Browse Exploit & Auxiliary Modules
The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.
Module Browser
Energizer DUO Trojan Scanner
Detect instances of the Energizer DUO trojan horse software on port 7777
DB2 Authentication Brute Force Utility
This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
DB2 Discovery Service Detection
This module simply queries the DB2 discovery service for information.
Endpoint Mapper Service Discovery
This module can be used to obtain information from the Endpoint Mapper service.
Hidden DCERPC Service Discovery
This module will query the endpoint mapper and make a list of all ncacn_tcp RPC services. It will then connect to each of these services and use the management API to list all other RPC services accessible on this port. Any RPC service found attached to a TCP port, but not listed in the endpoint mapper, will be displayed and analyzed to see whether anonymous access is permitted.
Remote Management Interface Discovery
This module can be used to obtain information from the Remote Management Interface DCERPC service.
DCERPC TCP Service Auditor
Determine what DCERPC services are accessible over a TCP port
DECT Base Station Scanner
This module scans for DECT base stations
ARP Sweep Local Network Discovery
Enumerate live hosts on the local network using ARP requests.
IPv6 Link Local/Node Local Ping Discovery
Send an ICMPv6 ping request to all default multicast addresses and wait to see who responds.
IPv6 Local Neighbor Discovery
Enumerate local IPv6 hosts which respond to Neighbor Solicitations with a link-local address. Note that, like ARP scanning, this usually cannot be performed beyond the local broadcast network.
IPv6 Local Neighbor Discovery Using Router Advertisement
Send a spoofed router advertisement with high priority to force hosts to start IPv6 address auto-configuration. Monitor for IPv6 host advertisements, and try to guess the link-local address by concatenating the prefix and the host portion of the IPv6 address. Use NDP host solicitation to determine whether the IP address is valid.
EMC AlphaStor Device Manager Service
This module queries the remote host for the EMC AlphaStor Device Management Service.
EMC AlphaStor Library Manager Service
This module queries the remote host for the EMC AlphaStor Library Management Service.
Finger Service User Enumerator
Identify valid users through the finger service using a variety of tricks
Anonymous FTP Access Detection
Detect anonymous (read/write) FTP server access.
FTP Authentication Scanner
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
Adobe XML External Entity Injection
Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2
Apache "mod_userdir" User Enumeration
Apache with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.
Apache Axis2 v1.4.1 Local File Inclusion
This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. By loading a local XML file which contains a cleartext username and password, attackers can trivially recover authentication credentials to Axis services.
Apache Axis2 v1.4.1 Brute Force Utility
This module attempts to log in to an Apache Axis2 v1.4.1 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
HTTP Backup File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
Barracuda Multiple Product "locale" Directory Traversal
This module exploits a directory traversal vulnerability present in several Barracuda products, including the Barracuda Spam and Virus Firewall, Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default, this module will attempt to download the Barracuda configuration file.
HTTP Blind SQL Injection GET QUERY Scanner
This module identifies the existence of blind SQL injection issues in GET query parameter values.
HTTP Directory Brute Force Scanner
This module identifies the existence of interesting directories by brute forcing the name in a given directory path.
HTTP SSL Certificate Checker
This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired. Note: be sure to check your expression if using msfcli; shells tend not to like certain things and will strip or interpret them (= is a perfect example). It is better to use this module from the console.
Cisco Device HTTP Device Manager Access
This module gathers data from a Cisco device (router or switch) with the device manager web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify authentication.
Cisco IOS HTTP Unauthorized Administrative Access
This module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for "/level/num/exec/..", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.3(11d).
Cisco Network Access Manager Directory Traversal Vulnerability
This module tests whether a directory traversal vulnerability is present in versions of Cisco Network Access Manager 4.8.x. You may wish to change FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
ColdFusion Version Scanner
This module attempts to identify various flavors of ColdFusion as well as the underlying OS.
