How to use Nessus from within Metasploit

1. Logging in, and the preparation before it

Of course, you first still need to download and install Nessus; in my experiments I found that without it I could not start the series of services, so Metasploit presumably just calls one of its interfaces (corrections welcome if I'm wrong!). For how to configure it, see my earlier article 
http://blog.csdn.net/qq_35078631/article/details/76160336

First of all we need to start the Nessus service, then log in from Metasploit. First run

load nessus

to load the plugin, then log in with

nessus_connect username:password@localhost:8834 ok

Note that the username and password here are the account you registered with Nessus earlier. If you don't have one, creating it from the command line should also be possible; I won't try that here. 
A successful connection looks like this

msf > nessus_connect Assassin:password@localhost:8834 ok
[*] Connecting to https://localhost:8834/ as Assassin
[*] User Assassin authenticated successfully.

Then let's look at the help; enter the command

nessus_help

Here is the content of the help

Command                     Help Text
-------                     ---------
Generic Commands            
-----------------           -----------------
nessus_connect              Connect to a Nessus server
nessus_logout               Logout from the Nessus server
nessus_login                Login into the connected Nesssus server with a different username and password
nessus_save                 Save credentials of the logged in user to nessus.yml
nessus_help                 Listing of available nessus commands
nessus_server_properties    Nessus server properties such as feed type, version, plugin set and server UUID.
nessus_server_status        Check the status of your Nessus Server
nessus_admin                Checks if user is an admin
nessus_template_list        List scan or policy templates
nessus_folder_list          List all configured folders on the Nessus server
nessus_scanner_list         List all the scanners configured on the Nessus server
Nessus Database Commands    
-----------------           -----------------
nessus_db_scan              Create a scan of all IP addresses in db_hosts
nessus_db_scan_workspace    Create a scan of all IP addresses in db_hosts for a given workspace
nessus_db_import            Import Nessus scan to the Metasploit connected database

Reports Commands            
-----------------           -----------------
nessus_report_hosts         Get list of hosts from a report
nessus_report_vulns         Get list of vulns from a report
nessus_report_host_details  Get detailed information from a report item on a host

Scan Commands               
-----------------           -----------------
nessus_scan_list            List of all current Nessus scans
nessus_scan_new             Create a new Nessus Scan
nessus_scan_launch          Launch a newly created scan. New scans need to be manually launched through this command
nessus_scan_pause           Pause a running Nessus scan
nessus_scan_pause_all       Pause all running Nessus scans
nessus_scan_stop            Stop a running or paused Nessus scan
nessus_scan_stop_all        Stop all running or paused Nessus scans
nessus_scan_resume          Resume a pasued Nessus scan
nessus_scan_resume_all      Resume all paused Nessus scans
nessus_scan_details         Return detailed information of a given scan
nessus_scan_export          Export a scan result in either Nessus, HTML, PDF, CSV, or DB format
nessus_scan_export_status   Check the status of an exported scan

Plugin Commands             
-----------------           -----------------
nessus_plugin_list          List all plugins in a particular plugin family.
nessus_family_list          List all the plugin families along with their corresponding family IDs and plugin count.
nessus_plugin_details       List details of a particular plugin

User Commands               
-----------------           -----------------
nessus_user_list            Show Nessus Users
nessus_user_add             Add a new Nessus User
nessus_user_del             Delete a Nessus User
nessus_user_passwd          Change Nessus Users Password

Policy Commands             
-----------------           -----------------
nessus_policy_list          List all polciies
nessus_policy_del           Delete a policy

There isn't that much in it, so here I'll cover just the most basic operations

2. Viewing the policies

First let's look at the policies set up earlier 

[screenshot: the policies configured in the Nessus web UI]


From the command line we use

nessus_policy_list 

and we can see 

[screenshot: output of nessus_policy_list]

Notice there is a very long string; this is the Policy_UUID we will use later

Unfortunately, though, there seems to be no function for adding a policy here; all we can do is list and delete them, so here the default is that everything gets scanned once (corrections welcome if I'm wrong).

3. Creating and running a scan

Here I'll just demonstrate scanning a single target; our target machine is 192.168.1.5 
First we need to create a new scan task!

msf > nessus_scan_new ad629e16-03b6-8c1d-cef6-ef8c9dd3c658d24bd260ef5f9e66 Windows7scan None  192.168.1.5
[*] Creating scan from policy number ad629e16-03b6-8c1d-cef6-ef8c9dd3c658d24bd260ef5f9e66, called Windows7scan - None and scanning 192.168.1.5
[*] New scan added
[*] Use nessus_scan_launch 9 to launch the scan
Scan ID  Scanner ID  Policy ID  Targets      Owner
-------  ----------  ---------  -------      -----
9        1           8          192.168.1.5  Assassin

Let's verify 

[screenshot: the new scan shown in the Nessus web UI]

Haha, now it needs to be run; run

nessus_scan_launch 9

Note that the 9 here is the scan ID from the output above, and you'll then see in the web front end that it is already running! 
But this is odd... you don't let people create a policy, yet creating a new scan requires one, so I found you still have to create it in the web front end in advance, otherwise it can't be used at all... mixed feelings...

4. Viewing the results

Honestly the web front end's display is still nicer, with charts too, but how do you show it in the console?

msf > nessus_report_hosts  9

Host ID  Hostname     % of Critical Findings  % of High Findings  % of Medium Findings  % of Low Findings
-------  --------     ----------------------  ------------------  --------------------  -----------------
2        192.168.1.5  2                       0                   2                     0

The result is correct, but that's a bit too simple... 
You can also look at the details like this

nessus_report_vulns 9

where 9 is the scan ID

msf > nessus_report_vulns 9
Plugin ID  Plugin Name                                                                                                                                                                                      Plugin Family      Vulnerability Count
---------  -----------                                                                                                                                                                                      -------------      -------------------
10114      ICMP Timestamp Request Remote Date Disclosure                                                                                                                                                    General            1
10150      Windows NetBIOS / SMB Remote Host Information Disclosure                                                                                                                                         Windows            1
10287      Traceroute Information                                                                                                                                                                           General            1
10394      Microsoft Windows SMB Log In Possible                                                                                                                                                            Windows            1
10736      DCE Services Enumeration                                                                                                                                                                         Windows            8
10785      Microsoft Windows SMB NativeLanManager Remote System Information Disclosure                                                                                                                      Windows            1
11011      Microsoft Windows SMB Service Detection                                                                                                                                                          Windows            2
11936      OS Identification                                                                                                                                                                                General            1
12053      Host Fully Qualified Domain Name (FQDN) Resolution                                                                                                                                               General            1
19506      Nessus Scan Information                                                                                                                                                                          Settings           1
24786      Nessus Windows Scan Not Performed with Admin Privileges                                                                                                                                          Settings           1
25220      TCP/IP Timestamps Supported                                                                                                                                                                      General            1
26917      Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry                                                                                                                       Windows            1
35716      Ethernet Card Manufacturer Detection                                                                                                                                                             Misc.              1
45590      Common Platform Enumeration (CPE)                                                                                                                                                                General            1
46215      Inconsistent Hostname and IP Address                                                                                                                                                             Settings           1
53513      Link-Local Multicast Name Resolution (LLMNR) Detection                                                                                                                                           Service detection  1
53514      MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)                                                                                             Windows            1
54615      Device Type                                                                                                                                                                                      General            1
57608      SMB Signing Disabled                                                                                                                                                                             Misc.              1
90510      MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock) (uncredentialed check)                                                                                           Windows            1
96982      Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)                                                                                                                     Misc.              1
97833      MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)  Windows            1
100871     Microsoft Windows SMB Versions Supported (remote check)                                                                                                                                          Windows            1

This one is decent at least...

The way to get a download is to generate a file with the nessus_scan_export command, for example

msf > nessus_scan_export 9 html
[+] The export file ID for scan ID 9 is 823941573
[*] Checking export status...
[*] Export status: loading
[*] Export status: ready
[+] The status of scan ID 9 export is ready

At this point we can see we have a file ID! 
Then use the following command!

msf > nessus_report_download 9 823941573
[*] Report downloaded to /home/ubuntu/.msf4/local directory

Then we can see it was generated successfully, and it has content when opened! 
For example, since we generated HTML, open it with

firefox 9-823941573

to view it (the file is in the /home/ubuntu/.msf4/local directory shown above)

5. Importing the Nessus results into Metasploit

First we still need to create the file; note that we need to export it in the .nessus format

msf > nessus_scan_export 9 nessus
[+] The export file ID for scan ID 9 is 2062214253
[*] Checking export status...
[*] Export status: loading
[*] Export status: ready
[+] The status of scan ID 9 export is ready


msf > nessus_report_download 9 2062214253
[*] Report downloaded to /home/ubuntu/.msf4/local directory

Then we need to import it with msf's db_import command

msf > db_import /home/ubuntu/.msf4/local/9-2062214253 
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.1.5
[*] Successfully imported /home/ubuntu/.msf4/local/9-2062214253

To view the results, just enter the following

vulns 192.168.1.5
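The .nessus file exported in section 5 is the "Nessus XML (v2)" document that db_import reads, and the tables printed by nessus_report_hosts and nessus_report_vulns in section 4 are just aggregations over its ReportItem elements. The following is an added example, not code from the article or from the Metasploit plugin: it parses a hand-constructed .nessus sample (plugin IDs and families mirror the report table above; the severities, ports and XML layout are illustrative) and rebuilds the per-host severity counts, the per-plugin counts, and a triage list of the medium-and-above findings.

```python
"""Parse a Nessus XML (v2) export and rebuild the summaries that
nessus_report_hosts / nessus_report_vulns print.  Added example; the
sample below is constructed by hand and is not a real scan result."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample of a .nessus (NessusClientData_v2) export.
# Severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Windows7scan">
    <ReportHost name="192.168.1.5">
      <HostProperties>
        <tag name="host-ip">192.168.1.5</tag>
        <tag name="operating-system">Microsoft Windows 7</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
          pluginID="97833" pluginFamily="Windows"
          pluginName="MS17-010: Security Update for Microsoft Windows SMB Server (4013389)">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
          pluginID="57608" pluginFamily="Misc." pluginName="SMB Signing Disabled">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="0"
          pluginID="10736" pluginFamily="Windows" pluginName="DCE Services Enumeration"/>
      <ReportItem port="49152" svc_name="dce-rpc" protocol="tcp" severity="0"
          pluginID="10736" pluginFamily="Windows" pluginName="DCE Services Enumeration"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
          pluginID="11936" pluginFamily="General" pluginName="OS Identification"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "info"}


def parse_nessus(xml_text):
    """Return one finding dict per <ReportItem> in a Nessus v2 document."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a Nessus XML (v2) document, root is %r" % root.tag)
    findings = []
    for host in root.iter("ReportHost"):
        # Prefer the host-ip property; fall back to the ReportHost name.
        ip = host.get("name")
        for tag in host.iter("tag"):
            if tag.get("name") == "host-ip" and tag.text:
                ip = tag.text.strip()
        for item in host.iter("ReportItem"):
            findings.append({
                "host": ip,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "plugin_id": int(item.get("pluginID")),
                "plugin_name": item.get("pluginName", ""),
                "plugin_family": item.get("pluginFamily", ""),
                "severity": int(item.get("severity", "0")),
            })
    return findings


def host_summary(findings):
    """Per host: number of findings in each severity band (cf. nessus_report_hosts)."""
    summary = defaultdict(lambda: {name: 0 for name in SEVERITY_NAMES.values()})
    for f in findings:
        summary[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return dict(summary)


def vuln_summary(findings):
    """Per plugin (id, name, family): number of report items (cf. nessus_report_vulns).
    A plugin that fires on several ports is counted once per port, which is
    why DCE Services Enumeration shows a count of 8 in the table above."""
    counts = Counter((f["plugin_id"], f["plugin_name"], f["plugin_family"])
                     for f in findings)
    return sorted(counts.items())


def actionable(findings, min_severity=2):
    """Findings at or above a severity threshold, highest first: the ones to
    triage before the informational noise that dominates the full list."""
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=lambda f: (-f["severity"], f["plugin_id"]))


if __name__ == "__main__":
    fs = parse_nessus(SAMPLE_NESSUS)
    for host, counts in host_summary(fs).items():
        print(host, counts)
    for (pid, name, fam), n in vuln_summary(fs):
        print(f"{pid:<7} {name[:60]:<60} {fam:<10} {n}")
    for f in actionable(fs):
        print(f"{SEVERITY_NAMES[f['severity']]:<9} {f['host']}:{f['port']} {f['plugin_name']}")
```

To run it against a real export, replace SAMPLE_NESSUS with the contents of the file that nessus_report_download wrote under ~/.msf4/local (the 9-2062214253 file in the article). Counting by the severity attribute rather than by risk_factor text keeps the parser independent of plugin wording.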