Following on from the previous post, I've improved the MS08-067 scanner by replacing the sledgehammer approach (scan everything) with a more defined and controlled one: get some hosts, work out whether each one might be a Windows box, and only then run the check.
Here is the script:
<ruby>
###########################################################
# Must set global RHOSTS via: setg RHOSTS xxx.xxx.xxx.xxx/xx
###########################################################

# Check to see if RHOSTS is set globally; bail out if it is not
if framework.datastore['RHOSTS'].nil?
  print_line("Please set RHOSTS globally with this command: setg RHOSTS xxx.xxx.xxx.xxx/xx ... exiting")
  return
end

# Populate the database with some hosts
#######################################
# Set up nmap options: OS detection, fastest timing template
nmapopts = "-O -T 5"
run_single("db_nmap #{nmapopts} #{framework.datastore['RHOSTS']}")

# Remove the global RHOSTS so it does not leak into later modules
run_single("unsetg RHOSTS")

# Walk every host/service that db_nmap stored in the current workspace
framework.db.workspace.hosts.each do |host|
  host.services.each do |serv|
    next unless serv.host
    next if serv.state != ServiceState::Open
    # Anything that looks like SMB/NetBIOS marks the host as a likely Windows box
    if (serv.name =~ /smb/ or serv.name =~ /microsoft-ds/ or serv.name =~ /netbios/ or serv.port == 445 or serv.port == 139 or serv.port == 137)
      # Only run the vulnerability check against the actual SMB port
      if serv.port == 445
        run_single("use exploit/windows/smb/ms08_067_netapi")
        run_single("set RHOST #{host.address}")
        run_single("check")
      end
    end
  end
end
</ruby>
There are some changes to the way the resource script works. First we need to set the global variable RHOSTS, which is done with the 'setg RHOSTS xxx.xxx.xxx.xxx/xx' command.
Then we just fire up the resource script as before, but this time you will get a bunch of nmap output, because the script uses a db_nmap scan to populate the database.
Then, if there are any Windows hosts on the network with the correct services listening, you will see this:
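To make the host-selection step easy to reason about on its own, here is an added Ruby example of mine (not code from the post or from the Metasploit project) that applies the same filter to nmap's grepable (-oG) output instead of reading the Metasploit database. It goes slightly beyond the script by separating the two decisions it makes: which hosts look like Windows boxes because an SMB/NetBIOS service is open, and which of those actually have 445 open and would be queued for the `check`. The scan lines, addresses and OS strings are constructed sample data, and the function names (`parse_gnmap`, `smb_exposed_hosts`, `check_candidates`) are my own.

```ruby
# Added example, not from the original post: reproduce the resource script's
# host-selection logic outside Metasploit so it can be checked on its own.
# Input is nmap grepable (-oG) output; everything below is constructed sample
# data, not a real scan.
SAMPLE_GNMAP = <<~GNMAP
  # Nmap scan report (constructed sample, not real output)
  Host: 10.0.0.5 ()\tStatus: Up
  Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP SP3
  Host: 10.0.0.7 ()\tStatus: Up
  Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\tOS: Linux 2.6.X
  Host: 10.0.0.9 ()\tStatus: Up
  Host: 10.0.0.9 ()\tPorts: 139/open/tcp//netbios-ssn///
GNMAP

Service    = Struct.new(:port, :state, :proto, :name)
HostRecord = Struct.new(:address, :os, :services)

# Same markers the resource script uses to decide "probably Windows"
SMB_PORTS = [137, 139, 445].freeze
SMB_NAMES = /smb|microsoft-ds|netbios/i

# Parse -oG lines into HostRecord structs. Each host can appear on several
# "Host:" lines (Status line, Ports line); they are merged by address.
def parse_gnmap(text)
  hosts = {}
  text.each_line do |line|
    next unless line.start_with?("Host:")
    addr = line[/\AHost: (\S+)/, 1]
    rec  = hosts[addr] ||= HostRecord.new(addr, nil, [])
    line.chomp.split("\t").each do |field|
      if field.start_with?("Ports: ")
        # Entry format: port/state/proto/owner/service/rpc/version/
        field.delete_prefix("Ports: ").split(", ").each do |entry|
          port, state, proto, _owner, name = entry.split("/")
          rec.services << Service.new(port.to_i, state, proto, name)
        end
      elsif field.start_with?("OS: ")
        rec.os = field.delete_prefix("OS: ")
      end
    end
  end
  hosts.values
end

# Mirrors the script's filter: the service must be open AND look like SMB,
# either by name or by well-known port. A filtered 445 does not count.
def smb_service?(serv)
  serv.state == "open" &&
    (serv.name.to_s.match?(SMB_NAMES) || SMB_PORTS.include?(serv.port))
end

# Hosts that expose at least one open SMB/NetBIOS service (likely Windows).
def smb_exposed_hosts(hosts)
  hosts.select { |h| h.services.any? { |s| smb_service?(s) } }
end

# Of those, only hosts with 445 open would actually get the ms08_067 check.
def check_candidates(hosts)
  smb_exposed_hosts(hosts)
    .select { |h| h.services.any? { |s| s.port == 445 && s.state == "open" } }
    .map(&:address)
end

if __FILE__ == $0
  hosts = parse_gnmap(SAMPLE_GNMAP)
  smb_exposed_hosts(hosts).each do |h|
    puts "SMB exposed: #{h.address} (#{h.os || 'OS unknown'})"
  end
  puts "Would run check against: #{check_candidates(hosts).join(', ')}"
end
```

The 10.0.0.7 record is there to show why the state test matters: its 445 is filtered, not open, so it is neither counted as SMB-exposed nor queued for a check, exactly as the `serv.state != ServiceState::Open` line in the resource script would skip it. The 10.0.0.9 record shows the other half of the script's logic: an open 139 makes it a Windows candidate, but with no open 445 there is nothing for the netapi check to talk to.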
And the rest is down to you... Enjoy.
Credit to the MSF guys, as a couple of lines of code were taken from the default resource scripts that ship with the framework and of course to @mubix for the initial rapid psexec script that this was based upon.