096 May 2 15:38 test
drwxr-xr-x 3 root root 4096 May 2 15:38 voip
As you can see in the preceding listing, modules are installed within the /modules/auxiliary directory of the Framework, and within that, sorted based on the functions they provide. Should you want to create your own module or edit an existing one to suit a specific purpose, you will find them in their corresponding directories. For instance, if you need to develop a fuzzer module to hunt your own bugs, you will find some pre-existing modules in the /fuzzers directory.
To list all the available auxiliary modules within Metasploit, simply issue the show auxiliary command within msfconsole. If you compare the preceding directory listing with the module names displayed in msfconsole, you will notice that the naming of the modules depends on the underlying directory structure, as shown below.

msf > show auxiliary

Auxiliary
=========

   Name                                   Rank    Description
   ----                                   ----    -----------
   admin/backupexec/dump                  normal  Veritas Backup Exec Windows Remote File Access
   admin/backupexec/registry              normal  Veritas Backup Exec Server Registry Access
   admin/cisco/ios_http_auth_bypass       normal  Cisco IOS HTTP Unauthorized Administrative Access
   . . . SNIP . . .
   fuzzers/ssh/ssh_version_corrupt        normal  SSH Version Corruption
   fuzzers/tds/tds_login_corrupt          normal  TDS Protocol Login Request Corruption Fuzzer
   fuzzers/tds/tds_login_username         normal  TDS Protocol Login Request Username Fuzzer
   fuzzers/wifi/fuzz_beacon               normal  Wireless Beacon Frame Fuzzer
   fuzzers/wifi/fuzz_proberesp            normal  Wireless Probe Response Frame Fuzzer
   gather/citrix_published_applications   normal  Citrix MetaFrame ICA Published Applications Scanner
   gather/citrix_published_bruteforce     normal  Citrix MetaFrame ICA Published Applications Bruteforcer
   gather/dns_enum                        normal  DNS Enumeration Module
   gather/search_email_collector          normal  Search Engine Domain Email Address Collector
   pdf/foxit/authbypass                   normal  Foxit Reader Authorization Bypass
   scanner/backdoor/energizer_duo_detect  normal  Energizer DUO Trojan Scanner
   scanner/db2/db2_auth                   normal  DB2 Authentication Brute Force Utility
   scanner/db2/db2_version                normal  DB2 Probe Utility
As you can see in this trimmed output, the auxiliary modules are organized by category. At your disposal are the DNS enumeration module, Wi-Fi fuzzers, and even a module to locate and abuse the Trojan backdoor that was included on Energizer USB battery chargers.
Using an auxiliary module is similar to using any exploit within the Framework: simply issue the use command followed by the module name. For example, to use the webdav_scanner module (explored in Auxiliary Modules in Use), you would run use scanner/http/webdav_scanner as shown below. In auxiliary modules, the basic options are slightly different, with an RHOSTS option to target multiple machines and a THREADS value to fine-tune the speed of your scanning.

msf > use scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > info

       Name: HTTP WebDAV Scanner
    Version: 9179
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  et <[email protected]>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        Use a proxy chain
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    80               yes       The target port
  THREADS  1                yes       The number of concurrent threads
  VHOST                     no        HTTP server virtual host

Description:
  Detect webservers with WebDAV enabled

msf auxiliary(webdav_scanner) >
Here we issue the use command for the module of interest. We can then get a full dump of information about the module using the info command, as well as a list of the available options. Within the options, we see that the only required option without a default is RHOSTS, which can take a single IP address, a comma-separated list, a range (such as 192.168.1.1-254), or CIDR notation.
The other options mostly vary depending on the auxiliary module being used. For instance, the THREADS option sets how many hosts the scanner probes concurrently. Raising it from the default of 1 speeds a scan up roughly in proportion to the thread count (not exponentially), at the cost of more load on the targets and a noisier footprint in their logs.
Auxiliary modules are exciting because they can be used in so many ways for so many things. If you can’t find the perfect auxiliary module, it’s easy to modify one to suit your specific needs.
Consider a common example. Say you are conducting a remote penetration test, and upon scanning the network, you identify a number of web servers and not much else. Your attack surface is limited at this point, and you have to work with what is available to you. Your auxiliary scanner/http modules will now prove extremely helpful as you look for low-hanging fruit against which you can launch an exploit. To search for all available HTTP scanners, run search scanner/http as shown here.

msf auxiliary(webdav_scanner) > search scanner/http
[*] Searching loaded modules for pattern 'scanner/http'...

Auxiliary
=========

   Name                                          Rank    Description
   ----                                          ----    -----------
   scanner/http/backup_file                      normal  HTTP Backup File Scanner
   scanner/http/blind_sql_query                  normal  HTTP Blind SQL Injection GET QUERY Scanner
   scanner/http/brute_dirs                       normal  HTTP Directory Brute Force Scanner
   scanner/http/cert                             normal  HTTP SSL Certificate Checker
   scanner/http/copy_of_file                     normal  HTTP Copy File Scanner
   scanner/http/dir_listing                      normal  HTTP Directory Listing Scanner
   scanner/http/dir_scanner                      normal  HTTP Directory Scanner
   scanner/http/dir_webdav_unicode_bypass        normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
   scanner/http/enum_delicious                   normal  Pull Del.icio.us Links (URLs) for a domain
   scanner/http/enum_wayback                     normal  Pull Archive.org stored URLs for a domain
   scanner/http/error_sql_injection              normal  HTTP Error Based SQL Injection Scanner
   scanner/http/file_same_name_dir               normal  HTTP File Same Name Directory Scanner
   scanner/http/files_dir                        normal  HTTP Interesting File Scanner
   scanner/http/frontpage_login                  normal  FrontPage Server Extensions Login Utility
   scanner/http/http_login                       normal  HTTP Login Utility
   scanner/http/http_version                     normal  HTTP Version Detection
   scanner/http/lucky_punch                      normal  HTTP Microsoft SQL Injection Table XSS Infection
   scanner/http/ms09_020_webdav_unicode_bypass   normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass
   scanner/http/options                          normal  HTTP Options Detection
   scanner/http/prev_dir_same_name_file          normal  HTTP Previous Directory File Scanner
   scanner/http/replace_ext                      normal  HTTP File Extension Scanner
   scanner/http/robots_txt                       normal  HTTP Robots.txt Content Scanner
   scanner/http/soap_xml                         normal  HTTP SOAP Verb/Noun Brute Force Scanner
   scanner/http/sqlmap                           normal  SQLMAP SQL Injection External Module
   scanner/http/ssl                              normal  HTTP SSL Certificate Information
   scanner/http/svn_scanner                      normal  HTTP Subversion Scanner
   scanner/http/tomcat_mgr_login                 normal  Tomcat Application Manager Login Utility
   scanner/http/trace_axd                        normal  HTTP trace.axd Content Scanner
   scanner/http/verb_auth_bypass                 normal  HTTP Verb Authentication Bypass Scanner
   scanner/http/vhost_scanner                    normal  HTTP Virtual Host Brute Force Scanner
   scanner/http/vmware_server_dir_trav           normal  VMware Server Directory Transversal Vulnerability
   scanner/http/web_vulndb                       normal  HTTP Vuln scanner
   scanner/http/webdav_internal_ip               normal  HTTP WebDAV Internal IP Scanner
   scanner/http/webdav_scanner                   normal  HTTP WebDAV Scanner
   scanner/http/webdav_website_content           normal  HTTP WebDAV Website Content Scanner
   scanner/http/writable                         normal  HTTP Writable Path PUT/DELETE File Access
   scanner/http/xpath                            normal  HTTP Blind XPATH 1.0 Injector
There are a lot of options here, so let's identify some likely candidates in that list. Notice that there are modules for retrieving the robots.txt file from various servers, numerous ways to interact with WebDAV, a module to identify servers that allow writable file access via PUT/DELETE, and many other special-purpose modules.
You can see immediately that there are modules you can use for subsequent exploration. Older versions of Microsoft IIS had vulnerabilities in their WebDAV implementations that allowed for remote exploitation, so you could first run a scan against your targets in hopes of finding a server with WebDAV enabled, as follows.
msf auxiliary(dir_webdav_unicode_bypass) > use scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > show options

Module options:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        Use a proxy chain
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    80               yes       The target port
  THREADS  1                yes       The number of concurrent threads
  VHOST                     no        HTTP server virtual host

msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.242, 192.168.13.242.252,
192.168.13.242.254, 192.168.4.116, 192.168.4.118, 192.168.4.122,
192.168.13.242.251, 192.168.13.242.234, 192.168.8.67, 192.68.8.113,
192.168.13.242.231, 192.168.13.242.249, 192.168.4.115, 192.168.8.66, 192.168.8.68,
192.168.6.62
RHOSTS => 192.168.1.242, 192.168.13.242.252, 192.168.13.242.254, 192.168.4.116, 192.168.4.118, 192.168.4.122, 192.168.13.242.251, 192.168.13.242.234, 192.168.8.67, 192.168.6.113, 192.168.13.242.231, 192.168.13.242.249, 192.168.4.115, 192.168.8.66, 192.168.8.68, 192.168.6.62
msf auxiliary(webdav_scanner) > run

[*] 192.168.1.242 (Microsoft-IIS/6.0) WebDAV disabled.
[*] 192.168.13.242.252 (Apache/2.2.9 (Debian) proxy_html/3.0.0 mod_ssl/2.2.9 OpenSSL/0.9.8g) WebDAV disabled.
[*] Scanned 04 of 31 hosts (012% complete)
[*] Scanned 07 of 31 hosts (022% complete)
[*] 192.168.4.116 (Apache/2.2.3 (Red Hat)) WebDAV disabled.
[*] Scanned 10 of 31 hosts (032% complete)
[*] 192.168.4.122 (Apache/2.2.3 (Red Hat)) WebDAV disabled.
[*] Scanned 13 of 31 hosts (041% complete)
[*] 192.168.13.242.251 (Microsoft-IIS/6.0) WebDAV disabled.
[*] 192.168.13.242.234 (Microsoft-IIS/6.0) WebDAV disabled.
[*] Scanned 16 of 31 hosts (051% complete)
[*] 192.168.8.67 (Microsoft-IIS/6.0) WebDAV disabled.
[*] Scanned 19 of 31 hosts (061% complete)
[*] 192.168.6.113 (Microsoft-IIS/5.0) has WEBDAV ENABLED
[*] 192.168.13.242.231 (Microsoft-IIS/6.0) WebDAV disabled.
[*] Scanned 22 of 31 hosts (070% complete)
[*] 192.168.13.242.249 (Microsoft-IIS/6.0) WebDAV disabled.
[*] Scanned 25 of 31 hosts (080% complete)
[*] 192.168.4.115 (Microsoft-IIS/6.0) WebDAV disabled.
[*] 192.168.8.66 (Microsoft-IIS/6.0) WebDAV disabled.
[*] Scanned 28 of 31 hosts (090% complete)
[*] 192.168.8.68 (Microsoft-IIS/6.0) WebDAV disabled.
[*] Scanned 31 of 31 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see in this example, a number of HTTP servers have been scanned in the search for WebDAV, and only one happens to have WebDAV enabled. This module has quickly identified a specific system against which you can launch further attacks. Note that the scanner only reports what it was able to probe: hosts that never answered the OPTIONS request simply do not appear in the output, so a quiet host is not the same as a host with WebDAV disabled.
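To make concrete what the RHOSTS and THREADS options described earlier are doing underneath, and what "has WEBDAV ENABLED" actually means for a scan like the one above, here is a small stand-alone Ruby script. It is an added example and not code from the Metasploit Framework: the RHOSTS expander handles a single address, a comma-separated list, a last-octet dash range and a CIDR block (a subset of what Metasploit's Rex::Socket::RangeWalker accepts), the worker pool plays the role of THREADS, and the WebDAV check keys on the DAV: response header to an HTTP OPTIONS request, with a fallback on PROPFIND in the Allow: header that is this example's own addition. No network is touched: the OPTIONS responses are constructed and embedded in the CANNED hash, keyed by host.

```ruby
# Added example (not Metasploit code): RHOSTS expansion, THREADS-style
# concurrency and a WebDAV check over canned HTTP OPTIONS responses.
require 'ipaddr'
require 'thread'

# Expand an RHOSTS-style string into individual IPv4 addresses.
# Accepts a single address, a comma/space separated list, a CIDR block
# (network and broadcast included) or a dash range in the last octet.
# Anything that is not a valid IPv4 address raises, as it should.
def expand_rhosts(spec)
  hosts = []
  spec.split(/[,\s]+/).reject(&:empty?).each do |item|
    if item.include?('/')
      hosts.concat(IPAddr.new(item).to_range.map(&:to_s))
    elsif item =~ /\A(\d+\.\d+\.\d+\.)(\d+)-(\d+)\z/
      prefix, lo, hi = $1, $2.to_i, $3.to_i
      raise ArgumentError, "bad range #{item}" if lo > hi || hi > 255
      (lo..hi).each { |n| hosts << "#{prefix}#{n}" }
    else
      hosts << IPAddr.new(item).to_s # validates the address
    end
  end
  hosts.uniq
end

# Parse the header block of a raw HTTP response into a lowercase-keyed hash.
def parse_headers(raw_response)
  head = raw_response.split(/\r?\n\r?\n/, 2).first
  head.lines.drop(1).each_with_object({}) do |line, acc|
    k, v = line.split(':', 2)
    acc[k.strip.downcase] = v.to_s.strip if v
  end
end

def server_banner(raw_response)
  parse_headers(raw_response)['server'] || 'unknown'
end

# WebDAV servers advertise a DAV: header (RFC 4918) on OPTIONS; class 1 is
# the minimum. Falling back on PROPFIND in Allow: is this example's addition.
def webdav_enabled?(raw_response)
  h = parse_headers(raw_response)
  return true if h['dav'] && h['dav'] =~ /\b1\b/
  !!(h['allow'] && h['allow'] =~ /PROPFIND/i)
end

# Run `probe` over every host with up to `threads` workers (like THREADS).
# A probe that raises (host down, not HTTP) is recorded, not fatal.
def threaded_scan(hosts, threads, &probe)
  queue = Queue.new
  hosts.each { |h| queue << h }
  queue.close # pop returns nil once the queue is drained
  results = {}
  lock = Mutex.new
  workers = Array.new([threads, 1].max) do
    Thread.new do
      while (host = queue.pop)
        r = begin
          probe.call(host)
        rescue => e
          { error: e.message }
        end
        lock.synchronize { results[host] = r }
      end
    end
  end
  workers.each(&:join)
  results
end

# Constructed OPTIONS responses standing in for live hosts (assumption).
CANNED = {
  '192.168.6.113' => "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDAV: 1, 2\r\n" \
                     "Allow: OPTIONS, TRACE, GET, HEAD, PUT, PROPFIND, PROPPATCH, MKCOL\r\n\r\n",
  '192.168.1.242' => "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n" \
                     "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n",
  '192.168.4.116' => "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\n" \
                     "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n"
}.freeze

# Expand RHOSTS, probe each host concurrently, return {host => result}.
def scan_for_webdav(rhosts, threads = 1, responses = CANNED)
  threaded_scan(expand_rhosts(rhosts), threads) do |host|
    raw = responses.fetch(host) { raise 'no HTTP response' }
    { server: server_banner(raw), webdav: webdav_enabled?(raw) }
  end
end

if $PROGRAM_NAME == __FILE__
  scan_for_webdav('192.168.6.113, 192.168.1.242, 192.168.4.116-118', 4).sort.each do |host, r|
    if r[:error]
      puts "[-] #{host} #{r[:error]}"
    else
      puts "[*] #{host} (#{r[:server]}) #{r[:webdav] ? 'has WEBDAV ENABLED' : 'WebDAV disabled.'}"
    end
  end
end
```

Two things worth noticing when you run it. First, hosts that give no response come back as an error entry rather than "WebDAV disabled", which is the distinction the module output above quietly hides. Second, the five-octet entries in the RHOSTS list above are not valid IPv4 addresses and this expander rejects them outright; check what your target specification actually expands to before trusting the "Scanned N of N hosts" count.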
Auxiliary module functionality goes far beyond scanning. As you will see in Chapter 14, auxiliary modules also work great as fuzzers with a little modification. A number of denial-of-service modules are also available for Wi-Fi (including dos/wifi/deauth), which can prove quite disruptive when used properly.