HACKER ANGELWHITE GALC

Wednesday, June 3, 2020

El Rincon De Hacking Team: Four nmap NSE scripts for penetration testing

Today I bring you this tutorial from a great enthusiast, expert, and creator of several scripts and plugins for Metasploit and nmap.


By HAHWUL:

Today I'm writing a simple blog post on my four nmap NSE scripts for penetration testing.
It may be something everyone already knows, but I hope you enjoy it.

Let's get started!

dns-brute.nse

First, the subdomain-search script dns-brute.nse.
This NSE script finds subdomains by brute force.

$ nmap -p 80 --script dns-brute.nse hahwul.com
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for hahwul.com (183.111.174.31)
Host is up (0.0088s latency).


PORT   STATE SERVICE
80/tcp open  http


Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     test.hahwul.com - 127.0.0.1
|     www.hahwul.com - 172.217.161.179
|     www.hahwul.com - 2404:6800:4005:80f:0:0:0:2013
|_    *A: 183.111.174.31

http-enum & http-title

Second, the scripts in the http-* series (http-enum, http-title) are very useful for identifying HTTP services and banners.

$ nmap --script http-enum 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00076s latency).
Not shown: 975 closed ports
PORT      STATE    SERVICE
32/tcp    filtered unknown
80/tcp    open     http
| http-enum:
|   /test/: Test page
|   /test.html: Test page
|   /robots.txt: Robots file
|_  /index/: Potentially interesting folder
801/tcp   filtered device
1037/tcp  filtered ams
1110/tcp  filtered nfsd-status
1122/tcp  filtered availant-mgr
1148/tcp  filtered elfiq-repl
1163/tcp  filtered sddp
1503/tcp  filtered imtc-mcs
1658/tcp  filtered sixnetudr
2170/tcp  filtered eyetv
3000/tcp  open     ppp
4005/tcp  filtered pxc-pin

Vulscan and Vulners

Third, these scripts (vulscan, vulners) can identify known vulnerabilities. They obtain their vulnerability information by querying vulnerability database sites.

The following pre-installed databases are available at the moment:

$ nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0036s latency).
Not shown: 501 filtered ports, 495 closed ports
PORT     STATE SERVICE              VERSION
80/tcp   open  http
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Last-Modified: Tue, 09 Apr 2019 08:09:37 GMT
|     Content-Type: text/html
|     Content-Length: 2193

5432/tcp open  postgresql           PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
|   SMBProgNeg:
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
|     Fpostmaster.c
|     L2015
|_    RProcessStartupPacket
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_

Vulners

22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051           9.3             https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924           7.8             https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752           7.5             https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478           7.5             https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692           7.5             https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904           6.9             https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109           5.0             https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243           5.0             https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906          5.0             https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052           5.0             https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107           5.0             https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755           4.0             https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814           3.5             https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000           3.5             https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327           2.1             https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259           1.2             https://vulners.com/cve/CVE-2008-3259
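
As an added example (not code from the original post or from the vulners project), here is a small Python parser for the NSE script blocks in nmap's normal output shown above. It turns the vulners CVE rows into structured data and keeps only those at or above a CVSS threshold, which is how a defender would triage a list like the one for OpenSSH 4.3. The text in SAMPLE is a constructed excerpt in the same format as the page's scan output.

```python
"""Parse NSE script blocks from nmap's normal (-oN) output and triage vulners rows."""
import re
from collections import defaultdict

# Constructed sample in the same layout nmap prints above (abbreviated).
SAMPLE = """\
22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051           9.3             https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924           7.8             https://vulners.com/cve/CVE-2006-4924
|       CVE-2017-15906          5.0             https://vulners.com/cve/CVE-2017-15906
|_      CVE-2008-3259           1.2             https://vulners.com/cve/CVE-2008-3259
80/tcp  open    http
| http-enum:
|   /robots.txt: Robots file
|_  /index/: Potentially interesting folder
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+\S+")
# A script header is "| name:" or "|_name: one-line result" (at most one space after the bar);
# deeper-indented lines such as "|   cpe:..." are content, not headers.
SCRIPT_RE = re.compile(r"^\|_?\s?([\w-]+):(.*)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+(\d+\.\d)\s+(\S+)")


def parse_script_blocks(text):
    """Return {port: {script_name: [content lines]}}; host scripts go under 'host'."""
    blocks = defaultdict(dict)
    port = script = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, script = f"{m.group(1)}/{m.group(2)}", None
            continue
        if line.startswith("Host script results"):
            port, script = "host", None
            continue
        if port is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            rest = m.group(2).strip()
            blocks[port][script] = [rest] if rest else []
        elif script:
            blocks[port][script].append(line.lstrip("|_ "))
    return dict(blocks)


def vulners_findings(blocks, min_cvss=7.0):
    """Flatten vulners rows into (port, cve, score, url), highest score first."""
    hits = []
    for port, scripts in blocks.items():
        for row in scripts.get("vulners", []):
            m = CVE_RE.search(row)
            if m and float(m.group(2)) >= min_cvss:
                hits.append((port, m.group(1), float(m.group(2)), m.group(3)))
    return sorted(hits, key=lambda h: -h[2])
```

Feed it the full `-oN` file from a scan and raise or lower `min_cvss` to decide what gets a ticket first.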

How to install - vulscan
$ git clone https://github.com/scipag/vulscan

# for MacOS
$ ln -s `pwd`/vulscan /usr/local/share/nmap/scripts/vulscan

# for Linux
$ ln -s `pwd`/vulscan /usr/share/nmap/scripts/vulscan

How to install - Vulners
$ wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse

# for MacOS
$ cp vulners.nse /usr/local/share/nmap/scripts/

# for Linux
$ cp vulners.nse /usr/share/nmap/scripts/

Finally, the banner-grabbing NSE script, banner-plus.
This script is more detailed and better than nmap's default banner-grab script. If you look at the code, it works by connecting directly to known ports and probing them.

$ nmap 127.0.0.1 --script=banner-plus
Starting Nmap 7.70 ( https://nmap.org ) 
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 964 closed ports, 29 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
|_banner-plus: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2......
80/tcp   open  http
|_banner-plus: HTTP/1.0 200 OK\r\nLast-Modified: Tue, 09 Apr 2019 08:09:37 GMT\r\nContent-Type: text/html\r\nContent-Length: 2193\r\n\r\n<title>Plutotottoo</title>\n<script>function run()... omitted ...
3000/tcp open  ppp
|_banner-plus: HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Download-Options: noopen\r\nX-Permitted-Cross-Domain-Policies: no... omitted ...
3001/tcp open  nessus
3003/tcp open  cgms
4444/tcp open  krb524
5432/tcp open  postgresql
8081/tcp open  blackice-icecap
|_banner-plus: HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 1907\r\n\r\nZAP Error [java.net.UnknownHostException]: www\n\nStack Trace:\njava.net.UnknownHostException: www\n\tat java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)\n\tat java.net.SocksSocketImpl.... omitted ...

How to install?
$ wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse

# for MacOS
$ cp banner-plus.nse /usr/local/share/nmap/scripts/

# for Linux
$ cp banner-plus.nse /usr/share/nmap/scripts/
