Performing a vulnerability assessment with only nmap is insufficient, since the number of known vulnerabilities keeps growing day after day. Many new vulnerabilities are reported within a single month, so it is recommended that you use more than one vulnerability scanning tool. In the previous chapter, we saw how to export the output of an nmap scan to an XML file; here, we will learn how to integrate that nmap output with Metasploit for vulnerability assessment purposes.
We first have to set up and update Metasploit on the Kali Linux machine.
One thing to note is that, for demonstration purposes, we have added more services to the Windows operating system so that the activity is easier to follow, since by default only a handful of ports are shown open. To prepare for the activity, we perform a scan of the Windows machine and save the output as XML:
nmap -sT -oX Windows.xml <IP Address>
The file will be saved in the current working directory of your terminal.
service postgresql start
service metasploit start
The output will be as shown in the following screenshot:
msfconsole
The output will be as shown in the following screenshot:
db_import /root/Windows.xml
db_import <path to the file>
The command imports the file from the specified path. Make sure you import from the path where you actually saved the file.
services -p 445 -R
The output for this will be as follows:
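To make clear what db_import actually ingests and what services -p 445 -R then selects from it, here is an added Python example (not code from the book or from Metasploit). It parses the nmap -oX report format into host records and filters them by an open TCP port, which is the same selection the services command performs. The XML document embedded below is constructed for the example; the 192.0.2.x addresses are documentation-range placeholders, not real hosts.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of what `nmap -sT -oX Windows.xml <IP Address>` writes.
# Three hosts: one with 445 open, one with 445 filtered, one that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -oX Windows.xml 192.0.2.0/29" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="win-lab-1" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Host:
    """One host record, roughly what db_import stores per address."""
    address: str
    hostname: Optional[str]
    services: Dict[int, str] = field(default_factory=dict)  # open TCP port -> service name


def import_nmap_xml(xml_text: str) -> List[Host]:
    """Parse an nmap -oX report into Host records, keeping only hosts that are up
    and only ports nmap reports as open (closed/filtered ports are not services)."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML report")
    hosts: List[Host] = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        hn = h.find("hostnames/hostname")
        host = Host(addr_el.get("addr"), hn.get("name") if hn is not None else None)
        for p in h.findall("ports/port"):
            state = p.find("state")
            if p.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = p.find("service")
            host.services[int(p.get("portid"))] = svc.get("name") if svc is not None else "unknown"
        hosts.append(host)
    return hosts


def hosts_with_port(hosts: List[Host], port: int) -> List[str]:
    """Equivalent of `services -p <port> -R`: addresses that have that TCP port open."""
    return [h.address for h in hosts if port in h.services]


if __name__ == "__main__":
    imported = import_nmap_xml(SAMPLE_NMAP_XML)
    for host in imported:
        print(host.address, host.hostname or "-", sorted(host.services.items()))
    print("hosts with 445/tcp open:", hosts_with_port(imported, 445))
```

Two details of the filter matter in practice. A host that is down, or a port in the filtered state, never becomes a service, which is why a scan taken while a host firewall was blocking 445 will silently leave that host out of RHOSTS. And xml.etree is fine for reports your own scanner produced; if you ingest scan XML handed to you by someone else, parse it with defusedxml instead, since the standard parser will happily expand hostile entity declarations.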
use auxiliary/scanner/smb/smb_enumshares
The output will be as shown in the following screenshot:
Now enter run or exploit in the Metasploit console; both commands work for the job. The output will be as shown in the following screenshot:
use auxiliary/scanner/smb/pipe_auditor
A named pipe serves as an endpoint for communication; it is a logical connection between the client and the server. An SMB named pipe is one carried over a Server Message Block connection. If we are lucky, we might be able to retrieve information such as the available public shares.
Once you are done, you can check that all the parameters are entered properly. Since a few options must be set before the module can be run, you can use the following commands:
show options
run
It should look like this:
ms08_067_netapi attacks all Windows versions earlier than Windows XP Service Pack 2. Let's try and find out if our live host is vulnerable to this attack. Enter the following to load the ms08_067_netapi module in the Metasploit window:
use exploit/windows/smb/ms08_067_netapi
To check if the IP is vulnerable, use the check command, and you will get output stating whether it can be a successful attack vector:
As you can see, the target is vulnerable.
As you can see, we first imported the nmap result into Metasploit. This is very convenient when we have a bulk list of IP outputs from nmap, as we can import all of them and perform the vulnerability assessment phase at our convenience. Let us have a look at what each of the preceding commands does:
service postgresql start: This starts the PostgreSQL service.
service metasploit start: This starts the Metasploit client service.
msfconsole: This starts the Metasploit console.
db_import: This command allows Metasploit to import the nmap result from the XML file and adds it to the database containing the host list, with all the information available via nmap.
services -p <port no> -R: This command shows the service running on the specified port and, if an IP exists which satisfies the criteria, adds it to the Metasploit host list via the -R option.
use <scanning module>: The use command selects the module you want to work with from Metasploit.
check: In certain scenarios Metasploit allows the user to run the check command, which in turn fingerprints the service and tells us whether it is vulnerable or not. However, it will not work in the case of DDoS modules.