ColdFusion Server Check
This module attempts to exploit the directory traversal in the 'locale' attribute. According to the advisory the following versions are vulnerable: ColdFusion MX6 6.1 base patches, ColdFusion MX7 7,0,0,91690 base patches, ColdFusion MX8 8,0,1,195765 base patches, ColdFusion MX8 8,0,1,195765 with Hotfix4. Adobe released patches for ColdFusion 8.0, 8.0.1, and 9 but ColdFusion 9 is reported to have directory traversal protections in place, subsequently this module does NOT work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or ColdFusion 7.
HTTP Copy File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
HTTP Directory Listing Scanner
This module identifies directory listing vulnerabilities in a given directory path.
HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.
MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.
Drupal Views Module Users Enumeration
This module exploits an information disclosure vulnerability in the 'Views' module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'
Ektron CMS400.NET Default Password Scanner
Ektron CMS400.NET is a web content management system based on .NET. This module tests for installations that are utilizing default passwords set by the vendor. Additionally, it has the ability to brute force user accounts. Note that Ektron CMS400.NET, by default, enforces account lockouts for regular user accounts after a number of failed attempts.
Pull Del.icio.us Links (URLs) for a domain
This module pulls and parses the URLs stored by Del.icio.us users for the purpose of replaying them during a web assessment, which helps find unlinked and old pages.
Pull Archive.org stored URLs for a domain
This module pulls and parses the URLs stored by Archive.org for the purpose of replaying them during a web assessment, which helps find unlinked and old pages.
HTTP Error Based SQL Injection Scanner
This module identifies the existence of error-based SQL injection issues. Still requires a lot of work.
HTTP File Same Name Directory Scanner
This module identifies the existence of files in a given directory path that have the same name as the directory. Only works if PATH is different from '/'.
HTTP Interesting File Scanner
This module identifies the existence of interesting files in a given directory path.
FrontPage Server Extensions Login Utility
This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.
GlassFish Brute Force Utility
This module attempts to log in to a GlassFish instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
HTTP Login Utility
This module attempts to authenticate to an HTTP service.
HTTP Writable Path PUT/DELETE File Access
This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE. PUT is the default. If filename isn't specified, the module will generate a random string for you as a .txt file. If DELETE is used, a filename is required.
Http:BL lookup
This module can be used to enumerate information about an IP address from Project HoneyPot's HTTP Block List.
HTTP SSL Certificate Impersonation
This module requests a copy of the remote SSL certificate and creates a local (self-signed) version using the information from the remote version. The module then outputs the private key and certificate in PEM or DER format, along with a combined version for use in Apache or other Metasploit modules requiring SSLCert. Inputs for private key / CA cert have been provided for those with DigiNotar certs hanging about!
JBoss Vulnerability Scanner
This module scans a JBoss instance for a few vulnerabilities.
LiteSpeed Source Code Disclosure/Download
This module exploits a source code disclosure/download vulnerability in versions 4.0.14 and prior of LiteSpeed.
HTTP Microsoft SQL Injection Table XSS Infection
This module implements the mass SQL injection attack in use lately, which concatenates an HTML string to force a persistent XSS attack that redirects the user's browser to an attacker-controlled website.
Majordomo2 _list_file_get() Directory Traversal
This module exploits a directory traversal vulnerability present in the _list_file_get() function of Majordomo2 (help function). By default, this module will attempt to download the Majordomo config.pl file.
Apache HTTPD mod_negotiation Filename Bruter
This module performs a brute force attack in order to discover existing files on a server which uses mod_negotiation. If the filename is found, the IP address and the files found will be displayed.
Apache HTTPD mod_negotiation scanner
This module scans the webserver of the given host(s) for the existence of mod_negotiation. If the webserver has mod_negotiation enabled, the IP address will be displayed.
MS09-020 IIS6 WebDAV Unicode Auth Bypass
Simplified version of MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner. It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.
Nginx Source Code Disclosure/Download
This module exploits a source code disclosure/download vulnerability in versions 0.7 and 0.8 of the nginx web server. Versions 0.7.66 and 0.8.40 correct this vulnerability.
HTTP Open Proxy Detection
Checks if an HTTP proxy is open. False positives are avoided by verifying the HTTP return code and matching a pattern.
