Metasploit 渗透测试手册第三版 第二章 信息收集与扫描 -续(翻译)

第二章 信息收集和扫描-续

我们将学习以下内容

Nessus结合使用

NeXpose结合使用

OpenVAS结合使用

接上篇:第二章 信息收集与扫描

14、与Nessus结合

到目前为止,我们已经了解了端口扫描的基础知识,以及学会了Nmap的使用。通过其他一些工具的学习,进一步提高了扫描和信息收集的技术。在接下来的小节中,我们将介绍其他几种扫描目标可用服务和端口的工具,这些工具还可以帮助我们确定特定服务和端口可能存在的漏洞类型。让我们开始漏洞扫描之旅。

Nessus是使用最广泛的漏洞扫描器之一,它可用通过扫描目标发现漏洞并生成详细的报告。Nessus是渗透测试中非常有用的工具。你可用使用它的GUI版本,也可以在Metasploit控制台中使用它。本书主要介绍在msfconsole中使用它。

准备工作

要使用Nessus需要先去Nessus官网注册并取得Licenses。你可以使用Nessus家庭版,此授权是免费的,它允许你扫描个人家庭网络(小于16个IP地址)。然后下载软件安装包进行安装。在Kali中需要下载.deb格式的包,然后使用dpkg -i进行安装。

家庭版密钥申请地址:https://www.tenable.com/products/nessus-home

注册

填写注册信息,完成注册,然后会跳转到下载页面

下载页面

根据自己的系统版本,下载32bit或者64bit版本

选择下载

激活密钥会发到你的邮箱里面,请保存下来。

收到激活密钥

下载完成之后进行安装:

root@osboxes:~# cd ~/Downloads/
root@osboxes:~/Downloads# ls
bettercap  bettercap_linux_amd64_2.2.zip  libpcap-1.8.1  libpcap-1.8.1.tar.gz  Nessus-8.3.1-debian6_amd64.deb
root@osboxes:~/Downloads# dpkg -i Nessus-8.3.1-debian6_amd64.deb //安装
Selecting previously unselected package nessus.
(Reading database ... 435326 files and directories currently installed.)
Preparing to unpack Nessus-8.3.1-debian6_amd64.deb ...
Unpacking nessus (8.3.1) ...
Setting up nessus (8.3.1) ...
Unpacking Nessus Scanner Core Components...

 - You can start Nessus Scanner by typing /etc/init.d/nessusd start
 - Then go to https://osboxes:8834/ to configure your scanner

Processing triggers for systemd (241-1) ...
root@osboxes:~/Downloads#

安装完成之后,启动Nessus服务

root@osboxes:~/Downloads# systemctl start nessusd.service

根据提示,使用浏览器打开网址https://osboxes:8834/或者https://127.0.0.1:8834进行配置

1、设置用户名和密码:

设置用户信息

2、选择Home,Professional or Manager,填写激活密钥进行授权激活。

激活

3、激活完成后,Nessus还会安装一系列组件,等待安装完成(需要一段时间,请耐心等待)

安装组件

安装完成后,就可以进行下一步操作了。

怎么做

1、在msfconsole里面载入nessus组件。

msf5 > load nessus //载入nessus组件
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf5 >

2、输入nessus_help命令,可以查看可用参数和帮助信息

msf5 > nessus_help

Command                     Help Text
-------                     ---------
Generic Commands
-----------------           -----------------
nessus_connect              Connect to a Nessus server
nessus_logout               Logout from the Nessus server
nessus_login                Login into the connected Nesssus server with a different username and password
nessus_save                 Save credentials of the logged in user to nessus.yml
nessus_help                 Listing of available nessus commands
nessus_server_properties    Nessus server properties such as feed type, version, plugin set and server UUID.
nessus_server_status        Check the status of your Nessus Server
nessus_admin                Checks if user is an admin
nessus_template_list        List scan or policy templates
nessus_folder_list          List all configured folders on the Nessus server
nessus_scanner_list         List all the scanners configured on the Nessus server
Nessus Database Commands

