Skip to main content

Auxiliary Modules


Overview​

Auxiliary modules perform enumeration, scanning, and credential testing without delivering a payload. For CTE, the primary value is network discovery, SMB/service enumeration, and validating credential sets across multiple hosts.

All auxiliary modules follow the same pattern:

msf6 > use auxiliary/<path>
msf6 > set RHOSTS <TARGET>
msf6 > set THREADS 10
msf6 > run

Results are written to the database automatically when db_status is connected.


SMB Enumeration​

Host Reachability / SMB Version​

msf6 > use auxiliary/scanner/smb/smb_version
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set THREADS 20
msf6 > run

Returns OS version, SMB dialect, hostname, and domain for each responding host. Populates hosts and services in the database.

Share Enumeration​

msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 > set RHOSTS <TARGET_IP>
msf6 > set SMBUser <USERNAME>
msf6 > set SMBPass <PASSWORD>
msf6 > run

Lists all shares and access level (read/write). Set credentials if null session doesn't work.

User Enumeration​

msf6 > use auxiliary/scanner/smb/smb_enumusers
msf6 > set RHOSTS <TARGET_IP>
msf6 > set SMBUser <USERNAME>
msf6 > set SMBPass <PASSWORD>
msf6 > run

MS17-010 (EternalBlue) Vulnerability Check​

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set THREADS 10
msf6 > run

Non-destructive - reports vulnerable hosts without exploiting.


Credential Testing​

SMB Login (Password Spray / Credential Validation)​

msf6 > use auxiliary/scanner/smb/smb_login
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set SMBUser Administrator
msf6 > set SMBPass Password123
msf6 > set THREADS 10
msf6 > run

# Pass-the-hash
msf6 > set SMBUser Administrator
msf6 > set SMBPass aad3b435b51404eeaad3b435b51404ee:<NT_HASH>
msf6 > run
Account Lockout

Before spraying, confirm the domain lockout policy. Default Windows policy locks at 5 failures. Spray conservatively - one password at a time across all hosts before trying another.

Successful logins are stored in creds. View them:

msf6 > creds

SSH Login​

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 > set RHOSTS <TARGET_IP>
msf6 > set USERNAME root
msf6 > set PASSWORD Password123
# Or use a credential list:
msf6 > set USER_FILE /opt/wordlists/users.txt
msf6 > set PASS_FILE /opt/wordlists/passwords.txt
msf6 > set STOP_ON_SUCCESS true
msf6 > run

Successful login automatically opens a session (command shell).

WinRM Login​

msf6 > use auxiliary/scanner/winrm/winrm_login
msf6 > set RHOSTS <TARGET_IP>
msf6 > set USERNAME Administrator
msf6 > set PASSWORD Password123
msf6 > run

RDP Login​

msf6 > use auxiliary/scanner/rdp/rdp_scanner
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set THREADS 10
msf6 > run

Identifies hosts with RDP open; does not authenticate. Pair with smb_login creds for manual RDP access.


HTTP Enumeration​

Directory Brute Force​

msf6 > use auxiliary/scanner/http/dir_scanner
msf6 > set RHOSTS <TARGET_IP>
msf6 > set RPORT 80
msf6 > set DICTIONARY /usr/share/dirb/wordlists/common.txt
msf6 > run

HTTP Version / Headers​

msf6 > use auxiliary/scanner/http/http_version
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set RPORT 80
msf6 > set THREADS 20
msf6 > run

HTTP Login (Basic / Form Auth)​

msf6 > use auxiliary/scanner/http/http_login
msf6 > set RHOSTS <TARGET_IP>
msf6 > set AUTH_URI /admin/
msf6 > set USERNAME admin
msf6 > set PASSWORD admin
msf6 > run

Port Scanning​

MSF's port scanner is most useful when scanning through a pivot session (where external tools like Nmap may not route properly without proxychains).

msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS 10.10.10.0/24
msf6 > set PORTS 22,80,443,445,3389,5985,8080,8443
msf6 > set THREADS 20
msf6 > run

SNMP Enumeration​

If SNMP is open on network devices or older Windows hosts:

msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 > set RHOSTS <TARGET_IP>
msf6 > set COMMUNITY public
msf6 > run

Dumps system info, network interfaces, running processes, and installed software via SNMP.


Useful Module Quick Reference​

ModulePathUse Case
SMB version scanscanner/smb/smb_versionOS/hostname fingerprint, DB population
SMB vuln checkscanner/smb/smb_ms17_010EternalBlue identification
SMB share enumscanner/smb/smb_enumsharesFind readable/writable shares
SMB credential testscanner/smb/smb_loginValidate creds or spray, supports PTH
SSH credential testscanner/ssh/ssh_loginSSH access validation
WinRM loginscanner/winrm/winrm_loginWinRM access validation
HTTP versionscanner/http/http_versionWeb service fingerprinting
HTTP directoryscanner/http/dir_scannerWeb content discovery
TCP port scanscanner/portscan/tcpPivot-side port scanning
SNMP enumscanner/snmp/snmp_enumDevice/host enumeration via SNMP
ARP sweepscanner/discovery/arp_sweepLive host discovery on a local segment