One of my favourite features of Metasploit is the ability to organise all the data collected throughout a penetration test into an easily searchable format. This greatly assists in mapping a network and finding vulnerable high value targets to go after.
Metasploit uses ‘workspaces’ to separate data sets. Before starting a new penetration test it is a good idea to create a new workspace where all the data collected during the test can be stored without contamination from previous tests. To create a new workspace, from msfconsole, issue the command ‘workspace -a [name of workspace]’. Then change to the newly created workspace using ‘workspace [name of workspace]’.

Typically, one of the first activities that would be performed in a penetration test is host and service discovery. This almost always involves port scanning and the most popular tool to do this is nmap. Metasploit can import nmap outputs in the XML format. To do this, from msfconsole, issue the command ‘db_import [path to file]’.

Metasploit has now added all of the results from the nmap file ‘top1000TCP.xml’ into the ‘example’ workspace. Alternatively, nmap scans can be launched from within Metasploit with the db_nmap command. This will automatically add the results to the current workspace.
Now that the workspace is populated with nmap results, the ‘hosts’ and ‘services’ commands can be used to search for interesting targets to exploit.
Using the command ‘hosts’ without any parameters will list all hosts in the current workspace and some additional data about them.

Similarly, the ‘services’ command without any parameters will list all of the services that are stored in the current workspace.

Both the ‘services’ and ‘hosts’ commands have a number of options to limit their output to specific results. Typing ‘help [command]’ makes Metasploit list the options and what they do.

Metasploit provides functionality to use the results of a ‘services’ or ‘hosts’ command to set the RHOSTS field of a module. In this way, Metasploit modules can be run against specific hosts in the workspace that share common properties.
To select all the hosts that have port 445 open and use them as the RHOSTS field for a module, the following command is issued: ‘services -p 445 -u -R’. The ‘-p’ option returns only services on port 445, the ‘-u’ option returns only services that are up, and the ‘-R’ option sets the resulting hosts as the RHOSTS field.

Now when the module is set and run, it will be run against all the hosts in the ‘example’ workspace with port 445 open.
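As an added example (not part of this post or of Metasploit itself), the selection that ‘services -p 445 -u -R’ performs, reimplemented over an nmap XML file of the kind db_import reads. The sample XML, the addresses in it and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML output format (what db_import parses).
# Addresses and results are made up for this example, not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/></port>
    <port protocol="tcp" portid="80"><state state="open"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="filtered"/></port>
  </ports></host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/></port>
  </ports></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Flatten an nmap XML document into (address, port, protocol, state)
    records, one per scanned port: the data db_import stores as services."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # skip hosts with no IPv4 address
            continue
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            records.append((addr.get("addr"), int(port.get("portid")),
                            port.get("protocol"), state))
    return records

def rhosts_for_port(records, port, only_up=True):
    """Equivalent of 'services -p <port> -u -R': distinct hosts that have the
    port, limited to state 'open' when only_up is set, in scan order."""
    hosts = []
    for addr, p, _proto, state in records:
        if p != port or (only_up and state != "open"):
            continue
        if addr not in hosts:
            hosts.append(addr)
    return hosts

def rhosts_setting(hosts):
    """Render the selection as the space-separated RHOSTS value msfconsole accepts."""
    return "set RHOSTS " + " ".join(hosts)
```

Dropping ‘-u’ (only_up=False) is what makes the filtered host on port 445 reappear in the selection.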

This demonstrates a simple use case for workspaces and is something that I find myself using frequently on infrastructure tests. There are many other commands that can be used within workspaces to view credentials found and to write or view notes on particular hosts.