Using Host Tagging in Metasploit for Penetration Testing

Last updated at Wed, 07 Feb 2024 19:25:32 GMT

Hello my fellow hackers! Tag, you're it!

For today's blog post, I'd like to talk about host tagging a little bit in Metasploit. If you are a penetration tester, a CTF player, or you just pop a lot of shells like a rock star, then perhaps this will interest you. If you have never used this kind of feature, then hopefully this blog post will bring you a new idea on how to approach host management.

So what is host tagging? Well, the idea is simple really. It's a way to label your targets and make them more meaningful to you. As a professional, you probably know how painful it is to break into a large network and deal with so many IP addresses, because let's be honest, you can't always remember what they are. Instead of digging through IPs and find what you're looking for, it would be much nicer to ask your tool to search for "all the sales people" or "all domain controllers" or "all android devices", etc. This will significantly improve your work efficiency, and you can use the extra time for more pwnage. If you're a CTF player, sometimes you will find this useful too.

The practice of host tagging is actually nothing new, but it was never in Metasploit Framework until now. Let's talk about how to use it.

To begin, make sure your Framework is up to date. Running the msfupdate utility or git pull (if you checked out Framework from Github) will get you there. Go ahead and start msfconsole, and first off let's look at the host command's help menu because this is where we implemented tagging:

As you can see, the -t (or --tag) option is for tagging. It is important to know that your tag is case-sensitive, and should not contain any whitespace characters, ideally just keep it alphanumeric. In addition, you will probably also need to combine it with other options such as -R (allows you to specify a range of hosts), the -S (allows you to search hosts), and -d (to delete a tag).

Let's cover some common usage scenarios:

Tagging a host or a range of hosts

Syntax: hosts -R [IP Range] -t "New_Tag"

Example:

Listing hosts with the tags column

Technically speaking, the tags column is treated as a virtual column, and virtual columns aren't displayed by default. So in order to see what tags are used, you will have to use the -c option and specify all the columns you want to see. Again, you can use the -h menu to see what columns are available.

Syntax: hosts -c 'address,name,os_name,os_flavor,os_sp,info,comments,tags'

Example:

Searching hosts with a specific tag

You probably didn't realize this, but by default, the hosts command is already in search mode. The -S option is just adding a filter to that search. When you use -S, here's what happens under the hood: first your input will be converted to a regex and be used to find matching data in different columns. The same input will also be used as a string to look for tags, not a regex search.

Also, by default the search results will not display the tags column (again, because it's a virtual column). So if you want to see that, make sure to use the -c option, too.

Syntax: hosts -S [tag name]

or

Syntax: hosts -S [tag name] -c 'address,name,os_name,os_flavor,os_sp,info,comments,tags'

Example:

Deleting a tag

This is pretty self-explanatory

Syntax: hosts -d -t "tag"

Deleting a tag for a specific range of hosts

This is handy if you only want to remove the tag of some hosts, without going through the trouble of deleting them all and retag them.

Syntax: hosts -R [IP range] -d -t "tag"

Metasploit Pro: Tagging on Steroids

Truth be told, Metasploit Pro has had host tagging for years, and can do even more. If you are a Pro user, mouse over Analysis, click on Hosts, and then you should see the TAGS column like the following:

Note that these tags are clickable. When you click one, the interface will only show hosts with that tag. If there are a lot of hosts, then there will be pages. By default there's 100 hosts each page, and that is user-configurable, which is a handy feature if you have a lot of hosts and you don't want it to take forever to load all of them in one single page.

To tag one or more hosts, first select the hosts - you can select all by clicking on the first check box, or you can use the shift key to select some of them like you do with files. And then click on the Tag button, which will bring you a Tag editing menu:

In this menu, you can add as many tags as you want. You can also remove them.

If you wish to manage your tags for an individual host, you can just click on that IP, and then the tags for it will be on the right:

If you wish to manage all the tags you've created, then you can mouse over Analysis again, click on Tags, and then you should see this:

In here, you can delete tags, add a description, or tell Pro to use them for reporting.

Another neat trick with Pro is that if for some reason you don't like clicking things and you actually like typing better, then you can bring up msfconsole by first enabling "Debugging" under Global Settings. And then when you're looking at the hosts, press: [CTRL] [~], you will get this:

And then at that point you can use the hosts command to tag. But remember you will need to refresh the page to see the results.

Metasploit Community and Express

Host tagging used to be a feature exclusively for Pro users. But soon this will open up to the Community and Express edition too so everybody can enjoy it. Please keep an eye on the upcoming updates.

Try Metasploit

As you can see, tagging can be a powerful feature for host management. It allows you to identify what you want quickly and save time for your penetration test. For Metasploit Framework, it provides some basic functionalities you need for tagging. But if you use Metasploit Pro, or even the Express/Community edition, you can do more. If you have never used Metasploit, clearly you are missing out, why don't you download it here.