Introduction
The Metasploit Framework is a powerful tool used by security professionals for penetration testing and vulnerability assessment. It contains a vast database of modules, including exploits, auxiliary scanners, payloads, and more. With thousands of available modules, knowing how to efficiently search for the right one is a critical skill.
In this lab, you will learn the fundamental techniques for searching for modules in Metasploit. We will start with basic keyword searches and then explore how to refine those searches using filters for module type and specific CVE identifiers. Finally, you will learn how to inspect a module's details and select it for use.
Use the search command with a service name like ssh
In this step, you will begin by launching the Metasploit console and performing a basic search for modules related to a specific service. The search command is your primary tool for navigating Metasploit's extensive module library.
First, open your terminal and start the Metasploit Framework console by running the msfconsole command. This may take a moment to load.
msfconsole
You will see a banner and the Metasploit command prompt, which looks like msf6 >.
Now, let's search for all modules related to the SSH (Secure Shell) service. Type the following command into the Metasploit console and press Enter:
search ssh
Metasploit will display a list of all modules that have "ssh" in their name or description. The output will be a table with several columns:
- #: The index number of the module in the search results.
- Name: The full path and name of the module.
- Disclosure Date: The date the vulnerability was publicly disclosed.
- Rank: The reliability rating of the module (e.g., excellent, great, good).
- Check: Indicates if the module has a check method to see if a target is vulnerable without exploiting it.
- Description: A brief summary of what the module does.
Your output will look similar to this (the list may be longer and versions might differ):
msf6 > search ssh
Matching Modules
================
#  Name                                    Disclosure Date  Rank    Check  Description
-  ----                                    ---------------  ----    -----  -----------
0  auxiliary/scanner/ssh/ssh_login         1999-01-01       normal  No     SSH Login Check Scanner
1  auxiliary/scanner/ssh/ssh_login_pubkey  2002-07-23       normal  No     SSH Public Key Login Scanner
2  exploit/linux/ssh/libssh_auth_bypass    2018-10-16       great   Yes    LibSSH Authentication Bypass
3  auxiliary/scanner/ssh/ssh_enumusers     2018-08-20       normal  No     OpenSSH User Enumeration
4  post/linux/manage/ssh_authorized_keys                    normal  No     Linux Manage SSH Authorized Keys
...
This simple search gives you a broad overview of all available SSH-related modules.
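The table layout described above can be read back into structured rows by slicing on the underline row instead of splitting on whitespace, which keeps the empty Disclosure Date of row 4 in its own column. This is an added example, not part of the original lab or of Metasploit itself; SAMPLE, parse_search_table and shortlist are names assumed here, and the sample is rebuilt from the rows shown on this page.

```python
import re

# Constructed sample: the SSH rows shown on this page, laid out in the
# column-aligned form the console prints (assumed: plain text, no colour codes).
SAMPLE = """\
Matching Modules
================
   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_login         1999-01-01       normal  No     SSH Login Check Scanner
   1  auxiliary/scanner/ssh/ssh_login_pubkey  2002-07-23       normal  No     SSH Public Key Login Scanner
   2  exploit/linux/ssh/libssh_auth_bypass    2018-10-16       great   Yes    LibSSH Authentication Bypass
   3  auxiliary/scanner/ssh/ssh_enumusers     2018-08-20       normal  No     OpenSSH User Enumeration
   4  post/linux/manage/ssh_authorized_keys                    normal  No     Linux Manage SSH Authorized Keys
   ...
"""

# Metasploit's rank names, least to most reliable.
RANKS = ["manual", "low", "average", "normal", "good", "great", "excellent"]


def parse_search_table(text):
    """Return one dict per result row, keyed by the table's column headers."""
    lines = text.splitlines()
    # The underline row (runs of '-') marks the offset where each column starts.
    for i, line in enumerate(lines):
        if i and re.fullmatch(r"\s*-+(\s+-+)+\s*", line):
            break
    else:
        raise ValueError("no column underline row found")
    starts = [m.start() for m in re.finditer(r"-+", line)]
    spans = list(zip(starts, starts[1:] + [None]))
    headers = [lines[i - 1][a:b].strip() for a, b in spans]
    rows = []
    for row in lines[i + 1:]:
        cells = [row[a:b].strip() for a, b in spans]
        if cells[0].isdigit():  # skip blank lines and the "..." truncation marker
            rows.append(dict(zip(headers, cells)))
    return rows


def shortlist(rows, module_type=None, min_rank="manual", need_check=False):
    """Names of rows matching a type prefix, a minimum rank and check support."""
    floor = RANKS.index(min_rank)
    return [r["Name"] for r in rows
            if (module_type is None or r["Name"].startswith(module_type + "/"))
            and RANKS.index(r["Rank"]) >= floor
            and (not need_check or r["Check"] == "Yes")]
```

A whitespace split would put "normal" in the Disclosure Date field of row 4 and break every multi-word description, which is why the column offsets are taken from the underline row.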
Filter search results by module type like exploit or auxiliary
In this step, you will learn how to narrow your search results by filtering for a specific module type. The previous search returned various types of modules, such as auxiliary, exploit, and post. Often, you know what kind of module you need.
Metasploit allows you to filter searches with keywords like type. The most common types are:
- exploit: Modules that take advantage of a vulnerability to gain control.
- auxiliary: Modules for scanning, fuzzing, sniffing, and other actions that are not direct exploits.
- post: Post-exploitation modules that are run on a compromised system.
Let's refine our previous search to find only exploit modules related to SSH. Use the type: filter in your search query:
search type:exploit ssh
The output will now be limited to modules that are classified as exploits:
msf6 > search type:exploit ssh
Matching Modules
================
#  Name                                  Disclosure Date  Rank    Check  Description
-  ----                                  ---------------  ----    -----  -----------
0  exploit/linux/ssh/libssh_auth_bypass  2018-10-16       great   Yes    LibSSH Authentication Bypass
1  exploit/multi/ssh/sshexec             2004-01-01       manual  No     SSH Exec
...
Similarly, if you were looking for a scanner to gather information about an SSH service, you would search for auxiliary modules:
search type:auxiliary ssh
This command will return a list of scanners and other non-exploit tools for SSH.
msf6 > search type:auxiliary ssh
Matching Modules
================
#  Name                                 Disclosure Date  Rank    Check  Description
-  ----                                 ---------------  ----    -----  -----------
0  auxiliary/scanner/ssh/ssh_login      1999-01-01       normal  No     SSH Login Check Scanner
1  auxiliary/scanner/ssh/ssh_enumusers  2018-08-20       normal  No     OpenSSH User Enumeration
...
Using type filters is a powerful way to quickly find the kind of tool you need.
Search for a specific CVE identifier
In this step, you will learn how to search for modules associated with a specific Common Vulnerabilities and Exposures (CVE) identifier. When you know the CVE ID of a vulnerability you want to target, this is the most direct way to find the corresponding module.
A CVE is a unique identifier for a publicly known cybersecurity vulnerability. Metasploit modules are often tagged with the CVEs they address.
You can search by CVE using the cve: filter. For example, let's search for a module related to CVE-2018-15473, a user enumeration vulnerability in some versions of OpenSSH.
search cve:2018-15473
This search is very specific and should return only the module(s) designed to target this exact vulnerability.
msf6 > search cve:2018-15473
Matching Modules
================
#  Name                                 Disclosure Date  Rank    Check  Description
-  ----                                 ---------------  ----    -----  -----------
0  auxiliary/scanner/ssh/ssh_enumusers  2018-08-20       normal  No     OpenSSH User Enumeration
As you can see, the search pinpoints the exact auxiliary module for this CVE. Searching by CVE is an essential technique when you are working from a vulnerability scan report or a security advisory.
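One way to go from a scan report to the cve: queries described above, so that findings with a public module can be identified for patch prioritisation. This is an added example, not part of the original lab; the report format, REPORT and cve_queries are assumptions, and the CVE-2099-* identifiers are constructed placeholders.

```python
import re
from collections import Counter

# Constructed scan-report excerpt. Hosts use the 192.0.2.0/24 documentation
# range; the CVE-2099-* IDs are placeholders, not real vulnerabilities.
REPORT = """\
192.0.2.10 tcp/22 OpenSSH user enumeration (CVE-2018-15473)
192.0.2.11 tcp/22 OpenSSH user enumeration (cve-2018-15473)
192.0.2.12 tcp/8443 placeholder finding CVE-2099-123456, CVE-2099-0001
192.0.2.13 tcp/8443 placeholder finding CVE-2099-123456; malformed id CVE-99-12
192.0.2.14 tcp/8443 placeholder finding CVE-2099-123456 (CVE-2099-123456)
"""

# Four-digit year, then four OR MORE digits: sequence numbers are not fixed
# width, so a pattern that stops at four digits would truncate longer IDs.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def cve_queries(report):
    """Return 'search cve:<year>-<number>' lines, most-reported CVE first."""
    findings = Counter()
    for line in report.splitlines():
        # set(): a CVE named twice in one finding still counts once
        for year, number in set(CVE_RE.findall(line)):
            findings[f"{year}-{number}"] += 1
    ranked = sorted(findings.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"search cve:{cve}" for cve, _ in ranked]
```

Saved one per line to a file, the returned commands form a resource script that msfconsole -r <file> replays in order.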
Use the info command to view detailed module information
In this step, you will learn how to get detailed information about a module before you use it. After finding a promising module, it's important to understand what it does, what options it requires, and who developed it. The info command provides all of this.
You can use the info command with either the module's full name or its index number from the last search result. Let's get more information on the ssh_enumusers module we found in the previous step.
You can use its full name:
info auxiliary/scanner/ssh/ssh_enumusers
Alternatively, if it was item 0 in your last search, you could simply use info 0. Using the full name is generally more reliable.
The command will display a detailed page about the module:
msf6 > info auxiliary/scanner/ssh/ssh_enumusers
Name: OpenSSH User Enumeration
Module: auxiliary/scanner/ssh/ssh_enumusers
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2018-08-20
Provided by:
  Justin Gardner
Check supported:
  No
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      22               yes       The target port (TCP)
  THREADS    1                yes       The number of concurrent threads (max one per host)
  USER_FILE                   yes       File containing usernames, one per line
Description:
  This module enumerates valid usernames on OpenSSH servers by exploiting
  a subtle timing discrepancy in the C library's handling of password
  authentication.
References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15473
  https://www.exploit-db.com/exploits/45233/
This output gives you crucial information, including the required options (RHOSTS, USER_FILE, etc.), a full description of the module's purpose, and links to the original vulnerability disclosures. Always review this information before using a module.
Select a module for use with the use command
In this final step, you will learn how to select a module to make it active. Once you have identified and researched a module, you need to load it into the framework's context to configure and run it. This is done with the use command.
Similar to the info command, use can be followed by the module's full name or its index number from the search results. Let's select the ssh_enumusers module.
use auxiliary/scanner/ssh/ssh_enumusers
After you run this command, you will notice that your Metasploit prompt changes. It now includes the name of the active module, indicating that it is loaded and ready for configuration.
msf6 > use auxiliary/scanner/ssh/ssh_enumusers
msf6 auxiliary(scanner/ssh/ssh_enumusers) >
The new prompt msf6 auxiliary(scanner/ssh/ssh_enumusers) > confirms that the module is loaded. From here, you would typically use commands like show options to see what parameters need to be set, set to configure them, and finally run or exploit to execute the module. We will not be running the module in this lab, but selecting it is the essential final step in the search process.
To go back to the main msf6 > prompt, you can use the back command.
Summary
In this lab, you have learned the essential skills for finding modules within the Metasploit Framework. You are now able to navigate the thousands of available modules with precision and efficiency.
You practiced using the core commands for this process:
- search: To find modules based on keywords like service names.
- search type:<type>: To filter results for specific module types like exploit or auxiliary.
- search cve:<cveid>: To pinpoint modules associated with a specific CVE vulnerability.
- info: To inspect a module's details, options, and purpose.
- use: To select and load a module into the framework's context.
Mastering these search techniques is a fundamental step toward becoming proficient with Metasploit. You are now well-equipped to find the right tools for your future penetration testing engagements.


