Metasploit Penetration Testing Cookbook, Third Edition: Chapter 2, Information Gathering and Scanning (continued) (translation)

Posted by 合天網安實驗室 (Hetian Network Security Lab) on 2019-04-16

Chapter 2: Information Gathering and Scanning (continued)

In this part we will cover the following:

Working with Nessus

Working with NeXpose

Working with OpenVAS

Continued from the previous post: Chapter 2, Information Gathering and Scanning

14. Working with Nessus

So far we have covered the basics of port scanning and learned how to use Nmap, and a few other tools have taken our scanning and information-gathering techniques further. In the following sections we look at several more tools that scan a target's available services and ports; these tools can also help us determine the kinds of vulnerabilities a given service or port may have. Let's begin our vulnerability-scanning journey.

Nessus is one of the most widely used vulnerability scanners: it discovers vulnerabilities by scanning a target and produces detailed reports, which makes it a very useful tool in a penetration test. You can use its GUI or drive it from the Metasploit console; this book focuses on using it from msfconsole.

Getting ready

To use Nessus you first have to register on the Nessus website and obtain a license. You can use Nessus Home, whose license is free and allows you to scan a personal home network (fewer than 16 IP addresses). Then download the installer package and install it. On Kali, download the .deb package and install it with dpkg -i.

Nessus Home key request page: https://www.tenable.com/products/nessus-home

Fill in the registration details; once registration completes, you are redirected to the download page.

Download the 32-bit or 64-bit build according to your system.

The activation key is sent to your mailbox; keep it safe.

Once the download finishes, install the package:

root@osboxes:~# cd ~/Downloads/
root@osboxes:~/Downloads# ls
bettercap  bettercap_linux_amd64_2.2.zip  libpcap-1.8.1  libpcap-1.8.1.tar.gz  Nessus-8.3.1-debian6_amd64.deb
root@osboxes:~/Downloads# dpkg -i Nessus-8.3.1-debian6_amd64.deb // install
Selecting previously unselected package nessus.
(Reading database ... 435326 files and directories currently installed.)
Preparing to unpack Nessus-8.3.1-debian6_amd64.deb ...
Unpacking nessus (8.3.1) ...
Setting up nessus (8.3.1) ...
Unpacking Nessus Scanner Core Components...

 - You can start Nessus Scanner by typing /etc/init.d/nessusd start
 - Then go to https://osboxes:8834/ to configure your scanner

Processing triggers for systemd (241-1) ...
root@osboxes:~/Downloads#

After installation, start the Nessus service:

root@osboxes:~/Downloads# systemctl start nessusd.service

As prompted, open https://osboxes:8834/ or https://127.0.0.1:8834 in a browser to configure the scanner.

1. Set a username and password:

2. Choose Home, Professional or Manager and enter the activation key to activate the product.

3. After activation, Nessus installs a series of components; wait for this to finish (it takes a while, so be patient).

Once that completes, we can move on to the next step.

How to do it

1. Load the nessus plugin in msfconsole.

msf5 > load nessus // load the nessus plugin
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf5 >

2. Run nessus_help to see the available commands and their help text.

msf5 > nessus_help

Command                     Help Text
-------                     ---------
Generic Commands
-----------------           -----------------
nessus_connect              Connect to a Nessus server
nessus_logout               Logout from the Nessus server
nessus_login                Login into the connected Nesssus server with a different username and password
nessus_save                 Save credentials of the logged in user to nessus.yml
nessus_help                 Listing of available nessus commands
nessus_server_properties    Nessus server properties such as feed type, version, plugin set and server UUID.
nessus_server_status        Check the status of your Nessus Server
nessus_admin                Checks if user is an admin
nessus_template_list        List scan or policy templates
nessus_folder_list          List all configured folders on the Nessus server
nessus_scanner_list         List all the scanners configured on the Nessus server
Nessus Database Commands

3. Connect to the Nessus server with nessus_connect NessusUser:NessusPassword@127.0.0.1.

msf5 > nessus_connect nessusroot:Passw0rd@127.0.0.1 // connect to the Nessus server
[*] Connecting to https://127.0.0.1:8834/ as nessusroot
[*] User nessusroot authenticated successfully.
msf5 >

4. nessus_policy_list lists all scan policies on the Nessus server. If there are none, you first need to create a policy in the web UI.

msf5 > nessus_policy_list
[-] No policies found
msf5 >
It reports that there are no policies, so let's create one.

We create a new Basic Network Scan policy.

Configure the relevant parameters and click Save.

Back in msfconsole, run nessus_policy_list again and the policy now shows up:

msf5 > nessus_policy_list
Policy ID  Name       Policy UUID
---------  ----       -----------
4          PenTest01  731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65

msf5 >
5. To create a Nessus scan, check the command help with nessus_scan_new --help:

msf5 > nessus_scan_new --help                                                             
[*] Usage:                                                                                
[*] nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>                  
[*] Use nessus_policy_list to list all available policies with their corresponding UUIDs  
msf5 >                                                                                    
6. Create the scan

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 Metasploitable3 Windows_Machine 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called Metasploitable3 - Windows_Machine and scanning 192.168.177.144
[*] New scan added
[-] Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass

Call stack:
/usr/share/metasploit-framework/plugins/nessus.rb:979:in `cmd_nessus_scan_new'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'
msf5 >
This run fails with: Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass. The cause is that, starting with Nessus 7, remote API calls are subject to authentication restrictions, so the call made by Metasploit fails. A fix is currently pending.

Workaround: Nessus Plugin unable to create new scan · Issue #11117 · rapid7/metasploit-framework · GitHub github.com/rapid7/meta…

Scan created successfully:

msf5 > nessus_scan_new 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65 test test 192.168.177.144
[*] Creating scan from policy number 731a8e52-3ea6-a291-ec0a-d2ff0619c19d7bd788d6be818b65, called test - test and scanning 192.168.177.144
[*] New scan added
[*] Use nessus_scan_launch 6 to launch the scan
Scan ID  Scanner ID  Policy ID  Targets          Owner
-------  ----------  ---------  -------          -----
6        1           5          192.168.177.144  nessusroot

msf5 >
7. nessus_scan_list shows the list of scans and their status.

msf5 > nessus_scan_list                             
Scan ID  Name  Owner       Started  Status  Folder  
-------  ----  -----       -------  ------  ------  
6        test  nessusroot           empty   3       
                                                    
msf5 >                                              
8. Launch the scan with nessus_scan_launch <Scan ID>.

msf5 > nessus_scan_launch 6
[+] Scan ID 6 successfully launched. The Scan UUID is 67d8e87c-17a6-7693-0b41-666f40291e1464ae15bc02832ca3
msf5 >
Check the status again:

msf5 > nessus_scan_list
Scan ID  Name  Owner       Started  Status   Folder
-------  ----  -----       -------  ------   ------
6        test  nessusroot           running  3

msf5 >
9. View the scan details with nessus_scan_details <Scan ID> <info/hosts/vulnerabilities/history>.

msf5 > nessus_scan_details 6 info  // view scan status
Status   Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time
------   ------              ---------  ------------     ---------------  -------------
running  Basic Network Scan  test       192.168.177.144  1555301230

msf5 > nessus_scan_details 6 hosts // view hosts
Host ID  Hostname         % of Critical Findings  % of High Findings  % of Medium Findings  % of Low Findings
-------  --------         ----------------------  ------------------  --------------------  -----------------
2        192.168.177.144  1                       0                   0                     0

msf5 > nessus_scan_details 6 vulnerabilities // view vulnerability information
Plugin ID  Plugin Name                                                                   Plugin Family  Count
---------  -----------                                                                   -------------  -----
10114      ICMP Timestamp Request Remote Date Disclosure                                 General        1
10150      Windows NetBIOS / SMB Remote Host Information Disclosure                      Windows        1
10287      Traceroute Information                                                        General        1
10394      Microsoft Windows SMB Log In Possible                                         Windows        1
10736      DCE Services Enumeration                                                      Windows        8
10785      Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
.....
msf5 > nessus_scan_details 6 history // view scan history
History ID  Status   Creation Date  Last Modification Date
----------  ------   -------------  ----------------------
7           running  1555301230

msf5 >
The scan we created is also visible in the web UI.

10. When the scan completes, import the results into Metasploit with nessus_db_import <Scan ID>.

msf5 > nessus_scan_details 6 info                                                            
Status     Policy              Scan Name  Scan Targets     Scan Start Time  Scan End Time    
------     ------              ---------  ------------     ---------------  -------------    
completed  Basic Network Scan  test       192.168.177.144  1555301230       1555302154       
                                                                                             
msf5 > nessus_db_import 6                                                                    
[*] Exporting scan ID 6 is Nessus format...                                                  
[+] The export file ID for scan ID 6 is 2110513949                                           
[*] Checking export status...                                                                
[*] Export status: loading                                                                   
[*] Export status: ready                                                                     
[*] The status of scan ID 6 export is ready                                                  
[*] Importing scan results to the database...                                                
[*] Importing data of 192.168.177.144                                                        
[+] Done                                                                                     
msf5 >                                                                                       
Once imported, we can use the hosts and services commands to view information about the hosts and the target's services.

msf5 > hosts   
Hosts                                                                                                              
=====                                                                                                              
address          mac                name             os_name       os_flavor  os_sp  purpose  info  comments       
-------          ---                ----             -------       ---------  -----  -------  ----  --------       
192.168.177.1                                        Unknown                         device                        
192.168.177.144  00:0c:29:41:d2:48  METASPLOITABLE3  Windows 2008  Standard   SP1    server                        
192.168.177.145                                      Unknown                         device                   
msf5 > services     
Services       
========                                                                                                                                                                                                              
host             port   proto  name              state  info      
----             ----   -----  ----              -----  ----      
192.168.177.1    21     tcp    ftp               open   220 Serv-U FTP Server v15.0 ready...\x0d\x0a               
192.168.177.144  21     tcp    ftp               open   220 Microsoft FTP Service\x0d\x0a   
192.168.177.144  22     tcp    ssh               open   SSH-2.0-OpenSSH_7.1     
192.168.177.144  80     tcp    www               open   Microsoft IIS httpd 7.5    
192.168.177.144  135    tcp    epmap             open                   
192.168.177.144  137    udp    netbios-ns        open 
.....
To view the vulnerabilities found by the scan, use the vulns command.

msf5 > vulns
Vulnerabilities
===============
Timestamp                Host             Name                                                                   References
---------                ----             ----                                                                   ----------
2019-04-12 07:52:51 UTC  192.168.177.144  MS17-010 SMB RCE Detection                                             CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,MSB-MS17-010,URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html,URL-https://github.com/countercept/doublepulsar-detection-script,URL-https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
2019-04-12 09:08:20 UTC  192.168.177.144  HTTP Writable Path PUT/DELETE File Access                              OSVDB-397
2019-04-15 04:25:24 UTC  192.168.177.144  Elasticsearch Transport Protocol Unspecified Remote Code Execution     CVE-2015-5377,NSS-105752,NSS-119499
2019-04-15 04:25:25 UTC  192.168.177.144  MySQL Server Detection                                                 NSS-10719
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Detection                                                NSS-109941
2019-04-15 04:25:25 UTC  192.168.177.144  ManageEngine Desktop Central 9 < Build 92027 Multiple Vulnerabilities  CVE-2018-8722,NSS-108752
2019-04-15 04:25:25 UTC  192.168.177.144  Elasticsearch Unrestricted Access Information Disclosure               NSS-101025
....

15. Working with NeXpose

In this section we introduce another excellent vulnerability scanner: NeXpose. NeXpose is one of the leading vulnerability assessment tools. It is Rapid7's own tool; it runs vulnerability scans and imports the results into the Metasploit database. NeXpose is used much like Nessus, so let's take a quick look at how to use it; deeper exploration is left to the reader.

Getting ready

The NeXpose Community edition can be requested as a free one-year trial: www.rapid7.com/info/nexpos…

The e-mail address must be on an independent personal, school, company or organization domain; third-party mailbox providers are all rejected (gmail, Sina, NetEase, 126, Tencent and the like are treated as invalid).

Register, then download the installer and install it.

After registration, download the installer.

Installation: just press Enter at each of the installer's prompts, then enter the user details and set a password, etc.

root@osboxes:~# chmod +x Rapid7Setup-Linux64.bin
root@osboxes:~# ./Rapid7Setup-Linux64.bin
....
Do you want to continue?                                                                                                                      
Yes [y, Enter], No [n]                                                                                    
Gathering system information....                                                                    
Security Console with local Scan Engine                                                                                                       
If you do not have a console installed yet, this option is recommended. The console manages scan engines and all administrative operations. 
Scan Engine only                          
This distributed engine can start scanning after being paired with a Security Console.   
Select only the set of components you want to install:                                                                                        
Security Console with local Scan Engine [1, Enter]    
Scan Engine only [2]                     
1                                                                                                                                            
Where should Rapid7 Vulnerability Management be installed?                                                                                    
[/opt/rapid7/nexpose]
....
Select any additional installation tasks.    
Initialize and start after installation?     
Yes [y], No [n, Enter]                       
y 
...
If you chose to start the Security Console as part of the installation, then it will be started upon installer completion.
Using the credentials you created during installation, log onto Nexpose at https://localhost:3780.

To start the service run: sudo systemctl start nexposeconsole.service

To start the service run: sudo systemctl start nexposeconsole.service
The Security Console is configured to automatically run at startup. See the
installation guide if you wish to modify start modes.

[Enter]

Finishing installation...
The username we set is nexpose and the password is Faq3wANIK0 (choose your own).

Start the console by running /opt/rapid7/nexpose/nsc/nsc.sh or systemctl start nexposeconsole; startup takes a while, so be patient.

Then open https://localhost:3780 to configure it: wait for startup to finish, log in with the username and password, and enter the key we requested to activate the product.

Load the nexpose plugin in msfconsole and connect to the NeXpose service:

msf5 > load nexpose                                                        
                                                                           
 ▄▄▄   ▄▄            ▄▄▄  ▄▄▄                                              
 ███   ██             ██ ▄██                                               
 ██▀█  ██   ▄████▄     ████    ██▄███▄    ▄████▄   ▄▄█████▄   ▄████▄       
 ██ ██ ██  ██▄▄▄▄██     ██     ██▀  ▀██  ██▀  ▀██  ██▄▄▄▄ ▀  ██▄▄▄▄██      
 ██  █▄██  ██▀▀▀▀▀▀    ████    ██    ██  ██    ██   ▀▀▀▀██▄  ██▀▀▀▀▀▀      
 ██   ███  ▀██▄▄▄▄█   ██  ██   ███▄▄██▀  ▀██▄▄██▀  █▄▄▄▄▄██  ▀██▄▄▄▄█      
 ▀▀   ▀▀▀    ▀▀▀▀▀   ▀▀▀  ▀▀▀  ██ ▀▀▀      ▀▀▀▀     ▀▀▀▀▀▀     ▀▀▀▀▀       
                               ██                                          
                                                                           
[*] Nexpose integration has been activated                                 
[*] Successfully loaded plugin: nexpose                                    
msf5 > nexpose_connect nexpose:Faq3wANIK0@127.0.0.1:3780
[*] Connecting to Nexpose instance at 127.0.0.1:3780 with username nexpose...
msf5 >
How to do it

Once connected to the NeXpose service, we can scan targets and generate reports. NeXpose supports two scan commands: nexpose_scan, which scans the target and imports the results into the Metasploit database, and nexpose_discover, which only discovers hosts and services and does not import results.

1. Run a quick scan of the target (a minimal service-discovery scan)

msf5 > nexpose_discover 192.168.177.144
[*] Scanning 1 addresses with template aggressive-discovery in sets of 32
[*] Completed the scan of 1 addresses
msf5 >
2. View the nexpose_scan help

msf5 > nexpose_scan -h
Usage: nexpose_scan [options] <Target IP Ranges>

OPTIONS:

    -E <opt>  Exclude hosts in the specified range from the scan
    -I <opt>  Only scan systems with an address within the specified range
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
    -c <opt>  Specify credentials to use against these targets (format is type:user:pass
    -d        Scan hosts based on the contents of the existing database
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the Nexpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process

msf5 >
3. To scan the target, use nexpose_scan -t <template> <target IP>

msf5 > nexpose_scan -t full-audit 192.168.177.144
[*] Scanning 1 addresses with template full-audit in sets of 32
[*] Completed the scan of 1 addresses
msf5 >
4. After the scan completes, import the results into the database with nexpose_site_import <site_id>

msf5 > nexpose_site_import 7
[*] Generating the export data file...
[*] Downloading the export data...
[*] Importing Nexpose data...
16. Working with OpenVAS

OpenVAS (Open Vulnerability Assessment System) is a fork of the Nessus project. It is a free, open-source vulnerability scanning and vulnerability management tool, and currently the most widely used open-source solution for vulnerability scanning and management.

How to do it

1. Install OpenVAS on Kali

root@osboxes:~# apt install openvas -y
2. Set up OpenVAS: this downloads the feeds and creates the admin user and the services.

root@osboxes:~# openvas-setup // this step downloads a lot of data, so be patient

[>] Updating OpenVAS feeds
[*] [1/3] Updating: NVT
--2019-04-15 13:54:37--  http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
Connecting to 192.168.1.91:1080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 22288483 (21M) [application/octet-stream]
....    
(after a long wait...)
[*] Opening Web UI (https://127.0.0.1:9392) in: 5... 4... 3... 2... 1...

[>] Checking for admin user
[*] Creating admin user
User created with password 'dc63c468-3780-4e3c-b30c-1597f4b91623'.

[+] Done
3. After setup, start OpenVAS; it was actually already started in the previous step, but it can also be started with the command below.

root@osboxes:~# openvas-start

Open https://127.0.0.1:9392 to log in to the web UI.

4. Load the openvas plugin in msfconsole

msf5 > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
msf5 >
5. View the help

msf5 > help openvas

OpenVAS Commands
================

    Command                       Description
    -------                       -----------
    openvas_config_list           Quickly display list of configs
    openvas_connect               Connect to an OpenVAS manager using OMP
    openvas_debug                 Enable/Disable debugging
    openvas_disconnect            Disconnect from OpenVAS manager
    openvas_format_list           Display list of available report formats
    openvas_help                  Displays help
    openvas_report_delete         Delete a report specified by ID
    openvas_report_download       Save a report to disk
    openvas_report_import         Import report specified by ID into framework
    openvas_report_list           Display a list of available report formats
    openvas_target_create         Create target (name, hosts, comment)
    openvas_target_delete         Delete target by ID
    openvas_target_list           Display list of targets
    openvas_task_create           Create a task (name, comment, target, config)
    openvas_task_delete           Delete task by ID
    openvas_task_list             Display list of tasks
    openvas_task_pause            Pause task by ID
    openvas_task_resume           Resume task by ID
    openvas_task_resume_or_start  Resume task or start task by ID
    openvas_task_start            Start task by ID
    openvas_task_stop             Stop task by ID
    openvas_version               Display the version of the OpenVAS server


msf5 >
6. Connect to the OpenVAS service with openvas_connect <username> <password> <host> <port>

msf5 > openvas_connect admin dc63c468-3780-4e3c-b30c-1597f4b91623 127.0.0.1 9390
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
msf5 >
7. Add a scan target with openvas_target_create <Name> <Hosts> <Comment>; the arguments include the target IP and a description.

msf5 > openvas_target_create "Metasploitable3" 192.168.177.144 "Windows Target"
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name             Hosts            Max Hosts  In Use  Comment
--                                    ----             -----            ---------  ------  -------
6455a780-092a-40dd-8c01-191a7612505a  Metasploitable3  192.168.177.144  1          0       Windows Target


msf5 >
8. List the scan configs: openvas_config_list

msf5 > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs

ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast


msf5 >
9. Create a task with the following command:

 openvas_task_create <name> <Comment> <config_id> <target_id>
msf5 > openvas_task_create  "Metasploitable3" "Windows" 698f691e-7489-11df-9d8c-002264764cea 6455a780-092a-40dd-8c01-191a7612505a
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment  Status  Progress
--                                    ----             -------  ------  --------
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  New     -1


msf5 >
10. Start the task with openvas_task_start <task_id>

msf5 > openvas_task_start fb18cf93-a94b-4c9b-aadf-9408bd9a9186
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>7993d76a-43b3-48c6-ac94-ca630e20db68</report_id></start_task_response></X>msf5 >
11. Check progress with openvas_task_list

msf5 > openvas_task_list                                                                                                                                 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks                                                                                                                                
ID                                    Name             Comment  Status     Progress                                                                      
--                                    ----             -------  ------     --------                                                                      
fb18cf93-a94b-4c9b-aadf-9408bd9a9186  Metasploitable3  Windows  Requested  1      
msf5 >                                               
12. openvas_format_list shows the report formats OpenVAS supports.

msf5 > openvas_format_list                                                                                                                                          
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats                                                                                                                                  
ID                                    Name           Extension  Summary                                                                                             
--                                    ----           ---------  -------                                                                                             
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report                                                             
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.                                                              
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.                                                               
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.    
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.                                                            
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.     
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.   
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.     
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.   
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.   
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.   
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.  
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.                                                              
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.  
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.  
msf5 >   
13. The status of the task we created can also be seen in the web UI.

14. After the task completes, list the reports with openvas_report_list.

msf5 > openvas_report_list
[+] OpenVAS list of reports

ID                                    Task Name        Start Time            Stop Time
--                                    ---------        ----------            ---------
4ee7b572-a470-484c-962e-773d3a7eb7b1  Metasploitable3  2019-04-16T02:40:24Z  2019-04-16T03:07:15Z
7993d76a-43b3-48c6-ac94-ca630e20db68  Metasploitable3  2019-04-16T01:15:44Z

15. Import the report into Metasploit with openvas_report_import; only the NBE (legacy OpenVAS report) and XML formats can be imported.

msf5 > openvas_report_import 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[*] Importing report to database.
However, with the Metasploit 5.0 used here, importing directly this way raises an error and nothing is imported; exporting the report to a file first and then importing it with db_import works.

msf5 > openvas_report_download
[*] Usage: openvas_report_download <report_id> <format_id> <path> <report_name>
msf5 > openvas_report_download 4ee7b572-a470-484c-962e-773d3a7eb7b1 9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 /tmp/ Metasploitable3
[*] Saving report to /tmp/Metasploitable3
msf5 > db_import /tmp/Metasploitable3
[*] Importing 'OpenVAS XML' data
[*] Successfully imported /tmp/Metasploitable3
msf5 >
16. View the vulnerabilities found by the OpenVAS scan

msf5 > vulns

Vulnerabilities
===============

Timestamp                Host             Name                                                                    References
---------                ----             ----                                                                    ----------
2019-04-16 08:15:22 UTC  192.168.177.144  ICMP Timestamp Detection                                                CVE-1999-0524
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows IIS                                                   CVE-2010-3972,BID-45542
2019-04-16 08:15:23 UTC  192.168.177.144  Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)  CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148,BID-96703,BID-96704,BID-96705,BID-96706,BID-96707,BID-96709
2019-04-16 08:15:23 UTC  192.168.177.144  MS15-034 HTTP.sys Remote Code                                           CVE-2015-1635
2019-04-16 08:15:23 UTC  192.168.177.144  Oracle Glass Fish Server                                                CVE-2017-1000028
2019-04-16 08:15:23 UTC  192.168.177.144  SSL/TLS: Report 'Anonymous' Cipher Suites
.....
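The Nessus import (nessus_db_import, then vulns) and the OpenVAS import above land in the same vulns table from two different report formats. As an added example that is not from the book or the blog post, the Python script below parses a Nessus v2 (.nessus) export and an OpenVAS XML report into one finding record and correlates them by CVE, so a finding confirmed by both scanners can be prioritized over a single-scanner result. The two XML documents are constructed samples that imitate each format's layout, using names and CVEs from this page's vulns output; the element names follow the real formats, while the NVT OIDs and result IDs are placeholders.

```python
# Added example, not from the book or the blog post: normalize a Nessus v2 (.nessus) export
# and an OpenVAS XML report into one finding record and correlate the two by CVE.
# Both XML documents below are constructed samples that imitate each format's layout;
# element names follow the real formats, while the NVT OIDs and result IDs are placeholders.
import xml.etree.ElementTree as ET
from collections import defaultdict

NESSUS_SAMPLE = """<NessusClientData_v2><Report name="test">
<ReportHost name="192.168.177.144"><HostProperties><tag name="host-ip">192.168.177.144</tag></HostProperties>
<ReportItem port="445" protocol="tcp" severity="4" pluginID="97833" pluginName="MS17-010 SMB RCE Detection">
 <cve>CVE-2017-0143</cve><cve>CVE-2017-0144</cve><cve>CVE-2017-0145</cve><cve>CVE-2017-0146</cve>
 <cve>CVE-2017-0147</cve><cve>CVE-2017-0148</cve><risk_factor>Critical</risk_factor></ReportItem>
<ReportItem port="9300" protocol="tcp" severity="3" pluginID="105752"
 pluginName="Elasticsearch Transport Protocol Unspecified Remote Code Execution">
 <cve>CVE-2015-5377</cve><risk_factor>High</risk_factor></ReportItem>
<ReportItem port="0" protocol="icmp" severity="0" pluginID="10114"
 pluginName="ICMP Timestamp Request Remote Date Disclosure">
 <cve>CVE-1999-0524</cve><risk_factor>None</risk_factor></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

# OMP-style report as saved by openvas_report_download; the outer <report> wraps the real one.
OPENVAS_SAMPLE = """<report id="4ee7b572-a470-484c-962e-773d3a7eb7b1"><report id="4ee7b572-a470-484c-962e-773d3a7eb7b1">
<task id="fb18cf93-a94b-4c9b-aadf-9408bd9a9186"><name>Metasploitable3</name></task><results start="1" max="-1">
<result id="r1"><host>192.168.177.144</host><port>445/tcp</port>
 <nvt oid="1.3.6.1.4.1.25623.1.0.1"><name>Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)</name>
 <cve>CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148</cve>
 <bid>96703, 96704, 96705, 96706, 96707, 96709</bid></nvt><threat>High</threat><severity>9.3</severity></result>
<result id="r2"><host>192.168.177.144</host><port>80/tcp</port>
 <nvt oid="1.3.6.1.4.1.25623.1.0.2"><name>MS15-034 HTTP.sys Remote Code</name>
 <cve>CVE-2015-1635</cve><bid>NOBID</bid></nvt><threat>High</threat><severity>10.0</severity></result>
<result id="r3"><host>192.168.177.144</host><port>general/icmp</port>
 <nvt oid="1.3.6.1.4.1.25623.1.0.3"><name>ICMP Timestamp Detection</name>
 <cve>CVE-1999-0524</cve><bid>NOBID</bid></nvt><threat>Low</threat><severity>2.1</severity></result>
<result id="r4"><host>192.168.177.144</host><port>general/tcp</port>
 <nvt oid="1.3.6.1.4.1.25623.1.0.4"><name>OS Detection Consolidation and Reporting</name>
 <cve>NOCVE</cve><bid>NOBID</bid></nvt><threat>Log</threat><severity>0.0</severity></result>
</results></report></report>"""


def parse_nessus(xml_text):
    """Nessus v2: one <ReportItem> per finding, CVEs as repeated <cve> children."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "scanner": "nessus",
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "name": item.get("pluginName"),
                "plugin": item.get("pluginID"),
                "cves": sorted(c.text for c in item.findall("cve")),
                "severity": item.findtext("risk_factor", "None"),
            })
    return findings


def parse_openvas(xml_text):
    """OpenVAS/OMP XML: one <result> per finding, CVEs comma-separated in <nvt><cve>,
    with the literal NOCVE meaning none. Results with threat Log are informational
    (no vulnerability), so they are dropped here."""
    findings = []
    for res in ET.fromstring(xml_text).iter("result"):
        threat = res.findtext("threat", "")
        if threat == "Log":
            continue
        nvt = res.find("nvt")
        raw = (nvt.findtext("cve") or "NOCVE").strip()
        cves = [] if raw == "NOCVE" else sorted(c.strip() for c in raw.split(","))
        findings.append({
            "scanner": "openvas",
            "host": res.findtext("host"),
            "port": res.findtext("port"),
            "name": nvt.findtext("name"),
            "plugin": nvt.get("oid"),
            "cves": cves,
            "severity": threat,
        })
    return findings


def correlate(findings):
    """Group findings by (host, CVE) and split them into CVEs both scanners reported
    and CVEs only one scanner reported."""
    seen = defaultdict(set)
    for f in findings:
        for cve in f["cves"]:
            seen[(f["host"], cve)].add(f["scanner"])
    both = sorted(k for k, s in seen.items() if s == {"nessus", "openvas"})
    only = {sc: sorted(k for k, s in seen.items() if s == {sc}) for sc in ("nessus", "openvas")}
    return both, only


if __name__ == "__main__":
    both, only = correlate(parse_nessus(NESSUS_SAMPLE) + parse_openvas(OPENVAS_SAMPLE))
    print("CVEs confirmed by both scanners:")
    for host, cve in both:
        print(f"  {host}  {cve}")
    for scanner, keys in only.items():
        print(f"CVEs reported only by {scanner}:")
        for host, cve in keys:
            print(f"  {host}  {cve}")
```

On the samples, the MS17-010 CVEs and CVE-1999-0524 come out as confirmed by both scanners, while the Elasticsearch and MS15-034 CVEs are single-scanner results that warrant a second check.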

Chapter 3: Server-Side Exploitation (preview)

In this chapter we will learn the following:

1. Attacking Linux servers

2. SQL injection

3. Types of shells

4. Attacking Windows servers

5. Exploiting common services

6. MS17-010 EternalBlue SMB remote code execution (Windows kernel corruption)

7. MS17-010 EternalRomance/EternalSynergy/EternalChampion

8. Installing backdoors

9. Denial-of-service attacks

Notes

Original book: Metasploit Penetration Testing Cookbook - Third Edition

www.packtpub.com/networking-…

This article was translated and compiled by 合天網安實驗室 (Hetian Network Security Lab); please credit the source when reposting.

About 合天網安實驗室

合天網安實驗室 (www.hetianlab.com): a leading hands-on online cybersecurity education platform in China

Learn cybersecurity hands-on in real environments; lab content covers system security, software security, network security, web security, mobile security, CTF, forensics, penetration testing, security awareness education and more.