Forum Thread: How to Metasploit Framework Help

How to Metasploit Framework Help

Hello,

I am exploiting a vulnerability.

http://gyazo.com/2c008d2f8dc654b1ca446ab4b58e28ec

So, I scanned the website first with Nikto. It brought out a vulnerability called MS99-025. So, I went towards Metasploit, started it and typed:

use exploit/windows/iis/msadc

Then, I set the RHOST: 127.0.0.1 (Example).

After I did all that, I typed in "exploit".

But, when I typed in exploit, it was all going fine, but it doesn't show any leakage.

Please tell me what could happen that nothing came up. The Gyazo shows that it didn't show anything.

Thanks,

R00T

9 Responses

A screenshot of your work may do.

# Sergeant

C0D3R:

First, vulnerability scanners like Nikto nearly always produce false positives. Just because this vulnerability showed up in Nikto does not mean that the vulnerability necessarily exists.

Second, this is an old vulnerability. Very few sites still have this vulnerability.

Third, we need more information if we are to help. As Sergeant Sploit wrote above, take a screenshot of your commands and it will help us to help you.

OTW

Dear Occupy,

I know. But, I just typed RHOSTS, typed Exploit and nothing came up. Why did nothing come up??

If you don't listen, we can't help.

Dear Cracker Hacker, OTW and Sargeant,

I don't really want to take screenshots of my commands because it'll show my website.

Other then that... I basically followed instructions as told by Rapid7.

Set Target - {Target ID}/Set RHOST = 127.0.0.1

Exploit

Dear Cracker.

Thank you so much. And as for the Nikto False-Positives... What other vulnerability scanner would you recommend?

Uniscan, Nmap (mostly recon), OpenVAS, and mostly Nexpose.

Also, I agree with OTW. Unless you have purposefully made your website vulnerable, it is very likely Nikto gave a false-positive. Get your "hands dirty" and manually check open ports, etc. with Telnet and Netcat. While Nikto is a wonderful vulnerability scanner, YOU must manually debunk any false-positives. Attempting an attack on a non-vulnerable website in the real world could very well lead to years in prison.

Share Your Thoughts

  • Hot
  • Active