
Metasploit in Practice, Part 1: Vulnerability Scanning with OpenVAS

Attacker: Kali 192.168.205.128

Target: Win2012 R2 192.168.205.130

Note: for installing OpenVAS on Kali, see "Kali: OpenVAS 8.0 Vulnerability Scanning".

1. Load the OpenVAS plugin in Metasploit

To drive OpenVAS from Metasploit, first load the OpenVAS plugin in msfconsole. Typing load and pressing Tab lists the available plugins; load openvas loads the one we need.

msfconsole
load
load openvas

msf > load 
load aggregator        load db_credcollect    load ips_filter        load msfd              load openvas           load sample            load sounds            load token_hunter      
load alias             load db_tracker        load komand            load msgrpc            load pcap_log          load session_notifier  load sqlmap            load wiki              
load auto_add_route    load event_tester      load lab               load nessus            load request           load session_tagger    load thread            load wmap              
load beholder          load ffautoregen       load libnotify         load nexpose           load rssfeed           load socket_logger     load token_adduser     
msf > load openvas 
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] 
[*] OpenVAS integration requires a database connection. Once the 
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*] 
[*] Successfully loaded plugin: OpenVAS      

2. Connect the Metasploit OpenVAS plugin to the OpenVAS server itself

This is done with openvas_connect followed by the user credentials, the server address, the port and an SSL confirmation, as in the command below. The trailing "ok" acknowledges the plugin's warning that it does not verify the OpenVAS server's TLS certificate: acceptable against localhost in a lab, but on an untrusted network the credentials could be captured by a man-in-the-middle. admin/admin are the lab credentials used here; port 9390 is the OpenVAS manager (OMP) port.

openvas_connect admin admin localhost 9390 ok

msf > openvas_connect admin admin localhost 9390 ok
[*] Connecting to OpenVAS instance at localhost:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful      

3. Create a workspace

3-1. View the help

workspace -h

msf > workspace -h
Usage:
    workspace                  List workspaces
    workspace -v               List workspaces verbosely
    workspace [name]           Switch workspace
    workspace -a [name] ...    Add workspace(s)
    workspace -d [name] ...    Delete workspace(s)
    workspace -D               Delete all workspaces
    workspace -r <old> <new>   Rename workspace
    workspace -h               Show this help information      

3-2. Create a workspace named NetScan

workspace -a NetScan

msf > workspace -a NetScan
[*] Added workspace: NetScan      

3-3. Switch to the NetScan workspace

workspace NetScan

msf > workspace NetScan 
[*] Workspace: NetScan      

4. Create a target

Use openvas_target_create to create any number of targets. Running it without arguments prints the usage.

openvas_target_create
openvas_target_create outer 192.168.205.130 Outer_Interface

msf > openvas_target_create 
[*] Usage: openvas_target_create <name> <hosts> <comment>
msf > 
msf > openvas_target_create outer 192.168.205.130 Outer_Interface
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 275520c1-9a9e-4e49-865a-cd22ca4f3c6f
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name   Hosts            Max Hosts  In Use  Comment
--                                    ----   -----            ---------  ------  -------
275520c1-9a9e-4e49-865a-cd22ca4f3c6f  outer  192.168.205.130  1          0       Outer_Interface      

Here we created a target named outer with the IP address 192.168.205.130 and the comment Outer_Interface. Note the target ID, which the scan task needs later: 275520c1-9a9e-4e49-865a-cd22ca4f3c6f

5. Choose a scan policy (config)

Use openvas_config_list to list the available scan configs (policies).

openvas_config_list

msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs

ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast      

Here we choose the Full and fast policy; likewise note its config ID: daba56c8-73ec-11df-a475-002264764cea

6. Create the scan task

The command used here is openvas_task_create.

First, check the target list

openvas_target_list

msf > openvas_target_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name   Hosts            Max Hosts  In Use  Comment
--                                    ----   -----            ---------  ------  -------
275520c1-9a9e-4e49-865a-cd22ca4f3c6f  outer  192.168.205.130  1          0       Outer_Interface      

Then create the scan task

openvas_task_create
openvas_task_create Netscan ScanForVulns <config_id> <target_id>

msf > openvas_task_create 
[*] Usage: openvas_task_create <name> <comment> <config_id> <target_id>
msf > 
msf > openvas_task_create  Netscan ScanForVulns daba56c8-73ec-11df-a475-002264764cea 275520c1-9a9e-4e49-865a-cd22ca4f3c6f
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] f1311593-6ffb-4eef-817f-3c0f1df521b7
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name     Comment       Status  Progress
--                                    ----     -------       ------  --------
f1311593-6ffb-4eef-817f-3c0f1df521b7  Netscan  ScanForVulns  New     -1      

The target ID is the one created in step 4 and the config ID the one chosen in step 5. A Progress value of -1 simply means the task is not running.

Note this task ID as well: f1311593-6ffb-4eef-817f-3c0f1df521b7

7. Start the scan

openvas_task_start
openvas_task_start <task_id>

msf > openvas_task_start
[*] Usage: openvas_task_start <id>
msf > 
msf > openvas_task_start f1311593-6ffb-4eef-817f-3c0f1df521b7
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>cdfbf3e8-cf79-4f5e-a34d-6076457bd16b</report_id></start_task_response></X>      

The task ID is the one obtained in step 6. The plugin prints the raw OMP response; the report_id inside start_task_response (cdfbf3e8-cf79-4f5e-a34d-6076457bd16b) is the report that will hold this scan's results.

8. Check the task progress

Run openvas_task_list repeatedly until Status changes from Running to Done.

openvas_task_list

msf > openvas_task_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name     Comment       Status   Progress
--                                    ----     -------       ------   --------
f1311593-6ffb-4eef-817f-3c0f1df521b7  Netscan  ScanForVulns  Running  94

msf > openvas_task_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name     Comment       Status  Progress
--                                    ----     -------       ------  --------
f1311593-6ffb-4eef-817f-3c0f1df521b7  Netscan  ScanForVulns  Done    -1      
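To show what these msfconsole commands do on the wire, here is an added example (not part of the tutorial or of the Metasploit plugin) that performs steps 2, 4, 6, 7 and 8 directly in OMP, the XML protocol the plugin speaks to the manager on port 9390: authenticate, create_target, create_task, start_task and get_tasks. Element names follow OMP 6/7. It runs offline against scripted replies constructed from the IDs shown above (the start_task reply is the raw response printed in step 7); TlsTransport is an assumed real connection and mirrors the "ok" caveat from step 2.

```python
"""OMP (OpenVAS Management Protocol) exchange behind steps 2, 4, 6, 7 and 8.
Added example, not code from the tutorial or the Metasploit openvas plugin.
Canned replies are constructed from the IDs and raw response the tutorial shows."""
import socket
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr


# --- request builders: escape()/quoteattr() keep a credential or id that
#     contains '<', '&' or '"' from altering the XML we send ---
def req_authenticate(user, password):
    return ("<authenticate><credentials><username>%s</username>"
            "<password>%s</password></credentials></authenticate>"
            % (escape(user), escape(password)))

def req_create_target(name, hosts, comment):
    return ("<create_target><name>%s</name><hosts>%s</hosts>"
            "<comment>%s</comment></create_target>"
            % (escape(name), escape(hosts), escape(comment)))

def req_create_task(name, comment, config_id, target_id):
    return ("<create_task><name>%s</name><comment>%s</comment>"
            "<config id=%s/><target id=%s/></create_task>"
            % (escape(name), escape(comment), quoteattr(config_id), quoteattr(target_id)))

def req_start_task(task_id):
    return "<start_task task_id=%s/>" % quoteattr(task_id)

def req_get_task(task_id):
    return "<get_tasks task_id=%s/>" % quoteattr(task_id)


# --- response handling ---
def parse_response(raw):
    """Return the response element; raise unless its OMP status is 2xx.
    The plugin sends authenticate + command in one write and prints both
    replies wrapped in <X>..</X>; the last child is the command's reply."""
    el = ET.fromstring(raw)
    if el.tag == "X":
        el = list(el)[-1]
    status = el.get("status", "")
    if not status.startswith("2"):
        raise RuntimeError("%s: %s %s" % (el.tag, status, el.get("status_text", "")))
    return el

def task_state(raw):
    """(status, progress) from a get_tasks_response; progress is -1 when idle."""
    task = parse_response(raw).find("task")
    return task.findtext("status"), int(task.findtext("progress") or -1)


class TlsTransport:
    """Assumed real transport. openvas_connect's trailing 'ok' acknowledges that
    the plugin skips certificate verification; verify_cert=False does the same
    and is only acceptable on a trusted lab network."""
    def __init__(self, host="localhost", port=9390, verify_cert=True, cafile=None):
        ctx = ssl.create_default_context(cafile=cafile)
        if not verify_cert:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self.sock = ctx.wrap_socket(socket.create_connection((host, port)),
                                    server_hostname=host)

    def send(self, xml):
        self.sock.sendall(xml.encode())
        return self.sock.recv(1 << 20).decode()   # single read; replies here are short


class ScriptedTransport:
    """Offline stand-in for the manager: answers each request by its tag."""
    def __init__(self, replies):
        self.replies, self.sent = replies, []

    def send(self, xml):
        self.sent.append(xml)
        return self.replies[ET.fromstring(xml).tag]


def run_scan(t, user, password, hosts, config_id):
    """Steps 2, 4, 6 and 7 of the tutorial as one exchange; returns the ids."""
    parse_response(t.send(req_authenticate(user, password)))
    target_id = parse_response(t.send(req_create_target("outer", hosts, "Outer_Interface"))).get("id")
    task_id = parse_response(t.send(req_create_task("Netscan", "ScanForVulns", config_id, target_id))).get("id")
    report_id = parse_response(t.send(req_start_task(task_id))).findtext("report_id")
    return {"target_id": target_id, "task_id": task_id, "report_id": report_id}


# Constructed replies built from the tutorial's ids; the start_task reply is
# the exact text the plugin printed in step 7.
SCRIPTED = {
    "authenticate": "<authenticate_response status='200' status_text='OK'><role>Admin</role>"
                    "<timezone>UTC</timezone><severity>nist</severity></authenticate_response>",
    "create_target": "<create_target_response status='201' status_text='OK, resource created' "
                     "id='275520c1-9a9e-4e49-865a-cd22ca4f3c6f'/>",
    "create_task": "<create_task_response status='201' status_text='OK, resource created' "
                   "id='f1311593-6ffb-4eef-817f-3c0f1df521b7'/>",
    "start_task": "<X><authenticate_response status='200' status_text='OK'><role>Admin</role>"
                  "<timezone>UTC</timezone><severity>nist</severity></authenticate_response>"
                  "<start_task_response status='202' status_text='OK, request submitted'>"
                  "<report_id>cdfbf3e8-cf79-4f5e-a34d-6076457bd16b</report_id></start_task_response></X>",
    "get_tasks": "<get_tasks_response status='200' status_text='OK'>"
                 "<task id='f1311593-6ffb-4eef-817f-3c0f1df521b7'><name>Netscan</name>"
                 "<status>Running</status><progress>94<host_progress/></progress></task></get_tasks_response>",
}

if __name__ == "__main__":
    t = ScriptedTransport(SCRIPTED)   # swap for TlsTransport(verify_cert=False) in the lab
    print(run_scan(t, "admin", "admin", "192.168.205.130", "daba56c8-73ec-11df-a475-002264764cea"))
    print(task_state(t.send(req_get_task("f1311593-6ffb-4eef-817f-3c0f1df521b7"))))
```

parse_response raises on any non-2xx status instead of handing back an empty id, which matters when a script feeds each id into the next command; the msf plugin instead prints the raw XML and leaves the check to the operator.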

9. List the scan reports

openvas_report_list

msf > openvas_report_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of reports

ID                                    Task Name  Start Time            Stop Time
--                                    ---------  ----------            ---------
cdfbf3e8-cf79-4f5e-a34d-6076457bd16b  Netscan    2019-01-20T09:39:11Z  2019-01-20T09:44:11Z      

These reports can be downloaded. To export a report we need its report ID; here it is the one start_task returned in step 7.

10. List all report format IDs

openvas_format_list

msf > openvas_format_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats

ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.      

11. Import the report into the database

Use openvas_report_import followed by the report ID and a format ID. Metasploit's importer parses the raw XML report, so pass the XML format ID (a994b278-1f62-11e1-96ac-406186ea4fc5) rather than the PDF or HTML one.

openvas_report_import <report_id> <format_id>

msf > openvas_report_import cdfbf3e8-cf79-4f5e-a34d-6076457bd16b a994b278-1f62-11e1-96ac-406186ea4fc5
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] Importing report to database.      

12. View the vulnerability database in MSF

Once the report has been imported, use the vulns command to inspect Metasploit's vulnerability database, as shown below:

msf > vulns
[*] Time: 2019-01-20 09:48:02 UTC Vuln: host=192.168.205.130 name=ICMP Timestamp Detection refs=CVE-1999-0524      
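The vulns line above is what Metasploit distils from each result element of the imported XML report: the host, the NVT name and the CVE/BID references. As an added example (not code from the tutorial or from Metasploit), the following parser reads a raw OpenVAS XML report (the a994b278 format used in step 11) and produces the same host/name/refs triples, deduplicating findings reported on several ports and dropping informational Log-level results. The sample report is constructed: its first result mirrors the ICMP Timestamp finding shown above, the others are made-up informational or duplicate results, and the nvt oid values are placeholders.

```python
"""Parse a raw OpenVAS XML report (format a994b278-1f62-11e1-96ac-406186ea4fc5)
into the host/name/refs triples msf's `vulns` prints after openvas_report_import.
Added example; not code from the tutorial or Metasploit."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of the OMP raw XML report (trimmed). The first
# result mirrors the finding the tutorial's `vulns` output shows; the second is
# the same NVT reported again on another port; the third is a Log-level result.
# The nvt oid values are placeholders, not real OpenVAS NVT ids.
SAMPLE_REPORT = """<report id="cdfbf3e8-cf79-4f5e-a34d-6076457bd16b" format_id="a994b278-1f62-11e1-96ac-406186ea4fc5" extension="xml">
<report id="cdfbf3e8-cf79-4f5e-a34d-6076457bd16b">
<scan_start>2019-01-20T09:39:11Z</scan_start>
<results start="1" max="-1">
<result id="r1"><host>192.168.205.130</host><port>general/icmp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.1"><name>ICMP Timestamp Detection</name>
    <cvss_base>2.1</cvss_base><cve>CVE-1999-0524</cve><bid>NOBID</bid></nvt>
  <threat>Low</threat><severity>2.1</severity></result>
<result id="r2"><host>192.168.205.130</host><port>general/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.1"><name>ICMP Timestamp Detection</name>
    <cvss_base>2.1</cvss_base><cve>CVE-1999-0524</cve><bid>NOBID</bid></nvt>
  <threat>Low</threat><severity>2.1</severity></result>
<result id="r3"><host>192.168.205.130</host><port>445/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.2"><name>Constructed service detection (informational)</name>
    <cvss_base>0.0</cvss_base><cve>NOCVE</cve><bid>NOBID</bid></nvt>
  <threat>Log</threat><severity>0.0</severity></result>
</results></report></report>"""

THREAT_ORDER = ["Log", "Low", "Medium", "High", "Critical"]   # False Positive/Debug excluded


def _refs(nvt):
    """CVE and BID lists from an <nvt>; OpenVAS writes NOCVE/NOBID when empty."""
    refs = []
    if nvt is None:
        return refs
    for tag, prefix, none in (("cve", "", "NOCVE"), ("bid", "BID-", "NOBID")):
        for v in (nvt.findtext(tag) or "").split(","):
            v = v.strip()
            if v and v != none:
                refs.append(prefix + v)
    return refs


def parse_results(xml_text):
    """Yield one dict per <result>; handles the nested <report><report> wrapper."""
    root = ET.fromstring(xml_text)
    for res in root.iter("result"):
        nvt = res.find("nvt")
        # findtext returns the text before any child, so <host>ip<asset/></host> works too
        yield {
            "host": (res.findtext("host") or "").strip(),
            "port": (res.findtext("port") or "").strip(),
            "oid": nvt.get("oid", "") if nvt is not None else "",
            "name": ((nvt.findtext("name") if nvt is not None else None) or res.findtext("name") or "").strip(),
            "threat": (res.findtext("threat") or "").strip(),
            "refs": _refs(nvt),
        }


def vulns(xml_text, min_threat="Low"):
    """Findings at or above min_threat, one line per (host, NVT), in the shape
    of msf's `vulns` output. Duplicates across ports collapse to one line."""
    floor = THREAT_ORDER.index(min_threat)
    seen, out = set(), []
    for r in parse_results(xml_text):
        if r["threat"] not in THREAT_ORDER or THREAT_ORDER.index(r["threat"]) < floor:
            continue
        key = (r["host"], r["oid"])
        if key in seen:
            continue
        seen.add(key)
        out.append("host=%s name=%s refs=%s" % (r["host"], r["name"], ",".join(r["refs"]) or "-"))
    return out


def threat_counts(xml_text):
    """Per-threat-level tally, handy for cross-checking against the Greenbone UI."""
    return Counter(r["threat"] for r in parse_results(xml_text))


if __name__ == "__main__":
    for line in vulns(SAMPLE_REPORT):
        print(line)
    print(dict(threat_counts(SAMPLE_REPORT)))
```

Pass the XML text fetched with openvas_report_download (XML format) to vulns(); use min_threat="Log" when the informational results are wanted as well, and compare threat_counts() with the totals shown in the Greenbone Security Assistant in step 13.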

13. Access via the browser

All findings are now stored in the Metasploit database. We can also log in to the Greenbone Security Assistant on port 9392 in a browser to cross-check the number of findings and look into their details, as shown in the figure below: