Content

New Nessus Plug-In For Metasploit

Zate Berg has contributed this week the a plug-in for controlling Nessus from inside msfconsole. I do have to say he has put a lot of work in a very small amount of time learning Ruby and coding this plugin in only a few weeks. The plug-in is now part of the Development Brach of the project and several patches have been summited by him and progress has been quick.

First thing is to get the new plugin is to “svn up” to the latest development version of the project and do make sure that your Nessus server is up and running. One note do you must have already created Policies in you server and have them available to the account you will use to login to the Nessus Server.

Lets load the plugin and get and output of the commands available:

 

msf > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf > nessus_help 
[+] Nessus Help
[+] type nessus_help <command> for help with specific commands

Command                    Help Text
-------                    ---------
Generic Commands           
-----------------          -----------------
nessus_connect             Connect to a nessus server
nessus_logout              Logout from the nessus server
nessus_help                Listing of available nessus commands
nessus_server_status       Check the status of your Nessus Server
nessus_admin               Checks if user is an admin
nessus_server_feed         Nessus Feed Type
nessus_find_targets        Try to find vulnerable targets from a report
                           
Reports Commands           
-----------------          -----------------
nessus_report_list         List all Nessus reports
nessus_report_get          Import a report from the nessus server in Nessus v2 format
nessus_report_hosts        Get list of hosts from a report
nessus_report_host_ports   Get list of open ports from a host from a report
nessus_report_host_detail  Detail from a report item on a host
                           
Scan Commands              
-----------------          -----------------
nessus_scan_new            Create new Nessus Scan
nessus_scan_status         List all currently running Nessus scans
nessus_scan_pause          Pause a Nessus Scan
nessus_scan_pause_all      Pause all Nessus Scans
nessus_scan_st
op           Stop a Nessus Scan
nessus_scan_stop_all       Stop all Nessus Scans
nessus_scan_resume         Resume a Nessus Scan
nessus_scan_resume_all     Resume all Nessus Scans
                           
Plugin Commands            
-----------------          -----------------
nessus_plugin_list         Displays each plugin family and the number of plugins
nessus_plugin_family       List plugins in a family
nessus_plugin_details      List details of a particular plugin
                           
User Commands              
-----------------          -----------------
nessus_user_list           Show Nessus Users
nessus_user_add            Add a new Nessus User
nessus_user_del            Delete a Nessus User
nessus_user_passwd         Change Nessus Users Password
                           
Policy Commands            
-----------------          -----------------
nessus_policy_list         List all polciies
nessus_policy_del          Delete a policy

 

As it can be seen there are a lot of commands to choose from. According to Zate Berg not all commands are implemented and that he has 80% of them done at the time of this blog post is written. With the development version we can start playing and familiarizing ourselves with the plugin as it advances. Lets connect to our Nessus Server, this server can be local or remote:

msf > nessus_connect carlos:[email protected] ok
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
msf >

Once we have connected to our server we can check what policies have we defined and use those for performing a scan:

 

msf > nessus_policy_list 
[+] Nessus Policy List

ID  Name     Owner   visability
--  ----     -----   ----------
-1  General  carlos  shared

msf > nessus_scan_new -h
[*] Usage: 
[*]        nessus_scan_new <policy id> <scan name> <targets>
[*]        use nessus_policy_list to list all available policies
msf > nessus_scan_new -1 homelab 192.168.1.1/24
[*] Creating scan from policy number -1, called "homelab" and scanning 192.168.1.1/24
[*] Scan started.  uid is 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196

The scan started and we get an uid of 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196 this ID is important because we will use this ID in next commands so we can check the status of the scan:

msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  79             254


[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  239            254


[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  242            254


[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[+] Running Scans

Scan ID                                               Name     Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----     -----   -------            ------   -------------  -----------
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  carlos  15:46 Sep 26 2010  running  249            254


[*] You can:
[+] 		Import Nessus report to database : 	nessus_report_get <reportid>
[+] 		Pause a nessus scan : 			nessus_scan_pause <scanid>
msf > nessus_scan_status 
[*] Connecting to https://192.168.1.231:8834/ as carlos
[*] Authenticated
[*] No Scans Running.
[*] You can:
[*]         List of completed scans:     	nessus_report_list
[*]         Create a scan:           		nessus_scan_new <policy id> <scan name> <target(s)>
msf > n

As it can be seen in the example above we can see the host count as they are scanned once finished we will see that the scan disappears from the status info. Lets check the results of our scan:

msf > nessus_report_list 
[+] Nessus Report List

ID                                                    Name     Status     Date
--                                                    ----     ------     ----
1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196  homelab  completed  15:52 Sep 26 2010

[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf > nessus_report_hosts
[*] Usage: 
[*]        nessus_report_hosts <report id>
[*]        use nessus_report_list to list all available reports
msf > nessus_report_hosts 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
[+] Report Info

