Metasploit Penetration Testing Cookbook: Over 70 recipes to master the most widely used penetration testing framework with this book and ebook.

You will notice that there are two types of installer available for Windows. It is recommended to download the complete installer of the Metasploit framework which contains the console and all other relevant dependencies, along with the database and runtime setup. In case you already have a configured database that you want to use for the framework as well, then you can go for the mini installer of the framework which only installs the console and dependencies.

Once you have completed downloading the installer, simply run it and sit back. It will automatically install all the relevant components and set up the database for you. Once the installation is complete, you can access the framework through various shortcuts created by the installer.

You will find that the installer has created lots of shortcuts for you. Most of the things are click-and-go in a Windows environment. Some of the options that you will find are Metasploit web, cmd console, Metasploit update, and so on.

Now let's talk about some other options, or possibly some pieces of general information, that are relevant to installing the Metasploit framework on Windows explicitly.

Database error during installation

There is a common problem with many users while installing the Metasploit framework on the Windows machine. While running the setup you may encounter an error message, as shown in the screenshot:

This is the result of an error in configuring the PostgreSQL server. The possible causes are:

• PostgreSQL not running. Use Netstat to figure out if the port is open and the database is running.

• Some installers require a default installation path. For example, if the default path is C drive, changing it to D drive will give this error.

• Language encoding.

If you face this problem then you can overcome it by downloading the simpler version of the framework which contains only the console and dependencies. Then, configure the database manually and connect it with Metasploit.

Download the setup from the official Metasploit website (http://www.metasploit.com/download).

Again, you will have the option to choose either a minimal setup or full setup. Choose your download according to your need. The full setup will include all the dependencies, database setup, environment etc whereas the minimal setup will only contain the dependencies with no database setup.

The process for installing a full setup is a bit different from a minimal setup. Let us analyze each of them:

The installation process demonstrated above is a simple Ubuntu-based installation procedure for almost all software. Once the installation is complete, you can run hash –r to reload your path.

Now let's talk about some other options, or possibly some pieces of general information that are relevant to this task.

$ sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby     libiconv-ruby libreadline-ruby irb ri rubygems

$ sudo apt-get install subversion

$ sudo apt-get install build-essential ruby-dev libpcap-dev

$ tar xf framework-4.X.tar.gz
$ sudo mkdir -p /opt/metasploit4
$ sudo cp -a msf4/ /opt/metasploit3/msf4
$ sudo chown root:root -R /opt/metasploit4/msf4
$ sudo ln -sf /opt/metasploit3/msf3/msf* /usr/local/bin/

Either you can have a separate installation of BackTrack on your hard disk or you can also use it over a host on a virtual machine. The installation process is simple and the same as installing any Linux-based operating system.

Launching Metasploit from the command line will follow the complete path to msfconsole. Launching it from the Application menu will provide us a direct access to different UIs available to us.

We will be using a virtual box to set up two virtual machines with BackTrack 5 and Windows XP SP2 operating systems. Our host system is a Windows 7 machine. We will need the virtual box installer and either an image file or an installation disk of the two operating systems we want to set up in the virtual machine. So our complete setup will consist of a host system running Windows 7 with two virtual systems running BackTrack 5 and Windows XP SP2 respectively.

The process of installing a virtual machine is simple and self-explanatory. Follow these steps:

Before you start your virtual machines, there is an important configuration that we will have to make in order to make the two virtual machines communicate with each other. Select one of the virtual machines and click on Settings. Then move to Network settings. In the Network adapter, there will be a pre-installed NAT adapter for internet usage of the host machine. Under Adapter 2 select Host only Adapter:

Follow this process for both the virtual machines. The reason for setting up Host-only adapter is to make the two virtual machines communicate with each other. Now, in order to test whether everything is fine, check the IP address of the windows virtual machine by entering ipconfig in the command prompt. Now ping the Windows machine (using the local IP address obtained from the ipconfig command) from the BackTrack machine to see if it is receiving the packets or not. Follow the vice versa process to crosscheck both the machines.

Now let's talk about some other options, or possibly some pieces of general information, that are relevant to this task.

All we need is an SSH client. We will use PuTTY as it is the most popular and free SSH client available for Windows. We will set up an SSH connectivity with the Backtrack machine as it has more memory consumption than the Windows XP machine.

In this SSH session we can now interact with the BackTrack virtual machine using PuTTY. As the GUI is not loaded, it reduces the memory consumption by almost half. Also minimizing the BackTrack virtual machine will further reduce memory consumption as the Windows operating system provides less memory share to the processes that are minimized and provides faster execution of those tasks that are running in maximized mode. This will further reduce the memory consumption to some extent.

