Lab 3

The document outlines the process of vulnerability scanning using the Metasploit Framework, highlighting tools such as the SMB Login Check and VNC Authentication Check. It discusses the importance of understanding the limitations of vulnerability scanning, including high false positive and negative rates. Additionally, it introduces WMAP for web application scanning and provides steps for conducting scans with Nexpose and Nessus.

Uploaded by Dagim Mengesha
Vulnerability Scanning with Metasploit


Discovery Through Vulnerability Scanning

• Vulnerability scanning will allow you to quickly scan a target IP range looking for known vulnerabilities, giving a penetration tester a quick idea of what attacks might be worth conducting.
• When used properly, this is a great asset to a pen tester, yet it is not without its drawbacks. Vulnerability scanning is well known for a high false positive and false negative rate. This has to be kept in mind when working with any vulnerability scanning software.
• Let's look through some of the vulnerability scanning capabilities that the Metasploit Framework can provide.
SMB Login Check

• A common situation to find yourself in is being in possession of a valid username and password combination, and wondering where else you can use it. This is where the SMB Login Check Scanner can be very useful, as it will connect to a range of hosts and determine if the username/password combination can access the target.
• Keep in mind that this is very "loud", as it will show up as a failed login attempt in the event logs of every Windows box it touches.
• Be thoughtful about the network you are taking this action on. Any successful results can be plugged into the windows/smb/psexec exploit module (exactly like the standalone tool), which can be used to create Meterpreter sessions.
• Usage
– use auxiliary/scanner/smb/smb_login
– set RHOSTS 192.168.1.0/24
– set SMBUser Bit
– set SMBPass 123456
– set THREADS 50
– run
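The slide points out that smb_login leaves a failed logon in the event log of every Windows host it touches. The following is an added example (not part of the lab handout or of Metasploit) showing what that footprint looks like from the defender's side: it parses a handful of constructed Windows Security log records and flags a single source address that fails network logons against many distinct hosts in a short window. Event ID 4625 ("An account failed to log on") and logon type 3 (network logon) are the real Windows values; the flattened key=value line format, the sample hosts and addresses, and the threshold of 5 hosts within 5 minutes are assumptions chosen for illustration.

```python
"""Spot the footprint of an SMB login sweep in Windows Security logs.

Added example, not from the lab handout: one credential pair tried
against a whole /24 produces a burst of Event ID 4625 records, one per
host, all carrying the same source IpAddress.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a flattened key=value form (not a real export
# format); the field names mirror the Windows Security event attributes.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4625 Computer=WS01 TargetUserName=Bit LogonType=3 IpAddress=192.168.1.50
2024-05-01T10:00:02 EventID=4625 Computer=WS02 TargetUserName=Bit LogonType=3 IpAddress=192.168.1.50
2024-05-01T10:00:02 EventID=4625 Computer=WS03 TargetUserName=Bit LogonType=3 IpAddress=192.168.1.50
2024-05-01T10:00:03 EventID=4624 Computer=FS01 TargetUserName=Bit LogonType=3 IpAddress=192.168.1.50
2024-05-01T10:00:04 EventID=4625 Computer=WS04 TargetUserName=Bit LogonType=3 IpAddress=192.168.1.50
2024-05-01T10:00:05 EventID=4625 Computer=WS05 TargetUserName=Bit LogonType=3 IpAddress=192.168.1.50
2024-05-01T10:00:06 EventID=4625 Computer=WS06 TargetUserName=Bit LogonType=3 IpAddress=192.168.1.50
2024-05-01T10:02:10 EventID=4625 Computer=FS01 TargetUserName=alice LogonType=3 IpAddress=192.168.1.77
2024-05-01T10:31:44 EventID=4625 Computer=FS01 TargetUserName=alice LogonType=3 IpAddress=192.168.1.77
2024-05-01T10:40:00 EventID=4625 Computer=WS07 TargetUserName=bob LogonType=2 IpAddress=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one constructed log line into a dict with typed fields."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["time"] = datetime.fromisoformat(timestamp)
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    return fields


def find_login_sweeps(lines, min_hosts=5, window=timedelta(minutes=5)):
    """Report source IPs whose failed network logons span >= min_hosts
    distinct computers inside any `window`-long interval."""
    by_source = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        # Only failed (4625) network (type 3) logons with a usable source.
        if event["EventID"] != 4625 or event["LogonType"] != 3:
            continue
        if event["IpAddress"] in ("-", ""):
            continue
        by_source[event["IpAddress"]].append(event)

    alerts = []
    for source, events in by_source.items():
        events.sort(key=lambda e: e["time"])
        best = None
        end = 0
        for start in range(len(events)):
            # Slide the window forward: `end` is the first event outside it.
            while end < len(events) and events[end]["time"] - events[start]["time"] <= window:
                end += 1
            span = events[start:end]
            hosts = {e["Computer"] for e in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"hosts": hosts, "span": span}
        if best is not None:
            alerts.append({
                "source_ip": source,
                "hosts": len(best["hosts"]),
                "accounts": sorted({e["TargetUserName"] for e in best["span"]}),
                "first_seen": best["span"][0]["time"].isoformat(),
                "last_seen": best["span"][-1]["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_login_sweeps(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two failures from 192.168.1.77 against the same file server look like a user mistyping a password and are not reported; the burst from 192.168.1.50 against six workstations in five seconds is. The successful 4624 from the same source is deliberately excluded from the count but is exactly the record a responder would pivot to next, since it shows where the sprayed credential actually worked.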
VNC Authentication Check with the None Scanner

• The VNC (Virtual Network Computing) Authentication None Scanner is an auxiliary module for Metasploit.
• This tool will search a range of IP addresses looking for targets that are running a VNC server without a password configured.
• Pretty much every administrator worth his/her salt sets a password prior to allowing inbound connections, but you never know when you might catch a lucky break, and a successful pen-test leaves no stone unturned.
• Usage
– use auxiliary/scanner/vnc/vnc_none_auth
– set RHOSTS 192.168.1.0/24
– set THREADS 50
– run
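What vnc_none_auth actually reports is a server that advertises the "None" security type during the RFB handshake, before any password exchange. The following is an added example (not part of the lab handout or of Metasploit) that decodes that handshake from constructed byte strings, with no network connection, so a defender reviewing a packet capture or auditing their own VNC servers can recognise the condition. The message layout follows RFC 6143 for RFB versions 3.3, 3.7 and 3.8, and the security type numbers come from that RFC and the IANA RFB registry; the four sample handshakes and their reason text are constructed.

```python
"""Decode the RFB security handshake a VNC server sends before any login.

Added example, not from the lab handout or the Metasploit project: it
parses constructed server messages (no live connection) and reports
whether the server offers the "None" security type, which is the
condition vnc_none_auth flags.
"""
import struct

# Security type numbers from RFC 6143 / the IANA RFB registry.
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNCAuth", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def parse_server_version(data):
    """ProtocolVersion is exactly 12 bytes: b'RFB xxx.yyy\\n'."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return int(data[4:7]), int(data[8:11])


def _reason(data):
    """A refused handshake carries a U32 length followed by a reason string."""
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length].decode("latin-1", "replace")


def parse_security_offer(version, payload):
    """Return (list of offered security type numbers, reason text or None)."""
    if version < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a U32; 0 means refused.
        (sec_type,) = struct.unpack(">I", payload[:4])
        if sec_type == 0:
            return [], _reason(payload[4:])
        return [sec_type], None
    # RFB 3.7+: U8 count, then that many U8 type numbers; count 0 means refused.
    count = payload[0]
    if count == 0:
        return [], _reason(payload[1:])
    return list(payload[1:1 + count]), None


def audit(version_bytes, payload):
    """Summarise one server's handshake; none_auth is what vnc_none_auth reports."""
    version = parse_server_version(version_bytes)
    types, reason = parse_security_offer(version, payload)
    return {
        "version": "%d.%d" % version,
        "types": [SECURITY_TYPE_NAMES.get(t, "type-%d" % t) for t in types],
        "none_auth": 1 in types,
        "reason": reason,
    }


# Constructed handshakes (not captures from real hosts).
SAMPLE_OPEN = (b"RFB 003.008\n", b"\x02\x01\x02")          # offers None and VNCAuth
SAMPLE_LOCKED = (b"RFB 003.008\n", b"\x01\x02")            # VNCAuth only
_REASON = b"Too many authentication failures"
SAMPLE_REFUSED = (b"RFB 003.008\n", b"\x00" + struct.pack(">I", len(_REASON)) + _REASON)
SAMPLE_LEGACY = (b"RFB 003.003\n", struct.pack(">I", 1))   # 3.3 server with no auth

if __name__ == "__main__":
    for name, sample in [("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED),
                         ("refused", SAMPLE_REFUSED), ("legacy", SAMPLE_LEGACY)]:
        print(name, audit(*sample))
```

Note that a 3.7+ server can offer "None" alongside VNCAuth (SAMPLE_OPEN); a client is free to pick "None", so the server is just as exposed as one that offers nothing else. The fix on the server side is configuration (require a password, or better, tunnel VNC over SSH or use VeNCrypt/TLS), and this parser makes a useful post-change check against your own hosts.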
Vulnerability Scanning with WMAP

• WMAP is a feature-rich web application vulnerability scanner.
• This tool is integrated with Metasploit and allows us to conduct web application scanning from within the Metasploit Framework.
• We begin by creating a new database to store our WMAP scan results in, loading the wmap plugin, and running help to see what new commands are available to us.
– load wmap
– help
• Prior to running a web app scan, we first need to add a new target URL by passing the -a switch to wmap_sites. Afterwards, running wmap_sites -l will print out the available targets.
– wmap_sites -a https://45.33.49.119
– wmap_sites -l
• Next, we add the site as a target with wmap_targets.
– wmap_targets -t https://45.33.49.119/book/man-target-specification.html
• Using the wmap_run command will scan the target system.
– wmap_run -t
– wmap_run -e
• We can see that WMAP has reported one vulnerability. Running vulns will list the details for us.
– vulns
• Because of our vulnerability scanning with WMAP, we can now use these results to gather further information on the reported vulnerability.
• As pentesters, we would want to investigate each finding further and identify whether there are potential methods for attack.
Lab report (6 points, done in groups)

• Show the necessary steps to scan for vulnerabilities using Nexpose.
• Show the necessary steps to scan for vulnerabilities using Nessus.
