Testing NeXpose

Here is how to use NeXpose from Metasploit.
This time I ran it against Metasploitable, the deliberately vulnerable test VM.
The target's IP address is 192.168.112.130.
First start msfconsole, then load the Nexpose plugin from there.

msf > load nexpose
(Nexpose ASCII-art banner)
[*] Nexpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf >
msf >

Typing help lists the commands that are now available; the Nexpose Commands section at the top is what the plugin added.

msf > help
Nexpose Commands
================
Command                   Description
-------                   -----------
nexpose_activity          Display any active scan jobs on the Nexpose instance
nexpose_command           Execute a console command on the Nexpose instance
nexpose_connect           Connect to a running Nexpose instance ( user:pass@host[:port] )
nexpose_disconnect        Disconnect from an active Nexpose instance
nexpose_discover          Launch a scan but only perform host and minimal service discovery
nexpose_dos               Launch a scan that includes checks that can crash services and devices (caution)
nexpose_exhaustive        Launch a scan covering all TCP ports and all authorized safe checks
nexpose_report_templates  List all available report templates
nexpose_save              Save credentials to a Nexpose instance
nexpose_scan              Launch a Nexpose scan against a specific IP range and import the results
nexpose_site_devices      List all discovered devices within a site
nexpose_site_import       Import data from the specified site ID
nexpose_sites             List all defined sites
nexpose_sysinfo           Display detailed system information about the Nexpose instance
Core Commands
=============
Command       Description
-------       -----------
?             Help menu
back          Move back from the current context
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
exit          Exit the console
help          Help menu
info          Displays information about one or more module
irb           Drop into irb scripting mode
jobs          Displays and manages jobs
kill          Kill a job
load          Load a framework plugin
loadpath      Searches for and loads modules from a path
makerc        Save commands entered since start to a file
popm          Pops the latest module off the stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
quit          Exit the console
reload_all    Reloads all modules from all defined module paths
resource      Run the commands stored in a file
route         Route traffic through a session
save          Saves the active datastores
search        Searches module names and descriptions
sessions      Dump session listings and display information about sessions
set           Sets a variable to a value
setg          Sets a global variable to a value
show          Displays modules of a given type, or all modules
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
unload        Unload a framework plugin
unset         Unsets one or more variables
unsetg        Unsets one or more global variables
use           Selects a module by name
version       Show the framework and console library version numbers
Database Backend Commands
=========================
Command           Description
-------           -----------
creds             List all credentials in the database
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces
msf >
msf >
msf > nexpose_connect -h
[*] Usage:
[*]        nexpose_connect username:password@host[:port] 
[*]         -OR-
[*]        nexpose_connect username password host port 
msf >
msf >
msf > nexpose_connect [user]:[pass]@127.0.0.1:3780 ok
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username [user]...
msf >

The trailing ok on nexpose_connect acknowledges the plugin's warning that it does not verify the SSL certificate of the Nexpose console, so the credentials could be captured by a man-in-the-middle; pass it only when the console is reached over a trusted path, such as localhost here. Scan the target with the command below (as the output shows, the plugin uses the pentest-audit scan template by default; nexpose_discover and nexpose_exhaustive are the lighter and heavier alternatives, and nexpose_dos includes checks that can crash services, so keep it off production hosts). The results are imported into the Metasploit database automatically, which is what the hosts command reads.

msf > nexpose_scan 192.168.112.130
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
msf >
msf >
msf > hosts -c address,svcs,vulns,workspace
Hosts
=====
address          svcs  vulns  workspace
-------          ----  -----  ---------
192.168.112.130  29    302    default
msf >
msf >

302 vulnerabilities were found on the host, with 29 services recorded.
The details can be viewed with the following command. Each entry carries the Nexpose check ID plus cross-references (CVE, BID, vendor advisories), which is what you use to go look for a matching exploit module.

msf > vulns
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=Debian's OpenSSL Library Predictable Random Number Generator refs=BID-29179,CERT-TA08-137A,CERT-VN-925211,CVE-2008-0166,DEBIAN-DSA-1571,DEBIAN-DSA-1576,SECUNIA-30136,SECUNIA-30220,SECUNIA-30221,SECUNIA-30231,SECUNIA-30239,SECUNIA-30249,URL-http://metasploit.com/users/hdm/tools/debian-openssl/,URL-http://wiki.debian.org/SSLkeys,URL-http://www.debian.org/security/2008/dsa-1571,URL-http://www.debian.org/security/2008/dsa-1576,URL-http://www.debian.org/security/key-rollover/,URL-http://www.ubuntu.com/usn/usn-612-1,URL-http://www.ubuntu.com/usn/usn-612-2,URL-http://www.ubuntu.com/usn/usn-612-3,URL-http://www.ubuntu.com/usn/usn-612-4,URL-http://www.ubuntu.com/usn/usn-612-5,URL-http://www.ubuntu.com/usn/usn-612-6,URL-http://www.ubuntu.com/usn/usn-612-7,URL-http://www.ubuntu.com/usn/usn-612-8,XF-42375,NEXPOSE-openssl-debian-weak-keys
[*] Time: 2013-03-20 12:33:44 UTC Vuln: host=192.168.112.130 name=Anonymous users can obtain the Windows password policy refs=BID-959,CVE-2000-1200,XF-4015,NEXPOSE-CIFS-NT-0002
[*] Time: 2013-03-20 12:33:46 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2007-1581 refs=BID-23062,CVE-2007-1581,SECUNIA-24542,XF-33248,NEXPOSE-php-cve-2007-1581
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=DNS server allows cache snooping refs=URL-http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf,NEXPOSE-dns-allows-cache-snooping
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2008-0599 refs=APPLE-SA-2008-07-31,BID-29009,CERT-VN-147027,CVE-2008-0599,OVAL-OVAL5510,REDHAT-RHSA-2008:0505,SECUNIA-30048,SECUNIA-30083,SECUNIA-30345,SECUNIA-30616,SECUNIA-30757,SECUNIA-30828,SECUNIA-31200,SECUNIA-31326,SECUNIA-32746,SECUNIA-35650,XF-42137,NEXPOSE-php-cve-2008-0599
[*] Time: 2013-03-20 12:33:44 UTC Vuln: host=192.168.112.130 name=CIFS Share Writeable By Everyone refs=CVE-1999-0520,NEXPOSE-cifs-share-world-writeable
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2008-2050 refs=APPLE-SA-2008-07-31,BID-29009,CVE-2008-2050,DEBIAN-DSA-1572,SECUNIA-30048,SECUNIA-30083,SECUNIA-30158,SECUNIA-30345,SECUNIA-30967,SECUNIA-31200,SECUNIA-31326,SECUNIA-32746,URL-http://www.php.net/ChangeLog-5.php,XF-42133,NEXPOSE-php-cve-2008-2050
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Multiple Vulnerabilities Fixed in version 5.2.12 refs=APPLE-SA-2010-03-29-1,BID-37389,BID-37390,CVE-2009-3557,CVE-2009-3558,CVE-2009-4017,CVE-2009-4142,CVE-2009-4143,DEBIAN-DSA-1940,DEBIAN-DSA-2001,OVAL-OVAL10005,OVAL-OVAL10483,OVAL-OVAL6667,OVAL-OVAL7085,OVAL-OVAL7396,OVAL-OVAL7439,SECUNIA-37412,SECUNIA-37482,SECUNIA-37821,SECUNIA-38648,SECUNIA-40262,SECUNIA-41480,SECUNIA-41490,URL-http://www.php.net/ChangeLog-5.php#5.2.12,URL-http://www.php.net/releases/5_2_12.php,XF-54455,NEXPOSE-http-php-multiple-vulns-5-2-12
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2008-2051 refs=APPLE-SA-2008-07-31,BID-29009,CVE-2008-2051,DEBIAN-DSA-1572,DEBIAN-DSA-1578,OVAL-OVAL10256,REDHAT-RHSA-2008:0505,REDHAT-RHSA-2008:0544,REDHAT-RHSA-2008:0545,REDHAT-RHSA-2008:0546,REDHAT-RHSA-2008:0582,SECUNIA-30048,SECUNIA-30083,SECUNIA-30158,SECUNIA-30288,SECUNIA-30345,SECUNIA-30411,SECUNIA-30757,SECUNIA-30828,SECUNIA-30967,SECUNIA-31119,SECUNIA-31124,SECUNIA-31200,SECUNIA-31326,SECUNIA-32746,NEXPOSE-php-cve-2008-2051

Entries like these go on for a long time, so I have cut the list short.
As you would expect from a box built for testing, a considerable number of vulnerabilities turned up.
I plan to keep studying how to go from this list to an actual attack.
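The `vulns` listing above is hard to work with as text, and the natural next step toward "how do I attack this" is to pull out the CVE IDs per host and flag findings that have no CVE at all (those need a manual read of the vendor reference). The script below is an added example written for this post, not code from the original post or from Metasploit; it parses the exact `[*] Time: ... Vuln: host=... name=... refs=...` line shape shown above. The sample input is copied from the output above, with some of the longer reference lists trimmed.

```python
"""Parse msfconsole `vulns` output (Nexpose import) into structured records.

Added example; not part of the original post or of Metasploit itself.
Input shape is the `[*] Time: ... Vuln: host=... name=... refs=...` line
format that msfconsole prints. SAMPLE_VULNS is copied from the post's own
output, with some reference lists trimmed for brevity.
"""
import re
from collections import defaultdict

SAMPLE_VULNS = """\
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=Debian's OpenSSL Library Predictable Random Number Generator refs=BID-29179,CERT-TA08-137A,CVE-2008-0166,DEBIAN-DSA-1571,URL-http://wiki.debian.org/SSLkeys,NEXPOSE-openssl-debian-weak-keys
[*] Time: 2013-03-20 12:33:44 UTC Vuln: host=192.168.112.130 name=Anonymous users can obtain the Windows password policy refs=BID-959,CVE-2000-1200,XF-4015,NEXPOSE-CIFS-NT-0002
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=DNS server allows cache snooping refs=URL-http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf,NEXPOSE-dns-allows-cache-snooping
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Multiple Vulnerabilities Fixed in version 5.2.12 refs=BID-37389,CVE-2009-3557,CVE-2009-3558,CVE-2009-4017,CVE-2009-4142,CVE-2009-4143,DEBIAN-DSA-1940,NEXPOSE-http-php-multiple-vulns-5-2-12
"""

# The name field may contain spaces and punctuation, so it is matched
# non-greedily up to the literal " refs=". The refs field never contains
# whitespace (URLs included), so \S+ anchored at end-of-line is safe.
VULN_LINE = re.compile(
    r"^\[\*\] Time: (?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) "
    r"Vuln: host=(?P<host>\S+) name=(?P<name>.+?) refs=(?P<refs>\S+)$"
)
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_vulns(text):
    """Return one dict per vuln line; prompts, banners and blanks are skipped."""
    records = []
    for line in text.splitlines():
        m = VULN_LINE.match(line.strip())
        if not m:
            continue
        refs = m.group("refs").split(",")
        # Reference tags are "SOURCE-id". Keep CVEs as a sorted, de-duplicated
        # list and pull out the Nexpose check ID, which is always the last tag.
        cves = sorted({r for r in refs if CVE_ID.match(r)})
        nexpose_ids = [r[len("NEXPOSE-"):] for r in refs if r.startswith("NEXPOSE-")]
        records.append({
            "time": m.group("time"),
            "host": m.group("host"),
            "name": m.group("name"),
            "cves": cves,
            "nexpose_id": nexpose_ids[0] if nexpose_ids else None,
            "refs": refs,
        })
    return records


def cves_by_host(records):
    """Map host -> sorted unique CVE IDs across all of its findings."""
    out = defaultdict(set)
    for r in records:
        out[r["host"]].update(r["cves"])
    return {host: sorted(cves) for host, cves in out.items()}


def without_cve(records):
    """Names of findings that carry only vendor/URL references.

    Nothing ties these to a public advisory by ID, so they cannot be
    matched against an exploit database automatically and need a manual look.
    """
    return [r["name"] for r in records if not r["cves"]]


if __name__ == "__main__":
    recs = parse_vulns(SAMPLE_VULNS)
    for host, cves in cves_by_host(recs).items():
        print(f"{host}: {len(cves)} unique CVEs: {', '.join(cves)}")
    print("no CVE reference:", without_cve(recs))
```

To use it on a real run, capture the console with `spool` (listed under Core Commands above) while you type `vulns`, then feed the spool file to `parse_vulns`. The CVE list per host is what you then search for in Metasploit with `search cve:...`, and the `without_cve` list is the set you have to assess by hand.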
That's all for now.
