All Linux HowTo's Security HowTo's

You Don’t Need a Vulnerability Scanner, Use Nmap & Metasploit

This article walks you through the process of installing, configuring and running scans using Metasploit and Nmap. Both CentOS 7 and Ubuntu 20.04 are discussed. Our objective is to be able to run nmap scans and have the results go into a database so we can filter the results later and then use Metasploit to exploit based on our options given the exposed services on hosts discovered in the scans. This article is based on details from several places including:

https://fedoraproject.org/wiki/Metasploit_Postgres_Setup
https://docs.rapid7.com/metasploit/no-database-connection/
https://www.offensive-security.com/metasploit-unleashed/using-databases/

Install Postgres and some other tools we generally use:
CentOS:

yum install postgresql postgresql-server nmap curl wget tcpdump

Ubuntu:

apt install postgresql postgresql-contrib nmap curl wget tcpdump

Install Metasploit:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

Run the initial DB setup. This also creates some directories we need:
CentOS:

postgresql-setup initdb

Update your configuration file. For my system, only the lines indicated below were needed in the file. All other lines were removed. Take a backup of the file before removing anything:

CentOS: /var/lib/pgsql/data/pg_hba.conf
Ubuntu: /etc/postgresql/12/main/pg_hba.conf

CentOS:

host    msf_database    msf_user        127.0.0.1/32            md5

Ubuntu:

local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    msf_database    msf_user        127.0.0.1/32            md5

The remainder of this article should be the same on both CentOS and Ubuntu.

Enable and start the DB:

systemctl enable postgresql
systemctl restart postgresql

Create the DB and user:

su postgres
createuser msf_user -P
createdb --owner=msf_user msf_database
	Ignore directory permission errors. 
exit

Install Metasploit:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

TIP: Metasploit will be installed to “/opt/metasploit-framework/”. The “bin” directory is “/opt/metasploit-framework/bin”.

Create the file “/opt/metasploit-framework/embedded/framework/config/database.yml” and add the following content. Change the password to whatever you set in the above steps:

development:
adapter: "postgresql"
database: "msf_database"
username: "msf_user"
password: "MYPASSWORD"
port: 5432
host: "localhost"
pool: 256
timeout: 5
production:
adapter: "postgresql"
database: "msf_database"
username: "msf_user"
password: "MYPASSWORD"
port: 5432
host: "localhost"
pool: 256
timeout: 5

Run Metasploit and see if you can connect to the database:

msfconsole
db_connect msf_user:MYPASSWORD@127.0.0.1:5432/msf_database
db_status

Create a Workspace (see details here “https://docs.rapid7.com/metasploit/managing-workspaces/”) and switch to it:

# workspace -a TestWork
# workspace TestWork

And conduct a scan of your target subnet:

# db_nmap -sV -p 80,443 192.168.1.0/24

192.168.1.143  443   tcp    ssl/https  open      VMware ESXi SOAP API 6.5.0
192.168.1.193  443   tcp    ssl/http   open      Microsoft IIS httpd 10.0
192.168.1.179  443   tcp    ssl/http   open      Apache httpd Express

TIP: The -sV tells nmap to get more details about the services listening on ports. Ie, version numbers.

The above scan is saved to the DB. Now we can sort through the results using basic queries. For example, get all hosts with port 443 or 3306 open:

# services -p 443,3306 -u

host           port  proto  name   state  info
----           ----  -----  ----   -----  ----
192.168.1.175  443   tcp    ssl/http   open      Apache httpd 2.4
192.168.1.176  443   tcp    ssl/http   open      Apache httpd 2.4
192.168.1.177  443   tcp    ssl/http   open      Apache httpd Express
192.168.1.178  443   tcp    ssl/http   open      Apache httpd Express
192.168.1.179  443   tcp    ssl/http   open      Apache httpd Express
192.168.1.143  3306  tcp    mysql  open   MySQL 5.5.5-10.3.28-MariaDB

TIP: The -p allows you to list comma separated port numbers. The -u shows only hosts that list the given port/s as open.

Now we can search for exploits that match our targets. In this example, we’ll focus on exploits relating to “mysql” with a rank of “excellent”:

# search rank:excellent mysql

Actually conducting an exploit attempt:

msf6 > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS file:/tmp/msf-db-rhosts-20210824-1501072-r8icdz yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME root yes The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set rhost 192.168.1.143
rhost => 192.168.1.143
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run

[+] 192.168.1.143:3306 - 192.168.1.143:3306 The server allows logins, proceeding with bypass test
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 10% complete
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 20% complete
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 30% complete
...
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 90% complete
[*] 192.168.1.143:3306 - 192.168.1.143:3306 Authentication bypass is 100% complete
[-] 192.168.1.143:3306 - 192.168.1.143:3306 Unable to bypass authentication, this target may not be vulnerable
[*] 192.168.1.143:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I suppose it’s good that the test server was not successfully exploited.

You can run your scans in the background on a schedule using the following example command. Put this into a script of cronjob for scheduling:

# nohup msfconsole -x "db_connect msf_user:MYPASSWORD@127.0.0.1:5432/msf_database" -x "db_nmap -A 192.168.1.0/24" &

Check on the progress by running:

tail -f nohup.out

Troubleshooting:

If you have trouble, it’s likely to do with the database. You can see if Metasploit is the issue or the DB config by trying to connect to it using the psgl cli command:

psql -h 127.0.0.1 -U msf_user --password -d msf_database

Similar Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.