devbox
很楠不爱3
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

metasploit 快速入门(二)信息收集和扫描-续_elasticsearch unrestricted access information disc

作者:很楠不爱3 | 2024-03-03 07:41:24

elasticsearch unrestricted access information disclosure

目录

一、与Nessus结合

二、与NeXpose结合

三、与OpenVAS结合

一、与Nessus结合

到目前为止,我们已经了解了端口扫描的基础知识,以及学会了Nmap的使用。通过其他一些工具的学习,进一步提高了扫描和信息收集的技术。在接下来的小节中,我们将介绍其他几种扫描目标可用服务和端口的工具,这些工具还可以帮助我们确定特定服务和端口可能存在的漏洞类型。让我们开始漏洞扫描之旅。

Nessus是使用最广泛的漏洞扫描器之一,它可用通过扫描目标发现漏洞并生成详细的报告。Nessus是渗透测试中非常有用的工具。你可用使用它的GUI版本,也可以在Metasploit控制台中使用它。本书主要介绍在msfconsole中使用它。

 

准备工作

要使用Nessus需要先去Nessus官网注册并取得Licenses。你可以使用Nessus家庭版,此授权是免费的,它允许你扫描个人家庭网络(小于16个IP地址)。然后下载软件安装包进行安装。在Kali中需要下载.deb格式的包,然后使用dpkg -i进行安装。

家庭版密钥申请地址:https://www.tenable.com/products/nessus-home

填写注册信息,完成注册,然后会跳转到下载页面

根据自己的系统版本,下载32bit或者64bit版本

激活密钥会发到你的邮箱里面,请保存下来。

下载完成之后进行安装:

  1. root@osboxes:~# cd ~/Downloads/
  2. root@osboxes:~/Downloads# ls
  3. bettercap bettercap_linux_amd64_2.2.zip libpcap-1.8.1 libpcap-1.8.1.tar.gz Nessus-8.3.1-debian6_amd64.deb
  4. root@osboxes:~/Downloads# dpkg -i Nessus-8.3.1-debian6_amd64.deb //安装
  5. Selecting previously unselected package nessus.
  6. (Reading database ... 435326 files and directories currently installed.)
  7. Preparing to unpack Nessus-8.3.1-debian6_amd64.deb ...
  8. Unpacking nessus (8.3.1) ...
  9. Setting up nessus (8.3.1) ...
  10. Unpacking Nessus Scanner Core Components...
  11.  
  12. - You can start Nessus Scanner by typing /etc/init.d/nessusd start
  13. - Then go to https://osboxes:8834/ to configure your scanner
  14.  
  15. Processing triggers for systemd (241-1) ...
  16. root@osboxes:~/Downloads#

安装完成之后,启动Nessus服务

root@osboxes:~/Downloads# systemctl start nessusd.service

根据提示,使用浏览器打开网址https://osboxes:8834/或者https://127.0.0.1:8834进行配置

1、设置用户名和密码:

2、选择Home,Professional or Manager,填写激活密钥进行授权激活。

3、激活完成后,Nessus还会安装一系列组件,等待安装完成(需要一段时间,请耐心等待)

安装完成后,就可以进行下一步操作了。

 

怎么做

1、在msfconsole里面载入nessus组件。

  1. msf5 > load nessus //载入nessus组件
  2. [*] Nessus Bridge for Metasploit
  3. [*] Type nessus_help for a command listing
  4. [*] Successfully loaded plugin: Nessus
  5. msf5 >

2、输入nessus_help命令,可以查看可用参数和帮助信息

  1. msf5 > nessus_help
  2.  
  3. Command Help Text
  4. ------- ---------
  5. Generic Commands
  6. ----------------- -----------------
  7. nessus_connect Connect to a Nessus server
  8. nessus_logout Logout from the Nessus server
  9. nessus_login Login into the connected Nesssus server with a different username and password
  10. nessus_save Save credentials of the logged in user to nessus.yml
  11. nessus_help Listing of available nessus commands
  12. nessus_server_properties Nessus server properties such as feed type, version, plugin set and server UUID.
  13. nessus_server_status Check the status of your Nessus Server
  14. nessus_admin Checks if user is an admin
  15. nessus_template_list List scan or policy templates
  16. nessus_folder_list List all configured folders on the Nessus server
  17. nessus_scanner_list List all the scanners configured on the Nessus server
  18. Nessus Database Commands