3、连接到Nessus服务,使用nessus_connect NessusUser:NessusPassword@127.0.0.1命令。

msf5 > nessus_connect nessusroot:Passw0rd@127.0.0.1 //连接到 Nessus 服务
[*] Connecting to https://127.0.0.1:8834/ as nessusroot
[*] User nessusroot authenticated successfully.
msf5 >

4、使用nessus_policy_list可用列出Nessus服务上的所有扫描策略。如果没有,需要先在WebUI界面中创建策略。

msf5 > nessus_policy_list
[-] No policies found
msf5 >

提示没有策略,我们去创建一个

新建策略

我们选择新建一个Basic Network Scan策略

image

配置好相关的参数,然后点保存

设置参数

回到msfconsole里面再次执行nessus_policy_list就看看到了

msf5 > nessus_policy_list
Policy ID  Name       Policy UUID
---------  ----       -----------
4          PenTest01  731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65

msf5 >

5、创建nessus扫描,使用nessus_scan_new --help查看命令帮助信息:

msf5 > nessus_scan_new --help                                                             
[*] Usage:                                                                                
[*] nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>                  
[*] Use nessus_policy_list to list all available policies with their corresponding UUIDs  
msf5 >                                                                                    

6、创建扫描

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 Metasploitable3 Windows_Machine 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called Metasploitable3 - Windows_Machine and scanning 192.168.177.144
[*] New scan added
[-] Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass

Call stack:
/usr/share/metasploit-framework/plugins/nessus.rb:979:in `cmd_nessus_scan_new'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'
msf5 >

此次会报错:Error while running command nessus_scan_new: undefined method []' for nil:NilClass。这是由于Nessus 7开始对远程调用进行认证,从而导致Metasploit调用失败。现在正在等待修复。

解决办法:Nessus Plugin unable to create new scan · Issue #11117 · rapid7/metasploit-framework · GitHub https://github.com/rapid7/metasploit-framework/issues/11117

成功创建扫描:

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 test test 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called test - test and scanning 192.168.177.144
[*] New scan added
[*] Use nessus_scan_launch 6 to launch the scan
Scan ID  Scanner ID  Policy ID  Targets          Owner
-------  ----------  ---------  -------          -----
6        1           5          192.168.177.144  nessusroot

msf5 >

7、使用nessus_scan_list可用查看扫描列表,以及它们的状态

msf5 > nessus_scan_list                             
Scan ID  Name  Owner       Started  Status  Folder  
-------  ----  -----       -------  ------  ------  
6        test  nessusroot           empty   3       
                                                    
msf5 >                                              

8、启动扫描,使用nessus_scan_launch <Scan ID>启动扫描

msf5 > nessus_scan_launch 6
[+] Scan ID 6 successfully launched. The Scan UUID is 67d8e87c-17a6-7693-0b41-666f40291e1464ae15bc02832ca3
msf5 >

再次查看状态:

msf5 > nessus_scan_list
Scan ID  Name  Owner       Started  Status   Folder
-------  ----  -----       -------  ------   ------
6        test  nessusroot           running  3

msf5 >

9、查看扫描的详细信息,使用nessus_scan_details <Scan ID> <info/hosts/vulnerabilities/history>

msf5 > nessus_scan_details 6 info  //查看扫描状态
Status   Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time
------   ------              ---------  ------------     ---------------  -------------
running  Basic Network Scan  test       192.168.177.144  1555301230

msf5 > nessus_scan_details 6 hosts //查看主机
Host ID  Hostname         % of Critical Findings  % of High Findings  % of Medium Findings  % of Low Findings
-------  --------         ----------------------  ------------------  --------------------  -----------------
2        192.168.177.144  1                       0                   0                     0

msf5 > nessus_scan_details 6 vulnerabilities //查看漏洞信息
Plugin ID  Plugin Name  Plugin Family      Count
---------  -----------  -------------      -----
10114      ICMP Timestamp Request Remote Date Disclosure    General            1
10150      Windows NetBIOS / SMB Remote Host Information Disclosure Windows            1
10287      Traceroute Information   General            1
10394      Microsoft Windows SMB Log In Possible    Windows            1
10736      DCE Services Enumeration Windows            8
10785      Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
.....
msf5 > nessus_scan_details 6 history //查看扫描历史
History ID  Status   Creation Date  Last Modification Date
----------  ------   -------------  ----------------------
7           running  1555301230

