Thursday, June 12, 2014

BackTrack 5r3: Make it a Team Effort

Background

In October 2012, I was prepping for our finals round in the Global CyberLympics competition (where we took 2nd place).

From previous practice sessions, my team and I agreed the best way to distribute information rapidly (and visually) among team members was to use Armitage's Team Server.  At the same time, a couple of team members had custom tools they wanted to use, which presented a problem: running those custom tools would not feed the results into the central Team Server instance.  So we needed a way for them to keep using their own tools while still sharing that information with everyone.  Our solution was to have one team member not only run Armitage Team Server, but also make the Metasploit database externally accessible.  Side note: for those not already familiar, the Metasploit Framework (msf) does not have a "free" GUI.  Armitage was developed by Raphael Mudge to provide a GUI as well as enable easy team operations.  Read more at Raph's Armitage website: fastandeasyhacking.com.

I also figured I'd change the default listening port and default database credentials, since the database would be externally accessible.  You can run Metasploit with different database management systems, but this article covers only the case where it runs on PostgreSQL.

Changing the default port

I decided to move the listening port to a higher number, but because I was lazy it only went from 4444 (the default) to 44441.

NOTE: the default port varies depending on which BackTrack distro you're using.  In the one I downloaded from the BackTrack Linux site, the default port was 4444.  In the screen caps below I'm using a BT distro from Black Hat.  To find out what port yours is listening on, run this command:

The port binding can be modified in two places: the postgresql.conf and setenv.sh files.  Both live under /opt/metasploit/postgresql/, with postgresql.conf in the data subdirectory (/opt/metasploit/postgresql/data/postgresql.conf) and setenv.sh in the bin subdirectory (/opt/metasploit/postgresql/bin/setenv.sh).

Many configuration settings are available in the postgresql.conf file, including an option to change the default port:


You can either change the port here, or, if you look at the bottom of the file, there's a message advising that settings can be changed in the setenv.sh file instead.  Since the port parameter is commented out in postgresql.conf, I suggest focusing only on the port value in setenv.sh.  Change the PGPORT parameter to what you want:


There's one other area we need to amend to reference the new port value, and that's the postgresql startup script.  This is located at:

/opt/metasploit/postgresql/scripts/ctl.sh


Change the port value to match what you set in the setenv.sh file.

Last step: either reboot to restart the PostgreSQL process, or restart it manually.

IMPORTANT!
Now that we've changed the PostgreSQL settings, we need to make the Metasploit Framework aware of the new port by changing the postgres_port value in the Metasploit properties file, located at:

/opt/metasploit/properties.ini

And we have to modify the database.yml file to reflect the new port value as well.  While we're there though, why not change the default database credentials?

Changing default credentials

Navigate to /opt/metasploit/config

You can change the database credentials (and the port) by editing the database.yml file and changing the relevant parameters under the production header.



Once you change these settings and launch the Metasploit Framework console (msfconsole), enter the db_status command to verify that the database connection succeeds.  If you see an error, you may have missed a step above.
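Because the port now has to match in four separate files (setenv.sh, ctl.sh, properties.ini and database.yml), a db_status failure is most often just one file that was missed.  The script below is an added example, not code from the original post or from the Metasploit project: it rewrites the port in each of those files and then checks that they all agree.  It builds a scratch copy of the directory layout so it can be tried safely; the file contents it writes are constructed approximations of the real files (the line format in ctl.sh in particular is an assumption, so check that file by hand first), and setting MSF_ROOT=/opt/metasploit points it at a real install.

```shell
# Added example (not from the original post): rewrite the PostgreSQL port in the
# four files the post names, then confirm they all agree.  It runs against a
# scratch copy it builds itself, so it is safe to try; set MSF_ROOT=/opt/metasploit
# to apply it to a real BackTrack 5r3 install.  The scratch file contents are
# constructed approximations of the real files; the exact line format in ctl.sh
# is an assumption, so check that file by hand first.

OLD_PORT="${OLD_PORT:-4444}"     # default port from the post
NEW_PORT="${NEW_PORT:-44441}"    # the value the post chose
MSF_ROOT="${MSF_ROOT:-$(mktemp -d)}"

# Build a throwaway tree that mirrors the paths from the post, all on OLD_PORT.
setup_scratch() {
  mkdir -p "$MSF_ROOT/postgresql/bin" "$MSF_ROOT/postgresql/scripts" "$MSF_ROOT/config"
  printf 'PGPORT=%s\nexport PGPORT\n' "$OLD_PORT" > "$MSF_ROOT/postgresql/bin/setenv.sh"
  printf '#!/bin/sh\nPGPORT=%s\n' "$OLD_PORT" > "$MSF_ROOT/postgresql/scripts/ctl.sh"
  printf '[postgresql]\npostgres_port=%s\n' "$OLD_PORT" > "$MSF_ROOT/properties.ini"
  printf 'production:\n  adapter: postgresql\n  database: msf3dev\n  username: msf3\n  password: CHANGEME\n  host: 127.0.0.1\n  port: %s\n' \
    "$OLD_PORT" > "$MSF_ROOT/config/database.yml"
}

# Change the port in each file, keying on the setting name rather than on the
# old number so an unrelated "4444" elsewhere in a file is left alone.
set_port() {
  sed -i "s/^PGPORT=.*/PGPORT=$NEW_PORT/" "$MSF_ROOT/postgresql/bin/setenv.sh"
  sed -i "s/^PGPORT=.*/PGPORT=$NEW_PORT/" "$MSF_ROOT/postgresql/scripts/ctl.sh"
  sed -i "s/^postgres_port=.*/postgres_port=$NEW_PORT/" "$MSF_ROOT/properties.ini"
  sed -i "s/^\(  port:\).*/\1 $NEW_PORT/" "$MSF_ROOT/config/database.yml"
}

# Print the port each file holds, one per line, so a mismatch is obvious.
configured_ports() {
  sed -n 's/^PGPORT=//p' "$MSF_ROOT/postgresql/bin/setenv.sh"
  sed -n 's/^PGPORT=//p' "$MSF_ROOT/postgresql/scripts/ctl.sh"
  sed -n 's/^postgres_port=//p' "$MSF_ROOT/properties.ini"
  sed -n 's/^  port: *//p' "$MSF_ROOT/config/database.yml"
}

# Succeed only when all four files name one and the same port.  A db_status
# error after the change usually means one of these was missed.
ports_agree() {
  [ "$(configured_ports | wc -l | tr -d ' ')" -eq 4 ] &&
  [ "$(configured_ports | sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

setup_scratch
set_port
if ports_agree; then
  echo "all four files use port $(configured_ports | head -n 1)"
else
  echo "port mismatch:"; configured_ports
fi
```

Run it once against the scratch tree to see the expected "all four files use port 44441" line; against a real install, run only `configured_ports` first (with MSF_ROOT set and without calling setup_scratch) to see what each file currently holds before letting set_port touch anything.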


Modifying PostgreSQL: Listen externally

Change entries in

/opt/metasploit/postgresql/data/pg_hba.conf

The comments at the top of the file explain how new entries in the access control list should be formatted:



When you scroll down, you'll see the lines specifying which connections the database permits.  NOTE: I've added the second line under IPv4.


You can permit access to all databases (the first "all"), from all users (the second "all"), on all addresses.  The line I added allows external access to all databases from all users at any IP address that can reach this BackTrack instance, but you can make it more granular for tighter control by changing the database and user values to the ones you have in the database.yml file above.  Furthermore, you could lock it down to a subnet, or add multiple line items so that only your teammates can connect.

Now we edit the file

/opt/metasploit/postgresql/data/postgresql.conf

Uncomment the listen_addresses line and change its value to '*':


Restart PostgreSQL or reboot, and now you're listening for external connections!
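Since a wide-open "all all 0.0.0.0/0" entry combined with listen_addresses = '*' means anyone who can reach the box can try the database password, it is worth being able to see at a glance how broad the access you have opened is.  The script below is an added example, not from the original post or from PostgreSQL or Metasploit: it reads the two files edited above, reports the effective listen_addresses value, and flags every pg_hba.conf host entry that grants all databases to all users from any address, beside the tighter per-database, per-user, per-subnet entries the paragraph above suggests.  The sample files are constructed here in a scratch directory (the 192.168.229.0/24 subnet is derived from the IP used later in the post; the 10.10.5.7 host is made up); set PG_DATA=/opt/metasploit/postgresql/data to audit a real install.

```shell
# Added example (not from the original post): audit the two PostgreSQL files the
# post edits.  It reports the effective listen_addresses value and flags every
# pg_hba.conf host entry that grants all databases to all users from any address,
# so the breadth of the access you just opened is visible at a glance.  The
# sample files are constructed here in a scratch directory; set
# PG_DATA=/opt/metasploit/postgresql/data to audit a real install.

PG_DATA="${PG_DATA:-$(mktemp -d)}"

# Constructed sample: the wide-open line the post adds, plus two tighter
# alternatives scoped to the msf3dev database, the msf3 user and a subnet/host.
write_samples() {
  cat > "$PG_DATA/pg_hba.conf" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
host    msf3dev         msf3            192.168.229.0/24        md5
host    msf3dev         msf3            10.10.5.7/32            md5
EOF
  printf "#listen_addresses = 'localhost'\nlisten_addresses = '*'\nport = 44441\n" \
    > "$PG_DATA/postgresql.conf"
}

# Print the effective listen_addresses value, skipping commented-out lines and
# taking the last active one, which is the one PostgreSQL itself honours.
listen_addresses() {
  sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
    "$PG_DATA/postgresql.conf" | tail -n 1
}

# Print host entries that allow every database and every user from any address.
# "all" is also valid in the ADDRESS column and matches any IP address.
broad_hba_entries() {
  awk '$1 == "host" && $2 == "all" && $3 == "all" &&
       ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all")' "$PG_DATA/pg_hba.conf"
}

# Number of such entries; 0 means every remote rule is scoped in some way.
broad_hba_count() {
  broad_hba_entries | wc -l | tr -d ' '
}

write_samples
echo "listen_addresses = $(listen_addresses)"
echo "wide-open pg_hba.conf entries: $(broad_hba_count)"
broad_hba_entries
```

On the constructed sample it reports listen_addresses = * and exactly one wide-open entry (the 0.0.0.0/0 line); the two msf3dev/msf3 lines pass because they name a database, a user and a subnet or host, which is the shape to aim for once you know your teammates' addresses.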

End Result

Now you can accept external requests from others to log into your msf database, and the output from tools they run will populate your database.

To test the connection, connect from another BackTrack/Kali session via these steps:

  • Launch msfconsole
  • Type a command string similar to "db_connect msf3:20394965@192.168.229.133:7338/msf3dev", where:
    • db_connect is the msf command to connect to another database
    • msf3:20394965 is the username and hash set in the database.yml file above
    • 192.168.229.133 is the IP address of the remote instance
    • 7338 is the port the database is listening on
    • /msf3dev is the name of the database to connect to

If you like this post and it works for you, or if you have any other related tweaks, please let me know in the comments!