Fixing db_nmap misidentified operating systems inside the Metasploit host database
I was doing some scanning the other day against my test lab of VMs. I noticed that nmap and db_nmap were seeing my Windows XP machine as Server 2003. Nmap identified its OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003. When it’s placed inside of the Metasploit db, it has the os_flavor 2003. This could be a problem depending on resource scripts or when you attempt to use an exploit against the box.
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    443/tcp  open  https?
    |_ssl-cert: ERROR
    445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds <=========
    1027/tcp open  msrpc         Microsoft Windows RPC
    1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00; RTM
    3389/tcp open  microsoft-rdp Microsoft Terminal Service
    MAC Address: 00:0C:29:91:D5:28 (VMware)
The scan shows 445/tcp and clearly says XP.
Here is that same machine’s info inside the database.
    msf > hosts

    Hosts
    =====

    address        mac                name            os_name            os_flavor   os_sp  purpose  info  comments
    -------        ---                ----            -------            ---------   -----  -------  ----  --------
    10.10.101.3    00:0c:29:5f:4f:b7  dc1             Microsoft Windows  2003        SP1    server
    10.10.101.5                       ns              Linux              Ubuntu             server
    10.10.101.8    00:0c:29:60:8a:e8  dc2             Microsoft Windows  2008               server
    10.10.101.11   00:0c:29:d4:bc:0d  winxpsp3-vm     Microsoft Windows  2003 <====  SP3    client
    10.10.101.109                                     Linux              Ubuntu             server
    10.10.101.110                                     Linux              Ubuntu             server
    10.10.101.111                     metasploitable  Unknown                               device
Now the question is how do we fix this?
Start msfconsole and type irb.
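    msf > irb
    [*] Starting IRB shell...
    >>

    # Look up the host record in the current workspace by its IP address
    host = framework.db.workspace.hosts.find_by_address("10.10.101.11")
    # Overwrite the misidentified flavor and write the change back to the database
    host.os_flavor = "XP"
    host.save
    exit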
Change 10.10.101.11 to the IP address of the host you are trying to modify.
Now run the hosts command and see that the flavor is corrected.
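An added example, not part of the original post: a stand-alone Ruby check that compares the Windows flavor named in an nmap service banner with the os_flavor stored for a host, to spot records that need the irb correction above. The function names, hash layout and sample data are assumptions made for illustration, and the script does not call the Metasploit API.

```ruby
# Open-port line from nmap: "<port>/<proto> open <service> <version text>"
SERVICE_LINE = %r{\A(\d+)/(tcp|udp)\s+open\s+\S+\s+(.+)\z}
# Windows flavor as it appears in a version banner (list is an assumption, not exhaustive)
FLAVOR = /Microsoft Windows (?:Server )?(XP|Vista|2000|2003|2008|7)\b/

# Return { port:, flavor: } for the first service banner that names a
# Windows flavor, or nil when no banner does.
def banner_flavor(nmap_output)
  nmap_output.each_line do |line|
    svc = SERVICE_LINE.match(line.strip)
    next unless svc                      # script output, MAC line, no version text
    hit = FLAVOR.match(svc[3])
    return { port: svc[1].to_i, flavor: hit[1] } if hit
  end
  nil
end

# hosts: array of { address:, os_flavor: } records (hypothetical export of the hosts table)
# scans: hash of address => raw nmap service output for that host
def flavor_mismatches(hosts, scans)
  hosts.map do |h|
    seen = banner_flavor(scans.fetch(h[:address], ""))
    next if seen.nil? || seen[:flavor] == h[:os_flavor]
    { address: h[:address], stored: h[:os_flavor],
      banner: seen[:flavor], port: seen[:port] }
  end.compact
end

# Constructed sample data, modelled on the scan and hosts output shown above.
SAMPLE_SCANS = {
  "10.10.101.11" => <<~NMAP
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    443/tcp  open  https?
    |_ssl-cert: ERROR
    445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
    3389/tcp open  microsoft-rdp Microsoft Terminal Service
  NMAP
}
SAMPLE_HOSTS = [
  { address: "10.10.101.3",  os_flavor: "2003" },   # no scan text supplied, skipped
  { address: "10.10.101.11", os_flavor: "2003" }    # banner on 445/tcp says XP
]

flavor_mismatches(SAMPLE_HOSTS, SAMPLE_SCANS).each do |m|
  puts "#{m[:address]}: stored os_flavor #{m[:stored]}, " \
       "banner on #{m[:port]}/tcp says #{m[:banner]}"
end
```

A banner is only one piece of evidence, so treat a reported mismatch as a prompt to verify the host before changing its record.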