In this section, we are going to understand how the general_interactive() method works. Although we could have Metasploit commands implemented with this method as well, to keep the separation of categories, we implemented Metasploit separately.
The objective of general_interactive is to automate interactive tools and Bash commands. This means that the JSON file contains both success patterns and failure patterns, which define the workflow of execution. We will be using Pexpect to accommodate this as shown here:
Let's take a closer look at this method by carrying out a dry run, as shown here:
As we can see in the args[], the first argument is the timeout. The second index holds the command that we wish to automate using the general interactive method. As always for this category, the first argument will be the timeout and the second will be the command to be fired. From here on, an alternate pattern is defined. The third index will hold the expected output list and the success criteria. If the success criteria is met, the fourth index will hold the next command to be send to the console. The fifth index will again hold the expected output list based upon the command sent in the fourth index, and it also holds the success criteria. The pattern is straightforward, and the same alternating sequence is carried on as required by the underlying command or tool that we plan to automate.
The success criteria is defined at the first index of the expected output list. If there are multiple success outcomes or indices, they can be given as a comma separated input at the first index. Let's take the above example of rlogin, where we are trying to do a remote login with root as the username and password, and try to understand what the expected output list holds and signifies. The list at index 3 holds ['0,1','.* password: .*","[$,#]",".*No route.*"]. Here, the 0th index "0,1" defines the success criteria. This means that if the terminal expects either ".* password: .*" or "[$,#]", we assume that the output is as expected and therefore we send the next command to the console, which is "root" in our case. If we get anything other than index 0 or 1, we assume that the tool or script is not behaving as expected, and thus abort the operation.
To configure commands and scripts that belong to this category, the tester needs to know how the script executes under both success and failure conditions, and formulate the configuration file once. The preceding code is straightforward and implements the same logic we discussed previously.