HTTP Options Detection
Display available HTTP options for each system
Outlook Web App (OWA) Brute Force Utility
This module tests credentials on OWA 2003, 2007 and 2010 servers. The default action is set to OWA 2010.
HTTP Previous Directory File Scanner
This module identifies files in the first parent directory with the same name as the given directory path. Example: a test of /backup/files/ will look for the file /backup/files.ext.
HTTP File Extension Scanner
This module identifies the existence of additional files by modifying the extension of an existing file.
Reverse Proxy Bypass Scanner
Scan for poorly configured reverse proxy servers. By default, this module attempts to force the server to make a request with an invalid domain name. Then, if the bypass is successful, the server will look it up and of course fail, responding with status code 502. A baseline status code is always established, and if that baseline matches your test status code, the injection attempt does not occur. "set VERBOSE true" if you are paranoid and want to catch potential false negatives. Works best against Apache and mod_rewrite.
SAP BusinessObjects User Bruteforcer
This module attempts to bruteforce SAP BusinessObjects users. The dswsbobje interface is only used to verify valid credentials for CmcApp. Therefore, any valid credentials that have been identified can be leveraged by logging into CmcApp.
SAP BusinessObjects Web User Bruteforcer
This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.
SAP BusinessObjects User Enumeration
This module simply attempts to enumerate SAP BusinessObjects users. The dswsbobje interface is only used to verify valid users for CmcApp. Therefore, any valid users that have been identified can be leveraged by logging into CmcApp.
SAP BusinessObjects Version Detection
This module simply attempts to identify the version of SAP BusinessObjects.
HTTP Page Scraper
Scrape defined data from a specific web page based on a regular expression.
HTTP SOAP Verb/Noun Brute Force Scanner
This module attempts to brute force SOAP/XML requests to uncover hidden methods.
SQLMAP SQL Injection External Module
This module launches a sqlmap session. sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user-specific DBMS tables/columns, run their own SQL SELECT statement, read specific files on the file system and much more.
Squiz Matrix User Enumeration Scanner
This module attempts to enumerate remote users that exist within the Squiz Matrix and MySource Matrix CMS by sending GET requests for asset IDs, e.g. ?a=14, and searching the response for a valid username, e.g. "~root" or "~test", which is prefixed by a "~". It will also try to GET the user's full name or description, or other information. You may wish to modify ASSETBEGIN and ASSETEND values for greater results, or set VERBOSE. Information gathered may be used for later bruteforce attacks.
HTTP SSL Certificate Information
Parse the server SSL certificate to obtain the common name and signature algorithm
HTTP Subversion Scanner
Detect Subversion directories and files and analyze their content. Only SVN Version > 7 supported.
Sybase Easerver 6.3 Directory Traversal
This module exploits a directory traversal vulnerability found in Sybase EAserver's Jetty webserver on port 8000. Code execution seems unlikely with EAserver's default configuration unless the web server allows WRITE permission.
Apache Tomcat User Enumeration
Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version 6.0.20, 5.5.28, and 4.1.40.
Tomcat Application Manager Login Utility
This module simply attempts to log in to a Tomcat Application Manager instance using a specific user/pass.
- CVE-2009-3843
- OSVDB-60317
- BID-37086
- CVE-2009-4189
- OSVDB-60670
- http://www.harmonysecurity.co...
- http://www.zerodayinitiative....
- CVE-2009-4188
- BID-38084
- CVE-2010-0557
- http://www-01.ibm.com/support...
- CVE-2010-4094
- http://www.zerodayinitiative....
- CVE-2009-3548
- OSVDB-60176
- BID-36954
- http://tomcat.apache.org/
- CVE-1999-0502
HTTP TRACE Detection
Test whether TRACE is actually enabled. The server returns 405 (Apache) or 501 (IIS) if it is disabled, and 200 if it is enabled.
HTTP Verb Authentication Bypass Scanner
This module tests for authentication bypass using different HTTP verbs.
