Auto-Exploitation

If you need Metasploit Pro to choose the exploits based on the host and vulnerability data that it has, you should use automated exploits. When you run an automated exploit, Metasploit Pro builds an attack plan based on the service, operating system, and vulnerability information that it has for the target system. Metasploit Pro obtains this information from the discovery scan or from the information that you provide for the target host. The attack plan defines the exploit modules that Metasploit Pro will use to attack the target systems.

To run an automated exploit, you must specify the hosts that you want to exploit and the minimum reliability setting that Metasploit Pro should use. The minimum reliability setting indicates the potential impact that the exploits have on the target system. If you use a high ranking, such as excellent or great, Metasploit Pro uses exploits that will be unlikely to crash the service or system. Exploits that typically have a high reliability ranking include SQL injection exploits, web application exploits, and command execution exploits. Exploits that corrupt memory will most likely not have a high reliability ranking.

You can also specify the payload type that you want the exploit to use. By default, automated exploits use Meterpreter, but you can choose to use a command shell instead.

Running an Automated Exploit

Use the pro_exploit command to run an automated exploit. You can define the evasion level, minimum reliability rank, payload, and ports that the exploits use.

If you do not define any options for the automated exploit, Metasploit Pro uses the default settings.

msf-pro > pro_exploit 192.168.184.139

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

Defining a Host Blacklist for an Automated Exploit

Use the pro_exploit command to run an automated exploit and the -b option to specify a list of hosts that you want to exclude from the exploit.

msf-pro > pro_exploit 192.168.184.0/24 -b 192.168.184.138

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

Defining a Port Blacklist for an Automated Exploit

Use the pro_exploit command to run an automated exploit and the -pb option to specify a list of ports that you want to exclude from the exploit.

msf-pro > pro_exploit 192.168.184.0/24 -pb 22-23

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

Performing a Dry Run of an Automated Exploit

Use the pro_exploit command to run an automated exploit and the -d option to perform a dry run: Metasploit Pro builds the attack plan and reports which exploit modules it would launch, without actually launching them.

msf-pro > pro_exploit 192.168.184.0/24 -d

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

Setting the Application Evasion Level for an Automated Exploit

Use the pro_exploit command to run an automated exploit and the -ea option to set the application evasion level. The application evasion level affects SMB-, DCERPC-, and HTTP-based exploits. You can assign an evasion level of 'none', 'low', 'medium', or 'high'. Higher evasion levels use more aggressive evasion techniques.

msf-pro > pro_exploit 192.168.184.0/24 -ea low

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

Application Evasion Level Options for SMB

The following application evasion levels for SMB are available:

  • None - Does not apply any evasion techniques.
  • Low - Obscures the PIPE string, places extra padding between the SMB headers and data, and obscures the path names.
  • Medium - Segments SMB read/write operations.
  • High - Sets the maximum size for SMB reads and writes to a value between 4 and 64.

Application Evasion Level Options for DCERPC

The following application evasion levels for DCERPC are available:

  • None - Does not apply any evasion techniques.
  • Low - Adds fake UUIDs before and after the actual UUID targeted by the exploit.
  • High - Sets the maximum fragmentation size of DCERPC calls to a value between 4 and 64.

Application Evasion Level Options for HTTP

The following application evasion levels for HTTP are available:

  • None - Does not apply any evasion techniques.
  • Low - Adds "header folding", which splits HTTP headers across separate lines that the server joins with whitespace. Randomizes the case of HTTP methods. Adds between 1 and 64 fake HTTP headers.
  • Medium - Adds between 1 and 64 fake query strings to GET requests. Adds between 1 and 64 whitespace characters between tokens.
  • High - Encodes roughly half of the characters, chosen at random, as percent-u Unicode sequences; adds a fake "end" to HTTP requests before the attack; and uses backslashes instead of forward slashes.
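As a defender's counterpart to the HTTP evasion levels listed above, the following is an added Python example (not Metasploit Pro code) that flags these traits in a captured raw request; the header-count and query-parameter thresholds are assumed values to tune against your own traffic.

```python
import re

# Assumed thresholds (not from the Metasploit Pro documentation): tune to your traffic.
MAX_NORMAL_HEADERS = 40
MAX_NORMAL_QUERY_PARAMS = 16


def evasion_indicators(raw_request: str) -> list[str]:
    """Return the HTTP evasion traits found in one raw, CRLF-delimited request."""
    lines = raw_request.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if line == "":  # a blank line ends the header block
            break
        headers.append(line)

    found = []
    # Medium level: extra whitespace between request-line tokens.
    if "  " in request_line or "\t" in request_line:
        found.append("extra-whitespace")
    tokens = request_line.split()
    method = tokens[0] if tokens else ""
    target = tokens[1] if len(tokens) > 1 else ""
    # Low level: randomized case in the method ("gEt" instead of "GET").
    if method and method != method.upper():
        found.append("mixed-case-method")
    # Low level: header folding, a continuation line that starts with whitespace.
    if any(h[:1] in (" ", "\t") for h in headers):
        found.append("header-folding")
    # Low level: a flood of fake headers.
    if len(headers) > MAX_NORMAL_HEADERS:
        found.append("excessive-headers")
    # Medium level: many fake query-string parameters on a GET.
    if method.upper() == "GET" and "?" in target:
        if len(target.split("?", 1)[1].split("&")) > MAX_NORMAL_QUERY_PARAMS:
            found.append("padded-query-string")
    # High level: percent-u encoding and backslashes as path separators.
    if re.search(r"%u[0-9a-fA-F]{4}", target):
        found.append("percent-u-encoding")
    if "\\" in target:
        found.append("backslash-path")
    return found


# Constructed sample requests for a quick self-check.
NORMAL = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
EVASIVE = ("gEt  /cgi-bin\\test%u002ephp HTTP/1.1\r\n"
           "Host: example.test\r\nX-Fake: a\r\n b\r\n\r\n")
```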

Setting the TCP Evasion Level in an Automated Exploit

Use the pro_exploit command to run an automated exploit and the -et option to set the TCP evasion level. You can assign an evasion level of 'none', 'low', 'medium', or 'high'.

msf-pro > pro_exploit 192.168.184.0/24 -et low

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

TCP Evasion Level Options

The following TCP evasion levels are available:

  • None - Does not apply any evasion techniques.
  • Low - Inserts delays between TCP packets.
  • Medium - Sends small TCP packets.
  • High - Inserts delays between TCP packets and sends small TCP packets.

Setting the Payload Connection Type for an Automated Exploit

Use the pro_exploit command to run an automated exploit and the -m option to set the payload connection type for an automated exploit. The payload connection types are auto, bind, and reverse.

msf-pro > pro_exploit 192.168.184.0/24 -m bind

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

Payload Connection Types

The following payload connection types are available:

  • Auto - Automatically selects the payload connection type for the exploit. Auto chooses bind when the system detects NAT; otherwise, it uses reverse for most exploits.
  • Bind - Attaches a command prompt to a listening port on the exploited system. You connect to the bind shell to access the exploited system.
  • Reverse - Creates a connection from the target machine back to you and presents it as a command prompt.

Setting the Minimum Rank for an Automated Exploit

Use the pro_exploit command to run an automated exploit and the -r option to set the minimum reliability rank for an automated exploit. The minimum rank settings are 'low', 'average', 'normal', 'good', 'great', and 'excellent'.

msf-pro > pro_exploit 192.168.184.0/24 -r good

Id Project Desc Status Information
== ======= ==== ====== ===========
12 default exploiting

[*] Started task 1

Minimum Reliability Rank

The minimum reliability rank indicates the potential impact that the exploits have on the target system. If you use a high ranking, such as excellent or great, Metasploit Pro uses exploits that are unlikely to crash the service or system.

The following minimum ranks are available:

  • Low - Exploits are unlikely to compromise common platforms.
  • Average - Exploits are unreliable and unlikely to exploit the target system.
  • Normal - Exploits are reliable, but depend on a specific version. These exploits do not auto-detect the appropriate targets.
  • Good - Exploits have a default target, and that target is the common case for a particular type of software. For example, English Windows XP for a desktop application, or Windows Server 2003 for a server.
  • Great - Exploits have a default target and auto-detect the appropriate target. These exploits use an application-specific return address after a version check.
  • Excellent - Exploits do not crash the service. Exploits that typically have this ranking are SQL injection, CMD execution, and web application exploits.