INTRODUCTION TO METASPLOIT PART-2 >> INFORMATION GATHERING - HACKING LIKE A PRO


Thursday 22 January 2015


INFORMATION GATHERING

Nmap

Nmap uses raw IP packets to determine whether a host is up, whether it is behind a firewall, which ports are open, and which services (and which versions of them) are listening on the remote system. Nmap's GUI is called Zenmap, but we will not be using it today. Nmap is not part of Metasploit itself; it is a separate tool that BackTrack already ships with, and msfconsole hands any command it does not recognise to the system shell, so you can run it from inside the Metasploit console without downloading anything. Open the Metasploit console and type: nmap (IP address) -(the options you want). If you have a database connected, db_nmap takes the same options, runs the same scan and stores the hosts and services it finds for later use.
For example:
Code:

nmap 192.168.2.104 -sV

This lists the services that are running and their versions. Outdated versions are the ones most likely to have a public exploit, so note them down.

Take note of the service name. For example, if you see MSRPC running on port 135, then in the Metasploit console type:
Code:

search MSRPC 

This returns every module whose name or description matches the term, auxiliary modules included, so read the list before picking one. But what if we got this as a scan result?
Code:

445/tcp   open  microsoft-ds    # SMB directly over IP

We could also go to http://www.metasploit.com and type the service name into the search box. It might return a matching exploit. So let's paste Microsoft-DS into the search engine and, woah, we got a match:
Code:

ms08_067_netapi

A name match is not proof that the target is vulnerable. This module only works against unpatched older Windows versions (Windows 2000, XP and Server 2003 are in its target list), so compare the version string nmap -sV reported with the module's targets, and run the module's check command before you run exploit.

ExploitDB is also very useful (http://www.exploit-db.com).

You will often find yourself in a situation where the target is behind a firewall that drops ping probes. By default nmap skips hosts that do not answer its host discovery, so to scan the ports anyway, tell it to assume the host is up:
Code:

nmap (IP) -sV -Pn 

Note that -Pn does not get you through the firewall; it only skips host discovery. Ports the firewall blocks will still show up as filtered.
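The "note the service name, then search" step above becomes repeatable if you save the scan in Nmap's grepable format and script it. The following is an added example, not code from the original post. The scan output inside it is constructed sample data in -oG format (not a real scan), and open_services, msf_resource and the file name scan.gnmap are names chosen for this example:

```shell
#!/bin/sh
# Added example, not code from the original post: turn an Nmap grepable
# (-oG) result into a list of open services, then into a Metasploit resource
# script that repeats the "note the service name, then search" step for every
# open port.  Real usage (not run here):
#   nmap -sV -Pn -oG scan.gnmap 192.168.2.104
#   msf_resource 192.168.2.104 < scan.gnmap > scan.rc && msfconsole -r scan.rc
#
# SAMPLE_GNMAP is CONSTRUCTED sample output in -oG format (one host, three
# open ports, one filtered port); it is not a real scan.  Each -oG port entry
# is laid out as port/state/protocol/owner/service/rpcinfo/version/ and Nmap
# rewrites any "/" inside a field as "|", so splitting on "/" is safe.
SAMPLE_GNMAP=$(printf '%s\t%s\n%s\t%s\t%s\n' \
    'Host: 192.168.2.104 ()' 'Status: Up' \
    'Host: 192.168.2.104 ()' \
    'Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///' \
    'Ignored State: closed (996)')

# open_services: read -oG output on stdin and print "host port/proto service [version]"
# for every port whose state is "open" (filtered and closed ports are skipped).
open_services() {
    awk -F'\t' '/\tPorts: / {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        ports = $2; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] != "open") continue
            printf "%s %s/%s %s", host, f[1], f[3], f[5]
            if (f[7] != "") printf " %s", f[7]
            printf "\n"
        }
    }'
}

# msf_resource HOST: read -oG output on stdin and write an msfconsole resource
# script: re-run the scan with db_nmap so the results land in the database
# (requires a connected database), then one "search" per distinct service name.
msf_resource() {
    printf 'db_nmap -sV -Pn %s\n' "$1"
    open_services | awk '{ print $3 }' | sort -u | while read -r svc; do
        printf 'search %s\n' "$svc"
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_GNMAP" | open_services
printf '%s\n' "$SAMPLE_GNMAP" | msf_resource 192.168.2.104
```

The filtered 3389 entry is dropped on purpose: a filtered port tells you the firewall is in the way, not which service is behind it, so there is nothing useful to search for yet. Feed the generated scan.rc to msfconsole -r once the database is connected (the database setup is covered later in this tutorial).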

Over time you will memorize a lot of exploits. But always remember that there is much more to learn, you just must be willing to give it a shot.

Nessus

Nessus is the world's leading and most popular vulnerability scanner for a good reason. It's awesome. It checks the target against a large plugin database and reports the vulnerabilities it finds (no scanner finds all of them, so treat the report as a starting point, not the final word). It makes the job much easier because you can import a Nessus scan into Metasploit, which then matches the reported vulnerabilities to the exploit modules you need. For that you need to create a database, which I will cover later in this tutorial. Okay, so let's start!
First we need to make an account.

Go to (http://www.nessus.org/products/nessus/ne...ation-code) and register.

The activation code will be sent to your email address; copy it. Now open the BackTrack console and type:
Code:

/opt/nessus/bin/nessus-fetch --register *Your code*

Nessus will start fetching the latest plugins. This might take a while, so be patient. Next, create a new user by typing:
Code:

/opt/nessus/sbin/nessus-adduser

Input your username and password. That's it. Now we need to start Nessus itself. In the console, type:
Code:

/etc/init.d/nessusd start

You have successfully installed Nessus on BackTrack.

Open the Nessus interface by going to this address in your browser. Nessus serves its web interface over HTTPS on port 8834 with a self-signed certificate, so accept the certificate warning:
Code:

https://127.0.0.1:8834


Input your username and password and you're in. Nessus has some pretty cool features. You can add your own policies by clicking on the Policies tab; there you can enable or disable Nessus scan options.

Let's continue. Click Scans and then hit Add. Input a scan name, a policy, and the address(es) you want to scan.
For a local network scan choose a policy meant for internal networks. For scanning over the Internet choose a policy that scans external IPs. After the scan is complete, click on it and then click Download Report. Save it as .nbe, one of the formats Metasploit's db_import reads.
This can later be used for automated exploitation.
