Cscan msfrpc plugin

Continuous scanning with Faraday cscan and the msfrpc plugin.

In this example we will deploy Metasploitable target machines and a kali-light machine provisioned with Chef.
Cscan will be configured for the msfrpc plugin, with the following scripts:

  • msf-basic-discovery-nmap.sh
  • msf-autoscan.sh
  • msf-autosploit.sh

We will start the Faraday server and client and configure them (manually) for the metasploiton plugin (Metasploit Online Service), so that scan results land inside Faraday. Our continuous scanning setup will take a long time, since it tries a lot of Metasploit modules.

You can find video demonstrations here: https://www.youtube.com/playlist?list=PLk_I6VgAdVmX7NMwhv863u55LmODGF4uO
The pentestrc file is available in the example directory.

Environment setup

Stuff

Instances:

  • kali-light

Targets:

  • metasploitable2
  • metasploitable3-win2008r2

Networks:

  • 172.28.128.0/24

Here is the base pentestrc that defines all machines:

```yaml
# -*- mode: yaml -*-

instances:
  - kali-light
targets:
  - metasploitable2
  - metasploitable3-win2008r2

kali-light:
  networks:
    - private_network:
        adapter: 2
        type: dhcp
        ip: 172.28.128.0/24
  vbox:
    customize:
      memory: 4096

metasploitable2:
  autostart: true
  networks:
    - private_network:
        adapter: 2
        type: dhcp
        ip: 172.28.128.0/24
  vbox:
    customize:
      memory: 1024

metasploitable3-win2008r2:
  autostart: true
  networks:
    - private_network:
        adapter: 2
        type: dhcp
        ip: 172.28.128.0/24
  vbox:
    customize:
      memory: 2048
```
Configuration

Requirements

  • apt & git packages
  • couchdb service for faraday
  • metasploit-framework package
  • Faraday server & client
  • CScan configured to scan the above network

Here is the Chef setup for the kali-light instance:

```yaml
kali-light:
  chef:
    recipes:
      - apt
      - git
      - couchdb
      - pentest-env::cscan
      - pentester::msf_pkg
    roles:
      - faraday-from-package
    json:
      faraday:
        config:
          couch_uri: http://127.0.0.1:5985
          last_workpace: cscan-pentest-env
      pentest-env:
        cscan:
          ips: [172.28.128.0/24]
          websites: []
          config:
            CS_CATEGORIES: network,extra
            CS_SCRIPTS: msf-basic-discovery-nmap.sh,msf-autoscan.sh,msf-autosploit.sh
            CS_NMAP: nmap
            CS_NMAP_ARGS: -p- -O -sT -T5 -Pn --script=default,safe,discovery,version
            CS_MSF_TMP_WS: disabled
            CS_MSF_EXPORT: enabled
```
You can find the complete pentestrc file here.

Deploying the environment

Ok, it's time to bootstrap the environment.

Update cookbook dependencies:

```
$ bundle exec berks update
```

Load the cscan-msfrpc.pentestrc file and show the status:

```
$ export PENTESTRC=examples/cscan-msfrpc.pentestrc
$ vagrant status

Current machine states:

kali-light                not created (virtualbox)
metasploitable2           not created (virtualbox)
metasploitable3-win2008r2 not created (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.
```

Now run `vagrant up` to create and configure the machines; provisioning the kali-light machine can take some time depending on your network connection.
Once the provisioning is completed, you need to connect to the kali-light machine and prepare it before running the cscan.py script:

Update: the manual setup below can be configured automatically with Chef, see the faraday-cscan-msfrpc-chef-setup.pentestrc file.

Metasploit setup

Run the following commands in a terminal on the kali-light machine:

  • `msfdb init` to initialize the Metasploit database
  • `msfconsole` to start the msfconsole
  • `load msgrpc` to load the msgrpc plugin inside msfconsole

Note the password printed by `load msgrpc`, you will need it later.

Faraday setup

Run the following commands to set up Faraday:

  • `/usr/share/python-faraday/faraday-server.py` to start the Faraday server
  • `/usr/share/python-faraday/faraday.py` to start the Faraday client

In the Faraday GUI, create the cscan-pentest-env workspace and enable the Metasploit Online Service Plugin with the following settings:

  • Enable: 1
  • Database: msf
  • Workspace: default
  • Server: localhost
  • User: msf
  • Password: Auto-generated by msfdb init, find it in /usr/share/metasploit-framework/config/database.yml
  • Port: 5432

CScan setup

CScan is already configured via Chef, but we need to add the msgrpc credentials to our environment to allow the msfrpc plugin to connect to our RPC server.
In my case I will put environment variables in the ~/.bashrc:

```
export MSFRPC_HOST=127.0.0.1
export MSFRPC_PORT=55552
export MSFRPC_USER=msf
export MSFRPC_PASS=[msgrpc_password]
```
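Two things go wrong with this step in practice: the `[msgrpc_password]` placeholder is left in place, or `MSFRPC_HOST` is pointed at a non-loopback address so the msgrpc listener (which gives full control of the framework) gets reached over the network instead of on the box. The check below is an added example, not part of cscan or its msfrpc plugin; it reads the four variable names exported above, and `check_msfrpc_env` is a name chosen for this example.

```python
"""Validate the MSFRPC_* settings before a scan starts.  Added example, not
part of cscan; the variable names are the ones exported in ~/.bashrc above."""
import ipaddress
import os

REQUIRED = ("MSFRPC_HOST", "MSFRPC_PORT", "MSFRPC_USER", "MSFRPC_PASS")


def check_msfrpc_env(env=None):
    """Return a list of problems found in `env` (defaults to os.environ).

    An empty list means the settings are complete and sane."""
    env = os.environ if env is None else env
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    if problems:
        return problems

    # Placeholder from the walkthrough never replaced with the real password.
    pw = env["MSFRPC_PASS"]
    if pw.startswith("[") and pw.endswith("]"):
        problems.append("MSFRPC_PASS still holds the [msgrpc_password] placeholder")

    # Port must be a usable TCP port number.
    raw_port = env["MSFRPC_PORT"]
    try:
        port = int(raw_port)
        if not 1 <= port <= 65535:
            raise ValueError(raw_port)
    except ValueError:
        problems.append(f"MSFRPC_PORT {raw_port!r} is not a valid TCP port")

    # The RPC listener should only be reached on the local machine.
    raw_host = env["MSFRPC_HOST"]
    try:
        host = ipaddress.ip_address(raw_host)
        if not host.is_loopback:
            problems.append(f"MSFRPC_HOST {host} is not a loopback address")
    except ValueError:
        if raw_host != "localhost":
            problems.append(f"MSFRPC_HOST {raw_host!r} is not an IP address or localhost")
    return problems


if __name__ == "__main__":
    for line in check_msfrpc_env() or ["msfrpc environment looks usable"]:
        print(line)
```

Run it in the same shell that sourced ~/.bashrc; a clean result means cscan.py will at least find a complete set of credentials pointing at the local listener.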

Done. The environment is ready! You can see a video demonstration of this setup here.

Running cscan.py

You can now run the continuous scanning script!

Open a new terminal and run:

```
$ cd cscan-pentest-env/
$ ./cscan.py
```

This will take a long time to scan the two targets: about 2 hours and 45 minutes in my case, to spawn 7 shells on metasploitable2 :) (0 for metasploitable3-win2008r2).

See the following videos:

An example output for the autoscan & autosploit resources is available here.

Happy Hacking!