Additional changes to documentation

rapid7 · Mar 25, 2024 · decba43 · decba43
1 parent 2c307f1
commit decba43
Show file tree

Hide file tree

Showing 10 changed files with 79 additions and 48 deletions.
diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md
@@ -8,6 +8,18 @@ MSSQL is frequently found on port on the following ports:
 - 1433/TCP
 - 1434/UDP
 
+For a full list of MSSQL modules run the `search` command within msfconsole:
+
+```msf
+msf6 > search mssql
+```
+
+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:mssql
+```
+
 ### Lab Environment
 
 Environment setup:
@@ -46,18 +58,17 @@ on a successful login:
 [*] Auxiliary module execution completed
 ```
 
-Which you can interact with using `sessions -i <session id>` or `sessions -1` to interact with the most recently opened session.
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
 
 ```msf
 msf6 auxiliary(scanner/mssql/mssql_login) > sessions
 
 Active sessions
 ===============
 
-  Id  Name  Type   Information                     Connection
-  --  ----  ----   -----------                     ----------
-  1         mssql  MSSQL test @ 192.168.2.242:143  192.168.2.1:60963 -> 192.168.2
-                   3                               .242:1433 (192.168.2.242)
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  1         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)
 
 msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
 [*] Starting interaction with 1...
@@ -101,8 +112,7 @@ MSSQL Client Commands
     Command            Description
     -------            -----------
     query              Run a single SQL query
-    query_interactive  Enter an interactive prompt for running multiple SQL queri
-                       es
+    query_interactive  Enter an interactive prompt for running multiple SQL queries
 
 
 Local File System Commands
@@ -181,17 +191,20 @@ mssql @ 192.168.2.242:1433 (master) > query_interactive
 [*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
 [*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
 
-SQL >> select top 2 table_catalog, table_schema
-SQL *> from information_schema.tables;
-[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables;
+SQL >> select *
+SQL *> from information_schema.tables
+SQL *> where table_type = 'BASE TABLE';
+[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
 Response
 ========
-
-    #  table_catalog  table_schema
-    -  -------------  ------------
-    0  master         dbo
-    1  master         dbo
-
+    #  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME             TABLE_TYPE
+    -  -------------  ------------  ----------             ----------
+    0  master         dbo           spt_fallback_db        BASE TABLE
+    1  master         dbo           spt_fallback_dev       BASE TABLE
+    2  master         dbo           spt_fallback_usg       BASE TABLE
+    4  master         dbo           Users                  BASE TABLE
+    5  master         dbo           spt_monitor            BASE TABLE
+    6  master         dbo           MSreplication_options  BASE TABLE
 SQL >>
 ```
 

diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md
@@ -17,6 +17,12 @@ There are more modules than listed here, for the full list of modules run the `s
 msf6 > search mysql
 ```
 
+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:mysql
+```
+
 ### Lab Environment
 
 When testing in a lab environment MySQL can either be installed on the host machine or within Docker:
@@ -81,12 +87,13 @@ run cidr:/24:mysql://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
 
 ### Obtaining an Interactive Session on the Target
 
-The CreateSession option in `scanner/mysql/msql_login` allows you to obtain an interactive session
+The CreateSession option in `auxiliary/scanner/mysql/msql_login` allows you to obtain an interactive session
 for the MySQL client you're connecting to. The run command with CreateSession
 set to true should give you an interactive session:
 
 ```msf
-run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
+msf6 > use scanner/mysql/mysql_login 
+msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
 
 [+] 127.0.0.1:4306        - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
 [+] 127.0.0.1:4306        - 127.0.0.1:4306 - Success: 'root:password'
@@ -173,7 +180,7 @@ This session also works with the following modules:
   exploit/windows/mysql/mysql_start_up
 ```
 
-Once you've done that, you can run any MySQL query against the target using the `query` command.
+Once you've done that, you can run any MySQL query against the target using the `query` command:
 
 ```msf
 mysql @ 127.0.0.1:4306 > query -h

diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md
@@ -17,6 +17,13 @@ There are more modules than listed here, for the full list of modules run the `s
 msf6 > search postgres
 ```
 
+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:postgres
+```
+
+
 ### Lab Environment
 
 When testing in a lab environment PostgreSQL can either be installed on the host machine or within Docker:
@@ -172,7 +179,7 @@ This session also works with the following modules:
   exploit/windows/postgres/postgres_payload
 ```
 
-Once you've done that, you can run any Postgres query against the target using the `query` command.
+Once you've done that, you can run any Postgres query against the target using the `query` command:
 
 ```msf
 postgresql @ 127.0.0.1:5432 (template1) > query -h

diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md b/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md
@@ -27,6 +27,12 @@ There are more modules than listed here, for the full list of modules run the `s
 msf6 > search smb
 ```
 
+Or to search for modules that work with a specific session type:
+
+```msf
+msf6 > search session_type:smb
+```
+
 ### Lab Environment
 
 When testing in a lab environment - SMB can be used on a Window's host machine, or within Docker.
@@ -80,14 +86,14 @@ Should give you output similar to
 [*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
 [*] 172.14.2.164:445    - Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/smb/smb_login) > sessions -1
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
 [*] Starting interaction with 1...
 ```
 
-Which you can interact with using `sessions -i <session id>` or `sessions -1` to interact with the most recently opened session.
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
 
 ```msf
-msf6 auxiliary(scanner/smb/smb_login) > sessions -1
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
 [*] Starting interaction with 1...
 
 SMB (172.14.2.164) > shares

diff --git a/documentation/modules/auxiliary/scanner/mssql/mssql_login.md b/documentation/modules/auxiliary/scanner/mssql/mssql_login.md
@@ -24,7 +24,7 @@ session within the MSSQL instance. Running the following commands with all other
 msf6 auxiliary(scanner/mssql/mssql_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
 ```
 
