Using Nessus in Metasploit


Metasploit is a large framework and a very capable one: besides its own many modules, it can also work together with several other security tools, such as Nessus, which is the subject of this post:

1. Before using Nessus from Metasploit you need to create a Nessus account for it (see the earlier posts: Installing Nessus on BackTrack5 R3, and Creating a Nessus account for Metasploit). A dedicated account is recommended; for convenience you can also hand Metasploit the highest-privileged Nessus account, which also lets you share scan data, but where several people use the server it is better to keep account privileges separate;

2. Start Metasploit (start the postgresql and metasploit services first) and load the Nessus plugin:

root@hi:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
root@hi:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

Enter the console:

root@hi:~# msfconsole

msf > help    # lists the available commands when you are not yet familiar with them

Core Commands
=============

Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
go_pro Launch Metasploit web GUI
grep Grep the output of another command
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers


Database Backend Commands
=========================

Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces


Auxiliary Commands
==================

Command Description
------- -----------
check Check to see if a target is vulnerable
exploit This is an alias for the run command
pry Open a Pry session on the current module
reload Reloads the auxiliary module
rerun Reloads and launches the auxiliary module
rexploit This is an alias for the rerun command
run Launches the auxiliary module

Load the Nessus plugin:

msf> 

msf> load nessus
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf> nessus_help
[*]
Command Help Text
------- ---------
Generic Commands
----------------- -----------------
nessus_connect Connect to a nessus server
nessus_save Save nessus login info between sessions
nessus_logout Logout from the nessus server
nessus_help Listing of available nessus commands
nessus_server_status Check the status of your Nessus Server
nessus_admin Checks if user is an admin
nessus_server_feed Nessus Feed Type
nessus_find_targets Try to find vulnerable targets from a report
nessus_server_prefs Display Server Prefs

Reports Commands
----------------- -----------------
nessus_report_list List all Nessus reports
nessus_report_get Import a report from the nessus server in Nessus v2 format
nessus_report_vulns Get list of vulns from a report
nessus_report_hosts Get list of hosts from a report
nessus_report_host_ports Get list of open ports from a host from a report
nessus_report_host_detail Detail from a report item on a host

Scan Commands
----------------- -----------------
nessus_scan_new Create new Nessus Scan
nessus_scan_status List all currently running Nessus scans
nessus_scan_pause Pause a Nessus Scan
nessus_scan_pause_all Pause all Nessus Scans
nessus_scan_stop Stop a Nessus Scan
nessus_scan_stop_all Stop all Nessus Scans
nessus_scan_resume Resume a Nessus Scan
nessus_scan_resume_all Resume all Nessus Scans

Plugin Commands
----------------- -----------------
nessus_plugin_list Displays each plugin family and the number of plugins
nessus_plugin_family List plugins in a family
nessus_plugin_details List details of a particular plugin

User Commands
----------------- -----------------
nessus_user_list Show Nessus Users
nessus_user_add Add a new Nessus User
nessus_user_del Delete a Nessus User
nessus_user_passwd Change Nessus Users Password

Policy Commands
----------------- -----------------
nessus_policy_list List all polciies
nessus_policy_del Delete a policy

[*]

Check the scan status:

msf> nessus_scan_status
[*] You must do this before any other commands.
[*] Usage:
[*] nessus_connect username:password@hostname:port <ssl ok>
[*] Example:> nessus_connect msf:[email protected]:8834 ok
[*] OR
[*] nessus_connect username@hostname:port <ssl ok>
[*] Example:> nessus_connect [email protected]:8834 ok
[*] OR
[*] nessus_connect hostname:port <ssl ok>
[*] Example:> nessus_connect 192.168.1.10:8834 ok
[*] OR
[*] nessus_connect
[*] Example:> nessus_connect
[*] This only works after you have saved creds with nessus_save

It tells you that you must log in before you can scan or check scan status (using the account created earlier):

msf> nessus_connect root:root_Pass@localhost:8834

[*] Connecting to https://localhost:8834/ as root
[*] Authenticated

Check the scans belonging to the logged-in account:

msf> nessus_scan_status
[+] Running Scans
[+]

Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
30000bc6-6e40-ab8e-36ad-f1c4aca48198ba7e1aca9c506f0c local_scan root 13:19 Feb 24 2014 running 253 254

[+]

[*] You can:
[+] Import Nessus report to database : nessus_report_get <reportid>
[+] Pause a nessus scan : nessus_scan_pause <scanid>
msf> nessus_user_list
[+] There are 1 users
[+] Nessus users
[+]

Name Is Admin? Last Login
---- --------- ----------
root TRUE 13:43 Feb 24 2014
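The report that `nessus_report_get <reportid>` pulls into the database is, as the help text says, Nessus v2 XML (a `.nessus` file). The following added example, which is not part of the original post or of the Metasploit plugin, parses that format outside msfconsole and sorts the findings by severity so a reviewer can check what was imported; the sample report, its plugin IDs and the CVE string are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a Nessus v2 (.nessus) report, the format that
# nessus_report_get pulls from the server. Plugin IDs and the CVE are
# placeholders, not real scan data.
SAMPLE_NESSUS_V2 = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="scan_innerNet">
 <ReportHost name="192.168.1.101">
  <HostProperties><tag name="host-ip">192.168.1.101</tag></HostProperties>
  <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0" pluginID="0001"
   pluginName="Placeholder service banner check" pluginFamily="Service detection">
   <risk_factor>None</risk_factor>
  </ReportItem>
  <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="3" pluginID="0002"
   pluginName="Placeholder high-severity finding" pluginFamily="Windows">
   <risk_factor>High</risk_factor><cve>CVE-0000-0000</cve>
  </ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

# Nessus v2 severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical
LEVELS = ["info", "low", "medium", "high", "critical"]

def parse_nessus_v2(xml_text):
    """Flatten every ReportItem into a dict joined with its host's IP."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        ip = host.findtext("HostProperties/tag[@name='host-ip']", default=host.get("name"))
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": ip, "port": int(item.get("port")), "proto": item.get("protocol"),
                "severity": LEVELS[sev] if 0 <= sev < len(LEVELS) else "unknown",
                "plugin_id": item.get("pluginID"), "name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "cves": [c.text for c in item.findall("cve")],
            })
    return findings

def triage(findings, minimum="high"):
    """Keep findings at or above `minimum`, worst first, then by host and port."""
    rank = lambda f: LEVELS.index(f["severity"]) if f["severity"] in LEVELS else -1
    keep = [f for f in findings if rank(f) >= LEVELS.index(minimum)]
    return sorted(keep, key=lambda f: (-rank(f), f["host"], f["port"]))

def severity_counts(findings):
    """Counter of findings per severity, e.g. for a one-line summary."""
    return Counter(f["severity"] for f in findings)
```

Run `triage(parse_nessus_v2(open("report.nessus").read()))` on a file exported from the server to get the high and critical items first; lower `minimum` to include informational output.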

List the scan policies (you can create your own from the templates):

msf> nessus_policy_list
[+] Nessus Policy List
[+]

ID Name Comments
-- ---- --------
-1 scan_android
1 10.10.10.1-92___1st
2 xxx
3 192.168.1.102
4 192.168.179.138

I just looked at Tenable's own Nessus documentation, which says that built-in scan policies are shown with negative IDs, while user-created policies get positive IDs starting from 1 (so the scan_android policy above has ID -1, though I don't remember whether I created it myself o(╯□╰)o);
Here we scan with our own policy, ID 2, and use the following command to create a scan task named "scan_innerNet":

msf > nessus_scan_new 2 scan_innerNet 192.168.1.101
[*] Creating scan from policy number 2, called "scan_innerNet" and scanning 192.168.1.101
[*] Scan started. uid is d9e7hcea-bec9-5d3d-6bd8-23eb6e7e5895f63871982c9e2aa2

List the scan plugin families (as you can see, there are a lot of plugins available):

msf> nessus_plugin_list
[+] Plugins By Family
[+]

Family Name Total Plugins
----------- -------------

AIX Local Security Checks 11031
Amazon Linux Local Security Checks 259
Backdoors 94
Brute force attacks 26
CGI abuses 2784
CGI abuses : XSS 529
CISCO 413
CentOS Local Security Checks 1603
DNS 76
Databases 324
Debian Local Security Checks 2811
Default Unix Accounts 86
Denial of Service 103
FTP 233
Fedora Local Security Checks 6524
Firewalls 109
FreeBSD Local Security Checks 2383
Gain a shell remotely 268
General 162
Gentoo Local Security Checks 1810
HP-UX Local Security Checks 1963
Junos Local Security Checks 65
MacOS X Local Security Checks 512
Mandriva Local Security Checks 2663
Misc. 652
Mobile Devices 25
Netware 14
Oracle Linux Local Security Checks 1573
Peer-To-Peer File Sharing 68
Policy Compliance 8
Port scanners 7
RPC 36
Red Hat Local Security Checks 2790
SCADA 3
SMTP problems 130
SNMP 30
Scientific Linux Local Security Checks 1545
Service detection 401
Settings 57
Slackware Local Security Checks 655
Solaris Local Security Checks 3308
SuSE Local Security Checks 5265
Total Plugins 60032
Ubuntu Local Security Checks 2280
VMware ESX Local Security Checks 83
Web Servers 791
Windows 2582
Windows : Microsoft Bulletins 870
Windows : User management 28

[*] List plugins for a family : nessus_plugin_family <family name>

Pausing a scan (try it yourself: nessus_scan_pause requires a scan ID argument, while nessus_scan_pause_all pauses every running scan at once):

msf> nessus_scan_pause
nessus_scan_pause nessus_scan_pause_all
msf> nessus_scan_pause -h
[*] Usage:
[*] nessus_scan_pause <scan id>
[*] Example:> nessus_scan_pause f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca
[*]
[*] Pauses a running scan
[*] use nessus_scan_status to list all available scans
msf> nessus_scan_pause 30000bc6-6e40-ab8e-36ad-f1c4aca48198ba7e1aca9c506f0c
[*] 30000bc6-6e40-ab8e-36ad-f1c4aca48198ba7e1aca9c506f0c has been paused

Resume a scan:

msf> nessus_scan_resume -h
[*] Usage:
[*] nessus_scan_resume <scan id>
[*] Example:> nessus_scan_resume f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca
[*]
[*] resumes a running scan
[*] use nessus_scan_status to list all available scans
msf> nessus_scan_resume 30000bc6-6e40-ab8e-36ad-f1c4aca48198ba7e1aca9c506f0c
[*] 30000bc6-6e40-ab8e-36ad-f1c4aca48198ba7e1aca9c506f0c has been resumed

Miscellaneous (these take some time to get familiar with, but some are quite useful!):

msf> nessus_plugin_family 

[*] Usage:
[*] nessus_plugin_family <plugin family name>
[*] list all plugins from a Family from nessus_plugin_list
msf> nessus_server_status
[+] Nessus Status
[+]

Feed Nessus Version Nessus Web Version
---- -------------- ------------------
HomeFeed 5.2.4 5.0.0 (Build H20130829A)

[+]

Users Policies Running Scans Reports Plugins
----- -------- ------------- ------- -------
1 5 1 13 60032

msf> nessus_server_feed
[+] Nessus Status
[+]

Feed Nessus Version Nessus Web Version
---- -------------- ------------------
HomeFeed 5.2.4 5.0.0 (Build H20130829A)

msf> nessus_help
[*]
Command Help Text
------- ---------
Generic Commands
----------------- -----------------
nessus_connect Connect to a nessus server
nessus_save Save nessus login info between sessions
nessus_logout Logout from the nessus server
nessus_help Listing of available nessus commands
nessus_server_status Check the status of your Nessus Server
nessus_admin Checks if user is an admin
nessus_server_feed Nessus Feed Type
nessus_find_targets Try to find vulnerable targets from a report
nessus_server_prefs Display Server Prefs

Reports Commands
----------------- -----------------
nessus_report_list List all Nessus reports
nessus_report_get Import a report from the nessus server in Nessus v2 format
nessus_report_vulns Get list of vulns from a report
nessus_report_hosts Get list of hosts from a report
nessus_report_host_ports Get list of open ports from a host from a report
nessus_report_host_detail Detail from a report item on a host

Scan Commands
----------------- -----------------
nessus_scan_new Create new Nessus Scan
nessus_scan_status List all currently running Nessus scans
nessus_scan_pause Pause a Nessus Scan
nessus_scan_pause_all Pause all Nessus Scans
nessus_scan_stop Stop a Nessus Scan
nessus_scan_stop_all Stop all Nessus Scans
nessus_scan_resume Resume a Nessus Scan
nessus_scan_resume_all Resume all Nessus Scans

Plugin Commands
----------------- -----------------
nessus_plugin_list Displays each plugin family and the number of plugins
nessus_plugin_family List plugins in a family
nessus_plugin_details List details of a particular plugin

User Commands
----------------- -----------------
nessus_user_list Show Nessus Users
nessus_user_add Add a new Nessus User
nessus_user_del Delete a Nessus User
nessus_user_passwd Change Nessus Users Password

Policy Commands
----------------- -----------------
nessus_policy_list List all polciies
nessus_policy_del Delete a policy

[*]
msf> nessus_admin
[+] Your Nessus user is an admin
msf> nessus_find_targets
[-] Unknown command: nessus_find_targets.
msf> nessus_find_targets
[-] Unknown command: nessus_find_targets.
msf> nessus_server_
nessus_server_feed nessus_server_prefs nessus_server_status
msf> nessus_server_prefs
[+] Nessus Server Pref List
[+]

Name Value
---- -----
allow_post_scan_editing yes
auto_enable_dependencies yes
auto_update yes
cgi_path /cgi-bin:/scripts
checks_read_timeout 5
feed_type HomeFeed
listen_address 0.0.0.0
listen_port 1241
log_whole_attack no
max_checks 5
max_hosts 100
non_simult_ports 139, 445, 3389
optimize_test yes
plugin_selection.family.AIX Local Security Checks enabled
plugin_selection.family.Amazon Linux Local Security Checks enabled
plugin_selection.family.Backdoors enabled
plugin_selection.family.Brute force attacks enabled
plugin_selection.family.CGI abuses enabled
plugin_selection.family.CGI abuses : XSS enabled
plugin_selection.family.CISCO enabled
plugin_selection.family.CentOS Local Security Checks enabled
plugin_selection.family.DNS enabled
plugin_selection.family.Databases enabled
plugin_selection.family.Debian Local Security Checks enabled
plugin_selection.family.Default Unix Accounts enabled
plugin_selection.family.Denial of Service disabled
plugin_selection.family.FTP enabled
plugin_selection.family.Fedora Local Security Checks enabled
plugin_selection.family.Firewalls enabled
plugin_selection.family.FreeBSD Local Security Checks enabled
plugin_selection.family.Gain a shell remotely enabled
plugin_selection.family.General enabled
plugin_selection.family.Gentoo Local Security Checks enabled
plugin_selection.family.HP-UX Local Security Checks enabled
plugin_selection.family.Junos Local Security Checks enabled
plugin_selection.family.MacOS X Local Security Checks enabled
plugin_selection.family.Mandriva Local Security Checks enabled
plugin_selection.family.Misc. enabled
plugin_selection.family.Mobile Devices enabled
plugin_selection.family.Netware enabled
plugin_selection.family.Oracle Linux Local Security Checks enabled
plugin_selection.family.Peer-To-Peer File Sharing enabled
plugin_selection.family.Policy Compliance enabled
plugin_selection.family.RPC enabled
plugin_selection.family.Red Hat Local Security Checks enabled
plugin_selection.family.SCADA enabled
plugin_selection.family.SMTP problems enabled
plugin_selection.family.SNMP enabled
plugin_selection.family.Scientific Linux Local Security Checks enabled
plugin_selection.family.Service detection enabled
plugin_selection.family.Settings enabled
plugin_selection.family.Slackware Local Security Checks enabled
plugin_selection.family.Solaris Local Security Checks enabled
plugin_selection.family.SuSE Local Security Checks enabled
plugin_selection.family.Ubuntu Local Security Checks enabled
plugin_selection.family.VMware ESX Local Security Checks enabled
plugin_selection.family.Web Servers enabled
plugin_selection.family.Windows enabled
plugin_selection.family.Windows : Microsoft Bulletins enabled
plugin_selection.family.Windows : User management enabled
plugin_upload yes
plugins_timeout 320
port_range default
reduce_connections_on_congestion no
report_crashes yes
safe_checks yes
silent_dependencies yes
slice_network_addresses no
ssl_cipher_list strong
stop_scan_on_disconnect no
stop_scan_on_hang no
throttle_scan yes
use_kernel_congestion_detection no
xmlrpc_listen_port 8834


msf> nessus_scan_
nessus_scan_new nessus_scan_pause_all nessus_scan_resume_all nessus_scan_stop
nessus_scan_pause nessus_scan_resume nessus_scan_status nessus_scan_stop_all
msf> nessus_scan_new -h
[*] Usage:
[*] nessus_scan_new <policy id> <scan name> <targets>
[*] Example:> nessus_scan_new 1 "My Scan" 192.168.1.250
[*]
[*] Creates a scan based on a policy id and targets.
[*] use nessus_policy_list to list all available policies
msf>

Further reading:

http://www.tenable.com/blog/using-nessus-and-metasploit-together
