Ollama Scanner_MSF:AUXILIARY-SCANNER-HTTP-OLLAMA_INFO-

Description

This module identifies ollama instances and enumerates the LLM models which have been loaded and are running. Module Options msf use auxiliary/scanner/http/ollamainfo msf auxiliaryollamainfo show actions ...actions... msf auxiliaryollamainfo set ACTION...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-SCANNER-HTTP-OLLAMA_INFO-

Published May 21, 2026 at 19:01

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ollama Scanner',
'Description' => %q{
This module identifies ollama instances and enumerates the LLM
models which have been loaded and are running.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die'
],
'References' => [
['URL', 'https://ollama.readthedocs.io/en/api/']
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => []
}
)
)

register_options(
[
Opt::RPORT(11434),
OptString.new('TARGETURI', [true, 'Base URI', '/']),
]
)
end

def humanize(bytes)
return '0 B' if bytes <= 0

units = ['B', 'KB', 'MB', 'GB', 'TB']
i = [(Math.log2(bytes) / 10).to_i, units.length - 1].min
'%.2f %s' % [bytes.to_f / (1024**i), units[i]]
end

def ollama?
res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI']) })

return res.body == 'Ollama is running' if res && res.code == 200

nil
end

# documenting that this is here, but nunused
# def generate
# res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'generate') })
#
# return res.get_json_document if res && res.code == 200
#
# nil
# end

def list_local_models
res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'tags') })

return res.get_json_document if res && res.code == 200

nil
end

def list_running_models
res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'ps') })

return res.get_json_document if res && res.code == 200

nil
end

def get_model_info(model)
post_data = {
'model' => model
}
post_json = JSON.generate(post_data)
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/json',
'data' => post_json,
'uri' => normalize_uri(target_uri.path, 'api', 'show')
})

return res.get_json_document if res && res.code == 200

nil
end

def get_temperature(details)
unless details.nil? || details['parameters'].nil?
details['parameters'].each_line do |line|
next unless line.start_with?('temperature')

return line.split[1]
end
end
'N/A'
end

def get_system_prompt(details)
unless details.nil? || details['modelfile'].nil?
details['modelfile'].each_line do |line|
next unless line.start_with?('SYSTEM ')

return line.split('SYSTEM ')[1]
end
end
'N/A'
end

def run_host(ip)
vprint_status("Checking #{ip}")
unless ollama?
vprint_error('Ollama instance not found')
return
end
models_table = Rex::Text::Table.new(
'Header' => "#{ip} Ollama Models",
'Indent' => 2,
'Columns' => [
'Name',
'Release',
'Status',
'Size',
'Parameter Size',
'Temperature',
'System Prompt'
]
)
running_names = []
running_models_res = list_running_models
if running_models_res.nil?
vprint_error('Could not retrieve running models (endpoint unreachable or returned non-200)')
end
(running_models_res&.fetch('models', nil) || []).each do |model|
vprint_status(" Found model: #{model['name']}")
details = get_model_info(model['name'])
temperature = get_temperature(details)
system_prompt = get_system_prompt(details)

models_table << [
model['name'].split(':')[0],
model['name'].split(':')[1],
'Running',
humanize(model['size']),
details.dig('details', 'parameter_size'),
temperature,
system_prompt
]
running_names << model['name']
end
installed_models_res = list_local_models
if installed_models_res.nil?
vprint_error('Could not retrieve local models (endpoint unreachable or returned non-200)')
return
end
(installed_models_res['models'] || []).each do |model|
next if running_names.include?(model['name'])

vprint_status(" Found model: #{model['name']}")
details = get_model_info(model['name'])
temperature = get_temperature(details)
system_prompt = get_system_prompt(details)

models_table << [
model['name'].split(':')[0],
model['name'].split(':')[1],
'Installed',
humanize(model['size']),
details.dig('details', 'parameter_size'),
temperature,
system_prompt
]
end

