Hi,
As I started to write my first Metasploit automation scripts (rc scripts), I had a few problems finding the predefined variables (such as the globally set RHOSTS) that I can use. As far as I know there is no documentation. The only way I found was looking into the source code and other rc files you can find on the internet.
I'd like to use this thread to start a collection of these functions/variables. So everybody is invited to add some.
Let's start:
How to run modules
run_single("something")
run_single("use auxiliary/scanner/smb/smb_login")
Print Information/Errors to the screen
print_status("TEXT")
print_error("ERROR_TEXT")
Using globally set RHOSTS in rc script
Usage as a variable:
#{framework.datastore['RHOSTS']}
Example 1: nmap scan against RHOSTS
run_single("db_nmap #{framework.datastore['RHOSTS']}")
Example 2: check if RHOSTS is set globally or exit
if framework.datastore['RHOSTS'].nil?
  print_error("RHOSTS must be set globally ... exiting")
  return
end
What about the workspace
find workspace
framework.db.find_workspace(workspace_name)
add a workspace
framework.db.add_workspace(workspace_name)
Example: create a workspace with the value from RHOSTS as name and use it
workspace_name = framework.datastore['RHOSTS']
print_status("Creating Workspace #{workspace_name}")
print_status("If a workspace with this name already exists it will be deleted")
workspace = framework.db.find_workspace(workspace_name)
if workspace != nil
  # drop the existing workspace (and everything stored in it) before recreating it
  workspace.destroy
  workspace = framework.db.add_workspace(workspace_name)
  print_status("Create Workspace #{workspace_name}")
else
  workspace = framework.db.add_workspace(workspace_name)
end
# switch the console to the new workspace
run_single("workspace #{workspace_name}")
Running a loop through all hosts in database (Maybe there is a better way???)
You can use the following syntax to loop through all entries in the hosts db-table:
framework.db.hosts.each do |ip|
  # one entry of the hosts table is available as "ip" inside this block
end
Inside this loop you can query the entries by putting the column name after the block variable name, e.g. ip.address or ip.id and so on.
In this example I take all hosts from the services db-table which have tcp/445 open and then get their IP address from the hosts db-table to run an SMB scan against them (in the services db-table the host from the hosts db-table is referenced by .host.id).
framework.db.services.each do |db_services|
  # this runs if port 445 (SMB) was detected
  if (db_services.port == 445) && (db_services.name == "microsoft-ds")
    # get the IP address from the hosts table
    framework.db.hosts.each do |ip|
      # search for the right host in the hosts table using the service's host id
      if ip.id == db_services.host.id
        # set the new RHOSTS globally
        run_single("setg RHOSTS #{ip.address}")
        # nmap scan with smb-check-vulns
        print_status("Checking if Host #{ip.address} is vulnerable to MS08_067")
        run_single("db_nmap --script=smb-check-vulns #{ip.address}")
      end
    end
  end
end
For now this is all. I hope you have some additional input to add.
cheers,
8xsde9ed
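As an added example (not part of the original post and not Metasploit's own code), here is the post's RHOSTS guard and the services-to-hosts loop written as plain Ruby methods against a constructed in-memory stand-in for framework.db, so the logic can be run and checked outside msfconsole. The Host/Service structs, the FakeDb class and the sample rows are assumptions made for this example; only the accessor names (.hosts, .services, .address, .id, .port, .name, .host) mirror what the post uses. Instead of calling run_single directly, the commands are collected so they can be inspected; in a real rc script each string would be handed to run_single.

```ruby
# Added example: reproduces the logic of the post's rc-script snippets
# against a tiny in-memory stand-in for framework.db (constructed here,
# not Metasploit's real database layer).

Host    = Struct.new(:id, :address)
Service = Struct.new(:host, :port, :proto, :name)

# Stand-in for framework.db (constructed for this example).
class FakeDb
  attr_reader :hosts, :services
  def initialize(hosts, services)
    @hosts    = hosts
    @services = services
  end
end

# Sample rows (constructed): two hosts with SMB on tcp/445, one with only HTTP,
# plus a udp/445 row that must not be picked up.
HOSTS = [
  Host.new(1, '10.0.0.5'),
  Host.new(2, '10.0.0.6'),
  Host.new(3, '10.0.0.7'),
]
SERVICES = [
  Service.new(HOSTS[0], 445, 'tcp', 'microsoft-ds'),
  Service.new(HOSTS[1], 80,  'tcp', 'http'),
  Service.new(HOSTS[2], 445, 'tcp', 'microsoft-ds'),
  Service.new(HOSTS[2], 445, 'udp', 'microsoft-ds'),
]
DB = FakeDb.new(HOSTS, SERVICES)

# Mirrors "Example 2" in the post: returns nil (so the caller can bail out)
# when RHOSTS is not set globally, otherwise returns the value.
def require_rhosts(datastore)
  value = datastore['RHOSTS']
  if value.nil? || value.strip.empty?
    puts '[-] RHOSTS must be set globally ... exiting'
    return nil
  end
  value
end

# Mirrors the post's nested loop: find services on tcp/445 named
# microsoft-ds, then resolve the owning host through host.id in the
# hosts table. Returns a sorted, de-duplicated list of addresses so a
# host with several matching service rows is scanned only once.
def smb_targets(db)
  targets = []
  db.services.each do |svc|
    next unless svc.port == 445 && svc.proto == 'tcp' && svc.name == 'microsoft-ds'
    db.hosts.each do |h|
      targets << h.address if h.id == svc.host.id
    end
  end
  targets.uniq.sort
end

# Builds the console commands the post runs per host. In a real rc script
# each string would be passed to run_single.
def smb_check_commands(db)
  smb_targets(db).flat_map do |addr|
    ["setg RHOSTS #{addr}", "db_nmap --script=smb-check-vulns #{addr}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # constructed datastore; a real script reads framework.datastore
  abort unless require_rhosts({ 'RHOSTS' => '10.0.0.0/24' })
  smb_check_commands(DB).each { |cmd| puts "[*] #{cmd}" }
end
```

The de-duplication step is the practical difference from the post's version: when the services table holds more than one matching row for the same host (for example after repeated scans), the nested loop as written in the post would run the nmap check against that host once per row.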