126
Chapter 9
Here we issue the use command for the module of interest. We can then get a full dump of information from the system using the info command, as well as a list of the various available options. Within the options, we see that the only required option without a default is RHOSTS, which can take a single IP address, list, range, or CIDR notation.

The other options mostly vary depending on the auxiliary module being used. For instance, the THREADS option allows multiple threads to be launched as part of a scan, which speeds things up considerably.
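As an added illustration (not code from the book or from Metasploit itself), the following Ruby shows the two options just described: expand_rhosts turns an RHOSTS-style specification (single address, list, range in long or short form, CIDR) into individual addresses, and run_threaded partitions that host list across a worker pool the way THREADS does. Both functions, the private sample addresses and the SAMPLE_BANNERS inventory are constructed for this example; the per-host check is a lookup in that inventory rather than a live HTTP request, so it runs offline.

```ruby
require 'ipaddr'

# Expand an RHOSTS-style target specification into individual IPv4 addresses.
# Accepted forms, matching the RHOSTS description above: a single address, a
# comma- or space-separated list, a range ("10.0.0.1-10.0.0.5" or the short
# form "10.0.0.1-5"), and CIDR notation ("10.0.0.0/30").
# Illustration only; Metasploit's real parser is Rex::Socket::RangeWalker.
def expand_rhosts(spec)
  spec.split(/[\s,]+/).reject(&:empty?).flat_map do |token|
    if token.include?('/')
      # CIDR block: IPAddr#to_range yields every address in the block
      IPAddr.new(token).to_range.map(&:to_s)
    elsif token.include?('-')
      first, last = token.split('-', 2)
      # Short form "a.b.c.d-e" gives only the final octet of the last address
      last = first.sub(/\d+\z/, last) unless last.include?('.')
      (IPAddr.new(first)..IPAddr.new(last)).map(&:to_s)
    else
      [IPAddr.new(token).to_s]
    end
  end.uniq
end

# Run a per-host check over the expanded target list with a fixed number of
# worker threads, as the THREADS option lets a scanner work on several hosts
# at once. `check` is any block that takes a host and returns its result.
def run_threaded(hosts, threads, &check)
  queue = Queue.new
  hosts.each { |h| queue << h }
  queue.close                      # pop returns nil once the queue is drained
  results = {}
  mutex = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      while (host = queue.pop)
        r = check.call(host)
        mutex.synchronize { results[host] = r }
      end
    end
  end
  workers.each(&:join)
  results
end

# Constructed sample inventory standing in for live HTTP banner responses.
SAMPLE_BANNERS = {
  '192.168.1.1'  => 'Apache/2.2.14',
  '192.168.1.11' => 'Microsoft-IIS/6.0',
  '10.0.0.2'     => 'nginx/1.18.0',
}.freeze

if __FILE__ == $0
  hosts = expand_rhosts('192.168.1.1, 192.168.1.10-12 10.0.0.0/30')
  found = run_threaded(hosts, 4) { |h| SAMPLE_BANNERS[h] }
  found.each { |h, banner| puts "#{h}: #{banner || 'no response'}" }
end
```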
Auxiliary Modules in Use
Auxiliary modules are exciting because they can be used in so many ways for so many things. If you can't find the perfect auxiliary module, it's easy to modify one to suit your specific needs.

Consider a common example. Say you are conducting a remote penetration test, and upon scanning the network, you identify a number of web servers and not much else. Your attack surface is limited at this point, and you have to work with what is available to you. Your auxiliary scanner/http modules will now prove extremely helpful as you look for low-hanging fruit against which you can launch an exploit. To search for all available HTTP scanners, run search scanner/http as shown here.
msf auxiliary(webdav_scanner) > search scanner/http
[*] Searching loaded modules for pattern 'scanner/http'...

Auxiliary
=========

   Name                                     Rank    Description
   ----                                     ----    -----------
   scanner/http/backup_file                 normal  HTTP Backup File Scanner
   scanner/http/blind_sql_query             normal  HTTP Blind SQL Injection GET QUERY Scanner
   scanner/http/brute_dirs                  normal  HTTP Directory Brute Force Scanner
   scanner/http/cert                        normal  HTTP SSL Certificate Checker
   scanner/http/copy_of_file                normal  HTTP Copy File Scanner
   scanner/http/dir_listing                 normal  HTTP Directory Listing Scanner
   scanner/http/dir_scanner                 normal  HTTP Directory Scanner
   scanner/http/dir_webdav_unicode_bypass   normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
   scanner/http/enum_delicious              normal  Pull Del.icio.us Links (URLs) for a domain
   scanner/http/enum_wayback                normal  Pull Archive.org stored URLs for a domain
   scanner/http/error_sql_injection         normal  HTTP Error Based SQL Injection Scanner
   scanner/http/file_same_name_dir          normal  HTTP File Same Name Directory Scanner
   scanner/http/files_dir                   normal  HTTP Interesting File Scanner
   scanner/http/frontpage_login             normal  FrontPage Server Extensions Login Utility
   scanner/http/http_login                  normal  HTTP Login Utility
   scanner/http/http_version                normal  HTTP Version Detection
   scanner/http/lucky_punch                 normal  HTTP Microsoft SQL Injection Table XSS Infection