3、连接到Nessus服务,使用nessus_connect NessusUser:NessusPassword@127.0.0.1命令。

  1. msf5 > nessus_connect nessusroot:Passw0rd@127.0.0.1 //连接到 Nessus 服务
  2. [*] Connecting to https://127.0.0.1:8834/ as nessusroot
  3. [*] User nessusroot authenticated successfully.
  4. msf5 >

4、使用nessus_policy_list可用列出Nessus服务上的所有扫描策略。如果没有,需要先在WebUI界面中创建策略。

  1. msf5 > nessus_policy_list
  2. [-] No policies found
  3. msf5 >

提示没有策略,我们去创建一个

我们选择新建一个Basic Network Scan策略

配置好相关的参数,然后点保存

回到msfconsole里面再次执行nessus_policy_list就看看到了

  1. msf5 > nessus_policy_list
  2. Policy ID Name Policy UUID
  3. --------- ---- -----------
  4. 4 PenTest01 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65
  5.  
  6. msf5 >

5、创建nessus扫描,使用nessus_scan_new --help查看命令帮助信息:

  1. msf5 > nessus_scan_new --help
  2. [*] Usage:
  3. [*] nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>
  4. [*] Use nessus_policy_list to list all available policies with their corresponding UUIDs
  5. msf5 >

6、创建扫描

  1. msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 Metasploitable3 Windows_Machine 192.168.177.144
  2. [*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called Metasploitable3 - Windows_Machine and scanning 192.168.177.144
  3. [*] New scan added
  4. [-] Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass
  6. Call stack:
  7. /usr/share/metasploit-framework/plugins/nessus.rb:979:in `cmd_nessus_scan_new'
  8. /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
  9. /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
  10. /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
  11. /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
  12. /usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
  13. /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
  14. /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
  15. /usr/bin/msfconsole:49:in `<main>'
  16. msf5 >

此次会报错:Error while running command nessus_scan_new: undefined method []' for nil:NilClass。这是由于Nessus 7开始对远程调用进行认证,从而导致Metasploit调用失败。现在正在等待修复。

解决办法:Nessus Plugin unable to create new scan · Issue #11117 · rapid7/metasploit-framework · GitHub https://github.com/rapid7/metasploit-framework/issues/11117

成功创建扫描:

  1. msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 test test 192.168.177.144
  2. [*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called test - test and scanning 192.168.177.144
  3. [*] New scan added
  4. [*] Use nessus_scan_launch 6 to launch the scan
  5. Scan ID Scanner ID Policy ID Targets Owner
  6. ------- ---------- --------- ------- -----
  7. 6 1 5 192.168.177.144 nessusroot
  8.  
  9. msf5 >

7、使用nessus_scan_list可用查看扫描列表,以及它们的状态

  1. msf5 > nessus_scan_list
  2. Scan ID Name Owner Started Status Folder
  3. ------- ---- ----- ------- ------ ------
  4. 6 test nessusroot empty 3
  5.  
  6. msf5 >

8、启动扫描,使用nessus_scan_launch <Scan ID>启动扫描

  1. msf5 > nessus_scan_launch 6
  2. [+] Scan ID 6 successfully launched. The Scan UUID is 67d8e87c-17a6-7693-0b41-666f40291e1464ae15bc02832ca3
  3. msf5 >

再次查看状态:

  1. msf5 > nessus_scan_list
  2. Scan ID Name Owner Started Status Folder
  3. ------- ---- ----- ------- ------ ------
  4. 6 test nessusroot running 3
  5.  
  6. msf5 >

