Browsing exploits with Metasploit console

Question

Is there any way to browse certain exploits in MSFconsole? The show exploits command shows too many and I cannot find a way to show just Windows file format exploits, for example.

Answer 1

There's a couple of ways you could do this, that spring to mind

First up would be using search which will show exploits matching the search term, (eg, search fileformat would return modules matching that term. The other was would be to use the tab completion, so if you type:

use exploit/windows/fileformat/ and then hit Tab. It'll scroll through all the exploits under that folder.

Answer 2

In msf console,

• you can use the autocomplete feature (as Rory suggests)
• you can use the search command: search windows/fileformat -t exploit

If not restrained to the console, another idea is to browse them online here http://www.metasploit.com/modules/exploit/windows/fileformat/

You can also use things like Armitage to browse exploits in a nicer way or other various interfaces.

Answer 3

If you're looking to list certain properties of the exploits (for instance, targets), have a look at the tools directory:

user@disko:~/framework/tools$ ./module_rank.rb 
Module Ranks
============

Module                                                                 Rank
------                                                                 ----
auxiliary/admin/2wire/xslt_password_reset                              300
auxiliary/admin/backupexec/dump                                        300
... [snip]

If you're comfortable looking at source, i use a lot of this bash function (stuck in my .bashrc). While it may be overkill, you'll find lots of interesting tidbits in the source / comments:

function rgrep() { 
    find -L . -type f -name \*.*rb -exec grep -n -i -H --color "$1" {} \; 
}

user@disko:~/framework/modules$ rgrep "backup exec"
./auxiliary/admin/backupexec/dump.rb:22:            'Name'  => 'Veritas Backup Exec Windows Remote File Access',
./auxiliary/admin/backupexec/dump.rb:24:                This module abuses a logic flaw in the Backup Exec Windows Agent to download
./auxiliary/admin/backupexec/dump.rb:26:                remain anonymous and affects all known versions of the Backup Exec Windows Agent. 
... [snip]

... And probably what you're really looking for (as stated above) is the search command inside msfconsole. Note that you can search by name, path, platform, type, app, author, cve, bid, or osvdb.

Answer 4

To search for an exploit, use search.

search name:[name of exploit, e.g smb/rpc/http] type:[exploit/payload/auxillary] platform:[windows/linux etc.]

For example:

msf> search name:smb type:exploit platform:windows

Answer 5

You can use Armitage in order to browse the module tree and easily search for exploit modules. Armitage filters the module tree in real time based on the keywords you type in, as shown in the screenshot below.

Answer 6

First I'll list what doesn't quite work for me.

1. use exploit/windows/fileformat/ and then hit Tab is next to the best in my list. I appreciate the auto-completion feature, but the output lacks disclosure date, rank and descriptions - the fields that are available with the search command.

2. Using search command with type: filter delivers too broad result set (you get all exploits or all auxiliary modules; you can't zero in on exploit/windows/local for example), and is currently broken anyway.

3. metasploit-framework/tools/module_rank.rb takes too long to return results, sorting by rank doesn't work, rank is displayed in numbers (you have to remember that 300 is Normal, and 400 is Good), and the result set doesn't contain a description.

The crutch I found to be working is using the module branch path with the search command, e.g. search exploit/windows/fileformat/ will return all fileformat exploits for Windows with disclosure date, rank and description. But you have to be fluent with msfconsole module branch paths to find this approach useful.