
Vulnerability Analysis Lab

Port Scanning, Packet Generator and Nessus


1. NMAP

Basic Options

-sT = Scans TCP ports only.
-sU = Scans UDP ports only.
-sS = Scans using TCP packets with the SYN flag set.
-sA = Scans using TCP packets with the ACK flag set. Very useful for getting
around the protection of firewall programs and discovering their filtering
rules.
-sP = Ping scan. Sweeps a large range of IPs using ICMP echo request
messages to determine which hosts are active ("alive") on the network(s).
-P0 = Do not ping before scanning. Used to scan machines that block ICMP
traffic.
-O = OS fingerprinting. Used to obtain information remotely about the
target's operating system.
-sV = Obtains information about the type of service running on a specific
port that is accepting connections. This option is very useful for finding
out whether it is an old version that could be exploited remotely with
exploits to break into the system or for other purposes.
-p = Specifies a range of ports, or a single service port, to be scanned.

See:
http://www.vivaolinux.com.br/artigos/impressora.php?codigo=13548

Without parameters

root@bt:~# nmap
Nmap 5.61TEST4 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:

Scan 172.16.50.40 (Windows2003-XAMP-ENG)


root@bt:~# nmap 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 17:48 BRT
Nmap scan report for 172.16.50.40
Host is up (1.0s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
514/tcp filtered shell
1025/tcp open NFS-or-IIS
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 94.39 seconds
root@bt:~#

Banners

root@bt:~# nmap -sV 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:21 BRT
Nmap scan report for 172.16.50.40
Host is up (0.00077s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.32 beta
80/tcp open http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k
mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12
OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0)
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 13.70 seconds

OS detection

root@bt:~# nmap -O 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:20 BRT
Nmap scan report for 172.16.50.40
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3306/tcp open mysql
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds
root@bt:~#

Network ping sweep

root@bt:~# nmap -sP 172.16.49.0/24
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:13 BRT
Nmap scan report for 172.16.49.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.49.2
Host is up (0.00027s latency).
MAC Address: 00:50:56:F3:86:20 (VMware)
Nmap scan report for 172.16.49.130
Host is up.
Nmap scan report for 172.16.49.254
Host is up (0.00025s latency).
MAC Address: 00:50:56:E2:64:64 (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.19 seconds
root@bt:~#

Bring up the SSH service on the firewall on port 60000

- edit the file /etc/ssh/sshd_config and restart the service

root@ubuntu:~# more /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 60000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2

root@ubuntu:~# /etc/init.d/ssh restart
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service ssh restart
Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the restart(8) utility, e.g. restart ssh
ssh start/running, process 10398
root@ubuntu:~# netstat -natp | grep ssh
tcp 0 0 0.0.0.0:60000 0.0.0.0:* LISTEN 10398/sshd
tcp6 0 0 :::60000 :::* LISTEN 10398/sshd
root@ubuntu:~#
Realizar scaneamento normalmente

root@bt:~# nmap 172.16.49.100


Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:32 BRT
Nmap scan report for 172.16.49.100
Host is up (0.00040s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
3128/tcp open squid-http
8888/tcp open sun-answerbook
MAC Address: 00:0C:29:FB:E5:B6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
root@bt:~#

Scan all ports

root@bt:~# nmap -p 1-65535 -sV 172.16.49.100
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:34 BRT
Nmap scan report for 172.16.49.100
Host is up (0.00075s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.0
80/tcp open http Apache httpd 2.2.16 ((Ubuntu))
3128/tcp open http-proxy Squid webproxy 3.1.6
8888/tcp open http-proxy Tinyproxy 1.8.2
60000/tcp open ssh OpenSSH 5.5p1 Debian 4ubuntu6 (protocol 2.0)
MAC Address: 00:0C:29:FB:E5:B6 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 123.86 seconds
root@bt:~#
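The default scan covers nmap's top 1000 ports and therefore misses the SSH daemon moved to port 60000; only the full-range scan finds it. As an added example that is not part of the lab handout, the Python below parses the two result listings above (copied here as constructed strings), reports the open ports the default scan missed, and, from the defender's side, lists open ports that are not on an assumed allow-list for the firewall host.

```python
import re

# Constructed copies of the two listings above: the default scan and the
# full-range scan (-p 1-65535 -sV) of the same firewall host.
DEFAULT_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
3128/tcp open squid-http
8888/tcp open sun-answerbook
"""
FULL_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.0
80/tcp open http Apache httpd 2.2.16 ((Ubuntu))
3128/tcp open http-proxy Squid webproxy 3.1.6
8888/tcp open http-proxy Tinyproxy 1.8.2
60000/tcp open ssh OpenSSH 5.5p1 Debian 4ubuntu6 (protocol 2.0)
"""

# One nmap port line: "80/tcp open http Apache httpd ..." (version is optional).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text):
    """Return {(port, proto): (state, service, version)} for every port line."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            found[(int(port), proto)] = (state, service, version or "")
    return found

def open_ports(text):
    """Ports reported exactly 'open' (filtered and open|filtered are excluded)."""
    return {k for k, v in parse_ports(text).items() if v[0] == "open"}

def missed_by_default_scan(default_text, full_text):
    """Open ports the full-range scan found that the default scan did not."""
    return sorted(open_ports(full_text) - open_ports(default_text))

def unexpected_ports(text, baseline):
    """Open ports absent from the defender's allow-list (exposure drift)."""
    return sorted(open_ports(text) - set(baseline))

# Assumed allow-list for the lab firewall host (constructed, not from the page).
BASELINE = {(21, "tcp"), (80, "tcp"), (3128, "tcp"), (8888, "tcp")}

if __name__ == "__main__":
    print("missed by default scan:", missed_by_default_scan(DEFAULT_SCAN, FULL_SCAN))
    print("open but not on baseline:", unexpected_ports(FULL_SCAN, BASELINE))
```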

UDP scanning

root@bt:~# nmap -sU -vv -p1-200 172.16.50.20
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 23:57 BRT
Initiating Ping Scan at 23:57
Scanning 172.16.50.20 [4 ports]
Completed Ping Scan at 23:57, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:57
Completed Parallel DNS resolution of 1 host. at 23:57, 0.05s elapsed
Initiating UDP Scan at 23:57
Scanning 172.16.50.20 [200 ports]
Discovered open port 123/udp on 172.16.50.20
Discovered open port 137/udp on 172.16.50.20
Completed UDP Scan at 23:57, 1.25s elapsed (200 total ports)
Nmap scan report for 172.16.50.20
Host is up (0.0041s latency).
Scanned at 2012-06-25 23:57:10 BRT for 1s
Not shown: 196 closed ports
PORT STATE SERVICE
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
Raw packets sent: 206 (6.089KB) | Rcvd: 199 (11.364KB)

Scan a single port

root@bt:~# nmap -p T:139 172.16.50.20-40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:00 BRT
Nmap scan report for 172.16.50.20
Host is up (0.0021s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn

Nmap scan report for 172.16.50.40
Host is up (0.0032s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap done: 21 IP addresses (2 hosts up) scanned in 2.69 seconds
root@bt:~#

Scripting engine (4.2)
- brute force
- information gathering
- vulnerability scanning
- etc.

Configuration directory - /usr/local/share/nmap/scripts/

Check for SMB vulnerabilities

root@bt:~# nmap -v --script=smb-check-vulns 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:31 BRT
NSE: Loaded 1 scripts for scanning.
Initiating Ping Scan at 00:31
Scanning 172.16.50.40 [4 ports]
Discovered open port 135/tcp on 172.16.50.40
Discovered open port 21/tcp on 172.16.50.40
Discovered open port 443/tcp on 172.16.50.40
Discovered open port 80/tcp on 172.16.50.40
Discovered open port 3306/tcp on 172.16.50.40
Discovered open port 1025/tcp on 172.16.50.40
Discovered open port 445/tcp on 172.16.50.40
Discovered open port 3389/tcp on 172.16.50.40
Discovered open port 139/tcp on 172.16.50.40
Completed SYN Stealth Scan at 00:31, 1.34s elapsed (1000 total ports)
NSE: Script scanning 172.16.50.40.
Initiating NSE at 00:31
Completed NSE at 00:31, 0.08s elapsed
Nmap scan report for 172.16.50.40
Host is up (0.0014s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3306/tcp open mysql
3389/tcp open ms-term-serv
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Test running all scripts

nmap --script=all 172.16.50.50 (anonymous FTP, SMB users, password policy,
NetBIOS vulnerabilities, etc.)

2. HPING3 (packet generator)

root@bt:~# hping3 -c 1 -V -I eth0 -1 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): icmp mode set, 28 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44550 tos=0 iplen=28
icmp_seq=0 rtt=0.9 ms

--- 172.16.50.40 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms
root@bt:~#

-c = count
-V = verbose
-I = network interface to use
-1 = ICMP packet

root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): S set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44554 tos=0 iplen=44
sport=80 flags=SA seq=0 win=64240 rtt=3.1 ms
seq=3096103240 ack=1389621577 sum=dcf8 urp=0

--- 172.16.50.40 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.1/3.1/3.1 ms
root@bt:~#

-s = source port
-p = destination port
-S = set the SYN flag in the packet

No flags

root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44559 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=1.4 ms
seq=0 ack=1775632469 sum=4d67 urp=0

--- 172.16.50.40 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.4/1.4/1.4 ms
root@bt:~#

FIN flag set

root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): F set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44566 tos=0 iplen=40
sport=53 flags=RA seq=0 win=0 rtt=1.5 ms
seq=0 ack=2031154861 sum=d561 urp=0

--- 172.16.50.40 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.5/1.5/1.5 ms

root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -F 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): F set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44567 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=1.4 ms
seq=0 ack=2070067822 sum=a79b urp=0

--- 172.16.50.40 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.4/1.4/1.4 ms
root@bt:~#
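The three hping3 probes above (SYN, no flags, FIN) follow the same reply rules that nmap's -sS, -sN and -sF scans interpret: SYN/ACK to a SYN means open, RST means closed, and under RFC 793 a FIN or flag-less segment to an open port gets no answer at all. The Python below is an added example, not part of the lab handout: it parses the reply lines printed on this page (copied as constructed strings) and shows why port 80, which the SYN probe proved open, still answers the FIN probe with RST/ACK: the Windows 2003 stack sends RST to FIN and NULL probes regardless of port state, so those scan types cannot tell open from closed on that host.

```python
import re

# Reply lines copied from the hping3 runs on this page, keyed by (probe flags, port).
# "" is the no-flags (NULL) probe. Constructed copies, not new captures.
REPLIES = {
    ("S", 80): "sport=80 flags=SA seq=0 win=64240 rtt=3.1 ms",
    ("", 80): "sport=80 flags=RA seq=0 win=0 rtt=1.4 ms",
    ("F", 53): "sport=53 flags=RA seq=0 win=0 rtt=1.5 ms",
    ("F", 80): "sport=80 flags=RA seq=0 win=0 rtt=1.4 ms",
}

REPLY_LINE = re.compile(r"sport=(\d+) flags=([A-Z]*) .*win=(\d+)")

def parse_reply(line):
    """Return (source port, set of TCP flag letters, window) from an hping3 reply
    line, or None when hping3 printed nothing but the statistics block."""
    m = REPLY_LINE.search(line) if line else None
    if not m:
        return None
    return int(m.group(1)), set(m.group(2)), int(m.group(3))

def infer_state(probe_flags, reply):
    """Port state implied by the reply to a probe with the given flag letters,
    using the RFC 793 behaviour that the SYN / FIN / NULL scan types rely on."""
    if reply is None:
        # Silence after SYN means something dropped it; silence after FIN or
        # NULL is what an RFC 793 stack does for an open port, so it is ambiguous.
        return "filtered" if "S" in probe_flags else "open|filtered"
    _, flags, _ = reply
    if "S" in probe_flags:
        if {"S", "A"} <= flags:
            return "open"
        return "closed" if "R" in flags else "unknown"
    # FIN / NULL probe: only a closed port should answer, and it answers with RST.
    return "closed" if "R" in flags else "unknown"

def fin_probe_contradiction(syn_reply, fin_reply):
    """True when the SYN probe shows a port open but the FIN probe to the same
    port drew RST: the stack does not follow RFC 793 here (Windows behaves this
    way), so FIN/NULL results for this host cannot be trusted."""
    return (infer_state("S", syn_reply) == "open"
            and infer_state("F", fin_reply) == "closed")

if __name__ == "__main__":
    for (probe, port), line in REPLIES.items():
        print(probe or "NULL", port, "->", infer_state(probe, parse_reply(line)))
    print("FIN scan unreliable on this host:",
          fin_probe_contradiction(parse_reply(REPLIES[("S", 80)]),
                                  parse_reply(REPLIES[("F", 80)])))
```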

3. NESSUS - vulnerability scanner
http://wiki.backbox.org/index.php/Nessus

- install Nessus and add a user

root@bt:~# apt-get install nessus
root@bt:~# /opt/nessus/sbin/nessus-adduser

Register at http://www.nessus.org/register/

Receive the activation key by e-mail

root@bt:~# /opt/nessus/bin/nessus-fetch --register chave_de_ativacao

root@bt:~# /etc/init.d/nessusd start

Access Nessus at https://172.16.49.165:8834
(user: nessus, password: nessus)

Update Nessus

root@bt:~# /opt/nessus/sbin/nessus-update-plugins
Fetching the newest updates from nessus.org...
Done. The Nessus server will restart when its scans are finished
root@bt:~#
Verify the update

root@bt:~# locate plugin_feed_info
/opt/nessus/var/nessus/plugin_feed_info.inc
root@bt:~# more /opt/nessus/lib/nessus/plugins/plugin_feed_info.inc
PLUGIN_SET = "201206282239";
PLUGIN_FEED = "HomeFeed (Non-commercial use only)";
root@bt:~
