침투테스트 약간 유용한 nmap NSE 스크립트 4가지

오늘은 nmap NSE 스크립트 4개에 대해 글 작성해봅니다. 음, 초안?은 좀 써놓은지 되었는데, 최근에 여러모로 신경쓸일이 많아서 이제서야 글 올리게되네요. 우선, 신박한 내용은 아니고 그냥 보편적으로 많이들 쓰시는 스크립트 4개정도 추려봤습니다. 혹시나 좋은 스크립트를 아신다면 댓글로 공유해주시면 정말 감사하겠습니다 :)

dns-brute.nse

첫번째는 dns-brute.nse 입니다. 대체로 서브도메인 스캐닝 툴들이 워낙 잘 나와있어서 활용도가 엄청 높진 않으나, nmap 자체의 기능이랑 같이 사용할 수 있기 때문에 한번에 여러가지 작업을 하는데 있어서는 유용합니다.

스크립트 이름대로 bruteforce를 통해 대상 도메인의 하위 서브 도메인을 찾아줍니다.

nmap -p 80 --script dns-brute.nse hahwul.com
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for hahwul.com (183.111.174.31)
Host is up (0.0088s latency).

PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     test.hahwul.com - 127.0.0.1
|     www.hahwul.com - 172.217.161.179
|     www.hahwul.com - 2404:6800:4005:80f:0:0:0:2013
|_    *A: 183.111.174.31

http-enum & http-title

다음은 http-enum, http-title인데요, http* 계열의 스크립트들이 http 식별에 있어서는 굉장히 좋습니다만, 솔직히 시간이 좀 오래걸립니다. 그중에선 짧은데 결과가 잘 나온다고 생각되는 것들이 2개정도여서 이 2개로 선정해봤습니다.

nmap --script http-enum 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00076s latency).
Not shown: 975 closed ports
PORT      STATE    SERVICE
32/tcp    filtered unknown
80/tcp    open     http
| http-enum:
|   /test/: Test page
|   /test.html: Test page
|   /robots.txt: Robots file
|_  /index/: Potentially interesting folder
801/tcp   filtered device
1037/tcp  filtered ams
1110/tcp  filtered nfsd-status
1122/tcp  filtered availant-mgr
1148/tcp  filtered elfiq-repl
1163/tcp  filtered sddp
1503/tcp  filtered imtc-mcs
1658/tcp  filtered sixnetudr
2170/tcp  filtered eyetv
3000/tcp  open     ppp
4005/tcp  filtered pxc-pin

Vulscan & vulners

3번째는 취약점 검색 스크립트입니다. 잘 알려진 취약점 DB 사이트들에 쿼리를 날려서 관련 버전이나 서비스에 해당하는 취약점 정보를 받아와 표현해줍니다. vulscan쪽이 확실히 지원하는 사이트 대역이 크긴합니다.

실질적인 유효타를 찾는다는 느낌보단 보안적인 하드닝 미흡 구간을 찾는데 있어서 나름 쓸만하다고 생각되네요. 하나의 홀이라도 찾을 수 있으면 다행이니..

지원하는 사이트는 이렇습니다. 다만 맨 아래 vulners를 제외하곤 모두 vulscan에서 사용하는 사이트입니다.

scipvuldb.csv - https://vuldb.com
cve.csv - https://cve.mitre.org
securityfocus.csv - https://www.securityfocus.com/bid/
xforce.csv - https://exchange.xforce.ibmcloud.com/
expliotdb.csv - https://www.exploit-db.com
openvas.csv - http://www.openvas.org
securitytracker.csv - https://www.securitytracker.com (end-of-life)
osvdb.csv - http://www.osvdb.org (end-of-life)
vulnes.com - https://vulners.com

nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0036s latency).
Not shown: 501 filtered ports, 495 closed ports
PORT     STATE SERVICE              VERSION
80/tcp   open  http
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Last-Modified: Tue, 09 Apr 2019 08:09:37 GMT
|     Content-Type: text/html
|     Content-Length: 2193
…

5432/tcp open  postgresql           PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
|   SMBProgNeg:
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
|     Fpostmaster.c
|     L2015
|_    RProcessStartupPacket
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_

Vulners

22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051           9.3             https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924           7.8             https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752           7.5             https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478           7.5             https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692           7.5             https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904           6.9             https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109           5.0             https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243           5.0             https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906          5.0             https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052           5.0             https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107           5.0             https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755           4.0             https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814           3.5             https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000           3.5             https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327           2.1             https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259           1.2             https://vulners.com/cve/CVE-2008-3259

How to Install - vulscan

git clone https://github.com/scipag/vulscan

# for MacOS (Apple Silicon)
ln -s `pwd`/vulscan /opt/homebrew/share/nmap/scriptsvulscan

# for MacOS (Intel)
ln -s `pwd`/vulscan /usr/local/share/nmap/scripts/vulscan

# for Linux
ln -s `pwd`/vulscan /usr/share/nmap/scripts/vulscan

How to Install - Vulners

wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse

# for MacOS (Apple Silicon)
cp vulners.nse /opt/homebrew/share/nmap/scripts/

# for MacOS (Intel)
cp vulners.nse /usr/local/share/nmap/scripts/

# for Linux
cp vulners.nse /usr/share/nmap/scripts/

마지막으로 banner-plus.nse입니다. 오픈된 포트에서 어떤 서비스를 사용하는 지 배너그래빙하여 사용자에게 제공해줍니다.

nmap 자체에도 기본적인 배너그래빙 모듈, NSE 스크립트가 들어있지만 테스트 여러번 해봤을 떈 banner-plus가 가장 좋은 결과를 나타냈었습니다.

nmap 127.0.0.1 --script=banner-plus
Starting Nmap 7.70 ( https://nmap.org ) 
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 964 closed ports, 29 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
|_banner-plus: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2......
80/tcp   open  http
|_banner-plus: HTTP/1.0 200 OK\r\nLast-Modified: Tue, 09 Apr 2019 08:09:37 GMT\r\nContent-Type: text/html\r\nContent-Length: 2193\r\n\r\n<title>Plutotottoo</title>\n<script>function run()... 생략 ...
3000/tcp open  ppp
|_banner-plus: HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Download-Options: noopen\r\nX-Permitted-Cross-Domain-Policies: no... 생략 ...
3001/tcp open  nessus
3003/tcp open  cgms
4444/tcp open  krb524
5432/tcp open  postgresql
8081/tcp open  blackice-icecap
|_banner-plus: HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 1907\r\n\r\nZAP Error [java.net.UnknownHostException]: www\n\nStack Trace:\njava.net.UnknownHostException: www\n\tat java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)\n\tat java.net.SocksSocketImpl.... 생략 ...

How to install?

wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse

# for MacOS (Apple Silicon)
cp banner-plus.nse /opt/homebrew/share/nmap/scripts/

# for MacOS (Intel)
cp banner-plus.nse /usr/local/share/nmap/scripts/

# for Linux
cp banner-plus.nse /usr/share/nmap/scripts/