HTTP Virtual Host Brute Force Scanner
This module tries to identify unique virtual hosts hosted by the target web server.
VMware Server Directory Traversal Vulnerability
This module exploits the directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware server ports are 80/8222 and 443/8333 (SSL). If you want to download the entire VM, check out the gueststealer tool.
HTTP WebDAV Website Content Scanner
Detect webservers disclosing their content through WebDAV
Wordpress Brute Force and User Enumeration Utility
Wordpress Authentication Brute Force and User Enumeration Utility
HTTP Blind XPATH 1.0 Injector
This module exploits blind XPATH 1.0 injections over HTTP GET requests.
Yaws Web Server Directory Traversal
This module exploits a directory traversal bug in Yaws v1.9.1 or less. The module can only be used to retrieve files. However, code execution might be possible, because when the malicious user sends a PUT request a file is actually created, except that no content is written.
IPID Sequence Scanner
This module will probe hosts' IPID sequences and classify them using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). Nmap's probes are SYN/ACKs while this module's are SYNs. While this does not change the underlying functionality, it does change the chance of whether or not the probe will be stopped by a firewall. Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".
Borland InterBase Services Manager Information
This module retrieves the version of the services manager, and the version and implementation of the InterBase server, from InterBase Services Manager.
OKI Printer Default Login Credential Scanner
This module scans for OKI printers via SNMP, then tries to connect to found devices with vendor default administrator credentials via HTTP authentication. By default, OKI network printers use the last six digits of the MAC as admin password.
Redis-server Scanner
This module scans for Redis servers. By default Redis has no auth. If auth (password only) is used, it is then possible to execute a brute force attack on the server. This scanner will find open or password-protected Redis servers and report back the server information.
Rosewill RXS-3211 IP Camera Password Retriever
This module takes advantage of a protocol design issue with the Rosewill admin executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP Cameras such as Edimax, Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested. The protocol design issue also allows attackers to reset passwords on the device.
SunRPC Portmap Program Enumerator
This module calls the target portmap service and enumerates all program entries and their running port numbers.
Motorola Timbuktu Service Detection
This module simply sends a packet to the Motorola Timbuktu service for detection.
MSSQL Password Hashdump
This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.
MSSQL Login Utility
This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).
MSSQL Schema Dump
This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.
MYSQL Password Hashdump
This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.
MySQL Login Utility
This module simply queries the MySQL instance for a specific user/pass (default is root with blank).
NAT-PMP External port scanner
Scan NAT devices for their external listening ports using NAT-PMP
NetBIOS Information Discovery Prober
Discover host information using sequential NetBIOS Probes
NFS Mount Scanner
This module scans NFS mounts and their permissions.
Oracle Enterprise Manager Control SID Discovery
This module makes a request to the Oracle Enterprise Manager Control Console in an attempt to discover the SID.
Oracle iSQL*Plus Login Utility
This module attempts to authenticate against an Oracle ISQL*Plus administration web site using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE. This module does not require a valid SID, but if one is defined, it will be used. Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to fingerprint the version and automatically select the correct POST request.
Oracle isqlplus SID Check
This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus login pages. It does this by testing Oracle error responses returned in the HTTP response. Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error. Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to fingerprint the version and automatically select the correct POST request.
Oracle Password Hashdump
This module dumps the usernames and password hashes from Oracle given the proper Credentials and SID. These are then stored as loot for later cracking.
Oracle RDBMS Login Utility
This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
Oracle TNS Listener SID Bruteforce
This module queries the TNS listener for a valid Oracle database instance name (also known as a SID). Any response other than a "reject" will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, SIDs read from the named file will be attempted in sequence instead.
Oracle TNS Listener SID Enumeration
This module simply queries the TNS listener for the Oracle SID. With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be bruteforced or guessed.
Oracle Application Server Spy Servlet SID Enumeration
This module makes a request to the Oracle Application Server in an attempt to discover the SID.
Oracle TNS Listener Service Version Query
This module simply queries the tnslsnr service for the Oracle build.