msf5 >

WebUI上也可以看到我们创建的扫描

image
image

10、当完成扫描后,使用nessus_db_import <Scan ID>将扫描结果导入到Metasploit中。

msf5 > nessus_scan_details 6 info                                                            
Status     Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time    
------     ------              ---------  ------------     ---------------  -------------    
completed  Basic Network Scan  test       192.168.177.144  1555301230       1555302154       
                                                                                             
msf5 > nessus_db_import 6                                                                    
[*] Exporting scan ID 6 is Nessus format...                                                  
[+] The export file ID for scan ID 6 is 2110513949                                           
[*] Checking export status...                                                                
[*] Export status: loading                                                                   
[*] Export status: ready                                                                     
[*] The status of scan ID 6 export is ready                                                  
[*] Importing scan results to the database...                                                
[*] Importing data of 192.168.177.144                                                        
[+] Done                                                                                     
msf5 >                                                                                       

导入进去之后,我们就能使用hostsservices命令查看主机和目标服务的信息了。

msf5 > hosts   
Hosts                                                                                                              
=====                                                                                                              
address          mac                name             os_name       os_flavor  os_sp  purpose  info  comments       
-------          ---                ----             -------       ---------  -----  -------  ----  --------       
192.168.177.1                                        Unknown                         device                        
192.168.177.144  00:0c:29:41:d2:48  METASPLOITABLE3  Windows 2008  Standard   SP1    server                        
192.168.177.145                                      Unknown                         device                   
msf5 > services     
Services       
========                                                                                                                                                                                                              
host             port   proto  name              state  info      
----             ----   -----  ----              -----  ----      
192.168.177.1    21     tcp    ftp               open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a               
192.168.177.144  21     tcp    ftp               open   220 Microsoft FTP Service\x0d\x0a   
192.168.177.144  22     tcp    ssh               open   SSH-2.0-OpenSSH_7.1     
192.168.177.144  80     tcp    www               open   Microsoft IIS httpd 7.5    
192.168.177.144  135    tcp    epmap             open                   
192.168.177.144  137    udp    netbios-ns        open 
.....

查看扫描结果中的漏洞信息,使用vulns指令

msf5 > vulns                                                    
Vulnerabilities                                                
===============                                               
Timestamp                Host             Name         References                                                                                   
---------                ----             ----           ----------                                                                                   
2019-04-12 07:52:51 UTC  192.168.177.144  MS17-010 SMB RCE Detection                                CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-
010,URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-detection-script,URL-htt
ps://technet.microsoft.com/en-us/library/security/ms17-010.aspx            
2019-04-12 09:08:20 UTC  192.168.177.144  HTTP Writable Path PUT/DELETE File Access    
                                                                       OSVDB-397       
2019-04-15 04:25:24 UTC  192.168.177.144  Elasticsearch Transport Protocol Unspecified Remote Code Execution  CVE-2015-5377,NSS-105752,NSS-119499                                                          
2019-04-15 04:25:25 UTC  192.168.177.144  MySQL Server Detection      NSS-10719                                                                                    
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Detection     NSS-109941                                                                                   
2019-04-15 04:25:25 UTC  192.168.177.144  ManageEngine Desktop Central 9 < Build 92027 Multiple Vulnerabilities  CVE-2018-8722,NSS-108752                                                                     
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Unrestricted Access Information Disclosure  NSS-101025  
....

15、与NeXpose结合

在本节,我们将介绍另一个极佳的漏洞扫描器:NeXposeNexPose是领先的漏洞评估工具之一。NeXposeRapid7 常用的工具,它执行漏洞扫描并将结果导入到 Metasploit 数据库中。NeXpose 的用法与 Nessus 类似,让我们快速了解一下如何使用 NeXpose。至于深入探究就留给大家来完成了。

