control – metasploit auxiliary_scanner_http

wake up, Neo…
the matrix has you
follow the white rabbit.

knock, knock, Neo.

This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.

use auxiliary/scanner/http/frontpage_login
set rhosts IP_Address
set rport 80
run

[*] http://IP_Address/ may not support FrontPage Server Extensions
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

This module identifies the existence of possible copies of a specific file in a given path

use auxiliary/scanner/http/backup_file
set rhosts IP_Address
run

============================================================

use auxiliary/scanner/http/http_version
set rhosts IP_Address
run

[*] IP_Address:80 Microsoft-IIS/8.0 ( Powered by ASP.NET )
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

Discover active pcAnywhere services through TCP

use auxiliary/scanner/pcanywhere/pcanywhere_udp
set rhosts IP_Address
run

============================================================

This module is based on et’s HTTP Directory Scanner module,
with one exception.Where authentication is required, it
attempts to bypass authentication using the WebDAV IIS6
Unicode vulnerability discovered by Kingcope.

use auxiliary/scanner/http/dir_webdav_unicode_bypass
set rhosts IP_Address
run

[*] Using code ‘404’ as not found.
[*] Found protected folder http://IP_Address:80/Rpc/ 401 (IP_Address)
[*]     Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.

============================================================

This module identifies the existence of files in a given
directory path named as the same name of the directory.

use auxiliary/scanner/http/file_same_name_dir
set rhosts IP_Address
run

[-] Blank or default PATH set.

============================================================
This module attempts to authenticate to an HTTP service.

use auxiliary/scanner/http/http_login
set rhosts IP_Address
run

[-] http://IP_Address:80 No URI found that asks for HTTP authentication

============================================================

Collect any leaked internal IPs by requesting commonly redirected locs from IIS.

use auxiliary/scanner/http/iis_internal_ip
set rhosts IP_Address
run

============================================================

Simplified version of MS09-020 IIS6 WebDAV Unicode Auth
Bypass scanner. It attempts to bypass authentication using
the WebDAV IIS6 Unicode vulnerability discovered by Kingcope.

use auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
set rhosts IP_Address
run

============================================================

Checks if an HTTP proxy is open. False positive are avoided
verifing the HTTP return code and matching a pattern.

use auxiliary/scanner/http/open_proxy
set rhosts IP_Address
run

============================================================

Display available HTTP options for each system

use auxiliary/scanner/http/options
set rhosts IP_Address
run

[*] IP_Address allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] IP_Address:80 – TRACE method allowed.
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

This module identifies files in the first parent directory
with same name as the given directory path.
Example: Test /backup/files/ will look for the following files /backup/files.ext .

use auxiliary/scanner/http/prev_dir_same_name_file
set rhosts IP_Address
run

[-] Blank or default PATH set.
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

This module identifies the existence of additional files by
modifying the extension of an existing file.

use auxiliary/scanner/http/replace_ext
set rhosts IP_Address
run

[*] Using code ‘404’ as not found for .bak files.
[*] Using code ‘404’ as not found for .txt files.
[*] Using code ‘404’ as not found for .tmp files.
[*] Using code ‘404’ as not found for .old files.
[*] Using code ‘404’ as not found for .htm files.
[*] Using code ‘404’ as not found for .ini files.
[*] Using code ‘404’ as not found for .cfg files.
[*] Using code ‘404’ as not found for .html files.
[*] Using code ‘404’ as not found for .php files.
[*] Using code ‘404’ as not found for .temp files.
[*] Using code ‘404’ as not found for .tmp files.
[*] Using code ‘404’ as not found for .java files.
[*] Using code ‘404’ as not found for .doc files.
[*] Using code ‘404’ as not found for .log files.
[*] Using code ‘404’ as not found for .xml files.
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

Scrap defined data from a specific web page based on a
regular expresion.

use auxiliary/scanner/http/scraper
set rhosts IP_Address
run

[*] [IP Address] / [Microsoft Internet Information Services 8]
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

This module launch a sqlmap session. sqlmap is an automatic SQL
injection tool developed in Python. Its goal is to detect and
take advantage of SQL injection vulnerabilities on web applications.
Once it detects one or more SQL injections on the target host,
the user can choose among a variety of options to perform an
extensive back-end database management system fingerprint,
retrieve DBMS session user and database, enumerate users,
password hashes, privileges, databases, dump entire or
user specific DBMS tables/columns, run his own SQL SELECT
statement, read specific files on the file system and much more.

use auxiliary/scanner/http/sqlmap
set rhosts IP_Address
run

============================================================

This module test for authentication bypass using different HTTP verbs.

