Metasploit Nessus bridge plugin unleashed – Part 3

The Metasploit Team has release a new plugin, a bridge between Metasploit and Nessus. This new plugin is a collaboration between HD Moore, James Lee, Zate Berg, darkoperator and the Nessus Team. If you follow the PaulDotCompodcast, you know that Paul is a employe of the Nessus team and that darkoperator (aka Carlos Perez) is an official developer of the Metasploit project. A good collaboration between the 2 teams how has uncorked on this new important step in Metasploit.

In the first par of the post serie, we have describe all the generic, user and policy command. In the second post we have describe the plugin and scan commands. In this post we will describe the report and “nessus_find_targets” command.

Reports Commands

  • Getting a list of all available reports – nessus_report_list :

To get a list off all available Nessus reports, type the following command :

List of all Nessus reports
List of all Nessus reports
  • Getting all detected hosts from a Nessus report – nessus_report_hosts :

To get all hosts detected by Nessus and present in a report, just run the following command :

nessus_report_hosts

Where “report id” is the unique ID of the report available with the “nessus_report_list” command.

Hosts reported in a Nessus report
Hosts reported in a Nessus report

You will get all the detected hostnames, in the Nessus report, with the number of potential vulnerabilities detected, classified by severities.

  • Getting details on ports vulnerabilities by host – nessus_report_host_ports :

To get ports vulnerabilities details, classified by severities, on a particular host, just run the following command :

nessus_report_host_ports

Where “hostname” is the unique hostname available previous “nessus_report_hosts” command, and “report_id” the unique ID of the report.

Ports vulnerabilities for a host in a Nessus report
Ports vulnerabilities for a host in a Nessus report
  • Getting details on a particular port for a host present in a Nessus report – nessus_report_host_detail :

To get details on a particular port for a host present in a Nessus report, just run the following command :

nessus_report_host_detail

Where “hostname” is the unique hostname available in the “nessus_report_hosts” command, “port” and “protocol” the unique port and protocol available with the previous “nessus_report_host_ports” command, and “report id” the unique ID of the report.

Vulnerabilities Port details by host in a Nessus report
Vulnerabilities Port details by host in a Nessus report
  • Deleting a report – nessus_report_del :

To delete a report just type the following command :

nessus_report_del

Where “reportname” is the unique ID for the report available with the “nessus_report_list” command.

Report deletion
Report deletion
  • Importing a Nessus report into Metasploit – nessus_report_get :

To import a Nessus report, you will thirst need to create a ODBC connexion between Metasploit and your favorite database (for us MySQL).

The connexion, and the database creation is done by the following command, please don’t use these login and passwords 🙂

db_connect root:[email protected]/locallan

To verify that your ODBC connexion is active, use the following command :

Metasploit database connexion verification
Metasploit database connexion verification

Then execute the following command to import the Nessus report into Metasploit.

nessus_report_get

Where “report id” is the unique ID for the report available with the “nessus_report_list” command.

Nessus report importation in Metasploit
Nessus report importation in Metasploit

To check if every thing is imported, run the following commands :

db_hosts, will return you all imported hosts from the Nessus report

db_services, will return you all imported port, by protocols, by hosts from the Nessus report.

db_vulns, will return you all detected vulnerabilities by ports/protocols by hosts from the Nessus report.

  • Finding targets in a scan with CVSS2 > 7 and return scans info – nessus_find_targets :

To get a list of potential targets from the Nessus report, just run the following command.

nessus_find targets

Where “report id” is the unique ID for the report available with the “nessus_report_list” command.

Finding targets CVSS2 above 7 from a Nessus report
Finding targets CVSS2 above 7 from a Nessus report

Metasploit Nessus bridge plugin unleashed – Part 2

The Metasploit Team has release a new plugin, a bridge between Metasploit and Nessus. This new plugin is a collaboration between HD Moore, James Lee, Zate Berg, darkoperator and the Nessus Team. If you follow the PaulDotCompodcast, you know that Paul is a employe of the Nessus team and that darkoperator (aka Carlos Perez) is an official developer of the Metasploit project. A good collaboration between the 2 teams how has uncorked on this new important step in Metasploit.

In the first par of the post serie, we have describe all the generic, user and policy command. In this new post we will describe the plugin, scan, report and “nessus_find_targets” commands.

Plugin Commands

  • Getting a list of plugins by family – nessus_plugin_list :

If you are an admin user or a normal user, by typing this command you will have a list of plugins by family.

Nessus plugins by family
Nessus plugins by family
  • Getting the detail of a family of plugins – nessus_plugin_family :

If you wish to have the detail of a plugin family, just type the following command :

Nessus plugin family detail
Nessus plugin family detail
  • Getting details on a specific plugin of a family – nessus_plugin_details :

To get details on a specific plugin of a family of plugin, you have to precise the plugin file name listed with the previous “nessus_plugin_family” command.

Nessus plugin detail
  • Details of Nessus plugins preferences – nessus_plugin_prefs :

To get details of all Nessus plugins preferences, just type the following command :

nessus_plugin_prefs

Scan Commands

  • Starting a new Nessus scan – nessus_scan_new :

To start a new Nessus scan run the following command :

nessus_scan_new

Where “policy id” is the unique ID of the policy to be used, “scan name” the name of the scan and “targets” the targeted hostnames or IP addresses.

