Pasar Resultado de escaneo de Nmap al MSF
[Metasploit By: Shell Root]
En la practica anterior, pudimos observar como logramos pasar el resultado de un scanneo de
Nessus, ahora veremos como hacer lo mismo, pero ahora con el scanner
Nmap.
Recordemos que realizamos este paso para un mejor y rapido acceso a los datos almacenados.Primero que todo ingresemos a la consola del Metasploit. Despues crearemos una nueva base de datos, recordemos de eliminar la base de datos anteriores. Así:
shell@ShellRoot:~/msf3$ ./msfconsole
888 888 d8b888
888 888 Y8P888
888 888 888
88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888
888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888
888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b.
888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
888
888
888
=[ metasploit v3.3.3-release [core:3.3 api:1.0]
+ -- --=[ 481 exploits - 220 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
msf > db_destroy
[*] Deleting /home/shell/.msf3/sqlite3.db...
msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /home/shell/.msf3/sqlite3.db
msf >
Ahora escaneemos algunas IP's con el Nmap y la guardamos dentro de un archivo XML.
Para posteriormente leer el archivo desde el Metasploit. El archivo lo llamaremos: Prueba1
msf > nmap -v -sV 192.168.0.1/24 -oA /home/shell/Prueba1
[*] exec: nmap -v -sV 192.168.0.1/24 -oA /home/shell/Prueba1
Starting Nmap 4.62 ( http://nmap.org ) at 2010-01-02 16:06 COT
Initiating Ping Scan at 16:06
Scanning 256 hosts [1 port/host]
Completed Ping Scan at 16:06, 1.03s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 16:06
Completed Parallel DNS resolution of 256 hosts. at 16:06, 13.01s elapsed
Initiating Connect Scan at 16:06
Scanning 3 hosts [1715 ports/host]
Discovered open port 80/tcp on 192.168.0.1
Completed Connect Scan against 192.168.0.1 in 1.48s (2 hosts left)
Completed Connect Scan against 192.168.0.2 in 1.48s (1 host left)
Completed Connect Scan at 16:06, 1.48s elapsed (5145 total ports)
Initiating Service scan at 16:06
Scanning 1 service on 3 hosts
Completed Service scan at 16:06, 5.00s elapsed (1 service on 3 hosts)
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 16:06
Completed SCRIPT ENGINE at 16:06, 0.01s elapsed
Host 192.168.0.1 appears to be up ... good.
Interesting ports on 192.168.0.1:
Not shown: 1714 closed ports
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
Host 192.168.0.2 appears to be up ... good.
All 1715 scanned ports on 192.168.0.2 are closed
Host 192.168.0.3 appears to be up ... good.
All 1715 scanned ports on 192.168.0.3 are closed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 20.856 seconds
msf >
Despues miramos que opciones podemos ejecutar, Usando el comando
Help... xD
msf > help
Database Backend Commands
=========================
Command Description
------- -----------
db_add_host Add one or more hosts to the database
db_add_note Add a note to host
db_add_port Add a port to host
db_autopwn Automatically exploit everything
db_connect Connect to an existing database
db_create Create a brand new database
db_del_host Delete one or more hosts from the database
db_del_port Delete one port from the database
db_destroy Drop an existing database
db_disconnect Disconnect from the current database instance
db_driver Specify a database driver
db_hosts List all hosts in the database
db_import_amap_mlog Import a THC-Amap scan results file (-o -m)
db_import_nessus_nbe Import a Nessus scan result file (NBE)
db_import_nessus_xml Import a Nessus scan result file (NESSUS)
db_import_nmap_xml Import a Nmap scan results file (-oX)
db_nmap Executes nmap and records the output automatically
db_notes List all notes in the database
db_services List all services in the database
db_vulns List all vulnerabilities in the database
db_workspace Switch between database workspaces
msf >
Obviamente usamos el comando
db_import_nmap_xml, que es el que nos permite la importacion del archivo XML que acabamos de crear con el
Nmap.
msf > db_import_nmap_xml /home/shell/Prueba1.xml
msf >
Ahora recordemos los comandos que usamos en el ejemplo de
importacion de resultados del Scanner Nessus.
Miremos los hosts que escanneamos.
msf > db_hosts
Hosts
=====
address address6 arch comm created info mac name os_flavor os_lang os_name os_sp state Svcs Vulns Workspace
------- -------- ---- ---- ------- ---- --- ---- --------- ------- ------- ----- ----- ---- ----- ---------
192.168.0.1 Sat Jan 02 16:10:47 -0500 2010 alive 1 0 default
192.168.0.2 Sat Jan 02 16:10:47 -0500 2010 alive 0 0 default
192.168.0.3 Sat Jan 02 16:10:47 -0500 2010 alive 0 0 default
msf >
Ahora miremos los servicios que estan corriendo.
msf > db_services
Services
========
created info name port proto state Host Workspace
------- ---- ---- ---- ----- ----- ---- ---------
Sat Jan 02 16:10:47 -0500 2010 80 tcp open 192.168.0.1 default
msf >
Como este es un Scanner de puertos y no es tan pontente como el Nessus no podemos ejecutar el comando
db_vulns y el db_autopwn, anque si los ejecutamos no aparecera nada... xD
BY: Shell Root
Mostrar Mensajes
Solo que hay un problema al momento de ejecutarlo en IIS. Pero corre bien, en el Servidor Local de VS...