Pwn Faster with Metasploit's Multi-Host Check Command

Last updated at Fri, 12 Jan 2024 16:13:27 GMT

One of the most popular requests I've received from professional penetration testers is that they often need to be able to break into a network as fast as possible, and as many as possible during an engagement. While Metasploit Pro or even the community edition already gives you a significant advantage in speed and efficiency, there is still quite a large group of hardcore Framework users out there, so we do whatever we can to improve everybody's hacking experience. A new trick we'd like to introduce today is the modified "check" command, which allows you to quickly identify vulnerable, or likely exploitable machines in a more accurate manner.

However, you should also understand that Metasploit isn't a real vulnerability scanner even though it has checks. For your vulnerability scanning needs, we recommend using a real scanner like Nexpose (or whatever it is you prefer), and import the results to Metasploit.

New Check Command Usage

Before these changes, users could only run the check command one host at a time, which made it less practical against a large network. You could write resource scripts to overcome this problem, but in reality not everybody is equipped with hands-on programming experience in Ruby and the Metasploit API. Well, this is no longer a challenge starting today. What you can do now is being able to check a range of hosts with whatever exploit or auxiliary module you're using, and you can specify the number of threads needed to perform this task. A very basic usage is demonstrated below:

msf> use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > set rhost 192.168.0.123
rhost => 192.168.0.123
msf exploit(ms08_067_netapi) > check

Or it can be as simple as the following without the need to specify the RHOST or RHOSTS datastore option (auxiliary scanning modules use RHOSTS):

msf> use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > check 192.168.0.100-192.168.0.120

The default thread count is 1, but this is configurable. How many threads you can create depends on your system, so we advice you play around with it a little bit with a process monitor tool and decide for yourself. Here's an example of running a multi-threaded check to make the module scan faster:

msf exploit(ms08_067_netapi) > set THREADS 10
THREADS => 10
msf exploit(ms08_067_netapi) > check 192.168.1.1/24

Please note that all checks now are also less verbose than before by default, but if you prefer to be more well informed about what's happening, you can always set the VERBOSE datastore option to true.

New CheckCode Definitions

While adding this new feature to Metasploit, we also spent quite a lot of time redefining check codes and tweaking hundreds of existing modules and other files as an effort to allow users to better understand what the check is telling them, and use the module with more confidence. Please take your time to read the new guidelines before you decide to exploit anything:

• Exploit::CheckCode::Unknown - The module fails to retrieve enough information from the target machine, such as due to a timeout or some kind of connection issue.
• Exploit::CheckCode::Safe - The check fails to trigger the vulnerability, or even detect the service.
• Exploit::CheckCode::Detected - The target is running the service in question, but the check fails to determine whether the target is vulnerable or not.
• Exploit::CheckCode::Appears - This is used if the vulnerability is determined based on passive reconnaissance. For example: version, banner grabbing, or simply having the resource that's known to be vulnerable. There is no solid proof whether the target machine is actually exploitable or not.
• Exploit::CheckCode::Vulnerable - The check is able to actually take advantage of the bug, and obtain some sort of hard evidence. For example: for a command execution type bug, it's able to execute a command and obtain an expected output. For a directory traversal, read a file from the target, etc. This level of check is pretty aggressive in nature, but normally shouldn't be DoSing the host as a way to prove the vulnerability.
• Exploit::CheckCode::Unsupported - The module does not support the check method.

Module Developers

If you're interested in Metasploit module development, please also read our guidelines on how to write a check() method here.

And that's it for today. Current Metasploit users can simply run msfupdate and you shall receive these changes. However, to maximize your lightning-fast pwn power, feel free to try out Metasploit Pro or the community edition (free), and watch our recently-made video from David 'TheLightCosine' Maloney on "From Framework to Pro: How to Use Metasploit Pro in Penetration Tests."