Vulnerability scanning is part of penetration testing. A vulnerability scanner is an automated program designed to look for weaknesses in computer systems, networks, and applications. There are many vulnerability scanners available for penetration testing, but here we use the Metasploit Framework for vulnerability scanning.
Various operating systems respond differently because of the different networking implementations in use. A vulnerability scanner uses these unique responses to determine the operating system version and even its patch level. A vulnerability scanner can also use a given set of user credentials to log into the remote system and enumerate the software and services to determine whether they are patched.
The scanner presents a report outlining any vulnerability detected on the system. That report can be useful for both network administrators and penetration testers.
Banner Grabbing with Netcat:-
Let’s look at a basic scan using Netcat. We use netcat to grab a banner from the target. Banner grabbing is the act of connecting to a remote network service and reading the service identification. Many network services such as web, file transfer, and mail servers return their banner either immediately upon connecting to them or in response to a specific command.
#nc 192.168.20.134 80
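The same banner grab, written out as an added example (not from the original post) so the two cases the text mentions are both handled: a service that greets on connect and one, like a web server, that only answers a request. The start_fake_service helper is a constructed local stand-in for the 192.168.20.134 target.

```python
import socket
import threading

# Added example, not from the original post: a banner grabber that does what
# the nc command above does by hand. It first waits for a greeting (services
# such as SMTP or FTP talk first) and, if the service stays silent, sends a
# harmless HTTP HEAD probe, since web servers only answer a request.
# start_fake_service is a constructed stand-in for the 192.168.20.134 target.

def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", timeout=2.0):
    """Return the non-empty lines of the service's first reply, or [] if silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:                       # no greeting: ask, as nc users type HEAD
            try:
                s.sendall(probe)
                data = s.recv(1024)
            except OSError:                # timeout or the service closed on us
                return []
    return [ln.decode("latin-1") for ln in data.split(b"\r\n") if ln]


def start_fake_service(banner, greets_first):
    """Constructed local service: either greets on connect or waits for input."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if not greets_first:
            conn.recv(1024)                # HTTP-style: wait for the request
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_service(b"HTTP/1.0 200 OK\r\nServer: Example/1.0 (constructed)\r\n\r\n", False)
    print(grab_banner("127.0.0.1", port))
```

The Server line is exactly the version string a scanner keys on, which is why hardening guides recommend trimming it.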
Vulnerability scans often contain many false positives (a reported vulnerability where none exists) and false negatives (failure to log a vulnerability where one exists) due to subtle differences in system and application configurations.
Let’s take a look at some of the more useful vulnerability scanners, including Nessus, and some specialized scanners.
Vulnerability Scanning with Nessus:-
Nessus is a vulnerability management solution that analyzes vulnerabilities, controls, and configurations to find the who, what, and where of IT security risk. Tenable Network Security offers multiple versions of Nessus. Metasploit’s Nessus plug-in lets you launch scans and pull information from Nessus scans from within the Metasploit console.
Nessus Configuration:
· After you have downloaded and installed Nessus, open your web browser and navigate to https://:8834
· Accept the certificate warning, and log into Nessus using the credentials you created during installation.
· You should see the Nessus login window, as shown below.
You should see the Nessus window after login, as shown below.
Creating a Nessus Scan Policy:
Before beginning a scan, you first need to create a Nessus scan policy. On the Policies tab, click the green Add button to open the policy configuration window and select Basic Network Scan, shown below:
Basic Scan has three steps to configure a Basic Network Scan policy. So we select Basic Network Scan from the list and fill in the details shown below:
The next step is to select the scan type. In this case we are scanning an internal network, so we choose Internal from the dropdown list as shown below:
The final step is to fill in credentials to detect missing patches and client-side vulnerabilities, as shown below:
When you are done with your selections, click Submit to save the new policy. Your newly added policy should be displayed under Policies.
Running a Nessus Scan:
After you have created a scan policy, you are ready to configure a scan.
Select the Scans tab, and then click the New Scan button to open the scan configuration window. Fill in the scan details as shown below:
In our example, we are scanning only one host, but you can also enter IP address ranges in CIDR notation or even upload a file containing the addresses of the targets you want to scan. When you are satisfied with the scan configuration, click Launch.
Nessus Reports:
After the scan is complete, click on the scan to see its status. Now import the report as shown below:
Importing Results into the Metasploit Framework:
Now let’s import our results into the Metasploit Framework.
Click the Export button to save the results to your hard drive. The default file format for Nessus reports is “.nessus”, which Metasploit supports. So export the report as Nessus as shown below:
Load msfconsole, and import the Nessus results file by entering db_import followed by the report filename.
To verify that the scanned host and vulnerability data were imported properly, enter hosts as shown next. This should output a brief listing with the target IP address, the number of services detected, and the number of vulnerabilities found by Nessus.
For a complete listing of the vulnerability data that was imported into Metasploit, enter the vulns command as shown below:
These vulnerabilities are what you work from during your pentesting.
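To show what db_import actually reads, here is an added example (not from the original post or from Metasploit) that parses the “.nessus” v2 XML and derives the per-host service and vulnerability counts the hosts and vulns commands display. The embedded document is constructed; its plugin IDs and names are placeholders.

```python
import xml.etree.ElementTree as ET

# Added example, not from the original post: a minimal reader for the
# ".nessus" (NessusClientData_v2) XML that db_import consumes. It derives the
# per-host service and vulnerability counts that the hosts and vulns commands
# display. SAMPLE is constructed; plugin IDs and names are placeholders.
SAMPLE = """<NessusClientData_v2>
<Report name="constructed">
 <ReportHost name="192.168.20.134">
  <HostProperties>
   <tag name="host-ip">192.168.20.134</tag>
   <tag name="operating-system">Placeholder OS</tag>
  </HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="100001" pluginName="Host information (placeholder)"/>
  <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
   pluginID="100002" pluginName="Web server detection (placeholder)"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
   pluginID="100003" pluginName="Critical SMB finding (placeholder)"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
   pluginID="100004" pluginName="Medium SMB finding (placeholder)"/>
 </ReportHost>
</Report>
</NessusClientData_v2>"""

def parse_nessus(xml_text):
    """Return {ip: {"os", "services", "vulns"}} from a .nessus v2 document."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): t.text for t in rh.iter("tag")}
        ip = props.get("host-ip", rh.get("name"))
        entry = {"os": props.get("operating-system", ""),
                 "services": set(), "vulns": []}
        for item in rh.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port:                         # port 0 = host-level info, not a service
                entry["services"].add((port, item.get("protocol")))
            if int(item.get("severity", "0")) > 0:   # severity 0 = informational
                entry["vulns"].append({"port": port, "svc": item.get("svc_name"),
                                       "plugin": item.get("pluginID"),
                                       "name": item.get("pluginName"),
                                       "severity": int(item.get("severity"))})
        hosts[ip] = entry
    return hosts

def hosts_summary(parsed):
    """Rows like msfconsole's hosts table: (address, os, #services, #vulns)."""
    return [(ip, h["os"], len(h["services"]), len(h["vulns"]))
            for ip, h in sorted(parsed.items())]
```

Severity-0 items are why a host can show many Nessus findings but few entries in vulns: informational plugins are not vulnerabilities.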
Vulnerability Scanning using Metasploit’s Nessus Plug-in:
The Nessus plug-in allows you to control Nessus completely through the Metasploit Framework: run scans, interpret results, and launch attacks based on the vulnerabilities identified through Nessus.
First destroy the existing database. In older versions of the Metasploit Framework we could destroy the database using the db_destroy command and create a new one using db_connect. But nowadays we use the workspace command to do the same. So delete the previous pentesting results as shown below:
Load the Nessus plug-in by running load nessus. Running the command nessus_help will display all of the commands that the plug-in supports, as shown below:
Before starting a scan with the Nessus plug-in, you first need to authenticate to your Nessus server using the nessus_connect command.
As with the GUI version of Nessus, you need to initiate a scan using a defined policy by its policy ID number. To list the available scan policies on the server, use nessus_policy_list.
Take the policy ID to use for your scan, and then launch a new scan with nessus_scan_new followed by the policy number, a name for your scan, and your target IP address as shown below.
While your scan is in progress, you can see its status by running the nessus_scan_status command. When this command’s output responds with “No Scans Running,” as shown next, you will know that your scan has completed.
After the scan has completed, you can list the available scan reports with the nessus_report_list command.
Identify the ID of the report you want to import and enter nessus_report_get to download the report and import it into the Metasploit database automatically.
You can use hosts to verify that the scan data was imported successfully.
SMB Login vulnerability scanning:
To check the validity of a username and password combination, use the SMB Login Check Scanner to connect to a range of hosts. As you might expect, this scan is loud and noticeable, and each login attempt will show up in the event logs of every Windows machine.
After selecting the smb_login module with use, you can run show options to see the settings listed under the Required column. Metasploit allows you to specify a username and password combination, a username and password list, or a combination of either. Also set RHOSTS and THREADS.
#use auxiliary/scanner/smb/smb_login
Now run our scan using the run command. The result is shown below.
Most of the time it doesn’t work, but don’t worry. That’s a part of penetration testing. Penetration testing is not an easy thing at all. Keep testing and testing and you will get success. It’s a rule of the penetration testing process. So don’t panic when an attempt doesn’t succeed.
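The text notes that every smb_login attempt lands in the Windows event logs. As an added example (not from the original post), here is the detection a defender would run over those logs: it flags a source that produces a burst of failed network logons (Event ID 4625, logon type 3) and notes whether a successful logon (4624) from the same source followed. The log lines are constructed in a simplified one-line key=value form, not real exported events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original post. The text notes that every
# smb_login attempt lands in the Windows Security log; this flags sources
# with a burst of failed network logons (Event ID 4625, logon type 3) and
# notes whether a successful logon (4624) from the same source followed.
# LOG is constructed, in a simplified one-line key=value form per event.
LOG = """\
2024-03-01T09:00:01 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=192.168.20.10
2024-03-01T09:00:01 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=192.168.20.10
2024-03-01T09:00:02 EventID=4625 LogonType=3 TargetUserName=guest IpAddress=192.168.20.10
2024-03-01T09:00:02 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.168.20.10
2024-03-01T09:00:03 EventID=4624 LogonType=3 TargetUserName=administrator IpAddress=192.168.20.10
2024-03-01T09:03:00 EventID=4625 LogonType=2 TargetUserName=alice IpAddress=-
2024-03-01T09:10:00 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=192.168.20.77
"""

def parse_line(line):
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_login_sweeps(log_text, threshold=4, window=timedelta(seconds=60)):
    """Sources with at least threshold failed network logons inside one window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["LogonType"] != "3" or r["IpAddress"] == "-":
            continue                  # local/interactive logons are out of scope
        if r["EventID"] == "4625":
            failures[r["IpAddress"]].append(r)
        elif r["EventID"] == "4624":
            successes[r["IpAddress"]].append(r)
    hits = {}
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            # window anchored at each failure in turn; stop at the first burst
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                hits[src] = {
                    "failures": len(burst),
                    "users": len({r["TargetUserName"] for r in burst}),
                    "success_after": any(s["ts"] >= first["ts"] for s in successes[src]),
                }
                break
    return hits
```

A burst across many distinct usernames followed by a 4624 is the pattern worth alerting on, because it means one of the guessed pairs worked.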
Vulnerability scanning with Metasploit’s WMAP plug-in:
WMAP is a good web vulnerability scanner, and it was originally created from a tool named SQLMap. This tool is integrated with Metasploit and allows us to conduct web app scanning. So in this topic we will discuss WMAP.
So we need to launch msfconsole and load the WMAP plug-in as shown below.
Now type help and it will show all usage commands for wmap, as in the screenshot below.
Now we need to add a site using the wmap_sites command. The syntax is wmap_sites -a . Here we hosted a web application on our local machine, which is why we add the local IP address. So let’s add the site as shown below.
After creating the site we can check our added sites by typing wmap_sites -l, and it will list all sites.
Now we need to add the target. Type the wmap_targets -h command to list all wmap_targets usage options, and add our target using the -d option. So the syntax is wmap_targets -d ID as shown below.
We can see that it loaded the target address. Now we can check the list to see whether our target was added using the wmap_targets -l command.
Now the target is successfully added and we can run wmap to scan the web application. We use the wmap_run command to scan. But before running this command, check all the usage options by typing wmap_run -h.
Now we can see in the usage options that -t is for checking all enabled modules, so we use -t first by typing the wmap_run -t command.
Now start scanning by typing the wmap_run -e command. It will start scanning with all enabled modules as shown below.
It will take some time, depending on how big the application is. After the scan completes, it will look like this.
We can check all vulnerabilities by typing the vulns command. As you can see from the tutorials above, Metasploit is a powerful framework for penetration testers.
A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses, and it is a part of penetration testing. If you do not know the target’s vulnerabilities, then most of the time you cannot succeed in your penetration testing process.