Starting a new Nessus scan
Starting a new Nessus scan
  • List of all current Nessus scans – nessus_scan_status :

To get a list of all current Nessus scans, run the following command :

List of all current Nessus scans
List of all current Nessus scans
  • Pausing a running Nessus scan – nessus_scan_pause :

To pause a running Nessus scan run the following command :

nessus_scan_pause

Where “scan id” is the unique ID of the Nessus scan how is available by the previous command “nessus_scan_status“.

Nessus scan pause
Nessus scan pause

To pause all running Nessus scans, just run the following command :

nessus_scan_pause_all

  • Resuming a paused Nessus scan – nessus_scan_resume :

To resume a Nessus scan run the following command :

nessus_scan_resume

Where “scan id” is the unique ID of the Nessus scan how is available by the command “nessus_scan_status“.

Nessus scan resume
Nessus scan resume

To resume all paused Nessus scans, just run the following command :

nessus_scan_resume_all

  • Stopping a Nessus scan – nessus_scan_stop :

To stop a Nessus scan, run the following command :

nessus_scan_stop

Where “scan id” is the unique ID of the Nessus scan how is available by the command “nessus_scan_status“.

Stopping a Nessus scan
Stopping a Nessus scan

To stop all the Nessus scan, just type the following command :

nessus_scan_stop_all

In the following post we will describe the reports and the “nessus_find_targets” commands.

Metasploit Nessus bridge plugin unleashed – Part 1

The Metasploit Team has release a new plugin, a bridge between Metasploit and Nessus. This new plugin is a collaboration between HD Moore, James Lee, Zate Berg, darkoperator and the Nessus Team. If you follow the PaulDotCom podcast, you know that Paul is a employe of the Nessus team and that darkoperator (aka Carlos Perez) is an official developer of the Metasploit project. A good collaboration between the 2 teams how has uncorked on this new important step in Metasploit.

To activate the Nessus bridge plugin, just update you Metasploit installation to the latest revision and log in the Metasploit console. The pre-requirements are that you need to have a running Nessus 4.2.x installation with a valid user account.

  • Loading the nessus plugin
Loading the Nessus plugin
Loading the Nessus plugin

Generic commands

  • Getting help – nessus_help :

To have an overview of all the Metasploit Nessus bridge plugin commands, just type :

msf auxiliary(ssh_version) > nessus_help

Or to have a specific command help, just type :

nessus_help

  • Connecting to Nessus – nessus_connect :

To connect to Nessus, just type :

nessus_connect login:[email protected]_ip:port

login” and “password” variables are you’re Nessus user login and password. “nessusd_ip” variable is the IP address or the hostname of Nessusd. “port” variable is the port where Nessusd is listening, by default 8834/tcp. “ok” variable is for letting you know that nessus use a self signed certificate and that risks are present.

Connecting to Nessus
Connecting to Nessus
  • Saving your connexion configuration – nessus_save :

To save your connexion configuration just run the nessus_save command, a nessus.yaml file will be created into you $HOME/.msf3 directory. You don’t need anymore to provide the nessus_connect variables.

  • Logout from nessus – nessus_logout :

To disconnect from Nessus, just run the following command :

Nessus logout
Nessus logout
  • Checking Nessus status – nessus_server_status :

To check the Nessus version, the feed version, the Nessus Web version, the total number of users, policies, running scans, reports and plugging, run the following command :

Nessus status check
Nessus status check
  • Checking the current Nessus user privileges – nessus_admin :

If the Nessus user used is an admin, the following result is displayed

Nessus admin user check
Nessus admin user check

If the Nessus user used is not an admin, the following result is displayed

Nessus normal user check
Nessus normal user check
  • Checking the Nessusd Feed type – nessus_server_feed :

To check the Nessus version, the feed version and the Nessus Web version, run the following command :

Nessus Feed check
Nessus Feed check

User Commands

  • List of all Nessus users – nessus_user_list :

If you are an admin, you will be able to list all the Nessus users, they’re login, user rights (admin or not), and they’re last login dates.

Nessus users list
Nessus users list
  • Adding a Nessus user – nessus_user_add :

If you are an admin, you will be able to add a normal Nessus user by typing the following command :

nessus_user_add

Adding a Nessus user
Adding a Nessus user
  • Deleting a Nessus user – nessus_user_del :

If you are an admin, you will be able to delete a normal, or an admin, Nessus user.

Deleting a Nessus user
Deleting a Nessus user
  • Changing a Nessus user password – nessus_user_passwd :

If you are an admin, you will be able to change the password of admin, and non admin, Nessus users.

Nessus user password change
Nessus user password change

Policy commands

You still need to first create your policy in Nessus between the Nessus Client or Web Interface.

  • Listing of all Nessus policies – nessus_policy_list :

If you are a normal Nessus user, you will only be able to see the “Shared” Nessus policies.

Shared policies for normal Nessus user
Shared policies for normal Nessus user

But if you are an admin user, you will be able to see the “Shared” and “Private” Nessus policies.

Nessus shared and private policies for Nessus admin user
Nessus shared and private policies for Nessus admin user
  • Deleting a policy – nessus_policy_del :

If you are an admin, you will be able to delete a policy.

Nessus policy deletion
Nessus policy deletion

In the following post we will describe the plugin, scan, report and the “nessus_find_targets” generic command.