[Blackhat Europe tool] Exploitivator: Automate Metasploit scanning and exploitation

Exploitivator

Exploitivator

This script uses two config files(exploitivator_scan.cfg and exploitivator.cfg). One to specify Nmap scans and parameters(exploitivator_scan.cfg), and one to specify Metasploit payloads and parameters(exploitivator.cfg). These use ‘##’ as a separator and have the following formats.

exploitivator_scan.cfg: [Label]

##[Nmap command line parameters]

##[Nmap command line parameters for file output]

##[Optional – grep command to be used if Nmap’s greppable output is being used]

In the above format:

  1. The first section is a label linking the scan to the exploit
  2. The second section is the part of the Nmap command line which specifies details of the type of scan to run, such as port and script
  3. The third section is the part of the Nmap command line that defines the Nmap output file (Exploitivator handles XML or greppable Nmap output)
  4. The optional fourth section is the grep command that you wish to use in order to identify a vulnerable target within a ‘.gnmap’ file

Install

Pre requirement

This has only been tested on Kali.

It depends on the msfrpc module for Python, described in detail here: https://www.trustwave.com/Resources/SpiderLabs-Blog/Scripting-Metasploit-using-MSGRPC/

Install the necessary Kali packages and the PostgreSQL gem for Ruby: apt-get install postgresql libpq-dev git-core gem install pg

Install the current version of the msfrpc Python module from git:

git clone git://github.com/SpiderLabs/msfrpc.git msfrpc

cd msfrpc/python-msfrpc

python setup.py install

Download

git clone https://github.com/N1ckDunn/Exploitivator.git

Use

Before running either of the scripts, load msfconsole and start the MSGRPC service.
MSGRPC can be started with msfrpcd in Metasploit as follows: load msgrpc Pass=abc123

The results of scans and/or exploitation will appear in the Metasploit console and in the ouput file(s) (msf_scan_output.txt and exploitivator_output.txt).

Use MSFScan to run multiple Metasploit scans against a group of target hosts. Use Exploitivator to run Nmap script scans against a group of target hosts and automatically exploit any reported as vulnerable.

Exploitivator

Command-line usage:

Examples: The application can be run as follows, where ‘10.128.108.178’ is the IP address of the attack machine, ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password:

./exploitivator.py -l 10.128.108.178 -f hosts.txt -u msf -m abc123

MSFScan

Command-line usage:

./msf_scan.py filename ./msf_scan.py filename MSF_DB_Username MSF_DB_Password

Examples: The application can be run as follows, where ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password: ./msf_scan.py hosts.txt msf abc123

To run with ‘hosts.txt’ as a list of target hosts, using the script’s default Metasploit Postgres username(msf) and the script’s default Metasploit Postgres password(abc123): ./msf_scan.py hosts.txt

Config Files

Both scripts rely on config files to provide details of required Nmap and Metasploit scans and attacks.

MSFScan

The script uses a config file with the name ‘scan_types.cfg’. This contains a list of paths for any Metasploit scans the are to run against the targets. e.g.: auxiliary/scanner/dcerpc/endpoint_mapper auxiliary/scanner/smb/smb_version auxiliary/scanner/x11/open_x11 auxiliary/scanner/discovery/ipv6_multicast_ping auxiliary/scanner/discovery/ipv6_neighbor auxiliary/scanner/smb/smb_login

Source: https://github.com/N1ckDunn/