

Chapter 9

Here we issue the command for the module of interest. We can then get a full dump of information from the system using the command, as well as a list of the various available options. Within the options, we see that the only required option without a default is , which can take a single IP address, list, range, or CIDR notation.

The other options mostly vary depending on the auxiliary module being used. For instance, the option allows multiple threads to be launched as part of a scan, which speeds things up exponentially.

Auxiliary Modules in Use

Auxiliary modules are exciting because they can be used in so many ways for so many things. If you can’t find the perfect auxiliary module, it’s easy to modify one to suit your specific needs.

Consider a common example. Say you are conducting a remote penetration test, and upon scanning the network, you identify a number of web servers and not much else. Your attack surface is limited at this point, and you have to work with what is available to you. Your auxiliary will now prove extremely helpful as you look for low-hanging fruit against which you can launch an exploit. To search for all available HTTP scanners, run search scanner/http as shown here.

msf auxiliary(webdav_scanner) > search scanner/http
[*] Searching loaded modules for pattern 'scanner/http'...

Rank    Description
----    -----------
normal  HTTP Backup File Scanner
normal  HTTP Blind SQL Injection GET QUERY Scanner
normal  HTTP Directory Brute Force Scanner
normal  HTTP SSL Certificate Checker
normal  HTTP Copy File Scanner
normal  HTTP Directory Listing Scanner
normal  HTTP Directory Scanner
normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
normal  Pull Links (URLs) for a domain
normal  Pull stored URLs for a domain
normal  HTTP Error Based SQL Injection Scanner
normal  HTTP File Same Name Directory Scanner
normal  HTTP Interesting File Scanner
normal  FrontPage Server Extensions Login Utility
normal  HTTP Login Utility
normal  HTTP Version Detection
normal  HTTP Microsoft SQL Injection Table XSS
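Seen from the web server's side, directory, backup-file and interesting-file scanners like those listed above usually appear as one client requesting many paths that do not exist within a few seconds. The following is an added example, not code from the book or from the Metasploit project, that flags this pattern in an access log; the log lines, the thresholds and the names `parse` and `find_scanners` are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (common log format), for illustration only.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [12/Mar/2024:10:00:04 +0000] "GET /img/logo.png HTTP/1.1" 200 830
198.51.100.20 - - [12/Mar/2024:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196
203.0.113.7 - - [12/Mar/2024:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 196
203.0.113.7 - - [12/Mar/2024:10:01:00 +0000] "GET /backup/ HTTP/1.1" 404 196
203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199
203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "GET /test/ HTTP/1.1" 404 196
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html.bak HTTP/1.1" 404 196
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /old/ HTTP/1.1" 404 196
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
MISS = {401, 403, 404}  # assumed "nothing here / not allowed" responses

def parse(log_text):
    """Group (timestamp, path, status) tuples by client IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            by_ip[ip].append((when, path, int(status)))
    return by_ip

def find_scanners(log_text, min_misses=5, window=timedelta(seconds=10)):
    """Return {ip: most distinct missed paths seen inside one sliding window}."""
    flagged = {}
    for ip, reqs in parse(log_text).items():
        reqs.sort()
        best = start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            misses = {p for _, p, s in reqs[start:end + 1] if s in MISS}
            best = max(best, len(misses))
        if best >= min_misses:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A multithreaded scan compresses the same requests into a shorter span, so the window can be tightened; the miss threshold is what keeps an ordinary visitor with a single 404 from being flagged.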