Metasploit mailing list archives

Re: using nessus/nmap along with metasploit


From: egypt () metasploit com
Date: Mon, 16 Aug 2010 12:31:08 -0600

The <> are there to indicate something that you need to provide.  You
don't need them when running the command.  If your filename is hts.xml
and is in the current directory, your command should be
"db_import_nmap_xml hts.xml".  Also, nmap never reports
vulnerabilities, only services (since it is a port scanner, not a
vulnerability scanner), so "db_autopwn -x -t" will never show you any
exploits after only an nmap scan.

egypt

On Mon, Aug 16, 2010 at 11:51 AM, Robert Portvliet
<robert.portvliet () gmail com> wrote:
Was the XML file you used generated by nmap using the -oX switch?

You can use 'db_autopwn -x -t' to show you exploits matched to services.

The easiest way to do all of this is just run db_nmap -A (like you
did); this will run nmap with service & OS scanning as well as any NSE
scripts nmap finds relevant to a given service based on its service
scan. It will then import these findings into the Metasploit database
where you can then (as mentioned above) match exploits to potentially
vulnerable services using 'db_autopwn -x -t'.



On Mon, Aug 16, 2010 at 1:26 PM, Binoy Dalal <lttazz99 () gmail com> wrote:
As you can see, Metasploit was unable to read the nmap file hts.xml. What
could be the reason?
I did manage to get nmap working along with Metasploit. You can see the
report below.


msf > db_connect
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Successfully connected to the database
[*] File: /home/BINOY/.msf3/sqlite3.db
msf > db_add_host 64.32.24.200
[*] Adding 1 hosts...
[*] Time: 2010-08-16 17:14:46 UTC Host: host=64.32.24.200
msf > db_import_nmap_xml <hts.xml>
[*] Could not read the NMAP file

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-16 22:46 India
Standard
msf > db_nmap -A -Pn 64.32.24.200

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-08-16 22:47 India
Standard Time
Nmap scan report for rdns.hackthissite.org (64.32.24.200)
WARNING:  RST from 64.32.24.200 port 22 -- is this port really open?
WARNING:  RST from 64.32.24.200 port 22 -- is this port really open?
WARNING:  RST from 64.32.24.200 port 22 -- is this port really open?
WARNING:  RST from 64.32.24.200 port 22 -- is this port really open?
WARNING:  RST from 64.32.24.200 port 22 -- is this port really open?
WARNING:  RST from 64.32.24.200 port 22 -- is this port really open?
Host is up (0.0083s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh?
53/tcp open  domain?
80/tcp open  http?
Device type: firewall
Running: ZyXEL ZyNOS 3.X
OS details: ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
Network Distance: 1 hop

TRACEROUTE (using port 1720/tcp)
HOP RTT     ADDRESS
1   0.00 ms rdns.hackthissite.org (64.32.24.200)

OS and Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.42 seconds
msf > dn_services
[-] Unknown command: dn_services.
msf > db_services

Services
========

created_at               info  name  port  proto  state  updated_at               Host          Workspace
----------               ----  ----  ----  -----  -----  ----------               ----          ---------
2010-08-16 17:18:24 UTC              22    tcp    open   2010-08-16 17:18:24 UTC  64.32.24.200  default
2010-08-16 17:18:24 UTC              53    tcp    open   2010-08-16 17:18:24 UTC  64.32.24.200  default
2010-08-16 17:18:24 UTC              80    tcp    open   2010-08-16 17:18:24 UTC  64.32.24.200  default


I then did this... did I do it right?
msf > db_vulns
msf > db_autopwn
[*] Usage: db_autopwn [options]
        -h          Display this help text
        -t          Show all matching exploit modules
        -x          Select modules based on vulnerability references
        -p          Select modules based on open ports
        -e          Launch exploits against all matched targets
        -r          Use a reverse connect shell
        -b          Use a bind shell on a random port (default)
        -q          Disable exploit module output
        -R  [rank]  Only run modules with a minimal rank
        -I  [range] Only exploit hosts inside this range
        -X  [range] Always exclude hosts inside this range
        -PI [range] Only exploit hosts with these ports open
        -PX [range] Always exclude hosts with these ports open
        -m  [regex] Only run modules whose name matches the regex
        -T  [secs]  Maximum runtime for any exploit in seconds

msf > db_autopwn -e

It did not return a reverse shell, probably because the victim isn't
vulnerable, but did I use it right or is there more to it?

thanks

On Mon, Aug 16, 2010 at 9:46 PM, Robert Portvliet
<robert.portvliet () gmail com> wrote:

Did you use the -oX switch (saves as xml) to save your nmap output?

Actually, can I see your full syntax for both cases?


On Mon, Aug 16, 2010 at 7:24 AM, Binoy Dalal <lttazz99 () gmail com> wrote:
I tried using db_import_nmap_xml <name.xml> to import scans, but
every time I tried it said: could not read the nmap file.
Am I doing something wrong or is there some problem with my nmap?
Also, I added hosts to the database using the db_add_host command and
then tried db_nmap -A, but every time it said that the host is not up and didn't
scan it. I then tried the same thing using nmap and I got a proper scan
report. I can't figure out where I am going wrong. Please help.
thanks

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


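As an added example (not part of the thread, and not Metasploit's own import code), here is a small Python parser for nmap -oX output that reproduces what db_import_nmap_xml and db_services surface: host, port, protocol, state and service name. It also makes egypt's point concrete: the XML that nmap writes carries only ports and services, no vulnerability references, so after an nmap-only import the only matching possible is by open port (db_autopwn -p), while db_autopwn -x has nothing to key on. The XML sample is constructed by hand to resemble the scan above, and the PORT_MODULES table with its exploit/example/... names is a hypothetical stand-in for a module list, not anything from Metasploit.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -oX" output, shaped like the scan in the
# thread (same host and open ports) but written by hand for this example;
# it is not the real hts.xml and is trimmed to the elements parsed below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -Pn -oX hts.xml 64.32.24.200">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="64.32.24.200" addrtype="ipv4"/>
    <hostnames><hostname name="rdns.hackthissite.org" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/><service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="53">
        <state state="open" reason="syn-ack"/><service name="domain" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/><service name="http" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/><service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <port> element, with the same fields that
    Metasploit's db_services lists (host, port, proto, state, name, info).
    Raises ValueError for input that is not nmap XML, which is the kind of
    input behind a 'Could not read the NMAP file' message."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # ParseError is not a ValueError subclass
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "nmaprun":
        raise ValueError("not nmap XML (root element is <%s>)" % root.tag)
    services = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            services.append({
                "host": addr_el.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name", "") if svc is not None else "",
                "info": svc.get("product", "") if svc is not None else "",
            })
    return services


def open_services(xml_text):
    """Only the open ports: the sole thing an nmap-only import can match on."""
    return [s for s in parse_nmap_xml(xml_text) if s["state"] == "open"]


# Hypothetical port -> exploit-module table, constructed for this example.
# The names are placeholders, not real Metasploit modules.
PORT_MODULES = {
    22: ["exploit/example/ssh_service_bug"],
    80: ["exploit/example/http_server_bug", "exploit/example/http_app_bug"],
    445: ["exploit/example/smb_service_bug"],
}


def match_by_port(services, port_modules=PORT_MODULES):
    """The spirit of 'db_autopwn -p -t': pair every open service with the
    modules that target its port. Port 53 yields nothing because the
    sample table has no DNS module; port 445 yields nothing because it is
    not open. There is no '-x' counterpart here because the parsed records
    carry no vulnerability references at all."""
    return [(s["host"], s["port"], mod)
            for s in services
            for mod in port_modules.get(s["port"], [])]


def print_services_table(services):
    """A db_services-style listing, for running the file by hand."""
    print("%-14s %-5s %-5s %-6s %s" % ("Host", "port", "proto", "state", "name"))
    for s in services:
        print("%-14s %-5d %-5s %-6s %s"
              % (s["host"], s["port"], s["proto"], s["state"], s["name"]))


if __name__ == "__main__":
    svcs = open_services(SAMPLE_NMAP_XML)
    print_services_table(svcs)
    print("port matches:", match_by_port(svcs))
```

Run it as a script to see the three open ports and the port-keyed matches; feed it a real file with `parse_nmap_xml(open("hts.xml").read())`, which must have been produced with `-oX`, since normal or grepable nmap output fails the well-formedness check exactly as the import in the thread did.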