use auxiliary/scanner/http/verb_auth_bypass
set rhosts IP_Address
run

[*] [IP_Address] Authentication not required. / 200
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

Identify valid users through the finger service using a
variety of tricks.

use auxiliary/scanner/finger/finger_users
set rhosts IP_Address
run

[*] IP_Address:79 No users found.
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

Detect anonymous (read/write) FTP server access.

use auxiliary/scanner/ftp/anonymous
set rhosts IP_Address
run

[*] IP_Address:21 Anonymous READ (220 Microsoft FTP Service)
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

This module will test FTP logins on a range of machines and
report successful logins. If you have loaded a database plugin
and connected to a database this module will record successful
logins and hosts so you can track your access.

use auxiliary/scanner/ftp/ftp_login
set rhosts IP_Address
run

[*] IP_Address:21 – Starting FTP login sweep
[*] Connecting to FTP server IP_Address:21…
[*] Connected to target FTP server.
[*] IP_Address:21 – FTP Banner: ‘220 Microsoft FTP Service\x0d\x0a’
[*] IP_Address:21 FTP – Attempting FTP login for ‘anonymous’:’IEUser@’
[+] IP_Address:21 – Successful FTP login for ‘anonymous’:’IEUser@’
[*] IP_Address:21 – User ‘anonymous’ has READ access
[*] Successful authentication with read access on IP_Address will not be reported
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

auxiliary/scanner/http/webdav_scanner
set rhosts IP_Address
run

[*] IP_Address (Microsoft-IIS/8.0) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

use auxiliary/scanner/http/webdav_internal_ip
set rhosts IP_Address
run

============================================================

use auxiliary/scanner/http/webdav_website_content
set rhosts IP_Address
run

============================================================

For more on webdav myexploit recommend

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html

============================================================

use auxiliary/scanner/http/dir_scanner
set rhosts IP_Address
run

[*] Detecting error code
[*] Using code ‘404’ as not found for IP_Address
[*] Found http://IP_Address:80/Rpc/ 404 (IP_Address)
[*] Found http://IP_Address:80/aspnet_client/ 404 (IP_Address)
[*] Found http://IP_Address:80/rpc/ 404 (IP_Address)
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

use auxiliary/scanner/http/ssl
set rhosts IP_Address
run

[*] IP_Address:443 Subject: /CN=WIN8SERVER
[*] IP_Address:443 Issuer: /CN=WIN8SERVER
[*] IP_Address:443 Signature Alg: sha1WithRSAEncryption
[+] Certificate contains no CA Issuers extension… possible self signed certificate
[+] Certificate Subject and Issuer match… possible self signed certificate
[*] IP_Address:443 has common name WIN8SERVER
[*] Scanned 1 of 1 hosts (100% complete)

============================================================

The “mssql_ping” module queries a host or range of hosts on
UDP port 1434 to determine the listening TCP port of any
MSSQL server, if available. MSSQL randomizes the TCP port
that it listens on so this is a very valuable module in
the Framework.

use auxiliary/scanner/mssql/mssql_ping
set rhosts IP_Address
run

============================================================

The SMTP Enumeration module will connect to a given mail server and use a wordlist to enumerate users that are present on the remote system.

use auxiliary/scanner/smtp/smtp_enum
set rhosts IP_Address
run

============================================================

use auxiliary/scanner/smtp/smtp_version
set rhosts IP_Address
run

============================================================

The “snmp_enum” module performs detailed enumeration of a
host or range of hosts via SNMP similar to the
standalone tools snmpenum and snmpcheck.

use auxiliary/scanner/snmp/snmp_enum
set rhosts IP_Address
run

============================================================

The endpoint_mapper module queries the EndPoint Mapper
service of a remote system to determine what services are
available. In the information gathering stage, this can
provide some very valuable information.

use auxiliary/scanner/dcerpc/endpoint_mapper
set rhosts IP-Address
set THREADS 55
run

[*] Connecting to the endpoint mapper service…

[*] b85afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 TCP (49152) IP-Address

[*] a500d4c6-0dd1-4543-bc0c-d5f93486eaf8 v1.0 LRPC (LRPC-c9b26c881cadc33e19)

[*] 87f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc01E39F1E2)

[*] 12e65dd8-887f-41ef-91bf-8d816c42c2e7 v1.0 LRPC (WMsgKRpc01E39F1E2) [Secure Desktop LRPC interface]

[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)

[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)

============================================================

The dcerpc/hidden scanner connects to a given range of IP
addresses and try to locate any RPC services  that are not
listed in the Endpoint Mapper and determine if
anonymous access to the service is allowed.

use auxiliary/scanner/dcerpc/hidden
set rhosts IP_Address
run

============================================================

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s