MSF Auxiliary Modules

Gave a talk on auxiliary modules at Reverse Space in NoVA

Transcript of "MSF Auxiliary Modules"

  1. Metasploit Auxiliary Modules, Chris Gates (carnal0wnage)
  2. Outline
     • Metasploit Framework Architecture
     • Metasploit Libraries
     • Auxiliary Module Types
     • Examples/Practical Examples
  3. Metasploit Framework architecture (diagram)
     • Libraries: Rex, MSF Core, MSF Base
     • Interfaces: Console, CLI, GUI & Armitage, RPC
     • Modules: Exploit, Payload, Encoder, NOP, Auxiliary
     • Tools
     • Plugins
  4. Libraries – Rex
     • lib/rex/
     • “Ruby EXploitation library”
     • Basic library for most tasks
     • Sockets, protocols, command shell interface
     • SSL, SMB, HTTP, XOR, Base64, random text
     • Intended to be useful outside of the framework
  5. Libraries – MSF Core
     • lib/msf/core
     • “Ruby EXploitation library”
     • Mixins for exploits and auxiliaries
     • AuxiliaryScanner, Report, AuthBrute, etc.
  6. Libraries – MSF Core
     • ExploitHTTP, FTP, Oracle, MSSQL, SMB
  7. Libraries – MSF Core
     • Auxiliary mixins make use of REX libraries
  8. Where they live
     • Official modules live in msf3/modules/
       – Subdirectories organized by module type (exploit/, auxiliary/, post/, …)
     • ~/.msf3/modules/ has the same structure, loaded at startup if it exists
  9. What is an auxiliary module?
     • Auxiliary – An exploit without a payload
       – Underappreciated*
     • Used mostly for discovery, fingerprinting, and automating tasks :-)
     • Makes use of the MSF REX library and other mixins
     • Uses run() instead of exploit()
  10. Types of Auxiliary Modules
     • Various scanners for protocols (SMB, DCERPC, HTTP)
     • Network protocol “fuzzers”
     • Port scanner modules
     • Wireless
     • IPV6
     • Denial of service modules
     • Server modules
     • Administrative access exploits
  11. Various scanners for protocols
  12. Various scanners for protocols
  13. Various scanners for protocols
     • Designed to help with reconnaissance
     • Dozens of useful service scanners
     • Simple module format, easy to use
     • Specify THREADS for concurrency
       – Keep this under 16 for native Windows
       – 256 is fine on Linux
     • Uses RHOSTS instead of RHOST
  14. Scanner tricks & tips
     • Uses OptAddressRange option class, similar to nmap host specification
       – 192.168.0.1,3,5-7
       – 192.168.0.*
       – www.metasploit.com/24
       – file:/tmp/ranges.txt
  15. Scanner Tricks & Tips
  16. Scanner Tricks & Tips
  17. Network protocol “fuzzers”
  18. Port scanner modules
  19. Port scanner modules
  20. Wireless
  21. IPv6
     • Makes use of the IPV6rachet mixin
  22. Denial of service modules
     • Ummm Denial of Service modules…for those times when you need to force a reboot
  23. Server modules
     • Evil services, mostly for stealing credentials
  24. Administrative access exploits
     • Directory traversals
       – Vmware, coldfusion
     • Authentication bruteforcing
       – SMB, HTTP, FTP
     • Web application vulnerabilities
  25. Administrative access exploits
     • Directory traversal
  26. Authentication Bruteforcing
     • Authentication Bruteforcing
  27. Practical Examples
     • Practical Example
       – Useragent checker
  28. Questions? Chris Gates, @carnal0wnage, cg@metasploit.com
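
The host notation from slide 14, as an added example that is not from the talk and is not Metasploit's own range parser: stand-alone Ruby that expands the octet-list, wildcard and CIDR forms and reports any target that falls outside an authorised network list before a scanner is pointed at it. The function names, the `MAX_HOSTS` cap and the sample addresses are assumptions; hostname and `file:` sources are deliberately rejected rather than resolved.

```ruby
require 'ipaddr'
require 'socket'

MAX_HOSTS = 65_536 # assumed safety cap, not a Metasploit limit

# Expand one octet field of the notation: "7", "1,3,5-7" or "*".
def expand_octet(field)
  return (0..255).to_a if field == '*'
  parts = field.split(',', -1)
  raise ArgumentError, 'empty octet' if parts.empty?
  parts.flat_map do |part|
    m = /\A(\d{1,3})(?:-(\d{1,3}))?\z/.match(part)
    raise ArgumentError, "bad octet #{part.inspect}" unless m
    lo = m[1].to_i
    hi = (m[2] || m[1]).to_i
    raise ArgumentError, "bad range #{part.inspect}" if lo > hi || hi > 255
    (lo..hi).to_a
  end.uniq.sort
end

# Expand a spec into dotted-quad strings. CIDR input is normalised to its
# network; anything that is not an IPv4 literal form raises ArgumentError.
def expand_spec(spec)
  if spec.include?('/')
    net = IPAddr.new(spec) # raises on hostnames such as www.example.test/24
    raise ArgumentError, 'IPv4 only' unless net.ipv4?
    first = net.to_range.begin.to_i
    last = net.to_range.end.to_i
    raise ArgumentError, 'range exceeds MAX_HOSTS' if last - first + 1 > MAX_HOSTS
    return (first..last).map { |i| IPAddr.new(i, Socket::AF_INET).to_s }
  end
  fields = spec.split('.', -1)
  raise ArgumentError, 'need four octet fields' unless fields.size == 4
  octets = fields.map { |f| expand_octet(f) }
  raise ArgumentError, 'range exceeds MAX_HOSTS' if octets.map(&:size).reduce(:*) > MAX_HOSTS
  octets[0].product(*octets[1..-1]).map { |o| o.join('.') }
end

# Targets in spec that fall outside every authorised network (CIDR strings).
def out_of_scope(spec, allowed_cidrs)
  nets = allowed_cidrs.map { |c| IPAddr.new(c) }
  expand_spec(spec).reject { |ip| nets.any? { |n| n.include?(IPAddr.new(ip)) } }
end

# Constructed sample: the third entry strays outside the authorised /24.
if __FILE__ == $PROGRAM_NAME
  %w[192.168.0.1,3,5-7 192.168.0.252/30 192.168.0-1.254].each do |spec|
    puts "#{spec}: #{expand_spec(spec).size} hosts, out of scope: #{out_of_scope(spec, ['192.168.0.0/24'])}"
  end
end
```

A single mistyped octet range such as `0-1` in the third field doubles the target set, which is why the out-of-scope list is worth checking before the value is pasted into RHOSTS.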
