Module: Msf::RPC::Simple::Features::Framework

Included in:
Client
Defined in:
lib/msfrpc-simple/features/framework.rb


Instance Method Details

#bruteforce_range(range, user_file, pass_file, threads = 25) ⇒ Object

Public: This method runs a number of bruteforce modules. It should only be run after running setup, then the nmap_range method.

host - an ipv4 ip address or hostname

This method should only be run after running setup, and then the nmap_range method.

Returns nothing



# File 'lib/msfrpc-simple/features/framework.rb', line 98

# Public: Runs a set of login (bruteforce) scanner modules against +range+.
#
# Documented as a follow-up to setup and nmap_range.
#
# range     - an ipv4 ip address, hostname or range, passed through as RHOSTS
# user_file - path to the username list, passed through as USER_FILE
# pass_file - path to the password list, passed through as PASS_FILE
# threads   - number of scanner threads, passed through as THREADS (default 25)
#
# Every option value is handed to the RPC layer as a string, as the original
# interpolation did.
#
# Returns the array of module descriptors that were executed.
def bruteforce_range(range, user_file, pass_file, threads = 25)
  # Options common to every login scanner
  shared_options = {
    "RHOSTS" => range.to_s,
    "USER_FILE" => user_file.to_s,
    "PASS_FILE" => pass_file.to_s,
    "THREADS" => threads.to_s
  }

  login_scanners = [
    {:module_name => "auxiliary/scanner/http/http_login", :module_options => {}},
    {:module_name => "auxiliary/scanner/smb/smb_login", :module_options => {}},
    {:module_name => "auxiliary/scanner/snmp/snmp_login", :module_options => {}},
    {:module_name => "auxiliary/scanner/ssh/ssh_login", :module_options => {"SSH_TIMEOUT" => 3}}
  ]

  login_scanners.each do |mod|
    # Module-specific options take precedence over the shared ones; merge builds a
    # fresh hash per module so descriptors never share option state.
    mod[:options] = shared_options.merge(mod[:module_options])
    execute_module(mod)
  end
end

#discover_range(range, threads = 25) ⇒ Object

Public: This method runs a number of discovery modules. It should only be run after running setup, then the nmap_range method.

host - an ipv4 ip address or hostname

This method should only be run after running setup, and then the nmap_range method.

Returns nothing



# File 'lib/msfrpc-simple/features/framework.rb', line 43

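# Public: Runs a set of service-discovery scanner modules against +range+.
#
# Documented as a follow-up to setup and nmap_range.
#
# range   - an ipv4 ip address, hostname or range, passed through as RHOSTS
# threads - number of scanner threads, passed through as THREADS (default 25)
#
# Fixes relative to the previous version: the module array was built as
# modules_and_options but iterated as module_list (NameError on every call), and
# the nbname_probe entry has no :module_options key, so merge!(nil) would have
# raised TypeError once the first problem was fixed.
#
# Returns the array of module descriptors that were executed.
def discover_range(range, threads = 25)
  # Other Potential options
  #  - auxiliary/scanner/smb/pipe_auditor
  #  - auxiliary/scanner/smb/pipe_dcerpc_auditor
  #  - auxiliary/scanner/smb/smb_enumshares
  #  - auxiliary/scanner/smb/smb_enumusers
  modules_and_options = [
    {:module_name => "auxiliary/scanner/http/http_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/http/cert", :module_options => {}},
    {:module_name => "auxiliary/scanner/ftp/ftp_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/h323/h323_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/imap/imap_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/portscan/syn", :module_options => {}},
    {:module_name => "auxiliary/scanner/portscan/tcp", :module_options => {}},
    #{:module_name => "auxiliary/scanner/lotus/lotus_domino_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/mysql/mysql_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/netbios/nbname", :module_options => {}},
    {:module_name => "auxiliary/scanner/netbios/nbname_probe"},
    #{:module_name => "auxiliary/scanner/pcanywhere/pcanywhere_tcp", :module_options => {}},
    #{:module_name => "auxiliary/scanner/pcanywhere/pcanywhere_udp", :module_options => {}},
    {:module_name => "auxiliary/scanner/pop3/pop3_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/postgres/postgres_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/smb/smb_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/snmp/snmp_enum", :module_options => {}},
    {:module_name => "auxiliary/scanner/ssh/ssh_version", :module_options => {}},
    {:module_name => "auxiliary/scanner/telnet/telnet_version", :module_options => {}},
    #{:module_name => "auxiliary/scanner/vmware/vmauthd_version", :module_options => {}}
  ]

  # Options common to every discovery module; values are passed as strings
  default_options = {
    "RHOSTS" => range.to_s,
    "THREADS" => threads.to_s
  }

  modules_and_options.each do |mod|
    # Module-specific options override the defaults; an entry that declares none
    # (nbname_probe above) simply takes the defaults instead of failing.
    mod[:options] = default_options.merge(mod.fetch(:module_options, {}))
    execute_module(mod)
  end
end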

#execute_module(params) ⇒ Object

Public: This method executes a specified metasploit module

params - A parameters hash containing:

- :module_name - a full metasploit module name
- :options - a hash of options to be "set" for the module

Note that Metasploit's typical behavior when calling "module.execute" is to background the task. This method waits for the task to complete, so you can call it and then query the database for the result(s).

Returns nothing



# File 'lib/msfrpc-simple/features/framework.rb', line 163

# Public: Executes a Metasploit module over RPC and waits for its job to finish.
#
# params - A parameters hash containing:
#          :module_name - a full metasploit module name ("type/path/name")
#          :options     - a hash of options to be "set" for the module
#
# The module type sent to the RPC is the first path segment of :module_name and
# must be one of exploit, auxiliary, post, encoder or nop.
#
# Raises RuntimeError ("Error, bad module name") for any other leading segment.
#
# Polls job.list once per second until the job id is gone; there is no timeout,
# so a module that never terminates blocks the caller indefinitely. If the
# module.execute reply carries no "job_id" the polled key is "" and the method
# most likely returns at once without signalling the failure.
#
# Returns nil.
def execute_module(params)
  module_name = params[:module_name]
  # The leading path segment doubles as the RPC module type
  module_type, = module_name.split("/")
  raise "Error, bad module name" unless %w[exploit auxiliary post encoder nop].include?(module_type)

  job_details = @client.call("module.execute", module_type, module_name, params[:options])

  # module.execute backgrounds the run; wait until its job leaves the job table
  job_id = job_details["job_id"].to_s
  sleep 1 while @client.call("job.list").key?(job_id)
end

#exploit_single(host) ⇒ Object

Public: This method runs a number of exploit modules. It should only be run after running setup, then the nmap_range method.

host - an ipv4 ip address or hostname

This method should only be run after running setup, and then the nmap_range method.

Returns nothing



# File 'lib/msfrpc-simple/features/framework.rb', line 135

# Public: Runs the configured exploit module(s) against a single host.
#
# Documented as a follow-up to setup and nmap_range.
#
# host - an ipv4 ip address or hostname, passed through as RHOST
#
# Only RHOST is set here; no payload or handler is configured (see TODO below).
#
# Returns the array of module descriptors that were executed.
def exploit_single(host)
  # TODO - will need to set up / manage a handler - should this go
  # back to the console?

  exploits = [
    { :module_name => "exploit/windows/smb/ms08_067_netapi", :module_options => {} }
  ]

  exploits.each do |mod|
    # Module-specific options override the target setting
    mod[:options] = { "RHOST" => host.to_s }.merge(mod[:module_options])
    execute_module(mod)
  end
end

#nmap_range(range) ⇒ Object

Public: This method runs a db_nmap command

range - an ipv4 ip address range in cidr format

This method should only be run after running setup

Returns nothing



# File 'lib/msfrpc-simple/features/framework.rb', line 14

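# Public: Scans +range+ with nmap and imports the XML report into Metasploit.
#
# range - an ipv4 ip address range in cidr format (any nmap target syntax;
#         several targets may be separated by whitespace, as the previous
#         shell-based invocation allowed)
#
# Documented as requiring setup to have been run first.
#
# Changes relative to the previous version:
#   - nmap is started with the argument-vector form of system, so the range is
#     never interpreted by a shell; each target is additionally checked against
#     an allow-list of nmap target characters and may not start with "-"
#     (nmap would read it as an option).
#   - the report goes to a Tempfile we created ourselves (0600, unique name)
#     instead of a predictable /tmp path, and it is removed on every exit path
#     rather than leaking when db_import raised.
#   - a failed or missing nmap is reported instead of importing nothing.
#
# Raises ArgumentError if range is empty or a target contains other characters.
# Raises RuntimeError if nmap could not be run or exited non-zero.
#
# Returns nothing meaningful.
def nmap_range(range)
  require "tempfile" # stdlib; loaded here so the module gains no new top-level dependency

  targets = range.to_s.split
  raise ArgumentError, "range must name at least one target" if targets.empty?
  targets.each do |target|
    # Hostnames, IPv4/IPv6 literals, CIDR suffixes, nmap octet ranges and
    # wildcard/comma lists; the first character must be alphanumeric.
    next if target.match?(/\A[A-Za-z0-9][A-Za-z0-9.:\/\-,*]*\z/)

    raise ArgumentError, "invalid nmap target #{target.inspect}"
  end

  Tempfile.create(["metasploit_temp_", ".xml"]) do |report|
    # No shell is involved, so the target strings cannot become commands; nmap
    # overwrites the file we already own rather than a path someone else could
    # have pre-created in /tmp.
    scanned = system("nmap", "--top-ports", "100", "-oX", report.path, *targets)
    raise "nmap failed for #{targets.join(' ')}" unless scanned

    # Import the XML into metasploit
    _send_command("db_import #{report.path}")

    # Fixed wait for the background import; nothing here exposes a completion
    # signal to poll — NOTE(review): confirm whether the console reports import completion
    sleep 10
  end
end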