[Blackhat Europe tool] Exploitivator: Automate Metasploit scanning and exploitation
This script uses two config files(exploitivator_scan.cfg and exploitivator.cfg). One to specify Nmap scans and parameters(exploitivator_scan.cfg), and one to specify Metasploit payloads and parameters(exploitivator.cfg). These use ‘##’ as a separator and have the following formats.
##[Nmap command line parameters]
##[Nmap command line parameters for file output]
##[Optional – grep command to be used if Nmap’s greppable output is being used]
In the above format:
- The first section is a label linking the scan to the exploit
- The second section is the part of the Nmap command line which specifies details of the type of scan to run, such as port and script
- The third section is the part of the Nmap command line that defines the Nmap output file (Exploitivator handles XML or greppable Nmap output)
- The optional fourth section is the grep command that you wish to use in order to identify a vulnerable target within a ‘.gnmap’ file
This has only been tested on Kali.
It depends on the msfrpc module for Python, described in detail here: https://www.trustwave.com/Resources/SpiderLabs-Blog/Scripting-Metasploit-using-MSGRPC/
Install the necessary Kali packages and the PostgreSQL gem for Ruby: apt-get install postgresql libpq-dev git-core gem install pg
Install the current version of the msfrpc Python module from git:
git clone git://github.com/SpiderLabs/msfrpc.git msfrpc
python setup.py install
git clone https://github.com/N1ckDunn/Exploitivator.git
Before running either of the scripts, load msfconsole and start the MSGRPC service.
MSGRPC can be started with msfrpcd in Metasploit as follows: load msgrpc Pass=abc123
The results of scans and/or exploitation will appear in the Metasploit console and in the ouput file(s) (msf_scan_output.txt and exploitivator_output.txt).
Use MSFScan to run multiple Metasploit scans against a group of target hosts. Use Exploitivator to run Nmap script scans against a group of target hosts and automatically exploit any reported as vulnerable.
Examples: The application can be run as follows, where ‘10.128.108.178’ is the IP address of the attack machine, ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password:
./exploitivator.py -l 10.128.108.178 -f hosts.txt -u msf -m abc123
./msf_scan.py filename ./msf_scan.py filename MSF_DB_Username MSF_DB_Password
Examples: The application can be run as follows, where ‘hosts.txt’ is a list of target hosts, ‘msf’ is the Metasploit Postgres username and ‘abc123’ is the Metasploit Postgres password: ./msf_scan.py hosts.txt msf abc123
To run with ‘hosts.txt’ as a list of target hosts, using the script’s default Metasploit Postgres username(msf) and the script’s default Metasploit Postgres password(abc123): ./msf_scan.py hosts.txt
Both scripts rely on config files to provide details of required Nmap and Metasploit scans and attacks.
The script uses a config file with the name ‘scan_types.cfg’. This contains a list of paths for any Metasploit scans the are to run against the targets. e.g.: auxiliary/scanner/dcerpc/endpoint_mapper auxiliary/scanner/smb/smb_version auxiliary/scanner/x11/open_x11 auxiliary/scanner/discovery/ipv6_multicast_ping auxiliary/scanner/discovery/ipv6_neighbor auxiliary/scanner/smb/smb_login