准备工作

NeXpose社区版,可申请免费试用1年:https://www.rapid7.com/info/nexpose-community/

邮箱必须是独立的个人、学校、企业、机构等域名邮箱;第三方邮箱均无效!(如:gmail、新浪、网易、126、腾讯等都视为无效)。

注册,然后下载安装程序进行安装。

image

注册完成,然后下载安装程序

image

安装:安装询问过程,直接敲回车即可,然后填写一个用户信息,设置密码等

root@osboxes:~# chmod +x Rapid7Setup-Linux64.bin
root@osboxes:~# ./Rapid7Setup-Linux64.bin
....
Do you want to continue?                                                                                                                      
Yes [y, Enter], No [n]                                                                                    
Gathering system information....                                                                    
Security Console with local Scan Engine                                                                                                       
If you do not have a console installed yet, this option is recommended. The console manages scan engines and all administrative operations. 
Scan Engine only                          
This distributed engine can start scanning after being paired with a Security Console.   
Select only the set of components you want to install:                                                                                        
Security Console with local Scan Engine [1, Enter]    
Scan Engine only [2]                     
1                                                                                                                                            
Where should Rapid7 Vulnerability Management be installed?                                                                                    
[/opt/rapid7/nexpose]
....
Select any additional installation tasks.    
Initialize and start after installation?     
Yes [y], No [n, Enter]                       
y 
...
If you chose to start the Security Console as part of the installation, then it will be started upon installer completion.
Using the credentials you created during installation, log onto Nexpose at https://localhost:3780.

To start the service run: sudo systemctl start nexposeconsole.service

To start the service run: sudo systemctl start nexposeconsole.service
The Security Console is configured to automatically run at startup. See the
installation guide if you wish to modify start modes.

[Enter]

Finishing installation...

我们设置的用户名:nexpose 密码:Faq3wANIK0 (根据自己喜好设置)

启动脚本,执行/opt/rapid7/nexpose/nsc/nsc.sh 或者systemctl start nexposeconsole,启动需要一段时间,请耐心等待。

然后访问https://localhost:3780配置,等待启动完成,使用用户名和密码登录,然后输入我们申请的Key激活产品

image
image
image

msfconsole中载入nexpose组件,然后连接到nexpose服务

msf5 > load nexpose                                                        
                                                                           
 ▄▄▄   ▄▄            ▄▄▄  ▄▄▄                                              
 ███   ██             ██ ▄██                                               
 ██▀█  ██   ▄████▄     ████    ██▄███▄    ▄████▄   ▄▄█████▄   ▄████▄       
 ██ ██ ██  ██▄▄▄▄██     ██     ██▀  ▀██  ██▀  ▀██  ██▄▄▄▄ ▀  ██▄▄▄▄██      
 ██  █▄██  ██▀▀▀▀▀▀    ████    ██    ██  ██    ██   ▀▀▀▀██▄  ██▀▀▀▀▀▀      
 ██   ███  ▀██▄▄▄▄█   ██  ██   ███▄▄██▀  ▀██▄▄██▀  █▄▄▄▄▄██  ▀██▄▄▄▄█      
 ▀▀   ▀▀▀    ▀▀▀▀▀   ▀▀▀  ▀▀▀  ██ ▀▀▀      ▀▀▀▀     ▀▀▀▀▀▀     ▀▀▀▀▀       
                               ██                                          
                                                                           
[*] Nexpose integration has been activated                                 
[*] Successfully loaded plugin: nexpose                                    
msf5 > nexpose_connect nexpose:Faq3wANIK0@127.0.0.1:3780
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username nexpose...
msf5 >
怎么做

NeXpose服务连接后,我们就可以扫描目标生成报告。NeXpose支持两个扫描命令,一个是nexpose_scan,此命令会扫描目标然后导入结果到metasploit数据库中,另外一个是nexpose_discover,此命令仅发现主机和服务,不导入结果。

1、对目标进行快速扫描(执行最小服务发现扫描)

msf5 > nexpose_discover 192.168.177.144
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf5 >

2、查看nexpose_scan帮助

msf5 > nexpose_scan -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process

msf5 >

3、要扫描目标,使用nexpose_scan -t <template> <target_id>

msf5 > nexpose_scan -t full-audit 192.168.177.144
[*] Scanning 1 addresses with template full-audit in sets of 32
[*] Completed the scan of 1 addresses
msf5 >

4、扫描完成后,导入结果到数据库中,使用nexpose_site_import <site_id>

msf5 > nexpose_site_import 7
[*] Generating the export data file...
[*] Downloading the export data...
[*] Importing Nexpose data...

