Sunday, August 25, 2013

PostgreSQL Database in Metasploit

Metasploit comes with PostgreSQL as the default database. On the BackTrack machine there is one more option, MySQL; you can use either of the two. Let us first check out the default settings of the PostgreSQL database by reading database.yml, located under /opt/framework3/config. To do this, run the following commands:
root@bt:~# cd /opt/framework3/config
root@bt:/opt/framework3/config# cat database.yml
production:
    adapter: postgresql
    database: msf3
    username: msf3
    password: 8b826ac0
    host: 127.0.0.1
    port: 7175
    pool: 75
    timeout: 5
Notice the default username, password, and database that have been created. Note down these values, as they will be required later. You can also change them to values of your choice. Below is the list of commands to get started...

To start using the database
su postgres
To list the databases, start psql first (\l is a psql meta-command, not a shell command, which is why the first attempt below fails)
root@bt:/# su postgres
sh-4.1$ \l
sh: l: command not found
sh-4.1$ psql
psql (8.4.14)
Type "help" for help.

postgres=#
Starting postgres


user@brainfold:$ sudo -s
user@brainfold:$ postgresql-setup initdb
user@brainfold:$ systemctl start postgresql.service


Becoming the postgres user

su postgres


Creating a database user

postgres@brainfold:$ createuser msf_user -P
Enter password for new role: yourmsfpassword
Enter it again: yourmsfpassword
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
 

Creating a database

postgres@brainfold:$ createdb --owner=msf_user msf_database

Configure Metasploit

msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf_user:yourmsfpassword@127.0.0.1:5432/msf_database
NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
[..]
NOTICE:  CREATE TABLE will create implicit sequence "mod_refs_id_seq" for serial column "mod_refs.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "mod_refs_pkey" for table "mod_refs"
  
Enable the database on startup


$ cat > /opt/metasploit4/config/database.yml << EOF
production:
    adapter: postgresql
    database: msf_database
    username: msf_user
    password: yourmsfpassword
    host: 127.0.0.1
    port: 5432
    pool: 75
    timeout: 5
EOF
Use the database configuration file to connect to this database during each startup of msfconsole, and also switch to the workspace of your current pentesting project.
$ cat > ~/.msf4/msfconsole.rc << EOF
db_connect -y /opt/metasploit4/config/database.yml
workspace -a YourProject
EOF
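Both database.yml and msfconsole.rc hold the database password in plaintext, so the file permissions and the choice of credentials matter as much as the connection string itself. The following Python script is an added example, not code from the original post or from Metasploit: it parses the small "key: value" subset of YAML that database.yml uses (both the indented file above and the flattened cat output earlier in the post), flags the stock values the post shows (msf3/8b826ac0 and postgres:toor), group- or world-readable files and use of the postgres superuser, and writes a replacement file created with mode 0600, which `cat > file << EOF` on its own does not guarantee because it inherits the umask. The function names, the STOCK_CREDENTIALS list and the sample contents are assumptions of this example.

```python
import os
import stat
import tempfile

# Constructed sample: the stock BackTrack database.yml as the cat output
# earlier in this post shows it (one flattened line).
BACKTRACK_DEFAULT_YML = (
    "production: adapter: postgresql database: msf3 username: msf3 "
    "password: 8b826ac0 host: 127.0.0.1 port: 7175 pool: 75 timeout: 5\n"
)
# Credential pairs shown verbatim in this post (BackTrack default and the
# postgres:toor db_connect line). Assumed list; extend it with your own.
STOCK_CREDENTIALS = {("msf3", "8b826ac0"), ("postgres", "toor")}
REQUIRED_KEYS = ("adapter", "database", "username", "password", "host", "port")


def parse_database_yml(text):
    """Parse the 'key: value' subset of YAML used by database.yml.

    A 'name:' token followed by another key token opens a section; any
    other key takes the next token as its value. Works on the indented
    file and on the flattened one-line form. Not a general YAML parser
    (values containing spaces are not supported).
    """
    tokens = [t for line in text.splitlines()
              if not line.lstrip().startswith("#") for t in line.split()]
    sections, current, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.endswith(":"):
            i += 1          # stray value without a key: skip it
            continue
        key = tok[:-1]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is None or nxt.endswith(":"):
            current = key   # section header such as 'production:'
            sections.setdefault(current, {})
            i += 1
        else:
            if current is not None:
                sections[current][key] = nxt
            i += 2
    return sections


def audit_database_yml(path, section="production"):
    """Return a list of finding strings for the file; empty means clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %o: group/others can read the plaintext "
                        "password; chmod 600 it" % mode)
    with open(path) as fh:
        cfg = parse_database_yml(fh.read()).get(section, {})
    for key in REQUIRED_KEYS:
        if key not in cfg:
            findings.append("missing key: %s" % key)
    creds = (cfg.get("username"), cfg.get("password"))
    if creds in STOCK_CREDENTIALS:
        findings.append("stock credentials %s:%s still in use; change them"
                        % creds)
    if cfg.get("username") == "postgres":
        findings.append("connects as the postgres superuser; use a dedicated "
                        "non-superuser role (createuser ... -P, answer n)")
    if cfg.get("host") not in ("127.0.0.1", "localhost", "::1"):
        findings.append("host %s is not loopback; make sure the connection "
                        "is TLS-protected" % cfg.get("host"))
    if not str(cfg.get("port", "")).isdigit():
        findings.append("port must be numeric")
    return findings


def write_database_yml(path, settings, section="production"):
    """Write the indented form, creating the file with mode 0600.

    'cat > file << EOF' inherits the umask (often 022, giving 0644);
    creating with O_CREAT|0600 and chmod-ing an existing file avoids that.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("%s:\n" % section)
        for key in REQUIRED_KEYS + ("pool", "timeout"):
            if key in settings:
                fh.write("    %s: %s\n" % (key, settings[key]))
    os.chmod(path, 0o600)


def demo():
    """Audit the stock file and a hardened one written by this script."""
    workdir = tempfile.mkdtemp()
    weak = os.path.join(workdir, "database.yml")
    with open(weak, "w") as fh:
        fh.write(BACKTRACK_DEFAULT_YML)
    os.chmod(weak, 0o644)   # simulate a file created under umask 022
    hardened = os.path.join(workdir, "database_hardened.yml")
    write_database_yml(hardened, {
        "adapter": "postgresql", "database": "msf_database",
        "username": "msf_user", "password": "yourmsfpassword",
        "host": "127.0.0.1", "port": 5432, "pool": 75, "timeout": 5})
    return {"weak": audit_database_yml(weak),
            "hardened": audit_database_yml(hardened)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

Run it as `python3 audit_msf_db.py` (file name assumed); the stock BackTrack file produces two findings (world-readable mode and the default msf3:8b826ac0 pair), while the file written by write_database_yml with the msf_user settings from above produces none. Point audit_database_yml at your real /opt/metasploit4/config/database.yml to check it the same way.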


Using the database


msf > db_status
[*] postgresql connected to msf_database

msf > db_nmap 192.168.1.0/24
msf > hosts
Hosts
=====
address        mac                name       os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----       -------  ---------  -----  -------  ----  --------
192.168.1.1    11:22:33:44:55:66  router     Linux    2.6.X             device        
192.168.1.100  22:33:44:55:66:77  mixer      Linux    2.6.X             device        



To import a scan report file after a scan
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /tmp/nessus_report_Host_195.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.1.195

To verify that the scanned host and vulnerability data was imported
msf > db_hosts -c address,svcs,vulns
For a complete listing of the vulnerability data that was imported
msf > db_vulns
To import the scan results
db_import ~/Desktop/winXP_vuln.nessus
Checking post import
db_hosts -c address,svcs,vulns
Connecting to nessus within metasploit
msf > nessus_connect brainfold:prem1982@bt:8834 ok
To start the new scan
msf > nessus_scan_new




db_nmap scan
db_nmap -v -sV 192.168.119.131

db_autopwn
msf > db_autopwn -t -xf >
msf > db_autopwn -t -p -e -s -b

Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds