Setting up Metasploit and Armitage on a Mac

In this guide we will do the following on OSX 10.7.2:

1. Install Metasploit Framework/Armitage prerequisites:
• Install Xcode
• Install PostgreSQL 9.1.1-1 
• Install MacPorts
• Install other plugins/connectors
2. Install Metasploit Framework 4.2
• Install the latest Metasploit Framework
• Update Metasploit
• Link programs/modify PATH$
3. Configure everything
• YMAL database settings file for armitage
• Allow Armitage to run with privileges
4. Run Metasploit & Armitage
• launch msfrpc
5. Optionally Create Services & Automatically update everything
• Automatically update everything
• Create a launchd

1.Metasploit 4.2 prerequisites:  

• Install Xcode - http://developer.apple.com/tools/xcode/
• Install PostgreSQL - http://www.enterprisedb.com/products-services-training/pgdownload#osx
• Fell free to install the mac ports version, BUT I'm using the GUI version in the next steps.
• PostgreSQL may ask you to reboot if it needs to adjust your memory configuration. 
• Give the postgres user a secure password
• Configure a new user
• Open pgAdmin III.app, connect to the local postgresql server (user postgres, if it asks, & whatever password from above), right-click on Login Roles and select New Login Role...
• Set the role name (this will be the username) to whatever you want or use msfuser
• This username will be stored in a plain-text file later!
  
• Under the definition tab, set the password to whatever you want or use msfpassword
• This password will be stored in a plain-text file later!
  
• Configure the database
• Still in pgAdmin III.app, right-click on Databases and select New Database...
• Set the database Name to whatever you want or use metasploitdb
• Set the database Owner to the new user from above (msfuser in the example above)
  
• Install MacPorts - http://www.macports.org/
• add "/opt/local" to your spotlight privacy settings to avoid excessive compile times & unnecessary indexing by spotlight. 
• System Preferences->Spotlight->Privacy->"+"
• Press "command+shift+G" and type in /opt/local
• Update with sudo port selfupdate
• Quit terminal & relaunch to accept new path settings added by MacPorts
• Install other plug-ins
• Install Ruby & RubyGems with sudo port install ruby19 +nosuffix
• Install gem/PostgreSQL connector with
• For 34-bit systems: sudo gem install pg -- --with-opt-include=/Library/PostgreSQL/9.1/include/ --with-opt-lib=/Library/PostgreSQL/9.1/lib/
• For 64-bit systems: sudo env ARCHFLAGS='-arch x86_64' gem install pg -- --with-opt-include=/Library/PostgreSQL/9.1/include/ --with-opt-lib=/Library/PostgreSQL/9.1/lib/
• Install the gsm msgpack with sudo gem install msgpack 
• Add /opt/local/ to your anti-virus exclusion list

2. Install Metasploit Framework 4.2 (includes armitage):  

• Install MSF
• Give metasploit a place to live with sudo mkdir /opt/local/msf
• Download & install the latest framework with sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/local/msf/
• permanently accept the certificate with p
• Create a link to the msf applications with sudo ln -s /opt/local/msf/msf* /opt/local/bin
• Optionally you can edit $path to include /opt/local/msf/ -- BUT this method never worked for me & you would have to do that for each user on the system... or change the system $path
• Create a link to the armitage with sudo ln -s /opt/local/msf/armitage /opt/local/bin
• Update MSF with sudo msfupdate

3. Configure everything:

• YMAL database settings file for armitage
• create the configuration directory: sudo mkdir /opt/local/config
• Create/Edit the following file: sudo vi /opt/local/config/database.yml
  
  # These settings are for the database used by the Metasploit Framework
  # unstable tree included in this installer, not the commercial editions.
  #
  
  production:
    adapter: "postgresql"
    database: "metasploitdb"
    username: "msfuser"
    password: "msfpassword"
    port: 5432
    host: "localhost"
    pool: 256
    timeout: 5</code>

• Allow Armitage to run with privileges
• SOMETHING GOES HERE

4. Run Metasploit & Armitage:

• Run Metasploit
• Launch msfrpcd with sudo msfrpcd -U msfuser2 -P msfpassword2 -t Msg
• feel free to use a different username & password here 
• launch msfconsole with sudo msfconsole
• db_connect -y /opt/local/config/database.yml
• The data will build now 
• how do I make this default (maybe just in armiatge)
• exit out of msfconsole with exit
• Launch Armitage from the command line
• Enter the credentials from the msfrpc command above
• Enjoy!

