Using nmap and nessus with metasploit

CaptainCheeseTits
n00b
Posts: 18
Joined: Wed Aug 17, 2011 1:42 pm

Using nmap and nessus with metasploit

Post by CaptainCheeseTits » Sun Sep 25, 2011 6:20 am

I installed a vulnerable version of icecast on my Windows 7 VM and scanned it with nessus. I loaded the .nessus file into a metasploit db then ran db_autopwn but it didn't create any sessions. It tried to run about 50 exploits but didn't run the icecast exploit. I conclude that this approach isn't very effective. I notice that metasploit ran the exploits quite rapidly so I could instead just port scan the victim to get a list of open ports then run every single possible exploit associated with those open ports. Or I could just try every single windows exploit. Is there a command in metasploit to do this?

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Using nmap and nessus with metasploit

Post by Cool_Fire » Mon Sep 26, 2011 3:56 pm

As far as I know not in metasploit, but this command exists in armitage. It's the hail-mary attack. You can do it either by port or by vulnerability. (If vulnerability scan results are available.)

Besides that, it'd probably be a lot more effective and a LOT more stealthy to just search for icecast exploits through msfconsole and tune/launch them manually.

Also, make sure you have a clear path for the payload to connect its session. (An open port on the target for regular sessions, or an open port to your metasploit machine for reverse and/or staged payloads.)
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

Thor
htd0rg lieutenant
Posts: 440
Joined: Tue Dec 18, 2007 9:39 am
Location: Location Location

Re: Using nmap and nessus with metasploit

Post by Thor » Mon Sep 26, 2011 8:16 pm

Well I know you can use nmap in metasploit for this purpose. Then you can run autopwn against those ports. I'm not sure if you're indicating you tried that or not, but here's pretty much how you would do that:

Code:

db_nmap 192.168.0.1 -p 8000
db_autopwn -p -e

With that, it would scan port 8000 (that's icecast, isn't it?), and launch any exploits that match for that port. You could do whatever nmap options, but need root/admin before you start metasploit. The autopwn attack is the one that normally will try to launch any and all exploits at the machine in hopes one works.

What it doesn't do is any checks that you would normally do manually to see if the unsuccessful launching of an exploit will crash the service or machine. This is why it is better to narrow it down to either only open ports with nmap, or a single service with a targeted exploit. The latter being optimal.

Also, mind you I haven't tinkered with metasploit in some time, but I think you still want to tell it what driver to use and create a database first:

Code:

db_driver sqlite3 or something?
db_create mydb
db_nmap 192.168.0.1 -p 8000
db_autopwn -p -e

Quidquid latine dictum sit, altum sonatur.
- Whatever is said in Latin sounds profound.

Omnis Vestri Substructio Es Servus Ad Nobis.
- All Your Base Are Belong To Us

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Using nmap and nessus with metasploit

Post by Cool_Fire » Tue Sep 27, 2011 6:32 am

I think they dropped sqlite3 support a few versions back.

Thor
htd0rg lieutenant
Posts: 440
Joined: Tue Dec 18, 2007 9:39 am
Location: Location Location

Re: Using nmap and nessus with metasploit

Post by Thor » Wed Sep 28, 2011 3:00 am

Yeah I think it's on postgresql now.

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Using nmap and nessus with metasploit

Post by Cool_Fire » Wed Sep 28, 2011 5:40 am

Thor wrote: Yeah I think it's on postgresql now.
postgres or mysql.

CaptainCheeseTits
n00b
Posts: 18
Joined: Wed Aug 17, 2011 1:42 pm

Re: Using nmap and nessus with metasploit

Post by CaptainCheeseTits » Mon Oct 03, 2011 10:47 am

Cool_Fire wrote: Besides that, it'd probably be a lot more effective and a LOT more stealthy to just search for icecast exploits trough msfconsole and tune/launch them manually.
Yeah of course, I've tried that and it works. That's the reason I assumed db_autopwn should work, because I've tested the exploit so I know it works. The problem is in a real life scenario, I wouldn't automatically know a computer is running a vulnerable version of a program. I'm not sure if nmap would even tell me that IceCast is running on a particular server.
Thor wrote: Well I know you can use nmap in metasploit for this purpose. Then you can run autopwn against those ports. I'm not sure if you're indicating you tried that or not, but here's pretty much how you would do that:
Haven't tried that yet, thanks.

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Using nmap and nessus with metasploit

Post by Cool_Fire » Mon Oct 03, 2011 5:36 pm

CaptainCheeseTits wrote: I'm not sure if nmap would even tell me that IceCast is running on a particular server.
With the -sV flag, yes it can.
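The point Thor and Cool_Fire make between them, that `db_autopwn -p` keys only on the open port while `-sV` identifies the product actually listening, shown as an added example (not code from the thread or from Metasploit): a small parser over nmap's XML output. The XML, host addresses and banners are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV XML output (made up for this example):
# two hosts with port 8000 open, only one of which is really running Icecast.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8000"><state state="open"/>
        <service name="http" product="Icecast streaming media server" version="2.0.1"/>
      </port>
    </ports></host>
  <host><address addr="192.168.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8000"><state state="open"/>
        <service name="http" product="SimpleHTTPServer" version="0.6"/>
      </port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/>
      </port>
    </ports></host>
</nmaprun>"""


def parse_services(xml_text):
    """Return (addr, port, product, version) for every open port in nmap XML."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV could not identify it
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            found.append((addr, int(port.get("portid")), product, version))
    return found


def hosts_by_port(services, port):
    """Port-only matching, which is all db_autopwn -p keys on: every host
    with the port open is selected, whatever is actually listening there."""
    return sorted({addr for addr, p, _, _ in services if p == port})


def hosts_by_product(services, keyword):
    """Matching on the -sV product banner: only hosts running that product."""
    return sorted({addr for addr, _, prod, _ in services
                   if keyword.lower() in prod.lower()})
```

Run against the sample, port matching selects both hosts while product matching selects only the one with an Icecast banner, which is why the port-based run is the noisier of the two.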
