m (emphasise that the other guide installs msf with bundled embedded database) |
|||
(18 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
NOTE: You no longer have to setup the Postgres database manually for MSF, see the updated guide on how to install the [[Metasploit Penetration Testing Framework]] with bundled embedded Postgresql database. | |||
This page adapts the instructions on [http://www.metasploit.com/redmine/projects/framework/wiki/Postgres_setup Metasploit Wiki:Postgres setup] to Fedora. | This page adapts the instructions on [http://www.metasploit.com/redmine/projects/framework/wiki/Postgres_setup Metasploit Wiki:Postgres setup] to Fedora. | ||
== Allowing password authentication to access postgres on localhost == | |||
Allow the possibility for account msf_user to use password based authentication to connect to databasse msf_user. | |||
Edit "/var/lib/pgsql/data/pg_hba.conf", change: | |||
host all all 127.0.0.1/32 ident | |||
to | |||
host "msf_database" "msf_user" 127.0.0.1/32 md5 | |||
host all all 127.0.0.1/32 ident | |||
See also: [http://wiki.postgresql.org/wiki/Client_Authentication Postgresql Wiki: Client Authentication] and [http://www.postgresql.org/docs/8.2/static/auth-pg-hba-conf.html Postgresql Documentation: pg_hba.conf] | |||
== Starting postgres == | == Starting postgres == | ||
<pre> | <pre> | ||
user@magnolia:$ sudo -s | user@magnolia:$ sudo -s | ||
user@magnolia:$ postgresql-setup initdb | |||
user@magnolia:$ systemctl start postgresql.service | |||
</pre> | </pre> | ||
Line 16: | Line 28: | ||
<pre> | <pre> | ||
postgres@magnolia:$ createuser msf_user -P | postgres@magnolia:$ createuser msf_user -P | ||
Enter password for new role: | Enter password for new role: yourmsfpassword | ||
Enter it again: | Enter it again: yourmsfpassword | ||
Shall the new role be a superuser? (y/n) n | Shall the new role be a superuser? (y/n) n | ||
Shall the new role be allowed to create databases? (y/n) n | Shall the new role be allowed to create databases? (y/n) n | ||
Shall the new role be allowed to create more new roles? (y/n) n | Shall the new role be allowed to create more new roles? (y/n) n | ||
</pre> | </pre> | ||
== Creating a database == | == Creating a database == | ||
Line 35: | Line 39: | ||
== Configure Metasploit == | == Configure Metasploit == | ||
Start the framework, then enter the following commands: | Start the framework by running msfconsole, then enter the following commands: | ||
<pre> | <pre> | ||
msf> | msf > db_status | ||
msf> db_connect msf_user: | [*] postgresql selected, no connection | ||
msf> db_connect msf_user:yourmsfpassword@127.0.0.1:5432/msf_database | |||
NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id" | |||
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts" | |||
[..] | |||
NOTICE: CREATE TABLE will create implicit sequence "mod_refs_id_seq" for serial column "mod_refs.id" | |||
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "mod_refs_pkey" for table "mod_refs" | |||
</pre> | </pre> | ||
== Enable the database on startup == | == Enable the database on startup == | ||
Write the database configuration to separate configuration file so the password doesn't get printed on the screen | |||
during each start of the msfconsole.Please not the attributes are prepended with spaces characters not tabs. | |||
<pre> | |||
$ cat > /opt/metasploit4/config/database.yml << EOF | |||
production: | |||
adapter: postgresql | |||
database: msf_database | |||
username: msf_user | |||
password: yourmsfpassword | |||
host: 127.0.0.1 | |||
port: 5432 | |||
pool: 75 | |||
timeout: 5 | |||
EOF | |||
</pre> | |||
Use the database configuration file and connect to this database during each startup of msfconsole. Also change to the workspace of yur current pentesting project. | |||