16、与OpenVAS结合

OpenVAS( Open Vulnerability Assessment System)是Nessus项目的分支。是一个免费开源的漏洞扫描和漏洞管理工具。也是当前使用最为广泛的漏洞扫描和管理开源解决方案。

怎么做

1、在Kali上安装 OpenVAS

root@osboxes:~# apt install openvas -y

2、设置openvas,包括下载规则,创建管理员用户和服务。

root@osboxes:~# openvas-setup //这一步会下载很多东西,请耐心等待

[>] Updating OpenVAS feeds
[*] [1/3] Updating: NVT
--2019-04-15 13:54:37--  http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
Connecting to 192.168.1.91:1080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 22288483 (21M) [application/octet-stream]
....    
经过漫长的等待...
[*] Opening Web UI (https://127.0.0.1:9392) in: 5... 4... 3... 2... 1...

[>] Checking for admin user
[*] Creating admin user
User created with password 'dc63c468-3780-4e3c-b30c-1597f4b91623'.

[+] Done

3、配置完成后,启动openvas ,其实在上一步中已经启动了。也可以用下面的命令启动

root@osboxes:~# openvas-start

访问https://127.0.0.1:9392可登录WebUI

image

4、在msfconsole中载入openvas组件

msf5 > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
msf5 >

5、查看帮助信息

msf5 > help openvas

OpenVAS Commands
================

    Command                       Description
    -------                       -----------
    openvas_config_list           Quickly display list of configs
    openvas_connect               Connect to an OpenVAS manager using OMP
    openvas_debug                 Enable/Disable debugging
    openvas_disconnect            Disconnect from OpenVAS manager
    openvas_format_list           Display list of available report formats
    openvas_help                  Displays help
    openvas_report_delete         Delete a report specified by ID
    openvas_report_download       Save a report to disk
    openvas_report_import         Import report specified by ID into framework
    openvas_report_list           Display a list of available report formats
    openvas_target_create         Create target (name, hosts, comment)
    openvas_target_delete         Delete target by ID
    openvas_target_list           Display list of targets
    openvas_task_create           Create a task (name, comment, target, config)
    openvas_task_delete           Delete task by ID
    openvas_task_list             Display list of tasks
    openvas_task_pause            Pause task by ID
    openvas_task_resume           Resume task by ID
    openvas_task_resume_or_start  Resume task or start task by ID
    openvas_task_start            Start task by ID
    openvas_task_stop             Stop task by ID
    openvas_version               Display the version of the OpenVAS server


msf5 >

6、使用 openvas_connect <username> <password> <host> <port>连接到OpenVAS服务

msf5 > openvas_connect admin dc63c468-3780-4e3c-b30c-1597f4b91623 127.0.0.1 9390
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
msf5 >

7、添加扫描目标,使用openvas_target_create <Name> <Hosts> <Comment>指令,参数包括描述信息,目标的IP

msf5 > openvas_target_create "Metasploitable3" 192.168.177.144 "Windows Target"
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name             Hosts            Max Hosts  In Use  Comment
--                                    ----             -----            ---------  ------  -------
6455a780-092a-40dd-8c01-191a7612505a  Metasploitable3  192.168.177.144  1          0       Windows Target


msf5 >

8、列出配置列表:openvas_config_list

msf5 > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs

ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast


msf5 >

9、创建任务,使用如下指令

 openvas_task_create <name> <Comment> <config_id> <target_id>
msf5 > openvas_task_create  "Metasploitable3" "Windows" 698f691e-7489-11df-9d8c-002264764cea 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment  Status  Progress
--                                    ----             -------  ------  --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  New     -1


msf5 >

10、启动任务,使用openvas_task_start <task_id>

msf5 > openvas_task_start fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>7993d76a-43b3-48c6-ac94-ca630e20db68</report_id></start_task_response></X>msf5 >

11、查看进度,使用openvas_task_list

msf5 > openvas_task_list                                                                                                                                 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeou
t.timeout instead.                                                                                                                                       
[+] OpenVAS list of tasks                                                                                                                                
ID                                    Name             Comment  Status     Progress                                                                      
--                                    ----             -------  ------     --------                                                                      
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  Requested  1      
msf5 >                                               

