Nessus Part II: Integration with Metasploit
Previously I showed you how to install Nessus vulnerability scanner on your Linux system and run some basic scans. Today I would like to show a few more steps on how you can make the most of this and import your scan results directly into Metasploit, as well as how you can actually run the entire scan from within Metasploit itself. You will need to read the previous write up if you are unfamiliar with Nessus, it can be found here. Assuming you have the basics down we can now begin....
Prerequisites:
Click on 'Download Report' in the upper right corner and choose the ".nessus" format which is easily imported and parsed by Metasploit.
Since I am using Metasploitable 2.0 for my target, my report file is now saved on Desktop as "nessus_report_Metasploitable_2.0.nessus" and now we can shift our attention to Metasploit. You will need to fire up the old MSFCONSOLE to get started. Once you have Metasploit started you need to make sure your database is connected so you can actually store what you import, you can use 'db_status' command to confirm database connection status...
Now we issue the 'db_import' command and point it at the file you want to import.
COMMAND: db_import /path/to/your/nessus_report.nessus
You can use this feature for more than just Nessus by the way, it currently supports a wide variety of tools like Acunetix, Amap, Burp Suite, NeXpose, NMAP, OpenVAS and a few more (issue 'db_import' with no arguments to see a full list). You should see a message indicating your import was successful or not, hopefully it was :) You can verify the imported details by use of the 'hosts' , 'services' and 'vulns' commands which will show what is currently in the database, like so:
SIDE-NOTE: You can share scan results from other tools like NMAP scans by following the same steps, although for NMAP you might use 'services' instead of 'vulns' to see the results. You can also scan directly from within MSF by simply using the 'db_nmap' command followed by your usual NMAP syntax and results will be stored directly into the database for continued reference and use.
OK, this covers how to import things from previously run scans as well as any other supported tool which has ability to parse output in a format MSF can use (usually XML based).
Now to see how we can actually run the Nessus scan itself directly from within the MSFCONSOLE. We can delete our imported results by simply issuing the 'hosts -d <TARGET-IP>' which will remove all records for this host IP which is contained in the database from the previous steps. Now we can start fresh and run from the console and check the database for results when its all said and done. First we need to load Nessus plugin since it is not loaded by default. This is done by simply issuing the following command:
COMMAND: load nessus
Now you can issue the suggested 'nessus_help' command to see all the options that are available to use...
OK, so Nessus plugin is now loaded into MSFCONSOLE but it is not actually connected yet. We now need to actually connect MSF to the running Nessus server. We can accomplish this with the 'nessus_connect' command and a set of valid credentials for Nessus, syntax like so:
COMMAND: nessus_connect userName:Password@<NessusServerIP>:8834 ok
NOTE: the 'ok' at the end to avoid issues with connecting due to certs
Now we are connected, we need to setup our scan as we would do in the Browser based GUI configurator. We can check the available scan "policies" by issuing the 'nessus_policy_list' command. You will need to take note of the policy ID number for the scan type you want to run as we will use it in a sec to launch the actual scan...
NOTE: It's odd but the actual '-' prefix to each number should be used to identify the ID :p
Now to launch the actual scan we put it all together:
COMMAND: nessus_scan_new <policy id> <scan name> <targets>
After you initiate the scan Metasploit doesn't try to bother you with a lot of verbose junk since they know your console space is valuable, so it runs in background and with the Nessus Server. In order to check if the scan is still running you can issue the 'nessus_scan_status' command with no arguments. You will be presented with a table of active running scans if still running otherwise it will simply state that there are no scans running, like so:
NOTE: if you need to pause a scan for some reason you can issue the 'nessus_scan_pause <scanid>' command which will pause your scan.
Once your scan has finished you might notice that the results have not yet actually been imported into Metasploit's database. This is because they are still on the Nessus server we connected to. We need to import them as we learned earlier so that everything pulls in. In order to do it this time we will use the Nessus plugin to handle it. You can issue the 'nessus_report_list' command to see a list of finished reports available to download and import, again you need to take note of the ID for the one you wish to work with. Once you know, you simply get it with the 'nessus_report_get' command followd by the report ID., and now we have a scan run from completely within MSFCONSOLE and all results fully populated in the MSF database of our choosing. You can now take your time to search through the results and what is available in Metasploit to exploit each finding.
Hope you enjoyed this follow up to the previous Nessus write-up. I referenced it before and received a few questions so hopefully this covers things in enough details to get you on your way. More to come soon, so stay tuned and until next time - Enjoy!
