Fixing db_nmap misidentified operating systems inside the Metasploit host database
I was doing some scanning the other day against my test lab of VMs. I noticed that nmap and db_nmap were seeing my Windows XP machine as Server 2003. Nmap reported its OS details as: Microsoft Windows XP Professional SP2 or Windows Server 2003. When the host is placed inside the Metasploit db, it gets the os_flavor 2003. This could be a problem depending on resource scripts or when you attempt to use an exploit against the box.
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    443/tcp  open  https?
    |_ssl-cert: ERROR
    445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds <=========
    1027/tcp open  msrpc         Microsoft Windows RPC
    1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00; RTM
    3389/tcp open  microsoft-rdp Microsoft Terminal Service
    MAC Address: 00:0C:29:91:D5:28 (VMware)
The scan shows 445/tcp and clearly says XP.
Here is that same machine’s info inside the database.
    msf > hosts

    Hosts
    =====

    address        mac                name            os_name            os_flavor   os_sp  purpose  info  comments
    -------        ---                ----            -------            ---------   -----  -------  ----  --------
    10.10.101.3    00:0c:29:5f:4f:b7  dc1             Microsoft Windows  2003        SP1    server
    10.10.101.5                       ns              Linux              Ubuntu             server
    10.10.101.8    00:0c:29:60:8a:e8  dc2             Microsoft Windows  2008               server
    10.10.101.11   00:0c:29:d4:bc:0d  winxpsp3-vm     Microsoft Windows  2003 <====  SP3    client
    10.10.101.109                                     Linux              Ubuntu             server
    10.10.101.110                                     Linux              Ubuntu             server
    10.10.101.111                     metasploitable  Unknown                               device
Now the question is how do we fix this?
Start msfconsole and type irb.
    msf > irb
    [*] Starting IRB shell...
    >>
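    # Look up the host record in the current workspace by IP address
    host = framework.db.workspace.hosts.find_by_address("10.10.101.11")
    # Overwrite the flavor that db_nmap stored, then persist the change
    host.os_flavor = "XP"
    host.save
    exit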
Change 10.10.101.11 to the IP address of the host you are trying to modify.
Now run the hosts command and see that the flavor is corrected.
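To find hosts that need this correction before fixing them by hand, the check below compares the stored os_flavor with the Windows flavor named in nmap's 445/tcp service banner. It is an added example, not code from the original post or from Metasploit: hosts are plain hashes standing in for database rows, the function and constant names are hypothetical, and the scan text is constructed from the output shown above.

```ruby
# Added example: flag hosts whose stored os_flavor disagrees with the
# flavor nmap printed in the 445/tcp (microsoft-ds) service banner.
# Hosts are plain hashes standing in for database rows (assumption).

# Matches e.g. "445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds"
SMB_BANNER = /^445\/tcp\s+open\s+microsoft-ds\s+Microsoft Windows (.+?) microsoft-ds\b/

# Return the flavor named in the 445/tcp banner ("XP"), or nil if absent.
def flavor_from_scan(scan_text)
  scan_text.each_line do |line|
    m = SMB_BANNER.match(line.strip)
    return m[1] if m
  end
  nil
end

# Return one entry per host whose stored flavor differs from the banner.
# Hosts without a 445/tcp banner are skipped rather than guessed at.
def flavor_mismatches(hosts, scans)
  hosts.map do |host|
    seen = flavor_from_scan(scans.fetch(host[:address], ""))
    next if seen.nil? || seen.casecmp?(host[:os_flavor].to_s)
    { address: host[:address], stored: host[:os_flavor], banner: seen }
  end.compact
end

# Constructed sample data modelled on the scan and hosts table in the post.
SAMPLE_SCANS = {
  "10.10.101.11" => <<~SCAN,
    135/tcp  open  msrpc         Microsoft Windows RPC
    445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
    3389/tcp open  microsoft-rdp Microsoft Terminal Service
  SCAN
  "10.10.101.5" => "22/tcp open ssh\n"
}.freeze

SAMPLE_HOSTS = [
  { address: "10.10.101.11", os_name: "Microsoft Windows", os_flavor: "2003" },
  { address: "10.10.101.5",  os_name: "Linux",             os_flavor: "Ubuntu" }
].freeze

if __FILE__ == $PROGRAM_NAME
  flavor_mismatches(SAMPLE_HOSTS, SAMPLE_SCANS).each do |m|
    puts "#{m[:address]}: stored #{m[:stored]}, banner says #{m[:banner]}"
  end
end
```

Each entry it returns is a candidate for the irb correction shown above; the banner is only one indicator, so confirm the flavor before saving it.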