Hack Like a Pro: Exploring Metasploit Auxiliary Modules (FTP Fuzzing)

Welcome back, my hacker novitiates!

In previous guides, we have used one of the most powerful hacking platforms on the planet, Metasploit, to perform numerous hacks. They ranged from exploiting Windows XP and Windows 7/8 vulnerabilities, to installing a keylogger and turning on a webcam remotely. We have even been able to save the world from nuclear annihilation, see if our girlfriend is cheating, spy on suspicious neighbors, evade antivirus detection, and more.

In each of those tutorials, we focused primarily on using two types of Metasploit modules, the exploits and the payloads, but Metasploit has several other types including NOPs (no operations), encoders, post (post exploitation), and auxiliary. In this article, I want to introduce you to the auxiliary modules in Metasploit where many powerful tools await our call.

Step 1: Fire Up Kali

Let's get started. First, fire up Kali and open a terminal like that below.

Step 2: Go to Metasploit Framework Directory

Now, let's navigate to the Metasploit directory in Kali:

cd /usr/share/metasploit-framework

Please note that we are not invoking the Metasploit console. We are simply navigating to where Metasploit resides in the file system, so that we can explore what modules exist there.

Next, let's list the contents of that directory like that below.

kali > ls -l

Let's now navigate to the subdirectory modules and do a listing on that subdirectory.

kali > cd modules
kali > ls -l

As we can see in the screenshot above, Metasploit has six (6) different types of modules:

  • auxiliary
  • encoders
  • exploits
  • nops
  • payloads
  • post

As stated before, in nearly every previous Metasploit tutorial here on Null Byte, we have focused exclusively on the exploits and payloads. I have also done a couple of guides on using the encoders module, but we have never explored the NOPs, auxiliary, or post modules. Today, let's examine what is available to us in the auxiliary module.

Step 3: Open Auxiliary Directory

First, let's change directories to the auxiliary directory and do a directory listing.

kali > cd auxiliary
kali > ls -l

When we do so, we can see that the auxiliary module directory is broken down into many sub-directories, starting with the admin directory and ending with the vsploit directory.

Step 4: Explore the Auxiliary Sub Directories

As you can see, there are numerous auxiliary directories and modules, but for now, let's focus on one—the fuzzers.

Fuzzing

Fuzzing is the practice of sending random or malformed input to a variable or input field to see whether we can "break" it. That is, if we send too much data, or data of a type that is not expected, we may be able to overflow a buffer.

Buffer overflows (I'll do a few articles soon on this subject) are among the most serious types of vulnerabilities as they often enable us to execute our own code remotely. Fuzzing is often the first step in finding a vulnerability that may lead to the development of a zero-day exploit.

Now let's navigate to the fuzzer directory:

kali > cd fuzzers

Once we are in the fuzzer directory, let's look inside with a long listing.

kali > ls -l

As you can see, Metasploit has seven (7) types of fuzzers:

  • dns
  • ftp
  • http
  • smb
  • smtp
  • ssh
  • tds

Each of these directories includes programs or scripts that enable us to fuzz a particular protocol or function. We will focus our attention on ftp fuzzing in this tutorial.

Step 5: Open the Fuzzers

Let's look inside the ftp fuzzing directory:

kali > cd ftp
kali > ls -l

As you can see, there are two fuzzers for ftp, client_ft.rb and ftp_pre_post.rb. Let's use ftp_pre_post.

Step 6: Use the FTP Pre Post Fuzzer

Now that we have identified an auxiliary module we want to use, let's open the msfconsole and find and use this module. Open the msfconsole by typing msfconsole in any directory from a terminal. This will open up the msfconsole and provide us with an msf prompt.

To find the fuzzer modules in Metasploit, we can use the search function built into msfconsole. We can type:

msf > search type:auxiliary fuzzers

Here we are asking msfconsole to list only those modules that are auxiliary (type:auxiliary) and contain the keyword fuzzers.

The results of that search are listed above. I have highlighted in the screenshot the module we will be using, auxiliary/fuzzers/ftp/ftp_pre_post.

Step 7: Load the Fuzzer Module

To load the module, simply type:

msf > use auxiliary/fuzzers/ftp/ftp_pre_post

Let's take a look at the particulars of this module by looking at its info page.

msf > info

Although this module has many options, to run it we only need to provide a target IP address. In this case, we will run it against a Windows 2003 server with IIS 6.0 and an FTP server. Let's set the IP address:

msf > set RHOSTS 191.168.89.191

After setting the target IP address, we then only need to run this ruby script.

msf > run

As we can see above, the fuzzer begins by sending random input of size 10 bytes and increments the size by 10 bytes on each attempt. The default setting runs up to 20,000 bytes, but we can change that to any value we find appropriate.

After attempting random input, it then begins to send various command inputs, once again starting at 10 bytes and incrementing by 10 up to 20,000 bytes. It will stop when it finds two error messages or reaches the end of all of its attempts. Just a warning: this can take hours.
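To make the two-phase loop just described concrete, here is an added Ruby model of it (my own example, not code from the ftp_pre_post module): it generates the growing cyclic input, counts unanswered probes, and stops after the second one, exactly as the article's output shows. The pattern generator, the command list and the simulated server are all assumptions so that the whole thing runs offline.

```ruby
# Simplified stand-in for Rex::Text.pattern_create (an assumption, not the
# real routine): a cyclic "Aa0Aa1..." string cut to the requested length.
def cyclic_pattern(length)
  out = String.new
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# One phase: send +prefix+ plus a cyclic string, starting at +start+ bytes and
# growing by +step+ up to +max+; give up after +max_errors+ unanswered probes.
def fuzz_phase(sender, prefix: "", start: 10, step: 10, max: 20_000, max_errors: 2)
  errors = 0
  probes = []
  (start..max).step(step) do |size|
    alive = sender.call(prefix + cyclic_pattern(size))
    probes << [size, alive]
    next if alive
    errors += 1
    return { reason: :unresponsive, stopped_at: size, probes: probes } if errors >= max_errors
  end
  { reason: :exhausted, stopped_at: nil, probes: probes }
end

# Phase 1 fuzzes with no command, phase 2 prefixes each command (the list is
# an assumption); stop as soon as a phase finds the server unresponsive.
def run_ftp_pre_post(sender, commands: %w[USER PASS], **opts)
  report = { "no command" => fuzz_phase(sender, **opts) }
  return report if report["no command"][:reason] == :unresponsive
  commands.each do |cmd|
    report[cmd] = fuzz_phase(sender, prefix: "#{cmd} ", **opts)
    break if report[cmd][:reason] == :unresponsive
  end
  report
end
# Constructed stand-in for an FTP daemon: answers until a line longer than
# +limit+ bytes arrives, then stays dead, as a crashed process would.
def simulated_ftp_server(limit)
  crashed = false
  lambda do |line|
    crashed = true if line.bytesize > limit
    !crashed
  end
end
```

Running `run_ftp_pre_post(simulated_ftp_server(64), max: 200)` reproduces the "Exception 2 of 2" behaviour: the 70-byte probe is the first unanswered one, the 80-byte probe the second, and the run ends there without ever reaching the command phase.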

Keep coming back, my hacker novitiates, as we explore more Metasploit auxiliary modules and use them to find unknown vulnerabilities and progress toward developing our own zero-day exploits.

Cover image via Hack a Week

5 Comments

For the first time, I was trying this hack and it went smoothly all the way till the end (usually when I try to connect and exploit as you do in your tutorials it will say cannot connect to host, connecting to 0.0.0.0.444), but this time it went all the way. Now when I run, it just says exception 1 of 2, then exception 2 of 2 over and over again. What did I do wrong?

Michael:

Make sure you can ping the target. That error is because you are not connecting to the target.

OzTW

Well, in every other exploit you have taught, I try it and it tells me it cannot connect to the IP. I don't know why though. Am I using the wrong port?

Now I keep getting this:
* Phase 1 Fuzzing without command - 2014-06-28 18:25:43 -0400
* Character : Cyclic (1/1)
* Exception 1 of 2
* Crash string : Cyclic x 10
* Exception triggered, need 1 more exception(s) before interrupting process
* Exception 2 of 2
* Crash string : Cyclic x 10
* System does not respond - exiting now

  • Error: Rex::ConnectionRefused The connection was refused by the remote host (192.168.1.97:21).

Scanned 1 of 1 hosts (100% complete)
* Auxiliary module execution completed
msf auxiliary(ftpprepost) >

On every other one of your exploits I have tried, I get

msf exploit(adobeflashmp4cprt) > exploit
* Exploit running as background job.

* Started reverse handler on 0.0.0.0:4444

msf exploit(adobeflashmp4cprt) > - Exploit failed: Rex::AddressInUse The address is already in use (*.*.1.97:8080).

what in the world am I doing wrong?!?

Michael:

As for the 8080 message on the adobe hack, Metasploit opens a web server that uses port 8080. Once you set up and then try the exploit again, it will give you the 8080 message. You need to restart Metasploit to re-run this exploit.

OTW
