
Metasploit Auxiliary Modules


   scanner/http/ms09_020_webdav_unicode_bypass  normal  MS09-020 IIS6 WebDAV Unicode Auth Bypass
   scanner/http/options                         normal  HTTP Options Detection
   scanner/http/prev_dir_same_name_file         normal  HTTP Previous Directory File Scanner
   scanner/http/replace_ext                     normal  HTTP File Extension Scanner
   scanner/http/robots_txt                      normal  HTTP Robots.txt Content Scanner
   scanner/http/soap_xml                        normal  HTTP SOAP Verb/Noun Brute Force Scanner
   scanner/http/sqlmap                          normal  SQLMAP SQL Injection External Module
   scanner/http/ssl                             normal  HTTP SSL Certificate Information
   scanner/http/svn_scanner                     normal  HTTP Subversion Scanner
   scanner/http/tomcat_mgr_login                normal  Tomcat Application Manager Login Utility
   scanner/http/trace_axd                       normal  HTTP trace.axd Content Scanner
   scanner/http/verb_auth_bypass                normal  HTTP Verb Authentication Bypass Scanner
   scanner/http/vhost_scanner                   normal  HTTP Virtual Host Brute Force Scanner
   scanner/http/vmware_server_dir_trav          normal  VMware Server Directory Transversal Vulnerability
   scanner/http/web_vulndb                      normal  HTTP Vuln scanner
   scanner/http/webdav_internal_ip              normal  HTTP WebDAV Internal IP Scanner
   scanner/http/webdav_scanner                  normal  HTTP WebDAV Scanner
   scanner/http/webdav_website_content          normal  HTTP WebDAV Website Content Scanner
   scanner/http/writable                        normal  HTTP Writable Path PUT/DELETE File Access
   scanner/http/xpath                           normal  HTTP Blind XPATH 1.0 Injector

There are a lot of options here, so let’s identify some likely candidates in
that list. Notice that there are options for identifying the robots.txt file
from various servers, numerous ways to interact with WebDAV, tools to
identify servers with writable file access, and many other special-purpose
modules.

You can see immediately that there are modules that you can use for subsequent
exploration. Older versions of Microsoft IIS had a vulnerability in
their WebDAV implementations that allowed for remote exploitation, so you
could first run a scan against your targets in hopes of finding a server with
WebDAV enabled, as follows.

msf auxiliary(dir_webdav_unicode_bypass) > use scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.242, 192.168.13.242.252,
192.168.13.242.254, 192.168.4.116, 192.168.4.118, 192.168.4.122,
192.168.13.242.251, 192.168.13.242.234, 192.168.8.67, 192.68.8.113,
192.168.13.242.231, 192.168.13.242.249, 192.168.4.115, 192.168.8.66, 192.168.8.68,
192.168.6.62
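
What "WebDAV enabled" looks like in an HTTP OPTIONS response, as an added example that is not from the book and is not Metasploit's code: it classifies saved responses from servers you administer by the DAV header (RFC 4918), the IIS MS-Author-Via header, and WebDAV methods listed in Allow or Public. The function names are hypothetical and the sample responses are constructed.

```python
from email.parser import Parser

# Methods defined by RFC 4918; a server advertising them has WebDAV turned on.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % status_line)
    # The email parser gives case-insensitive header lookup.
    return int(parts[1]), Parser().parsestr(header_block, headersonly=True)


def webdav_indicators(raw):
    """Return the reasons a response suggests WebDAV is enabled (empty if none)."""
    _status, headers = parse_response(raw)
    reasons = []
    if headers.get("DAV"):
        reasons.append("DAV: " + headers["DAV"].strip())
    if (headers.get("MS-Author-Via") or "").strip().upper() == "DAV":
        reasons.append("MS-Author-Via: DAV")
    for name in ("Allow", "Public"):
        values = ",".join(headers.get_all(name) or [])
        methods = {m.strip().upper() for m in values.split(",") if m.strip()}
        found = sorted(methods & WEBDAV_METHODS)
        if found:
            reasons.append(name + " lists " + ", ".join(found))
    return reasons


# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "iis6-webdav": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nMS-Author-Via: DAV\r\n"
                   "DAV: 1, 2\r\nPublic: OPTIONS, TRACE, GET, HEAD, PROPFIND, LOCK\r\n"
                   "Allow: OPTIONS, TRACE, GET, HEAD\r\n\r\n",
    "plain-apache": "HTTP/1.1 200 OK\r\nServer: Apache\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n",
    "options-blocked": "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", webdav_indicators(raw) or "no WebDAV indicators")
```

A server that reports any indicator and has no business need for WebDAV is a candidate for having the extension disabled.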