Easy Pentesting: Metasploit's db_autopwn

Every day, life gets easier for script kiddies. These days almost everything is automated. I came across the db_autopwn feature of the Metasploit Framework a few semesters ago, and I think it's definitely something that security professionals should know about and administrators should use as a quick way to find holes in their network. Try it now before someone else on the Internet does.


I assume the following:

  • You have the latest version of Metasploit Framework installed
  • You have MySQL, or other database server running and configured properly

How it works (the simple version)

This command relies on a database backend. I will be using MySQL as I am most familiar with it, but PostgreSQL is an excellent alternative, especially when dealing with large networks. What gets stored in the database can vary, and there is more than one way to load information into it that Metasploit can read.

You may import an NBE file from Nessus or Nmap's XML output files, or use the built-in Nmap wrapper command (db_nmap). For a more thorough test I would highly recommend using a Nessus scan, since it matches exploits against actual vulnerabilities, while Nmap results match exploits based solely on port numbers. Realistically, though, Nmap scans should be fine as long as your services run on standard ports. Once all the data is in the database, it is just a matter of executing the db_autopwn command, which reads through the database and automatically tries exploits against the hosts on your network based on their IPs and open ports.

Performing the Pentest

First you must load up the MySQL plugin so that connections to the database are possible.

msf > load db_mysql
[*] Successfully loaded plugin: db_mysql

Now go ahead and create a database within MySQL. Insert your own credentials as necessary.

msf > db_create root:password@localhost/pentest
[*] Database creation complete (check for errors)

It says to check for errors, so why not? Login to the MySQL console and take a look.

$ mysql -u root -p
mysql> show databases;
| Database             |
| pentest              |
5 rows in set (0.10 sec)
mysql> use pentest
mysql> show tables;
| Tables_in_pentest |
| hosts               |
| notes               |
| refs                |
| services            |
| vulns               |
| vulns_refs          |
6 rows in set (0.00 sec)

As you can see, the pentest database exists and the proper tables exist within it. Next you need to fill the database. I'm going to use the db_nmap wrapper because it keeps this pentest simple and quick. You can pass any Nmap options to this command, as it is just a wrapper. I do a quick scan of my entire network with the following:

msf > db_nmap -A

Once that finishes, check whether the hosts on your network were loaded into the database.

msf > db_hosts
[*]  Time: Thu May 21  22:52:48 -0700 2009 Host: Status: alive OS:
[*]  Time: Thu May 21  22:52:49 -0700 2009 Host: Status: alive OS:
[*]  Time: Thu May 21  22:52:49 -0700 2009 Host: Status: alive OS:
[*]  Time: Thu May 21  22:52:49 -0700 2009 Host: Status: alive OS:
[*]  Time: Thu May 21  22:52:49 -0700 2009 Host: Status: alive OS:

Your database is now set up and you can run the db_autopwn command against your network. You can see all the options for the command by running db_autopwn with no arguments. Note that the -x switch is for use with information loaded from a Nessus scan: it matches exploits on vulnerability references instead of relying on ports. Here we will be relying on port numbers.

msf > db_autopwn -pb

The options I used tell the command to match exploits based on open ports (-p) and to use a bind shell on a random port (-b). This command may take some time to run, depending on the number of open ports on each device and the number of hosts you are running through. If you read the help output you will find ways to run only against certain hosts, which is highly recommended, since your workstations probably do not need to be scanned as they should not have any ports exposed. To find out whether any exploits were successful, use the sessions command. You should be familiar with this command if you're using Metasploit, but as a hint, sessions -lv lists all current shell connections along with the exploit that produced each remote shell. Then you can use sessions -i to interact with a session number's shell.
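The port-based matching used above (-p) only works well when services sit on their standard ports. As an added example that is not part of the original post, the Python script below parses Nmap XML output (one of the import formats mentioned earlier) and flags open services whose detected service name does not belong on the port they listen on, i.e. the services a port-number match would overlook; the embedded scan data and the EXPECTED_PORT table are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample scan (not real hosts): 192.0.2.0/24 is reserved for documentation.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="2222"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Conventional port per service name (assumption; extend as needed for your network).
EXPECTED_PORT = {"ssh": 22, "http": 80, "https": 443, "smtp": 25, "microsoft-ds": 445}

def parse_open_services(xml_text):
    """Return (address, port, service) for every open TCP port on every live host."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((addr.get("addr"), int(port.get("portid")), name))
    return found

def nonstandard_services(xml_text):
    """Open services whose port differs from the conventional one for that service.
    A match keyed on the port number alone would not pair these with the right modules."""
    return [(a, p, n) for a, p, n in parse_open_services(xml_text)
            if n in EXPECTED_PORT and EXPECTED_PORT[n] != p]

if __name__ == "__main__":
    for addr, port, name in nonstandard_services(SAMPLE_NMAP_XML):
        print(f"{addr}:{port} runs {name} (expected port {EXPECTED_PORT[name]})")
```

Hosts reported here are the ones where a Nessus-based (-x) run, or a manual review, is needed because the port-based pass cannot see them correctly.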

Why is this important?

As I stated at the beginning, script kiddies are running rampant trying to build botnets. Don't let your systems become part of one. Run a quick pentest, because it will show you what is open and exploitable by script kiddies. It is also a great way to show improvement to your bosses, so they stop thinking that you're not doing anything.