Setup Metasploit Database

In Kali, you will need to start up the postgresql server before using the database.

Once you start the metasploit service it will create a msf3 datauser user and database called msf3.

 

Using Workspaces in Metasploit

When we load up msfconsole, and run ‘db_status‘, we can confirm that Metasploit is successfully connected to the database.

Seeing this capability is a meant to keep track of our activities and scans in order. It’s imperative we start off on the right foot. Once connected to the database, we can start organizing our different movements by using what are called ‘workspaces’. This gives us the ability to save different scans from different locations/networks/subnets for example.

Issuing the ‘workspace‘ command from the msfconsole, will display the currently selected workspaces. The ‘default‘ workspace is selected when connecting to the database, which is represented by the * beside its name.

As we can see this can be quite handy when it comes to keeping things ‘neat’. Let’s change the current workspace to ‘msfu’.

Creating and deleting a workspace one simply uses the ‘-a‘ or ‘-d‘ followed by the name at the msfconsole prompt.

It’s that simple, using the same command and adding the ‘-h‘ switch will provide us with the command’s other capabilities.

From now on any scan or imports from 3rd party applications will be saved into this workspace.

Now that we are connected to our database and workspace setup, lets look at populating it with some data. First we’ll look at the different ‘db_’ commands available to use using the ‘help’ command from the msfconsole.

Importing & Scanning

There are several ways we can do this, from scanning a host or network directly from the console, or importing a file from an earlier scan. Let’s start by importing an nmap scan of the ‘metasploitable 2’ host. This is done using the ‘db_import‘ followed by the path to our file.

Once completed we can confirm the import by issuing the ‘hosts’ command. This will display all the hosts stored in our current workspace. We can also scan a host directly from the console using the ‘db_nmap’ command. Scan results will be saved in our current database. The command works the same way as the command line version of ‘nmap’

Backing Up Our Data

Exporting our data outside the Metasploit environment is very simple. Using the ‘db_export‘ command all our gathered information can be saved in a XML file. This format can be easily used and manipulated later for reporting purposes. The command has 2 outputs, the ‘xml‘ format which will export all of the information currently stored in our active workspace, and the ‘pwdump‘ format which exports everything related to used/gathered credentials.

Using the Hosts command

Now that we can import and export information to and from our database, let us look at how we can use this information within the msfconsole. Many commands are available to search for specific information stored in our database. Hosts names, address, discovered services etc. We can even use the resulting data to populate module settings such as RHOSTS. We’ll look how this is done a bit later.

The ‘hosts‘ command was used earlier to confirm the presence of data in our database. Let’s look at the different options available and see how we use it to provide us with quick and useful information. Issuing the command with ‘-h’ will display the help menu.

We’ll start by asking the ‘hosts‘ command to display only the IP address and OS type using the ‘-c‘ switch.

Setting up Modules

Another interesting feature available to us, it the ability to search all our entries for something specific. Imagine if we wished to find only the Linux based machines from our scan. For this we’d use the ‘-S‘ option. This option can be combined with our previous example and help fine tune our results.

Using the output of our previous example, we’ll feed that into the ‘tcp’ scan auxiliary module.

We can see by default, nothing is set in ‘RHOSTS‘, we’ll add the ‘-R‘ switch to the hosts command and run the module. Hopefully it will run and scan our target without any problems.

Of course this also works if our results contain more than one address.

You can see how useful this may be if our database contained hundreds of entries. We could search for Windows machines only, then set the RHOSTS option for the smb_version auxiliary module very quickly. The set RHOSTS switch is available in almost all of the commands that interact with the database.

Services

Another way to search the database is by using the ‘services‘ command. Like the previous examples, we can extract very specific information with little effort.

Much in the same way as the hosts command, we can specify which fields to be displayed. Coupled with the ‘-S‘ switch, we can also search for a service containing a particular string.

Here we are searching all hosts contained in our database with a service name containing the string ‘http’.

The combinations for searching are enormous. We can use specific ports, or port ranges. Full or partial service name when using the ‘-s’ or ‘-S’ switches. For all hosts or just a select few… The list goes on and on. Here are a few examples, but you may need to experiment with these features in order to get what you want and need out your searches.


msf > services -c port,proto,state -p 70-81 Services ======== host port proto state —- —- —– —– 172.16.194.134 80 tcp open 172.16.194.172 75 tcp closed 172.16.194.172 71 tcp closed 172.16.194.172 72 tcp closed 172.16.194.172 73 tcp closed 172.16.194.172 74 tcp closed 172.16.194.172 70 tcp closed 172.16.194.172 76 tcp closed 172.16.194.172 77 tcp closed 172.16.194.172 78 tcp closed 172.16.194.172 79 tcp closed 172.16.194.172 80 tcp open 172.16.194.172 81 tcp closed


msf > services -s http -c port 172.16.194.134 Services ======== host port —- —- 172.16.194.134 80 172.16.194.134 443


msf > services -S Unr Services ======== host port proto name state info —- —- —– —- —– —- 172.16.194.172 6667 tcp irc open Unreal ircd 172.16.194.172 6697 tcp irc open Unreal ircd

CSV Export

Both the hosts and services commands give us a means of saving our query results into a file. The file format is a comma separated value, or CSV. Followed by the ‘-o’ with path and filename, the information that has been displayed on the screen at this point will now be saved to disk.

Creds

The ‘creds’ command is used to manage found and used credentials for targets in our database. Running this command without any options will display currently saved credentials.

As with ‘db_nmap‘ command, successful results relating to credentials will be automatically saved to our active workspace. Let’s run the auxiliary module ‘mysql_login‘ and see what happens when Metasploit scans our server.

We can see the module was able to connect to our mysql server, and because of this Metasploit saved the credentials in our database automatically for future reference.

During post-exploitation of a host, gathering user credentials is an important activity in order to further penetrate a target network. As we gather sets of credentials, we can add them to our database with the ‘creds -a’ command.

Loot

Once you’ve compromised a system (or three), one of the objective may be to retrieve hash dumps. From either a Windows or *nix system. In the event of a successful hash dump, this information will be stored in our database. We can view this dumps using the ‘loot’ command. As with almost every command, adding the ‘-h’ switch will display a little more information.

Here’s an example of how one would populate the database with some ‘loot’.

source : https://www.offensive-security.com/metasploit-unleashed/using-databases/