M E T A S P L O I T   A U X I L I A R Y  

M O D U L E S

When most people think of Metasploit, exploits come 
to mind. Exploits are cool, exploits get you shell, and 
exploits get all the attention. But sometimes you need 
something more than that. By definition, a Metasploit 
module that is not an exploit is an 

auxiliary module

, 

which leaves a lot to the imagination.

In addition to providing valuable reconnaissance tools such as port 

scanners and service fingerprinters, auxiliary modules such as 

ssh_login

 can 

take a known list of usernames and passwords and then attempt to log in 
via brute force across an entire target network. Also included in the auxiliary 
modules are various protocol fuzzers such as 

ftp_pre_post

, 

http_get_uri_long

, 

smtp_fuzzer

, 

ssh_version_corrupt

, and more. You can launch these fuzzers at a 

target service in hopes of finding your own vulnerabilities to exploit.

Just because auxiliary modules don’t have a payload, don’t think you 

won’t use them. But before we dive into their myriad uses, here’s an overview 
to help you see what we are dealing with.