9、查看扫描的详细信息,使用nessus_scan_details <Scan ID> <info/hosts/vulnerabilities/history>

  1. msf5 > nessus_scan_details 6 info //查看扫描状态
  2. Status Policy Scan Name Scan Targets Scan Start Time Scan End Time
  3. ------ ------ --------- ------------ --------------- -------------
  4. running Basic Network Scan test 192.168.177.144 1555301230
  5.  
  6. msf5 > nessus_scan_details 6 hosts //查看主机
  7. Host ID Hostname % of Critical Findings % of High Findings % of Medium Findings % of Low Findings
  8. ------- -------- ---------------------- ------------------ -------------------- -----------------
  9. 2 192.168.177.144 1 0 0 0
  10.  
  11. msf5 > nessus_scan_details 6 vulnerabilities //查看漏洞信息
  12. Plugin ID Plugin Name Plugin Family Count
  13. --------- ----------- ------------- -----
  14. 10114 ICMP Timestamp Request Remote Date Disclosure General 1
  15. 10150 Windows NetBIOS / SMB Remote Host Information Disclosure Windows 1
  16. 10287 Traceroute Information General 1
  17. 10394 Microsoft Windows SMB Log In Possible Windows 1
  18. 10736 DCE Services Enumeration Windows 8
  19. 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
  20. .....
  21. msf5 > nessus_scan_details 6 history //查看扫描历史
  22. History ID Status Creation Date Last Modification Date
  23. ---------- ------ ------------- ----------------------
  24. 7 running 1555301230
  25.  
  26. msf5 >

WebUI上也可以看到我们创建的扫描

10、当完成扫描后,使用nessus_db_import <Scan ID>将扫描结果导入到Metasploit中。

  1. msf5 > nessus_scan_details 6 info
  2. Status Policy Scan Name Scan Targets Scan Start Time Scan End Time
  3. ------ ------ --------- ------------ --------------- -------------
  4. completed Basic Network Scan test 192.168.177.144 1555301230 1555302154
  5.  
  6. msf5 > nessus_db_import 6
  7. [*] Exporting scan ID 6 is Nessus format...
  8. [+] The export file ID for scan ID 6 is 2110513949
  9. [*] Checking export status...
  10. [*] Export status: loading
  11. [*] Export status: ready
  12. [*] The status of scan ID 6 export is ready
  13. [*] Importing scan results to the database...
  14. [*] Importing data of 192.168.177.144
  15. [+] Done
  16. msf5 >

导入进去之后,我们就能使用hostsservices命令查看主机和目标服务的信息了。

  1. msf5 > hosts
  2. Hosts
  3. =====
  4. address mac name os_name os_flavor os_sp purpose info comments
  5. ------- --- ---- ------- --------- ----- ------- ---- --------
  6. 192.168.177.1 Unknown device
  7. 192.168.177.144 00:0c:29:41:d2:48 METASPLOITABLE3 Windows 2008 Standard SP1 server
  8. 192.168.177.145 Unknown device
  9. msf5 > services
  10. Services
  11. ========
  12. host port proto name state info
  13. ---- ---- ----- ---- ----- ----
  14. 192.168.177.1 21 tcp ftp open 220 Serv-U FTP Server v15.0 ready...\x0d\x0a
  15. 192.168.177.144 21 tcp ftp open 220 Microsoft FTP Service\x0d\x0a
  16. 192.168.177.144 22 tcp ssh open SSH-2.0-OpenSSH_7.1
  17. 192.168.177.144 80 tcp www open Microsoft IIS httpd 7.5
  18. 192.168.177.144 135 tcp epmap open
  19. 192.168.177.144 137 udp netbios-ns open
  20. .....

查看扫描结果中的漏洞信息,使用vulns指令

  1. msf5 > vulns
  2. Vulnerabilities
  3. ===============
  4. Timestamp Host Name References
  5. --------- ---- ---- ----------
  6. 2019-04-12 07:52:51 UTC 192.168.177.144 MS17-010 SMB RCE Detection CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-
  7. 010,URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-detection-script,URL-htt
  8. ps://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  9. 2019-04-12 09:08:20 UTC 192.168.177.144 HTTP Writable Path PUT/DELETE File Access
  10. OSVDB-397
  11. 2019-04-15 04:25:24 UTC 192.168.177.144 Elasticsearch Transport Protocol Unspecified Remote Code Execution CVE-2015-5377,NSS-105752,NSS-119499
  12. 2019-04-15 04:25:25 UTC 192.168.177.144 MySQL Server Detection NSS-10719
  13. 2019-04-15 04:25:25 UTC 192.168.177.144 Elasticsearch Detection NSS-109941
  14. 2019-04-15 04:25:25 UTC 192.168.177.144 ManageEngine Desktop Central 9 < Build 92027 Multiple Vulnerabilities CVE-2018-8722,NSS-108752
  15. 2019-04-15 04:25:25 UTC 192.168.177.144 Elasticsearch Unrestricted Access Information Disclosure NSS-101025 
  16. ....

