I installed a vulnerable version of icecast on my Windows 7 VM and scanned it with nessus. I loaded the .nessus file into a metasploit db then ran db_autopwn but it didn't create any sessions. It tried to run about 50 exploits but didn't run the icecast exploit. I conclude that this approach isn't very effective. I notice that metasploit ran the exploits quite rapidly so I could instead just port scan the victim to get a list of open ports then run every single possible exploit associated with those open ports. Or I could just try every single windows exploit. Is there a command in metasploit to do this?

As far as I know not in metasploit, but this command exists in armitage. It's the hail-mary attack. You can do it either by port or by vulnerability. (If vulnerability scan results are available.)

Besides that, it'd probably be a lot more effective and a LOT more stealthy to just search for icecast exploits trough msfconsole and tune/launch them manually.

Also, make sure you have a clear path for the payload to connect it's session. (An open port on the target for regular sessions, or an open port to your metasploit machine for reverse and/or staged payloads.)

Well I know you can use nmap in metasploit for this purpose. Then you can run autopwn against those ports. I'm not sure if your indicating you tried that or not, but here's pretty much how you would do that:

Code: Select all

db_nmap 192.168.0.1 -p 8000
db_autopwn -p -e

With that, it would scan port 8000 (that's icecast isn't it?), and launch any exploits that match for that port. You could do whatever nmap options, but need root/admin before you start metasploit. The autopwn attack is the one that normally will try to launch any and all exploits at the machine in hopes one works.

What it doesn't do is any checks that you would normally do manually to see if the unsuccessful launching of an exploit will crash the service or machine. This is why it is better to narrow it down to either only open ports with nmap, or a single service with a targeted exploit. The later being optimal.

Also, mind you I haven't tinkered with metasploit in some time, but I think you still want to tell it what driver to use and create a database first:

Code: Select all

db_driver sqlite3 or something?
db_create mydb
db_nmap 192.168.0.1 -p 8000
db_autopwn -p -e

I think they dropped sqlite3 support a few versions back.

Yeah I think it's on postgresql now.

Thor wrote:Yeah I think it's on postgresql now.

postgres or mysql.

Cool_Fire wrote:Besides that, it'd probably be a lot more effective and a LOT more stealthy to just search for icecast exploits trough msfconsole and tune/launch them manually.

Yeah of course, I've tried that and it works. Thats the reason I assumed db_autopwn should work, because I've tested the exploit so I know it works. The problem is in a real life scenario, I wouldn't automatically know a computer is running a vulnerable version of a program. I'm not sure if nmap would even tell me that IceCast is running on a particular server.

Thor wrote:Well I know you can use nmap in metasploit for this purpose. Then you can run autopwn against those ports. I'm not sure if your indicating you tried that or not, but here's pretty much how you would do that:

Haven't tried that yet, thanks.

CaptainCheeseTits wrote:I'm not sure if nmap would even tell me that IceCast is running on a particular server.

With the -sV flag, yes it can.