Metasploit is a very cool tool to use in your penetration testing, if you didn’t already know that. There are a few things you should add to it for a really good time: Armitage and XSS Framework.
Armitage makes Metasploit a multi-player exploitation tool with a graphical user interface, and XSS Framework makes XSS attacks with Metasploit easier to perform. You can also use BeEF to exploit XSS vulnerabilities.
But before I go and talk about all those tools I thought I should start off with how you can perform and import vulnerability scans from within Metasploit itself. It has been known for a while that you can use “db_import” to import data from various security tools:
msf> db_import
Usage: db_import <filename> [file2...]
Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
Acunetix XML
Amap Log
Amap Log -m
Appscan XML
Burp Session XML
Foundstone XML
IP360 ASPL
IP360 XML v3
Microsoft Baseline Security Analyzer
Nessus NBE
Nessus XML (v1 and v2)
NetSparker XML
NeXpose Simple XML
NeXpose XML Report
Nmap XML
OpenVAS Report
Qualys Asset XML
Qualys Scan XML
Retina XML
But that means that you need to first run the scan and then import it to Metasploit. A much cooler feature is to run the vulnerability scan directly from your Metasploit console.
Nessus from msfconsole / Armitage
To run a Nessus vulnerability scan from the Metasploit console you first need to have a Nessus installation somewhere. I’ll wait while you install it, and don’t forget to register your installation so you can download the latest plugins for it.
In Metasploit you start by loading the nessus plugin:
msf> load nessus
and then connect to the Nessus installation
msf> nessus_connect -h
[*] You must do this before any other commands.
[*] Usage:
[*] nessus_connect username:password@hostname:port <ssl ok>
[*] Example:> nessus_connect msf:msf@192.168.1.10:8834 ok
[*] OR
[*] nessus_connect username@hostname:port <ssl ok>
[*] Example:> nessus_connect msf@192.168.1.10:8834 ok
[*] OR
[*] nessus_connect hostname:port <ssl ok>
[*] Example:> nessus_connect 192.168.1.10:8834 ok
[*] OR
[*] nessus_connect
[*] Example:> nessus_connect
[*] This only works after you have saved creds with nessus_save
[*]
[*] username and password are the ones you use to login to the nessus web front end
[*] hostname can be an ip address or a dns name of the web front end.
[*] port is the standard that the nessus web front end runs on : 8834. This is NOT 1241.
[*] The "ok" on the end is important. It is a way of letting you
[*] know that nessus used a self signed cert and the risk that presents.
msf> nessus_connect user:password@localhost:8834 ok
If you save the credentials using
msf> nessus_save
you only need to issue
msf> nessus_connect
to automatically connect to your Nessus instance. Be warned, your Nessus credentials are stored in the clear in ~/.msf4/nessus.yaml - but it saves on typing…
After you have connected to the Nessus server it is time to scan the target. First we need to select a policy:
msf> nessus_policy_list
[+] Nessus Policy List
[+]
ID  Name                        Comments
--  ----                        --------
-1  Web App Tests
-2  Internal Network Scan
-3  Prepare for PCI DSS audits
-4  External Network Scan
Then we need to start the scan:
msf> nessus_scan_new -h
[*] Usage:
[*] nessus_scan_new <policy id> <scan name> <targets>
[*] Example:> nessus_scan_new 1 "My Scan" 192.168.1.250
[*]
[*] Creates a scan based on a policy id and targets.
[*] use nessus_policy_list to list all available policies
msf> nessus_scan_new -4 “Metasploit Scan” 192.168.1.0/24
Once the scan is completed it is time to import the result into Metasploit
msf> nessus_report_list
msf> nessus_report_get -h
[*] Usage:
[*] nessus_report_get <report id>
[*] Example:> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca
[*]
[*] This command pulls the provided report from the nessus server in the nessusv2 format
[*] and parses it the same way db_import_nessus does. After it is parsed it will be
[*] available to commands such as db_hosts, db_vulns, db_services and db_autopwn.
[*] Use: nessus_report_list to obtain a list of report id's
msf> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca
After which it is time to check what we now know about our target network using the “hosts”, “services” and “vulns” commands.