Chapter 9. Metasploit Auxiliary Modules

When most people think of Metasploit, exploits come to mind. Exploits are cool, exploits get you shell, and exploits get all the attention. But sometimes you need something more than that. In Metasploit's terms, a module that acts on a target but delivers no payload is an auxiliary module, a definition broad enough to leave a lot to the imagination.

In addition to providing valuable reconnaissance tools such as port scanners and service fingerprinters, auxiliary modules such as ssh_login can take a known list of usernames and passwords and then attempt to log in via brute force across an entire target network. Also included in the auxiliary modules are various protocol fuzzers such as ftp_pre_post, http_get_uri_long, smtp_fuzzer, ssh_version_corrupt, and more. You can launch these fuzzers at a target service in hopes of finding your own vulnerabilities to exploit.

Just because auxiliary modules don’t have a payload, don’t think you won’t use them. But before we dive into their myriad uses, here’s an overview to help you see what we are dealing with.

  root@bt:/opt/framework3/msf3/modules/auxiliary# ls -l
  total 52
  drwxr-xr-x 23 root root 4096 Apr 10 03:22 admin
  drwxr-xr-x  4 root root 4096 Dec 14 03:25 client
  drwxr-xr-x 16 root root 4096 Jan  1 04:19 dos
  drwxr-xr-x  8 root root 4096 Dec 14 03:25 fuzzers
  drwxr-xr-x  3 root root 4096 May  2 15:38 gather
  drwxr-xr-x  4 root root 4096 Dec 14 03:25 pdf
  drwxr-xr-x 36 root root 4096 Apr 10 03:22 scanner
  drwxr-xr-x  5 root root 4096 May  2 15:38 server
  drwxr-xr-x  3 root root 4096 May  2 15:38 sniffer
  drwxr-xr-x  5 root root 4096 Dec 14 03:25 spoof
  drwxr-xr-x  4 root root 4096 Dec 14 03:25 sqli
  drwxr-xr-x  3 root root 4096 May  2 15:38 test
  drwxr-xr-x  3 root root 4096 May  2 15:38 voip

As you can see in the preceding listing, modules are installed within the modules/auxiliary directory of the Framework (here /opt/framework3/msf3/modules/auxiliary), and within that, sorted by the function they provide. Should you want to create your own module or edit an existing one to suit a specific purpose, you will find the existing ones in their corresponding directories. For instance, if you need to develop a fuzzer module to hunt your own bugs, you will find some pre-existing modules in the fuzzers directory to start from.

To list all the available auxiliary modules within Metasploit, simply issue the show auxiliary command within msfconsole. If you compare the preceding directory listing with the module names displayed in msfconsole, you will notice that a module's name is simply its path beneath modules/auxiliary without the .rb extension (the file fuzzers/ssh/ssh_version_corrupt.rb is the module fuzzers/ssh/ssh_version_corrupt), as shown below.

  msf > show auxiliary

  Auxiliary
  =========

     Name                                  Rank    Description
     ----                                  ----    -----------
     admin/backupexec/dump                 normal  Veritas Backup Exec Windows Remote File Access
     admin/backupexec/registry             normal  Veritas Backup Exec Server Registry Access
     admin/cisco/ios_http_auth_bypass      normal  Cisco IOS HTTP Unauthorized Administrative Access
  . . . SNIP . . .
     fuzzers/ssh/ssh_version_corrupt       normal  SSH Version Corruption
     fuzzers/tds/tds_login_corrupt         normal  TDS Protocol Login Request Corruption Fuzzer
     fuzzers/tds/tds_login_username        normal  TDS Protocol Login Request Username Fuzzer
     fuzzers/wifi/fuzz_beacon              normal  Wireless Beacon Frame Fuzzer
     fuzzers/wifi/fuzz_proberesp           normal  Wireless Probe Response Frame Fuzzer
     gather/citrix_published_applications  normal  Citrix MetaFrame ICA Published Applications Scanner
     gather/citrix_published_bruteforce    normal  Citrix MetaFrame ICA Published Applications Bruteforcer
     gather/dns_enum                       normal  DNS Enumeration Module
     gather/search_email_collector         normal  Search Engine Domain Email Address Collector
     pdf/foxit/authbypass                  normal  Foxit Reader Authorization Bypass
     scanner/backdoor/energizer_duo_detect normal  Energizer DUO Trojan Scanner
     scanner/db2/db2_auth                  normal  DB2 Authentication Brute Force Utility
     scanner/db2/db2_version               normal  DB2 Probe Utility

As you can see in this trimmed output, the auxiliary modules are organized by category. At your disposal are the DNS enumeration module, Wi-Fi fuzzers, and even a module to locate and abuse the Trojan backdoor that was included on Energizer USB battery chargers.

Using an auxiliary module is similar to using any exploit within the Framework: simply issue the use command followed by the module name. For example, to use the webdav_scanner module (explored in Auxiliary Modules in Use, below), you would run use scanner/http/webdav_scanner as shown here.

Note

In auxiliary modules, the basic options differ slightly from those of an exploit: where an exploit takes a single RHOST, a scanner takes an RHOSTS option that can name many machines at once, and a THREADS value lets you tune how many of them are probed concurrently.

  msf > use scanner/http/webdav_scanner
  msf auxiliary(webdav_scanner) > info

         Name: HTTP WebDAV Scanner
      Version: 9179
      License: Metasploit Framework License (BSD)
         Rank: Normal

  Provided by:
    et <[email protected]>

  Basic options:
    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
    Proxies                   no        Use a proxy chain
    RHOSTS                    yes       The target address range or CIDR identifier
    RPORT    80               yes       The target port
    THREADS  1                yes       The number of concurrent threads
    VHOST                     no        HTTP server virtual host

  Description:
    Detect webservers with WebDAV enabled

  msf auxiliary(webdav_scanner) >

Here we issue the use command for the module of interest. We can then get a full dump of information about the module using the info command, including a list of the available options. Within the options, we see that the only required option without a default is RHOSTS, which can take a single IP address, a comma-separated list, a range, or CIDR notation.

The other options vary depending on the auxiliary module being used. For instance, the THREADS option sets how many hosts are probed concurrently, which speeds a scan up roughly in proportion to the thread count until network latency, the targets' own rate limits, or your scanning host's resources become the bottleneck. Keep in mind that a high THREADS value is also a noisier footprint on the target network.
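What those two options amount to, shown as a worked example added here rather than taken from the Framework's own code: expand_rhosts reimplements the target forms the text lists (single address, comma-separated list, range, CIDR) and rejects anything malformed instead of skipping it silently, and scan_with_threads is the worker-pool pattern that THREADS controls, with progress lines in the module's style. The function names and the sample target list are my own assumptions; Metasploit's real parser (Rex::Socket::RangeWalker) accepts more notations than this one.

```ruby
require 'ipaddr'

# Expand a Metasploit-style RHOSTS value into individual IPv4 addresses.
# Accepted entry forms (comma- and/or whitespace-separated):
#   single address     10.0.0.5
#   CIDR block         10.0.0.0/30
#   last-octet range   10.0.0.1-3
#   address range      10.0.0.1-10.0.0.3
# Malformed entries raise, so a typo in a target list is caught before
# anything is sent on the wire.
def expand_rhosts(spec)
  octets = /\d{1,3}(?:\.\d{1,3}){3}/
  hosts = []
  spec.split(/[\s,]+/).reject(&:empty?).each do |entry|
    if entry.match?(/\A#{octets}\/\d{1,2}\z/)
      # IPAddr#to_range walks the whole block, network and broadcast included.
      IPAddr.new(entry).to_range.each { |ip| hosts << ip.to_s }
    elsif (m = entry.match(/\A(#{octets})-(#{octets})\z/))
      (IPAddr.new(m[1])..IPAddr.new(m[2])).each { |ip| hosts << ip.to_s }
    elsif (m = entry.match(/\A(\d{1,3}(?:\.\d{1,3}){2}\.)(\d{1,3})-(\d{1,3})\z/))
      (m[2].to_i..m[3].to_i).each { |last| hosts << IPAddr.new("#{m[1]}#{last}").to_s }
    elsif entry.match?(/\A#{octets}\z/)
      hosts << IPAddr.new(entry).to_s # IPAddr rejects octets above 255
    else
      raise ArgumentError, "unrecognised RHOSTS entry: #{entry.inspect}"
    end
  end
  hosts.uniq
end

# Run `probe` against every host with at most `threads` concurrent workers,
# which is what a scanner's THREADS option controls. Returns a Hash of
# host => probe result (an exception object if the probe raised). Progress
# lines imitate the "[*] Scanned X of Y hosts" output of the Framework.
def scan_with_threads(hosts, threads, verbose: false, &probe)
  queue   = Queue.new
  hosts.each { |h| queue << h }
  results = {}
  lock    = Mutex.new
  done    = 0
  workers = Array.new([threads.to_i, 1].max) do
    Thread.new do
      loop do
        host = queue.pop(true) rescue nil # non-blocking pop; nil once drained
        break if host.nil?
        r = begin
          probe.call(host)
        rescue StandardError => e
          e # keep the failure with its host instead of killing the worker
        end
        lock.synchronize do
          results[host] = r
          done += 1
          if verbose
            puts format('[*] Scanned %02d of %d hosts (%03d%% complete)',
                        done, hosts.size, done * 100 / hosts.size)
          end
        end
      end
    end
  end
  workers.each(&:join)
  results
end

if __FILE__ == $0
  # Constructed sample target list (RFC 1918 space, not the hosts from the text).
  targets = expand_rhosts(ARGV.empty? ? '10.0.0.0/30, 10.0.0.10-12' : ARGV.join(' '))
  # Placeholder probe; a real one would open a socket to each host.
  scan_with_threads(targets, 4, verbose: true) { |h| h.split('.').last.to_i.even? }
end
```

With THREADS at 1 the queue is drained serially, which is the default the info output shows; raising it to 4 lets four hosts be in flight at once, and a probe that raises (a refused connection, a timeout) lands in the results rather than aborting the run.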

Auxiliary Modules in Use

Auxiliary modules are exciting because they can be used in so many ways for so many things. If you can’t find the perfect auxiliary module, it’s easy to modify one to suit your specific needs.

Consider a common example. Say you are conducting a remote penetration test, and upon scanning the network, you identify a number of web servers and not much else. Your attack surface is limited at this point, and you have to work with what is available to you. Your auxiliary scanner/http modules will now prove extremely helpful as you look for low-hanging fruit against which you can launch an exploit. To search for all available HTTP scanners, run search scanner/http as shown here.

  msf auxiliary(webdav_scanner) > search scanner/http
  [*] Searching loaded modules for pattern 'scanner/http'...

  Auxiliary
  =========

     Name                                        Rank    Description
     ----                                        ----    -----------
     scanner/http/backup_file                    normal  HTTP Backup File Scanner
     scanner/http/blind_sql_query                normal  HTTP Blind SQL Injection GET QUERY Scanner
     scanner/http/brute_dirs                     normal  HTTP Directory Brute Force Scanner
     scanner/http/cert                           normal  HTTP SSL Certificate Checker
     scanner/http/copy_of_file                   normal  HTTP Copy File Scanner
     scanner/http/dir_listing                    normal  HTTP Directory Listing Scanner
     scanner/http/dir_scanner                    normal  HTTP Directory Scanner
     scanner/http/dir_webdav_unicode_bypass      normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
     scanner/http/enum_delicious                 normal  Pull Del.icio.us Links (URLs) for a domain
     scanner/http/enum_wayback                   normal  Pull Archive.org stored URLs for a domain
     scanner/http/error_sql_injection            normal  HTTP Error Based SQL Injection Scanner
     scanner/http/file_same_name_dir             normal  HTTP File Same Name Directory Scanner
     scanner/http/files_dir                      normal  HTTP Interesting File Scanner
     scanner/http/frontpage_login                normal  FrontPage Server Extensions Login Utility
     scanner/http/http_login                     normal  HTTP Login Utility
     scanner/http/http_version                   normal  HTTP Version Detection
     scanner/http/lucky_punch                    normal  HTTP Microsoft SQL Injection Table XSS Infection
     scanner/http/ms09_020_webdav_unicode_bypass normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass
     scanner/http/options                        normal  HTTP Options Detection
     scanner/http/prev_dir_same_name_file        normal  HTTP Previous Directory File Scanner
     scanner/http/replace_ext                    normal  HTTP File Extension Scanner
     scanner/http/robots_txt                     normal  HTTP Robots.txt Content Scanner
     scanner/http/soap_xml                       normal  HTTP SOAP Verb/Noun Brute Force Scanner
     scanner/http/sqlmap                         normal  SQLMAP SQL Injection External Module
     scanner/http/ssl                            normal  HTTP SSL Certificate Information
     scanner/http/svn_scanner                    normal  HTTP Subversion Scanner
     scanner/http/tomcat_mgr_login               normal  Tomcat Application Manager Login Utility
     scanner/http/trace_axd                      normal  HTTP trace.axd Content Scanner
     scanner/http/verb_auth_bypass               normal  HTTP Verb Authentication Bypass Scanner
     scanner/http/vhost_scanner                  normal  HTTP Virtual Host Brute Force Scanner
     scanner/http/vmware_server_dir_trav         normal  VMware Server Directory Transversal Vulnerability
     scanner/http/web_vulndb                     normal  HTTP Vuln scanner
     scanner/http/webdav_internal_ip             normal  HTTP WebDAV Internal IP Scanner
     scanner/http/webdav_scanner                 normal  HTTP WebDAV Scanner
     scanner/http/webdav_website_content         normal  HTTP WebDAV Website Content Scanner
     scanner/http/writable                       normal  HTTP Writable Path PUT/DELETE File Access
     scanner/http/xpath                          normal  HTTP Blind XPATH 1.0 Injector

There are a lot of options here, so let's identify some likely candidates in that list. Notice that there are modules for pulling the robots.txt file from each server, numerous ways to interact with WebDAV, a module to identify servers that accept PUT or DELETE on a writable path, and many other special-purpose scanners.

You can see immediately that there are modules you can use for subsequent exploration. Older versions of Microsoft IIS had vulnerabilities in their WebDAV implementation that allowed remote exploitation (the MS09-020 modules in the list above target the IIS 6 flaw), so a sensible first step is to scan your targets for servers that advertise WebDAV at all, as follows.

  msf auxiliary(dir_webdav_unicode_bypass) > use scanner/http/webdav_scanner
  msf auxiliary(webdav_scanner) > show options

  Module options:

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     Proxies                   no        Use a proxy chain
     RHOSTS                    yes       The target address range or CIDR identifier
     RPORT    80               yes       The target port
     THREADS  1                yes       The number of concurrent threads
     VHOST                     no        HTTP server virtual host

  msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.242, 192.168.13.242.252,
  192.168.13.242.254, 192.168.4.116, 192.168.4.118, 192.168.4.122,
  192.168.13.242.251, 192.168.13.242.234, 192.168.8.67, 192.68.8.113,
  192.168.13.242.231, 192.168.13.242.249, 192.168.4.115, 192.168.8.66, 192.168.8.68,
  192.168.6.62
  RHOSTS => 192.168.1.242, 192.168.13.242.252, 192.168.13.242.254, 192.168.4.116,
  192.168.4.118, 192.168.4.122, 192.168.13.242.251, 192.168.13.242.234, 192.168.8.67,
  192.168.6.113, 192.168.13.242.231, 192.168.13.242.249, 192.168.4.115, 192.168.8.66,
  192.168.8.68, 192.168.6.62
  msf auxiliary(webdav_scanner) > run

  [*] 192.168.1.242 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] 192.168.13.242.252 (Apache/2.2.9 (Debian) proxy_html/3.0.0 mod_ssl/2.2.9 OpenSSL/0.9.8g) WebDAV disabled.
  [*] Scanned 04 of 31 hosts (012% complete)
  [*] Scanned 07 of 31 hosts (022% complete)
  [*] 192.168.4.116 (Apache/2.2.3 (Red Hat)) WebDAV disabled.
  [*] Scanned 10 of 31 hosts (032% complete)
  [*] 192.168.4.122 (Apache/2.2.3 (Red Hat)) WebDAV disabled.
  [*] Scanned 13 of 31 hosts (041% complete)
  [*] 192.168.13.242.251 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] 192.168.13.242.234 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] Scanned 16 of 31 hosts (051% complete)
  [*] 192.168.8.67 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] Scanned 19 of 31 hosts (061% complete)
  [*] 192.168.6.113 (Microsoft-IIS/5.0) has WEBDAV ENABLED
  [*] 192.168.13.242.231 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] Scanned 22 of 31 hosts (070% complete)
  [*] 192.168.13.242.249 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] Scanned 25 of 31 hosts (080% complete)
  [*] 192.168.4.115 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] 192.168.8.66 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] Scanned 28 of 31 hosts (090% complete)
  [*] 192.168.8.68 (Microsoft-IIS/6.0) WebDAV disabled.
  [*] Scanned 31 of 31 hosts (100% complete)
  [*] Auxiliary module execution completed

As you can see in this example, a number of HTTP servers have been scanned for WebDAV, and only one (an IIS 5.0 host) has WebDAV enabled. The module has quickly identified a specific system against which to focus further attacks; note that hosts that never answered produce no line at all, so silence in this output is not the same as "disabled".
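The check the scanner makes, reconstructed as stand-alone Ruby as an added example (this is not the webdav_scanner module's own code, which runs inside the Framework): it assumes, per RFC 4918 section 18, that a WebDAV-capable server answers OPTIONS with a DAV header listing its compliance classes, and it also reports the methods advertised in Allow, since a PUT or DELETE there is what the writable-path check later in that list would want to try. The sample responses are constructed, not captured from the hosts above, and the function names are my own.

```ruby
require 'net/http'

# Constructed sample OPTIONS responses in the shape of the servers the scan
# output above reacted to; they are not captures from those hosts.
SAMPLE_RESPONSES = {
  'iis5_dav_on' => [200, {
    'Server'        => 'Microsoft-IIS/5.0',
    'DAV'           => '1, 2',
    'MS-Author-Via' => 'DAV',
    'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, ' \
                       'MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH'
  }],
  'apache_dav_off' => [200, {
    'Server' => 'Apache/2.2.3 (Red Hat)',
    'Allow'  => 'GET,HEAD,POST,OPTIONS,TRACE'
  }],
  'closed_port' => [nil, { 'error' => 'Connection refused' }]
}.freeze

# Classify an OPTIONS response. RFC 4918 requires a WebDAV-compliant resource
# to return a DAV header naming its compliance classes ("1", "2", "3", ...);
# class 1 is the minimum, so its absence is reported as WebDAV disabled, the
# same yes/no the module prints. Header names are matched case-insensitively.
def webdav_verdict(code, headers)
  return { status: :no_response, classes: [], methods: [], server: nil } if code.nil?
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s }
  classes = h.fetch('dav', '').split(',').map(&:strip).reject(&:empty?)
  methods = h.fetch('allow', '').split(',').map { |m| m.strip.upcase }.reject(&:empty?)
  status  = (200..299).cover?(code) && classes.include?('1') ? :enabled : :disabled
  { status: status, classes: classes, methods: methods, server: h['server'] }
end

# Send a real OPTIONS / request and return [status_code, headers], or
# [nil, {'error' => ...}] when the host does not answer in time.
def probe_webdav(host, port = 80, timeout = 10)
  http = Net::HTTP.new(host, port)
  http.open_timeout = timeout
  http.read_timeout = timeout
  res = http.request(Net::HTTP::Options.new('/'))
  headers = {}
  res.each_header { |k, v| headers[k] = v }
  [res.code.to_i, headers]
rescue SystemCallError, SocketError, IOError, Timeout::Error => e
  [nil, { 'error' => e.message }]
end

# One line per host, in the format the module itself prints.
def report(host, verdict)
  case verdict[:status]
  when :enabled
    "[*] #{host} (#{verdict[:server]}) has WEBDAV ENABLED (DAV: #{verdict[:classes].join(',')})"
  when :disabled
    "[*] #{host} (#{verdict[:server]}) WebDAV disabled."
  else
    "[-] #{host} no response"
  end
end

# Usage: ruby webdav_probe.rb host [host ...]
if __FILE__ == $0 && !ARGV.empty?
  ARGV.each do |host|
    code, headers = probe_webdav(host)
    puts report(host, webdav_verdict(code, headers))
  end
end
```

The live probe talks only to hosts named on the command line; with no arguments the script does nothing, so the classification logic can be exercised on the constructed responses without touching the network.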

Note

Auxiliary module functionality goes far beyond scanning. As you will see in Chapter 14 auxiliary modules also work great as fuzzers with a little modification. A number of denial-of-service modules are also available for Wi-Fi (including dos/wifi/deauth), which can prove quite disruptive when used properly.
