Metasploit: Using Workspaces

The Metasploit database is great for tracking a Penetration Testing engagement, the biggest the engagement the more that the database can offer you. It tracks alive hosts, pwned boxes and stolen loot – plus it timestamps actions too just in case you need to track what happened when.

Before you get knee deep in the metasploit database you’ll need to get everything set up. If you’re using Kali then things should work out of the box if, like me, you use Fedora then check this link out – you can get database setup instructions here!

To see if you’ve managed to hit all of the right settings you can test the database connection:

msf > db_status 
[*] postgresql connected to msf_database
msf >

If your output looks something like the above then you’re good to go.

When it comes to PenTesting, it’s a really good idea to keep everything seperate – all of you scan results, vulns and loot. Metasploit allows you to keep things need like this through “Workspaces”. There’s a default workspace, and you can add a new one per assessment easily.

To list your workspaces enter the workspace command:

msf > workspace 
* Spaaace
msf >

The active workspace is tagged with a *

To create a new workspace use -a, to delete one use -d and to swap to a new workspace just refer to it by name, like “workspace default”. Here’s an example of what it looks like in the console:

Adding a workspace:
msf > workspace -a ClientName
[*] Added workspace: ClientName
Swapping workspaces:
msf > workspace ClientName 
[*] Workspace: ClientName
Deleting a workspace
msf > workspace -d ClientName 
[*] Deleted workspace: ClientName
[*] Switched workspace: default

As you work with the console it will track a lot of information that you gather. The first thing no doubt you’ll start working with is a list of target hosts, your scope. There are a few ways to import your scope and host information into metasploit: Manually, importing an nmap .xml, or running nmap within the console:

Adding a host manually:
hosts -a
Importing an Nmap scan:
(nmap -sS -oX Scope.xml
db_import Scope.xml
Running Nmap within the console:
db_nmap -sS

The db_nmap command takes standard Nmap syntax, but automatically places found hosts and related information into the database! Now that you’ve got a database filled with tasty host information, you can take a look at what you’ve enumerated with the hosts command:

msf > hosts
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- -------- 72:ea:d6:ac:da:64 iOS 7.X device

You can search through the hosts list for machines that fit specific criteria and set the RHOSTS variable to the results of the search, like this:

msf > hosts -S 172.20.10.[1-10] -c address,os_name -R
address os_name
------- ------- iOS

Alternatively you can select targets based on open ports or available services, like this:

msf > services -s domain -u -R
host port proto name state info
---- ---- ----- ---- ----- ---- 53 tcp domain open ISC BIND com
msf > services -p 21 -u -R
host port proto name state info
---- ---- ----- ---- ----- ---- 21 tcp tcpwrapped open

Once you’ve started using your hosts and services information to pop boxes and gather passwords, hashes and other information remember to check out your loot store to see what you’ve gathered: using the loot command. Here I show an example of gathering some credentials with an active meterpreter session and then show that the gathered hashes have automatically been added to the loot list:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against WIN-H64STA52327
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20160215222539_Spaaace_172.20.10.2_windows.hashes_680595.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 1f39e60415696dc633e2958032f765d4...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] user:1000:aad3b435b51404eeaad3b435b51404ee:7df82f2faaaaaa61645c6d6bbbbcd7c8:::
Background session 1? [y/N] 
msf > loot
host service type name content info path
---- ------- ---- ---- ------- ---- ---- windows.hashes WIN-H64STA52327_hashes.txt text/plain Windows Hashes /root/.msf4/loot/20160215222539_Spaaace_172.20.10.2_windows.hashes_680595.txt

If you want the credentials themselves however, hit the Creds command:

msf > creds
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------ 445/tcp (cifs) user DemoPass . Password 445/tcp (cifs) user aad3b435b51404eeaad3b435b51404ee:7df82f2faaaaaa61645c6d6bbbbcd7c8 NTLM hash

Finally, if you’re working with Nessus then you know that you can also import nessus files into metasploit! It’ll automatically populate your hosts and services tables with target information, but it’ll also inform metasploit of vulnerabilities that it has found! So before, how you could filter hosts by service or name, you could filter them by vulnerability or CVE!
Go ahead and run db_import again but this time run it on a Nessus file:

msf > db_import /home/user/Downloads/Demonstration_me9lzg.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host
[*] Importing host
[*] Successfully imported /home/user/Downloads/Demonstration_me9lzg.nessus
msf >

Now you can filter by vulnerability!

msf > vulns -S MS11-030
[*] Time: 2016-02-15 22:40:27 UTC Vuln: host= name=MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check) refs=CVE-2011-0657,BID-47242,OSVDB-71780,IAVA-2011-A-0039,MSFT-MS11-030,MSF-Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS,NSS-53514 
msf >

and find interesting services like LLMNR to abuse:

msf > vulns -S "Link-Local"
[*] Time: 2016-02-15 22:40:27 UTC Vuln: host= name=Link-Local Multicast Name Resolution (LLMNR) Detection refs=NSS-53513 
msf >

So to summarise, by utilising the database you’re tying together all of your tools, like Nmap, Nessus and Metasploit. By using workspaces you’re separating out all of your assessment data and keeping host information, service information, vulnerabilities, loot and timestamps of it all.