Easy Pentesting: Metasploit's db_autopwn

转载

feier7501 2023-04-26 18:19:49 博主文章分类：metasploit

文章标签 mysql MySQL sed 文章分类 JavaScript 前端开发

Everyday, life gets easier for script kiddies. These days everything is pretty much automated. I came across the db_autopwn feature of the Metasploit Framework a few semesters ago and I think it's definitely something that security professionals should know about and administrators should use as a quick way to find holes in their network. Try it now before someone else on the Internet does.

Prerequisites

I assume the following:

You have the latest version of Metasploit Framework installed
You have MySQL, or other database server running and configured properly

How it works (the simple version)

This command works by using some sort of database. I will be using MySQL as I am most familiar with it, but PostgresSQL is an excellent alternative especially when dealing with large networks. The information stored in the database can vary. There is more than one way to get information into the database that Metasploit will be able to read.

You may choose from an NBE file from Nessus, the Nmap XML output files, or use the built in Nmap wrapper command (db_nmap). For a more thorough test I would highly recommend using a Nessus scan as it matches exploits based on actual vulnerabilities, while the Nmap results match exploits based solely on port numbers. Really though you should be fine using the Nmap scans as long as your services are running on standard ports. Once all the data is in the database, it's then just a matter of executing the db_autopwn command. It will read through the database and automatically try to exploit vulnerabilities based on the IPs on your network as well as the open ports.

Performing the Pentest

First you must load up the MySQL plugin so that connections to the database are possible.

msf > load db_mysql [*] Successfully loaded plugin: db_mysql

Now go ahead and create a database within MySQL. Insert your own credentials as necessary.

msf > db_create root:password@localhost/pentest [*] Database creation complete (check for errors)

It says to check for errors, so why not? Login to the MySQL console and take a look.

As you can see the pentest database exists and the proper tables exist within. Next you need to fill up the database. I'm going to use the db_nmap wrapper because that's keeps this pentest very simple and quick. You can throw any nmap options at this command as it is just a wrapper. I do a quick scan of my entire network with the following:

msf > db_nmap -A 192.168.1.0/24

Once that finishes running find out if the hosts on your network were loaded into the database.

msf > db_hosts [*] Time: Thu May 21 22:52:48 -0700 2009 Host: 192.168.1.1 Status: alive OS: [*] Time: Thu May 21 22:52:49 -0700 2009 Host: 192.168.1.2 Status: alive OS: [*] Time: Thu May 21 22:52:49 -0700 2009 Host: 192.168.1.103 Status: alive OS: [*] Time: Thu May 21 22:52:49 -0700 2009 Host: 192.168.1.120 Status: alive OS: [*] Time: Thu May 21 22:52:49 -0700 2009 Host: 192.168.1.140 Status: alive OS:

Your database is now set up and you can run the db_autopwn command against your network. You can find out all the options for the command by running db_autopwn with no options. Something that should be noted, the x switch is for use with information loaded from a Nessus scan. It uses vulnerability references instead of relying on ports. Here we will be relying on port numbers.

msf > db_autopwn -pb

sessions -lv

Why is this important?

As I stated in the beginning, script kiddies are going rampant trying to build bot nets. Don't let your systems become part of this. Just run a quick pentest because that will show you what is open and exploitable by script kiddies. This is a great way to show improvement to your bosses as well. That way they can stop thinking that you're not doing anything.