Hostname       Severity  Sev 0  Sev 1  Sev 2  Sev 3  Current Progress  Total Progress
--------       --------  -----  -----  -----  -----  ----------------  --------------
192.168.1.1    24        4      23     1      0      38873             38873
192.168.1.100  5         0      5      0      0      38873             38873
192.168.1.109  3         0      3      0      0      38873             38873
192.168.1.171  214       15     61     20     133    35764             38873
192.168.1.229  12        1      11     1      0      38096             38873
192.168.1.231  38        6      27     5      6      38873             38873
192.168.1.234  20        4      20     0      0      38873             38873
192.168.1.236  28        5      26     2      0      38096             38873
192.168.1.237  5         0      5      0      0      38873             38873
192.168.1.240  159       15     62     12     85     38873             38873
192.168.1.241  32        5      30     1      1      38096             38873
192.168.1.242  31        5      29     1      1      19437             38873
192.168.1.243  6         0      6      0      0      38873             38873
192.168.1.244  23        6      23     0      0      38873             38873
192.168.1.245  17        3      16     1      0      38873             38873

[*] You can:
[*]         Get information from a particular host:          nessus_report_host_ports <hostname> <report id>

As it can be seen from the output above I can see the number of plugins that returned positive and their count. We can now connect to our database and import the data so we can use other modules and plugins. I will connect to a SQLite DB <NOT RECOMMENDED FON PRODUCTION> I know it is buggy and not supported anymore but I will use it for simplicity for my example. Once the DB is created I import the report and parse it in to my MSF DB:

msf > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: msf.db
msf > nessus_report_get 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
[*] importing 1ca69132-f191-d8df-5cd2-97e488acac118301371fb2d6d196
msf > 

Know that it said it finished let’s check with db_hosts the imported records:

msf > db_hosts 

Hosts
=====

address        address6  arch  comm  comments  created_at               info  mac                name                          os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at               svcs  vulns  workspace
-------        --------  ----  ----  --------  ----------               ----  ---                ----                          ---------  -------  -------  -----  -------  -----  ----------               ----  -----  ---------
192.168.1.1                                    2010-09-26 20:23:07 UTC        00:0D:B9:1D:8E:B4  ASAFW.local                                                              alive  2010-09-26 20:23:07 UTC  6     22     default
192.168.1.100                                  2010-09-26 20:23:06 UTC        00:26:BB:15:05:D8  loki.local                                                                 alive  2010-09-26 20:23:06 UTC  1     5      default
192.168.1.109                                  2010-09-26 20:23:06 UTC        7C:6D:62:E0:5E:CD  darkoperator-iPad.local                                                   alive  2010-09-26 20:23:06 UTC  0     3      default
192.168.1.171                                  2010-09-26 20:22:11 UTC        00:0C:29:A7:BD:AF                                                                             alive  2010-09-26 20:22:11 UTC  15    204    default
192.168.1.229                                  2010-09-26 20:22:09 UTC        00:23:32:34:1D:B7  AppleTV.local                                                              alive  2010-09-26 20:22:09 UTC  2     12     default
192.168.1.231                                  2010-09-26 20:22:03 UTC        00:0C:29:EE:13:87  ubuntu.local                                                               alive  2010-09-26 20:22:03 UTC  5     33     default
192.168.1.234                                  2010-09-26 20:22:03 UTC        00:1E:EC:A5:B9:86  pwnage01.local                                                             alive  2010-09-26 20:22:03 UTC  12    20     default
192.168.1.236                                  2010-09-26 20:22:01 UTC        00:0C:29:A2:19:2A  freenas.local                                                              alive  2010-09-26 20:22:01 UTC  6     28     default
192.168.1.237                                  2010-09-26 20:22:01 UTC        00:0C:29:F1:5D:96  winxp01.local                                                              alive  2010-09-26 20:22:01 UTC  0     5      default
192.168.1.240                                  2010-09-26 20:20:49 UTC        00:0C:29:F8:8F:82  win2k801.local                                                             alive  2010-09-26 20:20:49 UTC  15    154    default
192.168.1.241                                  2010-09-26 20:20:48 UTC        00:16:CB:9F:9E:11  infidel02.local                                                            alive  2010-09-26 20:20:48 UTC  7     31     default
192.168.1.242                                  2010-09-26 20:20:44 UTC        00:17:F2:99:D7:CF  infidel03.local                                                            alive  2010-09-26 20:20:44 UTC  7     30     default
192.168.1.243                                  2010-09-26 20:20:44 UTC        00:0C:29:25:89:66  win701.local                                                               alive  2010-09-26 20:20:44 UTC  1     6      default
192.168.1.244                                  2010-09-26 20:20:43 UTC        00:24:8C:5B:FC:B8  Infidel01.local                                                            alive  2010-09-26 20:20:43 UTC  12    23     default
192.168.1.245                                  2010-09-26 20:20:41 UTC        00:17:E0:3E:73:AA  TSGAP01.local                                                              alive  2010-09-26 20:20:41 UTC  3     15     default

As you can see you can do a lot with the plugin and it will get better with time because Zate is now addicted like many of us to coding for the framework. Do follow him on Twitter for updates @zate.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.