Oracle XML DB SID Discovery
This module simply makes an authenticated request to retrieve the SID from the Oracle XML DB httpd server.
Oracle XML DB SID Discovery via Brute Force
This module attempts to retrieve the SID from the Oracle XML DB httpd server, utilizing Pete Finnigan's default Oracle password list.
pcAnywhere UDP Service Discovery
Discover active pcAnywhere services through UDP
POP3 Login Utility
This module attempts to authenticate to a POP3 service.
TCP ACK Firewall Scanner
Map out firewall rulesets with a raw ACK scan. Any unfiltered ports found mean that a stateful firewall is not in place for them.
FTP Bounce Port Scanner
Enumerate TCP services via the FTP bounce PORT/LIST method, which can still come in handy every once in a while (I know of a server that still allows this just fine...).
TCP "XMas" Port Scanner
Enumerate open|filtered TCP services using a raw "XMas" scan; this sends probes containing the FIN, PSH and URG flags.
Postgres Password Hashdump
This module extracts the usernames and encrypted password hashes from a Postgres server and stores them for later cracking.
PostgreSQL Login Utility
This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.
Postgres Schema Dump
This module extracts the schema information from a Postgres server.
PostgreSQL Version Probe
Enumerates the version of PostgreSQL servers.
Rogue Gateway Detection: Receiver
This module listens for replies to the requests sent by the rogue_send module. The RPORT, CPORT, and ECHOID values must match the rogue_send parameters used exactly.
Rogue Gateway Detection: Sender
This module sends a series of TCP SYN and ICMP ECHO requests to each internal target host, spoofing the source address of an external system running the rogue_recv module. This allows the system running the rogue_recv module to determine what external IP a given internal system is using as its default route.
rexec Authentication Scanner
This module will test an rexec service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).
rlogin Authentication Scanner
This module will test an rlogin service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).
rsh Authentication Scanner
This module will test a shell (rsh) service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).
SAP URL Scanner
This module scans for commonly found SAP Internet Communication Manager URLs and outputs return codes for the user.
SAP Management Console ABAP syslog
This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface.
SAP Management Console Brute Force
This module simply attempts to brute force the username | password for the SAP Management Console SOAP Interface. By setting the SAP SID value, a list of default SAP users can be tested without needing to set a USERNAME or USER_FILE value. The default usernames are stored in ./data/wordlists/sap_common.txt (the value of SAP SID is automatically inserted into the username to replace <SAPSID>).
SAP Management Console Extract Users
This module simply attempts to extract SAP users from the ABAP Syslog through the SAP Management Console SOAP Interface.
SAP Management Console Get Access Points
This module simply attempts to output a list of SAP access points through the SAP Management Console SOAP Interface.
SAP Management Console getEnvironment
This module simply attempts to identify SAP Environment settings through the SAP Management Console SOAP Interface.
SAP Management Console Get Logfile
This module simply attempts to download available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. Please use the sap_manamgenet_console_listlogfiles extension to view a list of available files.
SAP Management Console Get Process Parameters
This module simply attempts to output SAP process parameters and configuration settings through the SAP Management Console SOAP Interface.
SAP Management Console Instance Properties
This module simply attempts to identify the instance properties through the SAP Management Console SOAP Interface.
SAP Management Console List Logfiles
This module simply attempts to output a list of available logfiles and developer tracefiles through the SAP Management Console SOAP Interface.
SAP Management Console getStartProfile
This module simply attempts to access the SAP startup profile through the SAP Management Console SOAP Interface.
SAP Management Console Version Detection
This module simply attempts to identify the version of SAP through the SAP Management Console SOAP Interface.
SIP Username Enumerator (UDP)
Scan for numeric username/extensions using OPTIONS/REGISTER requests
SIP Username Enumerator (TCP)
Scan for numeric username/extensions using OPTIONS/REGISTER requests
SIPDroid Extension Grabber
This module exploits a leak of extension/SIP Gateway on SIPDroid 1.6.1 beta, 2.0.1 beta, 2.2 beta (tested in Android 2.1 and 2.2 - official Motorola release) (other versions may be affected).
