Metasploit – Storing Pen Test Results

17 Feb

Penetration testers are using different tools and methods in order to keep their penetration testing results.If our preference is to use Metasploit Framework for our activities then we can use the store our results in its database as Metasploit is already integrated with postgresql.This can prove very handy as many penetration tests can run for several days and we will need to have our results in a centralized environment for later use.This will help us not only in the reporting stage but and in the exploitation stage as we constructing our attack path.

If we want to check our database settings we need to type the following commands as the image below indicates:

Databasse Settings

Database Settings


The information that we have obtained above it can be used for connection with the database through the metasploit framework.if we want to check the available database commands we can run the command help in the metasploit console.

Metasploit - Database Commands

Metasploit – Database Commands


Now if we want to connect with the existing database or with another database that we have created we can use the following command:

db_connect username:password@IP:Port/database_name

Now lets say that we have to perform a scan in an IP address.We can use directly the command db_nmap IP from the metasploit console which it will scan the target and automatically it will store the results in the database.

Metasploit - Nmap Scan

Metasploit – Nmap Scan


Now if want to check the results in the database we can use the following commands:

  • creds
  • loot
  • hosts
  • services
  • vulns
  • notes

The following two pictures are just a sample of the commands hosts and services.

List Hosts - Metasploit Database

List Hosts – Metasploit Database


List Services - Metasploit Database

List Services – Metasploit Database


Another thing that we can do here is to export the results in an XML format in order to use it with other tools like Dradis Framework.

Export Results From Metasploit Database

Export Results From Metasploit Database



In this article we saw how we can use the database with metasploit in order to store information from a port scan that we performed.We can use this functionality as well in order to import results from other tools like Nessus or to export the results for integration with Dradis.This function of Metasploit Framework offers the penetration tester the ability to manage his results in an efficient way.

Leave a comment

Posted by on February 17, 2013 in General Lab Notes


Tags: , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: