Chapter 2 Information Collection and Scanning – continued

We will learn the following

Use in conjunction with Nessus

Use in conjunction with NeXpose

Use in conjunction with OpenVAS


14. Combine with Nessus

So far we have covered the basics of port scanning and learned how to use Nmap. By studying a few other tools we can further improve our scanning and information-gathering technique. In the following sections we look at several tools that scan for available services and ports on a target and that also help us determine what kinds of vulnerabilities may exist for specific services and ports. Let's begin our vulnerability-scanning journey.

Nessus is one of the most widely used vulnerability scanners: it scans targets for vulnerabilities and generates detailed reports, which makes it a very useful tool for penetration testing. You can use its GUI, or you can drive it from the Metasploit console. This book focuses on using it from msfconsole.

Preparation

To use Nessus you need to register on the Nessus website and obtain a license. Nessus Home is a free license that lets you scan your personal home network (up to 16 IP addresses). Then download the installation package: on Kali, download the .deb package and install it with dpkg -i.

Home Edition activation key request page: https://www.tenable.com/products/nessus-home

Fill in the registration information; once registration is complete you are taken to the download page.

Download the 32-bit or 64-bit version based on your operating system version

The activation key will be sent to your email. Please save it.

Install after the download is complete:

root@osboxes:~# cd ~/Downloads/
root@osboxes:~/Downloads# ls
bettercap  bettercap_linux_amd64_2.2.zip  libpcap-1.8.1  libpcap-1.8.1.tar.gz  Nessus-8.3.1-debian6_amd64.deb
root@osboxes:~/Downloads# dpkg -i Nessus-8.3.1-debian6_amd64.deb   // install the package
Selecting previously unselected package nessus.
(Reading database ... 435326 files and directories currently installed.)
Preparing to unpack Nessus-8.3.1-debian6_amd64.deb ...
Unpacking nessus (8.3.1) ...
Setting up nessus (8.3.1) ...
Unpacking Nessus Scanner Core Components...

 - You can start Nessus Scanner by typing /etc/init.d/nessusd start
 - Then go to https://osboxes:8834/ to configure your scanner

Processing triggers for systemd (241-1) ...
root@osboxes:~/Downloads#

After the installation, start the Nessus service

root@osboxes:~/Downloads# systemctl start nessusd.service

Open https://osboxes:8834/ or https://127.0.0.1:8834 in a browser, as prompted.

1. Set user name and password:

2. Select Home, Professional or Manager, and enter the activation key to activate the product.

3. After activation, Nessus installs a series of components; wait for the installation to complete.

Once the installation is complete, proceed to the next step.

How to do it

1. Load the Nessus plugin into msfconsole.

msf5 > load nessus   // load the Nessus plugin
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf5 >

2. Run nessus_help to view the available commands and their help text.

msf5 > nessus_help

Command                   Help Text
-------                   ---------
Generic Commands
-----------------         -----------------
nessus_connect            Connect to a Nessus server
nessus_logout             Logout from the Nessus server
nessus_login              Login into the connected Nesssus server with a different username and password
nessus_save               Save credentials of the logged in user to nessus.yml
nessus_help               Listing of available nessus commands
nessus_server_properties  Nessus server properties such as feed type, version, plugin set and server UUID.
nessus_server_status      Check the status of your Nessus Server
nessus_admin              Checks if user is an admin
nessus_template_list      List scan or policy templates
nessus_folder_list        List all configured folders on the Nessus server
nessus_scanner_list       List all the scanners configured on the Nessus server

Nessus Database Commands

3. Connect to the Nessus service with nessus_connect <user>:<password>@<host>.

msf5 > nessus_connect nessusroot:<password>@127.0.0.1   // connect to the Nessus service
[*] https://127.0.0.1:8834/ as nessusroot
[*] User nessusroot authenticated successfully.
msf5 >

4. Use nessus_policy_list to list all scan policies on the Nessus server. If there are none, create one in the web UI.

msf5 > nessus_policy_list
[-] No policies found
msf5 >

There is no policy, so let’s create one

We choose to create a Basic Network Scan policy

Configure the relevant parameters, and then click Save

Go back to msfconsole and run nessus_policy_list again

msf5 > nessus_policy_list
Policy ID  Name       Policy UUID
---------  ----       -----------
4          PenTest01  731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65

msf5 >

5. To create a Nessus scan, run nessus_scan_new --help to view the command's usage:

msf5 > nessus_scan_new --help                                                             
[*] Usage:                                                                                
[*] nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>                  
[*] Use nessus_policy_list to list all available policies with their corresponding UUIDs  
msf5 >                                                                                    

6. Create a scan

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 Metasploitable3 Windows_Machine 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called Metasploitable3 - Windows_Machine and scanning 192.168.177.144
[*] New scan added
[-] Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/plugins/nessus.rb:979:in `cmd_nessus_scan_new'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'
msf5 >

The error "Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass" occurs because, starting with Nessus 7, the remote API calls require authentication that the Metasploit plugin does not perform, so the call fails. At the time of writing a fix was still pending.

The workaround is discussed in: Nessus Plugin unable to create new Scan · Issue #11117 · rapid7/metasploit-framework · GitHub (github.com/rapid7/meta…)

Scan successfully created:

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 test test 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called test - test and scanning 192.168.177.144
[*] New scan added
[*] Use nessus_scan_launch 6 to launch the scan
Scan ID  Scanner ID  Policy ID  Targets          Owner
-------  ----------  ---------  -------          -----
6        1           5          192.168.177.144  nessusroot

msf5 >

7. Use nessus_scan_list to view the list of scans and their status

msf5 > nessus_scan_list                             
Scan ID  Name  Owner       Started  Status  Folder  
-------  ----  -----       -------  ------  ------  
6        test  nessusroot           empty   3       
                                                    
msf5 >                                              

8. Start the Scan by using nessus_scan_launch

msf5 > nessus_scan_launch 6
[+] Scan ID 6 successfully launched. The Scan UUID is 67d8e87c-17a6-7693-0b41-666f40291e1464ae15bc02832ca3
msf5 >

Check the status again:

msf5 > nessus_scan_list
Scan ID  Name  Owner       Started  Status   Folder
-------  ----  -----       -------  ------   ------
6        test  nessusroot           running  3

msf5 >

9. View the details of a scan with nessus_scan_details <Scan ID> <info/hosts/vulnerabilities/history>

msf5 > nessus_scan_details 6 info   // check the scan status
Status   Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time
------   ------              ---------  ------------     ---------------  -------------
running  Basic Network Scan  test       192.168.177.144  1555301230

msf5 > nessus_scan_details 6 hosts   // view the hosts
Host ID  Hostname         % of Critical Findings  % of High Findings  % of Medium Findings  % of Low Findings
-------  --------         ----------------------  ------------------  --------------------  -----------------
2        192.168.177.144  1                       0                   0                     0

msf5 > nessus_scan_details 6 vulnerabilities   // view the vulnerability information
Plugin ID  Plugin Name                                                                  Plugin Family  Count
---------  -----------                                                                  -------------  -----
10114      ICMP Timestamp Request Remote Date Disclosure                                General        1
10150      Windows NetBIOS / SMB Remote Host Information Disclosure                     Windows        1
10287      Traceroute Information                                                       General        1
10394      Microsoft Windows SMB Log In Possible                                        Windows        1
10736      DCE Services Enumeration                                                     Windows        8
10785      Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
.....

msf5 > nessus_scan_details 6 history   // view the scan history
History ID  Status   Creation Date  Last Modification Date
----------  ------   -------------  ----------------------
7           running  1555301230

msf5 >

The scan we created can also be seen on the WebUI

10. When the scan is complete, use nessus_db_import to import the scan results into Metasploit.

msf5 > nessus_scan_details 6 info
Status     Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time
------     ------              ---------  ------------     ---------------  -------------
completed  Basic Network Scan  test       192.168.177.144  1555301230       1555302154

msf5 > nessus_db_import 6
[*] Exporting scan ID 6 is Nessus format...
[+] The export file ID for scan ID 6 is 2110513949
[*] Checking export status...
[*] Export status: loading
[*] Export status: ready
[*] The status of scan ID 6 export is ready
[*] Importing scan results to the database...
[*] Importing data of 192.168.177.144
[+] Done
msf5 >

Once imported, we can use the hosts and services commands to view the host and target service information.

msf5 > hosts

Hosts
=====

address          mac                name             os_name  os_flavor      os_sp  purpose  info  comments
-------          ---                ----             -------  ---------      -----  -------  ----  --------
192.168.177.1                                        Unknown                        device
192.168.177.144  00:0c:29:41:d2:48  METASPLOITABLE3  Windows  2008 Standard  SP1    server
192.168.177.145                                      Unknown                        device

msf5 > services

Services
========

host             port  proto  name        state  info
----             ----  -----  ----        -----  ----
192.168.177.1    21    tcp    ftp         open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a
192.168.177.144  21    tcp    ftp         open   220 Microsoft FTP Service\x0d\x0a
192.168.177.144  22    tcp    ssh         open   SSH-2.0-OpenSSH_7.1
192.168.177.144  80    tcp    www         open   Microsoft IIS httpd 7.5
192.168.177.144  135   tcp    epmap       open
192.168.177.144  137   udp    netbios-ns  open
.....

To view the vulnerability information in the scan results, use the vulns command

msf5 > vulns

Vulnerabilities
===============

Timestamp                Host             Name                                                               References
---------                ----             ----                                                               ----------
2019-04-12 07:52:51 UTC  192.168.177.50   MS17-010 SMB RCE Detection                                         CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-010,URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-detection-script,URL-https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
2019-04-12 09:08:20 UTC  192.168.177.144  HTTP Writable Path PUT/DELETE File Access                          OSVDB-397
2019-04-15 04:25:24 UTC  192.168.177.144  Elasticsearch Transport Protocol Unspecified Remote Code Execution  CVE-2015-5377,NSS-105752,NSS-119499
2019-04-15 04:25:25 UTC  192.168.177.144  MySQL Server Detection                                             NSS-10719
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Detection                                            NSS-109941
2019-04-15 04:25:25 UTC  192.168.177.144  ManageEngine Desktop Central 9 < Build 92027 Multiple              NSS-108752
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Unrestricted Access Information Disclosure           NSS-101025
....
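The file nessus_db_import pulls from the server is a .nessus v2 XML export. As an added example (not code from the page, the book or Metasploit), the script below parses such an export and rolls it up the way the hosts view and the vulns table above present it: per-host severity counts and the CVE/MSB/URL references. It assumes the standard .nessus v2 layout (ReportHost, ReportItem, cve, msft, see_also); the embedded report is constructed, and the MS17-010 item carries a placeholder plugin ID.

```python
"""Parse a Nessus v2 (.nessus) export, the format nessus_db_import pulls from
the server, and roll it up per host the way `nessus_scan_details <id> hosts`
and `vulns` present it.  Added example, not part of the original page; the
report below is constructed, not a real scan export."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus ReportItem severity attribute (0..4) -> risk label
SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed .nessus v2 fragment.  Plugin 10114 is taken from the scan
# output above; the MS17-010 item uses a placeholder plugin ID (99999)
# because the page does not list the real one.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="test">
  <ReportHost name="192.168.177.144">
   <HostProperties>
    <tag name="host-ip">192.168.177.144</tag>
   </HostProperties>
   <ReportItem port="0" svc_name="general" protocol="icmp" severity="0"
               pluginID="10114" pluginFamily="General"
               pluginName="ICMP Timestamp Request Remote Date Disclosure">
    <risk_factor>None</risk_factor>
    <cve>CVE-1999-0524</cve>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="99999" pluginFamily="Windows"
               pluginName="MS17-010 SMB RCE Detection">
    <risk_factor>Critical</risk_factor>
    <cve>CVE-2017-0143</cve>
    <cve>CVE-2017-0144</cve>
    <msft>MS17-010</msft>
    <see_also>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</see_also>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one finding dict per ReportItem (str or bytes input)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # Prefer the host-ip property; fall back to the ReportHost name.
        ip = host.findtext("HostProperties/tag[@name='host-ip']") or host.get("name")
        for item in host.iter("ReportItem"):
            # Build references in the CVE-/MSB-/URL- style the vulns table uses.
            refs = [c.text.strip() for c in item.findall("cve") if c.text]
            refs += ["MSB-" + m.text.strip() for m in item.findall("msft") if m.text]
            # see_also holds one or more whitespace-separated URLs.
            refs += ["URL-" + url for s in item.findall("see_also")
                     for url in (s.text or "").split()]
            findings.append({
                "host": ip,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "refs": refs,
            })
    return findings


def host_summary(findings):
    """Per-host count of findings at each severity level, informational
    items excluded (the hosts view shows the same breakdown as percentages)."""
    summary = {}
    for f in findings:
        counts = summary.setdefault(f["host"], Counter())
        if f["severity"] > 0:
            counts[SEVERITY[f["severity"]]] += 1
    return {h: dict(c) for h, c in summary.items()}


def actionable(findings, min_severity=3):
    """Findings at or above min_severity that carry at least one CVE, the
    subset worth tracking in the workspace for remediation."""
    return [f for f in findings
            if f["severity"] >= min_severity
            and any(r.startswith("CVE-") for r in f["refs"])]


if __name__ == "__main__":
    results = parse_nessus(SAMPLE_NESSUS)
    print(host_summary(results))
    for f in actionable(results):
        print(f["host"], f["port"], f["name"], ",".join(f["refs"]))
```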

15. Combine with NeXpose

In this section we look at another great vulnerability scanner: Nexpose. Nexpose is one of the leading vulnerability assessment tools and a common Rapid7 product; it performs a vulnerability scan and imports the results into the Metasploit database. Nexpose is used in much the same way as Nessus, so we only take a quick look at how to use it. I'll leave it to you to explore further.

Preparation

For the Nexpose Community Edition you can apply for a free one-year trial: www.rapid7.com/info/nexpos…

The email address must be on the domain of an individual, school, company or organization; third-party mailboxes are rejected (for example Gmail, Sina, NetEase, 126 and Tencent addresses are all invalid).

Register, and once registration is complete download the installer.

Installation: at each prompt press Enter to accept the default, then fill in the user information and set a password.

root@osboxes:~# chmod +x Rapid7Setup-Linux64.bin
root@osboxes:~# ./Rapid7Setup-Linux64.bin
....
Do you want to continue?                                                                                                                      
Yes [y, Enter], No [n]                                                                                    
Gathering system information....                                                                    
Security Console with local Scan Engine                                                                                                       
If you do not have a console installed yet, this option is recommended. The console manages scan engines and all administrative operations. 
Scan Engine only                          
This distributed engine can start scanning after being paired with a Security Console.   
Select only the set of components you want to install:                                                                                        
Security Console with local Scan Engine [1, Enter]    
Scan Engine only [2]                     
1                                                                                                                                            
Where should Rapid7 Vulnerability Management be installed?                                                                                    
[/opt/rapid7/nexpose]
....
Select any additional installation tasks.    
Initialize and start after installation?     
Yes [y], No [n, Enter]                       
y 
...
If you chose to start the Security Console as part of the installation, then it will be started upon installer completion.
Using the credentials you created during installation, log onto Nexpose at https://localhost:3780.

To start the service run: sudo systemctl start nexposeconsole.service

To start the service run: sudo systemctl start nexposeconsole.service
The Security Console is configured to automatically run at startup. See the
installation guide if you wish to modify start modes.

[Enter]

Finishing installation...

We set the username to nexpose and the password to Faq3wANIK0 (choose your own).

Run the startup script /opt/rapid7/nexpose/nsc/nsc.sh, or systemctl start nexposeconsole. Startup takes a while, so be patient.

Then go to https://localhost:3780, wait for startup to complete, log in with the username and password, and enter the key we applied for to activate the product.

Load the Nexpose plugin into msfconsole and connect to the Nexpose service

msf5 > load nexpose
[*] Nexpose integration has been activated
[*] Successfully loaded plugin: Nexpose
msf5 > nexpose_connect nexpose:<password>@127.0.0.1:3780
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username nexpose...
msf5 >

How to do it

Once connected to the Nexpose service, we can scan the target and generate a report. Nexpose supports two scanning commands: nexpose_scan, which scans the target and imports the results into the Metasploit database, and nexpose_discover, which only finds hosts and services and does not import the results.

1. Perform a quick scan of the target (a minimal service-discovery scan)

msf5 > nexpose_discover 192.168.177.144
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf5 >

2. View the nexpose_scan help

msf5 > nexpose_scan -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process

msf5 >

3. To scan the target with a given template, run nexpose_scan -t <template> <target>

msf5 > nexpose_scan -t full-audit 192.168.177.144
[*] Scanning 1 addresses with template full-audit in sets of 32
[*] Completed the scan of 1 addresses
msf5 >

4. After the scan is complete, import the results into the database with nexpose_site_import

msf5 > nexpose_site_import 7
[*] Generating the export data file...
[*] Downloading the export data...
[*] Importing Nexpose data...

16. Combine with OpenVAS

OpenVAS (Open Vulnerability Assessment System) is a fork of the Nessus project and a free, open-source vulnerability scanning and vulnerability management tool. It is currently the most widely used open-source vulnerability scanning and management solution.

How to do it

1. Install OpenVAS on Kali

root@osboxes:~# apt install openvas -y

2. Set up OpenVAS: this downloads the vulnerability feeds and creates the admin user and the services.

root@osboxes:~# openvas-setup   // this step downloads a lot of data, please be patient
[>] Updating OpenVAS feeds
[*] [1/3] Updating: NVT
--2019-04-15 13:54:37--  http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
Connecting to 192.168.1.91:1080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 22288483 (21M) [application/octet-stream]
....
(after a long wait)
[*] Opening Web UI (https://127.0.0.1:9392) in: 5... 4... 3... 2... 1...
[>] Checking for admin user
[*] Creating admin user
User created with password 'dc63c468-3780-4e3c-b30c-1597f4b91623'.

[+] Done

3. After setup completes, OpenVAS is already running (it was started in the previous step). You can also start it later with the following command

root@osboxes:~# openvas-start

You can log in to the WebUI by visiting https://127.0.0.1:9392

4. Load the OpenVAS plugin into msfconsole

msf5 > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
msf5 >

5. View help information

msf5 > help openvas

OpenVAS Commands
================

    Command                       Description
    -------                       -----------
    openvas_config_list           Quickly display list of configs
    openvas_connect               Connect to an OpenVAS manager using OMP
    openvas_debug                 Enable/Disable debugging
    openvas_disconnect            Disconnect from OpenVAS manager
    openvas_format_list           Display list of available report formats
    openvas_help                  Displays help
    openvas_report_delete         Delete a report specified by ID
    openvas_report_download       Save a report to disk
    openvas_report_import         Import report specified by ID into framework
    openvas_report_list           Display a list of available report formats
    openvas_target_create         Create target (name, hosts, comment)
    openvas_target_delete         Delete target by ID
    openvas_target_list           Display list of targets
    openvas_task_create           Create a task (name, comment, target, config)
    openvas_task_delete           Delete task by ID
    openvas_task_list             Display list of tasks
    openvas_task_pause            Pause task by ID
    openvas_task_resume           Resume task by ID
    openvas_task_resume_or_start  Resume task or start task by ID
    openvas_task_start            Start task by ID
    openvas_task_stop             Stop task by ID
    openvas_version               Display the version of the OpenVAS server

msf5 >

6. Run openvas_connect to connect to the OpenVAS service

msf5 > openvas_connect admin dc63c468-3780-4e3c-b30c-1597f4b91623 127.0.0.1 9390
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
msf5 >

7. Add a scan target with the openvas_target_create command. The parameters are the target name, the target IP address and a comment.

msf5 > openvas_target_create "Metasploitable3" 192.168.177.144 "Windows Target"
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name             Hosts            Max Hosts  In Use  Comment
--                                    ----             -----            ---------  ------  -------
6455a780-092a-40dd-8c01-191a7612505a  Metasploitable3  192.168.177.144  1          0       Windows Target

msf5 >

8. List the available scan configurations: openvas_config_list

msf5 > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs

ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast

msf5 >

9. Create a task with the following command

openvas_task_create <name> <Comment> <config_id> <target_id>

msf5 > openvas_task_create "Metasploitable3" "Windows" 698f691e-7489-11df-9d8c-002264764cea 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment  Status  Progress
--                                    ----             -------  ------  --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  New     -1

msf5 >

10. Start the task with openvas_task_start

msf5 > openvas_task_start fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>7993d76a-43b3-48c6-ac94-ca630e20db68</report_id></start_task_response></X>
msf5 >

11. To view the progress, use openvas_task_list

msf5 > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment  Status     Progress
--                                    ----             -------  ------     --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  Requested  1

msf5 >

12. Use openvas_format_list to view the report formats supported by OpenVAS.

msf5 > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats

ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.

msf5 >

13. You can also view the status of the created task on the WebUI

14. After the task is complete, use openvas_report_list to view the report list.

msf5 > openvas_report_list
[+] OpenVAS list of reports

ID                                    Task Name        Start Time            Stop Time
--                                    ---------        ----------            ---------
4ee7b572-a470-484c-962e-773d3a7eb7b1  Metasploitable3  2019-04-16T02:40:24Z  2019-04-16T03:07:15Z
7993d76a-43b3-48c6-ac94-ca630e20db68  Metasploitable3  2019-04-16T01:15:44Z


15. Run the openvas_report_import command to import the report to Metasploit. Only Legacy OpenVAS Report (NBE) and XML formats are supported.

msf5 > openvas_report_import 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.

However, Metasploit 5.0 cannot import the report directly this way, so we download the report file first and then import it with db_import.

msf5 > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf5 > openvas_report_download 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 /tmp/ Metasploitable3
[*] Saving report to /tmp/Metasploitable3
msf5 > db_import /tmp/Metasploitable3
[*] Importing 'OpenVAS XML' data
[*] Successfully imported /tmp/Metasploitable3
msf5 >

16. View vulnerability information scanned by OpenVAS

msf5 > vulns

Vulnerabilities
===============

Timestamp                Host             Name                                                                   References
---------                ----             ----                                                                   ----------
2019-04-16 08:15:22 UTC  192.168.177.144  ICMP Timestamp Detection                                               CVE-1999-0524
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows IIS                                                  CVE-2010-3972,BID-45542
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)  CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,BID-96703,BID-96704,BID-96705,BID-96706,BID-96707,BID-96709
2019-04-16 08:15:23 UTC  192.168.177.144  MS15-034 HTTP.sys Remote Code                                          CVE-2015-1635
2019-04-16 08:15:23 UTC  192.168.177.144  Oracle GlassFish Server                                                CVE-2017-1000028
2019-04-16 08:15:23 UTC  192.168.177.144  Oracle GlassFish Server                                                CVE-2017-1000028
2019-04-16 08:15:23 UTC  192.168.177.144  SSL/TLS: Report 'Anonymous' Cipher Suites
.....
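The XML report that openvas_report_download saves (and db_import reads) can also be processed directly. As an added example (not code from the page, the book or Metasploit), the script below parses an OpenVAS XML report into rows shaped like the vulns table above, turns the comma-separated cve/bid fields into the CVE-/BID- tokens Metasploit shows, and collapses identical results such as the duplicated GlassFish rows. It assumes the OpenVAS 9 result layout (result, host, port, nvt/cve, nvt/bid, threat, severity); the embedded report is constructed and its NVT OIDs are placeholders.

```python
"""Parse an OpenVAS XML report (the format openvas_report_download saves
and db_import reads) into rows shaped like the `vulns` table, with CVE/BID
references normalised and exact duplicate results collapsed.  Added
example, not part of the original page; the report below is constructed."""
import xml.etree.ElementTree as ET

# Constructed OpenVAS XML fragment using finding names and references from
# the vulns output above; the nvt OIDs are placeholders, not real NVT ids.
SAMPLE_OPENVAS = """<report id="4ee7b572-a470-484c-962e-773d3a7eb7b1">
 <report>
  <results start="1" max="-1">
   <result id="r1">
    <name>Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)</name>
    <host>192.168.177.144</host><port>445/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.00001">
     <cve>CVE-2017-0143, CVE-2017-0144, CVE-2017-0145</cve><bid>96703, 96704</bid>
    </nvt>
    <threat>High</threat><severity>9.3</severity>
   </result>
   <result id="r2">
    <name>Oracle GlassFish Server</name>
    <host>192.168.177.144</host><port>4848/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.00002">
     <cve>CVE-2017-1000028</cve><bid>NOBID</bid>
    </nvt>
    <threat>High</threat><severity>7.5</severity>
   </result>
   <result id="r3">
    <name>Oracle GlassFish Server</name>
    <host>192.168.177.144</host><port>4848/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.00002">
     <cve>CVE-2017-1000028</cve><bid>NOBID</bid>
    </nvt>
    <threat>High</threat><severity>7.5</severity>
   </result>
  </results>
 </report>
</report>
"""


def split_refs(text, prefix):
    """Turn OpenVAS's comma-separated 'CVE-x, CVE-y' / '96703, 96704' fields
    into 'CVE-x' / 'BID-y' tokens; NOCVE, NOBID and empty fields yield none."""
    refs = []
    for tok in (text or "").split(","):
        tok = tok.strip()
        if not tok or tok.upper() in ("NOCVE", "NOBID"):
            continue
        refs.append(tok if tok.upper().startswith(prefix) else prefix + "-" + tok)
    return refs


def parse_openvas(xml_text):
    """Return one row per <result>: host, port, name, threat, CVSS, refs."""
    root = ET.fromstring(xml_text)
    rows = []
    for res in root.iter("result"):
        nvt = res.find("nvt")
        refs = []
        if nvt is not None:
            refs += split_refs(nvt.findtext("cve"), "CVE")
            refs += split_refs(nvt.findtext("bid"), "BID")
        rows.append({
            "host": (res.findtext("host") or "").strip(),
            "port": (res.findtext("port") or "").strip(),
            "name": (res.findtext("name") or "").strip(),
            "threat": (res.findtext("threat") or "").strip(),
            "severity": float(res.findtext("severity") or 0),
            "refs": refs,
        })
    return rows


def dedupe(rows):
    """Collapse results that differ only in their result id, which is how a
    finding reported twice (like GlassFish above) shows up in vulns."""
    seen, unique = set(), []
    for r in rows:
        key = (r["host"], r["port"], r["name"], tuple(r["refs"]))
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def by_threat(rows, threats=("High",)):
    """Rows whose OpenVAS threat level is in `threats`, highest CVSS first."""
    return sorted((r for r in rows if r["threat"] in threats),
                  key=lambda r: r["severity"], reverse=True)


if __name__ == "__main__":
    for r in by_threat(dedupe(parse_openvas(SAMPLE_OPENVAS))):
        print(r["host"], r["port"], r["name"], ",".join(r["refs"]))
```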

Chapter 3 Server Vulnerability Exploitation (preview)

In this chapter we will look at the following

1. Attack the Linux server

2. SQL injection attacks

3. Shell type

4. Attack Windows servers

5. Use public services

6. MS17-010 EternalBlue SMB remote code execution Windows kernel corruption

7. EternalRomance/EternalSynergy/EternalChampion MS17-010

8. Implant a back door

9. Denial of service attacks

Notes

Metasploit Penetration Testing Cookbook-Third Edition

www.packtpub.com/networking-…

This article was compiled by Hetian Network Security Laboratory; please credit the source when reposting.

About Hetian Network Security Laboratory

Hetian Network Security Laboratory (www.hetianlab.com) is China's leading hands-on online education platform for network security.

Learn network security through online practice in real environments. The labs cover system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, security awareness education and more.