Prerequisites:
- A Vulnerable Machine (Metasploitable 2.0 being used for today's demo, download available here
- Stable up to date Metasploit installation, see here if you need some help gettting started you can see this here
- Nessus v5 fully installed and running
- Nessus scan profiles and scan types already setup as well as a already completed scan
- a little patience
Click on 'Download Report' in the upper right corner and choose the ".nessus" format which is easily imported and parsed by Metasploit.
Since I am using Metasploitable 2.0 for my target, my report file is now saved on Desktop as "nessus_report_Metasploitable_2.0.nessus" and now we can shift our attention to Metasploit. You will need to fire up the old MSFCONSOLE to get started. Once you have Metasploit started you need to make sure your database is connected so you can actually store what you import, you can use 'db_status' command to confirm database connection status...
Now we issue the 'db_import' command and point it at the file you want to import.
COMMAND: db_import /path/to/your/nessus_report.nessus
You can use this feature for more than just Nessus by the way, it currently supports a wide variety of tools like Acunetix, Amap, Burp Suite, NeXpose, NMAP, OpenVAS and a few more (issue 'db_import' with no arguments to see a full list). You should see a message indicating your import was successful or not, hopefully it was :) You can verify the imported details by use of the 'hosts' , 'services' and 'vulns' commands which will show what is currently in the database, like so:
SIDE-NOTE: You can share scan results from other tools like NMAP scans by following the same steps, although for NMAP you might use 'services' instead of 'vulns' to see the results. You can also scan directly from within MSF by simply using the 'db_nmap' command followed by your usual NMAP syntax and results will be stored directly into the database for continued reference and use.
OK, this covers how to import things from previously run scans as well as any other supported tool which has ability to parse output in a format MSF can use (usually XML based).
Now to see how we can actually run the Nessus scan itself directly from within the MSFCONSOLE. We can delete our imported results by simply issuing the 'hosts -d <TARGET-IP>' which will remove all records for this host IP which is contained in the database from the previous steps. Now we can start fresh and run from the console and check the database for results when its all said and done. First we need to load Nessus plugin since it is not loaded by default. This is done by simply issuing the following command:
COMMAND: load nessus
Now you can issue the suggested 'nessus_help' command to see all the options that are available to use...
OK, so Nessus plugin is now loaded into MSFCONSOLE but it is not actually connected yet. We now need to actually connect MSF to the running Nessus server. We can accomplish this with the 'nessus_connect' command and a set of valid credentials for Nessus, syntax like so:
COMMAND: nessus_connect userName:Password@<NessusServerIP>:8834 ok
NOTE: the 'ok' at the end to avoid issues with connecting due to certs
Now we are connected, we need to setup our scan as we would do in the Browser based GUI configurator. We can check the available scan "policies" by issuing the 'nessus_policy_list' command. You will need to take note of the policy ID number for the scan type you want to run as we will use it in a sec to launch the actual scan...
NOTE: It's odd but the actual '-' prefix to each number should be used to identify the ID :p
Now to launch the actual scan we put it all together:
COMMAND: nessus_scan_new <policy id> <scan name> <targets>
After you initiate the scan Metasploit doesn't try to bother you with a lot of verbose junk since they know your console space is valuable, so it runs in background and with the Nessus Server. In order to check if the scan is still running you can issue the 'nessus_scan_status' command with no arguments. You will be presented with a table of active running scans if still running otherwise it will simply state that there are no scans running, like so:
NOTE: if you need to pause a scan for some reason you can issue the 'nessus_scan_pause <scanid>' command which will pause your scan.
Once your scan has finished you might notice that the results have not yet actually been imported into Metasploit's database. This is because they are still on the Nessus server we connected to. We need to import them as we learned earlier so that everything pulls in. In order to do it this time we will use the Nessus plugin to handle it. You can issue the 'nessus_report_list' command to see a list of finished reports available to download and import, again you need to take note of the ID for the one you wish to work with. Once you know, you simply get it with the 'nessus_report_get' command followd by the report ID., and now we have a scan run from completely within MSFCONSOLE and all results fully populated in the MSF database of our choosing. You can now take your time to search through the results and what is available in Metasploit to exploit each finding.
Hope you enjoyed this follow up to the previous Nessus write-up. I referenced it before and received a few questions so hopefully this covers things in enough details to get you on your way. More to come soon, so stay tuned and until next time - Enjoy!
Comments
Post a Comment