Using Metasploit
This chapter covers various aspects of using the Metasploit Framework.
For the time being, it is a collection of assorted topics. Later these can be organized to make more sense.
Using Databases with MSF
MSF allows scan and exploitation results to be stored in a database for persistent storage. The framework supports quite a few database back-ends. These include:
- Postgres
- MySQL
- SQLite (version 2 & 3)
Note: Except for SQLite (which stores the database as a file), you need to start the database server (Postgres or MySQL) before the Framework can use it.
Note: Using the Framework with Postgres requires edits to /etc/postgresql/x.x/main/pg_hba.conf. Replace the default "ident" method with "trust" as shown:
Note: Before using Postgres, you must run $ gem install postgres. This requires the header files that come with postgresql-dev.
Note: For best results, use msfconsole to interact with a database from the Framework.
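A pg_hba.conf fragment illustrating the edit described in the note above (added here as an example, not taken from the original page or from the framework); the default lines, the file layout and the metasploit database and role names are assumptions:

```text
# /etc/postgresql/x.x/main/pg_hba.conf  (constructed example)
# TYPE  DATABASE    USER    CIDR-ADDRESS    METHOD

# Default lines: the connecting OS user must match the database role
# local   all       all                     ident
# host    all       all     127.0.0.1/32    ident

# Change the note describes: these connections are accepted without authentication
local   all         all                     trust
host    all         all     127.0.0.1/32    trust

# Narrower variant: trust only the MSF role on the MSF database (names assumed),
# or keep a password check with md5 on a machine shared with other users
# local   metasploit  msf                   md5
```

With "trust" on "all/all", any local user who can reach the socket can connect as any role, including the superuser, so scoping the record to the MSF database and role is the cheaper safeguard.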
Database storage comes in handy for MSF in quite a few ways. The most interesting and hottest topic, automated exploitation (someone please write a good article on that based on H.D.'s blog), works with database integration: MSF can scan hosts using nmap, store their state in the DB, and then automatically try to exploit vulnerabilities for which MSF has exploits. Auxiliary modules such as scanners can also use the database to store state information, and you can even write your own quick scanner and have it store its findings in the underlying database.
The Database Schema
MSF creates a database for its own use. This database contains the following tables:
- hosts
- creds
- refs
- services
- vulns
- vulns_refs
- clients
- events
- loots
- report_templates
- reports
- tasks
- users
- workspaces
You can easily view the structure of this database in your RDBMS.
Note: The folder framework_base_folder/data/sql/ contains SQL files that are used to create the database tables for a given RDBMS.
Loading A Database Module
Before databases can be used with MSF, the appropriate database module must be loaded. In msfconsole this is done with the load db_* commands. Here is a sample session using MySQL with MSF.
root # /etc/rc.d/rc.mysqld start # start mysql database server
Starting mysqld daemon with databases from /var/lib/mysql
root # msfconsole # start MSF console interface
[msfconsole ASCII-art banner]
       =[ msf v3.1-dev
+ -- --=[ 191 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 35 aux
msf > load db_mysql # Load mysql database plugin
[*] Successfully loaded plugin: db_mysql
msf > help # New set of commands are available now
MySQL Database Commands
=======================
Command Description
------- -----------
db_connect Connect to an existing database ( user:pass@host:port/db )
db_create Create a brand new database ( user:pass@host:port/db )
db_destroy Drop an existing database ( user:pass@host:port/db )
db_disconnect Disconnect from the current database instance
Creating a Database
The first time you want to use a database with MSF, you need to create it. Once a database is created, you can use it in future sessions simply by connecting to it. The db_create command creates a new database. Let's create a database named metasploit:
# Connect as user root with password mydbpass and create a database named metasploit
msf > db_create root:mydbpass@localhost/metasploit
[*] Database creation complete (check for errors)
Once a database is created, it is automatically usable for that session. In later sessions, you connect to the db.
Using an Existing Database
If you have created a database previously, then in future sessions you can just use it with the db_connect command.
root # msfconsole # start MSF console interface
[msfconsole ASCII-art banner]
       =[ msf v3.1-dev
+ -- --=[ 191 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 35 aux
msf > load db_mysql # Load mysql database plugin
[*] Successfully loaded plugin: db_mysql
msf > db_connect root:mydbpass@localhost/metasploit # Connect to the metasploit db
msf > help # Upon connecting to a database, we get another new set of commands
Database Backend Commands
=========================
Command Description
------- -----------
db_add_host Add one or more hosts to the database
db_add_port Add a port to host
db_autopwn Automatically exploit everything
db_hosts List all hosts in the database
db_import_nessus_nbe Import a Nessus scan result file (NBE)
db_import_nmap_xml Import a Nmap scan results file (-oX)
db_nmap Executes nmap and records the output automatically
db_services List all services in the database
db_vulns List all vulnerabilities in the database
msf > db_hosts
[*] Host: localhost
Disconnecting a Database
If during a session you no longer need the database, you can disconnect from it by simply issuing the db_disconnect command at the 'msf >' prompt.
Dropping a Database
When you want to delete the database together with all the data in it (perhaps you have taken a backup and now want to free up disk space), use the db_destroy command.
msf > db_destroy root:mydbpass@localhost/metasploit # Drops the metasploit database
Database "metasploit" dropped
Database Backend Commands
When MSF is connected to a database, another set of commands, the Database Backend Commands, becomes available. These commands let you run port scans against hosts and record which hosts are live, what services they run and what vulnerabilities those services have.
Command                 Description
-------                 -----------
db_add_host             Add one or more hosts to the database
db_add_note             Add a note to host
db_add_port             Add a port to host
db_autopwn              Automatically exploit everything
db_hosts                List all hosts in the database
db_import_nessus_nbe    Import a Nessus scan result file (NBE)
db_import_nmap_xml      Import a Nmap scan results file (-oX)
db_nmap                 Executes nmap and records the output automatically
db_notes                List all notes in the database
db_services             List all services in the database
db_vulns                List all vulnerabilities in the database
The most important and most often used is db_nmap, which runs nmap with the specified options and records the findings in the database.
msf> db_nmap -sS -P0 192.168.1.1 ...
To list the host(s) found in the scan...
msf> db_hosts
[*] Time: Wed Mar 05 15:18:48 -0500 2008 Host: 192.168.1.1
To list possible vulnerabilities found in the scan of the host(s)...
msf> db_vulns ...
db_autopwn
You can use another database backend command, db_autopwn, to execute exploits against the host(s) recorded in the database. H.D. Moore wrote about this functionality when it was added to the framework; see his blog post for more information.
msf > db_autopwn
[*] Usage: db_autopwn [options]
    -h          Display this help text
    -t          Show all matching exploit modules
    -x          Select modules based on vulnerability references
    -p          Select modules based on open ports
    -e          Launch exploits against all matched targets
    -s          Only obtain a single shell per target system (NON-FUNCTIONAL)
    -r          Use a reverse connect shell
    -b          Use a bind shell on a random port
    -I [range]  Only exploit hosts inside this range
    -X [range]  Always exclude hosts inside this range