Boot up your operating system on which you have installed Metasploit. If you are using it on a virtual machine then start it.

Launching msfconsole is an easy task. Follow these steps:

root@bt:/pentest/exploits/framework3# ./msfconsole

Now, our msfconsole interface is up and running, and ready to receive the commands.

Metasploit interfaces extend the base library which enables them to evoke initial functionalities of the framework. Simple commands, such as setting up exploits and payloads, running updates, and configuring the database can be executed. Once the process grows deep, the other functional libraries are called accordingly.

Let us add some additional stuff that you can perform at this stage with the msfconsole interface.

Metasploit comes with PostgreSQL as the default database. For the BackTrack machine, we have one more option—MySQL. You can use either of the two databases. Let us first check out the default settings of the PostgreSQL database. We will have to navigate to database.yml located under opt/framework3/config. To do this, run the following command:

root@bt:~# cd /opt/framework3/config
root@bt:/opt/framework3/config# cat database.yml
production:
adapter: postgresql
database: msf3
username: msf3
password: 8b826ac0
host: 127.0.0.1
port: 7175
pool: 75
timeout: 5

Notice the default username, password, and default database that has been created. Note down these values as they will be required further. You can also change these values according to your choice as well.

Now our job is to connect the database and start using it. Let us launch the msfconsole and see how we can set up the databases and store our results.

Let us first check the available database drivers.

msf > db_driver
[*]Active Driver: postgresql
[*]Available: postgresql, mysql

PostgreSQL is set as the default database. If you want to change the database driver then you can execute the following command:

Msf> db_driver mysql
[*]Active Driver: Mysql

This will change the active driver to MySQL. In this book, we will primarily be using PostgreSQL for demonstrations.

To connect the driver to msfconsle we will be using the db_connect command. This command will be executed using the following syntax:

db_connect username:password@hostIP:port number/database_name

Here we will use the same default values of username, password, database name, and port number which we just noted down from the database.yml file:

msf > db_connect msf3:8b826ac0@127.0.0.1:7175/msf3

On successful execution of the command, our database is fully configured.

Let us discuss some more important facts related to setting up the database.

msf> gem install postgres
msf> apt-get install libpq-dev

msf> db_destroy msf3:8b826ac0@127.0.0.1:7175/msf3
Database "msf3" dropped.
msf>

If you have successfully executed the previous recipe, you are all set to use the database for storing the results. Enter the help command in msfconsole to have a quick look at the important database commands available to us.

Let us start with a quick example. The db_nmap command stores the results of the port scan directly into the database, along with all relevant information. Launch a simple Nmap scan on the target machine to see how it works:

msf > db_nmap 192.168.56.102
[*] Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-04 20:03 IST
[*] Nmap: Nmap scan report for 192.168.56.102
[*] Nmap: Host is up (0.0012s latency)
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT  STATE SERVICE
[*] Nmap: 135/tcp open  msrpc
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds
[*] Nmap: MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds

As we can see, Nmap has produced the scan results and it will automatically populate the msf3 database that we are using.

We can also use the –oX parameter in the Nmap scan to store the result in XML format. This will be very beneficial for us to import the scan results in other third-party software, such as the Dardis framework which we will be analyzing in our next chapter.

msf > nmap 192.168.56.102 –A -oX report
[*] exec: nmap 192.168.56.102 –A -oX report
Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-05 11:57 IST
Nmap scan report for 192.168.56.102
Host is up (0.0032s latency)
Not shown: 997 closed ports
PORT	STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds

Here report is the name of the file where our scanned result will be stored. This will be helpful for us in later recipes of the book.

The db_nmap command creates an SQL query with various table columns relevant to the scan results. Once the scan is complete, it starts storing the values into the database. The flexibility to store results in the form of spreadsheets makes it easier to share the results locally or with third-party tools.

Launch msfconsole and follow the steps mentioned in the previous recipe to establish the database connectivity. We can either use it to store fresh results or analyze the previously stored results as well. The XML file for the Nmap scan created in the previous recipe can be imported to analyze the previous scan results.

Let us analyze some of the important commands to have a clearer understanding of the stored results:

The analysis process is simple and can be easily filtered to get the desired results. We have seen how to read the database output and how we can manage it efficiently. The last two commands, vulns and db_autopwn are post-exploitation commands, which we will deal with in later chapters.