Metasploit Unleashed
Class 2: Information Gathering and Vulnerability Scanning
Georgia Weidman
Director of Cyberwarface, Reverse Space

Information Gathering
Learning as much as possible about targets
  Ex: open ports, running services, installed software
Identify points of interest for further exploration

Dradis
Note-taking application
Import files from nmap, Nessus, etc.
In Backtrack:
  cd /pentest/misc/dradis/server
  ruby script/server (starts Dradis server)
  ruby dradis.rb (starts Dradis console)
More information: http://dradisframework.org/

Databases
Metasploit supports MySQL and PostgreSQL
/etc/init.d/mysql start (starts MySQL)
msf > db_driver mysql (loads MySQL driver)
msf > db_connect root:toor@127.0.0.1/msf3 (connects to database server and creates msf3)
msf > db_destroy root:toor@127.0.0.1/msf3 (connects to database server and deletes msf3)

Portscanning
Queries a host to see if a program is listening
  Ex: Browsing to a website: the webserver listens on port 80
Listening ports are accessible by an attacker and, if vulnerable, may be used for exploitation
  Ex: ms08_067_netapi exploits SMB on port 445

nmap
Port scanning and just about everything else
http://nmap.org/
man nmap
Ex: nmap -sV 192.168.1.0/24 -oA subnet1 (TCP version scan, all hosts 192.168.1.X, outputs multiple formats beginning with subnet1)
msf > db_import subnet1.xml

MSF Auxiliary Portscanners
msf > search portscan (shows portscan modules)
scanner/portscan/syn (runs a TCP SYN scan)
Use auxiliary modules like exploits (use, set, exploit, etc.)

Other MSF Scanners
scanner/smb/version (scans port 445 for the SMB version, good way to get OS version)
scanner/ip/ipidseq (searches for hosts that can be used for spoofing in an nmap idle scan)
scanner/ssh/ssh_version (queries the SSH version)
scanner/ftp/anonymous (anonymous FTP login)
scanner/snmp/community (queries for SNMP info)

MSSQL Auxiliaries
MSSQL TCP port can change; UDP port is 1434
msf > search mssql (shows all mssql modules)
scanner/mssql/mssql_ping (queries UDP 1434 for information including the TCP port)
scanner/mssql/mssql_login (tries passwords to log into mssql)
admin/mssql/mssql_exec (logs into mssql and executes a command, ex: add a user)

Password Sniffing: Psnuffle
auxiliary/sniffer/psnuffle
Sniffs passwords similarly to Dsniff
Supports pop3, imap, ftp, and HTTP GET
Set Rhost to the host whose credentials you want

Vulnerability Scanning
Query systems for potential vulnerabilities
Identify potential methods of penetration
  Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2; scan for the ms08_067_netapi vulnerability

SMB Login
Given a set of credentials, what systems can they access?
Very loud! Use with caution
scanner/smb/smb_login
Set SMBUser and SMBPass to the credentials

Open VNC and X11
Remote GUI sessions should require credentials
If misconfigured, may be accessible without them
scanner/vnc/vnc_none_auth
scanner/x11/open_x11

NeXpose and Metasploit
Rapid7's vulnerability scanner
http://www.rapid7.com/vulnerability-scanner.jsp
Import results into the MSF database or run with the plugin
msf > load nexpose
msf > nexpose_connect root:toor@<ip> ok (ok says no SSL is ok)
msf > nexpose_discover <ip> (runs a scan against ip)

Metasploit and Nessus
Tenable's vulnerability scanner
http://www.nessus.org
msf > load nessus
msf > nessus_connect root:toor@<ip> ok (ok says no SSL is ok)
msf > nessus_policy_list
msf > nessus_scan_new 1 pwnage <ip range> (scan using policy one, name it pwnage)

db_autopwn
By default just runs all the exploits that match a given open port
Not stealthy
Using vulnerability data it can be made smarter: matches vulnerabilities instead of ports
db_autopwn -x -e

Exercises
Run various nmap scans against your victim VMs inside msfconsole.
Based on open ports, run MSF scanner and auxiliary modules to identify additional information and vulnerabilities.
Extra mile: Install Nessus or NeXpose and do a vulnerability scan of your victim VMs inside msfconsole. Identify MSF exploits for the vulnerabilities found and try to gain a session as we learned last class.