Fixing db_nmap misidentified operating systems inside the metasploit host database
I was doing some scanning the other day against my test lab of VMs. I noticed that nmap and db_nmap were seeing my Windows XP machine as Server 2003. Nmap identified its OS details as: Microsoft Windows XP Professional SP2 or Windows Server 2003. When that result is placed inside the metasploit db, the host gets the os_flavor 2003. This can be a problem when a resource script keys off os_flavor, or when you pick an exploit target for the box based on the stored OS.
```
135/tcp  open  msrpc          Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
|_ssl-cert: ERROR
445/tcp  open  microsoft-ds   Microsoft Windows XP microsoft-ds   <=========
1027/tcp open  msrpc          Microsoft Windows RPC
1433/tcp open  ms-sql-s       Microsoft SQL Server 2005 9.00.1399.00; RTM
3389/tcp open  microsoft-rdp  Microsoft Terminal Service
MAC Address: 00:0C:29:91:D5:28 (VMware)
```
The scan shows 445/tcp and clearly says XP.
Here is that same machine’s info inside the database.
```
msf > hosts

Hosts
=====

address        mac                name            os_name            os_flavor   os_sp  purpose  info  comments
-------        ---                ----            -------            ---------   -----  -------  ----  --------
10.10.101.3    00:0c:29:5f:4f:b7  dc1             Microsoft Windows  2003        SP1    server
10.10.101.5                       ns              Linux              Ubuntu             server
10.10.101.8    00:0c:29:60:8a:e8  dc2             Microsoft Windows  2008               server
10.10.101.11   00:0c:29:d4:bc:0d  winxpsp3-vm     Microsoft Windows  2003 <====  SP3    client
10.10.101.109                                     Linux              Ubuntu             server
10.10.101.110                                     Linux              Ubuntu             server
10.10.101.111                     metasploitable  Unknown                                device
```
Now the question is how do we fix this?
Start msfconsole and type irb.
```
msf > irb
[*] Starting IRB shell...

>>
```

Then, at the irb prompt:

```
host = framework.db.workspace.hosts.find_by_address("10.10.101.11")  # look up the host record in the current workspace
host.os_flavor = "XP"   # replace the flavor nmap guessed with the correct one
host.save               # write the change back to the database
exit                    # leave irb and return to the msf prompt
```
Change 10.10.101.11 to the IP address of the host you are trying to modify.
Now run the hosts command and see that the flavor is corrected.
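Doing this one host at a time gets old on a larger lab, and the scan itself already holds the evidence: the 445/tcp microsoft-ds banner names the concrete product, while the OS fingerprint only offers a guess. The following is an added example, not code from the post or from Metasploit, showing how to reconcile the two in plain Ruby. It goes a little beyond the post's single host: it parses nmap "PORT STATE SERVICE VERSION" lines, extracts the Windows flavor the SMB banner states, and reports every host whose stored os_flavor disagrees with it. The host records and nmap lines are constructed samples modelled on the post's output, and the hash shape of a host record is an assumption of this example; inside msfconsole you would apply each reported fix with the same `host.os_flavor=` / `host.save` calls the post uses.

```ruby
# Added example (not from the post): reconcile a stored os_flavor with the
# Windows flavor stated in the nmap microsoft-ds service banner.

PortLine = Struct.new(:port, :proto, :state, :service, :version)

# Parse nmap "PORT STATE SERVICE VERSION" lines. Header lines, script
# output (|_...) and the MAC Address line do not match and are skipped.
def parse_nmap_ports(text)
  text.each_line.map do |line|
    m = line.match(%r{^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$})
    next unless m
    PortLine.new(m[1].to_i, m[2], m[3], m[4], (m[5] || '').strip)
  end.compact
end

# Flavor strings as they appear in SMB banners, mapped to the os_flavor
# values the post's hosts table uses. Most specific patterns first.
FLAVOR_PATTERNS = [
  [/Windows XP/i,                'XP'],
  [/Windows (?:Server )?2003/i,  '2003'],
  [/Windows (?:Server )?2008/i,  '2008'],
  [/Windows Vista/i,             'Vista'],
  [/Windows 7/i,                 '7'],
  [/Windows 2000/i,              '2000'],
]

# The flavor named by the open microsoft-ds banner, or nil if there is none.
def flavor_from_smb_banner(ports)
  smb = ports.find { |p| p.service == 'microsoft-ds' && p.state == 'open' }
  return nil unless smb
  FLAVOR_PATTERNS.each { |re, flavor| return flavor if smb.version =~ re }
  nil
end

# Corrected flavor for a Windows host record, or nil when the banner gives
# no evidence or already agrees with what is stored.
def corrected_flavor(host, ports)
  return nil unless host[:os_name].to_s =~ /Windows/i
  evidence = flavor_from_smb_banner(ports)
  return nil if evidence.nil? || evidence == host[:os_flavor]
  evidence
end

# Returns [address, stored_flavor, corrected_flavor] for every host that
# needs a change. `hosts` maps address => record, `scans` address => nmap text.
def reconcile(hosts, scans)
  hosts.map do |addr, host|
    fix = corrected_flavor(host, parse_nmap_ports(scans.fetch(addr, '')))
    [addr, host[:os_flavor], fix] if fix
  end.compact
end

# Constructed sample data (assumed record shape; values modelled on the post).
HOSTS = {
  '10.10.101.3'  => { os_name: 'Microsoft Windows', os_flavor: '2003', os_sp: 'SP1' },
  '10.10.101.11' => { os_name: 'Microsoft Windows', os_flavor: '2003', os_sp: 'SP3' },
  '10.10.101.5'  => { os_name: 'Linux',             os_flavor: 'Ubuntu' },
}

SAMPLE_SCANS = {
  # A real 2003 box: banner and stored flavor agree, so nothing to fix.
  '10.10.101.3' => <<~NMAP,
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds  Microsoft Windows 2003 microsoft-ds
  NMAP
  # The misidentified XP box from the post.
  '10.10.101.11' => <<~NMAP,
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    443/tcp  open  https?
    |_ssl-cert: ERROR
    445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
    3389/tcp open  microsoft-rdp Microsoft Terminal Service
    MAC Address: 00:0C:29:91:D5:28 (VMware)
  NMAP
}

if __FILE__ == $PROGRAM_NAME
  reconcile(HOSTS, SAMPLE_SCANS).each do |addr, was, fix|
    puts "#{addr}: os_flavor #{was} -> #{fix} (from microsoft-ds banner)"
  end
end
```

Only hosts whose banner contradicts the stored flavor are listed, so a genuine 2003 server is left alone; a host with no open 445/tcp gives no evidence and is also left alone rather than guessed at.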