Here is a write-up of how to use NeXpose from Metasploit.
This time I ran it against Metasploitable, the deliberately vulnerable test machine.
The target IP address is 192.168.112.130.
First, start msfconsole and load the NeXpose plugin from there.
msf > load nexpose
[*] Nexpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf >
Typing help lists the available commands.
msf > help

Nexpose Commands
================

    Command                   Description
    -------                   -----------
    nexpose_activity          Display any active scan jobs on the Nexpose instance
    nexpose_command           Execute a console command on the Nexpose instance
    nexpose_connect           Connect to a running Nexpose instance ( user:pass@host[:port] )
    nexpose_disconnect        Disconnect from an active Nexpose instance
    nexpose_discover          Launch a scan but only perform host and minimal service discovery
    nexpose_dos               Launch a scan that includes checks that can crash services and devices (caution)
    nexpose_exhaustive        Launch a scan covering all TCP ports and all authorized safe checks
    nexpose_report_templates  List all available report templates
    nexpose_save              Save credentials to a Nexpose instance
    nexpose_scan              Launch a Nexpose scan against a specific IP range and import the results
    nexpose_site_devices      List all discovered devices within a site
    nexpose_site_import       Import data from the specified site ID
    nexpose_sites             List all defined sites
    nexpose_sysinfo           Display detailed system information about the Nexpose instance

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path
    makerc        Save commands entered since start to a file
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    quit          Exit the console
    reload_all    Reloads all modules from all defined module paths
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Saves the active datastores
    search        Searches module names and descriptions
    sessions      Dump session listings and display information about sessions
    set           Sets a variable to a value
    setg          Sets a global variable to a value
    show          Displays modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more variables
    unsetg        Unsets one or more global variables
    use           Selects a module by name
    version       Show the framework and console library version numbers

Database Backend Commands
=========================

    Command           Description
    -------           -----------
    creds             List all credentials in the database
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

msf >

Next, connect to the running NeXpose instance with nexpose_connect (the username and password are shown as placeholders here):

msf > nexpose_connect -h
[*] Usage:
[*]     nexpose_connect username:password@host[:port]
[*]      -OR-
[*]     nexpose_connect username password host port
msf >
msf > nexpose_connect [user]:[pass]@127.0.0.1:3780 ok
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username [user]...
msf >
Scan the target with the following command, then list the host to see how many services and vulnerabilities were imported into the database.
msf > nexpose_scan 192.168.112.130
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
msf >
msf > hosts -c address,svcs,vulns,workspace

Hosts
=====

address          svcs  vulns  workspace
-------          ----  -----  ---------
192.168.112.130  29    302    default

msf >
302 vulnerabilities were found.
You can see the details with the following command.
msf > vulns
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=Debian's OpenSSL Library Predictable Random Number Generator refs=BID-29179,CERT-TA08-137A,CERT-VN-925211,CVE-2008-0166,DEBIAN-DSA-1571,DEBIAN-DSA-1576,SECUNIA-30136,SECUNIA-30220,SECUNIA-30221,SECUNIA-30231,SECUNIA-30239,SECUNIA-30249,URL-http://metasploit.com/users/hdm/tools/debian-openssl/,URL-http://wiki.debian.org/SSLkeys,URL-http://www.debian.org/security/2008/dsa-1571,URL-http://www.debian.org/security/2008/dsa-1576,URL-http://www.debian.org/security/key-rollover/,URL-http://www.ubuntu.com/usn/usn-612-1,URL-http://www.ubuntu.com/usn/usn-612-2,URL-http://www.ubuntu.com/usn/usn-612-3,URL-http://www.ubuntu.com/usn/usn-612-4,URL-http://www.ubuntu.com/usn/usn-612-5,URL-http://www.ubuntu.com/usn/usn-612-6,URL-http://www.ubuntu.com/usn/usn-612-7,URL-http://www.ubuntu.com/usn/usn-612-8,XF-42375,NEXPOSE-openssl-debian-weak-keys
[*] Time: 2013-03-20 12:33:44 UTC Vuln: host=192.168.112.130 name=Anonymous users can obtain the Windows password policy refs=BID-959,CVE-2000-1200,XF-4015,NEXPOSE-CIFS-NT-0002
[*] Time: 2013-03-20 12:33:46 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2007-1581 refs=BID-23062,CVE-2007-1581,SECUNIA-24542,XF-33248,NEXPOSE-php-cve-2007-1581
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=DNS server allows cache snooping refs=URL-http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf,NEXPOSE-dns-allows-cache-snooping
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2008-0599 refs=APPLE-SA-2008-07-31,BID-29009,CERT-VN-147027,CVE-2008-0599,OVAL-OVAL5510,REDHAT-RHSA-2008:0505,SECUNIA-30048,SECUNIA-30083,SECUNIA-30345,SECUNIA-30616,SECUNIA-30757,SECUNIA-30828,SECUNIA-31200,SECUNIA-31326,SECUNIA-32746,SECUNIA-35650,XF-42137,NEXPOSE-php-cve-2008-0599
[*] Time: 2013-03-20 12:33:44 UTC Vuln: host=192.168.112.130 name=CIFS Share Writeable By Everyone refs=CVE-1999-0520,NEXPOSE-cifs-share-world-writeable
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2008-2050 refs=APPLE-SA-2008-07-31,BID-29009,CVE-2008-2050,DEBIAN-DSA-1572,SECUNIA-30048,SECUNIA-30083,SECUNIA-30158,SECUNIA-30345,SECUNIA-30967,SECUNIA-31200,SECUNIA-31326,SECUNIA-32746,URL-http://www.php.net/ChangeLog-5.php,XF-42133,NEXPOSE-php-cve-2008-2050
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Multiple Vulnerabilities Fixed in version 5.2.12 refs=APPLE-SA-2010-03-29-1,BID-37389,BID-37390,CVE-2009-3557,CVE-2009-3558,CVE-2009-4017,CVE-2009-4142,CVE-2009-4143,DEBIAN-DSA-1940,DEBIAN-DSA-2001,OVAL-OVAL10005,OVAL-OVAL10483,OVAL-OVAL6667,OVAL-OVAL7085,OVAL-OVAL7396,OVAL-OVAL7439,SECUNIA-37412,SECUNIA-37482,SECUNIA-37821,SECUNIA-38648,SECUNIA-40262,SECUNIA-41480,SECUNIA-41490,URL-http://www.php.net/ChangeLog-5.php#5.2.12,URL-http://www.php.net/releases/5_2_12.php,XF-54455,NEXPOSE-http-php-multiple-vulns-5-2-12
[*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=PHP Vulnerability: CVE-2008-2051 refs=APPLE-SA-2008-07-31,BID-29009,CVE-2008-2051,DEBIAN-DSA-1572,DEBIAN-DSA-1578,OVAL-OVAL10256,REDHAT-RHSA-2008:0505,REDHAT-RHSA-2008:0544,REDHAT-RHSA-2008:0545,REDHAT-RHSA-2008:0546,REDHAT-RHSA-2008:0582,SECUNIA-30048,SECUNIA-30083,SECUNIA-30158,SECUNIA-30288,SECUNIA-30345,SECUNIA-30411,SECUNIA-30757,SECUNIA-30828,SECUNIA-30967,SECUNIA-31119,SECUNIA-31124,SECUNIA-31200,SECUNIA-31326,SECUNIA-32746,NEXPOSE-php-cve-2008-2051
Records like these continue for a long way.
It would get too long, so I'll omit the rest.
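With 302 records, reading the `vulns` listing by eye is impractical; the practical next step is to parse each `[*] Time: ... Vuln: host=... name=... refs=...` line into a structured record and summarise it per host (distinct CVEs, findings with no CVE at all, the NeXpose check id). The following Ruby is an added example, not part of the original post or of the Metasploit nexpose plugin; the sample input is four records copied from the output above with their refs shortened.

```ruby
require 'time'

# Constructed sample: four records taken from the `vulns` output shown on the
# page, with the long refs lists trimmed.
SAMPLE_VULNS = <<~'OUT'
  [*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=Debian's OpenSSL Library Predictable Random Number Generator refs=BID-29179,CVE-2008-0166,DEBIAN-DSA-1571,NEXPOSE-openssl-debian-weak-keys
  [*] Time: 2013-03-20 12:33:44 UTC Vuln: host=192.168.112.130 name=Anonymous users can obtain the Windows password policy refs=BID-959,CVE-2000-1200,XF-4015,NEXPOSE-CIFS-NT-0002
  [*] Time: 2013-03-20 12:33:45 UTC Vuln: host=192.168.112.130 name=DNS server allows cache snooping refs=URL-http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf,NEXPOSE-dns-allows-cache-snooping
  [*] Time: 2013-03-20 12:33:44 UTC Vuln: host=192.168.112.130 name=CIFS Share Writeable By Everyone refs=CVE-1999-0520,NEXPOSE-cifs-share-world-writeable
OUT

# One msfconsole `vulns` record; the name may contain spaces, refs never do.
VULN_LINE = /\A\[\*\] Time: (?<time>\S+ \S+ UTC) Vuln: host=(?<host>\S+) name=(?<name>.+?) refs=(?<refs>\S*)\z/

# Parse one line into a Hash; returns nil for prompts and other non-record lines.
def parse_vuln_line(line)
  m = VULN_LINE.match(line.strip)
  return nil unless m
  refs = m[:refs].split(',')
  {
    time: Time.parse(m[:time]),
    host: m[:host],
    name: m[:name],
    cves: refs.grep(/\ACVE-\d{4}-\d+\z/),
    nexpose_ids: refs.grep(/\ANEXPOSE-/).map { |r| r.sub('NEXPOSE-', '') },
    refs: refs,
  }
end

def parse_vulns(output)
  output.each_line.map { |l| parse_vuln_line(l) }.compact
end

# Per-host summary: finding count, distinct CVEs, and findings that carry no
# CVE (configuration weaknesses that a CVE-only triage would miss).
def summarize(records)
  records.group_by { |r| r[:host] }.transform_values do |rs|
    {
      findings: rs.size,
      cves: rs.flat_map { |r| r[:cves] }.uniq.sort,
      without_cve: rs.reject { |r| r[:cves].any? }.map { |r| r[:name] },
    }
  end
end

summarize(parse_vulns(SAMPLE_VULNS)).each { |host, s| puts "#{host}: #{s.inspect}" }
```

Paste the full `vulns` output into `SAMPLE_VULNS` (or read it from a file saved with `spool`) to summarise the real 302 records.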
As you would expect from a server built for testing, quite a large number of vulnerabilities were found.
I want to keep studying how to go about attacking from here.
That's all.