print_status(models_table.to_s)
end
end

{
    "lastseen": "2026-05-21T19:28:01",
    "description": "This module identifies ollama instances and enumerates the LLM models which have been loaded and are running. Module Options msf use auxiliary/scanner/http/ollamainfo msf auxiliaryollamainfo show actions ...actions... msf auxiliaryollamainfo set ACTION...",
    "published": "2026-05-21T19:01:01",
    "modified": "2026-05-21T19:01:01",
    "type": "metasploit",
    "title": "Ollama Scanner",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-SCANNER-HTTP-OLLAMA_INFO-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Auxiliary::Scanner\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Ollama Scanner',\n        'Description' => %q{\n          This module identifies ollama instances and enumerates the LLM\n          models which have been loaded and are running.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'h00die'\n        ],\n        'References' => [\n          ['URL', 'https://ollama.readthedocs.io/en/api/']\n        ],\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [],\n          'SideEffects' => []\n        }\n      )\n    )\n\n    register_options(\n      [\n        Opt::RPORT(11434),\n        OptString.new('TARGETURI', [true, 'Base URI', '/']),\n      ]\n    )\n  end\n\n  def humanize(bytes)\n    return '0 B' if bytes <= 0\n\n    units = ['B', 'KB', 'MB', 'GB', 'TB']\n    i = [(Math.log2(bytes) / 10).to_i, units.length - 1].min\n    '%.2f %s' % [bytes.to_f / (1024**i), units[i]]\n  end\n\n  def ollama?\n    res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI']) })\n\n    return res.body == 'Ollama is running' if res && res.code == 200\n\n    nil\n  end\n\n  # documenting that this is here, but nunused\n  # def generate\n  #   res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'generate') })\n  #\n  #   return res.get_json_document if res && res.code == 200\n  #\n  #   nil\n  # end\n\n  def list_local_models\n    res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'tags') })\n\n    return res.get_json_document if res && res.code == 200\n\n    nil\n  end\n\n  def list_running_models\n    res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'ps') })\n\n    return res.get_json_document if res && res.code == 200\n\n    nil\n  end\n\n  def get_model_info(model)\n    post_data = {\n      'model' => model\n    }\n    post_json = JSON.generate(post_data)\n    res = send_request_cgi({\n      'method' => 'POST',\n      'ctype' => 'application/json',\n      'data' => post_json,\n      'uri' => normalize_uri(target_uri.path, 'api', 'show')\n    })\n\n    return res.get_json_document if res && res.code == 200\n\n    nil\n  end\n\n  def get_temperature(details)\n    unless details.nil? || details['parameters'].nil?\n      details['parameters'].each_line do |line|\n        next unless line.start_with?('temperature')\n\n        return line.split[1]\n      end\n    end\n    'N/A'\n  end\n\n  def get_system_prompt(details)\n    unless details.nil? || details['modelfile'].nil?\n      details['modelfile'].each_line do |line|\n        next unless line.start_with?('SYSTEM ')\n\n        return line.split('SYSTEM ')[1]\n      end\n    end\n    'N/A'\n  end\n\n  def run_host(ip)\n    vprint_status(\"Checking #{ip}\")\n    unless ollama?\n      vprint_error('Ollama instance not found')\n      return\n    end\n    models_table = Rex::Text::Table.new(\n      'Header' => \"#{ip} Ollama Models\",\n      'Indent' => 2,\n      'Columns' => [\n        'Name',\n        'Release',\n        'Status',\n        'Size',\n        'Parameter Size',\n        'Temperature',\n        'System Prompt'\n      ]\n    )\n    running_names = []\n    running_models_res = list_running_models\n    if running_models_res.nil?\n      vprint_error('Could not retrieve running models (endpoint unreachable or returned non-200)')\n    end\n    (running_models_res&.fetch('models', nil) || []).each do |model|\n      vprint_status(\"  Found model: #{model['name']}\")\n      details = get_model_info(model['name'])\n      temperature = get_temperature(details)\n      system_prompt = get_system_prompt(details)\n\n      models_table << [\n        model['name'].split(':')[0],\n        model['name'].split(':')[1],\n        'Running',\n        humanize(model['size']),\n        details.dig('details', 'parameter_size'),\n        temperature,\n        system_prompt\n      ]\n      running_names << model['name']\n    end\n    installed_models_res = list_local_models\n    if installed_models_res.nil?\n      vprint_error('Could not retrieve local models (endpoint unreachable or returned non-200)')\n      return\n    end\n    (installed_models_res['models'] || []).each do |model|\n      next if running_names.include?(model['name'])\n\n      vprint_status(\"  Found model: #{model['name']}\")\n      details = get_model_info(model['name'])\n      temperature = get_temperature(details)\n      system_prompt = get_system_prompt(details)\n\n      models_table << [\n        model['name'].split(':')[0],\n        model['name'].split(':')[1],\n        'Installed',\n        humanize(model['size']),\n        details.dig('details', 'parameter_size'),\n        temperature,\n        system_prompt\n      ]\n    end\n\n    print_status(models_table.to_s)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/ollama_info.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/ollama_info/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply