Fixing db_nmap misidentified operating systems inside the Metasploit host database
I was doing some scanning the other day against my test lab of VMs. I noticed that nmap and db_nmap were seeing my Windows XP machine as Server 2003. Nmap identified its OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003. When it’s placed inside of the Metasploit db, it has the os_flavor 2003. This could be a problem depending on resource scripts or when you attempt to use an exploit against the box.
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    443/tcp  open  https?
    |_ssl-cert: ERROR
    445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds <=========
    1027/tcp open  msrpc         Microsoft Windows RPC
    1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00; RTM
    3389/tcp open  microsoft-rdp Microsoft Terminal Service
    MAC Address: 00:0C:29:91:D5:28 (VMware)
The scan shows 445/tcp and clearly says XP.
Here is that same machine’s info inside the database.
    msf > hosts

    Hosts
    =====

    address        mac                name            os_name            os_flavor   os_sp  purpose  info  comments
    -------        ---                ----            -------            ---------   -----  -------  ----  --------
    10.10.101.3    00:0c:29:5f:4f:b7  dc1             Microsoft Windows  2003        SP1    server
    10.10.101.5                       ns              Linux              Ubuntu             server
    10.10.101.8    00:0c:29:60:8a:e8  dc2             Microsoft Windows  2008               server
    10.10.101.11   00:0c:29:d4:bc:0d  winxpsp3-vm     Microsoft Windows  2003 <====  SP3    client
    10.10.101.109                                     Linux              Ubuntu             server
    10.10.101.110                                     Linux              Ubuntu             server
    10.10.101.111                     metasploitable  Unknown                               device
Now the question is how do we fix this?
Start msfconsole and type irb.
    msf > irb
    [*] Starting IRB shell...

    >>
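    # Look up the host record in the current workspace by its IP address
    host = framework.db.workspace.hosts.find_by_address("10.10.101.11")
    # Overwrite the misidentified flavor and write the change back to the database
    host.os_flavor = "XP"
    host.save
    exit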
Change 10.10.101.11 to the IP address of the host you are trying to modify.
Now run the hosts command and see that the flavor is corrected.
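One way to find every host whose recorded os_flavor disagrees with the microsoft-ds banner before correcting it in irb, as an added example (plain Ruby, not from the original post and not Metasploit code). It generalizes from the single XP host to a whole scan; the scan text and the `DB_FLAVORS` hash are constructed from the output shown above, and `smb_flavors` and `flavor_mismatches` are hypothetical helper names.

```ruby
# Constructed sample: nmap normal output for three hosts.
NMAP_OUTPUT = <<~SCAN
  Nmap scan report for 10.10.101.11
  135/tcp  open  msrpc         Microsoft Windows RPC
  445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
  Nmap scan report for dc1 (10.10.101.3)
  445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
  Nmap scan report for 10.10.101.8
  445/tcp  open  microsoft-ds
SCAN

# Constructed sample: os_flavor per address, as the hosts command would list it.
DB_FLAVORS = {
  "10.10.101.11" => "2003",
  "10.10.101.3"  => "2003",
  "10.10.101.8"  => "2008"
}.freeze

# Map each scanned address to the Windows flavor(s) named in its 445/tcp banner.
# Hosts whose microsoft-ds line carries no version string are left out.
def smb_flavors(nmap_text)
  flavors = {}
  current = nil
  nmap_text.each_line do |line|
    if (m = line.match(/^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?/))
      current = m[1]
    elsif current && (m = line.match(%r{^445/tcp\s+open\s+microsoft-ds\s+Microsoft Windows (.+?) microsoft-ds}))
      # A banner such as "2003 or 2008" lists several acceptable flavors.
      flavors[current] = m[1].split(/\s+or\s+/)
    end
  end
  flavors
end

# Return the hosts whose recorded flavor is not among the banner's flavors.
def flavor_mismatches(nmap_text, db_flavors)
  smb_flavors(nmap_text).each_with_object([]) do |(address, banner), out|
    recorded = db_flavors[address]
    next if recorded.nil? || banner.include?(recorded)
    out << { address: address, recorded: recorded, banner: banner }
  end
end

flavor_mismatches(NMAP_OUTPUT, DB_FLAVORS).each do |m|
  puts "#{m[:address]}: db says #{m[:recorded]}, SMB banner says #{m[:banner].join(' or ')}"
end
```

Each address it reports is a candidate for the irb fix above; confirm the banner against what you know about the lab host before overwriting the record.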