-Should give you output containing
+Should give you output containing:
 
 ```msf
 [*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
@@ -35,18 +35,17 @@ Should give you output containing
 [*] Auxiliary module execution completed
 ```
 
-Which you can interact with using `sessions -i <session id>` or `sessions -1` to interact with the most recently opened session.
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
 
 ```msf
 msf6 auxiliary(scanner/mssql/mssql_login) > sessions
 
 Active sessions
 ===============
 
-  Id  Name  Type   Information                     Connection
-  --  ----  ----   -----------                     ----------
-  1         mssql  MSSQL test @ 192.168.2.242:143  192.168.2.1:60963 -> 192.168.2
-                   3                               .242:1433 (192.168.2.242)
+  Id  Name  Type   Information                      Connection
+  --  ----  ----   -----------                      ----------
+  1         mssql  MSSQL test @ 192.168.2.242:1433  192.168.2.1:60963 -> 192.168.2.242:1433 (192.168.2.242)
 
 msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
 [*] Starting interaction with 1...

diff --git a/documentation/modules/auxiliary/scanner/mysql/mysql_login.md b/documentation/modules/auxiliary/scanner/mysql/mysql_login.md
@@ -156,7 +156,7 @@ This session also works with the following modules:
   exploit/windows/mysql/mysql_start_up
 ```
 
-Once you've done that, you can run any MySQL query against the target using the `query` command.
+Once you've done that, you can run any MySQL query against the target using the `query` command:
 
 ```msf
 mysql @ 127.0.0.1:4306 > query -h
@@ -212,5 +212,3 @@ Response
 
 SQL >>
 ```
-
-
diff --git a/documentation/modules/auxiliary/scanner/postgres/postgres_login.md b/documentation/modules/auxiliary/scanner/postgres/postgres_login.md
@@ -4,12 +4,12 @@ This auxiliary module is a brute-force login tool for Postgres servers.
 
 ## Verification Steps
 
-1. Do: ```use auxiliary/scanner/postgres/postgres_login```
-2. Do: ```set PASS_FILE [file containing passwords]```
-3. Do: ```set RHOSTS [IP]```
-4. Do: ```set USER_FILE [file containing usernames]```
-5. Do: ```set DATABASE [template name]```
-6. Do: ```run```
+1. Do: `use auxiliary/scanner/postgres/postgres_login`
+2. Do: `set PASS_FILE [file containing passwords]`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set USER_FILE [file containing usernames]`
+5. Do: `set DATABASE [template name]`
+6. Do: `run`
 
 The above USER_FILE and PASS_FILE options can be replaced with USERNAME
 and PASSWORD if you know the credentials.
@@ -107,7 +107,7 @@ This session also works with the following modules:
   exploit/windows/postgres/postgres_payload
 ```
 
-Once you've done that, you can run any Postgres query against the target using the `query` command.
+Once you've done that, you can run any Postgres query against the target using the `query` command:
 
 ```msf
 postgresql @ 127.0.0.1:5432 (template1) > query -h

diff --git a/documentation/modules/auxiliary/scanner/smb/smb_login.md b/documentation/modules/auxiliary/scanner/smb/smb_login.md
@@ -47,22 +47,22 @@ session within the smb instance. Running with the following options:
 msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
 ```
 
-Should give you output containing
+Should give you output containing:
 
 ```msf
 [*] 172.14.2.164:445    - 172.14.2.164:445 - Starting SMB login bruteforce
 [+] 172.14.2.164:445    - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator
 [*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
 [*] 172.14.2.164:445    - Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/smb/smb_login) > sessions -1
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
 [*] Starting interaction with 1...
 ```
 
-Which you can interact with using `sessions -i <session id>` or `sessions -1` to interact with the most recently opened session.
+Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
 
 ```msf
-msf6 auxiliary(scanner/smb/smb_login) > sessions -1
+msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
 [*] Starting interaction with 1...
 
 SMB (172.14.2.164) > shares

diff --git a/documentation/modules/exploit/windows/smb/smb_relay.md b/documentation/modules/exploit/windows/smb/smb_relay.md
@@ -90,12 +90,13 @@ I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv
 
 ### DOMAIN
 
-The domain name used during smb exchange.
+The domain name used during SMB exchange.
 
 ### ACTION
+
 Determines which of two actions smb_relay will use against the target. 
-The default is to run PSEXEC, but can be changed to CREATE_SMB_SESSION to 
-open an interactive smb session against the target instead of running
+The default is to run `PSEXEC`, but can be changed to `CREATE_SMB_SESSION` to 
+open an interactive SMB session against the target instead of running
 psexec.
 
 ### TIMEOUT

diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb
@@ -149,10 +149,10 @@ module is not able to clean up after itself. The service and payload
 
   def available_actions
     actions = [
-      ['PSEXEC', { 'Description' => 'Run psexec against the relay target' }]
+      ['PSEXEC', { 'Description' => 'Use the SMB Connection to run the exploit/windows/psexec module against the relay target' }]
     ]
     if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
-      actions << ['CREATE_SMB_SESSION', { 'Description' => 'Get an SMB session' }]
+      actions << ['CREATE_SMB_SESSION', { 'Description' => 'Do not close the SMB connection after relaying, and instead create an SMB session' }]
     end
 
     actions