Friday 21 November 2014

Top 31 Metasploit Auxiliary Scanner Tutorials - Kali Linux

 

CASE 1:

This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.
use auxiliary/scanner/http/frontpage_login
set rhosts IP_Address
set rport 80
run

[*] http://IP_Address/ may not support FrontPage Server Extensions
[*] Scanned 1 of 1 hosts (100% complete)


CASE 2:


This module identifies the existence of possible copies of a specific file in a given path
use auxiliary/scanner/http/backup_file
set rhosts IP_Address
run


CASE 3:


use auxiliary/scanner/http/http_version
set rhosts IP_Address
run

[*] IP_Address:80 Microsoft-IIS/8.0 ( Powered by ASP.NET )
[*] Scanned 1 of 1 hosts (100% complete)

CASE 4:

Discover active pcAnywhere services through UDP
use auxiliary/scanner/pcanywhere/pcanywhere_udp
set rhosts IP_Address
run


CASE 5:


This module is based on et’s HTTP Directory Scanner module,
with one exception. Where authentication is required, it
attempts to bypass authentication using the WebDAV IIS6
Unicode vulnerability discovered by Kingcope.

use auxiliary/scanner/http/dir_webdav_unicode_bypass
set rhosts IP_Address
run

[*] Using code '404' as not found.
[*] Found protected folder http://IP_Address:80/Rpc/ 401 (IP_Address)
[*]     Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.

CASE 6:

This module identifies the existence of files in a given
directory path that have the same name as the directory.

use auxiliary/scanner/http/file_same_name_dir
set rhosts IP_Address
run

[-] Blank or default PATH set.

CASE 7:

This module attempts to authenticate to an HTTP service.
use auxiliary/scanner/http/http_login
set rhosts IP_Address
run

[-] http://IP_Address:80 No URI found that asks for HTTP authentication

CASE 8:

Collect any leaked internal IPs by requesting commonly redirected locations from IIS.
use auxiliary/scanner/http/iis_internal_ip
set rhosts IP_Address
run

CASE 9:

Simplified version of MS09-020 IIS6 WebDAV Unicode Auth
Bypass scanner. It attempts to bypass authentication using
the WebDAV IIS6 Unicode vulnerability discovered by Kingcope.

use auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
set rhosts IP_Address
run


CASE 10:


Checks if an HTTP proxy is open. False positives are avoided by
verifying the HTTP return code and matching a pattern.

use auxiliary/scanner/http/open_proxy
set rhosts IP_Address
run


CASE 11:

Display available HTTP options for each system
use auxiliary/scanner/http/options
set rhosts IP_Address
run

[*] IP_Address allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] IP_Address:80 – TRACE method allowed.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 12:

This module identifies files in the first parent directory
with same name as the given directory path.
Example: testing /backup/files/ will look for files such as /backup/files.ext.

use auxiliary/scanner/http/prev_dir_same_name_file
set rhosts IP_Address
run

[-] Blank or default PATH set.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 13:

This module identifies the existence of additional files by
modifying the extension of an existing file.

use auxiliary/scanner/http/replace_ext
set rhosts IP_Address
run

[*] Using code '404' as not found for .bak files.
[*] Using code '404' as not found for .txt files.
[*] Using code '404' as not found for .tmp files.
[*] Using code '404' as not found for .old files.
[*] Using code '404' as not found for .htm files.
[*] Using code '404' as not found for .ini files.
[*] Using code '404' as not found for .cfg files.
[*] Using code '404' as not found for .html files.
[*] Using code '404' as not found for .php files.
[*] Using code '404' as not found for .temp files.
[*] Using code '404' as not found for .tmp files.
[*] Using code '404' as not found for .java files.
[*] Using code '404' as not found for .doc files.
[*] Using code '404' as not found for .log files.
[*] Using code '404' as not found for .xml files.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 14:

Scrape defined data from a specific web page based on a
regular expression.

use auxiliary/scanner/http/scraper
set rhosts IP_Address
run

[*] [IP Address] / [Microsoft Internet Information Services 8]
[*] Scanned 1 of 1 hosts (100% complete)

CASE 15:

This module launches a sqlmap session. sqlmap is an automatic SQL
injection tool developed in Python. Its goal is to detect and
take advantage of SQL injection vulnerabilities on web applications.
Once it detects one or more SQL injections on the target host,
the user can choose among a variety of options to perform an
extensive back-end database management system fingerprint,
retrieve DBMS session user and database, enumerate users,
password hashes, privileges, databases, dump entire or
user specific DBMS tables/columns, run his own SQL SELECT
statement, read specific files on the file system and much more.

use auxiliary/scanner/http/sqlmap
set rhosts IP_Address
run

CASE 16:

This module tests for authentication bypass using different HTTP verbs.
use auxiliary/scanner/http/verb_auth_bypass
set rhosts IP_Address
run

[*] [IP_Address] Authentication not required. / 200
[*] Scanned 1 of 1 hosts (100% complete)


CASE 17:


Identify valid users through the finger service using a
variety of tricks.

use auxiliary/scanner/finger/finger_users
set rhosts IP_Address
run

[*] IP_Address:79 No users found.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 18:

Detect anonymous (read/write) FTP server access.
use auxiliary/scanner/ftp/anonymous
set rhosts IP_Address
run

[*] IP_Address:21 Anonymous READ (220 Microsoft FTP Service)
[*] Scanned 1 of 1 hosts (100% complete)

CASE 19:

This module will test FTP logins on a range of machines and
report successful logins. If you have loaded a database plugin
and connected to a database this module will record successful
logins and hosts so you can track your access.

use auxiliary/scanner/ftp/ftp_login
set rhosts IP_Address
run

[*] IP_Address:21 – Starting FTP login sweep
[*] Connecting to FTP server IP_Address:21…
[*] Connected to target FTP server.
[*] IP_Address:21 – FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] IP_Address:21 FTP – Attempting FTP login for 'anonymous':'IEUser@'
[+] IP_Address:21 – Successful FTP login for 'anonymous':'IEUser@'
[*] IP_Address:21 – User 'anonymous' has READ access
[*] Successful authentication with read access on IP_Address will not be reported
[*] Scanned 1 of 1 hosts (100% complete)

CASE 20:

use auxiliary/scanner/http/webdav_scanner
set rhosts IP_Address
run

[*] IP_Address (Microsoft-IIS/8.0) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 21:


use auxiliary/scanner/http/webdav_internal_ip
set rhosts IP_Address
run

CASE 22:

use auxiliary/scanner/http/webdav_website_content
set rhosts IP_Address
run

CASE 23:


For more on WebDAV, myexploit recommends
http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html

CASE 24:

use auxiliary/scanner/http/dir_scanner
set rhosts IP_Address
run

[*] Detecting error code
[*] Using code '404' as not found for IP_Address
[*] Found http://IP_Address:80/Rpc/ 404 (IP_Address)
[*] Found http://IP_Address:80/aspnet_client/ 404 (IP_Address)
[*] Found http://IP_Address:80/rpc/ 404 (IP_Address)
[*] Scanned 1 of 1 hosts (100% complete)

CASE 25:

use auxiliary/scanner/http/ssl
set rhosts IP_Address
run

[*] IP_Address:443 Subject: /CN=WIN8SERVER
[*] IP_Address:443 Issuer: /CN=WIN8SERVER
[*] IP_Address:443 Signature Alg: sha1WithRSAEncryption
[+] Certificate contains no CA Issuers extension… possible self signed certificate
[+] Certificate Subject and Issuer match… possible self signed certificate
[*] IP_Address:443 has common name WIN8SERVER
[*] Scanned 1 of 1 hosts (100% complete)

CASE 26:


The “mssql_ping” module queries a host or range of hosts on
UDP port 1434 to determine the listening TCP port of any
MSSQL server, if available. MSSQL randomizes the TCP port
that it listens on so this is a very valuable module in
the Framework.

use auxiliary/scanner/mssql/mssql_ping
set rhosts IP_Address
run
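
The reply that the SQL Server Browser service sends on UDP 1434 can be parsed in a few lines of Python, which lets an administrator compare the announced dynamic TCP ports against firewall rules. This is an added example, not code from the original post or from Metasploit; the reply bytes are constructed (EXAMPLEHOST, the instance names and the version are made up), and the layout assumed is the SQL Server Resolution Protocol response: type byte 0x05, a little-endian 16-bit length, then semicolon-separated key/value pairs with each instance ended by ";;".

```python
import struct

SVR_RESP = 0x05  # response type byte in the SQL Server Resolution Protocol


def parse_ssrp_response(data: bytes):
    """Parse a SQL Server Browser reply into one dict per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated response")
    instances = []
    for chunk in body.decode("ascii", "replace").split(";;"):
        tokens = chunk.split(";")
        if len(tokens) < 2:
            continue  # empty tail after the final ';;'
        # Tokens alternate key, value: ServerName, <name>, InstanceName, ...
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def tcp_listeners(instances):
    """Return (instance name, TCP port) for every instance announcing TCP."""
    return [(i.get("InstanceName", "?"), int(i["tcp"]))
            for i in instances if i.get("tcp", "").isdigit()]


def build_sample():
    """Constructed reply: one TCP instance and one named-pipes-only instance."""
    body = (b"ServerName;EXAMPLEHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
            b"Version;11.0.0.0;tcp;49172;;"
            b"ServerName;EXAMPLEHOST;InstanceName;REPORTING;IsClustered;No;"
            b"Version;11.0.0.0;np;\\\\EXAMPLEHOST\\pipe\\MSSQL$REPORTING\\sql\\query;;")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    for name, port in tcp_listeners(parse_ssrp_response(build_sample())):
        print(f"instance {name} listens on tcp/{port}")
```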

CASE 27:

The SMTP Enumeration module will connect to a given mail server and use a wordlist to enumerate users that are present on the remote system.
use auxiliary/scanner/smtp/smtp_enum
set rhosts IP_Address
run

CASE 28:

use auxiliary/scanner/smtp/smtp_version
set rhosts IP_Address
run

CASE 29:


The “snmp_enum” module performs detailed enumeration of a
host or range of hosts via SNMP similar to the
standalone tools snmpenum and snmpcheck.

use auxiliary/scanner/snmp/snmp_enum
set rhosts IP_Address
run

CASE 30:


The endpoint_mapper module queries the EndPoint Mapper
service of a remote system to determine what services are
available. In the information gathering stage, this can
provide some very valuable information.

use auxiliary/scanner/dcerpc/endpoint_mapper
set rhosts IP-Address
set THREADS 55
run

[*] Connecting to the endpoint mapper service…
[*] b85afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 TCP (49152) IP-Address
[*] a500d4c6-0dd1-4543-bc0c-d5f93486eaf8 v1.0 LRPC (LRPC-c9b26c881cadc33e19)
[*] 87f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc01E39F1E2)
[*] 12e65dd8-887f-41ef-91bf-8d816c42c2e7 v1.0 LRPC (WMsgKRpc01E39F1E2) [Secure Desktop LRPC interface]
[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)
[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)

CASE 31:

The dcerpc/hidden scanner connects to a given range of IP
addresses and tries to locate any RPC services that are not
listed in the Endpoint Mapper and determine if
anonymous access to the service is allowed.

use auxiliary/scanner/dcerpc/hidden
set rhosts IP_Address
run
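
Output like that shown in cases 11, 18 and 25 can be triaged mechanically on the defending side. The following Python is an added example, not part of the original post or of Metasploit; the sample lines are constructed in the format shown above, with IP_Address replaced by the documentation address 192.0.2.10, and the finding labels are this example's own. It compares the Subject and Issuer lines itself, because the "[+]" certificate hints carry no host.

```python
import re
from collections import defaultdict

# Constructed sample in the output format of cases 11, 18 and 25.
SAMPLE = """\
[*] 192.0.2.10 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] 192.0.2.10:80 - TRACE method allowed.
[*] 192.0.2.10:21 Anonymous READ (220 Microsoft FTP Service)
[*] 192.0.2.10:443 Subject: /CN=WIN8SERVER
[*] 192.0.2.10:443 Issuer: /CN=WIN8SERVER
[*] 192.0.2.10:443 Signature Alg: sha1WithRSAEncryption
[+] Certificate Subject and Issuer match... possible self signed certificate
[*] Scanned 1 of 1 hosts (100% complete)
"""

LINE = re.compile(
    r"^\[[*+-]\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?"
    r"\s+(?:[-\u2013]\s+)?(?P<msg>.+)$")
RISKY_METHODS = {"TRACE", "PUT", "DELETE"}
WEAK_SIG = ("md5", "sha1")


def triage(text):
    """Return a sorted list of (host, port, finding); port is '?' if not shown."""
    found, certs = set(), defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # lines without a host, e.g. the "[+] Certificate" hints
        host, port, msg = m["host"], m["port"] or "?", m["msg"]
        if (a := re.match(r"allows (.+) methods", msg)):
            verbs = {v.strip() for v in a[1].split(",")}
            for v in sorted(verbs & RISKY_METHODS):
                found.add((host, port, f"HTTP method {v} enabled"))
        elif (a := re.match(r"Anonymous (READ/WRITE|READ|WRITE)", msg)):
            found.add((host, port, f"anonymous FTP {a[1]}"))
        elif (a := re.match(r"(Subject|Issuer|Signature Alg): (.+)", msg)):
            certs[(host, port)][a[1]] = a[2].strip()
    for (host, port), c in certs.items():
        if c.get("Subject") and c.get("Subject") == c.get("Issuer"):
            found.add((host, port, "self-signed certificate"))
        if c.get("Signature Alg", "").lower().startswith(WEAK_SIG):
            found.add((host, port, f"weak signature {c['Signature Alg']}"))
    return sorted(found)


if __name__ == "__main__":
    for host, port, finding in triage(SAMPLE):
        print(f"{host}:{port}  {finding}")
```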

============================================================

Thursday 13 November 2014

OWASP ASVS 2.0 Cheat Sheet for Application Penetration Testers

The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification. The ASVS standard provides a basis for verifying application technical security controls, as well as any technical security controls in the environment that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. It is composed of 13 categories containing 168 checkpoints to validate in your application. Of course not all of them are applicable, but the overall method is broad enough to cover most web applications.

As a member of OWASP who regularly performs security-oriented code reviews in various languages, I rely on the Application Security Verification Standard as the basis for delivering security reports to my customers and as a proper way to measure the confidence you can put in the application. This article is not about presenting ASVS, which I trust you can discover by yourself on the OWASP website; it is only to share a worksheet I have been using along with the document written by OWASP.
This spreadsheet takes the shape of a checklist you can browse in order to assess the level of confidence of the application. In this article I will enclose this spreadsheet and explain how I am using it. You can directly download the cheat sheet at the end of the post.
Basically the spreadsheet is really simple, but I have never seen it elsewhere. You have one tab sheet for each category of the ASVS. For each category, each criterion is documented with its ASVS Level and a full-text description. Your job is then to fill in the rest of the fields as follows:

  • Valid (Valid/ Non valid / Not Applicable)
  • Source Code Reference (If the code is not valid, insert the reference to the files/lines that lack security)
  • Comment (Field to comment the vulnerability and keep track of changes with developers)
  • Tool used (If the vulnerability was found using a tool, you can include the name of the tool / version and sometimes the output)
Once you’ve done that, do not forget to tag the irrelevant criteria as Not Applicable; the report located in the first tab sheet will then be generated automatically, along with the radar graph, which you can directly enclose in your analysis document or report.
Ideally this assessment should be done before any major release of your software, especially if you work with an Agile methodology. Validating this worksheet should be part of your recipe before shipping. Throughout the security analysis you can share this document with developers to keep track of changes, and also keep the graph from each release to see how the security of your application evolves over time.
LibreOffice Version ASVS-2-0.ods
Excel Version ASVS-2-0.xls
(I built this spreadsheet using LibreOffice, I’m sorry if it looks broken in Excel… You can kickstart to offer me a MSOffice license :P)

Monday 10 November 2014

How to configure the VA/PT tool OpenVAS on Kali Linux

There are a lot of good scanners on the market and all of them are excellent, but unfortunately
most of the available scanners are paid, and this hinders some students from understanding how to analyze and invade remote machines. Nonetheless, a good free scanner exists, and using it allows you to find out any possible flaws: OpenVAS. In fact, OpenVAS is as good as Nessus, Retina or any other famous scanner, and learning it is an easy mission.
Since there are some details to OpenVAS configuration, what follows is a quick-start procedure to configure OpenVAS and use it as soon as possible on Kali Linux.


root@hacker:~# openvas-mkcert -f
root@hacker:~# openvas-mkcert-client -n om -i

(The next command will require you to enter a new password)
root@hacker:~# openvasad -c 'add_user' -n admin_linuxmagazine -r Admin

(These next two steps could take a long time)
root@hacker:~# openvas-nvt-sync
root@hacker:~# openvassd

(Onward)
root@hacker:~# openvasmd --rebuild
root@hacker:~# openvasmd -p 9390 -a 127.0.0.1
root@hacker:~# openvasad -a 127.0.0.1 -p 9393
root@hacker:~# gsad --http-only --listen=127.0.0.1 -p 5555
root@hacker:~# /etc/init.d/openvas-administrator restart
Restarting OpenVAS Administrator: openvasad.
root@hacker:~# /etc/init.d/openvas-manager restart
Restarting OpenVAS Manager: openvasmd.

Now, you must open a browser and go to:

http://localhost:5555

If everything installed correctly, you will get the OpenVAS web UI and you can use it as your VA/PT tool.
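
Because gsad is started with --http-only, the web UI and its login travel over plain HTTP, so the 127.0.0.1 bindings in the commands above are what keep the scanner's management interfaces off the network. The following Python check is an added example, not part of the original post or of OpenVAS; it reads `ss -ltn` output and reports any of the three ports from this procedure (9390, 9393, 5555) bound to a non-loopback address or not listening at all. The sample output is constructed to show a misconfigured host.

```python
import ipaddress

# Ports taken from the commands in this procedure.
OPENVAS_PORTS = {9390: "openvasmd", 9393: "openvasad", 5555: "gsad"}

# Constructed `ss -ltn` output: gsad on all interfaces, openvasad not running.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:9390      0.0.0.0:*
LISTEN  0       128     0.0.0.0:5555        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""


def is_loopback(addr):
    """True only for addresses that parse and are loopback (127/8, ::1)."""
    addr = addr.strip("[]").split("%")[0]  # drop brackets and %interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or unparseable: treat as exposed, review by hand


def check_listeners(ss_output, expected=OPENVAS_PORTS):
    """Return (exposed, missing): non-loopback binds and absent services."""
    exposed, seen = [], set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in expected:
            continue
        seen.add(int(port))
        if not is_loopback(addr):
            exposed.append((expected[int(port)], addr, int(port)))
    missing = sorted(expected[p] for p in expected if p not in seen)
    return exposed, missing


if __name__ == "__main__":
    exposed, missing = check_listeners(SAMPLE_SS)
    for svc, addr, port in exposed:
        print(f"EXPOSED  {svc} listens on {addr}:{port}")
    for svc in missing:
        print(f"MISSING  {svc} is not listening")
```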
