Advanced Ethical Hacking Institute in Pune
NeXpose vulnerability scanning in Metasploit
The Metasploit/NeXpose integration is not limited to simply importing scan results files. You can run NeXpose scans directly from msfconsole by first making use of the ‘nexpose‘ plugin.
msf > load nexpose
(Nexpose ASCII-art banner)
[*] Nexpose integration has been activated
[*] Successfully loaded plugin: nexpose

msf > help

Nexpose Commands
================

    Command                   Description
    -------                   -----------
    nexpose_activity          Display any active scan jobs on the Nexpose instance
    nexpose_command           Execute a console command on the Nexpose instance
    nexpose_connect           Connect to a running Nexpose instance ( user:pass@host[:port] )
    nexpose_disconnect        Disconnect from an active Nexpose instance
    nexpose_discover          Launch a scan but only perform host and minimal service discovery
    nexpose_dos               Launch a scan that includes checks that can crash services and devices (caution)
    nexpose_exhaustive        Launch a scan covering all TCP ports and all authorized safe checks
    nexpose_report_templates  List all available report templates
    nexpose_save              Save credentials to a Nexpose instance
    nexpose_scan              Launch a Nexpose scan against a specific IP range and import the results
    nexpose_site_devices      List all discovered devices within a site
    nexpose_site_import       Import data from the specified site ID
    nexpose_sites             List all defined sites
    nexpose_sysinfo           Display detailed system information about the Nexpose instance
...snip...
Before running a scan against a target, we first need to connect to our server running NeXpose by using the ‘nexpose_connect‘ command along with the credentials for the NeXpose instance. Note that you will have to append ‘ok‘ to the end of the connect string to acknowledge that the SSL connections are not verified.
msf > nexpose_connect -h
[*] Usage:
[*]        nexpose_connect username:password@host[:port] <ssl-confirm>
[*]         -OR-
[*]        nexpose_connect username password host port <ssl-confirm>
msf > nexpose_connect loneferret:something@127.0.0.1:3780 ok
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username loneferret...
Now that we are connected to our server, we can run a vulnerability scan right from within Metasploit.
msf > nexpose_scan -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process

We'll provide our scanner with the credentials for the 'ssh' service, and use the 'full-audit' scan template. Our scan results should be very similar to the ones we previously imported.

msf > nexpose_scan -c ssh:msfadmin:msfadmin -t full-audit 172.16.194.172
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf >

msf > hosts

Hosts
=====

address         mac  name            os_name       os_flavor  os_sp  purpose  info  comments
-------         ---  ----            -------       ---------  -----  -------  ----  --------
172.16.194.172       METASPLOITABLE  Ubuntu Linux                    device
Again, we run ‘services‘ and ‘vulns‘ and we can see that the results are of the same quality as those we imported via the XML file.
msf > services

Services
========

host            port   proto  name               state  info
----            ----   -----  ----               -----  ----
172.16.194.172  21     tcp    ftp                open   vsFTPd 2.3.4
172.16.194.172  22     tcp    ssh                open   OpenSSH 4.7p1
172.16.194.172  23     tcp    telnet             open
172.16.194.172  25     tcp    smtp               open   Postfix
172.16.194.172  53     tcp    dns-tcp            open   BIND 9.4.2
172.16.194.172  53     udp    dns                open   BIND 9.4.2
172.16.194.172  80     tcp    http               open   Apache 2.2.8
172.16.194.172  111    udp    portmapper         open
172.16.194.172  111    tcp    portmapper         open
172.16.194.172  137    udp    cifs name service  open
172.16.194.172  139    tcp    cifs               open   Samba 3.0.20-Debian
172.16.194.172  445    tcp    cifs               open   Samba 3.0.20-Debian
172.16.194.172  512    tcp    remote execution   open
172.16.194.172  513    tcp    remote login       open
172.16.194.172  514    tcp    remote shell       open
172.16.194.172  1524   tcp    ingreslock (ingres) open
172.16.194.172  2049   tcp    nfs                open
172.16.194.172  2049   udp    nfs                open
172.16.194.172  3306   tcp    mysql              open   MySQL 5.0.51a
172.16.194.172  5432   tcp    postgres           open
172.16.194.172  5900   tcp    vnc                open
172.16.194.172  6000   tcp    xwindows           open
172.16.194.172  8180   tcp    http               open   Tomcat
172.16.194.172  41407  udp    status             open
172.16.194.172  44841  tcp    mountd             open
172.16.194.172  47207  tcp    nfs lockd          open
172.16.194.172  48972  udp    nfs lockd          open
172.16.194.172  51255  tcp    status             open
172.16.194.172  58769  udp    mountd             open

msf > vulns
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,URL-http://www.hsc.fr/ressources/presentations/null_sessions/
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-generic-ip-source-routing-enabled refs=BID-646,CVE-1999-0510,CVE-1999-0909,MSB-MS99-038,URL-http://packetstormsecurity.nl/advisories/nai/nai.99-09-20.windows_ip_source_routing
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-unix-hosts-equiv-allows-access refs=
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-share-world-writeable refs=CVE-1999-0520
...snip...
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-vnc-password-password refs=
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-default-password refs=BID-38084,CVE-2009-3843,CVE-2010-0557
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-example-leaks refs=
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-default-install-page refs=
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-nfs-mountd-0002 refs=
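The 'vulns' listing above is the raw material for triage: findings with CVE references can be looked up in Metasploit's module index, while findings that NeXpose reports with an empty refs field have nothing to correlate and need a manual look. The following Ruby script is an added example, not part of the Nexpose plugin or of this page; it parses the exact line format shown above (sample lines are copied from that listing) and splits the findings into those two groups per host.

```ruby
# Parses the msfconsole 'vulns' listing format shown above, one finding per line.
# Added example using only the Ruby standard library; not the Nexpose plugin's code.
require 'set'

VULN_LINE = /\A\[\*\] Time: (?<time>\S+ \S+ UTC) Vuln: host=(?<host>\S+) name=(?<name>\S+) refs=(?<refs>\S*)\z/
Finding = Struct.new(:time, :host, :name, :refs)

# Keep every well-formed 'vulns' line; anything else (prompts, '...snip...') is skipped.
def parse_vulns(text)
  text.each_line.filter_map do |line|
    m = VULN_LINE.match(line.strip)
    next unless m
    refs = m[:refs].empty? ? [] : m[:refs].split(',')   # empty refs= is a valid line
    Finding.new(m[:time], m[:host], m[:name], refs)
  end
end

# Sorted, de-duplicated CVE identifiers per host: the keys to search modules by.
def cves_by_host(findings)
  findings.each_with_object(Hash.new { |h, k| h[k] = Set.new }) do |f, acc|
    f.refs.grep(/\ACVE-/) { |r| acc[f.host] << r }
  end.transform_values { |s| s.to_a.sort }
end

# Findings with no reference at all: no identifier exists to correlate, so these
# must be triaged by hand from the NeXpose check name.
def unreferenced(findings)
  findings.select { |f| f.refs.empty? }.map(&:name)
end

# Sample lines copied from the 'vulns' output above, including a '...snip...' line.
SAMPLE = <<~VULNS
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,URL-http://www.hsc.fr/ressources/presentations/null_sessions/
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-unix-hosts-equiv-allows-access refs=
...snip...
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-default-password refs=BID-38084,CVE-2009-3843,CVE-2010-0557
VULNS

if __FILE__ == $PROGRAM_NAME
  findings = parse_vulns(SAMPLE)
  cves_by_host(findings).each { |host, cves| puts "#{host}: #{cves.join(', ')}" }
  puts "No references: #{unreferenced(findings).join(', ')}"
end
```

Feed it the saved output of 'vulns' (for example via 'spool') to get the same split for a full scan.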
Expanding on our NeXpose scanning methods
Other types of scans can be conducted against a target, or targets, by using the 'nexpose_discover', 'nexpose_dos' and 'nexpose_exhaustive' commands. The first performs a minimal host and service discovery scan, while the second adds denial of service checks. Use caution when running 'nexpose_dos', as it may very well crash your target. The 'nexpose_exhaustive' scan covers all TCP ports and all authorized safe checks. All three accept the same options as 'nexpose_scan', as their help output shows:

msf > nexpose_discover -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process

msf > nexpose_dos -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process

msf > nexpose_exhaustive -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process
NeXpose and Metasploit integration has improved greatly over time. Running scans directly from the console using all of NeXpose's features is a great addition to the Framework. We can also correlate our findings against Metasploit's modules. This feature is offered in the Community Edition, which is discussed in a later module.