Summary
The Metasploit database is extremely useful for managing and searching through open network services. Currently the -R option can be used on a services command to set the RHOSTS variable. This ends up writing a temporary file containing just the hosts for larger result sets.
It would be helpful to enrich the data stored when setting RHOSTS through this method. The TLS status and the port would be two additional fields that would be useful to export.
This enhancement could allow the temporary file to be used more effectively both inside and outside of Metasploit. It would be really neat if Metasploit could use this richer data when auto-setting RHOSTS, so that a module could be run against hosts with different ports and TLS statuses in a single run instead of adjusting the settings for each port. Users could also parse the temporary file outside of Metasploit to format commands, instead of having to regenerate a new temporary file for each port.
I don't have strong opinions on the file format (CSV, JSON, XML, etc). I'd like to see that the file format is kept simple to allow for quick parsing outside of Metasploit.
Basic example
As a user with many database services in my MSF database across various ports, I'd like to run any applicable login module to test for credentials. auxiliary/scanner/postgres/postgres_login can be used as an example.
msf6 > services -S postgres -R
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.53 5433 tcp postgresql open PostgreSQL DB 9.6.0 or later
192.168.1.203 5432 tcp postgresql open PostgreSQL DB 9.6.0 or later
192.168.5.7 6011 tcp postgresql open PostgreSQL DB 10.15 - 10.18
192.168.5.21 9009 tcp postgresql open PostgreSQL DB 9.6.0 or later
...
RHOSTS => file:/tmp/msf-db-rhosts-20241205-10521-7dqklx
msf6 auxiliary(scanner/postgres/postgres_login) > run
[-] 192.168.1.53:5433 - LOGIN FAILED: postgres:postgres
[-] 192.168.1.203:5432 - LOGIN FAILED: postgres:postgres
[-] 192.168.5.7:6011 - LOGIN FAILED: postgres:postgres
[-] 192.168.5.21:9009 - LOGIN FAILED: postgres:postgres
For other protocols it'd be nice to automatically pick up and apply the TLS status based on the service data. Web-based checks are another common case: the services are scattered across different ports and mix plaintext and TLS-enabled ports.
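As an added illustration of the enriched file proposed above (this is example code, not part of Metasploit or of this issue), the Ruby sketch below assumes a hypothetical CSV layout with host, port and tls columns, parses it with validation, and groups the targets into (port, TLS) batches, which is exactly the set of distinct option combinations a module would otherwise have to be re-run for by hand.

```ruby
require 'csv'

# Constructed sample of the enriched RHOSTS file this issue proposes:
# one row per service with host, port and TLS status. The layout is an
# assumption for this example; Metasploit does not write this today.
ENRICHED_RHOSTS = <<~CSV
  host,port,tls
  192.168.1.53,5433,false
  192.168.1.203,5432,false
  192.168.5.7,6011,false
  192.168.5.21,9009,false
  192.168.7.2,5432,true
  192.168.7.3,5432,true
CSV

Target = Struct.new(:host, :port, :tls)

# Parse the enriched file into Target records, rejecting malformed rows
# so a bad line cannot silently turn into a wrong port or TLS setting.
def parse_enriched(text)
  CSV.parse(text, headers: true).map do |row|
    port = Integer(row['port'])
    raise ArgumentError, "bad port #{port}" unless (1..65535).cover?(port)
    tls = case row['tls']
          when 'true' then true
          when 'false' then false
          else raise ArgumentError, "bad tls value #{row['tls'].inspect}"
          end
    Target.new(row['host'], port, tls)
  end
end

# Group targets by (port, tls): each group corresponds to one module run
# with a single RPORT/SSL setting, i.e. the batching the issue wants.
def batches(targets)
  targets.group_by { |t| [t.port, t.tls] }
         .sort_by { |(port, tls), _| [port, tls ? 1 : 0] }
         .map { |(port, tls), ts| { port: port, tls: tls, hosts: ts.map(&:host) } }
end

# Plain host list for one batch, the same shape as today's -R temp file.
def hosts_file(batch)
  batch[:hosts].join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  batches(parse_enriched(ENRICHED_RHOSTS)).each do |b|
    puts "port=#{b[:port]} ssl=#{b[:tls]} hosts=#{b[:hosts].size}"
  end
end
```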
Motivation
The user experience can be tedious when reviewing thousands of network services via the Metasploit database. Searching is really powerful; however, network services are frequently scattered across different ports. In many cases it makes sense to run a module against all services for a technology. A user can currently set RHOSTS with -R based on their database, but has to filter port-by-port and account for the TLS status. This requires running the same module many times after tweaking the options.
Each module already indicates to a user if they run the module incorrectly or if the options are invalid (e.g. a non-TLS connection when SSL is set to true). Those errors should be sufficient to tell users to manually adjust the options and re-run the module for that network service.