 

二、与NeXpose结合

在本节,我们将介绍另一个极佳的漏洞扫描器:NeXposeNexPose是领先的漏洞评估工具之一。NeXpose 是 Rapid7 常用的工具,它执行漏洞扫描并将结果导入到 Metasploit 数据库中。NeXpose 的用法与 Nessus 类似,让我们快速了解一下如何使用 NeXpose。至于深入探究就留给大家来完成了。

 

准备工作

NeXpose社区版,可申请免费试用1年:https://www.rapid7.com/info/nexpose-community/

邮箱必须是独立的个人、学校、企业、机构等域名邮箱;第三方邮箱均无效!(如:gmail、新浪、网易、126、腾讯等都视为无效)。

注册,然后下载安装程序进行安装。

注册完成,然后下载安装程序

安装:安装询问过程,直接敲回车即可,然后填写一个用户信息,设置密码等

  1. root@osboxes:~# chmod +x Rapid7Setup-Linux64.bin
  2. root@osboxes:~# ./Rapid7Setup-Linux64.bin
  3. ....
  4. Do you want to continue?
  5. Yes [y, Enter], No [n]
  6. Gathering system information....
  7. Security Console with local Scan Engine
  8. If you do not have a console installed yet, this option is recommended. The console manages scan engines and all administrative operations.
  9. Scan Engine only
  10. This distributed engine can start scanning after being paired with a Security Console.
  11. Select only the set of components you want to install:
  12. Security Console with local Scan Engine [1, Enter]
  13. Scan Engine only [2]
  14. 1
  15. Where should Rapid7 Vulnerability Management be installed?
  16. [/opt/rapid7/nexpose]
  17. ....
  18. Select any additional installation tasks.
  19. Initialize and start after installation?
  20. Yes [y], No [n, Enter]
  21. y
  22. ...
  23. If you chose to start the Security Console as part of the installation, then it will be started upon installer completion.
  24. Using the credentials you created during installation, log onto Nexpose at https://localhost:3780.
  25.  
  26. To start the service run: sudo systemctl start nexposeconsole.service
  27.  
  28. To start the service run: sudo systemctl start nexposeconsole.service
  29. The Security Console is configured to automatically run at startup. See the
  30. installation guide if you wish to modify start modes.
  31.  
  32. [Enter]
  33.  
  34. Finishing installation...

我们设置的用户名:nexpose 密码:Faq3wANIK0 (根据自己喜好设置)

启动脚本,执行/opt/rapid7/nexpose/nsc/nsc.sh 或者systemctl start nexposeconsole,启动需要一段时间,请耐心等待。

然后访问https://localhost:3780配置,等待启动完成,使用用户名和密码登录,然后输入我们申请的Key激活产品

msfconsole中载入nexpose组件,然后连接到nexpose服务

  1. msf5 > load nexpose
  2.  
  3. ▄▄▄ ▄▄ ▄▄▄ ▄▄▄
  4. ███ ██ ██ ▄██
  5. ██▀█ ██ ▄████▄ ████ ██▄███▄ ▄████▄ ▄▄█████▄ ▄████▄
  6. ██ ██ ██ ██▄▄▄▄██ ██ ██▀ ▀██ ██▀ ▀██ ██▄▄▄▄ ▀ ██▄▄▄▄██
  7. ██ █▄██ ██▀▀▀▀▀▀ ████ ██ ██ ██ ██ ▀▀▀▀██▄ ██▀▀▀▀▀▀
  8. ██ ███ ▀██▄▄▄▄█ ██ ██ ███▄▄██▀ ▀██▄▄██▀ █▄▄▄▄▄██ ▀██▄▄▄▄█
  9. ▀▀ ▀▀▀ ▀▀▀▀▀ ▀▀▀ ▀▀▀ ██ ▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀ ▀▀▀▀▀
  10. ██
  11.  
  12. [*] Nexpose integration has been activated
  13. [*] Successfully loaded plugin: nexpose
  14. msf5 > nexpose_connect nexpose:Faq3wANIK0@127.0.0.1:3780
  15. [*] Connecting to Nexpose instance at 127.0.0.1:3780 with username nexpose...
  16. msf5 >

怎么做

NeXpose服务连接后,我们就可以扫描目标生成报告。NeXpose支持两个扫描命令,一个是nexpose_scan,此命令会扫描目标然后导入结果到metasploit数据库中,另外一个是nexpose_discover,此命令仅发现主机和服务,不导入结果。

1、对目标进行快速扫描(执行最小服务发现扫描)

  1. msf5 > nexpose_discover 192.168.177.144
  2. [*] Scanning 1 addresses with template aggressive-discovery in sets of 32
  3. [*] Completed the scan of 1 addresses
  4. msf5 >

2、查看nexpose_scan帮助

  1. msf5 > nexpose_scan -h
  2. Usage: nexpose_scan [options] <Target IP Ranges>
  3.  
  4. OPTIONS:
  5.  
  6. -E <opt> Exclude hosts in the specified range from the scan
  7. -I <opt> Only scan systems with an address within the specified range
  8. -P Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
  9. -c <opt> Specify credentials to use against these targets (format is type:user:pass
  10. -d Scan hosts based on the contents of the existing database
  11. -h This help menu
  12. -n <opt> The maximum number of IPs to scan at a time (default is 32)
  13. -s <opt> The directory to store the raw XML files from the Nexpose instance (optional)
  14. -t <opt> The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
  15. -v Display diagnostic information about the scanning process
  16.  
  17. msf5 >

3、要扫描目标,使用nexpose_scan -t <template> <target_id>

  1. msf5 > nexpose_scan -t full-audit 192.168.177.144
  2. [*] Scanning 1 addresses with template full-audit in sets of 32
  3. [*] Completed the scan of 1 addresses
  4. msf5 >

4、扫描完成后,导入结果到数据库中,使用nexpose_site_import <site_id>

  1. msf5 > nexpose_site_import 7
  2. [*] Generating the export data file...
  3. [*] Downloading the export data...
  4. [*] Importing Nexpose data...

 

三、与OpenVAS结合

OpenVAS( Open Vulnerability Assessment System)是Nessus项目的分支。是一个免费开源的漏洞扫描和漏洞管理工具。也是当前使用最为广泛的漏洞扫描和管理开源解决方案。

 

怎么做

1、在Kali上安装 OpenVAS

root@osboxes:~# apt install openvas -y

2、设置openvas,包括下载规则,创建管理员用户和服务。

  1. root@osboxes:~# openvas-setup //这一步会下载很多东西,请耐心等待
  2.  
  3. [>] Updating OpenVAS feeds
  4. [*] [1/3] Updating: NVT
  5. --2019-04-15 13:54:37-- http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
  6. Connecting to 192.168.1.91:1080... connected.
  7. Proxy request sent, awaiting response... 200 OK
  8. Length: 22288483 (21M) [application/octet-stream]
  9. ....
  10. 经过漫长的等待...
  11. [*] Opening Web UI (https://127.0.0.1:9392) in: 5... 4... 3... 2... 1...
  12.  
  13. [>] Checking for admin user
  14. [*] Creating admin user
  15. User created with password 'dc63c468-3780-4e3c-b30c-1597f4b91623'.
  16.  
  17. [+] Done

3、配置完成后,启动openvas ,其实在上一步中已经启动了。也可以用下面的命令启动

root@osboxes:~# openvas-start

访问https://127.0.0.1:9392可登录WebUI

4、在msfconsole中载入openvas组件

  1. msf5 > load openvas
  2. [*] Welcome to OpenVAS integration by kost and averagesecurityguy.
  3. [*]
  4. [*] OpenVAS integration requires a database connection. Once the
  5. [*] database is ready, connect to the OpenVAS server using openvas_connect.
  6. [*] For additional commands use openvas_help.
  7. [*]
  8. [*] Successfully loaded plugin: OpenVAS
  9. msf5 >

