MSF Auxiliary Modules

Gave a talk on auxiliary modules at Reverse Space in NoVA

Published in: Technology

  1. Metasploit Auxiliary Modules
     Chris Gates, carnal0wnage
  2. Outline
     • Metasploit Framework Architecture
     • Metasploit Libraries
     • Auxiliary Modules Types
     • Examples/Practical Examples
  3. Metasploit Framework architecture
     • Libraries: Rex, MSF Core, MSF Base
     • Interfaces: Console, CLI, GUI & Armitage, RPC
     • Tools
     • Plugins
     • Modules: Exploit, Payload, Encoder, NOP, Auxiliary
  4. Libraries – Rex
     • lib/rex/
     • “Ruby EXploitation library”
     • Basic library for most tasks
     • Sockets, protocols, command shell interface
     • SSL, SMB, HTTP, XOR, Base64, random text
     • Intended to be useful outside of the framework
  5. Libraries – MSF Core
     • lib/msf/core
     • “Ruby EXploitation library”
     • Mixins for exploits and auxiliaries
     • AuxiliaryScanner, Report, AuthBrute, etc.
  6. Libraries – MSF Core
     • ExploitHTTP, FTP, Oracle, MSSQL, SMB
  7. Libraries – MSF Core
     • Auxiliary mixins make use of REX libraries
  8. Where they live
     • Official modules live in msf3/modules/
       – Subdirectories organized by module type (exploit/, auxiliary/, post/, …)
     • ~/.msf3/modules/ has the same structure, loaded at startup if it exists
  9. What is an auxiliary module?
     • Auxiliary
       – An exploit without a payload
       – Underappreciated*
     • Used mostly for discovery, fingerprinting, and automating tasks :-)
     • Makes use of the MSF REX library and other mixins
     • Uses run() instead of exploit()
  10. Types of Auxiliary Modules
     • Various scanners for protocols (SMB, DCERPC, HTTP)
     • Network protocol “fuzzers”
     • Port scanner modules
     • Wireless
     • IPV6
     • Denial of service modules
     • Server modules
     • Administrative access exploits
  11. Various scanners for protocols
  12. Various scanners for protocols
  13. Various scanners for protocols
     • Designed to help with reconnaissance
     • Dozens of useful service scanners
     • Simple module format, easy to use
     • Specify THREADS for concurrency
       – Keep this under 16 for native Windows
       – 256 is fine on Linux
     • Uses RHOSTS instead of RHOST
  14. Scanner tricks & tips
     • Uses OptAddressRange option class, similar to nmap host specification
       – 192.168.0.1,3,5-7
       – 192.168.0.*
       – www.metasploit.com/24
       – file:/tmp/ranges.txt
  15. Scanner Tricks & Tips
  16. Scanner Tricks & Tips
  17. Network protocol “fuzzers”
  18. Port scanner modules
  19. Port scanner modules
  20. Wireless
  21. IPv6
     • Makes use of the IPV6rachet mixin
  22. Denial of service modules
     • Ummm Denial of Service modules…for those times when you need to force a reboot
  23. Server modules
     • Evil services, mostly for stealing credentials
  24. Administrative access exploits
     • Directory traversals
       – VMware, ColdFusion
     • Authentication bruteforcing
       – SMB, HTTP, FTP
     • Web application vulnerabilities
  25. Administrative access exploits
     • Directory traversal
  26. Authentication Bruteforcing
     • Authentication Bruteforcing
  27. Practical Examples
     • Practical Example
       – Useragent checker
  28. Questions?
     Chris Gates, @carnal0wnage, cg@metasploit.com
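
The host-specification forms on slide 14, as an added example (not from the slides and not Metasploit's own Rex code): a small Ruby expander that shows which addresses a spec covers and lists any that fall outside an authorized range. The helper names, the 65,536-host cap, and the reading of commas and dashes as nmap-style per-octet lists are assumptions; the hostname and file: forms are rejected because they need DNS or disk access.

```ruby
require 'ipaddr'

MAX_HOSTS = 65_536 # assumed safety cap so a typo like "*.*.*.*" fails fast

# Expand one octet field ("1,3,5-7", "*", "12") into sorted integers.
def expand_octet(field)
  return (0..255).to_a if field == '*'
  values = field.split(',', -1).flat_map do |part|
    lo, hi = part.split('-', 2)
    hi ||= lo
    unless [lo, hi].all? { |v| v.to_s.match?(/\A\d{1,3}\z/) && v.to_i <= 255 }
      raise ArgumentError, "bad octet field: #{field.inspect}"
    end
    raise ArgumentError, "reversed range: #{part}" if lo.to_i > hi.to_i
    (lo.to_i..hi.to_i).to_a
  end
  raise ArgumentError, 'empty octet field' if values.empty?
  values.uniq.sort
end

# Expand a literal IPv4 spec (octet lists, ranges, wildcards, or CIDR).
def expand_spec(spec)
  if spec.include?('/')
    addr, bits = spec.split('/', 2)
    unless addr.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/) && bits.match?(/\A\d{1,2}\z/)
      raise ArgumentError, "needs DNS or file access, not expanded here: #{spec}"
    end
    raise ArgumentError, "more than #{MAX_HOSTS} hosts: #{spec}" if bits.to_i < 16
    return IPAddr.new(spec).to_range.map(&:to_s) # host bits are masked off
  end
  fields = spec.split('.', -1)
  raise ArgumentError, "expected four octet fields: #{spec}" unless fields.length == 4
  a, b, c, d = fields.map { |f| expand_octet(f) }
  total = a.size * b.size * c.size * d.size
  raise ArgumentError, "more than #{MAX_HOSTS} hosts: #{spec}" if total > MAX_HOSTS
  a.product(b, c, d).map { |octets| octets.join('.') }
end

# Return the expanded hosts that fall outside every authorized CIDR block.
def out_of_scope(spec, allowed_cidrs)
  nets = allowed_cidrs.map { |c| IPAddr.new(c) }
  expand_spec(spec).reject { |h| nets.any? { |n| n.include?(IPAddr.new(h)) } }
end

if __FILE__ == $PROGRAM_NAME
  puts expand_spec('192.168.0.1,3,5-7').inspect
  puts out_of_scope('192.168.0-1.254', ['192.168.0.0/24']).inspect
end
```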
