Tips for an Information Security Analyst/Pentester career - Ep. 72 - Pentest automation and Metasploit
The problem
I've been dealing with larger and larger pentesting engagements as I progress with my career.
Having to check for vulnerabilities or possible exploits when dealing with large networks can be quite challenging. I recently had to scan and enumerate a series of /16 subnets, for example, and, even using scripts, this can be very time-consuming.
Luckily, Metasploit offers a set of advanced database features that solve this problem.
Metasploit can be used along with a database, which lets you import a Nessus scan or an Nmap scan (in XML format) and have all the hosts automatically parsed for you.
This lets you pre-populate the exploit modules you choose with all the relevant hosts included in the scan.
Awesome, right?
Let's see how.
Starting and using the database
In order to use the database, you need to start the postgresql service through the service postgresql start command and then launch Metasploit.
NOTE: Older tutorials might mention you need to start the metasploit service as well, but said service is no longer supported by the current Kali Linux version.
If you have never used the database before, you might have to run the msfdb init command to initialize it (note: I didn't do it in the video, as I had gone through this step previously).
To check on the database status, you need to run the db_status command.
The output should look like the one shown below.
If it shows as not connected, you may need to exit msfconsole, start postgresql first, and then launch msfconsole again.
The database allows you to work with something called workspaces.
You can create a workspace for a specific pentest through the workspace -a workspace_name command.
In my case, I had already created a workspace named homescan, where I had imported the Nmap scan for my home network.
You can move to a specific workspace through the workspace workspace_name command.
At this point, you can import a Nessus scan or an Nmap scan in XML format, through the db_import file command.
The real deal
By running the hosts command, you can now see all imported hosts, and you can run exploit modules against them.
You can also understand how many hosts run a specific service.
For example, if we want to know how many hosts run http, we can use the services -S http command.
In some pentests I worked on, this command returned several hundred hosts.
With a simple command like this, you can fully and quickly understand what's running on your target network.
But there's more.
YOU CAN USE THIS COMMAND TO PRE-POPULATE YOUR EXPLOIT MODULES OPTIONS.
For example, say you want to enumerate the directories for all hosts running http, retrieved before.
You can't possibly think of running something like nikto, dirb or dirbuster on each individual host, as it would take forever and would be inefficient.
You can, instead, run an auxiliary module and use the database to pre-populate the RHOSTS parameter, i.e. the list of remote hosts to be scanned.
Metasploit has some great auxiliary modules that can be used for web server enumeration, one of which is auxiliary/scanner/http/dir_scanner.
After choosing this module, we can pre-populate its RHOSTS parameter by running the services -S http -R command, which retrieves all hosts running http and then automatically sets them as the RHOSTS parameter for us.
We can then run the module against this pre-populated list of hosts and have a result back in a pretty reasonable time.
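To make clear what db_import and services -S http -R are doing behind the scenes, here is an added example (not code from the original post or from Metasploit) that parses a constructed Nmap XML scan the way the database does, builds the host/service table, and derives the RHOSTS value for a given service name; the sample addresses are made up.

```python
"""Re-implementation of the db_import + `services -S <name> -R` workflow on an Nmap XML file:
parse up hosts, collect open services, filter by service name, build the RHOSTS value."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample scan (not real data): one host with two http-like services,
# one host with ssh only and a closed port 80, and one host that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_services(xml_text):
    """Return {addr: [(port, proto, service_name), ...]} for hosts that are up,
    keeping only open ports: the same data `hosts` and `services` show in msfconsole."""
    services = defaultdict(list)
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are not imported as live assets
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        services[addr]  # register the host even if it has no open ports
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports never become service rows
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            services[addr].append((int(port.get("portid")), port.get("protocol"), name))
    return dict(services)

def rhosts_for_service(services, name):
    """Equivalent of `services -S <name> -R`: -S is a substring match on the service name
    (so "http" also matches "http-proxy"); the hosts are joined as one RHOSTS value."""
    matches = sorted(a for a, svcs in services.items() if any(name in s[2] for s in svcs))
    return " ".join(matches)
```

The same parse is useful on the defensive side: run over a periodic scan of your own ranges, it gives an inventory of which hosts expose http at all, which is exactly what the database lets you answer in one command.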
The above example refers to my home network, which is quite small.
You can fully appreciate the advantage of this Metasploit automation feature on large or very large engagements, where you have hundreds or thousands of http servers to scan.
That's when such functionality becomes critical, because each pentest must be performed within specific and sometimes strictly agreed deadlines, and you have a limited number of working hours in which to wrap up the recon stage.
Wrap-up
Metasploit is mostly known as an exploitation framework, but it also offers awesome automation features that can play a very critical role in large pentests.
I barely scratched the surface with this post, both for time constraints (I need to get some sleep) and because Offensive Security can do it much better than I ever could.
You can check Metasploit Unleashed for more details about how to work with the database in Metasploit.