Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Metasploit Telnet Auxiliary Modules

Metasploit

Metasploit provide some Telnet auxiliary modules who will permit you to scan the running version, do brute force login and simulate fake Telnet server.

You can find all these auxiliary modules through the Metasploit search command.

Telnet version scanner (telnet_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable. In order to reduce the Telnet connexion timeout, decrease the value of “TIMEOUT” variable.

Telnet authentication brute force login (telnet_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a Telnet server using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit provide files for “USER_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_users.txt) and “PASS_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_passwords.txt). You can also use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file. Each discovered matching login and password will create a Metasploit session.

Valid login attempts are displayed in green and non valid in red.

Fake Telnet server emulator (telnet)

To invoke this auxiliary module just type the following command :

This module emulate a fake Telnet server in order to capture authentication credentials.

Metasploit SSH Auxiliary Modules

Metasploit

Metasploit provide some SSH auxiliary modules who will permit you to scan the running version and do brute force login.

You can find all these auxiliary modules through the Metasploit search command.

SSH version scanner (ssh_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable. In order to reduce the SSH connexion timeout, decrease the value of “TIMEOUT” variable.

SSH authentication brute force login (ssh_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a SSH server using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit provide files for “USER_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_users.txt) and “PASS_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_passwords.txt). You can also use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file. Each discovered matching login and password will create a Metasploit session.

Valid login attempts are displayed in green and non valid in red.

Metasploit MySQL Auxiliary Modules

Metasploit, ,

Metasploit provide some MySQL database auxiliary modules who will permit you to scan the running version, do brute force login, execute sql queries and gather some useful informations.

You can find all these auxiliary modules through the Metasploit search command.

MySQL version scanner (mysql_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable.

MySQL authentication brute force login (mysql_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a MySQL instance using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit doesn’t provide default “USER_FILE“, default “PASS_FILE” and default “USERPASS_FILE“. You can use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file.

Valid login attempts are displayed in green and non valid in red.

MySQL generic SQL query execution (mysql_sql)

To invoke this auxiliary module just type the following command :

This module will allow you to execute a simple SQL query against  a MySQL instance. The default SQL query will check the running version of MySQL database. You will require valid login and password previously discovered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.

Some useful SQL MySQL queries for pen testing are available on pentestmonkey website.

MySQL password hashdump (mysql_hashdump)

To invoke this auxiliary module just type the following command :

Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize scans, just increase the number of concurrent threads by setting the “THREADS” variable. You also need to have valid “USERNAME” and “PASSWORD“, maybe obtained through the “mysql_login” auxiliary module.

MySQL enumeration (mysql_enum)

To invoke this auxiliary module just type the following command :

This auxiliary module will allow you to gather useful informations from a MySQL server :

  • The MySQL version
  • The MySQL OS compilation target
  • The server architecture
  • The server hostname
  • The MySQL datas directory location
  • If logging of queries and logins is activated or not, and log files location
  • If the old password hashing algorithm support is activated or not
  • If local files loading (infile) is activated or not
  • If logins with old Pre-4.1 passwords is authorized or not
  • If the “–skip-grant-tables” option is activated or not
  • If symlinks are authorized to be used for database files
  • If table merges are allowed
  • If the “–safe-show-database” option is activated or not
  • If SSL connexions are enabled or not
  • All accounts with their password hashes
  • List of accounts that can log in with SSL if SSL is enabled
  • List of all accounts with “GRANT“, “CREATE USER”, RELOAD“, “SHUTDOWN“, “SUPER“, “FILE” and “PROCESS” privileges.
  • List of all accounts with “SELECT“, “INSERT“, “UPDATE“, “DELETE“, “CREATE” and “DROP” privileges.
  • List of all anonymous accounts.
  • List of all accounts without passwords
  • List of all accounts with host wildcard authorized access.
To use this auxiliary module you need to have a access to the database with a privileges user account, maybe gathered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.

Metasploit PostgreSQL Auxiliary Modules

Metasploit,

Metasploit provide some PostgreSQL database auxiliary modules who will permit you to scan the running version, do brute force login, execute sql queries and read file on remote system through the database.

You can find all these auxiliary modules through the Metasploit search command.

PostgreSQL version scanner (postgres_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable. If you use a login and password the database to authenticate against will be by default “template1“.

If you don’t provide a valid username or password, you will get, for example, this output.

But if you provide a valid username and password, you will get, for example, this output.

You can see that there is a version difference between an non authenticated and authenticated version scan (8.3.8 against 8.3.1).

PostgreSQL authentication brute force login (postgres_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. The Metasploit default “USER_FILE” is located in “/opt/metasploit3/msf3/data/wordlists/postgres_default_user.txt“, the default “PASS_FILE” in “/opt/metasploit3/msf3/data/wordlists/postgres_default_pass.txt” and the default “USERPASS_FILE” in “/opt/metasploit3/msf3/data/wordlists/postgres_default_userpass.txt“. The default targeted database will be “template1“, a default PostgreSQL created database. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file.

Valid login attempts are displayed in green and non valid in red.

PostgreSQL generic SQL query execution (postgres_sql)

To invoke this auxiliary module just type the following command :

This module will allow you to execute a simple SQL query against  a PostgreSQL instance. The default PostgreSQL instance is “template1” and the default SQL query will check the running version of PostgreSQL database. You will require valid login and password previously discovered with the “postgres_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.

Some useful SQL PostgreSQL queries for pen testing are available on pentestmonkey website.

This module with the default SQL query will provide you the same output as with the “postgres_version“.

PostgreSQL READ FILE SQL query execution (postgres_readfile)

To invoke this auxiliary module just type the following command :

This module will allow you to read a system file from the PostgreSQL server with the “COPY” statement. You will require valid login and password previously discovered with the “postgres_login” auxiliary module. But the user how is executing the query require “COPY” and “CREATE” privileges. By default the “/etc/password” file is configured in the “RFILE” variable. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address. Also don’t forget that majority of PostgreSQL servers are running under dedicated system users, so you will not be able to gather file who are not accessible by this user, for example “/etc/shadow“.