Using the Metasploit Database

The Metasploit database is a good way of keeping track of the things you get your hands on during a penetration test. The database can hold things like hosts, services, usernames and passwords. One particular useful feature of the Metasploit database is the integration it has with Nmap. You can utilize Nmap scans from within Metasploit and store the results directly in the database. Let's see how this works.Step 1 is to make sure that PostgreSQL is running on your Kali Linux machine.

> service postgresql start

 Step 2 is to verify that Metasploit has a connection to the database.

> msfconsole (to start the Metasploit console)msf> db_status (to check the database connection)It should come back as [*] postgresql connected to msf3

If the database is not connected, you need to initialize it first.

msf> exit> msfdb init (this is for Kali Linux 2.0)

Then try step 2 again, it should be good now. The first thing to do is to create a new workspace. A workspace is simply just a table in the database to store data in, but it helps you stay organized. You might try to see workspaces as projects or clients. When you have a new client or project, create a new workspace.The workspace command is what you use to to manage workspaces. You can have several workspaces and easily switch between them.

msf> workspace

This gives you the workspace you're currently using. You can easily create a new workspace using the -a flag and delete one with the -d flag. Switching between workspaces is simply done by entering workspace .

msf> workspace -a test (create a workspace named test)msf> workspace -d test (delete workspace named test)msf> workspace test (switch to the workspace test)msf> workspace -r test test2 (rename workspace test to test2)

 Now, it's time to get some Nmap data into your database. You can do this in two ways: either by importing a Nmap scan or by issuing a Nmap scan from within the Metasploit console. To import data, you use the db_import command. The Nmap scan result file that you import must be in XML format.

msf> db_import /root/nmap_scan.xml (to import a previous Nmap scan result file)

msf > db_import /root/nmap_router_scan[*] Importing 'Nmap XML' data[*] Import: Parsing with 'Nokogiri v1.6.6.2'[*] Importing host 192.168.1.1[*] Successfully imported /root/nmap_router_scanmsf >

Now that we've imported data, let's see what we got. First, we use the hosts command to list all the hosts we have in our database workspace.

msf > hosts

 Hosts=====

address mac name os_name os_flavor os_sp purpose info comments------- --- ---- ------- --------- ----- ------- ---- --------192.168.1.1 08:63:61:8e:8f:4e homerouter.cpe Unknown device

msf >

Second, we check which services we got listed from our imported Nmap scan:

msf > services

 Services========

host port proto name state info---- ---- ----- ---- ----- ----192.168.1.1 22 tcp ssh open192.168.1.1 23 tcp telnet filtered192.168.1.1 53 tcp domain open192.168.1.1 80 tcp http open192.168.1.1 443 tcp https open192.168.1.1 631 tcp ipp filtered192.168.1.1 3000 tcp ppp open192.168.1.1 8081 tcp blackice-icecap filtered

msf >

You can import a lot of different data into the Metasploit database simply by using the db_import command to get a complete list of available file imports.

msf > db_importUsage: db_import [file2...]

Filenames can be globs like *.xml, or **/*.xml, which will search recursively.Currently supported file types include:

AcunetixAmap LogAmap Log -mAppscanBurp Session XMLCIFoundstoneFusionVM XMLIP Address ListIP360 ASPLIP360 XML v3Libpcap Packet CaptureMetasploit PWDump ExportMetasploit XMLMetasploit Zip ExportMicrosoft Baseline Security AnalyzerNeXpose Simple XMLNeXpose XML ReportNessus NBE ReportNessus XML (v1)Nessus XML (v2)NetSparker XMLNikto XMLNmap XMLOpenVAS ReportOpenVAS XMLOutpost24 XMLQualys Asset XMLQualys Scan XMLRetina XMLSpiceworks CSV ExportWapiti XML

msf >

 As you can see, there are a lot of options for importing data into Metasploit. Then, there's the other possibility: executing a Nmap scan from within the Metasploit console. You use the db_nmap command to do this. Here's an example from my home network:

msf > db_nmap 192.168.1.3[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-08-27 20:33 CEST[*] Nmap: Nmap scan report for 192.168.1.3[*] Nmap: Host is up (0.0014s latency).[*] Nmap: Not shown: 995 closed ports[*] Nmap: PORT STATE SERVICE[*] Nmap: 139/tcp open netbios-ssn[*] Nmap: 445/tcp open microsoft-ds[*] Nmap: 548/tcp open afp[*] Nmap: 5009/tcp open airport-admin[*] Nmap: 10000/tcp open snet-sensor-mgmt[*] Nmap: MAC Address: 90:72:40:04:88:4B (Apple)[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 91.73 secondsmsf >

 Now, lets check the hosts and services commands again:

msf > hosts

Hosts=====address mac name os_name os_flavor os_sp purpose info comments------- --- ---- ------- --------- ----- ------- ---- --------192.168.1.1 08:63:61:8e:8f:4e homerouter.cpe Unknown device192.168.1.3 90:72:40:04:88:4b Unknown devicemsf >msf > services Services========host port proto name state info---- ---- ----- ---- ----- ----192.168.1.1 22 tcp ssh open192.168.1.1 23 tcp telnet filtered192.168.1.1 53 tcp domain open192.168.1.1 80 tcp http open192.168.1.1 8081 tcp blackice-icecap filtered192.168.1.1 443 tcp https open192.168.1.1 3000 tcp ppp open192.168.1.1 631 tcp ipp filtered192.168.1.3 445 tcp microsoft-ds open192.168.1.3 548 tcp afp open192.168.1.3 5009 tcp airport-admin open192.168.1.3 139 tcp netbios-ssn open192.168.1.3 10000 tcp snet-sensor-mgmt openmsf > As you scan additional hosts or networks, your database will hold more and more information about your target. So, as a last step in this tutorial, I'll mention the db_export command, which allows you to make a backup. The db_export command allows for saving your workspace as an XML file or as a pwdump file. The pwdump format is for credentials only; XML format saves everything.

msf > db_export -f xml /root/test_workspace.xml[*] Starting export of workspace test to /root/test_workspace.xml [ xml ]...[*] >> Starting export of report[*] >> Starting export of hosts[*] >> Starting export of events[*] >> Starting export of services[*] >> Starting export of web sites[*] >> Starting export of web pages[*] >> Starting export of web forms[*] >> Starting export of web vulns[*] >> Starting export of module details[*] >> Finished export of report[*] Finished export of workspace test to /root/test_workspace.xml [ xml ]...msf >

In my next tutorial I will show more features of the Metasploit database and how you can use them to your advantage.