Link Search Menu Expand Document

Metasploit plugins can change the behavior of Metasploit framework by adding new features, new user interface commands, and more. They are designed to have a very loose definition in order to make them as useful as possible.

Plugins are not available by default, they need to be loaded:

msf6 > load plugin_name

Plugins can be automatically loaded and configured on msfconsole’s start up by configuring a custom ~/.msf4/msfconsole.rc file:

load plugin_name
plugin_name_command --option

Available Plugins

The current available plugins for Metasploit can be found by running the load -l command, or viewing Metasploit’s plugins directory:

aggregatorInteracts with the external Session Aggregator
aliasAdds the ability to alias console commands
auto_add_routeAdds routes for any new subnets whenever a session opens
beholderCapture screenshots, webcam pictures, and keystrokes from active sessions
besecureIntegrates with the beSECURE - open source vulnerability management
captureStart all credential capture and spoofing services
db_credcollectAutomatically grab hashes and tokens from Meterpreter session events and store them in the database
db_trackerMonitors socket calls and updates the database backend
event_testerInternal test tool used to verify the internal framework event subscriber logic works
ffautoregenThis plugin reloads and re-executes a file-format exploit module once it has changed
ips_filterScans all outgoing data to see if it matches a known IPS signature
labAdds the ability to manage VMs
libnotifySend desktop notification with libnotify on sessions and db events
msfdProvides a console interface to users over a listening TCP port
msgrpcProvides a MessagePack interface over HTTP
nessusNessus Bridge for Metasploit
nexposeIntegrates with the Rapid7 Nexpose vulnerability management product
openvasIntegrates with the OpenVAS - open source vulnerability management
pcap_logLogs all socket operations to pcaps (in /tmp by default)
requestMake requests from within Metasploit using various protocols.
rssfeedCreate an RSS feed of events
sampleDemonstrates using framework plugins
session_notifierThis plugin notifies you of a new session via SMS
session_taggerAutomatically interacts with new sessions to create a new remote TaggedByUser file
socket_loggerLog socket operations to a directory as individual files
soundsAutomatically plays a sound when various framework events occur
sqlmapsqlmap plugin for Metasploit
threadInternal test tool for testing thread usage in Metasploit
token_adduserAttempt to add an account using all connected Meterpreter session tokens
token_hunterSearch all active Meterpreter sessions for specific tokens
wikiOutputs stored database values from the current workspace into DokuWiki or MediaWiki format
wmapWeb assessment plugin


Alias Plugin

The Alias plugin adds the ability to alias console commands:

msf6 > load alias
[*] Successfully loaded plugin: alias
msf6 > alias -h
Usage: alias [options] [name [value]]


    -c   Clear an alias (* to clear all).
    -f   Force an alias assignment.
    -h   Help banner.

Register an alias such as proxy_enable:

msf6 > alias proxy_enable "set Proxies http:localhost:8079"

Now when running the aliased proxy_enable command, the proxy datastore value will be set for the current module:

msf6 auxiliary(scanner/http/title) > proxy_enable
Proxies => http:localhost:8079

Viewing registered aliases:

msf6 > alias

Current Aliases

       Alias Name    Alias Value
       ----------    -----------
alias  proxy_enable  set Proxies http:localhost:8079

To automatically load and configure the alias plugin on startup of Metasploit, create a custom ~/.msf4/msfconsole.rc file:

load alias
alias proxy_enable "set Proxies http:localhost:8079"
alias proxy_disable "unset Proxies"
alias routes "route print"

Capture Plugin

Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the modules/auxiliary/server/capture directory. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter. A configuration file can be used to select individual services to start and once finished, all services can easily be stopped using a single command.

To use the plugin, it must first be loaded. That will provide the captureg command (for Capture-Global) which then offers start and stop subcommands. In the following example, the plugin is loaded, and then all default services are started on the interface.

msf6 > load capture
[*] Successfully loaded plugin: Credential Capture
msf6 > captureg start --ip
Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
[+] Authentication Capture: FTP started
[+] HTTP Client MS Credential Catcher started
[+] HTTP Client MS Credential Catcher started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: MSSQL started
[+] Authentication Capture: MySQL started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: PostgreSQL started
[+] Printjob Capture Service started
[+] Authentication Capture: SIP started
[+] Authentication Capture: SMB started
[+] Authentication Capture: SMTP started
[+] Authentication Capture: Telnet started
[+] Authentication Capture: VNC started
[+] Authentication Capture: FTP started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: SMTP started
[+] NetBIOS Name Service Spoofer started
[+] LLMNR Spoofer started
[+] mDNS Spoofer started
[+] Started capture jobs
msf6 >

This content was originally posted on the Rapid7 Blog.