<pre> | |||
$ cat > ~/.msf4/msfconsole.rc << EOF | |||
db_connect -y /opt/metasploit4/config/database.yml | |||
workspace -a YourProject | |||
EOF | |||
</pre> | |||
== Using the database == | |||
Once you have database configured and connected you can use it to store information. | |||
First check the database status: | |||
<pre> | |||
msf > db_status | |||
[*] postgresql connected to msf_database | |||
</pre> | |||
Scan the local network network: | |||
<pre> | <pre> | ||
msf > db_nmap 192.168.1.0/24 | |||
</pre> | |||
List hosts which are in the database: | |||
<pre> | |||
msf > hosts | |||
Hosts | |||
===== | |||
address mac name os_name os_flavor os_sp purpose info comments | |||
------- --- ---- ------- --------- ----- ------- ---- -------- | |||
192.168.1.1 11:22:33:44:55:66 router Linux 2.6.X device | |||
192.168.1.100 22:33:44:55:66:77 mixer Linux 2.6.X device | |||
</pre> | |||
List all the db commands for the version of metasploit you have installed: | |||
<pre> | |||
msf > help database | |||
Database Backend Commands | |||
========================= | |||
Command Description | |||
------- ----------- | |||
creds List all credentials in the database | |||
db_connect Connect to an existing database | |||
db_disconnect Disconnect from the current database instance | |||
db_export Export a file containing the contents of the database | |||
db_import Import a scan result file (filetype will be auto-detected) | |||
db_nmap Executes nmap and records the output automatically | |||
db_status Show the current database status | |||
hosts List all hosts in the database | |||
loot List all loot in the database | |||
notes List all notes in the database | |||
services List all services in the database | |||
vulns List all vulnerabilities in the database | |||
workspace Switch between database workspaces | |||
</pre> | </pre> | ||
== Troubleshooting == | == Troubleshooting == | ||
If you run into issues, or need to modify the user or database, you can always use the psql command to do this. Asusming you're using IDENT authentication (default on Fedora and RHEL), you'll have to become the 'postgres' user before you can modify users or databases with psql. (see | If you run into issues, or need to modify the user or database, you can always use the psql command to do this. Asusming you're using IDENT authentication (default on Fedora and RHEL), you'll have to become the 'postgres' user before you can modify users or databases with psql. (see [[Metasploit_Postgres_Setup#Becoming_the_postgres_user | Becoming the postgres user]] above) | ||
=== To list databases === | === To list databases === | ||
Line 66: | Line 141: | ||
For example: | For example: | ||
postgres@magnolia:$ psql -c "ALTER USER msf_user WITH ENCRYPTED PASSWORD 'omgwtfbbq';" | postgres@magnolia:$ psql -c "ALTER USER msf_user WITH ENCRYPTED PASSWORD 'omgwtfbbq';" | ||
=== To drop a database === | |||
Postgres provides a handy 'dropdb' command. | |||
postgres@magnolia:$ dropdb msf_database | |||
=== To drop a user === | === To drop a user === | ||
Postgres provides a handy 'dropuser' command. | Postgres provides a handy 'dropuser' command. | ||
postgres@magnolia:$ dropuser msf_user | postgres@magnolia:$ dropuser msf_user | ||
=== Other useful postgres tips === | === Other useful postgres tips === | ||
Line 84: | Line 159: | ||
== See Also == | == See Also == | ||
* [ | * [https://community.rapid7.com/docs/DOC-1268 Metasploit Wiki:Postgres setup] | ||
* [[Metasploit]] |
Latest revision as of 20:46, 13 March 2018
NOTE: You no longer have to setup the Postgres database manually for MSF, see the updated guide on how to install the Metasploit Penetration Testing Framework with bundled embedded Postgresql database.
This page adapts the instructions on Metasploit Wiki:Postgres setup to Fedora.
