For me (Dave Kennedy) this was one of the first modules I ever built for the Metasploit framework. I am a Python guy, and switching to Ruby actually ended up not being "as" bad as I had anticipated. After I built the module, I wanted to write up step by step how I created it, give a little introduction to module building, and show how easy it really is to add additional tools or exploits to the Metasploit framework.
I first want to give you a little idea of some of the key components of the Metasploit framework that we'll be talking about.
First take a peek at the lib/msf/core section within Metasploit. This area is a goldmine that you will want to leverage so you don't have to reconstruct every protocol or attack each time. Browse to the core/exploit section:
We can see several areas that could be useful for us; for example, there are already prepackaged protocols like Microsoft SQL, HTTP, TCP, Oracle, RPC, FTP, SMB, SMTP, and much more. Take a look at mssql.rb and mssql_commands.rb: these two have recently undergone some significant changes by HD Moore, myself, and Dark Operator, as we are adding quite a bit of functionality on the MSSQL side.
Starting on line 126 of mssql.rb is the section we will be heavily focusing on. Read through it and get a basic understanding, as we will be covering this area later.
Let's leave core and head to the "modules" directory. Any new file we add here is dynamically imported into Metasploit for us. Let's try a very simple program: go into framework3/modules/auxiliary/scanner/mssql
Do a quick "cp mssql_ping.rb ihaz_sql.rb"
Edit the file real quick using nano or vi and let's modify it just slightly. I'm going to walk you through each line and what it means:
```ruby
##
# $Id: ihaz_sql.rb 7243 2009-12-04 21:13:15Z rel1k $
##
# (the $Id line above automatically gets set for us when we check in)

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# (licensing agreement, keep standard)

require 'msf/core'                       # use the msf core library

class Metasploit3 < Msf::Auxiliary       # it's going to be an auxiliary module

  include Msf::Exploit::Remote::MSSQL    # we are using remote MSSQL, right?
  include Msf::Auxiliary::Scanner        # it used to be a SQL scanner

  def initialize                         # initialize the main section
    super(
      'Name'        => 'I HAZ SQL Utility',                  # name of the exploit
      'Version'     => '$Revision: 7243 $',                  # svn number
      'Description' => 'This just prints some funny stuff.', # description of the exploit
      'Author'      => 'relik',                              # that's you, bro!
      'License'     => MSF_LICENSE                           # keep standard
    )

    deregister_options('RPORT', 'RHOST') # don't specify RPORT or RHOST
  end

  def run_host(ip)                       # define the main function
    begin                                # begin the function
      puts "I HAZ SQL!!!!"               # print "I HAZ SQL!!!!" to the screen
    end                                  # close
  end                                    # close
end                                      # close
```
Now that you have a basic idea of the module, save it (without the annotations) and let's run it in msfconsole.
```
   Name                      Description
   ----                      -----------
   scanner/mssql/ihaz_sql    MSSQL Ping Utility
```

```
msf > use scanner/mssql/ihaz_sql
msf auxiliary(ihaz_sql) > show options

Module options:

   Name        Current Setting                                       Required  Description
   ----        ---------------                                       --------  -----------
   HEX2BINARY  /pentest/exploits/framework3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
   MSSQL_PASS                                                        no        The password for the specified username
   MSSQL_USER  sa                                                    no        The username to authenticate as
   RHOSTS                                                            yes       The target address range or CIDR identifier
   THREADS     1                                                     yes       The number of concurrent threads

msf auxiliary(ihaz_sql) > set RHOSTS doesntmatter
RHOSTS => doesntmatter
msf auxiliary(ihaz_sql) > exploit
I HAZ SQL!!!!
```
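The module above never loops over targets itself: the RHOSTS and THREADS options come from the Msf::Auxiliary::Scanner mixin, which expands the address range and calls run_host(ip) once per host. The stand-alone Ruby below is an added illustration of that behaviour, not Metasploit's own code; expand_rhosts and run_scanner are hypothetical names, and it assumes IPv4 targets given as single addresses, CIDR blocks, or start-end ranges.

```ruby
# Added illustration (not Metasploit's own code): how a Scanner-style module's
# RHOSTS and THREADS options drive run_host(ip). Real modules inherit this from
# Msf::Auxiliary::Scanner; this stand-alone version only mimics the behaviour.
require 'ipaddr'

# Expand an RHOSTS string ("192.0.2.1", "192.0.2.0/30", "192.0.2.5-192.0.2.7",
# space-separated) into individual addresses. Assumption: IPv4 only.
def expand_rhosts(rhosts)
  rhosts.split.flat_map do |spec|
    if spec.include?('/')
      IPAddr.new(spec).to_range.map(&:to_s)
    elsif spec.include?('-')
      first, last = spec.split('-', 2).map { |s| IPAddr.new(s) }
      (first..last).map(&:to_s)
    else
      [IPAddr.new(spec).to_s]
    end
  end
end

# Call the run_host block for every expanded target with at most `threads`
# workers (mirroring THREADS). Returns [[ip, result], ...] sorted by address.
def run_scanner(rhosts, threads: 1, &run_host)
  queue = Queue.new
  expand_rhosts(rhosts).each { |ip| queue << ip }
  results = Queue.new
  workers = Array.new(threads) do
    Thread.new do
      # pop(true) raises ThreadError when the queue is drained
      while (ip = (queue.pop(true) rescue nil))
        results << [ip, run_host.call(ip)]
      end
    end
  end
  workers.each(&:join)
  out = []
  out << results.pop until results.empty?
  out.sort_by { |ip, _| IPAddr.new(ip).to_i }
end

if __FILE__ == $0
  # Constructed sample range; the block plays the role of run_host(ip).
  run_scanner('192.0.2.0/30 192.0.2.10-192.0.2.11', threads: 2) do |ip|
    puts "I HAZ SQL!!!! (#{ip})"
  end
end
```

Setting RHOSTS to "doesntmatter" works in the page's session only because the real mixin still calls run_host for whatever it is given; this illustration is stricter and expects parseable addresses.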