12、使用openvas_format_list 可以查看OpenVAS支持的报告格式。

msf5 > openvas_format_list                                                                                                                                          
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout i
nstead.                                                                                                                                                             
[+] OpenVAS list of report formats                                                                                                                                  
ID                                    Name           Extension  Summary                                                                                             
--                                    ----           ---------  -------                                                                                             
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report                                                             
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.                                                              
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.                                                               
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.    
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.                                                            
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.     
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.   
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.     
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.   
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.   
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.   
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.  
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.                                                              
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.  
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.  
msf5 >   

13、在WebUI同样可以看到我们创建的任务状态信息

image

14、任务完成后,使用openvas_report_list 查看报告列表。

msf5 > openvas_report_list
[+] OpenVAS list of reports

ID                                    Task Name        Start Time            Stop Time
--                                    ---------        ----------            ---------
4ee7b572-a470-484c-962e-773d3a7eb7b1  Metasploitable3  2019-04-16T02:40:24Z  2019-04-16T03:07:15Z
7993d76a-43b3-48c6-ac94-ca630e20db68  Metasploitable3  2019-04-16T01:15:44Z

15、使用openvas_report_import命令将报告导入到Metasploit中,仅支持NBE(legacy OpenVAS report)和XML格式导入。

msf5 > openvas_report_import 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.

但是这里我们使用的 Metasploit-5.0直接这么导入会报错,无法导入,我们先导出为文件再用db_import导入就可以了。

msf5 > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf5 > openvas_report_download 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 /tmp/ Metasploitable3
[*] Saving report to /tmp/Metasploitable3
msf5 > db_import /tmp/Metasploitable3
[*] Importing 'OpenVAS XML' data
[*] Successfully imported /tmp/Metasploitable3
msf5 >

16、查看OpenVAS扫描的漏洞信息

msf5 > vulns

Vulnerabilities
===============

Timestamp                Host             Name      References
---------                ----             ----                                                                    ----------
2019-04-16 08:15:22 UTC  192.168.177.144  ICMP Timestamp Detection    CVE-1999-0524
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows IIS   CVE-2010-3972,BID-45542
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)  CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,BID-96703,BID-96704,BID-96705,BID-96706,BID-96707,BID-96709
2019-04-16 08:15:23 UTC  192.168.177.144  MS15-034 HTTP.sys Remote Code  CVE-2015-1635
2019-04-16 08:15:23 UTC  192.168.177.144  Oracle Glass Fish Server CVE-2017-1000028
2019-04-16 08:15:23 UTC  192.168.177.144  SSL/TLS: Report 'Anonymous' Cipher Suites                 .....

第三章 服务端漏洞利用(预告)

在本章中,我们将学习以下内容

1、攻击Linux服务器

2、SQL注入攻击

3、shell类型

4、攻击Windows服务器

5、利用公用服务

6、MS17-010 永恒之蓝 SMB远程代码执行Windows内核破坏

7、MS17-010 EternalRomance/EternalSynergy/EternalChampion

8、植入后门

9、拒绝服务攻击

说明

原书:《Metasploit Penetration Testing Cookbook - Third Edition》

https://www.packtpub.com/networking-and-servers/metasploit-penetration-testing-cookbook-third-edition

本文由合天网安实验室编译,转载请注明来源。

关于合天网安实验室

合天网安实验室(www.hetianlab.com)-国内领先的实操型网络安全在线教育平台

真实环境,在线实操学网络安全 ; 实验内容涵盖:系统安全,软件安全,网络安全,Web安全,移动安全,CTF,取证分析,渗透测试,网安意识教育等。

©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 212,294评论 6 493
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 90,493评论 3 385
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 157,790评论 0 348
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 56,595评论 1 284
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 65,718评论 6 386
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,906评论 1 290
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 39,053评论 3 410
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 37,797评论 0 268
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,250评论 1 303
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 36,570评论 2 327
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,711评论 1 341
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,388评论 4 332
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 40,018评论 3 316
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,796评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,023评论 1 266
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 46,461评论 2 360
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 43,595评论 2 350

推荐阅读更多精彩内容