Fixing db_nmap misidentified operating systems inside the metasploit host database
I was doing some scanning the other day against my test lab of VM’s. I noticed that nmap and db_nmap were seeing my windows XP machine as Server 2003. Nmap identified its OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003. When it’s placed inside of the metasploit db, it has the os_flavor 2003. This could be a problem depending on resource scripts or when you attempt to use an exploit against the box.
135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 443/tcp open https? |_ssl-cert: ERROR 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds <========= 1027/tcp open msrpc Microsoft Windows RPC 1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM 3389/tcp open microsoft-rdp Microsoft Terminal Service MAC Address: 00:0C:29:91:D5:28 (VMware)
The scan shows 445/tcp and clearly says XP.
Here is that same machine’s info inside the database.
msf > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.10.101.3 00:0c:29:5f:4f:b7 dc1 Microsoft Windows 2003 SP1 server 10.10.101.5 ns Linux Ubuntu server 10.10.101.8 00:0c:29:60:8a:e8 dc2 Microsoft Windows 2008 server 10.10.101.11 00:0c:29:d4:bc:0d winxpsp3-vm Microsoft Windows 2003 <==== SP3 client 10.10.101.109 Linux Ubuntu server 10.10.101.110 Linux Ubuntu server 10.10.101.111 metasploitable Unknown device
Now the question is how do we fix this?
Start msfconsole and type irb.
msf > irb [*] Starting IRB shell... >>
host = framework.db.workspace.hosts.find_by_address("10.10.101.11") host.os_flavor="XP" host.save exit
Change 10.10.101.11 to the IP address of the host you are trying to modify.
Now run the hosts command and see that the flavor is corrected.
- @kmcnam1 Just seen you were on network collective on youtube in 2017. Very cool! 3 days ago
- @Abdirahman_Hish @joff_thyer Joff why are all your repos deleted? 1 week ago
- Check out this item on Nextdoor: Elliptical 200 — nextdoor.com/for_sale_and_f… 2 weeks ago
- @CompTIA I would like to but i need information on certmaster and when its coming for pentest+? Thanks! 1 month ago
- @PertoDK HI Dennis, is there any way to get nessus importing hosts into firepower manager? I am getting the hash er… twitter.com/i/web/status/1… 1 month ago
- @CompTIA Hi, is there an ETA on Pentest+ certmaster? Thanks! 1 month ago
- An error has occurred; the feed is probably down. Try again later.