Metasploit Auxiliary Modules
   scanner/http/ms09_020_webdav_unicode_bypass  normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass
   scanner/http/options                         normal  HTTP Options Detection
   scanner/http/prev_dir_same_name_file         normal  HTTP Previous Directory File Scanner
   scanner/http/replace_ext                     normal  HTTP File Extension Scanner
   scanner/http/robots_txt                      normal  HTTP Robots.txt Content Scanner
   scanner/http/soap_xml                        normal  HTTP SOAP Verb/Noun Brute Force Scanner
   scanner/http/sqlmap                          normal  SQLMAP SQL Injection External Module
   scanner/http/ssl                             normal  HTTP SSL Certificate Information
   scanner/http/svn_scanner                     normal  HTTP Subversion Scanner
   scanner/http/tomcat_mgr_login                normal  Tomcat Application Manager Login Utility
   scanner/http/trace_axd                       normal  HTTP trace.axd Content Scanner
   scanner/http/verb_auth_bypass                normal  HTTP Verb Authentication Bypass Scanner
   scanner/http/vhost_scanner                   normal  HTTP Virtual Host Brute Force Scanner
   scanner/http/vmware_server_dir_trav          normal  VMware Server Directory Transversal Vulnerability
   scanner/http/web_vulndb                      normal  HTTP Vuln scanner
   scanner/http/webdav_internal_ip              normal  HTTP WebDAV Internal IP Scanner
   scanner/http/webdav_scanner                  normal  HTTP WebDAV Scanner
   scanner/http/webdav_website_content          normal  HTTP WebDAV Website Content Scanner
   scanner/http/writable                        normal  HTTP Writable Path PUT/DELETE File Access
   scanner/http/xpath                           normal  HTTP Blind XPATH 1.0 Injector
There are a lot of options here, so let's identify some likely candidates in
that list. Notice that there are options for identifying the robots.txt file
from various servers, numerous ways to interact with WebDAV, tools to
identify servers with writable file access, and many other special-purpose
modules.
You can see immediately that there are modules that you can use for
subsequent exploration. Older versions of Microsoft IIS had a vulnerability in
their WebDAV implementations that allowed for remote exploitation, so you
could first run a scan against your targets in hopes of finding a server with
WebDAV enabled, as follows.
msf auxiliary(dir_webdav_unicode_bypass) > use scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.242, 192.168.13.242.252,
192.168.13.242.254, 192.168.4.116, 192.168.4.118, 192.168.4.122,
192.168.13.242.251, 192.168.13.242.234, 192.168.8.67, 192.68.8.113,
192.168.13.242.231, 192.168.13.242.249, 192.168.4.115, 192.168.8.66, 192.168.8.68,
192.168.6.62
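
What "WebDAV enabled" looks like in an HTTP OPTIONS response, as an added example that is not from the book or from Metasploit's own code: it parses a raw response and reports the DAV header (RFC 4918), the IIS MS-Author-Via header, and any WebDAV or write methods the server advertises. The function names and the two sample responses are constructed for illustration, so you can feed it responses saved from servers you administer.

```ruby
# Added example (not from the book or Metasploit): classify a raw HTTP OPTIONS
# response for signs of WebDAV. Header meanings: DAV (RFC 4918), MS-Author-Via (IIS).
WEBDAV_METHODS = %w[PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK].freeze
WRITE_METHODS  = %w[PUT DELETE].freeze

# Split a raw response into its status code and { "lowercased-name" => [values] }.
def parse_response_head(raw)
  lines = raw.split(/\r?\n\r?\n/, 2).first.to_s.split(/\r?\n/)
  code = lines.shift.to_s[%r{\AHTTP/\d(?:\.\d)?\s+(\d{3})}, 1].to_i
  headers = Hash.new { |hash, key| hash[key] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] << value.strip unless value.nil?
  end
  [code, headers]
end

# Flatten a comma-separated, possibly repeated header into a list of tokens.
def tokens(headers, name)
  headers[name].flat_map { |v| v.split(',') }.map(&:strip).reject(&:empty?)
end

def classify_options_response(raw)
  code, headers = parse_response_head(raw)
  methods = (tokens(headers, 'allow') + tokens(headers, 'public')).map(&:upcase).uniq
  dav_classes = tokens(headers, 'dav')
  dav_methods = WEBDAV_METHODS & methods
  evidence = []
  evidence << 'DAV header' unless dav_classes.empty?
  evidence << 'MS-Author-Via: DAV' if tokens(headers, 'ms-author-via').any? { |v| v.casecmp?('DAV') }
  evidence << "methods #{dav_methods.join(' ')}" unless dav_methods.empty?
  { status: code, server: headers['server'].first, webdav: !evidence.empty?,
    dav_classes: dav_classes, evidence: evidence,
    # Advertised only: PUT/DELETE in Allow/Public does not prove a path is writable.
    advertised_write_methods: WRITE_METHODS & methods }
end

# Constructed sample responses, not captured from any real host.
SAMPLE_DAV = ['HTTP/1.1 200 OK', 'Server: Microsoft-IIS/6.0', 'MS-Author-Via: DAV',
              'DAV: 1, 2', 'Allow: OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND, LOCK',
              '', ''].join("\r\n")
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd\r\nallow: GET, HEAD, OPTIONS\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_DAV, SAMPLE_PLAIN].each { |raw| p classify_options_response(raw) }
end
```

A server that returns none of these indicators on OPTIONS has WebDAV disabled or filtered at that path, which is the state to aim for on hosts that do not need it.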