Allowing password authentication to access postgres on localhost
Allow the possibility for account msf_user to use password based authentication to connect to databasse msf_user. Edit "/var/lib/pgsql/data/pg_hba.conf", change:
host all all 127.0.0.1/32 ident
to
host "msf_database" "msf_user" 127.0.0.1/32 md5 host all all 127.0.0.1/32 ident
See also: Postgresql Wiki: Client Authentication and Postgresql Documentation: pg_hba.conf
Starting postgres
user@magnolia:$ sudo -s user@magnolia:$ postgresql-setup initdb user@magnolia:$ systemctl start postgresql.service
Becoming the postgres user
root@magnolia:# su postgres
Creating a database user
postgres@magnolia:$ createuser msf_user -P Enter password for new role: yourmsfpassword Enter it again: yourmsfpassword Shall the new role be a superuser? (y/n) n Shall the new role be allowed to create databases? (y/n) n Shall the new role be allowed to create more new roles? (y/n) n
Creating a database
postgres@magnolia:$ createdb --owner=msf_user msf_database
Configure Metasploit
Start the framework by running msfconsole, then enter the following commands:
msf > db_status [*] postgresql selected, no connection msf> db_connect msf_user:yourmsfpassword@127.0.0.1:5432/msf_database NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id" NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts" [..] NOTICE: CREATE TABLE will create implicit sequence "mod_refs_id_seq" for serial column "mod_refs.id" NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "mod_refs_pkey" for table "mod_refs"
Enable the database on startup
Write the database configuration to separate configuration file so the password doesn't get printed on the screen during each start of the msfconsole.Please not the attributes are prepended with spaces characters not tabs.
$ cat > /opt/metasploit4/config/database.yml << EOF production: adapter: postgresql database: msf_database username: msf_user password: yourmsfpassword host: 127.0.0.1 port: 5432 pool: 75 timeout: 5 EOF
Use the database configuration file and connect to this database during each startup of msfconsole. Also change to the workspace of yur current pentesting project.
$ cat > ~/.msf4/msfconsole.rc << EOF db_connect -y /opt/metasploit4/config/database.yml workspace -a YourProject EOF
Using the database
Once you have database configured and connected you can use it to store information. First check the database status:
msf > db_status [*] postgresql connected to msf_database
Scan the local network network:
msf > db_nmap 192.168.1.0/24
List hosts which are in the database:
msf > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 192.168.1.1 11:22:33:44:55:66 router Linux 2.6.X device 192.168.1.100 22:33:44:55:66:77 mixer Linux 2.6.X device
List all the db commands for the version of metasploit you have installed:
msf > help database Database Backend Commands ========================= Command Description ------- ----------- creds List all credentials in the database db_connect Connect to an existing database db_disconnect Disconnect from the current database instance db_export Export a file containing the contents of the database db_import Import a scan result file (filetype will be auto-detected) db_nmap Executes nmap and records the output automatically db_status Show the current database status hosts List all hosts in the database loot List all loot in the database notes List all notes in the database services List all services in the database vulns List all vulnerabilities in the database workspace Switch between database workspaces
Troubleshooting
If you run into issues, or need to modify the user or database, you can always use the psql command to do this. Asusming you're using IDENT authentication (default on Fedora and RHEL), you'll have to become the 'postgres' user before you can modify users or databases with psql. (see Becoming the postgres user above)
To list databases
postgres@magnolia:$ psql -l
To assign ownership of a database
To change the owner of a database, pass the following command to psql: "ALTER DATABASE name OWNER TO new_owner" For example:
postgres@magnolia:$ psql -c "ALTER DATABASE msf_database OWNER TO msf_user;"
To add or change the password for a user
To change the password for a postgres user, pass the following command to psql: "ALTER USER username WITH ENCRYPTED PASSWORD 'passwd';" For example:
postgres@magnolia:$ psql -c "ALTER USER msf_user WITH ENCRYPTED PASSWORD 'omgwtfbbq';"
To drop a database
Postgres provides a handy 'dropdb' command.
postgres@magnolia:$ dropdb msf_database
To drop a user
Postgres provides a handy 'dropuser' command.
postgres@magnolia:$ dropuser msf_user
Other useful postgres tips
psql is a handy tool if you need to modify anything inside the postgres system. If you prefer a graphical tool, pgadmin3 is quite good. For more information, see the (extensive) documentation here: http://www.postgresql.org/docs/manuals/
psql commands
- select version(); - show the db version
- \h - get help
- \q - quit