Vulnerability scanning is part of penetration testing. A vulnerability scanner is an automated program designed to look for weaknesses in computer systems, networks, and applications. There are many vulnerability scanners available for penetration Testing. But here we use Metasploit framework for scanning vulnerability.
Various operating systems respond differently because of the different networking implementations in use. These unique responses that vulnerability scanner uses to determine the operating system version and even its patch level. A vulnerability scanner can also use a given set of user credentials to log into the remote system and enumerate the software and services to determine whether they are patched.
The scanner presents a report outlining any vulnerability detected on the system. That report can be useful for both network administrators and penetration testers.
Banner Garbing with Netcat:-
Let’s look at basic scan using “Netcat”. We use netcat to grab a banner from the target. Banner grabbing is the act of connecting to a remote network service and reading the service identification? Many network services such as web, file transfer, and mail servers return their banner either immediately upon connecting to them or in response to a specific command.
#nc 192.168.20.134 80
Vulnerability scans often contain many false positives (reported vulnerability where none exists) and false negatives (failure to log vulnerability where one exists) due to subtle differences in system and application configurations.
Let’s take a look at some of the more useful vulnerability scanners, including Nessus, and some specialized scanners.
Vulnerability Scanning with Nessus:-
Nessus is the vulnerability management solution to analyze vulnerabilities, controls, and configurations to find who, what, and where of IT security risk. Tenable Network Security offers multiple versions of Nessus.
Metasploit’s Nessus plug-in lets you launch scans and pull information from Nessus scans via console.
· After you have downloaded and installed Nessus, open your web browser and navigate to
· Accept the certificate warning, and log into Nessus using the credentials you created during installation.
· You should see the Nessus login window, as shown below.
You should see the Nessus window after login, as shown below.
Creating a Nessus Scan Policy:
Before beginning a scan, you first need to create a Nessus scan policy. On the Policies tab, click the green Add button to open the policy configuration window and select Basic Network Scan shown below:
Basic Scan contains three steps to configure Basic Network Scan Policy. So we select Basic Network Scan from the list and fill details shown as below:
Now next step is select scan type. In this case we scan internal Network Scan, So we choose Internal from dropdown list as shown bellow :
Now final step is fill credentials to detect missing patches and client-side Vulnerabilities As show below:
When you are done with your selections, click Submit to save the new policy. Your newly added policy should be displayed under Policies.
Running a Nessus Scan:
After you have created a scan policy, you are ready to configure a scan.
Select the Scans tab, and then click the New Scan button to open the scan configuration window. Fill credentials as shown bellow button:
In our example, we are scanning only one host, but you can also enter IP address ranges in CIDR notation or even upload a file containing the addresses of the targets you want to scan. When you are satisfied with the scan configuration, click Launch.
After the scan is complete, click on scan and then you can see its status. Now import report as shown below:
Importing Results into the Metasploit Framework:
Now let’s import our results into the Metasploit Framework.
Click the Export button to save the results to your hard drive. The default file format for Nessus reports is “.nessus” that can be supported by Metasploit. So export report as Nessus as shown below:
Load msfconsole, and import the Nessus results file by entering db_import followed by the report filename.
To verify that the scanned host and vulnerability data was imported properly, enter hosts as shown next. This should output a brief listing with the target IP address, the number of services detected, and the number of vulnerabilities found by Nessus.
For a complete listing of the vulnerability data that was imported into Metasploit. Enter vulns command as shown below:
These vulnerabilities are use during your pentesting.
Scanning Vulnerability using Nessus Metasploit’s Plug-in:
The Nessus allows you to control Nessus completely through the Metasploit Framework. Run scans, interpret results, and launch attacks based on the vulnerabilities identified through Nessus.
First destroy the existing database. We can destroy database using db_destroy command and create a new one using db_connect in older version of Metasploit Framework. But now days we use Workspace command to do same. So delete previous pentesting results as shown below:
Load the Nessus plug-in by running load nessus and Running the command nessus_help will display all of the commands that e plug-in supports. As shown below:
Before starting a scan with nessus plug-in, you first need to authenticate to your Nessus server using nessus_connect command.
As with the GUI version of Nessus, you need to initiate a scan using a defined policy by its policy ID number. To list the available scan policies on the server, use nessus_policy_list
Take policy ID to use for your scan, and then launch a new scan with nessus_scan_new followed by the policy number, a name for your scan, and your target IP address as shown below.
While your scan is in progress, you can see its status by running the nessus_scan_status command. When this command’s output responds with “No Scans Running,” as shown next, you will know that your scan has completed.
After the scan has completed, you can list the available scan reports with the nessus_report_list command. Identify the ID of the report you want to import and enter nessus_report_get to download the report and import it into the Metasploit database automatically.
You can use hosts to verify that the scan data was imported successfully.
SMB Logins vulnerability scanning:
To check the validity of a username and password combination, use the SMB Login Check Scanner to connect to a range of hosts. As you might expect, this scan is loud and noticeable, and each login attempt will show up in the event logs of every Windows machine.
After selecting the smb_login module with use, you can run show_options to see the settings listed under the required column. Metasploit allows you to specify a username and password combination, a username and password list, or a combination of either. Also set RHOSTS and THREADS.
Now run our scan using run command. The result is shown bellow.
Most of the time it’s not working, but don’t worry. It’s a part of penetration testing. Penetration testing is not an easy thing at all. Keep testing and testing and you get success. It’s a rule of penetration testing process. So don’t panic for not success.
Vulnerability scanning with Metasploit’s WMAP plug-in:
WMAP is a good web vulnerability scanner. And it was originally created from a tool named SQLMap. This tool is integrated with Metasploit and allows us to conduct webapp scanning. So in this topic we will discuss about WMAP.
So we need to launch msfconsole and load WMAP plug-in as shown below.
Now type help and it will show all usage commands for wmap. We can show bellow screenshot.
Now we need to add site using Wmap_site command. The syntax is wmap_sites -a
. Here we hosted a web application in our local
machine that’s why we add local ip address. So let’s add site as shown below.
After creating site we can check our added sites by typing wmap_sites -l and it will list all sites.
Now we need to add the target. By typing the wmap_targets -h command for listing all wmap_targets usage options. And add our target using –d option. So syntax is wmap_target –d ID as shown below.
We can see that, it loaded the target address. Now we can check the list to see if our target is added or not using wmap_targets –l command.
Now the target is successfully added and we can run our wmap for scanning the web applications. We use wmap_run command to do scan. But before running this command, check all the usage options. Type in wmap_run –h.
Now we can see in the usage option -t is for checking all enabled modules. so we used –t for scanning by typing wmap_run –t command.
Now start scanning by typing wmap_run -e command. And it will start scanning with all enabled modules as shown bellow.
It will take some time. And it’s depending on how big the application is. After completion of scanning, it will look like this.
We can check all vulnerabilities by typing vulns command. As you can see above tutorials Metasploit is power full framework for penetration tester.
A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. And it’s a part of penetration testing. If you do not know target vulnerability then you cannot success most of the time during your penetration testing process.