Metasploit MS08_067 Scanner Version 2

Following on from the previous post, I’ve improved the MS08_067 scanner by replacing the sledge-hammer approach (i.e. scan everything) with a more defined and controlled one: get some hosts, work out whether they might be a Windows box, and only then scan.

Here is the script:

<ruby>
###########################################################
#Must set Global RHOSTS via setg RHOSTS xxx.xxx.xxx.xxx/xx#
###########################################################
#Check to see if RHOSTS is set Globally
if (framework.datastore['RHOSTS'] == nil)
  print_line("Please set RHOSTS globally with this command setg RHOSTS xxx.xxx.xxx.xxx/xx...exiting")
  return
end

#Populate the datastore with some Hosts
#######################################

#Setup NMAP Options (-O = OS detection, -T 5 = fastest timing template)
nmapopts = "-O -T 5"
run_single("db_nmap #{nmapopts} #{framework.datastore['RHOSTS']}")

#Remove the global RHOSTS now that the scan is done
run_single("unsetg RHOSTS")

#Walk every host and service in the current workspace
framework.db.workspace.hosts.each do |host|
  host.services.each do |serv|
    next if not serv.host
    next if (serv.state != ServiceState::Open)
    #Anything that looks like SMB/NetBIOS is a candidate Windows box...
    if (serv.name =~ /smb/ or serv.name =~ /microsoft-ds/ or serv.name =~ /netbios/ or serv.port == 445 or serv.port == 139 or serv.port == 137)
      #...but the netapi check is only run against SMB on 445
      if(serv.port == 445)
        run_single("use exploit/windows/smb/ms08_067_netapi")
        run_single("set RHOST #{host.address}")
        run_single("check")
      end
    end
  end
end
</ruby>
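As an added example (not part of the original post), here is a stand-alone dry run of the script’s host-selection logic. It takes records shaped like the hosts and services db_nmap writes into the workspace (constructed sample data below, with Struct stand-ins for the Msf DB objects) and returns the msfconsole commands the script would issue, so the target list can be reviewed before anything is run. It adds two things the script does not: it only counts TCP/445 and, because the script walks the whole workspace rather than just the hosts from this scan, it can restrict the plan to the RHOSTS range.

```ruby
require 'ipaddr'

# Constructed stand-ins for the Msf::DBManager host/service records.
Service = Struct.new(:port, :proto, :state, :name)
Host    = Struct.new(:address, :os_name, :services)

SMB_NAMES = /smb|microsoft-ds|netbios/i
SMB_PORTS = [445, 139, 137].freeze

# Same filter as the resource script: an open service that looks like
# SMB/NetBIOS by name or port (ServiceState::Open is the string "open").
def smb_like?(serv)
  serv.state == 'open' &&
    (serv.name.to_s =~ SMB_NAMES || SMB_PORTS.include?(serv.port))
end

# Returns one [use, set RHOST, check] triple per host that has an open
# TCP/445 service, optionally limited to hosts inside +scope+ (a CIDR
# string such as the one given to setg RHOSTS).
def ms08_067_check_plan(hosts, scope: nil)
  net = scope && IPAddr.new(scope)
  hosts.each_with_object([]) do |host, plan|
    next if net && !net.include?(IPAddr.new(host.address))
    next unless host.services.any? { |s| smb_like?(s) && s.port == 445 && s.proto == 'tcp' }
    plan << ['use exploit/windows/smb/ms08_067_netapi',
             "set RHOST #{host.address}",
             'check']
  end
end

# Constructed sample workspace: one eligible host, one Linux box, one host with
# 445 closed, one with only NetBIOS, and one eligible host outside the scope.
SAMPLE_HOSTS = [
  Host.new('192.168.0.10', 'Windows XP',   [Service.new(445, 'tcp', 'open', 'microsoft-ds'),
                                            Service.new(139, 'tcp', 'open', 'netbios-ssn')]),
  Host.new('192.168.0.11', 'Linux',        [Service.new(22,  'tcp', 'open', 'ssh')]),
  Host.new('192.168.0.12', 'Windows 2003', [Service.new(445, 'tcp', 'closed', 'microsoft-ds')]),
  Host.new('192.168.0.13', nil,            [Service.new(139, 'tcp', 'open', 'netbios-ssn')]),
  Host.new('10.0.0.5',     'Windows XP',   [Service.new(445, 'tcp', 'open', 'microsoft-ds')])
].freeze

if __FILE__ == $PROGRAM_NAME
  ms08_067_check_plan(SAMPLE_HOSTS, scope: '192.168.0.0/24').each { |cmds| puts cmds.join(' ; ') }
end
```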

There are some changes to the way the resource script works. First we need to set the global variable RHOSTS, which is done with the ‘setg RHOSTS xxx.xxx.xxx.xxx/xx’ command.

Then we just fire up the resource script as before, but this time you will get a bunch of nmap output.

I used a db_nmap scan to populate the database.

Then, if there are any Windows hosts on the network with the correct services listening, you will see this:

And the rest is down to you… Enjoy.

Credit to the MSF guys, as a couple of lines of code were taken from the default resource scripts that ship with the framework, and of course to @mubix for the initial rapid psexec script that this was based upon.


Metasploit MS08_067 Scanner Resource Script

Today I’ve been messing around with Metasploit and came up with this. It’s not rocket science and uses a bit of code from another resource script written by @mubix, which you can find here: http://www.room362.com/blog/2010/9/12/rapid-fire-psexec-for-metasploit.html

Anyway, I thought: why not try to write some resource scripts that look for ‘low-hanging fruit’ to kinda speed up the pwnage on big network penetration tests.

The ms08_067 exploit module supports the ‘check’ function, which we use to find our vulnerable hosts; some other exploits support this function too, but not all of them.

Here’s the code. It’s pretty self-explanatory, just set the rhosts variable in the script.

################################################
# MS08_067 Vulnerability Checker Resource Script
################################################
use exploit/windows/smb/ms08_067_netapi

<ruby>
require 'rex/socket/range_walker'
#################################################
#Set rhosts to be network range you want to check
#################################################
rhosts = "192.168.0.0/24"
#Expand the range and run the module's check against every address in it
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|
  self.run_single("set RHOST #{rhost}")
  self.run_single("check")
end
</ruby>

Copy the code into a file called ms08_067_checker.rc and save it in /root/.msf4/scripts/resource or /yourusername/.msf4/scripts/resource so that you can use it directly from msfconsole.
The resource script output is as below:

Unlucky…

Woot, we’re in luck.

The rest is simple. Happy hunting.