[MAD-METASPLOIT] 0x12 - Vulnerability Scanning

by hahwul 2 min read

Vulnerability Scanning

auxiliary/scanner/vnc/vnc_login normal VNC Authentication Scanner auxiliary/scanner/vnc/vnc_none_auth normal VNC Authentication None Detection

HAHWUL exploit(handler) > db_nmap -PN 192.168.56.101 [] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:04 KST [] Nmap: Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan [] Nmap: SYN Stealth Scan Timing: About 99.99% done; ETC: 15:04 (0:00:00 remaining) [] Nmap: Nmap scan report for 192.168.56.101 [] Nmap: Host is up (0.00066s latency). [] Nmap: Not shown: 985 closed ports [] Nmap: PORT STATE SERVICE [] Nmap: 135/tcp open msrpc [] Nmap: 139/tcp open netbios-ssn [] Nmap: 445/tcp open microsoft-ds [] Nmap: 554/tcp open rtsp [] Nmap: 2869/tcp open icslap [] Nmap: 5357/tcp open wsdapi [] Nmap: 5500/tcp open hotline [] Nmap: 5800/tcp open vnc-http [] Nmap: 5900/tcp open vnc

HAHWUL exploit(handler) > search vnc

Matching Modules

Name Disclosure Date Rank Description —- ————— —- ———– auxiliary/admin/vnc/realvnc_41_bypass 2006-05-15 normal RealVNC NULL Authentication Mode Bypass auxiliary/scanner/vnc/vnc_login normal VNC Authentication Scanner auxiliary/scanner/vnc/vnc_none_auth normal VNC Authentication None Detection auxiliary/server/capture/vnc normal Authentication Capture: VNC exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Legend Perl IRC Bot Remote Code Execution exploit/multi/vnc/vnc_keyboard_exec

WMAP을 이용한 Web service 취약점 스캔

먼저 WMAP 사용을 위헤 plugin을 로드합니다.

HAHWUL > load wmap

.-.-.-..-.-.-..—..—. | | | || | | || | || |-‘ -----'-‘-‘-‘-^-'-‘ [WMAP 1.5.1] === et [ ] metasploit.com 2012 [*] Successfully loaded plugin: wmap

HAHWUL > help wmap

wmap Commands

Command       Description
-------       -----------
wmap_modules  Manage wmap modules
wmap_nodes    Manage nodes
wmap_run      Test targets
wmap_sites    Manage sites
wmap_targets  Manage targets
wmap_vulns    Display web vulns

먼저 wmap_sites 로 대상 사이트 지정합니다.

wmap_sites -a (vhost,url)

HAHWUL > wmap_sites -a 172.217.27.78,google.com [*] Site created.

HAHWUL > wmap_sites -l [*] Available sites ===============

 Id  Host            Vhost          Port  Proto  # Pages  # Forms
 --  ----            -----          ----  -----  -------  -------
 0   172.217.25.206  172.217.27.78  80    http   0        0
 1   175.158.2.152   175.158.2.152  443   https  0        0

두번째론 wmap_targets 으로 실제 테스트가 진행되는 타겟을 지정합니다.

HAHWUL > wmap_targets -t 127.0.0.1

or

HAHWUL > wmap_targets -d 0 [] Loading 172.217.27.78,http://172.217.25.206:80/. HAHWUL > wmap_targets -l [] Defined targets ===============

 Id  Vhost          Host            Port  SSL    Path
 --  -----          ----            ----  ---    ----
 0   172.217.27.78  172.217.25.206  80    false  /

세팅이 다 되었으면.. run!

HAHWUL > wmap_run -e [] Using ALL wmap enabled modules. [-] NO WMAP NODES DEFINED. Executing local modules [] Testing target: [] Site: 172.217.27.78 (172.217.25.206) [] Port: 80 SSL: false ============================================================ [] Testing started. 2017-08-07 11:33:59 +0900 [] Loading wmap modules… [….]

완료 후 vulns에도 저장되지만 wmap_vulns 로 따로 볼수도 있습니다.

HAHWUL > wmap_vulns -l