5、查看帮助信息​​​​​​​

  1. msf5 > help openvas
  2.  
  3. OpenVAS Commands
  4. ================
  5.  
  6. Command Description
  7. ------- -----------
  8. openvas_config_list Quickly display list of configs
  9. openvas_connect Connect to an OpenVAS manager using OMP
  10. openvas_debug Enable/Disable debugging
  11. openvas_disconnect Disconnect from OpenVAS manager
  12. openvas_format_list Display list of available report formats
  13. openvas_help Displays help
  14. openvas_report_delete Delete a report specified by ID
  15. openvas_report_download Save a report to disk
  16. openvas_report_import Import report specified by ID into framework
  17. openvas_report_list Display a list of available report formats
  18. openvas_target_create Create target (name, hosts, comment)
  19. openvas_target_delete Delete target by ID
  20. openvas_target_list Display list of targets
  21. openvas_task_create Create a task (name, comment, target, config)
  22. openvas_task_delete Delete task by ID
  23. openvas_task_list Display list of tasks
  24. openvas_task_pause Pause task by ID
  25. openvas_task_resume Resume task by ID
  26. openvas_task_resume_or_start Resume task or start task by ID
  27. openvas_task_start Start task by ID
  28. openvas_task_stop Stop task by ID
  29. openvas_version Display the version of the OpenVAS server
  30.  
  31.  
  32. msf5 >

6、使用 openvas_connect <username> <password> <host> <port>连接到OpenVAS服务​​​​​​​

  1. msf5 > openvas_connect admin dc63c468-3780-4e3c-b30c-1597f4b91623 127.0.0.1 9390
  2. [*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
  3. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
  4. [+] OpenVAS connection successful
  5. msf5 >

7、添加扫描目标,使用openvas_target_create <Name> <Hosts> <Comment>指令,参数包括描述信息,目标的IP​​​​​​​

  1. msf5 > openvas_target_create "Metasploitable3" 192.168.177.144 "Windows Target"
  2. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
  3. [*] 6455a780-092a-40dd-8c01-191a7612505a
  4. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
  5. [+] OpenVAS list of targets
  6.  
  7. ID Name Hosts Max Hosts In Use Comment
  8. -- ---- ----- --------- ------ -------
  9. 6455a780-092a-40dd-8c01-191a7612505a Metasploitable3 192.168.177.144 1 0 Windows Target
  10.  
  11.  
  12. msf5 >

8、列出配置列表:openvas_config_list​​​​​​​

  1. msf5 > openvas_config_list
  2. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
  3. [+] OpenVAS list of configs
  4.  
  5. ID Name
  6. -- ----
  7. 085569ce-73ed-11df-83c3-002264764cea empty
  8. 2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
  9. 698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
  10. 708f25c4-7489-11df-8094-002264764cea Full and very deep
  11. 74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
  12. 8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
  13. bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
  14. daba56c8-73ec-11df-a475-002264764cea Full and fast
  15.  
  16.  
  17. msf5 >

9、创建任务,使用如下指令 openvas_task_create <name> <Comment> <config_id> <target_id>​​​​​​​

  1. msf5 > openvas_task_create "Metasploitable3" "Windows" 698f691e-7489-11df-9d8c-002264764cea 6455a780-092a-40dd-8c01-191a7612505a
  2. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
  3. [*] fb18cf93-a94b-4c9b-aadf-9408bd9a9186
  4. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
  5. [+] OpenVAS list of tasks
  6.  
  7. ID Name Comment Status Progress
  8. -- ---- ------- ------ --------
  9. fb18cf93-a94b-4c9b-aadf-9408bd9a9186 Metasploitable3 Windows New -1
  10.  
  11.  
  12. msf5 >

10、启动任务,使用openvas_task_start <task_id>​​​​​​​

  1. msf5 > openvas_task_start fb18cf93-a94b-4c9b-aadf-9408bd9a9186
  2. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
  3. [*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>7993d76a-43b3-48c6-ac94-ca630e20db68</report_id></start_task_response></X>msf5 >

11、查看进度,使用openvas_task_list​​​​​​​

  1. msf5 > openvas_task_list
  2. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeou
  3. t.timeout instead.
  4. [+] OpenVAS list of tasks
  5. ID Name Comment Status Progress
  6. -- ---- ------- ------ --------
  7. fb18cf93-a94b-4c9b-aadf-9408bd9a9186 Metasploitable3 Windows Requested 1
  8. msf5 >

