Auxiliary Modules
Overviewβ
Auxiliary modules perform enumeration, scanning, and credential testing without delivering a payload. For CTE, the primary value is network discovery, SMB/service enumeration, and validating credential sets across multiple hosts.
All auxiliary modules follow the same pattern:
msf6 > use auxiliary/<path>
msf6 > set RHOSTS <TARGET>
msf6 > set THREADS 10
msf6 > run
Results are written to the database automatically when db_status is connected.
SMB Enumerationβ
Host Reachability / SMB Versionβ
msf6 > use auxiliary/scanner/smb/smb_version
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set THREADS 20
msf6 > run
Returns OS version, SMB dialect, hostname, and domain for each responding host. Populates hosts and services in the database.
Share Enumerationβ
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 > set RHOSTS <TARGET_IP>
msf6 > set SMBUser <USERNAME>
msf6 > set SMBPass <PASSWORD>
msf6 > run
Lists all shares and access level (read/write). Set credentials if null session doesn't work.
User Enumerationβ
msf6 > use auxiliary/scanner/smb/smb_enumusers
msf6 > set RHOSTS <TARGET_IP>
msf6 > set SMBUser <USERNAME>
msf6 > set SMBPass <PASSWORD>
msf6 > run
MS17-010 (EternalBlue) Vulnerability Checkβ
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set THREADS 10
msf6 > run
Non-destructive - reports vulnerable hosts without exploiting.
Credential Testingβ
SMB Login (Password Spray / Credential Validation)β
msf6 > use auxiliary/scanner/smb/smb_login
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set SMBUser Administrator
msf6 > set SMBPass Password123
msf6 > set THREADS 10
msf6 > run
# Pass-the-hash
msf6 > set SMBUser Administrator
msf6 > set SMBPass aad3b435b51404eeaad3b435b51404ee:<NT_HASH>
msf6 > run
Before spraying, confirm the domain lockout policy. Default Windows policy locks at 5 failures. Spray conservatively - one password at a time across all hosts before trying another.
Successful logins are stored in creds. View them:
msf6 > creds
SSH Loginβ
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 > set RHOSTS <TARGET_IP>
msf6 > set USERNAME root
msf6 > set PASSWORD Password123
# Or use a credential list:
msf6 > set USER_FILE /opt/wordlists/users.txt
msf6 > set PASS_FILE /opt/wordlists/passwords.txt
msf6 > set STOP_ON_SUCCESS true
msf6 > run
Successful login automatically opens a session (command shell).
WinRM Loginβ
msf6 > use auxiliary/scanner/winrm/winrm_login
msf6 > set RHOSTS <TARGET_IP>
msf6 > set USERNAME Administrator
msf6 > set PASSWORD Password123
msf6 > run
RDP Loginβ
msf6 > use auxiliary/scanner/rdp/rdp_scanner
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set THREADS 10
msf6 > run
Identifies hosts with RDP open; does not authenticate. Pair with smb_login creds for manual RDP access.
HTTP Enumerationβ
Directory Brute Forceβ
msf6 > use auxiliary/scanner/http/dir_scanner
msf6 > set RHOSTS <TARGET_IP>
msf6 > set RPORT 80
msf6 > set DICTIONARY /usr/share/dirb/wordlists/common.txt
msf6 > run
HTTP Version / Headersβ
msf6 > use auxiliary/scanner/http/http_version
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set RPORT 80
msf6 > set THREADS 20
msf6 > run
HTTP Login (Basic / Form Auth)β
msf6 > use auxiliary/scanner/http/http_login
msf6 > set RHOSTS <TARGET_IP>
msf6 > set AUTH_URI /admin/
msf6 > set USERNAME admin
msf6 > set PASSWORD admin
msf6 > run
Port Scanningβ
MSF's port scanner is most useful when scanning through a pivot session (where external tools like Nmap may not route properly without proxychains).
msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set PORTS 22,80,443,445,3389,5985,8080,8443
msf6 > set THREADS 20
msf6 > run
SNMP Enumerationβ
If SNMP is open on network devices or older Windows hosts:
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 > set RHOSTS <TARGET_IP>
msf6 > set COMMUNITY public
msf6 > run
Dumps system info, network interfaces, running processes, and installed software via SNMP.
Useful Module Quick Referenceβ
| Module | Path | Use Case |
|---|---|---|
| SMB version scan | scanner/smb/smb_version | OS/hostname fingerprint, DB population |
| SMB vuln check | scanner/smb/smb_ms17_010 | EternalBlue identification |
| SMB share enum | scanner/smb/smb_enumshares | Find readable/writable shares |
| SMB credential test | scanner/smb/smb_login | Validate creds or spray, supports PTH |
| SSH credential test | scanner/ssh/ssh_login | SSH access validation |
| WinRM login | scanner/winrm/winrm_login | WinRM access validation |
| HTTP version | scanner/http/http_version | Web service fingerprinting |
| HTTP directory | scanner/http/dir_scanner | Web content discovery |
| TCP port scan | scanner/portscan/tcp | Pivot-side port scanning |
| SNMP enum | scanner/snmp/snmp_enum | Device/host enumeration via SNMP |
| ARP sweep | scanner/discovery/arp_sweep | Live host discovery on a local segment |