Sunday, March 29, 2009

Owning with Nessus and Metasploit

Today I'm going to show you how to use Nessus to create a vulnerability report that Metasploit can use to tell us what our target is vulnerable against. Nessus is not included in Backtrack 4, so you either have to go to Nessus's Website or use apt-get. The command for apt-get is...
apt-get install nessus nessusd
Now that you have nessus installed, you need to run "nessusd" in a terminal window. Nessusd is the server side of nessus and it holds all of the plugins. Nessusd will take quite a while to load up, but once it's done, launch the client side of nessus (found in the menu, or run "nessus" in a terminal).

NOTE: You may have to add a user. Use "nessus-adduser" for this.

Now that you have nessus running, in the "Nessusd host" tab, put in the username and password. Now hit "Log in." This should connect nessus to your nessusd server (connecting may take a while). Now go over to the "Target" tab and put in the ip address of your target. Click "Start the scan." After a while, another window will popup with your results. Save them into a file for later (e.g. /root/nessus.nbe).

Now open a terminal window and go to your Metaploit Framework directory (Mine is /pentest/exploits/framework3). Now run ./msfconsole. This will give you the Metasploit prompt and now you can create a database to load our nessus nbe file into.
db_create /root/database.db
This will create the database in our root folder and connect to it. Now do "db_import_nessus_nbe /root/nessus.nbe" which will load in the nessus scan results.

Now do:
db_autopwn -t -x
Metasploit will check the file to see what exploits will work against the machine. Now pick one of the exploits. I'm going to be using "windows/smb/ms08_067" against a windows XP SP2 machine.
use windows/smb/ms08_067
(change it to your exploit). Set the payload that you want. I'm going to be using Meterpreter.
set PAYLOAD windows/meterpreter/bind_tcp
Now set the ip address of your target in the RHOST variable...
Now your ready to exploit!
If everything went well, you should now have a Meterpreter session! I've already filmed this tutorial and I'm doing a little post-production work on it and I should have it uploaded tonight. Again, if you need to contact me, you can reach me at nulbyte [-@-]


  1. the apt-get wont work if i have backtrack three right? cause its still Slackware?

  2. Stephen, I'm sorry it took me so long to respond, but I've been putting up with some real-life stuff. To answer your question: No, apt-get will not work with slackware. You can, however, manually install Nessus. In fact, it's not that hard to manually install. I believe I've done it a couple times when I used to use 3. Good Luck.

  3. im using bt4 beta i get everything working but db_create /root/database.db in metasploit gives me the error unknown command

  4. Very impressive article and also very nice home page