Today, I wrote some automation to make it easier to setup and perform HTTP bruteforcing using a list of IPs and hostnames with Metasploit.

Metasploit has several auxiliary modules that make it easy to perform various types of bruteforce based attacks. For example, we can easy bruteforce all HTTP BASIC AUTH systems by using the http_login module.

		msf > use auxiliary/scanner/http/http_loginmsf  auxiliary(http_login) > set RHOSTS =>  auxiliary(http_login) > run[...snip…]	

The problem with this is when the website is different when you use the hostname and the IP. This is very common in penetration testing. In this case, the VHOST option needs to be set in addition to the RHOSTS option. The VHOST options should contain the hostname of the target. However, VHOST option can only be set to a single hostname. So if we have multiple IPs that have different hostnames, we need a good way to pass this information into Metasploit. To solve this problem, I wrote some automation to make it easier to perform HTTP bruteforcing using a list of IPs and hostnames with Metasploit.

This code helps you work around the following bug in Metasploit:

Hopefully, this will be fixed in the next release.


Contact Praetorian for a zip file of the Perl scripts »


1. Store a list of all of the hostnames you want to test into hostnames.txt

2. Create a CSV with the list of hostnames and the IPs.

		cat hostnames.txt |perl > IPs.txtjoin hostnames.txt IPs.txt > hostnames_IPs.txt	

3. Generate the resource scripts to perform HTTP and HTTPS bruteforcing

		cat hostnames_IPs.txt |perl > brute_http.rccat hostnames_IPs.txt |perl > brute_https.rc	

4. Load the resource scripts into Metasploit to start bruteforcing:

		msf> resource /tmp/brute_https.rc[...bruteforcing https…][...snip…] msf> resource /tmp/brute_http.rc[...bruteforcing http…][...snip…]	

5. Enjoy and Pwn dem v0hns!

Code Preview:

		/*!/usr/bin/perl -w - Metasploit resource script generation forhttp_login bruteforce with SSL*/ use strict;while(<>){chomp;my ($hostname,$ip) = split(',',$_);if ($ip =~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/){print "set RHOSTS $ipn";print "set VHOST $hostnamen";print "set SSL truen";print "set RPORT 443n";print "runn";}}

		/* !/usr/bin/perl -w - Metasploit resource script generation forhttp_login bruteforce*/ use strict;while(<>){chomp;my ($hostname,$ip) = split(',',$_);if ($ip =~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/){print "set RHOSTS $ipn";print "set VHOST $hostnamen";print "set RPORT 80n";print "runn";}}

		/*!/usr/bin/perl - resolve a hostname to an IP address*/ use strict;use Socket;while(<>) {s/s+//g;chomp;my $packed_ip = gethostbyname( $_ );if ( defined $packed_ip ) {print inet_ntoa($packed_ip) . "n";}else {print "Couldn't resolve $_n";}}

		/*!/usr/bin/perl - combine two files into a CSV*/ use strict;use List::MoreUtils qw(each_array);sub usage {print "Usage: $0 [file1] [file2]n";exit;}if (defined($ARGV[0]) and defined($ARGV[1])) {open(FILE1,$ARGV[0]) and open(FILE2,$ARGV[1]) or usage();my @ary1 = ;my @ary2 = ;if ( scalar(@ary1) == scalar(@ary2) ) {my $ea = each_array(@ary1, @ary2);while ( my ($a, $b) = $ea->() )   {chomp($a);print join(',',$a,$b);}}}else {usage();}