Metasploit/UsingMetasploit

=Using Metasploit=

This chapter covers various aspects of using The Metasploit Framework.

For the time being, it's a collection of assorted topics. Later these can be organized to make more sense.

Using Databases with MSF
MSF allows storing scan/exploitation results into databases for persistent storage. The framework supports using quite a few database back-ends. These include:


 * Postgres
 * MySQL
 * SQLite (version 2 & 3)

Note: Except for SQLite (which stores the database as a file), you need to start the database server for Postgres or MySQL before starting to use the databases with the Framework.

Note: Using the Framework with postgres requires edits to /etc/postgresql/x.x/main/pg_hba.conf. Replace the default "ident" method with "trust" as shown:



Note: before using postgres, you must run. This requires header files that come with postgresql-dev

Note: For best results use msfconsole to interact with a database from the Framework.

Database storage comes in handy for MSF in quite a few ways. The most interesting/hot topic of automated exploitation (someone please write a good article on that based on H.D's blog) works with database integration: MSF can scan hosts using nmap, store their states in the DB, and then automatically try to exploit vulnerabilities for which MSF has exploits. Auxiliary modules such as scanners can also use the database to store different state information. You can even write your own quick scanner and have it store information in the underlying database.

The Database Schema
MSF creates a database for its own use. This database contains the following tables:


 * hosts
 * creds
 * refs
 * services
 * vulns
 * vulns_refs
 * clients
 * events
 * loots
 * report_templates
 * reports
 * tasks
 * users
 * workspaces

You can easily view the structure of this database in your RDBMS.

Note: The folder framework_base_folder/data/sql/ contains SQL files that are used to create the database tables for a given RDBMS.

Loading A Database Module
Before starting to use databases with MSF, the appropriate database module must be loaded. In msfconsole, this is done with the load db_* commands. Here is a sample session of using MySQL with MSF.

root # /etc/rc.d/rc.mysqld start    # start mysql database server
Starting mysqld daemon with databases from /var/lib/mysql

root # msfconsole                   # start MSF console interface
(ASCII-art banner omitted)
       =[ msf v3.1-dev
+ -- --=[ 191 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 35 aux

msf > load db_mysql                # Load mysql database plugin
[*] Successfully loaded plugin: db_mysql

msf > help                         # New set of commands are available now

MySQL Database Commands
=======================

    Command        Description
    -------        -----------
    db_connect     Connect to an existing database ( user:pass@host:port/db )
    db_create      Create a brand new database ( user:pass@host:port/db )
    db_destroy     Drop an existing database ( user:pass@host:port/db )
    db_disconnect  Disconnect from the current database instance

Creating a Database
The first time you want to use a database with MSF, you need to create it. Once a database is created, you can use it in future sessions by just connecting to it. The db_create command creates a new database. Let's create a database named metasploit:

msf > db_create root:mydbpass@localhost/metasploit   # connect as user root with password mydbpass and create a database named metasploit
[*] Database creation complete (check for errors)

Once a database is created, it is automatically usable for that session. In later sessions, you connect to the database explicitly.

Using an Existing Database
If you have created a database previously, then for future sessions you can just use it with the db_connect command.

root # msfconsole                   # start MSF console interface
(ASCII-art banner omitted)
       =[ msf v3.1-dev
+ -- --=[ 191 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 35 aux

msf > load db_mysql                                 # Load mysql database plugin
[*] Successfully loaded plugin: db_mysql

msf > db_connect root:mydbpass@localhost/metasploit # Connect to the metasploit db

msf > help                # Upon connecting to a database, we get another new set of commands

Database Backend Commands
=========================

    Command               Description
    -------               -----------
    db_add_host           Add one or more hosts to the database
    db_add_port           Add a port to host
    db_autopwn            Automatically exploit everything
    db_hosts              List all hosts in the database
    db_import_nessus_nbe  Import a Nessus scan result file (NBE)
    db_import_nmap_xml    Import a Nmap scan results file (-oX)
    db_nmap               Executes nmap and records the output automatically
    db_services           List all services in the database
    db_vulns              List all vulnerabilities in the database

msf > db_hosts
[*] Host: localhost

Disconnecting a Database
If during a session you no longer need the database, you can disconnect from it by issuing the db_disconnect command at the 'msf >' prompt.

Dropping a Database
When you just want to delete the database with all data in it (perhaps, you have taken a backup and are now looking to free up disk space), then you can do so by using the db_destroy command.

msf > db_destroy root:mydbpass@localhost/metasploit # Drops the metasploit database
Database "metasploit" dropped

Database Backend Commands
When MSF is connected to a database, another set of commands called Database Backend Commands are available. These commands allow you to perform port scans on hosts, check for live hosts, what services they are running and the vulnerabilities that these services have.

    Command               Description
    -------               -----------
    db_add_host           Add one or more hosts to the database
    db_add_note           Add a note to host
    db_add_port           Add a port to host
    db_autopwn            Automatically exploit everything
    db_hosts              List all hosts in the database
    db_import_nessus_nbe  Import a Nessus scan result file (NBE)
    db_import_nmap_xml    Import a Nmap scan results file (-oX)
    db_nmap               Executes nmap and records the output automatically
    db_notes              List all notes in the database
    db_services           List all services in the database
    db_vulns              List all vulnerabilities in the database

The most important and most often used is db_nmap, which runs nmap with the specified options and records the findings in the database.

msf> db_nmap -sS -P0 192.168.1.1 ...

To list the host(s) found in the scan...

msf> db_hosts
[*] Time: Wed Mar 05 15:18:48 -0500 2008 Host: 192.168.1.1

To list possible vulnerabilities found in the scan of the host(s)...

msf> db_vulns ...

db_autopwn
You can use another database backend command, db_autopwn, to execute exploits against the host(s) recorded in the database. H.D. Moore wrote about this functionality on his blog when it was added to the framework; see that post for more information.

msf > db_autopwn
[*] Usage: db_autopwn [options]
    -h          Display this help text
    -t          Show all matching exploit modules
    -x          Select modules based on vulnerability references
    -p          Select modules based on open ports
    -e          Launch exploits against all matched targets
    -s          Only obtain a single shell per target system (NON-FUNCTIONAL)
    -r          Use a reverse connect shell
    -b          Use a bind shell on a random port
    -I [range]  Only exploit hosts inside this range
    -X [range]  Always exclude hosts inside this range