Chapter 4

4. In the Select Devices dialog, select the targets to include in your report and then click Save.

5. Back in the Report Configuration wizard, click Save to accept the remaining defaults for the report. The Reports tab should now list the newly created report, as shown in Figure 4-10. (Be sure to save the report file so that you can use it with the Framework.)

Figure 4-10: The Reports tab lists your reports.

Importing Your Report into the Metasploit Framework

Having completed a full vulnerability scan with NeXpose, you need to import the results into Metasploit. But before you do, you must create a new database from msfconsole by issuing db_connect. After creating that database you’ll import the NeXpose XML using the db_import command. Metasploit will automatically detect that the file is from NeXpose and import the scanned host. You can then verify that the import was successful by running the db_hosts command. (These steps are shown in the following listing.) As you can see in the db_hosts output, Metasploit knows about the 268 vulnerabilities that your scan picked up.

msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /tmp/host_195.xml
[*] Importing 'NeXpose Simple XML' data
[*] Importing host 192.168.1.195
[*] Successfully imported /tmp/host_195.xml
msf > db_hosts -c address,svcs,vulns

Hosts
=====

address        Svcs  Vulns  Workspace
-------        ----  -----  ---------
192.168.1.195  8     268    default
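
One way to confirm the import programmatically, as an added example (not from the book or the Metasploit project): it parses a saved copy of the msfconsole output shown above and checks that every host announced by db_import appears in the db_hosts table with a nonzero vulnerability count. The embedded transcript is a constructed sample copied from the listing, and the function names are hypothetical.

```python
import re

# Constructed sample: msfconsole output copied from the listing above.
TRANSCRIPT = """\
msf > db_import /tmp/host_195.xml
[*] Importing 'NeXpose Simple XML' data
[*] Importing host 192.168.1.195
[*] Successfully imported /tmp/host_195.xml
msf > db_hosts -c address,svcs,vulns

Hosts
=====

address        Svcs  Vulns  Workspace
-------        ----  -----  ---------
192.168.1.195  8     268    default
"""

def imported_hosts(text):
    """Addresses announced by '[*] Importing host <addr>' lines."""
    return re.findall(r"^\[\*\] Importing host (\S+)\s*$", text, re.M)

def hosts_table(text):
    """Parse the db_hosts table into {address: {column: value}}."""
    lines, rows = text.splitlines(), {}
    for i, line in enumerate(lines):
        # The dashed rule line sits directly under the column header.
        if i and re.fullmatch(r"-+(\s+-+)+\s*", line):
            cols = [c.lower() for c in lines[i - 1].split()]
            for row in lines[i + 1:]:
                cells = row.split()
                if len(cells) != len(cols):
                    break  # blank line or next prompt ends the table
                rows[cells[0]] = dict(zip(cols[1:], cells[1:]))
    return rows

def check_import(text):
    """Return a list of problems; an empty list means the import looks complete."""
    problems = []
    if "Successfully imported" not in text:
        problems.append("no 'Successfully imported' line")
    table = hosts_table(text)
    for addr in imported_hosts(text):
        if addr not in table:
            problems.append(f"{addr}: imported but missing from db_hosts")
        elif int(table[addr].get("vulns", 0)) == 0:
            problems.append(f"{addr}: no vulnerabilities recorded")
    return problems
```
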

To display the full details of the vulnerabilities imported into Metasploit, including Common Vulnerabilities and Exposures (CVE) numbers and other references, run the following:

msf > db_vulns

As you can see, running an overt vulnerability scan with full credentials can provide an amazing amount of information—268 vulnerabilities found