Scripting a basic attack with Cortana will help us understand Cortana with a much wider approach. So, let's see an example script that automates the exploitation on port 8081 for a Windows OS:
on service_add_8081 {
println("Hacking a Host running $1 (" . host_os($1) . ")");
if (host_os($1) eq "Windows 7") {
exploit("windows/http/rejetto_hfs_exec", $1, %(RPORT => "8081"));
}
}
The preceding script will execute when an Nmap or MSF scan finds port 8081 open. The script will check whether the target is running on a Windows 7 system upon which Cortana will automatically attack the host with the rejetto_hfs_exec exploit on port 8081.
In the preceding script, $1 specifies the IP address of the host. print_ln prints out the strings and variables. host_os is a function in Cortana that returns the operating system of the host. The exploit function launches an exploit module at the address specified by the $1 parameter, and % signifies options that it can be set for an exploit in case a service is running on a different port or requires additional details. service_add_8081 specifies an event that is to be triggered when port 8081 is found open on a particular client.
Let's save the earlier-mentioned script and load this script into Armitage by navigating to the Armitage tab and clicking on Scripts:
To run the script against a target, perform the following steps:
- Click on the Load button to load a Cortana script into Armitage:
- Select the script and click on Open. The action will load the script into Armitage forever:
- Move on to the Cortana console and type the help command to list the various options that Cortana can make use of while dealing with scripts.
- Next, to see the various operations that are performed when a Cortana script run, we will use the logon command followed by the name of the script. The logon command will provide logging features to a script and will log every operation performed by the script, as shown in the following screenshot:
- Now, let's perform an intense scan of the target by browsing the Hosts tab and selecting Intense Scan from the Nmap submenu.
- As we can see, we found a host with port 8081 open. Let's move back on to our Cortana console and see whether some activity has occurred:
- Bang! Cortana has already taken over the host by launching the exploit automatically on the target host.
As we can see, Cortana made penetration testing very easy for us by performing the operations automatically. In the next few sections, we will look at how we can automate post-exploitation and handle further operations of Metasploit with Cortana.