Metasploit Community Unleased

A few weeks ago, I saw a message on the Metasploit mailing list (which you should also join, or at least follow on  seclists.org) regarding Metasploit Community Edition. The fine folks at Offensive Security have an outstanding training site covering the Metasploit Framework, but do not cover the Community Edition. While by no means is this on the same level as Metasploit Unleashed, I  present to you...


Metasploit Community Unleashed


Background

Metasploit Community Edition is a free subset of the paid versions of Metasploit available from Rapid 7. It is initendied to simplify network discovery and vulnerability verification.
Further information about this excellent project can be obtained at: http://www.rapid7.com/products/metasploit-community.jsp

To install Metasploit Community on Backtrack, simply type apt-get install Metasploit at a shell prompt. The wizards at backtrack-linux made the install seamless.

Once the install is complete, start the Metasploit web interface, by selecting the Backtrack Miscellaneous menu or /opt/metasploit/ctlscript.sh start. Metasploit Community Edition runs as a ssl web application on port 3790. On first run, you must license your copy with Rapid 7 and create a user.

Metasploit Community Edition Scanning

Begin by creating a new project and filling in the project name, description and network range. On the new workspace select the scan button. Enter the IP address or range to scan. Selecting  Show Advanced Options  allows fine grained tuning of the scan details including adding specific nmap scanning options. exclusions and timing options.

Once the scan is completed, the analysis section can be used to sort the discovered devices.

Clicking on Hosts will provide a summary of what was found.

You can also import scans from a variety of different vulnerability scanners. Metaspolit Community Edition will parse through the vulnerabilities and display the relevant Metasploit modules.

To run  Metasploit modules against discovered devices, check zero or more devices in the Anlysis section and click on the Modules icon, or select the Modules section.

Search the modules to find the Metasploit module to run. Search keywords can be used as shown in the example for smb version scanning.

Depending on the module selected, extra options may need to be provided.

Exploiting 

Select services and we cam see that one of our targets is running Windows XP SP2 so we will attempt to run the exploit for MS08-067 against it.  

In the analysis section, select the XP machine and click on Modules and search for ms08-067. By default, a Meterpreter TCP connection will be used as the payload.

After a succesful exploit click on session and then click on the new session. Several ways are available to interact with the system including shells, file browsing and the numerous Post Exploitation Modules available in Metasploit.

Have Fun and consider making a donation to Hackers for Charity http://www.offensive-security.com/metasploit-unleashed/Donate

Nessus and WSUS

Tenable recently added the ability to query various patch deployment management systems to get the patching status of the system being scanned.

This is a handy feature when you can not use scans in order to query the scanned system directly because of credential or port restrictions.

The set up is explained very well at http://blog.tenablesecurity.com/2011/12/wsus-patch-management-and-nessus.html.

When testing in my environment, the WSUS scan was not working. Looking at the event logs on the WSUS server, showed several account logon failures. A little searching  lead me to make the changes detailed in http://technet.microsoft.com/en-us/library/cc720470(WS.10).aspx and voilà...patch management status and other vulnerability details all in one handy report.