lab 1- scanning-ger_pacotes-v1.docx
TRANSCRIPT
CASID
COURSE FOR AUDITORS
CLASS OF 2014
LABORATORIES
CASID CIAW
LAB 1 - Offensive Security Course Laboratory
Port scanning, packet generator and Nessus
1. NMAP
Basic options
-sT = TCP connect scan: completes the three-way handshake on every port, so it needs no raw-socket privilege, but it is also the scan most easily logged by the target.
-sU = UDP scan. A port that never answers is reported as open|filtered, because an open UDP service may simply ignore an empty probe; only an ICMP port-unreachable proves it closed.
-sS = TCP SYN ("half-open") scan: sends a SYN and never completes the handshake (needs root). This is the default for privileged users.
-sA = TCP ACK scan: sends bare ACK segments. It cannot tell open from closed, but a RST reply means the port is unfiltered and silence means filtered, which is what makes it useful for mapping a firewall's rule set.
-sP = Ping scan (host discovery only). Sweeps a large address range to find the hosts that are up. As root on a remote network it sends ICMP echo request, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp probes, not just ICMP echo. Newer releases spell this -sn; -sP is still accepted.
-P0 = Skip host discovery and scan every target as if it were up. Needed for hosts that block ICMP, which would otherwise be reported as down. Newer releases spell this -Pn; -P0 is still accepted.
-O = OS fingerprinting: infers the remote operating system from TCP/IP stack behaviour.
-sV = Service and version detection on the ports that accept connections. Very useful for spotting an old version that may be remotely exploitable.
-p = A single port or a port range (for example -p1-200; a T: or U: prefix restricts the list to one protocol).
-T0 to -T5 = Timing templates, from paranoid to insane; the slower templates trade speed for stealth against IDS and for accuracy on lossy links.
See: http://www.vivaolinux.com.br/artigos/impressora.php?codigo=13548
Without parameters
Important file: /usr/share/nmap/nmap-services (port-to-service mapping and open frequency; the default 1000-port scan is chosen from that frequency column)
Scan 172.16.50.40 (Windows2003-XAMP-ENG)
OS detection (-O)
root@kali:~# nmap
Nmap 5.61TEST4 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:

root@kali:~# nmap 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 17:48 BRT
Nmap scan report for 172.16.50.40
Host is up (1.0s latency).
Not shown: 991 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
80/tcp   open     http
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
443/tcp  open     https
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
3306/tcp open     mysql

root@kali:~# nmap -O 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:20 BRT
Nmap scan report for 172.16.50.40
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3306/tcp open  mysql
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds
root@kali:~#
UDP scanning (-sU, first 200 ports)
Scan a single port across a host range (-p T:139)
root@kali:~# nmap -sU -vv -p1-200 172.16.50.20
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 23:57 BRT
Initiating Ping Scan at 23:57
Scanning 172.16.50.20 [4 ports]
Completed Ping Scan at 23:57, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:57
Completed Parallel DNS resolution of 1 host. at 23:57, 0.05s elapsed
Initiating UDP Scan at 23:57
Scanning 172.16.50.20 [200 ports]
Discovered open port 123/udp on 172.16.50.20
Discovered open port 137/udp on 172.16.50.20
Completed UDP Scan at 23:57, 1.25s elapsed (200 total ports)
Nmap scan report for 172.16.50.20
Host is up (0.0041s latency).
Scanned at 2012-06-25 23:57:10 BRT for 1s
Not shown: 196 closed ports
PORT    STATE         SERVICE
123/udp open          ntp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
           Raw packets sent: 206 (6.089KB) | Rcvd: 199 (11.364KB)

root@kali:~# nmap -p T:139 172.16.50.20-40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:00 BRT
Nmap scan report for 172.16.50.20
Host is up (0.0021s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn

Nmap scan report for 172.16.50.40
Host is up (0.0032s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
Nmap done: 21 IP addresses (2 hosts up) scanned in 2.69 seconds
root@kali:~#
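The reports above are easier to compare as data than as screenshots, and the two scans of 172.16.50.40 do differ. The Python below is an added example, not part of the lab material or of Nmap: it parses Nmap's normal output (the PORT/STATE/SERVICE table, including the UDP open|filtered state) into records, counts states per host, and diffs two reports. The three sample inputs are the lab's own reports re-typed with their line breaks restored; the function names and the "not listed" label are the example's own.

```python
import re

# Constructed samples: the lab's two TCP reports for 172.16.50.40 (taken about
# half an hour apart) and the -sU report for 172.16.50.20, re-typed verbatim.
SCAN_1748 = """\
Nmap scan report for 172.16.50.40
Host is up (1.0s latency).
Not shown: 991 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
80/tcp   open     http
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
443/tcp  open     https
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
3306/tcp open     mysql
"""

SCAN_1820 = """\
Nmap scan report for 172.16.50.40
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3306/tcp open  mysql
OS details: Microsoft Windows Server 2003 SP1 or SP2
"""

SCAN_UDP = """\
Nmap scan report for 172.16.50.20
Host is up (0.0041s latency).
Not shown: 196 closed ports
PORT    STATE         SERVICE
123/udp open          ntp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)")


def parse_nmap_normal(text):
    """Map host -> {(port, proto): (state, service)} from Nmap's normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)           # hostname when resolved, else the IP
            hosts[current] = {}
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current][(int(port), proto)] = (state, service)
    return hosts


def state_counts(ports):
    """Histogram of port states for one host, e.g. {'open': 2, 'open|filtered': 2}."""
    counts = {}
    for state, _ in ports.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


def diff_scans(old, new):
    """Per host, every port whose listed state changed between two parsed reports.

    A port absent from a report is 'not listed'; with default output that means
    it fell into the 'Not shown: N closed ports' summary line.
    """
    changes = {}
    for host in sorted(set(old) | set(new)):
        o, n = old.get(host, {}), new.get(host, {})
        for key in sorted(set(o) | set(n)):
            before = o.get(key, ("not listed", None))[0]
            after = n.get(key, ("not listed", None))[0]
            if before != after:
                changes.setdefault(host, []).append((key, before, after))
    return changes


if __name__ == "__main__":
    first, second = parse_nmap_normal(SCAN_1748), parse_nmap_normal(SCAN_1820)
    for host, items in diff_scans(first, second).items():
        for (port, proto), before, after in items:
            print(f"{host} {port}/{proto}: {before} -> {after}")
    print(state_counts(parse_nmap_normal(SCAN_UDP)["172.16.50.20"]))
```

The diff reports exactly one change: 514/tcp is "filtered" in the 17:48 scan (1.0 s latency) and not listed at 18:20 (1 ms latency). Nmap reports filtered when its probes get no answer after retransmission, so a lossy or slow path can produce the state on its own; rescan before recording it as a firewall rule. The UDP histogram shows the same caveat for open|filtered: two of the four ports need a follow-up (for example -sV, which sends protocol-specific payloads) before they can be called open.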
NSE script directory - /usr/share/nmap/scripts/
OS discovery via SMB (smb-os-discovery)
Decoy scan (-D) - watch it with tcpdump: the probes appear to come from the decoy addresses as well as from your own host, which is still among them
root@kali:~# nmap 172.16.50.40 --script smb-os-discovery.nse
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-22 08:04 EDT
Nmap scan report for 172.16.50.40
Host is up (0.0014s latency).
Not shown: 989 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
53/tcp  open  domain
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn

root@kali:~# nmap -sS -D 1.1.1.1,2.2.2.2,3.3.3.3 172.16.50.40
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-22 09:05 EDT
Nmap scan report for 172.16.50.40
Host is up (0.0018s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
53/tcp   open  domain
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1028/tcp open  unknown
1029/tcp open  ms-lsa
3306/tcp open  mysql
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
root@kali:~#
Enumerate Windows 2000 users (smb-enum-users; it uses an anonymous null session unless credentials are supplied with --script-args smbusername=...,smbpassword=...)
root@kali:# nmap --script smb-enum-users.nse -p139 172.16.50.50
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:22 BRT
Nmap scan report for 172.16.50.50
Host is up (0.011s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-enum-users: 
|   WIN2KSQL01\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   WIN2KSQL01\backup (RID: 1006)
|     Full name:   backup
|     Flags:       Password does not expire, Normal user account
|   WIN2KSQL01\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Password not required, Password does not expire, Account disabled, Normal user account
|   WIN2KSQL01\IUSR_SRV2 (RID: 1002)
|     Full name:   Internet Guest Account
|     Description: Built-in account for anonymous access to Internet Information Services
|     Flags:       Password not required, Password does not expire, Normal user account
|   WIN2KSQL01\IWAM_SRV2 (RID: 1003)
|     Full name:   Launch IIS Process Account
|     Description: Built-in account for Internet Information Services to start out of process applications
|     Flags:       Password not required, Password does not expire, Normal user account
|   WIN2KSQL01\sqlusr (RID: 1005)
|     Full name:   sqlusr
|     Flags:       Normal user account
|   WIN2KSQL01\TsInternetUser (RID: 1000)
|     Full name:   TsInternetUser
|     Description: This user account is used by Terminal Services.
|_    Flags:       Password not required, Password does not expire, Normal user account
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
root@kali:#
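The account list above becomes actionable once each entry's flags are decoded. The Python below is an added example, not the lab's material or Nmap's code: it parses the script's tree output into records and flags the enabled accounts whose "Password not required" bit (userAccountControl PASSWD_NOTREQD) is set, plus the RID-500 account, which is the built-in Administrator regardless of its name. The sample is the lab's output re-typed; the function names and the finding texts are the example's own.

```python
import re

# Constructed sample: the lab's smb-enum-users result for 172.16.50.50,
# re-typed with NSE's '|' tree prefixes and line breaks restored.
SMB_ENUM_USERS = r"""
Host script results:
| smb-enum-users:
|   WIN2KSQL01\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   WIN2KSQL01\backup (RID: 1006)
|     Full name:   backup
|     Flags:       Password does not expire, Normal user account
|   WIN2KSQL01\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Password not required, Password does not expire, Account disabled, Normal user account
|   WIN2KSQL01\IUSR_SRV2 (RID: 1002)
|     Full name:   Internet Guest Account
|     Description: Built-in account for anonymous access to Internet Information Services
|     Flags:       Password not required, Password does not expire, Normal user account
|   WIN2KSQL01\IWAM_SRV2 (RID: 1003)
|     Full name:   Launch IIS Process Account
|     Description: Built-in account for Internet Information Services to start out of process applications
|     Flags:       Password not required, Password does not expire, Normal user account
|   WIN2KSQL01\sqlusr (RID: 1005)
|     Full name:   sqlusr
|     Flags:       Normal user account
|   WIN2KSQL01\TsInternetUser (RID: 1000)
|     Full name:   TsInternetUser
|     Description: This user account is used by Terminal Services.
|_    Flags:       Password not required, Password does not expire, Normal user account
"""

TREE_PREFIX = re.compile(r"^\|_?\s*")                      # '| ' or '|_ ' at line start
ACCOUNT = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>\S+) \(RID: (?P<rid>\d+)\)$")
FIELD = re.compile(r"^(Full name|Description|Flags):\s+(.*)$")


def parse_smb_enum_users(text):
    """Turn the script's tree output into a list of account dicts."""
    accounts = []
    for raw in text.splitlines():
        line = TREE_PREFIX.sub("", raw).rstrip()
        m = ACCOUNT.match(line)
        if m:
            accounts.append({"domain": m["domain"], "name": m["name"],
                             "rid": int(m["rid"]), "flags": []})
            continue
        m = FIELD.match(line)
        if m and accounts:
            key, value = m.groups()
            if key == "Flags":
                accounts[-1]["flags"] = [f.strip() for f in value.split(",")]
            else:
                accounts[-1][key.lower().replace(" ", "_")] = value
    return accounts


def triage(accounts):
    """Entries worth following up, with the reason."""
    findings = []
    for a in accounts:
        if a["rid"] == 500:
            findings.append((a["name"], "RID 500 is the built-in Administrator even if renamed"))
        enabled = "Account disabled" not in a["flags"]
        if enabled and "Password not required" in a["flags"]:
            findings.append((a["name"], "enabled with PASSWD_NOTREQD: an empty password is permitted"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_smb_enum_users(SMB_ENUM_USERS)):
        print(f"{name}: {reason}")
```

On this host the triage list is Administrator plus the three IIS and Terminal Services service accounts; Guest carries the same flag but is disabled, so it is left out. PASSWD_NOTREQD only means the policy allows an empty password, not that one is set, so each hit still needs a login attempt to confirm.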
Check SMB vulnerabilities (smb-check-vulns; only the non-disruptive checks run by default, the DoS checks need --script-args=unsafe=1 and can crash the target; later Nmap releases replaced this script with the separate smb-vuln-* scripts)
root@kali:~# nmap -v --script=smb-check-vulns 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:31 BRT
NSE: Loaded 1 scripts for scanning.
Initiating Ping Scan at 00:31
Scanning 172.16.50.40 [4 ports]
Discovered open port 135/tcp on 172.16.50.40
Discovered open port 21/tcp on 172.16.50.40
Discovered open port 443/tcp on 172.16.50.40
Discovered open port 80/tcp on 172.16.50.40
Discovered open port 3306/tcp on 172.16.50.40
Discovered open port 1025/tcp on 172.16.50.40
Discovered open port 445/tcp on 172.16.50.40
Discovered open port 3389/tcp on 172.16.50.40
Discovered open port 139/tcp on 172.16.50.40
Completed SYN Stealth Scan at 00:31, 1.34s elapsed (1000 total ports)
NSE: Script scanning 172.16.50.40.
Initiating NSE at 00:31
Completed NSE at 00:31, 0.08s elapsed
Nmap scan report for 172.16.50.40
Host is up (0.0014s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3306/tcp open  mysql
3389/tcp open  ms-term-serv

Host script results:
| smb-check-vulns: 
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
LAB-2
NESSUS - vulnerability scanner
http://wiki.backbox.org/index.php/Nessus
1. Download Nessus
http://www.tenable.com/products/nessus/select-your-operating-system
32-bit or 64-bit option. http://www.nessus.org/register
2. Install Nessus
(32- or 64-bit version; check the package name).
dpkg -i Nessus-5.2.1-debian6_amd64.deb
/etc/init.d/nessusd start (user admin, password admin)
These are lab-only credentials: nessusd listens on port 8834 on every interface by default, so change them before the box reaches a shared network.
Open https://127.0.0.1:8834 and configure Nessus (create the account and activate it)
Activation link
http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code
Open Nessus at https://172.16.50.30:8834 (user: admin, password: admin)
Update Nessus
root@kali:/opt/nessus/bin# /opt/nessus/sbin/nessus-update-plugins
Fetching the newest updates from nessus.org...
Done. The Nessus server will start processing these plugins within a minute
root@kali:/opt/nessus/bin#
Check the update (PLUGIN_SET is the feed date, YYYYMMDDHHMM)
Scan 172.16.50.40
root@kali:/opt/nessus/bin# locate plugin_feed_info
/opt/nessus/lib/nessus/plugins/plugin_feed_info.inc
/opt/nessus/var/nessus/.plugin_feed_info.inc
/opt/nessus/var/nessus/plugin_feed_info.inc
root@kali:/opt/nessus/bin# more /opt/nessus/lib/nessus/plugins/plugin_feed_info.inc
PLUGIN_SET = "201404221015";
PLUGIN_FEED = "HomeFeed (Non-commercial use only)";
root@kali:/opt/nessus/bin#
LAB-3
2. Wireshark
Check that FileZilla (FTP Server) is running on XAMP-ENG
Start Wireshark on the internal Kali
Choose a capture interface
Choose interface eth0 (click Start)
From Kali, try to connect to the FTP service
root@ubuntu:~# ftp 172.16.50.40
Connected to 172.16.50.40.
220-FileZilla Server version 0.9.32 beta
220-written by Tim Kosse ([email protected])
220 Please visit http://sourceforge.net/projects/filezilla/
Name (172.16.50.40:cassio): teste
331 Password required for teste
Password:
After the login attempt against the firewall is finished, stop the capture in Wireshark and look at the packets captured on the internal Kali
View the whole FTP session: right-click any packet of the FTP session and choose Follow TCP Stream (or apply the display filter ftp.request.command == "PASS" to go straight to the password)
Check the captured password: FTP sends USER and PASS in cleartext on the control connection, so anyone on the path reads them exactly as the server does
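Reproducing Follow TCP Stream in code shows why the password is recoverable. The Python below is an added example, not the lab's material and not Wireshark's code: it builds a small pcap in memory containing a constructed FTP login (the client address 172.16.50.99, its port 40001 and the password are assumptions; the server banner and the user "teste" are taken from the lab session), then reads the file back, reassembles each direction of the port-21 conversation by sequence number and extracts the USER/PASS pair. The segments are stored out of order with one retransmission, so the reassembly step is exercised. Standard library only.

```python
import socket
import struct

# --- a minimal pcap writer, used only to build the constructed sample traffic ---

def _csum(data):
    """RFC 1071 ones'-complement checksum (IPv4 header and TCP)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src, dst, sport, dport, seq, ack, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame carrying payload (flags default to PSH|ACK)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp


def pcap_file(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed FTP control session. The server is the lab's XAMP-ENG host; the
# client address, client port and password are assumptions. Segments are stored
# out of order and one is retransmitted, as in real captures.
CLIENT, SERVER = "172.16.50.99", "172.16.50.40"
seg = lambda a, b, sp, dp, seq, ack, text: tcp_frame(a, b, sp, dp, seq, ack, text.encode())
SAMPLE_PCAP = pcap_file([
    seg(SERVER, CLIENT, 21, 40001, 5000, 1000,
        "220-FileZilla Server version 0.9.32 beta\r\n220 Please visit http://sourceforge.net/projects/filezilla/\r\n"),
    seg(CLIENT, SERVER, 40001, 21, 1012, 5103, "PASS s3cret\r\n"),   # captured before USER
    seg(CLIENT, SERVER, 40001, 21, 1000, 5103, "USER teste\r\n"),
    seg(SERVER, CLIENT, 21, 40001, 5103, 1012, "331 Password required for teste\r\n"),
    seg(CLIENT, SERVER, 40001, 21, 1000, 5103, "USER teste\r\n"),    # retransmission
    seg(SERVER, CLIENT, 21, 40001, 5136, 1025, "530 Login incorrect.\r\n"),
])


# --- the reader: what Follow TCP Stream does for the FTP control port ---

def tcp_segments(pcap_bytes):
    """Yield (src, sport, dst, dport, seq, payload) for each IPv4/TCP frame."""
    end = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                           # not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, seq, tcp[data_off:])


def follow_tcp_stream(pcap_bytes, port=21):
    """One byte string per direction, ordered by sequence number, duplicate segments collapsed."""
    streams = {}
    for src, sport, dst, dport, seq, data in tcp_segments(pcap_bytes):
        if port in (sport, dport) and data:
            streams.setdefault((src, sport, dst, dport), {})[seq] = data
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}


def ftp_credentials(pcap_bytes):
    """(client, server, user, password) for every USER/PASS pair sent to port 21."""
    found = []
    for (src, sport, dst, dport), data in follow_tcp_stream(pcap_bytes).items():
        if dport != 21:
            continue                             # only client -> server carries commands
        user = None
        for line in data.decode("ascii", "replace").split("\r\n"):
            if line.upper().startswith("USER "):
                user = line[5:]
            elif line.upper().startswith("PASS ") and user is not None:
                found.append((src, dst, user, line[5:]))
    return found


if __name__ == "__main__":
    for client, server, user, password in ftp_credentials(SAMPLE_PCAP):
        print(f"{client} -> {server}  USER {user}  PASS {password}")
```

The reader keys each direction by sequence number, which is what lets it ignore the reordering and the duplicate USER segment; a naive "concatenate payloads in capture order" would have produced PASS before USER and a doubled USER line. The same reader works on ftp.pcap from the next step, since it only depends on the classic pcap framing and on Ethernet/IPv4/TCP headers.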
On Kali, open the capture files located on the desktop:
- ftp.pcap
- voip01.pcap