Tag: Black Hat Go

Automated Command Execution via Metasploit’s RPC API

Automated Command Execution via Metasploit’s RPC API

Recently I purchased the Black Hat Go book from No Starch Press. The book has a pretty good overview of using Go for offensive security minded people. In Chapter 3 the book has a section on creating a client for Metasploit’s RPC API. The final code is publicly available on the book’s GitHub repo. Download it to follow along.

Rapid7 provides the documentation for Metasploit’s RPC API here: https://metasploit.help.rapid7.com/docs/rpc-api. All of the API calls that are implemented can be found here: https://metasploit.help.rapid7.com/docs/standard-api-methods-reference

First boot up Metasploit and start the RPC server:

msf5 > load msgrpc Pass=password ServerHost=192.168.0.15
[*] MSGRPC Service:  192.168.0.15:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: password
[*] Successfully loaded plugin: msgrpc

The code from Black Hat go relies on two environment variables to be set, MSFHOST and MSFPASS.

$ export MSFHOST=192.168.0.15:55552
$ export MSFPASS=password

The existing code will print out each session id and some basic information about each session that currently exists in the running metasploit instance. This isn’t too particularly helpful, especially with the availability of the other API calls.

$ go run main.go
Sessions:
    1  SSH test:pass (127.0.0.1:22)

The first useful case would be loading a list of commands to be run on all sessions and returning the output. For this exercise I’ll make use of the session.shell_read and session.shell_write methods to run commands on the SSH session that I have.

The session.shell_write method has the following structure:

Client:

[ "session.shell_write", "<token>", "SessionID", "id\n" ]

Server:

{ "write_count" => "3" }

In the rpc/msf.go file, two structs can be added to handle this data:

type sessionWriteReq struct {
	_msgpack  struct{} `msgpack:",asArray"`
	Method    string
	Token     string
	SessionID uint32
	Command   string
}

type sessionWriteRes struct {
	WriteCount string `msgpack:"write_count"`
}

It’s worth noting that the command needs to have a newline delimiter included in the message. I tested out a few inputs and found that consecutive commands didn’t work. Ex: “id;whoami;hostname”. Only the first command would be run.

The following method can be added to rpc/msf.go to write a command to a particular session:

func (msf *Metasploit) SessionWrite(session uint32, command string) error {
	ctx := &sessionWriteReq{
		Method:    "session.shell_write",
		Token:     msf.token,
		SessionID: session,
		Command:   command,
	}

	var res sessionWriteRes
	if err := msf.send(ctx, &res); err != nil {
		return err
	}

	return nil
}

The function doesn’t return anything other than errors as the write_count isn’t helpful to us. A method call can be added to the client/main.go file to execute commands.

msf.SessionWrite(session.ID, "id\n")

This executes commands, but prevents us from seeing the results. The next step is implementing the session.shell_read method so that we can return the results.

The session.shell_read method has the following structure:

Client:

[ "session.shell_read", "<token>", "SessionID", "ReadPointer ]

Server:

{
"seq" => "32",
"data" => "uid=0(root) gid=0(root)…"
}

Similarly to the write operation, two structs for reading the results can be used:

type sessionReadReq struct {
	_msgpack    struct{} `msgpack:",asArray"`
	Method      string
	Token       string
	SessionID   uint32
	ReadPointer string
}

type sessionReadRes struct {
	Seq  uint32 `msgpack:"seq"`
	Data string `msgpack:"data"`
}

The ReadPointer is interesting as it allows for us to maintain state. Rapid7 encourages this behavior as it allows for collaboration. We will need to determine how to obtain the current ReadPointer before writing data to ensure only my client’s output is returned. For now let’s stick with a value of 0 to ensure we capture all output. Add the following method:

func (msf *Metasploit) SessionRead(session uint32, readPointer uint32) (string, error) {
	ctx := &sessionReadReq{
		Method:      "session.shell_read",
		Token:       msf.token,
		SessionID:   session,
		ReadPointer: string(readPointer),
	}

	var res sessionReadRes
	if err := msf.send(ctx, &res); err != nil {
		return "", err
	}

	return res.Data, nil
}

A small addition to client/main.go can be made to read all data from the session:

data, err := msf.SessionRead(session.ID, 0)
if err != nil {
	log.Panicln(err)
}
fmt.Printf("%s\n", data)

Running the new code gives the following

$ go run main.go
Sessions:
    1  SSH test:pass (127.0.0.1:22)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[snip]
test:x:1001:1001:Mista Test,,,:/home/test:/bin/bash
uid=1001(test) gid=1001(test) groups=1001(test)

Woah. I didn’t list out /etc/passwd! Looks like the results are spitting out more than the “id” command that was specified. It’s time to figure out how to get the latest ReadPointer instead of 0.

