Aggressive Scan (w/o safe checks) on Metasploitable machine with Nessus and the Exploitation with Metasploit 💡
🌟 Use an aggressive scan to find as many vulnerabilities as possible.
💡 Preparation:
👉 Prerequisites: A Kali machine and a Metasploitable machine on the same network. In my case, I have both machines in my VirtualBox.
Check whether nessusd is running with the “service nessusd status” command. If it is not, start it with the “service nessusd start” command. In addition, “netstat -tnlp” shows whether nessusd is listening (on TCP port 8834 by default).
Navigate to the Nessus web interface at https://127.0.0.1:8834, then log in to your Nessus account with your username and password.
Click New Scan > Advanced Scan.
The target of this scan is set to 10.0.2.4, which is my Metasploitable machine.
I will simply accept the defaults in this section.
Under the Assessment section, I leave everything at the default except “Perform thorough tests”, which is ticked.
“Override normal verbosity” is ticked so that the report contains as much information as possible.
Under the Advanced options, untick “Enable safe checks”. On a normal production network, leave this box ticked, because you do not want to take down production systems while scanning.
👉 Note: For our purpose here, however, we want to gather as much information as possible, so we untick it.
Navigate to Credentials and select SSH. Since we know the username and password for the Metasploitable machine, we enter those credentials here: change the authentication method to “password” and enter the Metasploitable machine’s username and password (“msfadmin”).
Plugins are left at the default. If you want, you can disable the plugins related to Windows machines, since the target Metasploitable machine runs Linux.
Start Scanning:
Click the triangle (launch) button to start the scan.
The scan takes 14 minutes to complete. Next, we look at the vulnerability report.
All the vulnerabilities found on the Metasploitable machine are recorded here. The scan configuration affects the results, so with different settings the target system may have more vulnerabilities found and reported in this section.
Start checking on the vulnerabilities:
Note: If a vulnerability exists but is not found by the scan, we call it a false negative.
I will select one of the critical vulnerabilities for demonstration, “Bind Shell Backdoor Detection”. The description says that a shell is listening on the remote port without any authentication required. This is obviously a backdoor, on port 1524.
👉 Let’s check whether the finding is a true positive.
Go to the terminal and use netcat to connect to the target IP and target port. Now we are in and have a shell on the Metasploitable machine.
Since we are root, we can access all the important files, such as the shadow file, which contains the hashes of the users’ passwords.
👉 Well, that was too simple. Let’s try something more challenging.
As you know, the findings are arranged by severity level. The items at the bottom of the list are Info level: they are not vulnerabilities but are nice to know, and they are listed separately from the vulnerability details.
Here, I selected an Info level finding, which should not be a vulnerability at all. We will try to look for exploits for vsftpd with the Metasploit Framework.
Note that it is a good approach to scan the open ports of the target system in the background meanwhile.
Run msfconsole, the Metasploit Framework console, in another terminal.
Let’s search for a vsftpd exploit; one backdoor exploit is found. Let’s try this exploit.
Now we use the exploit we found.
Use show payloads to see the payloads that can be used with this module; only one is found, and it will be used for the exploitation.
Set the payload we need.
Type show options to see the parameters of the exploit and of the payload.
Set RHOST (remote host) to the Metasploitable machine’s IP address, 10.0.2.4.
The remote port is the same as in the Nessus information, port 21. These are the only two options required for the vsftpd exploitation.
Here we found another way into the system, even though the Nessus finding was only at the Info severity level.
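As an added example (not part of the original write-up), here is a small Python triage script run over a constructed .nessus export that contains the two findings discussed above: the Critical bind-shell item on port 1524 and the Info-level vsftpd banner on port 21. It sorts findings by severity and separates rated vulnerabilities from Info items that still deserve a manual true-positive check; the plugin IDs are placeholders and the watch list of service names is an assumption.

```python
import xml.etree.ElementTree as ET
# Constructed .nessus (NessusClientData_v2) fragment mirroring the two findings
# discussed on this page. Plugin IDs are placeholders, not real Nessus plugin IDs.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="Metasploitable aggressive scan">
    <ReportHost name="10.0.2.4">
      <ReportItem port="1524" protocol="tcp" svc_name="wild_shell" severity="4"
                  pluginID="PLACEHOLDER-1" pluginName="Bind Shell Backdoor Detection">
        <description>A shell is listening on the remote port without any authentication being required.</description>
      </ReportItem>
      <ReportItem port="21" protocol="tcp" svc_name="ftp" severity="0"
                  pluginID="PLACEHOLDER-2" pluginName="FTP Server Detection">
        <plugin_output>vsFTPd 2.3.4</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4, "Unknown": 5}

def parse_nessus(xml_text):
    """Return one dict per ReportItem with host, port, severity label, plugin and output."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": SEVERITY.get(item.get("severity"), "Unknown"),
                "plugin": item.get("pluginName"),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    # Highest severity first, then port, matching how the Nessus UI orders findings
    return sorted(findings, key=lambda f: (ORDER[f["severity"]], f["port"]))

def triage(findings, watch_list=("vsftpd",)):
    """Split rated vulnerabilities from Info-level banners that name a watched service."""
    # watch_list is an assumed set of service names to cross-check by hand (the page's
    # vsftpd case); an Info item is only a banner, not a vulnerability, until verified.
    vulns = [f for f in findings if f["severity"] != "Info"]
    leads = [f for f in findings if f["severity"] == "Info"
             and any(name in f["output"].lower() for name in watch_list)]
    return vulns, leads

if __name__ == "__main__":
    for f in parse_nessus(SAMPLE_NESSUS):
        print(f"[{f['severity']}] {f['host']}:{f['port']} {f['plugin']} {f['output']}")
```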