12、使用openvas_format_list 可以查看OpenVAS支持的报告格式。​​​​​​​

  1. msf5 > openvas_format_list
  2. /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout i
  3. nstead.
  4. [+] OpenVAS list of report formats
  5. ID Name Extension Summary
  6. -- ---- --------- -------
  7. 5057e5cc-b825-11e4-9d0e-28d24461215b Anonymous XML xml Anonymous version of the raw XML report
  8. 50c9950a-f326-11e4-800c-28d24461215b Verinice ITG vna Greenbone Verinice ITG Report, v1.0.1.
  9. 5ceff8ba-1f62-11e1-ab9f-406186ea4fc5 CPE csv Common Product Enumeration CSV table.
  10. 6c248850-1f62-11e1-b082-406186ea4fc5 HTML html Single page HTML report.
  11. 77bd6c4a-1f62-11e1-abf0-406186ea4fc5 ITG csv German "IT-Grundschutz-Kataloge" report.
  12. 9087b18c-626c-11e3-8892-406186ea4fc5 CSV Hosts csv CSV host summary.
  13. 910200ca-dc05-11e1-954f-406186ea4fc5 ARF xml Asset Reporting Format v1.0.0.
  14. 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 NBE nbe Legacy OpenVAS report.
  15. 9e5e5deb-879e-4ecc-8be6-a71cd0875cdd Topology SVG svg Network topology SVG image.
  16. a3810a62-1f62-11e1-9219-406186ea4fc5 TXT txt Plain text report.
  17. a684c02c-b531-11e1-bdc2-406186ea4fc5 LaTeX tex LaTeX source file.
  18. a994b278-1f62-11e1-96ac-406186ea4fc5 XML xml Raw XML report.
  19. c15ad349-bd8d-457a-880a-c7056532ee15 Verinice ISM vna Greenbone Verinice ISM Report, v3.0.0.
  20. c1645568-627a-11e3-a660-406186ea4fc5 CSV Results csv CSV result list.
  21. c402cc3e-b531-11e1-9163-406186ea4fc5 PDF pdf Portable Document Format report.
  22. msf5 >

13、在WebUI同样可以看到我们创建的任务状态信息

14、任务完成后,使用openvas_report_list 查看报告列表。​​​​​​​

  1. msf5 > openvas_report_list
  2. [+] OpenVAS list of reports
  3.  
  4. ID Task Name Start Time Stop Time
  5. -- --------- ---------- ---------
  6. 4ee7b572-a470-484c-962e-773d3a7eb7b1 Metasploitable3 2019-04-16T02:40:24Z 2019-04-16T03:07:15Z
  7. 7993d76a-43b3-48c6-ac94-ca630e20db68 Metasploitable3 2019-04-16T01:15:44Z

15、使用openvas_report_import命令将报告导入到Metasploit中,仅支持NBE(legacy OpenVAS report)和XML格式导入。​​​​​​​

  1. msf5 > openvas_report_import 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
  2. [*] Importing report to database.

但是这里我们使用的 Metasploit-5.0直接这么导入会报错,无法导入,我们先导出为文件再用db_import导入就可以了。​​​​​​​

  1. msf5 > openvas_report_download
  2. [*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
  3. msf5 > openvas_report_download 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 /tmp/ Metasploitable3
  4. [*] Saving report to /tmp/Metasploitable3
  5. msf5 > db_import /tmp/Metasploitable3
  6. [*] Importing 'OpenVAS XML' data
  7. [*] Successfully imported /tmp/Metasploitable3
  8. msf5 >

16、查看OpenVAS扫描的漏洞信息​​​​​​​

  1. msf5 > vulns
  2.  
  3. Vulnerabilities
  4. ===============
  5.  
  6. Timestamp Host Name References
  7. --------- ---- ---- ----------
  8. 2019-04-16 08:15:22 UTC 192.168.177.144 ICMP Timestamp Detection CVE-1999-0524
  9. 2019-04-16 08:15:23 UTC 192.168.177.144 Microsoft Windows IIS CVE-2010-3972,BID-45542
  10. 2019-04-16 08:15:23 UTC 192.168.177.144 Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,BID-96703,BID-96704,BID-96705,BID-96706,BID-96707,BID-96709
  11. 2019-04-16 08:15:23 UTC 192.168.177.144 MS15-034 HTTP.sys Remote Code CVE-2015-1635
  12. 2019-04-16 08:15:23 UTC 192.168.177.144 Oracle Glass Fish Server CVE-2017-1000028
  13. 2019-04-16 08:15:23 UTC 192.168.177.144 SSL/TLS: Report 'Anonymous' Cipher Suites .....

 

 

 

 

 

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/很楠不爱3/article/detail/184107
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号