Using Metasploit with Nessus Bridge on Ubuntu

July 9, 2011

Ever wondered how to use the autopwn feature in Metasploit on Ubuntu? Want to run nessus from within metasploit? Which database should you use, sqlite3 or postgres? I will explain the benefits of both. The setup described here will allow you to do various tasks with your nessus server and nmap from within the msf command line.
 
Nessus is a vulnerability scanner. It is free for personal use with the home feed. There is also a nessus for business, which requires a fee. I will be discussing nessus for home use and using it with the popular metasploit framework. Acquire the latest release of the nessus homefeed, Nessus-4.4.1-ubuntu1010_i386.deb, and register for the activation code (http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code). Follow the instructions listed in the documentation for installing on Ubuntu and start to configure. The nessus daemon can't be started until nessus has been registered and the plugin download has occurred.
 

$ sudo /opt/nessus/bin/nessus-fetch --register 'registration code from nessus'

Add user:-
 

$ sudo /opt/nessus/sbin/nessus-adduser

Make cert:-
 

$ sudo /opt/nessus/sbin/nessus-mkcert
 

Start the nessus Daemon:-
 

$ sudo /etc/init.d/nessusd start

 
Open up a web browser to https://localhost:8834, log in and complete a policy for your scans. I would create a number of policies based on the different systems that you will be scanning. If you're scanning a windows environment then having the plugins for Linux and BSD is pointless. Also make sure that you have safe checks enabled, select a port scanner to use, select credentials, select plugins (remember not to enable ones that will bounce the box), and select preferences. When finished you should have a number of different policies, numbered from 1 up to however many you have, and you can give them names; for example, a policy for scanning a windows environment can be labeled windows. Now you can log out of nessus and close the web browser.
 
Now open up a terminal and browse to where metasploit is installed and run an update.
 

$ cd /opt/framework-3.6.0/msf3
$ sudo svn update

 
Before we start the msfconsole let's get our database in proper order. I have used sqlite3 in the past and even did a tutorial on my website using sqlite3 (http://pbnetworks.net/?cmd=bbs&id=35), which worked fine, but sometimes it may not work and gives the warning 'Note that sqlite is not supported due to numerous issues. It may work, but don't count on it.' Postgres is the recommended database for Metasploit. So let's install the postgres database and libraries.
 

$ sudo apt-get install postgresql-8.4   
$ sudo apt-get install rubygems libpq-dev   
$ sudo gem install pg   
$ sudo apt-get install libreadline-dev   
$ sudo apt-get install libssl-dev   
$ sudo apt-get install libpq5   
$ sudo apt-get install ruby-dev

Now every time you start your system, start the database before you start metasploit:
 

$ sudo /etc/init.d/postgresql-8.4 start
 

You will need to become the system postgres user:-
 

$ sudo -s
# su postgres

 
Now you will need to create a database user:
 

$ createuser <user account name> -P

 
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

Next we need to create a database:
 

$ createdb --owner=<user account name> msf_database

 
Now we can start up metasploit:
 

:/opt/framework-3.6.0/msf3$ sudo ./msfconsole

 
Enter in the following commands:
 

msf> db_driver postgresql  
msf> db_connect <user account name>:<password>@127.0.0.1:5432/msf_database  
msf> db_hosts

 

Now before, when using sqlite3, creating and connecting to the database was easy. I would start up metasploit and issue the following commands:
 

msf> db_driver sqlite3
msf> db_connect

 
To verify if the database was connected I would issue the following command:
 

msf> db_hosts

 
If everything looked good I would have no errors and I could use the db_nmap command. But sometimes I would encounter errors and it would crash. Using postgres is more reliable than sqlite3 and it is also useful as I will describe later. Finally go ahead and enable the database on startup by issuing the following commands:
 

msf> cat > ~/.msf3/msfconsole.rc
db_driver postgresql
db_connect <user account name>:<password>@127.0.0.1:5432/msf_database
db_workspace -a MyProject
^D

 
Now the next time you fire up metasploit your database will automatically be up and you will be connected to it. Just make sure that you have postgres running; I run postgres manually before I start metasploit (see Figure #1).
 
Figure 1: Notice that postgresql loads when first starting the msfconsole
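The msfconsole.rc above stores the database password in clear text, so it should be readable by its owner only. The following is an added example, not part of the original article: a shell sketch that writes the same three lines with mode 600 and checks the result. The function names write_msf_rc and check_msf_rc are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): write the msfconsole.rc
# shown above so that only its owner can read the database password.
# write_msf_rc and check_msf_rc are hypothetical helper names.

write_msf_rc() {
    # usage: write_msf_rc <rc path> <db user> <db password> <workspace>
    local rc="$1" user="$2" pass="$3" ws="$4"
    # db_connect reads user:pass@host:port/db, so these characters in the
    # credentials would be taken as separators.
    case "$user$pass" in
        *[@:/]*|*' '*) echo "credentials contain : @ / or space" >&2; return 1 ;;
    esac
    (
        umask 077                        # new file and directory are owner-only
        mkdir -p "$(dirname "$rc")" || exit 1
        cat > "$rc" <<EOF
db_driver postgresql
db_connect ${user}:${pass}@127.0.0.1:5432/msf_database
db_workspace -a ${ws}
EOF
    ) || return 1
    chmod 600 "$rc"                      # also tighten a pre-existing file
}

check_msf_rc() {
    # Succeeds only if the file exists and group/other have no access.
    local rc="$1" mode
    [ -f "$rc" ] || return 1
    mode=$(stat -c '%a' "$rc" 2>/dev/null || stat -f '%Lp' "$rc") || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   echo "$rc is mode $mode, expected 600" >&2; return 1 ;;
    esac
}
```

Run check_msf_rc against an existing ~/.msf3/msfconsole.rc to find out whether other local users can read the password.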

Now that we have postgres as the database for metasploit, let's start using nessus from within metasploit. Open up a second terminal and make sure nessus is running; if not, load the daemon. Now from the msfconsole load nessus (see Figure #2).
 

msf > load nessus

  
Figure 2: Loading nessus from the msfconsole
 
Now let's see what kind of commands the Nessus Bridge for Metasploit 1.1 has given us; type nessus_help (see Figure #3).
 

msf > nessus_help

Figure 3: Nessus Help
 
The commands are divided up into different sections labeled Generic, Reports, Scan, Plugin, User, and Policy commands. Before we can run a scan we need to connect to the nessus server by using the nessus_connect command.
 

msf > nessus_connect <nessus username>:<password>@localhost:8834 ok

 
This should connect and authenticate you. From here you can run the scans, review the results, load the scan results into the database and use the autopwn feature. Or you can view the results, find a vulnerability in a system you scanned, throw a single exploit and get a meterpreter shell. Depending on the environment you may want to review the results of your nessus output and find the appropriate exploit to use instead of generating the noise of running autopwn. Now let's start our scan by issuing the nessus_scan_new command, whose syntax is nessus_scan_new <policy id> <scan name> <target>, where the policy id was set in your nessus policy settings, the scan name is generic, and the target is an IP address:
 

msf > nessus_scan_new 1 winXP_home 192.168.1.124

 
To check up on the status of our scan use the nessus scan status feature (see figure #4).
 

msf > nessus_scan_status

 
 
Figure 4: Nessus Scan Status
 
 
When the scan has completed you can view the results using the following command:
 

msf > nessus_report_list

 
We can view a list of hosts from the report with the following command:
 

msf > nessus_report_hosts UID

 
To view further information issue the following command (see Figure #5):-

msf > nessus_report_host_ports <ip address> UID

Figure 5: nessus_report_host_ports 192.168.1.124 UID

To see a list of hosts issue the db_hosts command. If you want to remove hosts from the db_hosts file then issue the db_del_host command (see Figure #6).
 

Figure 6: db_del_host command
 
Next we need to load the results into our database with the following command:
 

msf> nessus_report_get UID

 
Now with the scan complete and the host listed in the db_hosts file you can run the autopwn tool or find an exploit that will work against the box. More on this in another article next month.
 
Now let's take a look at using nmap within the metasploit framework.
 
To use nmap from within the metasploit framework, use the 'db_nmap' command to run nmap scans against targets and have the scan results stored in the database. When running on Back|Track I can issue many different nmap commands such as db_nmap -sS -sV -T 3 -P0 -O <ip address> -D RND --packet-trace. The options are: -sS TCP SYN stealth scan, -sV version scan, -T 3 normal scan, -O find the operating system, -D RND use a decoy and generate a random, non-reserved IP address, and finally --packet-trace will trace packets and data sent and received. I like to use the packet-trace feature on large scans because if it fails you can see it. This is a great feature to use while in the msfconsole, but I can't do this when using Ubuntu and connected to the postgres database as the postgres user. Why? Because I get an error saying that only the root user has the ability to use this nmap option (see Figure #7). I can use 'db_nmap -v -sV 192.168.15.0/24 --packet-trace' and the scan runs and produces an output. I can view the results with the following commands (Figure 8):
 

msf > db_hosts
msf > db_services -c port,state


Figure 7: nmap error with postgres
 

Now if I want to issue complex nmap scans I can exit out of the msf prompt, exit out of postgres, stop the database and login with sudo and use the sqlite3 database. The same command that the OS didn't allow me to use now can be used with no problem (Figure #9)
 

Figure 8: db_nmap using postgres database
 

Figure 9: db_nmap using sqlite3
 
 

msf > db_nmap -sS -sV -T 4 -P0 -O 192.168.15.0/24 -D RND --packet-trace

 
Look at the difference in results we now have after viewing information with the db_hosts and db_services -c port,state commands. Compare the difference between Figure #10 and Figure #8.
 

Figure 10: nmap results showing sqlite3
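The root-only error in Figure 7 is triggered by nmap options that need raw sockets (-sS, -O and -D in the command above), while -sV, -v and --packet-trace run for an ordinary user. As an added example, not from the original article, this shell preflight lists the privileged options in a db_nmap argument list before the scan is started; the function names are hypothetical and the option list covers scan types, OS detection and decoys only.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): report which options in an
# nmap/db_nmap argument list need raw-socket (root) privileges.
# privileged_nmap_opts and preflight are hypothetical helper names.

privileged_nmap_opts() {
    # Prints the privileged options found, space separated (empty if none).
    local found="" arg
    for arg in "$@"; do
        case "$arg" in
            -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sO)   # raw-packet scan types
                found="$found $arg" ;;
            -O|-D)                                 # OS detection, decoys
                found="$found $arg" ;;
            *)  # -sT, -sV, -v, -T, -P0, --packet-trace, targets and values
                ;;
        esac
    done
    echo "${found# }"
}

preflight() {
    # Prints a verdict for the current user; returns 1 if nmap would refuse.
    local need
    need=$(privileged_nmap_opts "$@")
    if [ -n "$need" ] && [ "$(id -u)" -ne 0 ]; then
        echo "needs root: $need"
        return 1
    fi
    echo "ok"
}

# The two command lines from the article:
#   preflight -sS -sV -T 3 -P0 -O 192.168.15.0/24 -D RND --packet-trace
#   preflight -v -sV 192.168.15.0/24 --packet-trace
```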
 

Conclusion

This information can be useful in checking the integrity and strength of your network if you are the Network Security Engineer for your workplace, and have permission to do so. Doing this to networks that you have no authorization to be on is against the law in many if not all countries. For more information and some video tutorials please visit my website at http://pbnetworks.net
 

On the 'Net

Link to postgres setup: http://dev.metasploit.com/redmine/projects/framework/wiki/Postgres_setup
Link to video tutorials: http://pbnetworks.net/?cmd=bbs

David J. Dodd is currently in the United States and holds a current 'Secret' DoD Clearance. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference. He works for pbnetworks Inc. (http://pbnetworks.net), a small service disabled veteran owned business located in San Diego, CA.
