VAPE-BRIDGE: Bridging OpenVAS Results for Automating Metasploit Framework

Abstract

Vulnerability assessment (VA) and penetration test (PenTest) are required by many organizations to satisfy their security auditing and compliance. VA and PenTest are conducted in the different stage and they are done through the software tools. Implementing the system that is able to convert the VA scan result to be rendered in the PenTest tool is a real challenge. This paper proposes a design and development of a system called VAPE-BRIDGE that provides the automatic conversion of the scan result of Open Vulnerability assessment scanner (OpenVAS) to be the exploitable scripts that will be executed in the Metasploit which is a widely-used opensource PenTest program. Specifically, the tool is designed to automatically extract the vulnerabilities listed in Open Web Application Security Project 10 (OWASP 10) and exploit them to be tested in the Metasploit. Our VAPE-BRIDGE encompasses three main components including (1) Scan Result Extraction responsible for extracting the VA scan results related to OWASP10 (2) Target List Repository responsible for retaining lists of vulnerabilities to be used in the process of Metasploit, and (3) Automated Shell Scripts Exploitation responsible for generating the script to render the exploit module to be executed in Metasploit. For the implementation, the VAPE-Bridge protype system was tested with a number of test cases in converting the scan results into shell code and rendering results to be tested in Metasploit. The experimental results showed that the system is functionally correct for all cases.