Digging through the other methods:

The session.ring_last method will return the last issued ReadPointer (sequence number) for the specified Shell session.

https://metasploit.help.rapid7.com/docs/standard-api-methods-reference#section-session-ring-last

Perfect! Let’s add two additional structs to manage the request and response:

type sessionRingLastReq struct {
	_msgpack    struct{} `msgpack:",asArray"`
	Method      string
	Token       string
	SessionID   uint32
}

type sessionRingLastRes struct {
	Seq  uint32 `msgpack:"seq"`
}

The structs should all look very similar since the requests and responses are nearly identical.

First off let’s send a request to connect and get the last sequence number for our ReadPointer. I’ll create a SessionReadPointer method to obtain this value:

func (msf *Metasploit) SessionReadPointer(session uint32) (uint32, error) {
	ctx := &sessionRingLastReq{
		Method:    "session.ring_last",
		Token:     msf.token,
		SessionID: session,
	}

	var sesRingLast sessionRingLastRes
	if err := msf.send(ctx, &sesRingLast); err != nil {
		return 0, err
	}

	return sesRingLast.Seq, nil
}

In my client/main.go code I can add a call to this function prior to writing a command and then update the read call to use this returned value.

readPointer, err := msf.SessionReadPointer(session.ID)
if err != nil {
	log.Panicln(err)
}
msf.SessionWrite(session.ID, "id\n")
data, err := msf.SessionRead(session.ID, readPointer)
if err != nil {
	log.Panicln(err)
}
fmt.Printf("%s\n", data)

I can then go ahead and update the code:

$ go run main.go
Sessions:
    1  SSH test:pass (127.0.0.1:22)
uid=1001(test) gid=1001(test) groups=1001(test)

Awesome. Only the results of the command specified will be printed out. How can I expand on this to automate running scripts on each session?

For this second part I will ingest a file that has as many commands as I wish to run that are separated by new line characters.

An example would be:

whoami
date
id
hostname

I’ll transfer the code from the client/main.go into the rpc/msf.go file to make it reusable:

func (msf *Metasploit) SessionExecute(session uint32, command string) (string, error) {
	readPointer, err := msf.SessionReadPointer(session)
	if err != nil {
		return "", err
	}
	msf.SessionWrite(session, command)
	data, err := msf.SessionRead(session, readPointer)
	if err != nil {
		return "", err
	}
	return data, nil
}

The next step is reading the file into a slice. I went ahead and used the bufio package to scan the file line by line. I added the following underneath the variable declarations to my client/main.go file.

commands := []string{}
if len(os.Args) == 2 {
	file, err := os.Open(os.Args[1])
	if err != nil {
		log.Fatalln(err)
	}
	defer file.Close()

	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		commands = append(commands, scanner.Text())
	}
}

The contents of the file specified in the first argument will be read into the commands slice. Printing out the contents of commands provides:

[whoami date id hostname]

In the rpc/msf.go file I added a new function to wrap around SessionExecute. The bufio scanner removed the newline character from each line, so this helper method can add it back and reuse the SessionExecute method as many times as needed. The results are returned on an error or once all the commands are done.

func (msf *Metasploit) SessionExecuteList(session uint32, commands []string) (string, error) {
	var results string
	for _, command := range commands {
		tCommand  := fmt.Sprintf("%s\n", command)
		result, err := msf.SessionExecute(session, tCommand)
		if err != nil {
			return results, err
		}
		results += result
	}

	return results, nil
}

Finally within the client/main.go file I added a check to see if the commands variable has any commands to run on each session. If it does, we can call msf.SessionExecuteList and print out the results.

if len(commands) > 0 {
	data, _ := msf.SessionExecuteList(session.ID, commands)
	fmt.Printf("%s", data)
}

Running the code gives the following:

go run main.go commands.txt
Sessions:
    1  SSH test:pass (127.0.0.1:22)
zepher
test
Mon Apr 27 16:20:51 CDT 2020
uid=1001(test) gid=1001(test) groups=1001(test)

The output could be cleaned up a bit especially with multiple sessions. Perhaps the command output along with more of the session metadata could be put into JSON for easy parsing.

The proof of concept is powerful. It allows for command execution in a collaborative environment that scales well. Overall the API provides an opportunity to automate some of the manual tasks that are restricted to msfconsole. I recommend playing around with some of the other API calls and taking a look at Black Hat Go.

The final code can be found on my Github repo: https://github.com/wdahlenburg/msf-rpc-client