Until the release of BackTrack 4 r2, it was possible to get Metasploit working with MySQL, but it was not an altogether seamless experience. Now, however, Metasploit and MySQL work together “out of the box”, so we thought it would be great to highlight the integration. With the Metasploit team moving away from sqlite3, it is vital to be able to make use of a properly threaded database. Quite a number of additional database commands have also been added to Metasploit, and online documentation tends to be rather sparse when it comes to the less “glamorous” side of database management.
We then load the mysql driver, start the mysql service and connect to the database. If the database does not already exist, Metasploit will create it for us.
In order to have some hosts to use as targets and to show the information we can add to the database, we import a previously run Nessus scan using the db_import command. Metasploit will automatically detect the filetype and import it for us.
After the successful import, our database should be populated with a number of hosts. Running db_hosts will query the database and allow us to customize the output.
Far more interesting than IP and MAC addresses are the services running on our target systems, which is what db_services will show us.
Most interesting of all is the list of vulnerabilities that are mapped to our specific targets as found in the vulnerability scan. The db_vulns command will list the vulnerabilities along with their corresponding reference numbers, if applicable.
For the sake of brevity, we will just let db_autopwn exploit the low-hanging fruit for us and only run exploits with at least a “good” rating.
In a brief amount of time, Metasploit has delivered 2 Meterpreter sessions to us.
Running db_exploited now will list not only the hosts that were exploited but also the port and exploit that was successful against them.
Post exploitation is critical and you can frequently make use of credentials gathered to penetrate deeper into a target network. Metasploit has the db_add_cred command that allows you to insert credentials into the database as you come across them during your engagement.
All of these database features are very powerful and exciting, but just as exciting is that your entire session is now available in MySQL.
We can now perform queries to access all of the information gathered on exploited hosts, gathered credentials, and much more.
At first glance, database integration is not that compelling, but it opens the door for the community to develop customized reporting apps on top of a database as widely used as MySQL, easing the post-penetration test reporting burden.
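As an illustration of the kind of reporting query this enables, here is an added example (not code from the original post or from the Metasploit project) that counts recorded findings per host and service for a remediation report. The three-table schema is a simplified assumption, the rows are constructed sample data, and an in-memory sqlite3 database stands in for MySQL so the script runs offline.

```python
import sqlite3

# Simplified, assumed schema (hosts / services / vulns); check the real
# tables in your Metasploit database before adapting the query.
SCHEMA = """
CREATE TABLE hosts    (id INTEGER PRIMARY KEY, address TEXT, os_name TEXT);
CREATE TABLE services (id INTEGER PRIMARY KEY, host_id INTEGER, port INTEGER,
                       proto TEXT, name TEXT);
CREATE TABLE vulns    (id INTEGER PRIMARY KEY, host_id INTEGER,
                       service_id INTEGER, name TEXT);
"""

# Constructed sample rows (documentation address range, placeholder findings).
SAMPLE = """
INSERT INTO hosts VALUES (1,'192.0.2.10','Windows'),(2,'192.0.2.20','Linux');
INSERT INTO services VALUES (1,1,445,'tcp','smb'),(2,2,22,'tcp','ssh'),
                            (3,2,80,'tcp','http');
INSERT INTO vulns VALUES (1,1,1,'EXAMPLE-FINDING-A'),(2,1,1,'EXAMPLE-FINDING-B'),
                         (3,2,3,'EXAMPLE-FINDING-C');
"""

# LEFT JOIN keeps services with no findings so the report shows full coverage.
REPORT_QUERY = """
SELECT h.address, s.port, s.proto, s.name, COUNT(v.id) AS findings
FROM hosts h
JOIN services s ON s.host_id = h.id
LEFT JOIN vulns v ON v.service_id = s.id
GROUP BY h.address, s.port, s.proto, s.name
ORDER BY findings DESC, h.address, s.port
"""

def build_db():
    """Create the in-memory stand-in database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def findings_per_service(conn):
    """Return (address, port, proto, service, finding_count) rows."""
    return conn.execute(REPORT_QUERY).fetchall()

def format_report(rows):
    """Render the rows as a fixed-width text table for a report appendix."""
    lines = ["%-15s %-9s %-8s %s" % ("HOST", "PORT", "SERVICE", "FINDINGS")]
    for addr, port, proto, name, count in rows:
        lines.append("%-15s %-9s %-8s %d" % (addr, "%d/%s" % (port, proto), name, count))
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(findings_per_service(build_db())))
```

The same SELECT should carry over to MySQL once the table and column names are matched to the schema your Metasploit version actually creates.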
For further details on setting up and using the various databases in Metasploit, check out the Using the MSF Database section in Metasploit Unleashed.