
Hunting for Vulnerabilities using Metasploit

Steps:
1. Installing Nessus in Kali
Exploit Dataset

- Predefined in the system (Kali machine)
- For a particular vulnerability, which exploits are available
- In the inbuilt exploit database we are going to perform searches using the manual method
- For a particular vulnerability, how to find exploits
- Tool used here is searchsploit
- Command-line search tool
# searchsploit -h
We are going to search the exploit database by platform (e.g. Windows, Apache) and by
exploit type (remote or local); every keyword given narrows the result list further.
# searchsploit windows remote

All are windows based remote exploits


# searchsploit ssh local
# searchsploit apache remote

All are Apache based remote exploits

Assume you are going to attack a Windows machine because it has an old patch level
(the software's security updates are outdated). To do this you need an exploit, but you
don't know the name of the exploit; you only know the patch (security bulletin) number.
# searchsploit MS14-040

There are 2 exploits and both are local exploits. They are used for privilege escalation,
i.e. to obtain admin rights.
We can even search by version number.
# searchsploit ftp 2.3.4
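Searchsploit is a keyword search over the local exploit-db index: every term on the command line must match the entry's title or path, which is why "windows remote", "MS14-040" and "ftp 2.3.4" each narrow the list as shown above. The Python below is an added illustration of that matching rule, not searchsploit's own code. It assumes the column layout of exploit-db's files_exploits.csv index, and every id, path and title in the sample is constructed for this example (none is a real exploit-db entry).

```python
import csv
import io

# Constructed sample index in the column layout of exploit-db's files_exploits.csv,
# the file searchsploit greps. All ids, paths and titles here are made up for
# illustration; they are not real exploit-db entries.
SAMPLE_INDEX = """\
id,file,description,date_published,author,type,platform,port
1001,exploits/windows/remote/1001.c,"Example Service 1.0 - Remote Buffer Overflow",2010-01-01,example,remote,windows,80
1002,exploits/windows/local/1002.c,"Example Driver (MS14-040) - Local Privilege Escalation",2014-08-01,example,local,windows,0
1003,exploits/linux/remote/1003.py,"Example FTP 2.3.4 - Remote Command Execution",2011-07-05,example,remote,linux,21
1004,exploits/linux/local/1004.sh,"Example SSH 1.2 - Local Privilege Escalation",2009-03-03,example,local,linux,0
1005,exploits/multiple/remote/1005.rb,"Example Apache Module - Remote Denial of Service",2012-06-06,example,remote,multiple,80
"""


def load_index(csv_text):
    """Read the index into a list of dict rows keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search(index, *terms):
    """Return rows matching every term (case-insensitive AND), the way
    `searchsploit windows remote` narrows results with each extra keyword.
    Terms are matched against the title, the path, the platform and the type."""
    wanted = [t.lower() for t in terms]
    hits = []
    for row in index:
        haystack = " ".join(
            (row["description"], row["file"], row["platform"], row["type"])
        ).lower()
        if all(term in haystack for term in wanted):
            hits.append(row)
    return hits


def hit_ids(hits):
    """Just the ids, handy for comparing results."""
    return [row["id"] for row in hits]


def format_hits(hits):
    """Render hits in the two-column 'Title | Path' style searchsploit prints."""
    return [f"{row['description']:<60} | {row['file']} ({row['type']})" for row in hits]


if __name__ == "__main__":
    index = load_index(SAMPLE_INDEX)
    for query in (("windows", "remote"), ("ssh", "local"), ("apache", "remote"),
                  ("ms14-040",), ("ftp", "2.3.4")):
        print(f"# searchsploit {' '.join(query)}")
        print("\n".join(format_hits(search(index, *query))) or "(no results)")
        print()
```

The "type" column is what separates the remote exploits from the local privilege-escalation ones in the MS14-040 result; when triaging a real hit list, check that column and the platform before assuming an entry applies to the target.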
Searching for exploits online
Search online vulnerability databases (found easily via Google).

NVD (National Vulnerability Database)
In the NVD's search vulnerability database page we can search for vulnerabilities.

Based on the keyword we get information about the vulnerabilities present.
It provides the severity rating, and a complete description is also present.

Information about any company's products, and the vulnerabilities in them, can also be
obtained here.
E.g. Tomcat: click Vulnerabilities.

You can try SSH up to 2022 with CVE Details.
You can also try the Rapid7 vulnerability database with FTP.

Nmap Approach
This covers how the Nmap scanning approach works inside Metasploit.

All the results of scanning performed through Nmap are stored in Metasploit's backend
database, which is useful later when we try to perform any attack. It's like a
knowledge base.

It's not necessary to run Nmap and check every time: all that information can be
integrated into Metasploit, so if you want any information about the target you can get
it from Metasploit itself.

We can use Nmap from within Metasploit itself.


msf5 > db_nmap -sT -sV -v <metasploitable2 ip>
-sT - TCP connect scan
-sV - service/version detection on the open ports
-v - verbose

msf5 > hosts

The scanned IP, its OS information, its purpose: all of that is obtained and stored in
Metasploit's backend database.
To gather information about the target host's services:
msf5 > services

These are the ports and services of the scanned target host.

We need not scan again and again; it is stored in the database.
This is the way to scan a target using Nmap through Metasploit.
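What db_nmap stores is the information from Nmap's XML output (the -oX format), imported into the database so that the `hosts` and `services` commands can answer from it without rescanning. The Python below is an added example of that import step, not Metasploit's own importer: it parses a constructed -oX document into host records and renders them in the shape of the `hosts` and `services` listings. The address, hostname, OS match and service banners in the sample are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the XML layout nmap writes with -oX, which is what db_nmap
# hands to Metasploit's importer. The address, hostname, OS match and service
# versions are made up for illustration; do not rely on these values.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -sV -v -oX - 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="conn-refused" reason_ttl="64"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="96"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn nmap -oX output into host records: address, name, OS guess, services."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        name = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")
        record = {
            "address": addr.get("addr") if addr is not None else "",
            "name": name.get("name") if name is not None else "",
            "os_name": osmatch.get("name") if osmatch is not None else "",
            "services": [],
        }
        for port in h.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            info = ""
            if svc is not None:
                # product + version is what the services listing shows in its info column
                info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            record["services"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name", "") if svc is not None else "",
                "info": info,
            })
        hosts.append(record)
    return hosts


def hosts_table(hosts):
    """Rows in the shape of the msfconsole `hosts` listing: address, name, os_name."""
    return [(h["address"], h["name"], h["os_name"]) for h in hosts]


def services_table(hosts, state="open"):
    """Rows in the shape of the `services` listing, keeping only ports in `state`
    (pass state=None to keep every port, open or not)."""
    rows = []
    for h in hosts:
        for s in h["services"]:
            if state is None or s["state"] == state:
                rows.append((h["address"], s["port"], s["proto"], s["name"], s["state"], s["info"]))
    return rows


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("hosts:")
    for row in hosts_table(parsed):
        print("  ", row)
    print("services (open only):")
    for row in services_table(parsed):
        print("  ", row)
```

The version strings in the info column are exactly what feeds the `searchsploit ftp 2.3.4` style lookup from the earlier section, which is why running -sV once and keeping the result in the database saves rescanning later.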
