1) OpenVAS vulnerability scanner
Using OpenVAS from inside Metasploit
0. Start the OpenVAS service
root@attacker:~# openvas-start
1. Load the openvas plugin in Metasploit
msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] Successfully loaded plugin: OpenVAS
2. Connect to OpenVAS. Usage: openvas_connect username password host port <ssl-confirm> (on a successful connection the plugin also prints the targets already defined on the server)
msf > openvas_connect admin toor 127.0.0.1 9390 ok
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
5e78a0e1-6569-45d9-8474-d7c83d0ea8ff test2 10.10.10.254 1 0 Metasploitable
971d579a-b65c-406c-9737-b4d946fb68b1 UUUU 10.10.10.254 1 1 Mwtasploitable
3. List the OpenVAS scan configurations
msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs
ID Name
-- ----
085569ce-73ed-11df-83c3-002264764cea empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea Full and very deep
74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
daba56c8-73ec-11df-a475-002264764cea Full and fast
4. Create a scan task. Usage: openvas_task_create <name> <comment> <config_id> <target_id> (config_id is taken from the config list in step 3, here "Full and fast"; target_id from the target list printed in step 2)
msf > openvas_task_create test-scan "Scan of test2 Metasploitable" daba56c8-73ec-11df-a475-002264764cea 5e78a0e1-6569-45d9-8474-d7c83d0ea8ff
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable New -1
5. Start the scan task. Usage: openvas_task_start <id>
msf > openvas_task_start b4baa75d-9d51-4393-a8fd-66a0480bda28
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable Requested 1
6. List the scan tasks (the Status column now reads Running)
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable Running 1
7. List the scan tasks again once the scan has finished (Status changes to Done)
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba UUOO OOOOOOOOO Done -1
b4baa75d-9d51-4393-a8fd-66a0480bda28 test-scan Scan of test2 Metasploitable Done -1
8. After the scan finishes, list the scan reports
msf > openvas_report_list
ID Task Name Start Time Stop Time
-- --------- ---------- ---------
752e8852-68f4-4bff-a23c-92767a6c9bd7 test-scan 2017-08-30T06:12:51Z 2017-08-30T06:13:06Z
babf1f94-c1ca-4b4e-b678-a0cd355c6a72 UUOO 2017-08-30T00:42:12Z 2017-08-30T01:06:41Z
9. List the supported report formats
msf > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats
ID Name Extension Summary
-- ---- --------- -------
5057e5cc-b825-11e4-9d0e-28d24461215b Anonymous XML xml Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b Verinice ITG vna Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5 CPE csv Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5 HTML html Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5 ITG csv German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5 CSV Hosts csv CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5 ARF xml Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 NBE nbe Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd Topology SVG svg Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5 TXT txt Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5 LaTeX tex LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5 XML xml Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15 Verinice ISM vna Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5 CSV Results csv CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5 PDF pdf Portable Document Format report.
10. Download the scan report. Usage: openvas_report_download <report_id> <format_id> <path> <report_name> (report_id from step 8, format_id from step 9)
msf > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf > openvas_report_download 752e8852-68f4-4bff-a23c-92767a6c9bd7 c402cc3e-b531-11e1-9163-406186ea4fc5 /root/reports/ tast2_scan_report.pdf
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] Saving report to /root/reports/tast2_scan_report.pdf
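Steps 6 to 10 are a polling loop done by hand: list the tasks until the Status column reads Done, find the report that belongs to the task, look up the id of the wanted format, then download. The following Python is an added example, not code from this page or from the Metasploit OpenVAS plugin; it parses the plugin's table output exactly as printed in the transcript and returns the next console command to type. Assumptions not stated on the page: task names contain no whitespace, the Status column uses the words in TASK_STATES (the transcript shows New, Requested, Running and Done), and the sample strings are trimmed, constructed copies of the transcript output.

```python
"""Parse the table output of Metasploit's OpenVAS plugin and decide the next
console command.  Added example, not from the page or from the plugin."""
import re
from typing import List, Optional

UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# Status words assumed for the plugin's Status column; the transcript shows
# New, Requested, Running and Done.
TASK_STATES = r"New|Requested|Running|Stop Requested|Stopped|Done"

# One regex per table.  Lines that do not start with a UUID (headers, the
# dash rows, the Object#timeout deprecation warning) simply never match.
TASK_ROW = re.compile(
    rf"^(?P<id>{UUID})\s+(?P<name>\S+)\s+(?P<comment>.*?)\s*"
    rf"(?P<status>{TASK_STATES})\s+(?P<progress>-?\d+)$")
REPORT_ROW = re.compile(
    rf"^(?P<id>{UUID})\s+(?P<task>\S+)\s+(?P<start>\S+)(?:\s+(?P<stop>\S+))?$")
FORMAT_ROW = re.compile(
    rf"^(?P<id>{UUID})\s+(?P<name>.+?)\s+(?P<ext>[a-z]{{2,4}})\s+(?P<summary>.+)$")


def _rows(output: str, row_re: re.Pattern) -> List[dict]:
    """Every line of the console output that parses as a table row."""
    return [m.groupdict() for line in output.splitlines()
            if (m := row_re.match(line.strip()))]


def task_status(task_output: str, task_name: str) -> Optional[str]:
    """Status column of the named task, or None if it is not listed."""
    for row in _rows(task_output, TASK_ROW):
        if row["name"] == task_name:
            return row["status"]
    return None


def latest_report_id(report_output: str, task_name: str) -> Optional[str]:
    """Newest report of a task; the ISO-8601 start times sort lexically."""
    reports = [r for r in _rows(report_output, REPORT_ROW) if r["task"] == task_name]
    return max(reports, key=lambda r: r["start"])["id"] if reports else None


def format_id(format_output: str, format_name: str) -> Optional[str]:
    """Id of a report format by its Name column (for example 'PDF')."""
    for row in _rows(format_output, FORMAT_ROW):
        if row["name"] == format_name:
            return row["id"]
    return None


def next_action(task_output: str, report_output: str, format_output: str,
                task_name: str, format_name: str, path: str, filename: str) -> str:
    """Keep listing tasks until the scan is Done, then build the download command."""
    status = task_status(task_output, task_name)
    if status is None:
        raise ValueError(f"task {task_name!r} not found in openvas_task_list output")
    if status != "Done":
        return "openvas_task_list"          # still New / Requested / Running: poll again
    rid = latest_report_id(report_output, task_name)
    fid = format_id(format_output, format_name)
    if rid is None or fid is None:
        raise ValueError("report or report format not found")
    return f"openvas_report_download {rid} {fid} {path} {filename}"


# Constructed samples, trimmed copies of the transcript output.
TASKS_RUNNING = """\
openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID                                    Name       Comment                       Status   Progress
--                                    ----       -------                       ------   --------
1ff1e36e-1d76-4a62-b17b-8eb0d11977ba  UUOO       OOOOOOOOO                     Done     -1
b4baa75d-9d51-4393-a8fd-66a0480bda28  test-scan  Scan of test2 Metasploitable  Running  1
"""
TASKS_DONE = TASKS_RUNNING.replace("Running  1", "Done     -1")
REPORTS = """\
ID                                    Task Name  Start Time            Stop Time
752e8852-68f4-4bff-a23c-92767a6c9bd7  test-scan  2017-08-30T06:12:51Z  2017-08-30T06:13:06Z
babf1f94-c1ca-4b4e-b678-a0cd355c6a72  UUOO       2017-08-30T00:42:12Z  2017-08-30T01:06:41Z
"""
FORMATS = """\
ID                                    Name           Extension  Summary
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
"""

if __name__ == "__main__":
    args = (REPORTS, FORMATS, "test-scan", "PDF", "/root/reports/", "test2_scan_report.pdf")
    print(next_action(TASKS_RUNNING, *args))   # openvas_task_list
    print(next_action(TASKS_DONE, *args))      # openvas_report_download ...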
2) The targeted vulnerability scanner nmap
Nmap is one of the targeted scanning tools; it ships with a large collection of NSE scripts. How to use each individual script is not covered in detail here.
Location of the nmap scripts: /usr/share/nmap/scripts
Starting with Nmap 6.49beta6 the smb-check-vulns.nse script was removed.
It was split into six scripts: smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067 (later releases added further smb-vuln-* scripts, which is why smb-vuln-ms10-054 and smb-vuln-ms10-061 also show up in the output below).
Pick the script that fits your need; if you are not sure which one to run, smb-vuln-*.nse selects all of them. The unquoted pattern is expanded by the shell against the current directory, so the commands below change into the scripts directory first.
cd /usr/share/nmap/scripts
nmap --script=smb-vuln-*.nse 10.10.10.130
root@kali:/usr/share/nmap/scripts# nmap --script=smb-vuln-*.nse 10.10.10.130
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-09-19 13:30 CST
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00019s latency).
Not shown: 985 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
777/tcp open multiling-http
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1031/tcp open iad2
1521/tcp open oracle
6002/tcp open X11:2
7001/tcp open afs3-callback
7002/tcp open afs3-prserver
8099/tcp open unknown
MAC Address: 00:0C:29:A0:40:B6 (VMware)
Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
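The Host script results block above is what a team has to triage, and a scan of a whole subnet produces one such block per host. As an added example, not code from this page or from Nmap, the following Python reduces that block to one finding per smb-vuln-* script, with the verdict, title, disclosure date and CVE ids, and handles the two non-verdict shapes the transcript shows: a script that returned false, and a script that printed an NT_STATUS error instead of a result. The sample input is a constructed, trimmed copy of the transcript.

```python
"""Parse the 'Host script results' block printed by nmap's smb-vuln-* scripts.
Added example, not from the page or from Nmap; SAMPLE is a constructed,
trimmed copy of the scan transcript above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCRIPT_RE = re.compile(r"^(?P<script>smb-vuln-[\w-]+):\s*(?P<rest>.*)$")
HOST_RE = re.compile(r"^Nmap scan report for (?P<host>.+)$", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VULNERABLE_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


@dataclass
class Finding:
    script: str
    state: str = "UNKNOWN"        # VULNERABLE / NOT VULNERABLE / UNKNOWN
    title: str = ""
    disclosure: str = ""
    cves: List[str] = field(default_factory=list)
    note: str = ""                # error text nmap printed instead of a verdict


def parse_smb_vuln(output: str) -> Dict[str, Finding]:
    """Map script name -> Finding for every smb-vuln-* result in nmap output."""
    findings: Dict[str, Finding] = {}
    current: Optional[Finding] = None
    prev = ""
    for raw in output.splitlines():
        if not raw.startswith("|"):
            continue                          # port table, banner, timing lines
        text = raw.lstrip("|_ ").strip()      # drop the NSE tree prefix
        m = SCRIPT_RE.match(text)
        if m:                                  # "script:" header or one-line result
            current = findings.setdefault(m["script"], Finding(m["script"]))
            rest = m["rest"].strip()
            if rest == "false":
                current.state = "NOT VULNERABLE"
            elif rest:
                current.note = rest            # e.g. NT_STATUS_OBJECT_NAME_NOT_FOUND
            prev = text
            continue
        if current is None:
            continue
        if text.startswith("State:"):
            current.state = text.split(":", 1)[1].strip()
        elif text.startswith("Disclosure date:"):
            current.disclosure = text.split(":", 1)[1].strip()
        elif prev == "VULNERABLE:" and text:
            current.title = text               # the line right after VULNERABLE:
        for cve in CVE_RE.findall(text):       # IDs line and reference URLs
            if cve not in current.cves:
                current.cves.append(cve)
        prev = text
    return findings


def vulnerable(findings: Dict[str, Finding]) -> List[Finding]:
    """Only the scripts that reached a positive verdict."""
    return [f for f in findings.values() if f.state in VULNERABLE_STATES]


def host_of(output: str) -> Optional[str]:
    m = HOST_RE.search(output)
    return m["host"] if m else None


def summary(output: str) -> List[dict]:
    """Flat rows a ticketing system or SIEM could ingest, one per script."""
    host = host_of(output) or "?"
    return [{"host": host, "script": f.script, "state": f.state,
             "cves": list(f.cves), "title": f.title, "note": f.note}
            for f in sorted(parse_smb_vuln(output).values(), key=lambda f: f.script)]


SAMPLE = """\
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00019s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|     Disclosure date: 2009-09-08
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
"""

if __name__ == "__main__":
    for row in summary(SAMPLE):
        print(row)
```

The parser deliberately ignores indentation, which extraction (as on this page) tends to flatten, and keys only on the `|` prefix and the `script:` header lines. An NT_STATUS error is kept as UNKNOWN with the text in `note` rather than being folded into "not vulnerable": the check did not run, so the host still needs a follow-up.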