# Metasploit Framework

## Setup MSF Database

### Begin MSF Database

The database is not started by default; initialise it once (this starts PostgreSQL, creates the `msf` user and databases, and writes the schema):

```bash
sudo msfdb init
```

### Enable Database Launch on System Start

MSF stores its data in PostgreSQL, so enable that service to have the database come up at boot:

```bash
sudo systemctl enable postgresql
```

### Enter CLI

```bash
sudo msfconsole
```

### Verify Database Connectivity

```bash
msf6 > db_status
```

## Setup and Work with MSF

### Start database service and initialize MSF database

```
kali@kali:~$ sudo msfdb init
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
```

#### Enable database service at boot time

{% code overflow="wrap" %}

```
kali@kali:~$ sudo systemctl enable postgresql
Synchronizing state of postgresql.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /lib/systemd/system/postgresql.service.
```

{% endcode %}

### Workspaces

When we perform a penetration test with Metasploit, it stores all information about our targets and their infrastructure in the database. When we start the next penetration test, this information is still in the database. We can avoid mixing each assessment's results by using workspaces.

The Metasploit `workspace` command with no arguments lists all previously created workspaces and marks the active one with `*`.

Here is how to list the existing workspaces and create a new one (`-a` creates the workspace and switches to it, so everything recorded from then on is scoped to it):

```
msf6 > workspace
* default

msf6 > workspace -a pen200
[*] Added workspace: pen200
[*] Workspace: pen200
```

## Database Backend Commands

#### db\_nmap

A wrapper that executes Nmap from inside Metasploit and saves the findings (hosts, services, versions) in the current workspace. It accepts the usual Nmap options:

```
msf6 > db_nmap
[*] Usage: db_nmap [--save | [--help | -h]] [nmap options]

msf6 > db_nmap -A 192.168.50.202
[*] Nmap: Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 03:48 EDT
[*] Nmap: Nmap scan report for 192.168.50.202
[*] Nmap: Host is up (0.11s latency).
[*] Nmap: Not shown: 993 closed tcp ports (reset)
[*] Nmap: PORT     STATE SERVICE       VERSION
[*] Nmap: 21/tcp   open  ftp?
...
[*] Nmap: 135/tcp  open  msrpc         Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds?
[*] Nmap: 3389/tcp open  ms-wbt-server Microsoft Terminal Services
...
[*] Nmap: 5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
...
[*] Nmap: 8000/tcp open  http          Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
...
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 67.72 seconds
```

#### hosts

Lists all hosts discovered in the current workspace:

```
msf6 > hosts

Hosts
=====

address         mac  name  os_name       os_flavor  os_sp  purpose  info  comments
-------         ---  ----  -------       ---------  -----  -------  ----  --------
192.168.50.202             Windows 2016                    server
```

#### services

Lists the services discovered by the port scan; `-p` filters by port:

{% code overflow="wrap" %}

```
msf6 > services
Services
========

host            port  proto  name           state  info
----            ----  -----  ----           -----  ----
192.168.50.202  21    tcp    ftp            open
192.168.50.202  135   tcp    msrpc          open   Microsoft Windows RPC
192.168.50.202  139   tcp    netbios-ssn    open   Microsoft Windows netbios-ssn
192.168.50.202  445   tcp    microsoft-ds   open
192.168.50.202  3389  tcp    ms-wbt-server  open   Microsoft Terminal Services
192.168.50.202  5357  tcp    http           open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.50.202  8000  tcp    http           open   Golang net/http server Go-IPFS json-rpc or InfluxDB API

msf6 > services -p 8000
Services
========

host            port  proto  name  state  info
----            ----  -----  ----  -----  ----
192.168.50.202  8000  tcp    http  open   Golang net/http server Go-IPFS json-rpc or InfluxDB API
```

{% endcode %}
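The whole flow above (check `db_status`, pick a workspace, run `db_nmap`, pull `hosts` and `services` back out) can be driven non-interactively from a resource script. The following Bash script is an added example, not code from the original page or from the Metasploit project. It assumes `msfconsole` is on `PATH`, that the database has already been initialised with `sudo msfdb init`, and that `db_status` prints a line containing `Connected to` when the backend is reachable (message text assumed from typical msfconsole output). The `hosts -o` and `services -o` options export the tables as CSV files for reporting.

```bash
#!/usr/bin/env bash
# Added example (not part of the original page): drive the MSF database workflow
# non-interactively. Assumes msfconsole on PATH and a database initialised with
# `sudo msfdb init`.
set -u

# db_status prints e.g. "[*] Connected to msf. Connection type: postgresql." when
# the backend is reachable and "[*] postgresql selected, no connection" when it is
# not (message text assumed). Return 0 only for a live connection so callers can
# refuse to scan into a dead database, where nothing would be recorded.
msf_db_connected() {
  printf '%s\n' "$1" | grep -q 'Connected to'
}

# Write a resource script that creates/selects a workspace, runs db_nmap against
# each target, and exports hosts and services as CSV.
# Arguments: <workspace> <output-rc-path> <csv-dir> <target>...
build_rc() {
  local ws=$1 rc=$2 csvdir=$3
  shift 3
  {
    echo "workspace -a $ws"   # create the workspace (no-op if it already exists)
    echo "workspace $ws"      # ...and make sure it is the active one
    for t in "$@"; do
      echo "db_nmap -A $t"    # findings land in the '$ws' workspace
    done
    echo "hosts -o $csvdir/hosts.csv"
    echo "services -o $csvdir/services.csv"
    echo "exit -y"            # leave msfconsole without prompting
  } > "$rc"
}

# Number of db_nmap lines in a resource script (one per target); a cheap sanity
# check on a generated script before handing it to msfconsole.
rc_target_count() {
  grep -c '^db_nmap ' "$1"
}

main() {
  local ws=$1 csvdir=$2
  shift 2
  local status rc
  status=$(msfconsole -q -x 'db_status; exit' 2>/dev/null)
  if ! msf_db_connected "$status"; then
    echo "MSF database not connected - run 'sudo msfdb init' first" >&2
    return 1
  fi
  mkdir -p "$csvdir"
  rc=$(mktemp)
  build_rc "$ws" "$rc" "$csvdir" "$@"
  msfconsole -q -r "$rc"
}

# Usage: sudo ./msf_scan.sh pen200 ./out 192.168.50.202 192.168.50.203
if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

Run it with `sudo` as the page does for `msfconsole`, since `-A` needs raw sockets for OS detection. The connectivity check up front matters: if the database is down, `db_nmap` still scans but records nothing, and the exported CSVs come back empty.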
