Automate compromising hosts with Metasploit and Autopwn

Saturday, March 22, 2008

Metasploit is a free, open source tool for developing and executing exploit code against a remote target machine. With regard to automated penetration testing, starting with version 3, Metasploit offers a module called "autopwn" which can automate the exploitation phase of a penetration test. While autopwn is far from perfect, it does a decent job of exploiting multiple hosts. With 269 exploits (as of the latest update) you have lots of options (especially with Windows targets) for gaining a basic bind shell with autopwn.

Some of the strengths of autopwn include the ability to import vulnerability data from Nessus NBE files and to pull in Nmap XML output, a nice feature that works well. In addition, you can run Nmap from within the Metasploit console and it will put the results in the database. Finally, you can launch exploits based on ports, services or vulnerabilities from your imported data.

Limitations of autopwn
Autopwn has some limitations worth mentioning. Autopwn requires either a MySQL, SQLite or PostgreSQL database. Some pre-configuration is required, which may be a daunting task for some users: RubyGems, ActiveRecord (part of Ruby on Rails), and getting the database configured to work with autopwn are all needed before it runs. In terms of payloads you are pretty limited as well. Unfortunately, with the current version you can only use a basic bind shell as your payload.

If you are looking for fancy reports with your vulnerability data you will have to do that on your own, as there is no automated reporting in autopwn. On that same note, decent logging within Metasploit is limited to the debug modes. I recommend you run the "script" command from a shell before you start up msfconsole so that everything is logged to a file. There is not much you can do if you use the GUI or web consoles for Metasploit, other than taking screenshots.
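The "script" approach above is worth wrapping in a small helper so every console session gets its own timestamped transcript, which is what you want when the tool itself logs almost nothing and you later need evidence of exactly what ran and when. The following is an added example, not code from the original post or from the Metasploit project; it assumes the util-linux script(1) found on Linux (the -a, -c and -q flags), and the label, directory and function names are my own.

```shell
#!/bin/sh
# Added example: wrap a console session in script(1) so the full terminal
# transcript (input and output) is written to a timestamped log file.
# Assumes util-linux script(1); the BSD/macOS variant takes different flags.

# Build a log file path from a session label, a directory and a UTC timestamp,
# e.g. ./logs/msf-20080322T140501Z.log (label and directory are assumptions).
session_log_name() {
    label="$1"
    dir="${2:-.}"
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    printf '%s/%s-%s.log\n' "$dir" "$label" "$ts"
}

# Run a command under script(1) and append its transcript to a fresh log file.
# Usage: log_session msf ./logs msfconsole
# Prints the path of the transcript on stdout when the command exits.
log_session() {
    label="$1"
    dir="$2"
    shift 2
    if ! command -v script >/dev/null 2>&1; then
        echo "script(1) not found; install util-linux" >&2
        return 127
    fi
    mkdir -p "$dir"
    logfile=$(session_log_name "$label" "$dir")
    # -q: no start/stop banner, -a: append, -c: run this command instead of a shell
    script -q -a -c "$*" "$logfile" >/dev/null
    echo "$logfile"
}
```

The transcript is a raw terminal capture, so it keeps escape sequences and every keystroke, including credentials typed into the console. Treat the log directory with the same care as the rest of the engagement evidence.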

Finally, if you are exploiting a large number of hosts (several hundred) or want to import a ton of Nessus data, you are going to take a performance hit. Autopwn seems to choke on lots of data. This will probably be fixed as it gets tweaked and tuned in future versions.

More information
HD Moore wrote up a very good autopwn tutorial which you can check out on the official Metasploit blog.

If you really want to quickly test out the features of autopwn without a lot of setup work, I recommend that you download one of the Backtrack disks. Backtrack 2 has autopwn ready to go once you launch the ninja script. Backtrack 3 beta has it installed, but you need to update everything on the disk first by using the fast-track.py script which is included. Fast-track is a very useful script if you are a regular user of Backtrack. The creator of this script (Dave Kennedy from SecureState) was actually at the meeting last night and I got to chat with him about some cool stuff coming soon to the fast-track script and some new "to be announced" modules for Metasploit.

You can download a very good and recent Metasploit presentation here.

-- Anish