5. Optional extras that will make your life better:

• Make msfrpcd a launchd service:
• Create/edit the following file: /Library/LaunchDaemons/org.metasploitframework.rpcd.plist
  
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
          <key>Disabled</key>
          <false/>
          <key>Label</key>
          <string>org.metasploitframework.rpcd</string>
          <key>RunAtLoad</key>
          <true/>
          <key>Debug</key>
          <false/>
          <key>ProgramArguments</key>
          <array>
                  <string>/opt/local/bin/ruby</string>
                  <string>/opt/local/msf/msfrpcd</string>
                  <string>-f</string>
                  <string>-U</string>
                  <string>msfuser2</string>
                  <string>-P</string>
                  <string>msfpassword2</string>
                  <string>-t</string>
                  <string>Msg</string>
          </array>
          <key>WorkingDirectory</key>
          <string>/opt/local/bin/</string>
  </dict>
  </plist>

• Start the msfrpcd launchd with sudo launchctl load /Library/LaunchDaemons/org.metasploitframework.rpcd.plist
• Automatically update everything you just installed:
•  Edit you crontab & add the following lines:
  0 6 * * * /opt/local/msf/msfupdate -u
  0 5 * * * /opt/local/bin/port selfupdate; /opt/local/bin/port upgrade outdated
  0 5 * * * /opt/local/bin/gem update --system
• If you don't know what this means then don't touch cron.

Further reading:
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
http://www.symantec.com/connect/articles/metasploit-framework-part-3
http://www.fastandeasyhacking.com/manual#mac

Sources:
http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf
https://community.rapid7.com/docs/DOC-1037
http://krypted.com/mac-os-x/mac-os-x-enable-and-disable-spotlight/

Rename multiple files' file extensions from the command line with a wildcard

Problem:
I hate not being able to rename multiple files from the command prompt/mac terminal session, ie:

mv *.thisisthewrongextension *.thisiscorrect

or as my example will be for torrent files incorrectly downloaded by a browser as .torrent.html files:

mv *.torrent.html *.torrent

This lack in functionality in bash just drives me crazy.

Solution:
Here are two inline commands, a bash script, a pearl script, and GUI Mac program, that will overcome this shortfall. In these two command examples we will try to rename files that downloaded as myfile.torrent.html to myfile.torrent.

1. find *.torrent.html -exec mv -vn {} `echo {} | cut -f1 -d.`.torrent \;

   find *.torrent.html -exec bash -c 'mv -vn {} $(basename {} .torrent.html).torrent' \;

2. for i in *.torrent.html; do mv -vn "$i" "`basename $i .torrent.html`.torrent"; done

3. bash/pearl script examples located here

4. You could also use this GUI program on a mac, it is VERY, VERY, VERY awesome: A Better Finder Rename

Solution 1 breakdown: In the first example we will use the find command in conjunction with executing another command inline. In the second example we will be using a bash script in a single line. Let's begin. command breakdown:

find *.torrent.html

will output: 

myfile1.torrent.html
myfile2.torrent.html
myfile3.torrent.html

Then we run into the "-exec" parameter of the find command... it may seam a lot to deal wth, but basically it just runs a command each time find returns a result. Moreover it will pass the found file/directory in the form of "{}". for example:

find *.torrent.html -exec echo {} \;

Please note: at the end of an "exec" you must have whitespace(a space in the above example), then a backslash(escape character) followed by a semicolon. If you don't do that you'll get the following error:

find: -exec: no terminating ";" or "+"

anyway, the aforementioned command will output: 

myfile1.torrent.html
myfile2.torrent.html
myfile3.torrent.html

Let's take a break from the "exec" function of the "find" command, and move on to the "mv" command (pun intended). When you move or rename a file you need to specify a source & destination file/directory. Now since we can't move multiple files with a wildcard as the destination with the "mv" command (as is the point of this article) will not work

mv *.torrent.html *.torrent    -   this will not work

However, the following 3 commands will work (and this is exactly what we will be replicating in this first example):

mv myfile1.torrent.html myfile1.torrent
mv myfile2.torrent.html myfile2.torrent
mv myfile3.torrent.html myfile3.torrent

