The post-exploitation phase always begins after you have compromised one or more systems, but you’re not even close to being done yet.
Metasploit generally offers more than one interface to its underlying functionality, including console, command line, and graphical interfaces. In addition to these interfaces, utilities provide direct access to functions that are normally internal to the Metasploit Framework. These utilities can be invaluable for exploit development and situations for which you do not need the flexibility of the entire Framework.
When you encounter the Metasploit Framework (MSF) for the first time, you might be overwhelmed by its many interfaces, options, utilities, variables, and modules.
In this article, we’ll focus on the basics that will help you make sense of the big picture regarding the database commands used by the Metasploit Framework. Before using the database, you need to start the PostgreSQL server by typing “systemctl start postgresql” in your terminal.
After starting the PostgreSQL server, you need to create and initialize the msf database with “msfdb init”.
Now start the Metasploit Framework in console mode by typing “msfconsole”, then run “db_status” to confirm whether your database is connected to Metasploit.
Msfconsole is by far the most popular part of the Metasploit Framework, and for good reason. It is one of the most flexible, feature-rich, and well-supported tools within the Framework. Msfconsole provides a handy all-in-one interface to almost every option and setting available in the Framework; it’s like a one-stop shop for all of your exploitation dreams.
You can use msfconsole to do everything, including launching an exploit, loading auxiliary modules, performing enumeration, creating listeners, or running mass exploitation against an entire network.
Once connected to the database, we can start organizing our different activities using what are called “workspaces”, which give us the ability to keep scans from different networks, subnets, or locations separate.
To create a new workspace, type “workspace -a name” at the msfconsole prompt, where name is the name you want to give it.
To see all the workspaces, just type “workspace”; to delete a workspace, type “workspace -d name”.
It’s that simple. Running the same command with the -h switch shows the command’s other capabilities, as shown below:
Now that we are connected to our database and our workspace is set up, let’s look at populating it with some data. First we’ll look at the different db_ commands available, using the ‘help’ command from the msfconsole.
As a first step, run a scan against your target with Nmap and save the Nmap output to an XML file with the -oX option. In this case, we are using Metasploitable2 as the target, whose IP address is 192.168.36.132 (it may be different in your case), and a Kali Linux machine as the attacker machine.
Let’s start by importing the Nmap scan using the db_import command followed by the path to our file. Once completed, you can easily confirm it by typing the hosts command to see all available targets.
You can also scan a host directly from the console using the “db_nmap” command; the scan results are saved in the current database. The command works the same way as the command-line version of nmap.
Command: db_nmap -A 192.168.36.132
Nmap is, by far, the most popular port scanning tool. It integrates with Metasploit quite elegantly, storing scan output in a database backend for later use. Nmap lets you scan hosts to identify the services running on each, any of which might offer a way in.
The next step is to export all the output to a file. Exporting all data outside the Metasploit environment is very simple: using the “db_export” command, all the gathered information can be saved in an XML file. This format can easily be used and manipulated later for reporting purposes.
This command has two output formats: the xml format, which exports all of the information currently stored in our active workspace, and the pwdump format, which exports everything related to used/gathered credentials.
To export all the output in XML format, type “db_export -f xml /root/filename.xml”.
Now that we can easily import and export all the information to and from our database, let us look at how we can use this information within the msfconsole. Many commands are available to search for specific information stored in our database: host names, addresses, discovered services, and so on. We can even use the resulting data to populate module settings such as RHOSTS.
We’ll start by asking the hosts command to display only the IP address and MAC address, using the -c switch.
Command: hosts -c address,mac
Another interesting feature available to us is the ability to search all our entries for something specific with the -S switch, which narrows the output to matching rows.
Command: hosts -c address,mac,os_name -S Linux
Let’s try using the hosts command together with an auxiliary scanning module. In this case, we just load up a TCP port scanning module (auxiliary/scanner/portscan/tcp).
In the screen above, you can see that the RHOSTS entry is empty, so we have two options to set it. You can set RHOSTS by typing “set RHOSTS <target>”, or you can set it directly from the database by typing “hosts -c address,os_name -S Linux -R”.
Another way to search the database is by using the services command. Like the previous examples, we can extract very specific information with little effort.
Type services -h to view all the available options.
Much in the same way as the hosts command, you can also specify which fields are displayed. Coupled with the -S switch, we can also search for a service containing a particular string, as shown below:
Here we are searching all hosts contained in our database with a service name containing the string http.
You can also search by specific ports or port ranges, or by a full or partial service name using the -s or -S switches, for all hosts or just a select few. The list goes on and on.
Here are a few examples, but you may need to experiment with these features in order to get what you want and need out of your searches.
Both the hosts and services commands give us a means of saving our query results to a file in comma-separated value (CSV) format. By appending -o followed by a path and filename, the information that would be displayed on the screen is saved to disk instead.
Command: services -s http -c port 192.168.36.132 -o /root/filename.csv
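As an added example (not code from the original post or from the Metasploit project), the following Python script reads an Nmap -oX report, the format db_import consumes, and reproduces the hosts/services queries used above: column selection (-c), substring search (-S), the address list that -R pushes into RHOSTS, and the CSV written by -o. The XML report embedded in it is constructed sample data, not real scan output.

```python
import csv, io
import xml.etree.ElementTree as ET

# Constructed sample of an Nmap -oX report (not real scan output); addresses,
# MAC and OS strings are made up to resemble a small lab network.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -A -oX scan.xml 192.168.36.0/24">
  <host><address addr="192.168.36.132" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/><os><osmatch name="Linux 2.6.9 - 2.6.33"/></os>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8180"><state state="open"/><service name="http"/></port></ports></host>
  <host><address addr="192.168.36.10" addrtype="ipv4"/><os><osmatch name="Microsoft Windows 7"/></os>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Build hosts/services rows resembling the tables db_import fills."""
    hosts, services = [], []
    for h in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        osm = h.find("os/osmatch")
        host = {"address": addrs.get("ipv4", addrs.get("ipv6", "")),
                "mac": addrs.get("mac", ""),
                "os_name": osm.get("name") if osm is not None else ""}
        hosts.append(host)
        for p in h.findall("ports/port"):
            svc = p.find("service")
            services.append({"host": host["address"], "port": int(p.get("portid")),
                             "proto": p.get("protocol"), "state": p.find("state").get("state"),
                             "name": svc.get("name") if svc is not None else ""})
    return hosts, services

def search(rows, needle):
    """Case-insensitive substring match over every column, like the -S switch."""
    needle = needle.lower()
    return [r for r in rows if any(needle in str(v).lower() for v in r.values())]

def rhosts(hosts):
    """Space-separated address list, what 'hosts -R' pushes into RHOSTS."""
    return " ".join(h["address"] for h in hosts)

def to_csv(rows, columns):
    """Keep only the chosen columns, like 'services -c port -o file.csv'."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Running `to_csv(search(services, "http"), ["host", "port"])` on the sample gives the same rows the services -s http -c port -o query above writes to disk.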
Suppose you have obtained valid credentials for a service or module by some means. The creds command is used to manage found and used credentials for targets in our database. Running this command without any options displays the currently saved credentials.
Poorly configured Microsoft SQL Server (MS SQL) installations often provide an initial way into a target network. In fact, many system administrators don’t even realize that they have MS SQL servers installed on their workstations at all, because the service is installed as a prerequisite for some common software, such as Microsoft Visual Studio. These installations are often unused, unpatched, or never even configured.