Metasploit/UsingMetasploit


Using Metasploit

edit

This chapter covers various aspects of using The Metasploit Framework.

For the time being, its a collection of assorted topics. Later these can be organized to make more sense.

Using Databases with MSF

edit

MSF allows storing scan/exploitation results into databases for persistent storage. The framework supports using quite a few database back-ends. These include:

  • Postgres
  • MySQL
  • SQLite (version 2 & 3)

Note: Except for SQLite (which stores the database as a file), you need to start the database server for Postgres or MySQL before starting to use the databases with the Framework.

Note: Using the Framework with postgres requires edits to /etc/postgresql/x.x/main/pg_hba.conf. Replace the default "ident" method with "trust" as shown:

 

Note: before using postgres, you must run $ gem install postgres. This requires header files that come with postgresql-dev

Note: For best results use msfconsole to interact with a database from the Framework.

Database storage comes in handy for MSF in quite a few ways. The most interesting/hot topic of automated exploitation (someone please write a good article on that based on H.D's blog) works with database integration. MSF can scan hosts using nmap and store their states in the DB and then automatically tries to exploit vulnerabilities that have exploits present for them in MSF. Auxiliary modules such as scanners can also utilize databases to store different state information. You can even write your own quick scanner and have it store information in the underlying database.

The Database Schema

edit

MSF creates a database for its usage. This database contains following tables

  • hosts
  • creds
  • refs
  • services
  • vulns
  • vulns_refs
  • clients
  • events
  • loots
  • report_templates
  • reports
  • tasks
  • users
  • workspaces

You can easily view the structure of this database in your RDBMS.

Note: The folder framework_base_folder/data/sql/ contains SQL files that are used to create the database tables for a given RDBMS.

Loading A Database Module

edit

Before starting to use databases with MSF, appropriate database module should be loaded. For msfconsole, this can be loaded by using the load db_* commands. Here is a sample session of using MySQL with MSF.

root # /etc/rc.d/rc.mysqld start     # start mysql database server
Starting mysqld daemon with databases from /var/lib/mysql
root # msfconsole                    # start MSF console interface

                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888


       =[ msf v3.1-dev
+ -- --=[ 191 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 35 aux

msf > load db_mysql                 # Load mysql database plugin
[*] Successfully loaded plugin: db_mysql
msf > help                          # New set of commands are available now
MySQL Database Commands
=======================

    Command        Description
    -------        -----------
    db_connect     Connect to an existing database ( user:pass@host:port/db )
    db_create      Create a brand new database ( user:pass@host:port/db )
    db_destroy     Drop an existing database ( user:pass@host:port/db )
    db_disconnect  Disconnect from the current database instance

Creating a Database

edit

The first time you want to use a database with MSF, you need to create it. Once a database is created, you can use it by just connecting to it in future sessions. The db_create command allows you to create a new database. Let's create a database named metasploit

# Connect and user root with password mydbpass and create a database named metasploit
msf > db_create root:mydbpass@localhost/metasploit
[*] Database creation complete (check for errors)

Once a database is created, it is automatically usable for that session. For further sessions, you can connect to the db.

Using an Existing Database

edit

If you have created a database previously, then for future sessions you can just use it with the db_connect command.

root # msfconsole                    # start MSF console interface

                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888


       =[ msf v3.1-dev
+ -- --=[ 191 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 35 aux

msf > load db_mysql                                  # Load mysql database plugin
[*] Successfully loaded plugin: db_mysql
msf > db_connect root:mydbpass@localhost/metasploit  # Connect to the metasploit db
msf > help                 # Upon connecting to a database, we get another new set of commands
Database Backend Commands
=========================

    Command               Description
    -------               -----------
    db_add_host           Add one or more hosts to the database
    db_add_port           Add a port to host
    db_autopwn            Automatically exploit everything
    db_hosts              List all hosts in the database
    db_import_nessus_nbe  Import a Nessus scan result file (NBE)
    db_import_nmap_xml    Import a Nmap scan results file (-oX)
    db_nmap               Executes nmap and records the output automatically
    db_services           List all services in the database
    db_vulns              List all vulnerabilities in the database
msf > db_hosts
[*] Host: localhost

Disconnecting a Database

edit

If in a session you feel that you no longer have the need to use the database then you can disconnect from the database by simply issuing the db_disconnect command at the 'MSF >' prompt.


Dropping a Database

edit

When you just want to delete the database with all data in it (perhaps, you have taken a backup and are now looking to free up disk space), then you can do so by using the db_destroy command.

msf > db_destroy root:mydbpass@localhost/metasploit  # Drops the metasploit database
Database "metasploit" dropped

Database Backend Commands

edit

When MSF is connected to a database, another set of commands called Database Backend Commands are available. These commands allow you to perform port scans on hosts, check for live hosts, what services they are running and the vulnerabilities that these services have.

   Command               Description                                         
   -------               -----------                                         
   db_add_host           Add one or more hosts to the database               
   db_add_note           Add a note to host                                  
   db_add_port           Add a port to host                                  
   db_autopwn            Automatically exploit everything                    
   db_hosts              List all hosts in the database                      
   db_import_nessus_nbe  Import a Nessus scan result file (NBE)              
   db_import_nmap_xml    Import a Nmap scan results file (-oX)               
   db_nmap               Executes nmap and records the output automatically  
   db_notes              List all notes in the database                      
   db_services           List all services in the database                   
   db_vulns              List all vulnerabilities in the database

The important one and most often used is db_nmap which will run nmap with specified commands and record the findings within the database.

msf> db_nmap -sS -P0 192.168.1.1
...

To list the host(s) found in the scan...

msf> db_hosts
[*] Time: Wed Mar 05 15:18:48 -0500 2008 Host: 192.168.1.1

To list possible vulnerabilities found in the scan of the host(s)...

msf> db_vulns
...

db_autopwn

edit

You can use another database backend command db_autopwn to execute exploits against the host(s) from the database. H.D. Moore wrote about this functionality when added to the framework -- for more information.

msf > db_autopwn
[*] Usage: db_autopwn [options]
       -h         Display this help text
       -t         Show all matching exploit modules
       -x         Select modules based on vulnerability references
       -p         Select modules based on open ports
       -e         Launch exploits against all matched targets
       -s         Only obtain a single shell per target system (NON-FUNCTIONAL)
       -r         Use a reverse connect shell
       -b         Use a bind shell on a random port
       -I [range] Only exploit hosts inside this range
       -X [range] Always exclude hosts inside this range