Wednesday, 20 February 2019

HOW TO DO VULNERABILITY ANALYSIS


Scanning is the initial phase of pentesting. Researchers and pentesters know this phase of a security assessment very well. It is the phase in which pentesters invest most of their time, because it gives the pentester a great deal of information with which to prepare the later penetration-testing phases.

There are many automated and manual tools used in pentesting, but the pentester always begins with manual scanning, since it gives a broader picture. Today we will show how a pentester or security researcher can use nmap scripts to search for vulnerabilities.

Nmap is an open-source tool designed to scan and verify the open ports of web and mobile applications. Nmap uses raw IP packets to analyze a given URL or host. Nmap collects information about services, open ports, the application server, the operating system version, and so on. Nmap offers many options, such as using scripts to probe the target.

Nmap scripts use whois to look up the target. According to network security experts from the Instituto Internacional de Seguridad Cibernética, you can also write or share your own nmap script. We will show you how to use an external script. These nmap scripts were tested on Kali Linux 2018.4.

root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/OCSAF/freevulnsearch.git 

Cloning into 'freevulnsearch'...
remote: Enumerating objects: 114, done.
remote: Counting objects: 100% (114/114), done.
remote: Compressing objects: 100% (85/85), done.
remote: Total 114 (delta 64), reused 60 (delta 29), pack-reused 0
Receiving objects: 100% (114/114), 34.58 KiB | 2.66 MiB/s, done.
Resolving deltas: 100% (64/64), done.
  • Next, type cd freevulnsearch
  • Type ls
root@kali:/home/iicybersecurity/Downloads# cd freevulnsearch/
 root@kali:/home/iicybersecurity/Downloads/freevulnsearch# ls
 freevulnsearch.nse  LICENSE  README.md
  • Copy freevulnsearch.nse to the scripts location. For that, type cp freevulnsearch.nse /usr/share/nmap/scripts
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# cp freevulnsearch.nse /usr/share/nmap/scripts
  • Next, type locate *.nse
  • This query lists all the scripts that are available in the nmap scripting engine
root@kali:/home/iicybersecurity# locate *.nse
  • Then type nmap -sV --script freevulnsearch certified.com
  • -sV: s spoofs the IP address and V scans the target in detail
  • --script freevulnsearch is the script used to scan the target
  • certified.com is the target
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script freevulnsearch certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 02:17 EST
 Nmap scan report for certified.com (162.241.216.11)
 Host is up (0.30s latency).
 rDNS record for 162.241.216.11: box5331.bluehost.com
 Not shown: 978 closed ports
 PORT     STATE    SERVICE      VERSION
 21/tcp   open     ftp          Pure-FTPd
 22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
 |_freevulnsearch: *Error with API query. API or network possibly not available.
 25/tcp   open     smtp         Exim smtpd 4.91
 | freevulnsearch:
 |   *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
 |_  *Check other sources like https://www.exploit-db.com
 26/tcp   open     smtp         Exim smtpd 4.91
 | freevulnsearch:
 |   *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
 |_  *Check other sources like https://www.exploit-db.com
 53/tcp   open     domain       ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
 | freevulnsearch:
 |   CVE-2017-3145       Medium          5.0             https://cve.circl.lu/cve/CVE-2017-3145
 |   CVE-2017-3143       Medium          4.3             https://cve.circl.lu/cve/CVE-2017-3143
 |   CVE-2017-3142       Medium          4.3             https://cve.circl.lu/cve/CVE-2017-3142
 |   CVE-2017-3141       High            7.2     EDB     https://cve.circl.lu/cve/CVE-2017-3141
 |   CVE-2017-3136       Medium          4.3             https://cve.circl.lu/cve/CVE-2017-3136
 |   CVE-2016-9131       Medium          5.0             https://cve.circl.lu/cve/CVE-2016-9131
 |   CVE-2016-8864       Medium          5.0             https://cve.circl.lu/cve/CVE-2016-8864
 |   CVE-2016-6170       Medium          4.0             https://cve.circl.lu/cve/CVE-2016-6170
 |   CVE-2016-2848       Medium          5.0             https://cve.circl.lu/cve/CVE-2016-2848
 |   CVE-2016-2775       Medium          4.3             https://cve.circl.lu/cve/CVE-2016-2775
 |   CVE-2016-1286       Medium          5.0             https://cve.circl.lu/cve/CVE-2016-1286
 |   CVE-2016-1285       Medium          4.3             https://cve.circl.lu/cve/CVE-2016-1285
 |   CVE-2015-8461       High            7.1             https://cve.circl.lu/cve/CVE-2015-8461
 |   CVE-2015-8000       Medium          5.0             https://cve.circl.lu/cve/CVE-2015-8000
 |   CVE-2015-4620       High            7.8             https://cve.circl.lu/cve/CVE-2015-4620
 |   CVE-2015-1349       Medium          5.4             https://cve.circl.lu/cve/CVE-2015-1349
 |   CVE-2014-0591       Low             2.6             https://cve.circl.lu/cve/CVE-2014-0591
 |   CVE-2013-6230       Medium          6.8             https://cve.circl.lu/cve/CVE-2013-6230
 |   CVE-2013-4854       High            7.8             https://cve.circl.lu/cve/CVE-2013-4854
 |   CVE-2013-2266       High            7.8             https://cve.circl.lu/cve/CVE-2013-2266
 |   CVE-2012-5689       High            7.1             https://cve.circl.lu/cve/CVE-2012-5689
 |   CVE-2012-5688       High            7.8             https://cve.circl.lu/cve/CVE-2012-5688
 |   CVE-2012-5166       High            7.8             https://cve.circl.lu/cve/CVE-2012-5166
 |   CVE-2012-4244       High            7.8             https://cve.circl.lu/cve/CVE-2012-4244
 |   CVE-2012-3817       High            7.8             https://cve.circl.lu/cve/CVE-2012-3817
 |   *No CVE found with NMAP-CPE: (cpe:/a:isc:bind:9.8.2rc1)
 |_  *CVE found with freevulnsearch function: (cpe:/a:isc:bind:9.8.2:rc1)
 80/tcp   open     http         nginx 1.14.1
 | freevulnsearch:
 |   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
 |_  *Check other sources like https://www.exploit-db.com
 |_http-server-header: nginx/1.14.1
 110/tcp  open     pop3         Dovecot pop3d
 139/tcp  filtered netbios-ssn
 143/tcp  open     imap         Dovecot imapd
 443/tcp  open     ssl/http     nginx 1.14.1
 | freevulnsearch:
 |   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
 |_  *Check other sources like https://www.exploit-db.com
 |_http-server-header: nginx/1.14.1
 445/tcp  filtered microsoft-ds
 465/tcp  open     tcpwrapped
 587/tcp  open     tcpwrapped
 993/tcp  open     ssl/imap     Dovecot imapd
 995/tcp  open     ssl/pop3     Dovecot pop3d
 1720/tcp filtered h323q931
 2222/tcp open     ssh          OpenSSH 5.3 (protocol 2.0)
 |_freevulnsearch: *Error with API query. API or network possibly not available.
 3306/tcp open     mysql        MySQL 5.6.41-84.1
 | freevulnsearch:
 |   *No CVE found with NMAP-CPE: (cpe:/a:mysql:mysql:5.6.41-84.1)
 |   *No CVE found with freevulnsearch function: (cpe:/a:mysql:mysql:5.6.41)
 |_  *Check other sources like https://www.exploit-db.com
 5060/tcp filtered sip
 5432/tcp open     postgresql   PostgreSQL DB
 | fingerprint-strings:
 |   SMBProgNeg:
 |     SFATAL
 |     C0A000
 |     Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
 |     Fpostmaster.c
 |     L1624
 |_    RProcessStartupPacket
 8080/tcp open     http         nginx 1.14.1
 | freevulnsearch:
 |   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
 |_  *Check other sources like https://www.exploit-db.com
 |_http-server-header: nginx/1.14.1
 8443/tcp open     ssl/http     nginx 1.14.1
 | freevulnsearch:
 |   *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
 |_  *Check other sources like https://www.exploit-db.com
 |_http-server-header: nginx/1.14.1
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63C488%P=x86_64-pc-linux-gnu%r(SM
 SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
 SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
 SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
 Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 39.09 seconds
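The freevulnsearch output above is plain text, so the CVE list per port has to be parsed before it can be prioritized. The following Python is an added example, not code from the original post or from the freevulnsearch project. It parses the per-port rows (the VERSION column is produced by -sV, nmap's service and version detection, and the CPE strings the script looks up are derived from it), records ports where the API lookup failed so they are not mistaken for clean, sorts the CVEs by CVSS score, and reproduces the version rewrite visible in the output (9.8.2rc1 to 9.8.2:rc1, 5.6.41-84.1 to 5.6.41), without which the NMAP-CPE lookup found nothing. The normalize_cpe_version helper is a hypothetical reimplementation of that behaviour, not the script's own function; the sample text is copied from the scan output above and shortened.

```python
"""Parse freevulnsearch NSE output and triage the CVEs it lists.
Added example, not part of the original post or of freevulnsearch."""
import re
from dataclasses import dataclass, field

# Port row as printed by nmap -sV: "53/tcp   open     domain       ISC BIND 9.8.2rc1 (...)"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# CVE row as printed by the script: "|   CVE-2017-3141   High   7.2   EDB   https://..."
CVE_RE = re.compile(
    r"^\|[_ ]\s+(CVE-\d{4}-\d+)\s+(Low|Medium|High|Critical)\s+(\d+\.\d)\s*(EDB)?\s*(\S+)$"
)
CPE_RE = re.compile(r"\((cpe:/\S+)\)")

@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    cves: list = field(default_factory=list)   # (cve_id, severity, cvss, has_edb, url)
    cpes: list = field(default_factory=list)   # CPE strings the script tried
    api_error: bool = False                    # lookup failed: port was NOT checked

def parse_freevulnsearch(text):
    """Return one PortFinding per port row, with the script lines that follow it."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = PortFinding(int(m[1]), m[2], m[3], m[4], m[5].strip())
            findings.append(current)
            continue
        if current is None:
            continue
        if "*Error with API query" in line:
            current.api_error = True
            continue
        m = CVE_RE.match(line)
        if m:
            current.cves.append((m[1], m[2], float(m[3]), m[4] == "EDB", m[5]))
            continue
        m = CPE_RE.search(line)
        if m:
            current.cpes.append(m[1])
    return findings

def normalize_cpe_version(cpe):
    """Hypothetical helper: split a pre-release tag glued onto the version
    ('9.8.2rc1' -> '9.8.2:rc1') and drop a distro build suffix
    ('5.6.41-84.1' -> '5.6.41'), the two rewrites visible in the scan output."""
    parts = cpe.split(":")
    version = parts[-1].split("-", 1)[0]
    m = re.match(r"^(\d+(?:\.\d+)*)([A-Za-z]+\d*)$", version)
    if m:
        parts[-1] = m[1]
        parts.append(m[2])
    else:
        parts[-1] = version
    return ":".join(parts)

def triage(findings, min_cvss=7.0):
    """(port, cve_id, cvss, has_public_exploit) at or above min_cvss, highest first."""
    rows = [(f.port, c[0], c[2], c[3]) for f in findings for c in f.cves if c[2] >= min_cvss]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def summarize(findings):
    """Counts a defender wants on the report: unchecked ports are a gap, not a pass."""
    return {
        "ports_checked": sum(1 for f in findings if not f.api_error),
        "ports_unchecked": sum(1 for f in findings if f.api_error),
        "total_cves": sum(len(f.cves) for f in findings),
        "with_public_exploit": sum(1 for f in findings for c in f.cves if c[3]),
    }

# Copied from the scan output above and shortened.
SAMPLE = """\
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
|_freevulnsearch: *Error with API query. API or network possibly not available.
53/tcp   open     domain       ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
| freevulnsearch:
|   CVE-2017-3145       Medium          5.0             https://cve.circl.lu/cve/CVE-2017-3145
|   CVE-2017-3141       High            7.2     EDB     https://cve.circl.lu/cve/CVE-2017-3141
|   CVE-2015-4620       High            7.8             https://cve.circl.lu/cve/CVE-2015-4620
|   CVE-2014-0591       Low             2.6             https://cve.circl.lu/cve/CVE-2014-0591
|   *No CVE found with NMAP-CPE: (cpe:/a:isc:bind:9.8.2rc1)
|_  *CVE found with freevulnsearch function: (cpe:/a:isc:bind:9.8.2:rc1)
3306/tcp open     mysql        MySQL 5.6.41-84.1
| freevulnsearch:
|   *No CVE found with NMAP-CPE: (cpe:/a:mysql:mysql:5.6.41-84.1)
|   *No CVE found with freevulnsearch function: (cpe:/a:mysql:mysql:5.6.41)
|_  *Check other sources like https://www.exploit-db.com
"""

if __name__ == "__main__":
    found = parse_freevulnsearch(SAMPLE)
    print(summarize(found))
    for port, cve, cvss, edb in triage(found):
        print(f"{port:>5}  {cve}  {cvss}  {'public exploit' if edb else ''}")
```

The "Error with API query" rows matter as much as the CVE rows: the script could not check OpenSSH 5.3 on ports 22 and 2222 at all, so those services need a manual lookup rather than being treated as free of known CVEs.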
  • After running the above query, the nmap script has found vulnerabilities that can be used in future attacks
  • This query shows the list of CVEs, which are the most common vulnerabilities and can be used to create faults in the web application

  • Type nmap -sV --script broadcast-dhcp-discover certified.com
  • -sV: s spoofs the IP address and V scans the target in detail
  • --script broadcast-dhcp-discover obtains local parameters without assigning a new address
  • certified.com is the target
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script broadcast-dhcp-discover certified.com

 Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 03:05 EST
 Pre-scan script results:
 | broadcast-dhcp-discover:
 |   Response 1 of 1:
 |     IP Offered: 192.168.1.9
 |     DHCP Message Type: DHCPOFFER
 |     Subnet Mask: 255.255.255.0
 |     Router: 192.168.1.1
 |     Domain Name Server: 192.168.1.1
 |     Server Identifier: 192.168.1.1
 |_    IP Address Lease Time: 1d00h00m00s
 Nmap scan report for certified.com (162.241.216.11)
 Host is up (0.30s latency).
 rDNS record for 162.241.216.11: box5331.bluehost.com
 Not shown: 978 closed ports
 PORT     STATE    SERVICE      VERSION
 21/tcp   open     ftp          Pure-FTPd
 22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
 25/tcp   open     tcpwrapped
 26/tcp   open     smtp         Exim smtpd 4.91
 53/tcp   open     domain       ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
 80/tcp   open     http         nginx 1.14.1
 |_http-server-header: nginx/1.14.1
 110/tcp  open     pop3         Dovecot pop3d
 139/tcp  filtered netbios-ssn
 143/tcp  open     imap         Dovecot imapd
 443/tcp  open     ssl/http     nginx 1.14.1
 |_http-server-header: nginx/1.14.1
 445/tcp  filtered microsoft-ds
 465/tcp  open     ssl/smtps?
 587/tcp  open     tcpwrapped
 993/tcp  open     ssl/imap     Dovecot imapd
 995/tcp  open     ssl/pop3     Dovecot pop3d
 1720/tcp filtered h323q931
 2222/tcp open     ssh          OpenSSH 5.3 (protocol 2.0)
 3306/tcp open     mysql        MySQL 5.6.41-84.1
 5060/tcp filtered sip
 5432/tcp open     postgresql   PostgreSQL DB
 | fingerprint-strings:
 |   SMBProgNeg:
 |     SFATAL
 |     C0A000
 |     Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
 |     Fpostmaster.c
 |     L1624
 |_    RProcessStartupPacket
 8080/tcp open     http         nginx 1.14.1
 |_http-server-header: nginx/1.14.1
 8443/tcp open     ssl/http     nginx 1.14.1
 |_http-server-header: nginx/1.14.1
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63CFD1%P=x86_64-pc-linux-gnu%r(SM
 SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
 SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
 SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
 Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 33.67 seconds
  • The above query has obtained the rDNS record and shows the open ports and services. This information can be used in other hacking activities
  • The above query shows the version listed with each port

  • Type nmap --script http-security-headers certified.com
  • --script http-security-headers is used to check the security headers of the HTTP response
  • certified.com is the target URL
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap --script http-security-headers certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 04:31 EST
 Nmap scan report for certified.com (162.241.216.11)
 Host is up (0.29s latency).
 rDNS record for 162.241.216.11: box5331.bluehost.com
 Not shown: 978 closed ports
 PORT     STATE    SERVICE
 21/tcp   open     ftp
 22/tcp   open     ssh
 25/tcp   open     smtp
 26/tcp   open     rsftp
 53/tcp   open     domain
 80/tcp   open     http
 |_http-security-headers:
 110/tcp  open     pop3
 139/tcp  filtered netbios-ssn
 143/tcp  open     imap
 443/tcp  open     https
 | http-security-headers:
 |   Strict_Transport_Security:
 |_    HSTS not configured in HTTPS Server
 445/tcp  filtered microsoft-ds
 465/tcp  open     smtps
 587/tcp  open     submission
 993/tcp  open     imaps
 995/tcp  open     pop3s
 1720/tcp filtered h323q931
 2222/tcp open     EtherNetIP-1
 3306/tcp open     mysql
 5060/tcp filtered sip
 5432/tcp open     postgresql
 8080/tcp open     http-proxy
 8443/tcp open     https-alt
 Nmap done: 1 IP address (1 host up) scanned in 9.67 seconds
  • After running the above query, the HTTPS security header check has shown that HSTS is not configured on the HTTPS server
  • HSTS (HTTP Strict Transport Security) helps protect websites from protocol downgrade attacks. The above information can also be used in other hacking activities
  • You can also use nmap DoS scripts to launch DDoS attacks
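The http-security-headers script only reports whether the header is present on port 443. The following Python is an added example, not code from the original post or from nmap: it audits a set of response headers for the same finding plus a few related headers, and also validates the HSTS value itself, because a header with max-age=0 or with no max-age directive gives no protection even though it is "configured". The header list, the one-year threshold and the sample header values are assumptions of this example, not something captured from certified.com.

```python
"""Audit HTTP response security headers, with HSTS value validation.
Added example, not part of the original post or of nmap."""
import re

ONE_YEAR = 31536000  # seconds; threshold used by this example (assumption)

# Headers this example expects on an HTTPS site and the finding text when absent.
EXPECTED = {
    "strict-transport-security": "HSTS not configured in HTTPS server",
    "content-security-policy": "No Content-Security-Policy header",
    "x-content-type-options": "No X-Content-Type-Options header (MIME sniffing allowed)",
    "x-frame-options": "No X-Frame-Options header (clickjacking protection absent)",
}

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload), or None when the header
    is invalid.  RFC 6797 requires max-age; a header without it is ignored
    by browsers, so the site gains nothing from sending it."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload

def audit_security_headers(headers, min_max_age=ONE_YEAR):
    """headers: dict of response header name -> value (names case-insensitive).
    Returns a list of finding strings; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in EXPECTED.items() if name not in h]
    if "strict-transport-security" in h:
        parsed = parse_hsts(h["strict-transport-security"])
        if parsed is None:
            findings.append("HSTS header present but invalid (missing or bad max-age); browsers ignore it")
        else:
            max_age, include_sub, _preload = parsed
            if max_age == 0:
                findings.append("HSTS max-age=0 disables HSTS for this host")
            elif max_age < min_max_age:
                findings.append(f"HSTS max-age={max_age} is shorter than {min_max_age}s")
            if not include_sub:
                findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed sample header sets (not captured from any real host).
SERVER_AS_SCANNED = {"Server": "nginx/1.14.1", "Content-Type": "text/html"}
SERVER_HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
SERVER_HSTS_DISABLED = dict(SERVER_HARDENED, **{"Strict-Transport-Security": "max-age=0"})

if __name__ == "__main__":
    for label, hdrs in [("as scanned", SERVER_AS_SCANNED), ("hardened", SERVER_HARDENED),
                        ("max-age=0", SERVER_HSTS_DISABLED)]:
        print(label, "->", audit_security_headers(hdrs) or ["no findings"])
```

On an nginx server such as the one in the scan, the HSTS finding is fixed by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to the HTTPS server block and reloading; re-running the same nmap script afterwards confirms the header is now served.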
