Identificación de Servicios
De www.metasploit-es.com.ar
Identificación de Servicios
De nuevo, un uso distinto que Nmap para realizar un escaneo de servicios en nuestra red objetivo, Metasploit también incluye una gran variedad de escaneres para distintos servicios, que ayudan a determinar servicios vulnerables que se están ejecutando en la maquina objetivo.
msf auxiliary(tcp) > search auxiliary ^scanner [*] Searching loaded modules for pattern '^scanner'... Auxiliary ========= Name Description ---- ----------- scanner/db2/discovery DB2 Discovery Service Detection. scanner/dcerpc/endpoint_mapper Endpoint Mapper Service Discovery scanner/dcerpc/hidden Hidden DCERPC Service Discovery scanner/dcerpc/management Remote Management Interface Discovery scanner/dcerpc/tcp_dcerpc_auditor DCERPC TCP Service Auditor scanner/dect/call_scanner DECT Call Scanner scanner/dect/station_scanner DECT Base Station Scanner scanner/discovery/arp_sweep ARP Sweep Local Network Discovery scanner/discovery/sweep_udp UDP Service Sweeper scanner/emc/alphastor_devicemanager EMC AlphaStor Device Manager Service. scanner/emc/alphastor_librarymanager EMC AlphaStor Library Manager Service. scanner/ftp/anonymous Anonymous FTP Access Detection scanner/http/frontpage FrontPage Server Extensions Detection scanner/http/frontpage_login FrontPage Server Extensions Login Utility scanner/http/lucky_punch HTTP Microsoft SQL Injection Table XSS Infection scanner/http/ms09_020_webdav_unicode_bypass MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner/http/options HTTP Options Detection scanner/http/version HTTP Version Detection ...snip... scanner/ip/ipidseq IPID Sequence Scanner scanner/misc/ib_service_mgr_info Borland InterBase Services Manager Information scanner/motorola/timbuktu_udp Motorola Timbuktu Service Detection. scanner/mssql/mssql_login MSSQL Login Utility scanner/mssql/mssql_ping MSSQL Ping Utility scanner/mysql/version MySQL Server Version Enumeration scanner/nfs/nfsmount NFS Mount Scanner scanner/oracle/emc_sid Oracle Enterprise Manager Control SID Discovery scanner/oracle/sid_enum SID Enumeration. scanner/oracle/spy_sid Oracle Application Server Spy Servlet SID Enumeration. scanner/oracle/tnslsnr_version Oracle tnslsnr Service Version Query. scanner/oracle/xdb_sid Oracle XML DB SID Discovery ...snip... scanner/sip/enumerator SIP username enumerator scanner/sip/options SIP Endpoint Scanner scanner/smb/login SMB Login Check Scanner scanner/smb/pipe_auditor SMB Session Pipe Auditor scanner/smb/pipe_dcerpc_auditor SMB Session Pipe DCERPC Auditor scanner/smb/smb2 SMB 2.0 Protocol Detection scanner/smb/version SMB Version Detection scanner/smtp/smtp_banner SMTP Banner Grabber scanner/snmp/aix_version AIX SNMP Scanner Auxiliary Module scanner/snmp/community SNMP Community Scanner scanner/ssh/ssh_version SSH Version Scannner scanner/telephony/wardial Wardialer scanner/tftp/tftpbrute TFTP Brute Forcer scanner/vnc/vnc_none_auth VNC Authentication None Detection scanner/x11/open_x11 X11 No-Auth Scanner
En el escaneo de puertos aparecieron varias maquinas con el puerto 22 TCP abierto. SSH es muy seguro pero las vulnerabilidades no son desconocidas por eso hay que recopilar tanta información como sea posible de los objetivos. Vamos a usar nuestro archivo de salida en este ejemplo, analizando el hosts con el puerto 22 abierto y pasándolo a "RHOSTS".
msf auxiliary(arp_sweep) > use scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(ssh_version) > cat subnet_1.gnmap | grep 22/open | awk '{print $2}' > /tmp/22_open.txt
[*] exec: cat subnet_1.gnmap | grep 22/open | awk '{print $2}' > /tmp/22_open.txt
msf auxiliary(ssh_version) > set RHOSTS file:/tmp/22_open.txt
RHOSTS => file:/tmp/22_open.txt
msf auxiliary(ssh_version) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_version) > run
[*] 192.168.1.1:22, SSH server version: SSH-2.0-dropbear_0.52
[*] 192.168.1.137:22, SSH server version: SSH-1.99-OpenSSH_4.4
[*] Auxiliary module execution completed
Servidores FTP configurados pobremente pueden frecuentemente ser el punto de apoyo que se necesita para ganar acceso a una red entera por eso siempre hay que verificar si el acceso anónimo esta permitido en cualquier puerto FTP abierto el cual usualmente es el puerto TCP 21. Vamos a establecer los THREADS en 10 ya que vamos a escaner un rango de 10 hosts.
msf > use scanner/ftp/anonymous msf auxiliary(anonymous) > set RHOSTS 192.168.1.20-192.168.1.30 RHOSTS => 192.168.1.20-192.168.1.30 msf auxiliary(anonymous) > set THREADS 10 THREADS => 10 msf auxiliary(anonymous) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- FTPPASS mozilla@example.com no The password for the specified username FTPUSER anonymous no The username to authenticate as RHOSTS yes The target address range or CIDR identifier RPORT 21 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(anonymous) > run [*] 192.168.1.23:21 Anonymous READ (220 (vsFTPd 1.1.3)) [*] Recording successful FTP credentials for 192.168.1.23 [*] Auxiliary module execution completed
En un corto periodo de tiempo y con muy poco trabajo, hemos podido adquirir una gran informacion sobre los hosts que residen en nuestra red lo que nos da una vision mucho mejor a que nos enfretamos cuando realizamos nuestra prueba de penetracion.
© Offensive Security 2009
Original by www.offensive-security.com Traslated by Jhyx
