Vulnerability Scanning and 0WNING With Metasploit using Nessus


Vulnerability scanning is part of penetration testing. A vulnerability scanner is an automated program that looks for weaknesses in computer systems, networks, and applications. Many vulnerability scanners are available for penetration testing; here we use Nessus, and we drive it from, and feed its results into, the Metasploit Framework.

Different operating systems respond differently to network probes because of the different networking implementations in use, and a vulnerability scanner uses these unique responses to identify the operating system version and even its patch level. Given a set of user credentials, a scanner can also log into the remote system and enumerate the installed software and services to determine whether they are patched.

The scanner then presents a report of the vulnerabilities detected on the system, which is useful both to network administrators and to penetration testers.

Nessus is a vulnerability management product that analyzes vulnerabilities, controls, and configurations to find the who, what, and where of IT security risk. Tenable Network Security offers several versions of Nessus.

Metasploit’s Nessus plug-in lets you launch scans and pull scan results from Nessus without leaving msfconsole.

Nessus Configuration:

After you have downloaded and installed Nessus, open your web browser and navigate to https://localhost:8834 (8834 is the default port of the Nessus web interface).

Accept the certificate warning (Nessus installs with a self-signed certificate, which is why the browser complains) and log into Nessus using the credentials you created during installation.

You should see the Nessus login window first, and the main Nessus window once you are logged in.

Creating a Nessus Scan Policy:

Before beginning a scan, you first need to create a Nessus scan policy. On the Policies tab, click the green Add button to open the policy configuration window and select Basic Network Scan. The Basic Network Scan wizard has three steps; in the first, fill in the general details of the policy (its name and description):



The next step is to select the scan type. In this case we are scanning an internal network, so we choose Internal from the drop-down list:


The final step is to supply credentials, so that Nessus can log into the targets and detect missing patches and client-side vulnerabilities. Use a dedicated scanning account rather than a shared administrative one: the password is stored in the policy on the Nessus server.


When you are done with your selections, click Submit to save the new policy. Your newly added policy should be displayed under Policies.

Running a Nessus Scan:

After you have created a scan policy, you are ready to configure a scan.

Select the Scans tab, and then click the New Scan button to open the scan configuration window. Give the scan a name, choose the policy you just created, and enter the target(s):


In our example, we are scanning only one host, but you can also enter IP address ranges in CIDR notation or upload a file containing the addresses of the targets you want to scan. When you are satisfied with the scan configuration, click Launch.

Nessus Reports:

After the scan is complete, click on it to see its status and findings. The next step is to export the report:


Importing Results into the Metasploit Framework:

Click the Export button to save the results to your hard drive. The default file format for Nessus reports is “.nessus”, an XML format that Metasploit can import directly, so export the report as Nessus:

Load msfconsole and import the Nessus results file by entering db_import followed by the report filename. This needs a connected database; db_status tells you whether you have one.

msf > db_import nessus_report_test.nessus


To verify that the scanned host and vulnerability data were imported properly, enter hosts. This outputs a brief listing with the target IP address, the number of services detected, and the number of vulnerabilities found by Nessus.



For a complete listing of the vulnerability data that was imported into Metasploit, enter the vulns command:


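What db_import actually reads is the .nessus XML (a NessusClientData_v2 document). The following Python, added here as a worked example and not code from this tutorial, from Metasploit or from Tenable, parses such a file into the per-host listing that hosts and vulns show, and adds a severity filter so you can triage a report before importing it. The embedded report is constructed by hand: the 192.0.2.x hosts and the plugin IDs 11111, 22222 and 33333 are made up (22964 and 19506 are real informational plugins), and the counting rule for "vulns" is this example's own, not necessarily Metasploit's.

```python
"""Parse a Nessus v2 export (.nessus) into the shape msfconsole's `hosts` and
`vulns` tables take after `db_import`, plus a severity filter for triage.

Added example for this tutorial; not Metasploit's or Tenable's code. The
SAMPLE_REPORT below is constructed by hand: the 192.0.2.x hosts and plugin IDs
11111/22222/33333 are made up (22964 and 19506 are real informational plugins)."""
import xml.etree.ElementTree as ET  # does not expand external entities, so a hostile file cannot XXE us

SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="test">
 <ReportHost name="192.0.2.10">
  <HostProperties>
   <tag name="host-ip">192.0.2.10</tag>
   <tag name="operating-system">Linux Kernel 2.6</tag>
  </HostProperties>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="11111" pluginName="constructed critical finding"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="22222" pluginName="constructed medium finding"/>
 </ReportHost>
 <ReportHost name="192.0.2.20">
  <HostProperties><tag name="host-ip">192.0.2.20</tag></HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
  <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="33333" pluginName="constructed high finding"/>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """One dict per <ReportHost>: ip, os, services (set of (port, proto, svc)), findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a Nessus v2 export (root element is <%s>)" % root.tag)
    hosts = []
    for rh in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        services, findings = set(), []
        for item in rh.iter("ReportItem"):
            port, proto = int(item.get("port", "0")), item.get("protocol", "tcp")
            if port:  # port 0 carries host-level plugins (scan info, OS guess), not a service
                services.add((port, proto, item.get("svc_name", "")))
            findings.append({"plugin_id": item.get("pluginID"), "name": item.get("pluginName", ""),
                             "port": port, "proto": proto, "severity": int(item.get("severity", "0"))})
        hosts.append({"ip": props.get("host-ip", rh.get("name")), "os": props.get("operating-system", "unknown"),
                      "services": services, "findings": findings})
    return hosts


def host_summary(hosts):
    """(ip, #services, #vulns) per host. A 'vuln' here is any finding of severity >= 1;
    informational plugins (severity 0) only contribute to the service list."""
    return [(h["ip"], len(h["services"]), sum(1 for f in h["findings"] if f["severity"] >= 1))
            for h in hosts]


def triage(hosts, min_severity=3):
    """Findings at or above min_severity, most severe first: (ip, port, plugin_id, name, label)."""
    rows = [(h["ip"], f["port"], f["plugin_id"], f["name"], SEVERITY[f["severity"]], f["severity"])
            for h in hosts for f in h["findings"] if f["severity"] >= min_severity]
    rows.sort(key=lambda r: (-r[5], r[0], r[1]))
    return [r[:5] for r in rows]


def load_nessus(path):
    """Parse an exported report from disk, e.g. the file you would pass to db_import."""
    with open(path, "rb") as fh:
        return parse_nessus(fh.read())


if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_REPORT)
    for ip, n_svc, n_vuln in host_summary(hosts):
        print("%-15s services=%d vulns=%d" % (ip, n_svc, n_vuln))
    for ip, port, pid, name, label in triage(hosts, min_severity=1):
        print("%-15s %5d  %-6s %-8s %s" % (ip, port, pid, label, name))
```

Point load_nessus at the file you exported from Nessus to get the same summary for a real scan; the severity numbers are the ones Nessus writes into the file (0 informational through 4 critical), and the high-and-above default of triage is a reasonable first cut before you decide what to import and chase with Metasploit.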

If you would rather not work with the Nessus GUI at all, you can drive Nessus from within Metasploit by loading the nessus plug-in.

Vulnerability Scanning with Metasploit’s Nessus Plug-in:

The Nessus plug-in lets you control Nessus completely from the Metasploit Framework: run scans, interpret results, and launch attacks based on the vulnerabilities Nessus identifies.

First clear out the results of the previous run. Metasploit stores imported hosts, services and vulns per workspace, and deleting a workspace drops everything in it, so delete the default workspace with workspace -d (workspace -a <name> creates a fresh one if you want to keep engagements apart):

msf > workspace -d default


Load the Nessus plug-in with load nessus. Running nessus_help then lists all of the commands the plug-in supports:

msf > load nessus

msf > nessus_help


Before starting a scan with the plug-in, you first need to authenticate to your Nessus server with nessus_connect, giving the username, password, host and port. Note that the password typed here ends up in the msfconsole history file (~/.msf4/history), another reason to use a dedicated Nessus account:

msf > nessus_connect sathish:bhuvi@localhost:8834

As with the GUI version of Nessus, a scan is started from a defined policy, which the plug-in identifies by its policy ID number. To list the available scan policies on the server, use nessus_policy_list:

msf > nessus_policy_list

Note the ID of the policy you want to use, then launch a new scan with nessus_scan_new followed by the policy ID, a name for the scan, and the target IP address(es):

msf > nessus_scan_new 2 test <target IP>

While the scan is in progress you can check on it with nessus_scan_status. When the command responds with “No Scans Running,” the scan has completed:

msf > nessus_scan_status

After the scan has completed, list the available scan reports with nessus_report_list. Identify the ID of the report you want, and enter nessus_report_get with that ID to download the report and import it into the Metasploit database automatically:

msf > nessus_report_get <report ID>


You can use hosts to verify that the scan data was imported successfully, and vulns to list every vulnerability it contains, exactly as after a manual db_import. As these examples show, Metasploit is a powerful framework for the penetration tester.
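The plug-in commands above (nessus_connect, nessus_policy_list, nessus_scan_new, nessus_scan_status, nessus_report_get) are requests to the Nessus server's API. The following Python script, added here as a worked example and not the plug-in's, Metasploit's or Tenable's code, performs the same workflow directly against that API and ends with the .nessus bytes that db_import reads. It assumes the JSON REST API of Nessus 6 and later (the /session, /policies, /scans, /scans/<id>/launch and /scans/<id>/export endpoints); the plug-in version shown in this tutorial talked to the older XML-RPC interface, so the steps match but the wire protocol does not. ScriptedTransport, with its token, policy and scan IDs, is constructed so the script runs offline; leave transport unset to talk to a real server.

```python
"""Drive Nessus from a script: the nessus_connect / nessus_policy_list / nessus_scan_new /
nessus_scan_status / nessus_report_get workflow, spoken directly to the server's API.
Added example, not Tenable's or Metasploit's code. Assumes the JSON REST API of Nessus 6
and later; the 2014 plug-in used Nessus's older XML-RPC API, so only the steps match."""
import json, ssl, time, urllib.error, urllib.request


class NessusClient:
    def __init__(self, base_url, cafile=None, transport=None):
        self.base_url, self.token = base_url.rstrip("/"), None
        # Nessus uses a self-signed certificate. Pin it (save the PEM from the browser,
        # pass it as cafile) instead of disabling verification: /session sends your password.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.transport = transport or self._http  # (method, path, body, headers) -> (status, bytes)
    def _http(self, method, path, body, headers):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # surface 4xx/5xx as a status, like any transport
            return err.code, err.read()
    def raw(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Cookie"] = "token=" + self.token  # bearer token issued by /session
        status, data = self.transport(method, path, body, headers)
        if status >= 400:
            raise RuntimeError("%s %s failed: HTTP %d" % (method, path, status))
        return data
    def call(self, method, path, body=None):
        return json.loads(self.raw(method, path, body))
    def login(self, username, password):  # nessus_connect
        self.token = self.call("POST", "/session", {"username": username, "password": password})["token"]
    def find_policy(self, name):  # the list nessus_policy_list prints, looked up by name
        for p in self.call("GET", "/policies").get("policies") or []:
            if p["name"] == name:
                return p["id"], p["template_uuid"]
        raise LookupError("no policy named %r" % name)
    def create_and_launch(self, policy_name, scan_name, targets):  # nessus_scan_new
        policy_id, template = self.find_policy(policy_name)
        settings = {"name": scan_name, "policy_id": policy_id, "text_targets": targets}
        scan_id = self.call("POST", "/scans", {"uuid": template, "settings": settings})["scan"]["id"]
        self.call("POST", "/scans/%d/launch" % scan_id)
        return scan_id
    def wait(self, scan_id, poll=15, timeout=4 * 3600, sleep=time.sleep):  # nessus_scan_status
        deadline = time.monotonic() + timeout
        while True:
            status = self.call("GET", "/scans/%d" % scan_id)["info"]["status"]
            if status in ("completed", "canceled", "aborted"):
                return status
            if time.monotonic() > deadline:
                raise TimeoutError("scan %d still %s after %ds" % (scan_id, status, timeout))
            sleep(poll)
    def export_nessus(self, scan_id, sleep=time.sleep):  # nessus_report_get
        file_id = self.call("POST", "/scans/%d/export" % scan_id, {"format": "nessus"})["file"]
        while self.call("GET", "/scans/%d/export/%d/status" % (scan_id, file_id))["status"] != "ready":
            sleep(2)
        return self.raw("GET", "/scans/%d/export/%d/download" % (scan_id, file_id))


def scan_and_export(client, username, password, policy_name, scan_name, targets, sleep=time.sleep):
    """Whole workflow; returns (scan_id, .nessus bytes) ready to be written out for db_import."""
    client.login(username, password)
    scan_id = client.create_and_launch(policy_name, scan_name, targets)
    final = client.wait(scan_id, sleep=sleep)
    if final != "completed":
        raise RuntimeError("scan %d ended as %s; not exporting a partial report" % (scan_id, final))
    return scan_id, client.export_nessus(scan_id, sleep=sleep)


class ScriptedTransport:
    """Offline stand-in for a Nessus server. Constructed: token, ids and policy are made up."""
    REPLIES = {
        ("GET", "/policies"): b'{"policies":[{"id":7,"name":"Basic Network Scan","template_uuid":"tmpl-basic"}]}',
        ("POST", "/scans"): b'{"scan":{"id":42}}',
        ("POST", "/scans/42/launch"): b'{"scan_uuid":"abc"}',
        ("POST", "/scans/42/export"): b'{"file":5}',
        ("GET", "/scans/42/export/5/status"): b'{"status":"ready"}',
        ("GET", "/scans/42/export/5/download"): b'<NessusClientData_v2><Report name="test"/></NessusClientData_v2>',
    }
    def __init__(self):
        self.log, self.polls = [], 0
    def __call__(self, method, path, body, headers):
        self.log.append((method, path))
        if path == "/session":
            return 200, b'{"token":"t0k3n"}'
        if headers.get("X-Cookie") != "token=t0k3n":  # everything else requires the session token
            return 401, b'{"error":"Invalid Credentials"}'
        if (method, path) == ("GET", "/scans/42"):  # report "running" twice, then "completed"
            self.polls += 1
            return 200, b'{"info":{"status":"%s"}}' % (b"completed" if self.polls > 2 else b"running")
        return (200, self.REPLIES[(method, path)]) if (method, path) in self.REPLIES else (404, b"{}")


if __name__ == "__main__":
    fake = ScriptedTransport()
    client = NessusClient("https://localhost:8834", transport=fake)  # omit transport= for a real server
    scan_id, report = scan_and_export(client, "user", "pass", "Basic Network Scan", "test",
                                      "192.0.2.10", sleep=lambda _: None)
    print("scan %d: %d-byte .nessus export; calls: %s" % (scan_id, len(report), [p for _, p in fake.log]))
```

Two design choices matter more than the endpoints. The client never turns off certificate verification; against a self-signed Nessus you export the server certificate once and pass it as cafile, which pins it and keeps the password sent to /session from going to an impostor on port 8834. And the workflow refuses to export anything but a completed scan, so an aborted run cannot quietly produce a half-empty report that you then trust after db_import.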

A vulnerability scanner is a program that assesses computers, systems, networks, or applications for weaknesses, and running one is part of penetration testing: if you do not know the target’s vulnerabilities, the rest of the engagement will rarely succeed.

