

Chapter 4

could also pass a range of hosts to the scanner ( or a subnet 
in Classless Inter-Domain Routing (CIDR) notation (

msf > 


[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
msf >

After the NeXpose scan completes, the database you created earlier 
should contain the results of the vulnerability scan. To view the results, enter 
, as shown next. (In this example, the output has been trimmed by filtering 
on the address column.)

msf > db_hosts -c address

address        Svcs  Vulns  Workspace
-------        ----  -----  ---------
               8     7      default

msf >

As you can see, NeXpose has discovered seven vulnerabilities. Run 



to display the vulnerabilities found:

msf > 


Although this scan has found significantly fewer than the 268 vulnerabilities 
discovered with our prior use of NeXpose through the GUI with credentials, 
you should have enough vulnerabilities here to get a great head start on 
exploiting the system.

Scanning with Nessus

The Nessus vulnerability scanner from Tenable Security ( ) is one of the 
most widely used vulnerability scanners. Metasploit’s 
Nessus plug-in lets you launch scans and pull information from Nessus scans 
via the console, but in the example that follows, we’ll import Nessus scan 
results independently. Using Nessus 4.4.1 with a free Home Feed, we’ll run 
this scan against the same target we’ll use throughout this chapter, with 
known credentials. In these early stages of a penetration test, the more 
tools you can use to fine-tune your future attacks, the better.

Nessus Configuration

After you have downloaded and installed Nessus, open your web browser and 
navigate to , accept the certificate warning, and 
log into Nessus using the credentials you created during installation. You 
should see the main Nessus window, as shown in Figure 4-11.