I'm also adding the "-vn" options to the "mv" command so it will be verbose about what it is moving & to prevent "mv" from overwriting an existing file. Now that we know what "mv" will be expecting, let's see how we can get "find" & "-exec" to pass the file names to the "mv" command.

find *.torrent.html -exec mv -vn {} `echo {} | cut -f1 -d.`.torrent \;

find *.torrent.html -exec bash -c 'mv -vn {} $(basename {} .torrent.html).torrent' \;

The {} portion of the above command will be replaced with "myfile1.torrent.html". For the next portion of the command we will look at the bold section in the command above. 

`echo {} | cut -f1 -d.` is translated into:
`echo myfile1.torrent.html | cut -f1 -d.` 

$(basename {} .torrent.html) is translated to:
$(basename myfile1.torrent.html .torrent.html) 

The above example will give the following output (note that anything inside the  ` (tick marks) will be executed first):

myfile1

This output still needs an extension appended to it, so we do the following:

`echo {} | cut -f1 -d.`.torrent

$(basename {} .torrent.html).torrent

And we get the following output:

myfile1.torrent

So now the "mv" command has both a source ("{}" as represented in the example below), and the destination ("`echo {} | cut -f1 -d.`.torrent" "$(basename {} .torrent.html).torrent" also represented below), and we get:

find *.torrent.html -exec mv -vn {} `echo {} | cut -f1 -d.`.torrent \;

find *.torrent.html -exec bash -c 'mv -vn {} $(basename {} .torrent.html).torrent' \;

With the following output:

myfile1.torrent.html -> myfile1.torrent
myfile2.torrent.html -> myfile2.torrent
myfile3.torrent.html -> myfile3.torrent

Phew... all done with the first example.

Solution 2 breakdown... sort of:
Now let's dissect the single line bash script:

for i in *.torrent.html; do mv -vn "$i" "`basename $i .torrent.html`.torrent"; done

Expanded below with added comments it looks like:

for i in *.torrent.html;  #(the for loop begins here)
    do
        mv -vn "$i" "`basename $i .torrent.html`.torrent";  #(here we use the mv command, as we saw above, but we use the "basename" function to split the file name)
    done  #(and then we are done)

I could go into more details, but I think that should be enough for that today. For more details about this function, and to see some other bash function examples go here.

If you need help with a bash script:

1. Feel free to comment/mail me
   
2. Visit a linux forum (www.linuxquestions.org)
3. Take a good long look at the Advanced Bash Scripting Guide
4. Use the "man" pages for further detailed info.

-Brian
=:~)

Fixing double letter issues when naming people in photos in iPhoto

Problem:
When in iPhoto and naming/identifying people using "Faces" when you type in the text field all characters typed are doubled (see below)

Cause:
An address book corruption... yeah annoying hu?

Detection:
in /var/log/system.log look for lines similar to the following:

12/2/10 12:45:00 PM AddressBookSync1871 Critical error fetching ABCDContact in context <ABManagedObjectContext: 0x10012b670>: Fatal error. The database at /Users/kurtpedrosa/Library/Application Support/AddressBook/AddressBook-v22.abcddb is corrupted. SQLite error code:11, 'database disk image is malformed'

The data that's important here is:

database at Application Support/AddressBook/AddressBook-v22.abcddb is corrupted

Solution:
Rebuild you address book database.
I'm partially referencing the instructions from this site:
http://forums.macnn.com/82/applications/431074/corrupt-address-book-how-can-i/
1) Exit iPhoto & other apps that may use the address book.
2) Backup your address book.

• Open Address book.
• Click on "All Contacts" and drag that into a folder of your choosing. (that was easy)
• Make another type of backup, from address book click on the "File" menu->"Export..."->"Address Book Archive..." and save that file somewhere safe too.
• Quit Address Book

3) Fix the address book database.
Run the following code logged in as your user from the terminal:

echo '.dump' | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new; mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.bak; mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb

Here is the code broken into three separate commands:

echo '.dump' | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new
mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.bak
mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb

Start Address Book & iPhoto, enjoy tagging faces again.