Good day all,
The situation: using Metasploit + Nessus to give justification to expand the IT budget.
What I have done: set up a laptop with BT 5 (updated Metasploit), installed Nessus (updated as well), got PostgreSQL to work with Metasploit.
What I have: an nmap scan (all 3 file formats) of our work subnet, from which I got a list of all IP addresses that I am interested in, broke that up into groups of 15 IP addresses and fed that into Nessus; from which I got an XML file to put into msf.
So to sum it up, a complete vulnerability scan of our network...
Did a db_vulns and singled out some of the IPs that I wanted to check... ran msf> use <exploit> with the necessary options for the one I am interested in.
The problem: all of them said that the exploit finished successfully but no sessions were started... now my question is how can I go further without a session? I am looking to either do a dir dump or copy a file or write a file to any one of the PCs, in order to show that it can be breached... the aim of all of this is to justify buying either Qualys or NeXpose to use within the company...
If I missed out some of the steps involved or if there is anything else that I can do please let me know.. thanks
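The poster's workflow hands a Nessus XML export to Metasploit and then reads db_vulns by hand. For the budget-justification goal, a per-host severity summary straight from the .nessus file is usually the more persuasive artifact, and it also answers the reply's "are the machines patched?" question before any exploit is tried. The following is an added example (not code from the thread or from Tenable): it parses the .nessus v2 layout with the standard library only. The embedded XML is a constructed, minimal sample with made-up plugin IDs and RFC 5737 test addresses, not real scan output.

```python
"""Summarise a Nessus v2 (.nessus) export per host, by severity.

Added example, not from the thread. SAMPLE_NESSUS is a constructed
sample in the real .nessus v2 element layout; plugin IDs, hosts and
plugin names are made up.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="office-subnet">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Constructed: Windows server</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900001" pluginName="Constructed: SMB service missing vendor patch"
                  pluginFamily="Windows">
        <solution>Apply the vendor patch.</solution>
        <cvss_base_score>10.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="Constructed: OS identification"
                  pluginFamily="General"/>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <HostProperties>
        <tag name="host-ip">192.0.2.11</tag>
      </HostProperties>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="Constructed: FTP server outdated"
                  pluginFamily="FTP">
        <solution>Upgrade to the current release.</solution>
        <cvss_base_score>5.0</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {host_ip: [finding, ...]} with one dict per ReportItem."""
    root = ET.fromstring(xml_text)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        # Prefer the host-ip property when present; name may be a DNS name.
        for tag in host.iterfind("HostProperties/tag"):
            if tag.get("name") == "host-ip" and tag.text:
                ip = tag.text.strip()
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss_base_score")
            findings[ip].append({
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                "solution": item.findtext("solution", default="").strip(),
                "cvss": float(score) if score else None,
            })
    return dict(findings)


def severity_summary(findings, min_severity=1):
    """Count findings per host at or above min_severity, keyed by severity name."""
    summary = {}
    for ip, items in findings.items():
        counts = defaultdict(int)
        for f in items:
            if f["severity"] >= min_severity:
                counts[SEVERITY_NAMES[f["severity"]]] += 1
        summary[ip] = dict(counts)
    return summary


def patch_priority(findings):
    """Hosts ordered by their worst finding, then by number of findings."""
    def key(ip):
        items = findings[ip]
        return (max((f["severity"] for f in items), default=0), len(items))
    return sorted(findings, key=key, reverse=True)


def chunk_targets(ips, size=15):
    """Split a target list into scanner-sized batches (the thread uses 15)."""
    return [ips[i:i + size] for i in range(0, len(ips), size)]


if __name__ == "__main__":
    data = parse_nessus(SAMPLE_NESSUS)
    summary = severity_summary(data)
    for ip in patch_priority(data):
        print(f"{ip}: {summary[ip]}")
        for f in data[ip]:
            if f["severity"] >= 3:
                print(f"  [{f['plugin_id']}] {f['name']} -> {f['solution']}")
```

The report lists hosts worst-first with the plugin's own remediation text, which is what a sysadmin needs to act on. If a host that Nessus marks high or critical still yields "exploit completed but no session" in msf, the plugin's remediation text plus the patch level on the box is the first thing to check, since many plugins flag on banner or version alone.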
The exploits aren't going to work if the machines aren't vulnerable. Are all of the machines patched? Which exploits in particular are you trying?
Last edited by Dudeman02379; 06-15-2011 at 02:17 PM.
I would refrain from using Nessus at work unless you have purchased a "ProfessionalFeed" license... (http://www.tenable.com/products/nessus-professionalfeed)
That being said if you want to show your boss how vulnerable your system(s) is/are check out SET. Shoot your boss an email with a link to a cloned site or a .pdf with an embedded java applet to open a reverse meterpreter shell.
After all, you can patch your systems and spend millions of dollars on gadgets, but all it takes is one user clicking something they shouldn't and it's all over.
Firstly, thanks for the reply. From what the Nessus scan returned I got some exploits for some of the hosts; I didn't want to use the autopwn, so seeing that they were a handful I did them manually one by one.. see the list below.
All I am getting is "exploit completed but no sessions started"... not too sure what to do from there. Also I am interested in "/windows/smb/psexec" but I need to pass credentials for that to work, if I understand correctly; is there any way that I can capture those (without using the ones that I have officially)?
exploit/windows/mssql/ms09_004_sp_replwritetovarbin
exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli
exploit/windows/smb/ms08_067_netapi
exploit/windows/smb/psexec
exploit/multi/samba/nttrans
exploit/windows/http/apache_chunked
exploit/windows/http/apache_mod_rewrite_ldap
exploit/linux/ftp/proftp_sreplace
exploit/freebsd/ftp/proftp_telnet_iac
exploit/linux/ftp/proftp_telnet_iac
exploit/windows/mssql/ms02_039_slammer
exploit/windows/brightstor/ca_arcserve_342
Seems like you're stuck in the middle. I'm on the network security side and we don't have time to deal with OS vulnerabilities. That is up to the sys admins. If I had to worry about every box's footprint AND layers 3 and 4, I would quit. Tomorrow. Good luck!
We got a good report out of it; we are looking to do it from an outside perspective. No, I agree it's up to the sys admins, but I am on the security team, so it's good to know. It took about a week to get all the data that we needed and plan out some exploits; thankfully management is giving us some money to get a lab where we can do these tests now.
When you say you're on the network security side, can you explain a bit more about that? Do you only deal with routers and layer 3 devices?