HTTP/HTTPS Bruteforcing Using a List of IPs and Hostnames with Metasploit

Today, I wrote some automation to make it easier to setup and perform HTTP bruteforcing using a list of IPs and hostnames with Metasploit.

Metasploit has several auxiliary modules that make it easy to perform various types of bruteforce based attacks. For example, we can easy bruteforce all HTTP BASIC AUTH systems by using the http_login module.

		msf > use auxiliary/scanner/http/http_loginmsf  auxiliary(http_login) > set RHOSTS 10.0.0.0/24RHOSTS => 10.0.0.0/24msf  auxiliary(http_login) > run[...snip…]	

The problem with this is when the website is different when you use the hostname and the IP. This is very common in penetration testing. In this case, the VHOST option needs to be set in addition to the RHOSTS option. The VHOST options should contain the hostname of the target. However, VHOST option can only be set to a single hostname. So if we have multiple IPs that have different hostnames, we need a good way to pass this information into Metasploit. To solve this problem, I wrote some automation to make it easier to perform HTTP bruteforcing using a list of IPs and hostnames with Metasploit.

This code helps you work around the following bug in Metasploit: http://dev.metasploit.com/redmine/issues/6828

Hopefully, this will be fixed in the next release.

Regards,
@jabra

Contact Praetorian for a zip file of the Perl scripts »

Usage:

1. Store a list of all of the hostnames you want to test into hostnames.txt

2. Create a CSV with the list of hostnames and the IPs.

		cat hostnames.txt |perl resolve.pl > IPs.txtjoin hostnames.txt IPs.txt > hostnames_IPs.txt	

3. Generate the resource scripts to perform HTTP and HTTPS bruteforcing

		cat hostnames_IPs.txt |perl brute_http.pl > brute_http.rccat hostnames_IPs.txt |perl brute_https.pl > brute_https.rc	

4. Load the resource scripts into Metasploit to start bruteforcing:

		msf> resource /tmp/brute_https.rc[...bruteforcing https…][...snip…] msf> resource /tmp/brute_http.rc[...bruteforcing http…][...snip…]	

5. Enjoy and Pwn dem v0hns!

Code Preview:

brute_https.pl

		/*!/usr/bin/perl -w brute_https.pl - Metasploit resource script generation forhttp_login bruteforce with SSL*/ use strict;while(<>){chomp;my ($hostname,$ip) = split(',',$_);if ($ip =~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/){print "set RHOSTS $ipn";print "set VHOST $hostnamen";print "set SSL truen";print "set RPORT 443n";print "runn";}}	

brute_http.pl

		/* !/usr/bin/perl -w brute_http.pl - Metasploit resource script generation forhttp_login bruteforce*/ use strict;while(<>){chomp;my ($hostname,$ip) = split(',',$_);if ($ip =~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/){print "set RHOSTS $ipn";print "set VHOST $hostnamen";print "set RPORT 80n";print "runn";}}	

resolve.pl

		/*!/usr/bin/perl -wresolve.pl - resolve a hostname to an IP address*/ use strict;use Socket;while(<>) {s/s+//g;chomp;my $packed_ip = gethostbyname( $_ );if ( defined $packed_ip ) {print inet_ntoa($packed_ip) . "n";}else {print "Couldn't resolve $_n";}}	

join.pl

		/*!/usr/bin/perl -wjoin.pl - combine two files into a CSV*/ use strict;use List::MoreUtils qw(each_array);sub usage {print "Usage: $0 [file1] [file2]n";exit;}if (defined($ARGV[0]) and defined($ARGV[1])) {open(FILE1,$ARGV[0]) and open(FILE2,$ARGV[1]) or usage();my @ary1 = ;my @ary2 = ;if ( scalar(@ary1) == scalar(@ary2) ) {my $ea = each_array(@ary1, @ary2);while ( my ($a, $b) = $ea->() )   {chomp($a);print join(',',$a,$b);}}}else {usage();}	
icon-praetorian-

See Praetorian in Action

Request a 30-day free trial of our Managed Continuous Threat Exposure Management solution.

About the Authors

Catch the Latest

Catch our latest exploits, news, articles, and events.

Ready to Discuss Your Next Continuous Threat Exposure Management Initiative?

Praetorian’s Offense Security Experts are Ready to Answer Your Questions