Using nmap and nessus with metasploit
- CaptainCheeseTits
- n00b
- Posts: 18
- Joined: Wed Aug 17, 2011 1:42 pm
Using nmap and nessus with metasploit
I installed a vulnerable version of icecast on my Windows 7 VM and scanned it with nessus. I loaded the .nessus file into a metasploit db then ran db_autopwn but it didn't create any sessions. It tried to run about 50 exploits but didn't run the icecast exploit. I conclude that this approach isn't very effective. I notice that metasploit ran the exploits quite rapidly so I could instead just port scan the victim to get a list of open ports then run every single possible exploit associated with those open ports. Or I could just try every single windows exploit. Is there a command in metasploit to do this?
- Cool_Fire
- Not a sandwich
- Posts: 1912
- Joined: Fri May 09, 2003 1:20 pm
- Location: 41 6d 73 74 65 72 64 61 6d
Re: Using nmap and nessus with metasploit
As far as I know not in metasploit, but this command exists in armitage. It's the hail-mary attack. You can do it either by port or by vulnerability. (If vulnerability scan results are available.)
Besides that, it'd probably be a lot more effective and a LOT more stealthy to just search for icecast exploits through msfconsole and tune/launch them manually.
Also, make sure you have a clear path for the payload to connect its session. (An open port on the target for regular sessions, or an open port to your metasploit machine for reverse and/or staged payloads.)
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
- Thor
- htd0rg lieutenant
- Posts: 440
- Joined: Tue Dec 18, 2007 9:39 am
- Location: Location Location
Re: Using nmap and nessus with metasploit
Well I know you can use nmap in metasploit for this purpose. Then you can run autopwn against those ports. I'm not sure if you're indicating you tried that or not, but here's pretty much how you would do that:
Code:
db_nmap 192.168.0.1 -p 8000
db_autopwn -p -e
With that, it would scan port 8000 (that's icecast isn't it?), and launch any exploits that match for that port. You could do whatever nmap options, but need root/admin before you start metasploit. The autopwn attack is the one that normally will try to launch any and all exploits at the machine in hopes one works.
What it doesn't do is any checks that you would normally do manually to see if the unsuccessful launching of an exploit will crash the service or machine. This is why it is better to narrow it down to either only open ports with nmap, or a single service with a targeted exploit. The latter being optimal.
Also, mind you I haven't tinkered with metasploit in some time, but I think you still want to tell it what driver to use and create a database first:
Code:
db_driver sqlite3 or something?
db_create mydb
db_nmap 192.168.0.1 -p 8000
db_autopwn -p -e
Quidquid latine dictum sit, altum sonatur.
- Whatever is said in Latin sounds profound.
Omnis Vestri Substructio Es Servus Ad Nobis.
- All Your Base Are Belong To Us
- Cool_Fire
- Not a sandwich
- Posts: 1912
- Joined: Fri May 09, 2003 1:20 pm
- Location: 41 6d 73 74 65 72 64 61 6d
Re: Using nmap and nessus with metasploit
I think they dropped sqlite3 support a few versions back.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
- Thor
- htd0rg lieutenant
- Posts: 440
- Joined: Tue Dec 18, 2007 9:39 am
- Location: Location Location
Re: Using nmap and nessus with metasploit
Yeah I think it's on postgresql now.
Quidquid latine dictum sit, altum sonatur.
- Whatever is said in Latin sounds profound.
Omnis Vestri Substructio Es Servus Ad Nobis.
- All Your Base Are Belong To Us
- Cool_Fire
- Not a sandwich
- Posts: 1912
- Joined: Fri May 09, 2003 1:20 pm
- Location: 41 6d 73 74 65 72 64 61 6d
Re: Using nmap and nessus with metasploit
Thor wrote:
> Yeah I think it's on postgresql now.
postgres or mysql.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
- CaptainCheeseTits
- n00b
- Posts: 18
- Joined: Wed Aug 17, 2011 1:42 pm
Re: Using nmap and nessus with metasploit
Cool_Fire wrote:
> Besides that, it'd probably be a lot more effective and a LOT more stealthy to just search for icecast exploits through msfconsole and tune/launch them manually.
Yeah of course, I've tried that and it works. That's the reason I assumed db_autopwn should work, because I've tested the exploit so I know it works. The problem is in a real life scenario, I wouldn't automatically know a computer is running a vulnerable version of a program. I'm not sure if nmap would even tell me that IceCast is running on a particular server.
Thor wrote:
> Well I know you can use nmap in metasploit for this purpose. Then you can run autopwn against those ports. I'm not sure if you're indicating you tried that or not, but here's pretty much how you would do that:
Haven't tried that yet, thanks.
- Cool_Fire
- Not a sandwich
- Posts: 1912
- Joined: Fri May 09, 2003 1:20 pm
- Location: 41 6d 73 74 65 72 64 61 6d
Re: Using nmap and nessus with metasploit
CaptainCheeseTits wrote:
> I'm not sure if nmap would even tell me that IceCast is running on a particular server.
With the -sV flag, yes it can.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
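To show what Cool_Fire's -sV answer and Thor's port-based narrowing actually give you, here is an added example (not code from the thread or from nmap/Metasploit) that parses nmap's XML output (`-oX`) into a service inventory and looks up which open ports were positively identified by version probing. The XML sample is constructed; the host address and the Icecast version string in it are placeholders, not real scan data.

```python
"""Parse nmap -sV XML output into a service inventory (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output: one host, three ports.
# Port 8000 was fingerprinted by probing (method="probed", product/version
# present); port 445 only got a name from the nmap-services table; 22 is closed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - -p 22,445,8000 192.168.0.1">
<host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="closed"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="8000"><state state="open"/><service name="http" product="Icecast streaming media server" version="2.0.1" method="probed" conf="10"/></port>
</ports></host></nmaprun>"""


def parse_services(xml_text):
    """Return one dict per open port: host, port, proto, name, product, version, probed.

    probed is True only when nmap's version probes matched (method="probed");
    a table-only guess (method="table") carries no product/version, so the
    port should be treated as unidentified rather than as a known service.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports give nothing to match on
            svc = port.find("service")
            results.append({
                "host": addr_el.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "probed": svc is not None and svc.get("method") == "probed",
            })
    return results


def find_product(services, keyword):
    """Open ports whose probed product banner contains keyword (case-insensitive)."""
    kw = keyword.lower()
    return [s for s in services if s["probed"] and s["product"] and kw in s["product"].lower()]
```

Running `find_product(parse_services(SAMPLE_XML), "icecast")` returns the port-8000 entry with its version, while port 445 shows up in the inventory as open but unidentified, which is the distinction between "a port is open" and "this specific product and version is listening" that the thread is about.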