New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve msfdb's rackup file use to work independent of the framework directory location #11262

Merged
merged 3 commits into from Jan 16, 2019

Conversation

Projects
None yet
2 participants
@mkienow-r7
Copy link
Contributor

mkienow-r7 commented Jan 15, 2019

Improves msfdb's rackup file use to allow it to work independent of the framework directory location. The initial msfdb implementation (#10410) to support the Metasploit data web service stored a rackup file in the user's configuration root (~/.msf4/msf-ws-config.ru). The rackup file contained a variable that defined the location of the framework directory. That approach is fragile and results in issues if the user moves their framework directory location, or experiments with multiple Metasploit versions side-by-side.

Ticket: MS-3770

Verification

  • If you already have an existing database run msfdb reinit, otherwise, run msfdb init and follow prompts to initialize both the database and web service
  • Verify a web service username, password and API token are provided by the script
  • Run msfdb status
  • Verify the status reports that both the database and web service are running
  • Execute curl --insecure https://localhost:8080/api/v1/msf/version | python -m json.tool
  • Verify a JSON "Authenticate to access this resource" error message is returned
  • Execute curl --insecure -H "Accept: application/json" -H "Authorization: Bearer <token>" https://localhost:8080/api/v1/msf/version | python -m json.tool
  • Verify a valid JSON message is returned that contains the metasploit_version
  • Open a web browser and navigate to https://localhost:8080/api/v1/auth/account. You will need to add an exception in the browser for the fake SSL certificate to get the page to load.
  • Verify You can click Log In and use the username and password provided earlier by msfdb to log in to the web interface, log out and close the browser.
  • Test msfdb with various options and commands and verify that they operate as expected
  • Start msfconsole and connect to the data service started above if you didn't select the option to connect automatically during initialization. See Metasploit Web Service for more information.
  • Verify db_status reports Connection type: http. Connected to remote_data_service: (https://localhost:8080)
  • Exploit a host, pull creds and loot
  • Verify use of various commands (hosts, loot, vulns, services, etc.) that create, read, update and delete data work as expected

mkienow-r7 added some commits Jan 15, 2019

@ebleiweiss-r7 ebleiweiss-r7 self-assigned this Jan 16, 2019

@ebleiweiss-r7 ebleiweiss-r7 merged commit c1fe334 into rapid7:master Jan 16, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

ebleiweiss-r7 added a commit that referenced this pull request Jan 16, 2019

@ebleiweiss-r7

This comment has been minimized.

Copy link
Contributor

ebleiweiss-r7 commented Jan 16, 2019

Release Notes

This improves the interaction between the thin webservice and the rackup file in msfdb so that it is not tied to a specific framework directory location.

@mkienow-r7 mkienow-r7 deleted the mkienow-r7:MS-3770-improve-msfdb-rackup-use branch Jan 18, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment