Sunday, August 25, 2013

PostgreSQL Database in Metasploit

Metasploit comes with PostgreSQL as the default database. On the BackTrack machine there is one more option, MySQL. You can use either of the two databases. Let us first check out the default settings of the PostgreSQL database. They live in database.yml under /opt/framework3/config. To view it, run the following commands:
root@bt:~# cd /opt/framework3/config
root@bt:/opt/framework3/config# cat database.yml
production:
  adapter: postgresql
  database: msf3
  username: msf3
  password: 8b826ac0
  host:
  port: 7175
  pool: 75
  timeout: 5
Notice the default username, password, and the database that has been created. Note down these values, as they will be required later. You can also change them to values of your own choice. Below is the list of commands to get started.

To start working with the database, switch to the postgres user (su postgres). To list the databases use \l, which is a psql meta-command: it only works inside psql, not at the shell prompt, as the session below shows.
root@bt:/# su postgres
sh-4.1$ \l
sh: l: command not found
sh-4.1$ psql
psql (8.4.14)
Type "help" for help.

Starting postgres

user@brainfold:$ sudo -s
user@brainfold:$ postgresql-setup initdb
user@brainfold:$ systemctl start postgresql.service

Becoming the postgres user

su postgres

Creating a database user

postgres@brainfold:$ createuser msf_user -P
Enter password for new role: yourmsfpassword
Enter it again: yourmsfpassword
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

Creating a database

postgres@brainfold:$ createdb --owner=msf_user msf_database

Configure Metasploit

msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf_user:yourmsfpassword@
NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column ""
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE:  CREATE TABLE will create implicit sequence "mod_refs_id_seq" for serial column ""
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "mod_refs_pkey" for table "mod_refs"
Enable the database on startup

The settings must sit under an environment key (production), the same layout as the default file shown above, and the heredoc needs its closing EOF:

$ cat > /opt/metasploit4/config/database.yml << EOF
production:
    adapter: postgresql
    database: msf_database
    username: msf_user
    password: yourmsfpassword
    port: 5432
    pool: 75
    timeout: 5
EOF
Use the database configuration file to connect to this database during each startup of msfconsole, and also switch to the workspace of your current pentesting project:
$ cat > ~/.msf4/msfconsole.rc << EOF
db_connect -y /opt/metasploit4/config/database.yml
workspace -a YourProject
EOF
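The steps above (role, database, database.yml, msfconsole.rc) collected into one script, as an added example that is not part of the original post. It assumes a host where sudo -u postgres can run psql and createdb, and all names, paths and the password are placeholders (MSF_DB_USER, MSF_DB_NAME, MSF_DB_PASS, MSF_YML, MSF_RC) to be replaced. Because database.yml stores the password in cleartext, the script writes both files with mode 600 and refuses to continue if that check fails; nothing touches PostgreSQL unless it is run with --apply.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: bootstrap a PostgreSQL role and
# database for Metasploit and write the two config files the post describes.
# All values below are hypothetical placeholders; override them via environment.
set -eu

MSF_DB_USER="${MSF_DB_USER:-msf_user}"
MSF_DB_NAME="${MSF_DB_NAME:-msf_database}"
MSF_DB_PASS="${MSF_DB_PASS:-yourmsfpassword}"     # placeholder, change it
MSF_DB_HOST="${MSF_DB_HOST:-127.0.0.1}"
MSF_DB_PORT="${MSF_DB_PORT:-5432}"
MSF_YML="${MSF_YML:-$HOME/.msf4/database.yml}"
MSF_RC="${MSF_RC:-$HOME/.msf4/msfconsole.rc}"
MSF_WORKSPACE="${MSF_WORKSPACE:-YourProject}"

# Render database.yml. The "production:" environment key is required; without
# it msfconsole does not find the settings when loading the file with -y.
render_database_yml() {
  cat <<EOF
production:
  adapter: postgresql
  database: $MSF_DB_NAME
  username: $MSF_DB_USER
  password: $MSF_DB_PASS
  host: $MSF_DB_HOST
  port: $MSF_DB_PORT
  pool: 75
  timeout: 5
EOF
}

# Render the startup resource script: connect through the YAML, pick workspace.
render_msfconsole_rc() {
  printf 'db_connect -y %s\nworkspace -a %s\n' "$MSF_YML" "$MSF_WORKSPACE"
}

# write_private <path>  (content on stdin): create the file owner-only.
# The YAML carries a cleartext password; a world-readable copy would hand the
# whole Metasploit database to every local user.
write_private() {
  local path="$1"
  mkdir -p "$(dirname "$path")"
  ( umask 077; cat > "$path" )
  chmod 600 "$path"
}

# check_private <path>: 0 if the file is mode 600 and owned by the caller.
check_private() {
  local path="$1" mode
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "600" ] && [ -O "$path" ]
}

# Create the role with least privilege (no superuser, createdb or createrole),
# feeding the SQL on stdin so the password never appears on a command line.
create_role_and_db() {
  printf "CREATE ROLE \"%s\" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '%s';\n" \
    "$MSF_DB_USER" "$MSF_DB_PASS" | sudo -u postgres psql -v ON_ERROR_STOP=1
  sudo -u postgres createdb --owner="$MSF_DB_USER" "$MSF_DB_NAME"
}

if [ "${1:-}" = "--apply" ]; then
  create_role_and_db
  render_database_yml | write_private "$MSF_YML"
  render_msfconsole_rc | write_private "$MSF_RC"
  check_private "$MSF_YML" || { echo "refusing to use $MSF_YML: not mode 600" >&2; exit 1; }
  # Smoke-test the credentials the same way msfconsole will use them.
  PGPASSWORD="$MSF_DB_PASS" psql -h "$MSF_DB_HOST" -p "$MSF_DB_PORT" \
    -U "$MSF_DB_USER" -d "$MSF_DB_NAME" -c 'SELECT 1' >/dev/null
  echo "ok: start msfconsole and run db_status"
fi
```

Run it as ./msf_db_setup.sh --apply after PostgreSQL is started; db_status in msfconsole should then report a connection to the database named in MSF_DB_NAME.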

Using the database

msf > db_status
[*] postgresql connected to msf_database

msf > db_nmap
msf > hosts
address        mac                name       os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----       -------  ---------  -----  -------  ----  --------
               11:22:33:44:55:66  router     Linux    2.6.X             device
               22:33:44:55:66:77  mixer      Linux    2.6.X             device

To import a scan report (here a Nessus file) into the database after the scan
msf > db_connect postgres:toor@
msf > db_import /tmp/nessus_report_Host_195.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host

To verify that the scanned host and vulnerability data was imported
msf > db_hosts -c address,svcs,vulns
For a complete listing of the vulnerability data that was imported
msf > db_vulns
To import the scan results
db_import ~/Desktop/winXP_vuln.nessus
Checking post import
db_hosts -c address,svcs,vulns
Connecting to nessus within metasploit
msf > nessus_connect brainfold:prem1982@bt:8834 ok
To start the new scan
msf > nessus_scan_new
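The import and verification steps above, driven non-interactively, as an added example that is not from the original post. It checks the report's XML root element before handing the file to db_import (the same "Nessus XML (v2)" type the post's output shows), then generates a resource script that imports the reports and lists hosts and vulns; the workspace name and file paths are hypothetical, and hosts -c / vulns are the current names of the db_hosts / db_vulns commands used in the post. Nothing runs msfconsole unless the script is given --apply.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: validate scan reports before
# db_import and run the import through a generated resource script.
set -eu

# detect_report_format <file>: print nessus-v2, nessus-v1, nmap-xml or unknown
# based on the XML root element; return 1 when unrecognised or unreadable.
detect_report_format() {
  local f="$1" prefix
  [ -r "$f" ] || { echo unknown; return 1; }
  # The root element sits near the top; do not slurp a multi-MB report.
  prefix=$(head -c 4096 "$f")
  case "$prefix" in
    *'<NessusClientData_v2'*) echo nessus-v2 ;;
    *'<NessusClientData'*)    echo nessus-v1 ;;
    *'<nmaprun'*)             echo nmap-xml ;;
    *)                        echo unknown; return 1 ;;
  esac
}

# render_import_rc <workspace> <report>...: emit an msfconsole resource script
# that imports each report and prints the same checks the post runs by hand.
render_import_rc() {
  local ws="$1" r; shift
  printf 'workspace -a %s\n' "$ws"
  for r in "$@"; do
    printf 'db_import %s\n' "$r"
  done
  printf 'hosts -c address,svcs,vulns\nvulns\nexit\n'
}

# import_reports <workspace> <report>...: refuse the whole batch if any file
# is not a recognised report, otherwise run msfconsole with the generated rc.
import_reports() {
  local ws="$1" r fmt rc; shift
  for r in "$@"; do
    fmt=$(detect_report_format "$r") || { echo "refusing $r: unrecognised format" >&2; return 1; }
    echo "$r: $fmt" >&2
  done
  rc=$(mktemp)
  render_import_rc "$ws" "$@" > "$rc"
  msfconsole -q -r "$rc"
  rm -f "$rc"
}

if [ "${1:-}" = "--apply" ]; then
  shift
  import_reports "$@"      # e.g. --apply YourProject /tmp/scan.nessus
fi
```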

db_nmap scan
db_nmap -v -sV

msf > db_autopwn -t -xf >
msf > db_autopwn -t -p -e -s -b
Note that db_autopwn was removed from the Metasploit Framework core in 2011 and is not present in current versions; the usage text below is kept for reference.

Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds