Using NeXpose with Metasploit

地球胖头鱼 2021-03-12
Systems and Internal Network Security · Published 2021-03-12 10:08:41 · 120 views · 0 comments

Using NeXpose Results Within the Metasploit Framework

With Rapid7's acquisition of Metasploit in 2009, there is now excellent compatibility between Metasploit and the NeXpose vulnerability scanner. Rapid7's scanner is available at http://www.rapid7.com/vulnerability-scanne...

After installing and updating NeXpose, we run a full credentialed scan against our vulnerable Linux machine.


We create a new report in NeXpose and save the scan results in NeXpose Simple XML format, which we can import into Metasploit later. Next, we start msfconsole, create a new workspace, and use the db_import command, which automatically detects the file type and imports our scan results file.

msf > db_import /root/Nexpose/report.xml
[*] Importing 'NeXpose Simple XML' data
[*] Importing host 172.16.194.172
[*] Successfully imported /root/Nexpose/report.xml
msf > services

Services
========

host            port   proto  name               state  info
----            ----   -----  ----               -----  ----
172.16.194.172  21     tcp    ftp                open   vsFTPd 2.3.4
172.16.194.172  22     tcp    ssh                open   OpenSSH 4.7p1
172.16.194.172  23     tcp    telnet             open   
172.16.194.172  25     tcp    smtp               open   Postfix
172.16.194.172  53     tcp    dns-tcp            open   BIND 9.4.2
172.16.194.172  53     udp    dns                open   BIND 9.4.2
172.16.194.172  80     tcp    http               open   Apache 2.2.8
172.16.194.172  111    tcp    portmapper         open   
172.16.194.172  111    udp    portmapper         open   
172.16.194.172  137    udp    cifs name service  open   
172.16.194.172  139    tcp    cifs               open   Samba 3.0.20-Debian
172.16.194.172  445    tcp    cifs               open   Samba 3.0.20-Debian
172.16.194.172  512    tcp    remote execution   open   
172.16.194.172  513    tcp    remote login       open   
172.16.194.172  514    tcp    remote shell       open   
172.16.194.172  1524   tcp    ingreslock         open   
172.16.194.172  2049   tcp    nfs                open   
172.16.194.172  2049   udp    nfs                open   
172.16.194.172  3306   tcp    mysql              open   MySQL 5.0.51a
172.16.194.172  5432   tcp    postgres           open   
172.16.194.172  5900   tcp    vnc                open   
172.16.194.172  6000   tcp    xwindows           open   
172.16.194.172  8180   tcp    http               open   Apache Tomcat
172.16.194.172  41407  udp    status             open   
172.16.194.172  44841  tcp    mountd             open   
172.16.194.172  47207  tcp    nfs lockd          open   
172.16.194.172  48972  udp    nfs lockd          open   
172.16.194.172  51255  tcp    status             open   
172.16.194.172  58769  udp    mountd             open  

We now have NeXpose's report available directly from msfconsole. As discussed in the earlier modules, the database back-end commands let us search this information with a few simple keystrokes.

What was not covered, however, is the vulns command. We can issue this command to see which vulnerabilities our NeXpose scan found. With no options, vulns simply displays every vulnerability found, along with details such as the service name, the associated port, the CVE (if any), and so on.

msf > vulns
[*] Time: 2016-06-20 02:09:50 UTC Vuln: host=172.16.194.172 name=NEXPOSE-vnc-password-password refs=NEXPOSE-vnc-password-password 
[*] Time: 2016-06-20 02:09:50 UTC Vuln: host=172.16.194.172 name=NEXPOSE-backdoor-vnc-0001 refs=NEXPOSE-backdoor-vnc-0001 
[*] Time: 2016-06-20 02:09:49 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,URL-http://www.hsc.fr/ressources/presentations/null_sessions/,NEXPOSE-cifs-nt-0001

...snip...

[*] Time: 2016-06-20 02:09:52 UTC Vuln: host=172.16.194.172 name=NEXPOSE-openssl-debian-weak-keys refs=CVE-2008-0166,BID-29179,SECUNIA-30136,SECUNIA-30220,SECUNIA-30221,SECUNIA-30231,SECUNIA-30239,SECUNIA-30249,URL-http://metasploit.com/users/hdm/tools/debian-openssl/,URL-http://wiki.debian.org/SSLkeys,URL-http://www.debian.org/security/2008/dsa-1571,URL-http://www.debian.org/security/2008/dsa-1576,URL-http://www.debian.org/security/key-rollover/,URL-http://www.ubuntu.com/usn/usn-612-1,URL-http://www.ubuntu.com/usn/usn-612-2,URL-http://www.ubuntu.com/usn/usn-612-3,URL-http://www.ubuntu.com/usn/usn-612-4,URL-http://www.ubuntu.com/usn/usn-612-5,URL-http://www.ubuntu.com/usn/usn-612-6,URL-http://www.ubuntu.com/usn/usn-612-7,URL-http://www.ubuntu.com/usn/usn-612-8,NEXPOSE-openssl-debian-weak-keys

Much like the hosts and services commands, we have several options available for producing more specific output when searching the vulnerabilities stored in the imported report. Let's take a look at them.

msf > vulns -h
Print all vulnerabilities in the database

Usage: vulns [addr range]

  -h,--help             Show this help information
  -p,--port <portspec>  List vulns matching this port spec
  -s <svc names>        List vulns matching these service names
  -S,--search           Search string to filter by
  -i,--info             Display vuln info

Examples:
  vulns -p 1-65536          # only vulns with associated services
  vulns -p 1-65536 -s http  # identified as http on any port

Let's target a specific service we know is running on Metasploitable and see what information our vulnerability scan collected about it. We will display the vulnerabilities found for the mysql service, using -p to specify the port number, -s for the service name and, finally, -i for the vulnerability info.

msf > vulns -p 3306 -s mysql -i
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-dispatch_command-multiple-format-string refs=CVE-2009-2446,BID-35609,OSVDB-55734,SECUNIA-35767,SECUNIA-38517,NEXPOSE-mysql-dispatch_command-multiple-format-string info=mysql-dispatch_command-multiple-format-string
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-bug-32707-send-error-bof refs=URL-http://bugs.mysql.com/bug.php?id=32707,NEXPOSE-mysql-bug-32707-send-error-bof info=mysql-bug-32707-send-error-bof
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-bug-37428-user-defind-function-remote-codex refs=URL-http://bugs.mysql.com/bug.php?id=37428,NEXPOSE-mysql-bug-37428-user-defind-function-remote-codex info=mysql-bug-37428-user-defind-function-remote-codex
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-default-account-root-nopassword refs=CVE-2002-1809,BID-5503,NEXPOSE-mysql-default-account-root-nopassword info=mysql-default-account-root-nopassword
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-yassl-certdecodergetname-multiple-bofs refs=CVE-2009-4484,BID-37640,BID-37943,BID-37974,OSVDB-61956,SECUNIA-37493,SECUNIA-38344,SECUNIA-38364,SECUNIA-38517,SECUNIA-38573,URL-http://bugs.mysql.com/bug.php?id=50227,URL-http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html,URL-http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html,NEXPOSE-mysql-yassl-certdecodergetname-multiple-bofs info=mysql-yassl-certdecodergetname-multiple-bofs
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-yassl-multiple-bof refs=CVE-2008-0226,CVE-2008-0227,BID-27140,BID-31681,SECUNIA-28324,SECUNIA-28419,SECUNIA-28597,SECUNIA-29443,SECUNIA-32222,URL-http://bugs.mysql.com/bug.php?id=33814,NEXPOSE-mysql-yassl-multiple-bof info=mysql-yassl-multiple-bof
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-directory-traversal-and-arbitrary-table-access refs=CVE-2010-1848,URL-http://bugs.mysql.com/bug.php?id=53371,URL-http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html,URL-http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html,NEXPOSE-mysql-directory-traversal-and-arbitrary-table-access info=mysql-directory-traversal-and-arbitrary-table-access
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-vio_verify_callback-zero-depth-x-509-certificate refs=CVE-2009-4028,URL-http://bugs.mysql.com/bug.php?id=47320,URL-http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html,URL-http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html,NEXPOSE-mysql-vio_verify_callback-zero-depth-x-509-certificate info=mysql-vio_verify_callback-zero-depth-x-509-certificate
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-bug-29801-remote-federated-engine-crash refs=URL-http://bugs.mysql.com/bug.php?id=29801,NEXPOSE-mysql-bug-29801-remote-federated-engine-crash info=mysql-bug-29801-remote-federated-engine-crash
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-bug-38296-nested-boolean-query-exhaustion-dos refs=URL-http://bugs.mysql.com/bug.php?id=38296,NEXPOSE-mysql-bug-38296-nested-boolean-query-exhaustion-dos info=mysql-bug-38296-nested-boolean-query-exhaustion-dos
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-com_field_list-command-bof refs=CVE-2010-1850,URL-http://bugs.mysql.com/bug.php?id=53237,URL-http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html,URL-http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html,NEXPOSE-mysql-com_field_list-command-bof info=mysql-com_field_list-command-bof
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-datadir-isam-table-privilege-escalation refs=CVE-2008-2079,BID-29106,BID-31681,SECUNIA-30134,SECUNIA-31066,SECUNIA-31226,SECUNIA-31687,SECUNIA-32222,SECUNIA-36701,URL-http://bugs.mysql.com/32091,URL-http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html,URL-http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html,NEXPOSE-mysql-datadir-isam-table-privilege-escalation info=mysql-datadir-isam-table-privilege-escalation
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-my_net_skip_rest-packet-length-dos refs=CVE-2010-1849,URL-http://bugs.mysql.com/bug.php?id=50974,URL-http://bugs.mysql.com/bug.php?id=53371,URL-http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html,NEXPOSE-mysql-my_net_skip_rest-packet-length-dos info=mysql-my_net_skip_rest-packet-length-dos
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-myisam-table-privilege-check-bypass refs=CVE-2008-4097,CVE-2008-4098,SECUNIA-32759,SECUNIA-38517,URL-http://bugs.mysql.com/bug.php?id=32167,URL-http://lists.mysql.com/commits/50036,URL-http://lists.mysql.com/commits/50773,NEXPOSE-mysql-myisam-table-privilege-check-bypass info=mysql-myisam-table-privilege-check-bypass
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-bug-29908-alter-view-priv-esc refs=URL-http://bugs.mysql.com/bug.php?id=29908,NEXPOSE-mysql-bug-29908-alter-view-priv-esc info=mysql-bug-29908-alter-view-priv-esc
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-bug-44798-stored-procedures-server-crash refs=URL-http://bugs.mysql.com/bug.php?id=44798,NEXPOSE-mysql-bug-44798-stored-procedures-server-crash info=mysql-bug-44798-stored-procedures-server-crash
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-empty-bit-string-dos refs=CVE-2008-3963,SECUNIA-31769,SECUNIA-32759,SECUNIA-34907,URL-http://bugs.mysql.com/bug.php?id=35658,NEXPOSE-mysql-empty-bit-string-dos info=mysql-empty-bit-string-dos
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-innodb-dos refs=CVE-2007-5925,BID-26353,SECUNIA-27568,SECUNIA-27649,SECUNIA-27823,SECUNIA-28025,SECUNIA-28040,SECUNIA-28099,SECUNIA-28108,SECUNIA-28128,SECUNIA-28838,URL-http://bugs.mysql.com/bug.php?id=32125,NEXPOSE-mysql-innodb-dos info=mysql-innodb-dos
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-html-output-script-insertion refs=CVE-2008-4456,BID-31486,SECUNIA-32072,SECUNIA-34907,SECUNIA-38517,URL-http://bugs.mysql.com/bug.php?id=27884,URL-http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability,NEXPOSE-mysql-html-output-script-insertion info=mysql-html-output-script-insertion
[*] Time: 2016-06-20 02:09:50 UTC Vuln: host=172.16.194.172 name=NEXPOSE-database-open-access refs=URL-https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf,NEXPOSE-database-open-access info=database-open-access
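As an added example (my own code, not from the original page or from the Metasploit project), the Python script below parses the services table and the vulns lines in the format printed above, groups each finding's references by type (CVE, BID, SECUNIA, URL, NEXPOSE), reproduces the effect of the -s and -p filters, and orders the findings by how many CVE references they carry so a reviewer sees the best-documented issues first. The sample input is a constructed excerpt of the output shown above. Because a printed vulns line carries no port, the script guesses the service from the token after NEXPOSE- in the check name; that mapping is an assumption of this example, not how Metasploit links a vuln to its service in the database.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, copied in shape from the msfconsole "services" table
# and "vulns" lines above (a handful of rows; the real report has many more).
SERVICES_TEXT = """\
host            port   proto  name               state  info
----            ----   -----  ----               -----  ----
172.16.194.172  21     tcp    ftp                open   vsFTPd 2.3.4
172.16.194.172  137    udp    cifs name service  open   
172.16.194.172  139    tcp    cifs               open   Samba 3.0.20-Debian
172.16.194.172  3306   tcp    mysql              open   MySQL 5.0.51a
172.16.194.172  5900   tcp    vnc                open   
"""

VULNS_TEXT = """\
[*] Time: 2016-06-20 02:09:50 UTC Vuln: host=172.16.194.172 name=NEXPOSE-vnc-password-password refs=NEXPOSE-vnc-password-password 
[*] Time: 2016-06-20 02:09:49 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,URL-http://www.hsc.fr/ressources/presentations/null_sessions/,NEXPOSE-cifs-nt-0001
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-default-account-root-nopassword refs=CVE-2002-1809,BID-5503,NEXPOSE-mysql-default-account-root-nopassword info=mysql-default-account-root-nopassword
[*] Time: 2016-06-20 02:09:51 UTC Vuln: host=172.16.194.172 name=NEXPOSE-mysql-yassl-multiple-bof refs=CVE-2008-0226,CVE-2008-0227,BID-27140,BID-31681,SECUNIA-28324,SECUNIA-28419,SECUNIA-28597,SECUNIA-29443,SECUNIA-32222,URL-http://bugs.mysql.com/bug.php?id=33814,NEXPOSE-mysql-yassl-multiple-bof info=mysql-yassl-multiple-bof
[*] Time: 2017-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-unix-hosts-equiv-allows-access refs= 
"""

# One services row: host, port, proto, name (may contain spaces), state, free-text info.
SERVICE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(tcp|udp)\s+(.+?)\s+(open|closed|filtered|unknown)\s*(.*)$")
# One vulns line: refs may be empty, and "info=" is only printed with -i.
VULN_RE = re.compile(
    r"^\[\*\] Time: (\S+ \S+) UTC Vuln: host=(\S+) name=(\S+) refs=(\S*)(?: info=(\S+))?")


def parse_services(text):
    """Turn the 'services' table into dicts; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            host, port, proto, name, state, info = m.groups()
            rows.append({"host": host, "port": int(port), "proto": proto,
                         "name": name, "state": state, "info": info.strip()})
    return rows


def split_refs(refs_field):
    """Group 'TYPE-value' references by TYPE (CVE, BID, SECUNIA, URL, NEXPOSE, ...)."""
    grouped = defaultdict(list)
    for ref in refs_field.split(","):
        if ref:
            kind = ref.partition("-")[0]
            grouped[kind].append(ref)
    return dict(grouped)


def parse_vulns(text):
    """Turn 'vulns' output lines into dicts with refs already grouped by type."""
    found = []
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            time, host, name, refs, info = m.groups()
            found.append({"time": time, "host": host, "name": name,
                          "refs": split_refs(refs), "info": info})
    return found


def service_hint(vuln_name):
    """Assumption of this example: the token after 'NEXPOSE-' names the service
    (NEXPOSE-mysql-... -> 'mysql'). Metasploit keeps the real link in its database."""
    parts = vuln_name.split("-")
    return parts[1] if len(parts) > 1 and parts[0] == "NEXPOSE" else ""


def vulns_for_service(vulns, services, name, port=None):
    """Mimic 'vulns -s <name> [-p <port>]': findings on hosts exposing that service
    (optionally on that port) whose check name points at the same service."""
    hosts = {s["host"] for s in services
             if s["name"] == name and (port is None or s["port"] == port)}
    return [v for v in vulns if v["host"] in hosts and service_hint(v["name"]) == name]


def triage(vulns):
    """Order findings for review: most CVE references first, then by check name."""
    return sorted(vulns, key=lambda v: (-len(v["refs"].get("CVE", [])), v["name"]))


def count_ref_types(vulns):
    """Total number of references of each type across the selected findings."""
    counts = Counter()
    for v in vulns:
        for kind, refs in v["refs"].items():
            counts[kind] += len(refs)
    return counts


if __name__ == "__main__":
    services, vulns = parse_services(SERVICES_TEXT), parse_vulns(VULNS_TEXT)
    print("reference types:", dict(count_ref_types(vulns)))
    for v in triage(vulns_for_service(vulns, services, "mysql", 3306)):
        print(v["name"], v["refs"].get("CVE", []))
```

Findings with no CVE at all (the vnc default password, the world-readable hosts.equiv) still deserve attention; the ranking only reflects how well a finding is cross-referenced, so pair it with the service list rather than treating it as a severity score.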

NeXpose Vulnerability Scanning Within Metasploit

The Metasploit / NeXpose integration is not limited to simply importing scan result files. You can run a NeXpose scan directly from msfconsole by first loading the nexpose plugin.


Before running a scan against a target, we first need to connect to the server running NeXpose with the nexpose_connect command, supplying the credentials for the NeXpose instance. Note that you must append ok to the end of the connection string to acknowledge that the SSL connection is not verified.


Now that we are connected to our server, we can run a vulnerability scan from within Metasploit.

msf > nexpose_scan -h

Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass)
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the NeXpose instance (optional)
    -t <opt>  The scan template to use (default: pentest-audit; options: full-audit, exhaustive-audit, discovery, aggressive-discovery, dos-audit)
    -v        Display diagnostic information about the scanning process

We will give the scanner credentials for the ssh service and use the full-audit scan template. Our scan results should be very similar to the ones we imported earlier.

msf > nexpose_scan  -c ssh:msfadmin:msfadmin -t full-audit 172.16.194.172
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf >
msf > hosts

Hosts
=====

address         mac  name            os_name       os_flavor  os_sp  purpose  info  comments
-------         ---  ----            -------       ---------  -----  -------  ----  --------
172.16.194.172       METASPLOITABLE  Ubuntu Linux                    device         

Again, we run 'services' and 'vulns' and can see that the results are of the same quality as those we imported from the XML file.


msf > vulns
[*] Time: 2017-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-nt-0001 refs=CVE-1999-0519,URL-http://www.hsc.fr/ressources/presentations/null_sessions/ 
[*] Time: 2017-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-generic-ip-source-routing-enabled refs=BID-646,CVE-1999-0510,CVE-1999-0909,MSB-MS99-038,URL-http://packetstormsecurity.nl/advisories/nai/nai.99-09-20.windows_ip_source_routing 
[*] Time: 2017-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-unix-hosts-equiv-allows-access refs= 
[*] Time: 2017-06-20 16:34:21 UTC Vuln: host=172.16.194.172 name=NEXPOSE-cifs-share-world-writeable refs=CVE-1999-0520

...snip...

[*] Time: 2017-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-vnc-password-password refs= 
[*] Time: 2017-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-default-password refs=BID-38084,CVE-2009-3843,CVE-2010-0557 
[*] Time: 2017-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-example-leaks refs= 
[*] Time: 2017-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-apache-tomcat-default-install-page refs= 
[*] Time: 2017-06-20 16:34:22 UTC Vuln: host=172.16.194.172 name=NEXPOSE-nfs-mountd-0002 refs= 

Extending Our NeXpose Scanning Methods

Other types of scans can be run against a target or targets with the nexpose_discover, nexpose_dos and nexpose_exhaustive commands. The first performs a minimal service discovery scan, while the second adds denial-of-service checks.

Caution should be exercised when running nexpose_dos, as it may well crash your target.

The nexpose_exhaustive scan covers all TCP ports and all authorized safe checks.

msf > nexpose_discover -h
msf > nexpose_dos -h
msf > nexpose_exhaustive -h

This work is licensed under a CC license; reproduction must credit the author and link to this article.