Finding the right vulnerability and exploit from Nessus report in Metasploit


If you have trouble setting up a database in Metasploit, see here.

Once you have already scanned your target using Nessus, download the report as .nessus file.  Run Metasploit and select the .nessus file with db_import /path/to/nessus/file.nessus.  I am running on Metasploit framework-3.6.0 while my Nessus is on 4.4.1Ubuntu 8.04 32bit.  Basically I got this file from either my friend or professor so I did not realize that it was actually Ubuntu 8.04.  It worked so I’m going to stick with it till the end of the month.  To get the latest version of Nessus, click here.  Agree to the license agreement before proceeding.

Next, type db_autopwn -x -t to see the available exploits from the reference that we have added earlier (the .nessus file).   You will see something similar to off below when you have gotten the result.  Please be reminded that I am using Ubuntu 10.10.

With the given result above, you can now use the available vulnerabilities listed.  This way it is much simpler than analyzing the Nessus report.  Metasploit automatically checks whether it have the vulnerability and those that matches with it from the report.  You don’t have to consume time finding the right exploit name or ID for it this way.  Always test with the given permission, never test this on another computer without the authority to do it, especially when you are in an organization.  You never know what kind of trouble you get into.

Not familiar with Nessus itself?  See here!

If you are not familiar with Nessus, you can execute it right from Msfconsole!  Offensive-security.com explains more here.

And few related offensive-security.com links that are pretty useful
1.) Metasploit Unleashed
2.) Nessus via Msfconsole
3.) SMB Login Check
4.) Vulnerability Scanning
5.) Working with Nessus

Other available resources

1.) Owning with Nessus and Metasploit
2.) Tenable Nessus
3.) Installing the Metasploit Project
4.) Everything Nessus
5.) Everything Metasploit

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: