Metasploit and Nessus

Metasploit gives penetration testers flexibility by integrating some of the most important tools, such as Nessus and Nmap, inside the framework. You can start Nessus scans directly from the Metasploit console, import existing scans and operate Nessus entirely from inside the framework.

The main advantage is that the information is centralized between these tools, since Nessus and Nmap scans are stored in the Metasploit database in an organized manner. It is therefore possible to launch a Nessus scan via Metasploit, identify a vulnerability and then execute the appropriate exploit without leaving the framework, which saves pentesting time.

The first step is to start the PostgreSQL database and connect Metasploit to it:

[Screenshot: Starting the Database and Verification of Connectivity]

If the database has not been created yet, you can initialise it with the following command:

[Screenshot: Building the Metasploit Database]

Then you can load the Nessus plugin:

[Screenshot: Load Nessus Inside Metasploit]

Before you can operate Nessus via Metasploit you need to authenticate with your existing Nessus credentials:

[Screenshot: Nessus Authentication via Metasploit]

Metasploit requires the policy UUID to create a new Nessus scan, and the scan ID to launch it:

[Screenshot: Launching a Nessus Scan]

When the scan has finished, the list of vulnerabilities Nessus discovered can be generated:

[Screenshot: Listing Nessus Vulnerabilities]

Metasploit can also break down the number of findings by host and criticality:

[Screenshot: List of Findings by Host]

Existing Nessus scans can also be imported into Metasploit.

[Screenshot: Importing an Existing Nessus Scan into the Metasploit Database]
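The by-host and by-criticality breakdown above comes from the same data that an imported .nessus export carries. As an added example (not code from the original post or from Metasploit), the script below parses a constructed .nessus (NessusClientData_v2) sample and tallies findings per host and severity label, so you can sanity-check an export before importing it; the sample hosts and plugin IDs are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus (NessusClientData_v2) layout; not a real scan.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="lab-scan">
 <ReportHost name="192.168.1.10">
  <HostProperties><tag name="host-ip">192.168.1.10</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="100001" pluginName="SMB critical (constructed)"/>
  <ReportItem port="80" protocol="tcp" severity="2" pluginID="100002" pluginName="Web medium (constructed)"/>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="100003" pluginName="OS Identification"/>
 </ReportHost>
 <ReportHost name="192.168.1.20">
  <HostProperties><tag name="host-ip">192.168.1.20</tag></HostProperties>
  <ReportItem port="22" protocol="tcp" severity="1" pluginID="100004" pluginName="SSH low (constructed)"/>
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="100001" pluginName="SMB critical (constructed)"/>
 </ReportHost>
</Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Flatten a .nessus export into (host, port, protocol, severity, plugin_id, plugin_name) tuples."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append((host.get("name"), int(item.get("port")), item.get("protocol"),
                             int(item.get("severity")), item.get("pluginID"), item.get("pluginName")))
    return findings


def findings_by_host(findings, min_severity=1):
    """Count findings per host and severity label; Info (severity 0) is excluded by default."""
    table = defaultdict(Counter)
    for host, _port, _proto, sev, _pid, _name in findings:
        if sev >= min_severity:
            table[host][SEVERITY[sev]] += 1
    return {h: dict(c) for h, c in table.items()}


def hosts_with_plugin(findings, plugin_id):
    """Hosts sharing one finding, e.g. to track remediation of a single plugin across the estate."""
    return sorted({f[0] for f in findings if f[4] == plugin_id})


if __name__ == "__main__":
    fs = parse_nessus(SAMPLE_NESSUS)
    for host, counts in sorted(findings_by_host(fs).items()):
        print(host, counts)  # e.g. 192.168.1.10 {'Critical': 1, 'Medium': 1}
```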

Running Nessus or Nmap via Metasploit in a large pentest helps the penetration tester manage results effectively, save project time and therefore conduct a higher-quality assessment.

Common Windows Commands for Pentesters

Every penetration tester should be fluent with the Windows command prompt, since various commands are used in different stages of a penetration test, such as domain reconnaissance and post-exploitation.

Of course there are plenty of Windows commands, and the purpose of this post is not to cover all of them but only those needed during a certification exam, an interview or a basic penetration test.

The following commands are considered the most common:

  • whoami – List the current user
  • net share – View the current network shares
  • net use X: \\IP_Address\c$ – Map the remote C$ share as drive X:
  • net localgroup – Retrieve the local groups
  • net localgroup Administrators – Retrieve the local administrators
  • net user pentestuser pentestpass /add – Add a new user to the current host
  • net localgroup Administrators pentestuser /add – Add pentestuser to the local Administrators group
  • net user pentestuser /domain – View information about a domain user
  • net group "Domain Admins" /domain – Retrieve the domain administrators
  • net config server or net config workstation – View the domain name of the current host
  • net view – List all hosts in the current workgroup or domain
  • net view /domain – List all available domains
  • net user /domain – List all domain users

List of Books for Pentest Rookies

For people who want to get started in the penetration testing industry, it is really important to build their knowledge in a structured way. Books can provide guidance and build the foundation knowledge required for a start.

Nowadays there are plenty of books written by penetration testers for penetration testers that provide technical examples, so it is easier for the reader to understand the material and gain some practical skills as well.

The skills someone acquires by reading a technical book and following its examples in a home lab environment will be useful not only for a potential job interview but in day-to-day work as well.

As a starting point the following books are recommended:


Top 10 Interview Questions for Junior Pentesting Roles

Some interview questions will come up more often than others. The majority of companies look for candidates who can demonstrate knowledge of networking concepts and some common web application vulnerabilities, know how to perform basic tasks, are familiar with console commands and have the passion to learn.

The following questions have been identified as the most common for junior penetration testing roles, so candidates who are able to answer them correctly have a better chance of being successful.

  1. What are the differences between TCP and UDP?
  2. Describe the 3-way handshake.
  3. Describe the layers of the OSI model and name some of the protocols at each layer.
  4. What are the differences between a hub, a switch and a router?
  5. What is a port?
  6. What is SSL?
  7. What are the differences between symmetric and asymmetric encryption?
  8. What is SQL injection?
  9. What is Cross-Site Scripting?
  10. How could you perform a TCP scan with Nmap?