Monday, November 13, 2006

Metasploit morphs into Autosploit

It's not quite finished, but it's off to an impressive start. If someone wanted to destroy a network from the inside, I think one instance of this running inside the border could pretty much destroy the domain if they were just a little out of date with their patches.

This certainly speaks volumes about the importance of patch management.


The db_autopwn command is where the exploitation magic happens. This command will scan through the database tables and create a list of modules that match up to specific vulnerabilities. This matching process can happen in two different ways. The first method involves analyzing the list of vulnerability references for every exploit and matching them up with the references in every imported vulnerability record. This cross-referencing method is fairly accurate and depends on standard identifiers, such as OSVDB, Bugtraq, and CVE, to match exploits with their targets. The second method uses the default port associated with each exploit module to locate targets running the same service. While this will work in most cases, it can cause a fair amount of collateral damage and is likely to miss vulnerable services running on non-default ports.

At this point, you have a few options. You can either import an existing Nessus NBE file using the db_import_nessus_nbe command, import an existing Nmap XML output file using the db_import_nmap_xml command, or use the db_nmap command to populate the database. The benefit of using a Nessus NBE file is that it provides data for the cross-referencing mode (-x) of db_autopwn. The benefit of using Nmap data is that you can quickly attack a large group of systems without having to run a complete vulnerability scan, but you will miss vulnerabilities that are not on the default port of the associated Metasploit module.
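To make the difference between the two matching modes concrete, here is an added example (not code from the post or from Metasploit) that runs both strategies over constructed scan data: reference matching over Nessus-style findings that carry identifiers, and port matching over Nmap-style open-port data. All hosts, module names and identifiers are placeholders; the point for a patch-management team is to see which exposures an Nmap-only view would overstate (collateral) or miss entirely (non-default ports).

```python
from dataclasses import dataclass

# Constructed sample data, not from any real scan or module database.
# Identifiers below are placeholders, not real CVE/OSVDB/Bugtraq entries.

@dataclass(frozen=True)
class VulnRecord:
    host: str
    port: int
    refs: frozenset      # identifiers the scanner attached to the finding

@dataclass(frozen=True)
class Module:
    name: str
    default_port: int
    refs: frozenset      # identifiers the module lists as what it covers

# What a Nessus-style import supplies: findings with identifiers.
VULNS = [
    VulnRecord("10.0.0.1", 445, frozenset({"CVE-0000-0001"})),
    VulnRecord("10.0.0.3", 4445, frozenset({"CVE-0000-0001"})),  # same service, non-default port
    VulnRecord("10.0.0.2", 80, frozenset({"CVE-0000-0002"})),    # finding no module covers
]
# What an Nmap-style import supplies: open ports only, no identifiers.
OPEN_PORTS = [("10.0.0.1", 445), ("10.0.0.2", 445), ("10.0.0.2", 80), ("10.0.0.3", 4445)]

MODULES = [
    Module("placeholder/smb_service", 445, frozenset({"CVE-0000-0001", "OSVDB-PLACEHOLDER-1"})),
    Module("placeholder/web_service", 80, frozenset({"CVE-0000-0009"})),
]

def match_by_reference(vulns, modules):
    """Cross-referencing mode (-x): pair a module with a finding only if they share an identifier."""
    return {(v.host, v.port, m.name) for v in vulns for m in modules if v.refs & m.refs}

def match_by_port(open_ports, modules):
    """Port mode: pair a module with every host that has the module's default port open."""
    return {(h, p, m.name) for h, p in open_ports for m in modules if p == m.default_port}

def compare_modes(vulns, open_ports, modules):
    """Report what port matching adds (collateral) and drops (missed) relative to reference matching."""
    by_ref = match_by_reference(vulns, modules)
    by_port = match_by_port(open_ports, modules)
    return {"reference": by_ref, "port": by_port,
            "collateral": by_port - by_ref, "missed": by_ref - by_port}

if __name__ == "__main__":
    for mode, pairs in compare_modes(VULNS, OPEN_PORTS, MODULES).items():
        print(mode, sorted(pairs))
```

With this data the port mode pairs two hosts that are not actually vulnerable and never sees the vulnerable service on port 4445, which is exactly the trade-off the post describes.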