SMB Session Pipe DCERPC Auditor
Determine what DCERPC services are accessible over a SMB pipe
SMB User Enumeration (SAM EnumUsers)
Determine what local users exist via the SAM RPC service
SMB Domain User Enumeration
Determine what domain users are logged into a remote system via a DCERPC to NetWkstaUserEnum.
SMB Login Check Scanner
This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
SMB Local User Enumeration (LookupSid)
Determine what local users exist via brute force SID lookups
SMTP User Enumeration Utility
The SMTP service has two internal commands that allow the enumeration of users: VRFY (which confirms the names of valid users) and EXPN (which reveals the actual addresses behind user aliases and mailing lists). Using these SMTP commands can reveal a list of valid users.
Cisco IOS SNMP Configuration Grabber (TFTP)
This module will download the startup or running configuration from a Cisco IOS device using SNMP and TFTP. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system and the use of NAT will cause the TFTP transfer to fail.
Cisco IOS SNMP File Upload (TFTP)
This module will copy a file to a Cisco IOS device using SNMP and TFTP. A read-write SNMP community is required. The SNMP community scanner module can assist in identifying a read-write community. The target must be able to connect back to the Metasploit system and the use of NAT will cause the TFTP transfer to fail.
SNMP Enumeration Module
This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public".
SNMP Windows SMB Share Enumeration
This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP
SNMP Windows Username Enumeration
This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP
SNMP Community Scanner
Scan for SNMP devices using common community names
SNMP Set Module
This module, similar to the snmpset tool, uses the SNMP SET request to set information on a network entity. An OID (numeric notation) and a value are required. The target device must permit write access.
Xerox WorkCentre User Enumeration (SNMP)
This module will do user enumeration based on the Xerox WorkCentre present on the network. SNMP is used to extract the usernames.
SSH Public Key Acceptance Scanner
This module can determine what public keys are configured for key-based authentication across a range of machines, users, and sets of known keys. The SSH protocol indicates whether a particular key is accepted prior to the client performing the actual signed authentication request. To use this module, a text file containing one or more SSH keys should be provided. These can be private or public, so long as no passphrase is set on the private keys. If you have loaded a database plugin and connected to a database this module will record authorized public keys and hosts so you can track your process. Key files may be a single public (unencrypted) key, or several public keys concatenated together as an ASCII text file. Non-key data should be silently ignored. Private keys will only utilize the public key component stored within the key file.
SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
SSH Public Key Login Scanner
This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Note that password-protected key files will not function with this module -- it is designed specifically for unencrypted (passwordless) keys. Key files may be a single private (unencrypted) key, or several private keys concatenated together as an ASCII text file. Non-key data should be silently ignored.
Wardialer
Scan for dial-up systems that are connected to modems and answer telephony indials.
Telnet Service Encryption Key ID Overflow Detection
Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd)
Telnet Login Check Scanner
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
IpSwitch WhatsUp Gold TFTP Directory Traversal
This module exploits a directory traversal vulnerability in IpSwitch WhatsUp Gold's TFTP service.
TFTP Brute Forcer
This module uses a dictionary to brute force valid TFTP image names from a TFTP server.
SSDP M-SEARCH Gateway Information Discovery
Discover information about the local gateway via UPnP
VMWare Authentication Daemon Login Scanner
This module will test vmauthd logins on a range of machines and report successful logins.
VMWare Web Login Scanner
This module attempts to authenticate to the VMWare HTTP service for VMWare Server, ESX, and ESXi
VNC Authentication Scanner
This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, and 3.8 using the VNC challenge response authentication method.
VNC Authentication None Detection
Detect VNC servers that support the "None" authentication method.
Telephone Line Voice Scanner
This module dials a range of phone numbers and records audio from each answered call
VxWorks WDB Agent Boot Parameter Scanner
Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory
VxWorks WDB Agent Version Scanner
Scan for exposed VxWorks wdbrpc daemons
X11 No-Auth Scanner
This module scans for X11 servers that allow anyone to connect without authentication.
