[Know your tools] Getting organised with Metasploit

Penetration testers often find themselves testing multiple hosts, or groups of hosts, at the same time. When you factor in the number of services, vulnerabilities and scan results associated with each of them, you quickly realise that organising your findings and your work is no longer a nice to have - it's essential.

The development team behind Metasploit are pretty savvy and have provided a wealth of features to help you get your findings in order.

Newer is better

Before you worry about what is going on inside Metasploit - let's talk about tool hygiene. Metasploit is one of the most actively developed penetration testing tools out there, with new exploits, scanners and fixes added daily.

To get the best out of your tools, it's crucial that you keep them updated. So get yourself into a good daily update routine.

Add these 3 commands to your daily routine:

  1. Update Metasploit from its svn repository:
     msfupdate

  2. Fetch the newest package listings for BackTrack:
     apt-get update

  3. Upgrade the packages and tools within BackTrack:
     apt-get upgrade


The Metasploit Database

Metasploit can store all of your findings in a database. The specific database technology in use varies according to your configuration; for most people it will be either mysql or postgres. Don't be too concerned about which you are using, though: the commands you use within Metasploit remain the same regardless. Findings are grouped into workspaces (one per client or engagement is a sensible default), which you create and switch between with the "workspace" command, and every table command below shows only the current workspace.

To connect to a specific database

Should you wish to connect to a specific database - you can use the following syntax.

help db_connect
[*]    Usage: db_connect <user:pass>@<host:port>/<database>
[*]       OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*]        db_connect user@metasploit3
[*]        db_connect user:pass@192.168.0.2/metasploit3
[*]        db_connect user:pass@192.168.0.2:1500/metasploit3

Tip

Having issues using db_connect? Before you panic, check which user you are running Metasploit as. If you don't normally run as root, you will need to start Metasploit with "sudo" to get access to the database functionality.

Tables Galore

Metasploit stores its findings in 6 core tables: hosts, services, creds, notes, vulns and loot.

In addition to these 6, there are a couple of special tables used during exploitation, but we will save those for a later article.

Let's take a look at these core 6 and how to use them.

Table : hosts

The hosts table stores the details of all the hosts discovered or input during testing. As well as the IP address, any operating system details gathered are also stored here.

example commands:

hosts
Show all the hosts in this workspace
hosts [ip address]
Show the details of a single host
hosts -a [ip address]
Add a host to the database
hosts -s [search term]
Search the hosts table

Table : services

The services table is where you will find the details of all the software and technologies listening on the hosts under examination. Services include software such as ftp, ssh and http.

example commands:

services
Show all the services in this workspace
services [ip address]
Show the services for a single host
services -s [service name]
Search the services findings for a service with this name
services -p [port number]
Search the services findings for a service on this port number

Table : creds

This is where discovered or input credentials go to live. This includes usernames, passwords and all the service details needed to use them (i.e. service name, port and host IP address).

example commands:

creds
Show all the creds in this workspace
creds [ip address]
Show all the creds for this ip address

Table : vulns

Tools such as nikto, Qualys and Nessus will scan a host (or range of hosts) and check for a range of common vulnerabilities. Their findings can be imported into Metasploit and are stored in this table.

Of all the core tables, this is the most difficult to read and can sometimes feel more like a log than a table - but bear with it. It really pays off when you have many hosts and many findings to keep track of.

example commands:

vulns
Show all the discovered vulnerabilities in this workspace
vulns [ip address]
Show all the discovered vulnerabilities for a single host

Table : loot

Loot is anything that was retrieved from a host during exploitation. Think files and other treasure.

example commands:

loot
Show all the loot in this workspace
loot [ip address]
Show all the loot gathered from a single host

Table : notes

The clue really is in the name with this one. If you have things that would be worth remembering - this would be where to store them.

example commands:

notes
Show all the notes in this workspace
notes [ip address]
Show the notes recorded for a single host

Tip

Can't remember the syntax for a Metasploit command? Want to customise your table output but don't know how? Use the "help" command to get more information - for example "help services" will give you all you need to know about the services table and its options.

Importing and Exporting

To import findings into Metasploit

Metasploit can process and store the findings from many other penetration testing tools, including nmap, nikto, Qualys and Nessus. To make use of this functionality, configure those tools to write their output in a format Metasploit can parse. Normally, this is just XML.

Example: run nmap and store the output as xml

nmap [other config options] [ip address] -oX [output filename]

Example: run nikto and store the output as xml

./nikto.pl -h [ip address] -output [output filename].xml

Then import the file into the current workspace from within Metasploit:

db_import [filename]

To export the findings from the Metasploit database

db_export [filename]
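The import workflow above is easy to do by hand for one host and tedious for a directory full of scans. The script below is an added example, not code from the article or from the Metasploit project: it scans a list of targets with nmap writing one XML file per target, then generates a msfconsole resource script that creates (or switches to) a workspace, imports every XML file found, prints the hosts and services tables and exports the workspace. The input file name, scan directory and workspace name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): batch-import scan output into a
# Metasploit workspace via a generated resource script (msfconsole -r).
set -eu

# build_import_rc SCAN_DIR WORKSPACE RC_FILE
# Writes a resource script that selects WORKSPACE, imports every *.xml in
# SCAN_DIR, shows the hosts and services tables and exports the workspace to
# <RC_FILE minus .rc>-export.xml. Returns 1 and writes nothing if SCAN_DIR has
# no XML files, so an empty scan directory never touches the database.
build_import_rc() {
  scan_dir="$1"; workspace="$2"; rc_file="$3"
  count=0
  for f in "$scan_dir"/*.xml; do
    [ -f "$f" ] && count=$((count + 1))
  done
  [ "$count" -gt 0 ] || return 1

  {
    # "workspace -a" creates the workspace if needed and makes it current
    printf 'workspace -a %s\n' "$workspace"
    for f in "$scan_dir"/*.xml; do
      [ -f "$f" ] && printf 'db_import %s\n' "$f"
    done
    printf 'hosts\n'
    printf 'services\n'
    printf 'db_export %s-export.xml\n' "${rc_file%.rc}"
    printf 'exit\n'
  } > "$rc_file"
}

# scan_targets TARGETS_FILE SCAN_DIR
# One nmap run and one XML file per target (host or CIDR, one per line), so
# every imported record can be traced back to the scan that produced it.
scan_targets() {
  targets_file="$1"; scan_dir="$2"
  mkdir -p "$scan_dir"
  while read -r target; do
    [ -n "$target" ] || continue
    safe_name=$(printf '%s' "$target" | tr '/' '_')
    nmap -sV -oX "$scan_dir/nmap-$safe_name.xml" "$target"
  done < "$targets_file"
}

# Only run the full workflow when executed as msf_import.sh; sourcing the file
# just defines the functions. File names below are assumed defaults.
if [ "${0##*/}" = "msf_import.sh" ]; then
  TARGETS=${1:-targets.txt}
  SCAN_DIR=${2:-scans}
  WORKSPACE=${3:-client-engagement}
  scan_targets "$TARGETS" "$SCAN_DIR"
  build_import_rc "$SCAN_DIR" "$WORKSPACE" "$WORKSPACE.rc"
  msfconsole -q -r "$WORKSPACE.rc"
fi
```

Save it as msf_import.sh, put one host or network per line in targets.txt and run it with sudo if your database connection needs it (see the tip above); nikto or Nessus XML dropped into the same scan directory before the run is imported alongside the nmap results. Keeping the resource script and the export outside the scan directory, as the script does, stops a previous export being re-imported on the next run.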

Wrap Up

Penetration testing generates a lot of data and requires even the most talented person to get organised. Keeping your tools up to date and storing your findings appropriately is essential. Metasploit gives you the tools to get your data under control - all you have to do is make use of them.