Using The Database

From Metasploit Unleashed

Now that we have run some scans, our database should be populated with some initial data so now is a good time to cover how to pull information from the Metasploit database.

hosts

The "hosts" command, run without any parameters, will list all of the hosts in the database.

msf > hosts

Hosts
=====

address         address6  arch  comm  comments  created_at                    info  mac                name  os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at                    svcs  vulns  workspace
-------         --------  ----  ----  --------  ----------                    ----  ---                ----  ---------  -------  -------  -----  -------  -----  ----------                    ----  -----  ---------
192.168.69.100                                  Tue Nov 23 07:43:55 UTC 2010        00:0C:29:DE:1A:00                                                     alive  Tue Nov 23 07:43:55 UTC 2010  4     0      default
192.168.69.105                                  Tue Nov 23 07:43:55 UTC 2010        00:0C:29:9A:FC:E0                                                     alive  Tue Nov 23 07:43:55 UTC 2010  4     0      default
192.168.69.110                                  Tue Nov 23 07:43:55 UTC 2010        00:0C:29:69:9C:44                                                     alive  Tue Nov 23 07:43:55 UTC 2010  6     0      default
192.168.69.125                                  Tue Nov 23 07:43:55 UTC 2010        00:0C:29:F5:00:71                                                     alive  Tue Nov 23 07:43:55 UTC 2010  1     0      default
192.168.69.130                                  Tue Nov 23 07:43:55 UTC 2010        00:0C:29:6E:26:BB                                                     alive  Tue Nov 23 07:43:55 UTC 2010  14    0      default
192.168.69.135                                  Tue Nov 23 07:43:55 UTC 2010        00:0C:29:AC:BC:A5                                                     alive  Tue Nov 23 07:43:55 UTC 2010  12    0      default
192.168.69.140                                  Tue Nov 23 07:43:56 UTC 2010                                                                              alive  Tue Nov 23 07:43:56 UTC 2010  1     0      default
192.168.69.141                                  Tue Nov 23 07:43:56 UTC 2010        00:0C:29:F3:40:70                                                     alive  Tue Nov 23 07:43:56 UTC 2010  12    0      default
192.168.69.142                                  Tue Nov 23 07:43:56 UTC 2010        00:0C:29:57:63:E2                                                     alive  Tue Nov 23 07:43:56 UTC 2010  14    0      default
192.168.69.143                                  Tue Nov 23 07:43:56 UTC 2010        00:0C:29:32:29:79                                                     alive  Tue Nov 23 07:43:56 UTC 2010  11    0      default
192.168.69.146                                  Tue Nov 23 07:43:56 UTC 2010        00:0C:29:97:C4:27                                                     alive  Tue Nov 23 07:43:56 UTC 2010  2     0      default
192.168.69.171                                  Tue Nov 23 07:43:56 UTC 2010        00:0C:29:EC:23:47                                                     alive  Tue Nov 23 07:43:56 UTC 2010  6     0      default
192.168.69.173                                  Tue Nov 23 07:43:57 UTC 2010        00:0C:29:45:7D:33                                                     alive  Tue Nov 23 07:43:57 UTC 2010  3     0      default
192.168.69.175                                  Tue Nov 23 07:43:57 UTC 2010        00:0C:29:BB:38:53                                                     alive  Tue Nov 23 07:43:57 UTC 2010  4     0      default
192.168.69.199                                  Tue Nov 23 07:43:57 UTC 2010        00:0C:29:58:09:DA                                                     alive  Tue Nov 23 07:43:57 UTC 2010  4     0      default
192.168.69.50                                   Tue Nov 23 07:43:55 UTC 2010        00:0C:29:2A:02:5B                                                     alive  Tue Nov 23 07:43:55 UTC 2010  3     0      default

We can also further narrow down the output to display only the columns we are interested in.

msf > hosts -c address,state,svcs

Hosts
=====

address         state  svcs
-------         -----  ----
192.168.69.100  alive  4
192.168.69.105  alive  4
192.168.69.110  alive  6
192.168.69.125  alive  1
192.168.69.130  alive  14
192.168.69.135  alive  12
192.168.69.140  alive  1
192.168.69.141  alive  12
192.168.69.142  alive  14
192.168.69.143  alive  11
192.168.69.146  alive  2
192.168.69.171  alive  6
192.168.69.173  alive  3
192.168.69.175  alive  4
192.168.69.199  alive  4
192.168.69.50   alive  3

We can also limit the output to a single host.

msf > hosts -a 192.168.69.50 -c address,mac,svcs

Hosts
=====

address        mac                svcs
-------        ---                ----
192.168.69.50  00:0C:29:2A:02:5B  3

msf >

notes

Running "notes" will output the notes that Metasploit has for each host. This is where you will find the results of your Nmap scan, along with lots of other valuable information. Like the hosts command, you can filter the information to display only the notes about a single host.

msf > notes -a 192.168.69.135
[*] Time: Tue Nov 23 07:43:55 UTC 2010 Note: host=192.168.69.135 type=host.os.nmap_fingerprint data={:os_version=>"2.6.X", :os_accuracy=>"100", :os_match=>"Linux 2.6.9 - 2.6.31", :os_vendor=>"Linux", :os_family=>"Linux"}
[*] Time: Tue Nov 23 07:43:56 UTC 2010 Note: host=192.168.69.135 type=host.last_boot data={:time=>"Sun Nov 21 23:23:54 2010"}
[*] Time: Tue Nov 23 07:54:48 UTC 2010 Note: host=192.168.69.135service=smb type=smb.fingerprint data={:os_flavor=>"Unix", :os_name=>"Unknown", :os_sp=>"Samba 3.0.20-Debian"}
msf >

services

The "services" command will, as you can imagine, display the identified services on the target machines. This is the information that tells us which targets merit further attention.

msf > services 

Services
========

created_at                    info                                                                                                 name           port   proto  state  updated_at                    Host            Workspace
----------                    ----                                                                                                 ----           ----   -----  -----  ----------                    ----            ---------
Tue Nov 23 07:43:55 UTC 2010  Microsoft Windows RPC                                                                                msrpc          135    tcp    open   Tue Nov 23 07:43:55 UTC 2010  192.168.69.100  default
Tue Nov 23 07:43:55 UTC 2010                                                                                                       netbios-ssn    139    tcp    open   Tue Nov 23 07:43:55 UTC 2010  192.168.69.100  default
Tue Nov 23 07:43:55 UTC 2010  Windows XP Service Pack 2 (language: English) (name:V-XPSP2-TEMPLAT) (domain:WORKGROUP)              smb            445    tcp    open   Tue Nov 23 07:54:50 UTC 2010  192.168.69.100  default
...snip...
Tue Nov 23 07:43:55 UTC 2010  lighttpd 1.4.26                                                                                      ip             80     tcp    open   Tue Nov 23 07:55:42 UTC 2010  192.168.69.50   default
Tue Nov 23 07:43:55 UTC 2010  Samba smbd 3.X workgroup: WORKGROUP                                                                  netbios-ssn    139    tcp    open   Tue Nov 23 07:43:55 UTC 2010  192.168.69.50   default
Tue Nov 23 07:43:55 UTC 2010  Unix Samba 3.0.37 (language: Unknown) (domain:WORKGROUP)                                             smb            445    tcp    open   Tue Nov 23 07:54:41 UTC 2010  192.168.69.50   default

msf >

We also have the option of narrowing down the information on our target. Passing "-h" will display the available options.

msf > services -h

Usage: services [-h|--help] [-u|--up] [-a ] [-r ] [-p ] [-n ]

  -a   Search for a list of addresses
  -c     Only show the given columns
  -h,--help         Show this help information
  -n   Search for a list of service names
  -p   Search for a list of ports
  -r      Only show [tcp|udp] services
  -u,--up           Only show services which are up

Available columns: created_at, info, name, port, proto, state, updated_at

msf >

We can filter the output all the way down to a particular TCP port on a particular host.

msf > services -a 192.168.69.135 -c info -p 445 -r tcp

Services
========

info                                                             Host            Workspace
----                                                             ----            ---------
Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)  192.168.69.135  default

msf >

vulns

Running "vulns" will list all of the vulnerabilities stored in the database, matched to each target. It will also list the appropriate references if available.

msf > vulns -h
[*] Time: Tue Nov 23 09:09:19 UTC 2010 Vuln: host=192.168.69.50 name=NSS- refs=
[*] Time: Tue Nov 23 09:09:20 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26920 refs=CVE-1999-0519,CVE-1999-0520,CVE-2002-1117,BID-494,OSVDB-299
[*] Time: Tue Nov 23 09:09:21 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26919 refs=CVE-1999-0505
...snip...
[*] Time: Tue Nov 23 09:18:54 UTC 2010 Vuln: host=192.168.69.1 name=NSS-43067 refs=
[*] Time: Tue Nov 23 09:18:54 UTC 2010 Vuln: host=192.168.69.1 name=NSS-45590 refs=
[*] Time: Tue Nov 23 09:18:54 UTC 2010 Vuln: host=192.168.69.1 name=NSS-11936 refs=
msf >
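The "notes" and "vulns" listings above share one record format: a timestamp, a record kind, and space-separated key=value fields, with "refs" holding a comma-separated reference list that is often empty. The following parser is an added example, not part of Metasploit Unleashed or the framework itself; the sample lines are constructed, loosely modelled on the output shown on this page, and the grouping functions are hypothetical helpers for triaging which findings carry CVE references.

```python
import re
from collections import defaultdict

# Constructed sample lines in the msfconsole "notes"/"vulns" record format
# shown on this page (hosts, names and references are made up).
SAMPLE_OUTPUT = """\
[*] Time: Tue Nov 23 07:43:55 UTC 2010 Note: host=192.168.69.135 type=host.os.nmap_fingerprint data={:os_version=>"2.6.X", :os_match=>"Linux 2.6.9 - 2.6.31"}
[*] Time: Tue Nov 23 09:09:19 UTC 2010 Vuln: host=192.168.69.50 name=NSS- refs=
[*] Time: Tue Nov 23 09:09:20 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26920 refs=CVE-1999-0519,CVE-1999-0520,BID-494
[*] Time: Tue Nov 23 09:09:21 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26919 refs=CVE-1999-0505
[*] Time: Tue Nov 23 09:18:54 UTC 2010 Vuln: host=192.168.69.1 name=NSS-43067 refs=
"""

# "[*] Time: <timestamp> <Kind>: <key=value ...>"; Credential lines share the shape.
LINE_RE = re.compile(r"^\[\*\] Time: (?P<time>.+? UTC \d{4}) (?P<kind>Note|Vuln|Credential): (?P<body>.*)$")
# A value runs until the next " key=" token, so the Ruby-hash "data={...}"
# payload (which contains spaces and "=>") is kept in one piece.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_records(text):
    """Turn console output into a list of dicts; table rows and prompts are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("body")))
        records.append({"time": m.group("time"), "kind": m.group("kind"), **fields})
    return records


def vulns_by_host(records):
    """Map host -> {vuln name -> list of references}; an empty refs= yields []."""
    out = defaultdict(dict)
    for r in records:
        if r["kind"] != "Vuln":
            continue
        refs = [x for x in r.get("refs", "").split(",") if x]
        out[r["host"]][r["name"]] = refs
    return dict(out)


def hosts_with_cve_refs(records):
    """Hosts with at least one finding that carries a CVE reference (sorted, deduplicated)."""
    result = {}
    for host, vulns in vulns_by_host(records).items():
        cves = sorted({ref for refs in vulns.values() for ref in refs if ref.startswith("CVE-")})
        if cves:
            result[host] = cves
    return result
```

Feed it the text of a "notes" or "vulns" listing saved from msfconsole to get a per-host view of which findings are backed by public references and which are bare scanner IDs.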

creds

During post-exploitation of a host, gathering user credentials is an important activity in order to further penetrate a target network. As we gather sets of credentials, we can add them to our database with the "creds -a" command and list them later by running "creds".

msf > creds -a 192.168.69.100 445 Administrator 7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
[*] Time: Tue Nov 23 09:28:24 UTC 2010 Credential: host=192.168.69.100 port=445 proto=tcp sname=192.168.69.100 type=password user=Administrator pass=7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
msf > creds
[*] Time: Tue Nov 23 09:28:24 UTC 2010 Credential: host=192.168.69.100 port=445 proto=tcp sname=192.168.69.100 type=password user=Administrator pass=7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
[*] Found 1 credential.
msf >

This has just been a brief overview of some of the major database commands available within Metasploit. As always, the best way to learn more and become proficient is to experiment with them in your lab environment.
