Chapter 9

Here we issue the use command for the module of interest. We can then get a full dump of information from the system using the info command, as well as a list of the various available options. Within the options, we see that the only required option without a default is RHOSTS, which can take a single IP address, list, range, or CIDR notation.

The other options mostly vary depending on the auxiliary module being used. For instance, the THREADS option allows multiple threads to be launched as part of a scan, which speeds things up considerably.
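Because RHOSTS is the one option every scanner module requires, it pays to know exactly which hosts a specification expands to before a scan is started. The following is an added example, not code from the book or from the Metasploit project: it expands the notations the text lists (single address, list, dotted range, CIDR) into explicit hosts and flags any that fall outside an agreed target scope. The grammar implemented is an assumed subset of what Metasploit's own RHOSTS parser accepts, and the function names and sample addresses are constructed.

```python
import ipaddress
import re
from typing import List

# Assumed subset of RHOSTS syntax: a single IPv4 address, a whitespace- or
# comma-separated list, a dotted range (a.b.c.d-e.f.g.h) and CIDR notation.
# Metasploit's real parser accepts more forms than this.
_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def expand_rhosts(spec: str) -> List[str]:
    """Expand an RHOSTS-style specification into individual host strings."""
    hosts: List[str] = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        m = _RANGE.match(token)
        if "/" in token:
            # CIDR block: every address in the network, including the
            # network and broadcast addresses (strict=False tolerates
            # host bits set in the prefix, e.g. 10.0.0.1/30)
            net = ipaddress.ip_network(token, strict=False)
            hosts.extend(str(ip) for ip in net)
        elif m:
            # Dotted range: walk the integer values from start to end
            lo, hi = (int(ipaddress.ip_address(p)) for p in m.groups())
            if lo > hi:
                raise ValueError(f"range start after end: {token}")
            hosts.extend(str(ipaddress.ip_address(n)) for n in range(lo, hi + 1))
        else:
            # Single address; ip_address() raises ValueError on junk input
            hosts.append(str(ipaddress.ip_address(token)))
    return hosts


def out_of_scope(hosts: List[str], allowed_cidrs: List[str]) -> List[str]:
    """Return the hosts that fall outside the authorized networks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]


if __name__ == "__main__":
    # Constructed sample specification mixing all four notations
    spec = "192.168.1.1, 192.168.1.10-192.168.1.12 10.0.0.0/30"
    targets = expand_rhosts(spec)
    print(f"{len(targets)} hosts would be scanned")
    # Constructed engagement scope: only the 192.168.1.0/24 network is authorized
    print("outside scope:", out_of_scope(targets, ["192.168.1.0/24"]))
```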

Auxiliary Modules in Use

Auxiliary modules are exciting because they can be used in so many ways for so many things. If you can't find the perfect auxiliary module, it's easy to modify one to suit your specific needs.

Consider a common example. Say you are conducting a remote penetration test, and upon scanning the network, you identify a number of web servers and not much else. Your attack surface is limited at this point, and you have to work with what is available to you. Your auxiliary scanner/http modules will now prove extremely helpful as you look for low-hanging fruit against which you can launch an exploit. To search for all available HTTP scanners, run search scanner/http as shown here.

msf auxiliary(webdav_scanner) > search scanner/http
[*] Searching loaded modules for pattern 'scanner/http'...

Auxiliary
=========

   Name                                    Rank    Description
   ----                                    ----    -----------
   scanner/http/backup_file                normal  HTTP Backup File Scanner
   scanner/http/blind_sql_query            normal  HTTP Blind SQL Injection GET QUERY Scanner
   scanner/http/brute_dirs                 normal  HTTP Directory Brute Force Scanner
   scanner/http/cert                       normal  HTTP SSL Certificate Checker
   scanner/http/copy_of_file               normal  HTTP Copy File Scanner
   scanner/http/dir_listing                normal  HTTP Directory Listing Scanner
   scanner/http/dir_scanner                normal  HTTP Directory Scanner
   scanner/http/dir_webdav_unicode_bypass  normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
   scanner/http/enum_delicious             normal  Pull Del.icio.us Links (URLs) for a domain
   scanner/http/enum_wayback               normal  Pull Archive.org stored URLs for a domain
   scanner/http/error_sql_injection        normal  HTTP Error Based SQL Injection Scanner
   scanner/http/file_same_name_dir         normal  HTTP File Same Name Directory Scanner
   scanner/http/files_dir                  normal  HTTP Interesting File Scanner
   scanner/http/frontpage_login            normal  FrontPage Server Extensions Login Utility
   scanner/http/http_login                 normal  HTTP Login Utility
   scanner/http/http_version               normal  HTTP Version Detection
   scanner/http/lucky_punch                normal  HTTP Microsoft SQL Injection Table XSS Infection