162 | Chapter 5: Automated Exploits

    192.168.86.1    53     tcp    domain            open
    192.168.86.1    80     tcp    http              open
    192.168.86.1    5000   tcp    upnp              open      MiniUPnP 1.9 Linux 3.13.0-115-generic; UPnP 1.1
    192.168.86.1    8080   tcp    http-proxy        open
    192.168.86.1    8081   tcp    blackice-icecap   open
    192.168.86.8    80     tcp    http              filtered
    192.168.86.9    80     tcp    http              filtered
    192.168.86.20   49     tcp    tacacs            filtered
    192.168.86.20   80     tcp    http              open
    192.168.86.20   389    tcp    ldap              filtered
    192.168.86.20   1028   tcp    unknown           filtered
    192.168.86.20   1097   tcp    sunclustermgr     filtered
    192.168.86.20   1141   tcp    mxomss            filtered
    192.168.86.20   1494   tcp    citrix-ica        filtered
    192.168.86.20   1935   tcp    rtmp              filtered
    192.168.86.20   1998   tcp    x25-svc-port      filtered
    192.168.86.20   2003   tcp    finger            filtered
    192.168.86.20   2043   tcp    isis-bcast        filtered
    192.168.86.20   2710   tcp    sso-service       filtered
    192.168.86.20   2910   tcp    tdaccess          filtered
    192.168.86.20   3766   tcp    sitewatch-s       filtered
    192.168.86.20   5989   tcp    wbem-https        filtered
    192.168.86.20   6389   tcp    clariion-evr01    filtered
    192.168.86.20   7004   tcp    afs3-kaserver     filtered
    192.168.86.20   9001   tcp    tor-orport        filtered
    192.168.86.20   49155  tcp    unknown           filtered
    192.168.86.20   61532  tcp    unknown           filtered
    192.168.86.21   22     tcp    ssh               open      OpenSSH 7.6p1 Debian 2 protocol 2.0
    192.168.86.22   8008   tcp    http              open
You can also import results from vulnerability scans. Let's take the output from one of our OpenVAS scans. I exported the report into NBE format, a Nessus-based format that Metasploit can read. From there, I imported the file into the database by using db_import followed by the filename. Example 5-15 shows the process of doing the import.
Example 5-15. Using db_import

    msf > db_import /root/Downloads/report.nbe
    [*] Importing 'Nessus NBE Report' data
    [*] Importing host 192.168.86.196
    [*] Importing host 192.168.86.247
    [*] Importing host 192.168.86.247
    [*] Importing host 192.168.86.247
    [*] Importing host 192.168.86.38
    [*] Importing host 192.168.86.39
    [*] Importing host 192.168.86.32
    [*] Importing host 192.168.86.24
    [*] Importing host 192.168.86.33
    [*] Importing host 192.168.86.42
    [*] Importing host 192.168.86.37
    [*] Importing host 192.168.86.36
    [*] Importing host 192.168.86.25
    [*] Importing host 192.168.86.22
    [*] Importing host 192.168.86.45
    [*] Importing host 192.168.86.49
    [*] Importing host 192.168.86.162
    [*] Importing host 192.168.86.170
    [*] Importing host 192.168.86.160
    [*] Importing host 192.168.86.156
    [*] Importing host 192.168.86.40
    [*] Importing host 192.168.86.1
    [*] Importing host 192.168.86.26
    [*] Importing host 192.168.86.218
    [*] Importing host 192.168.86.249
    [*] Importing host 192.168.86.27
    [*] Importing host 192.168.86.9
    [*] Importing host 192.168.86.8
    [*] Successfully imported /root/Downloads/report.nbe
With the results of the vulnerability scan in the database, they become things we can look up. Using vulns, we can list all of the vulnerabilities known in the database. We can also narrow the list of vulnerabilities by using command-line parameters. For example, if you use vulns -p 80, you will list all the vulnerabilities associated with port 80. Using -s, you can search by service name. What you get is just a list of the vulnerabilities, including the host where each vulnerability exists and a reference number for the vulnerability. You can also get information about the vulnerabilities by using -i, as shown in Example 5-16. This is just part of the vulnerability details from one of the vulnerabilities found.
Example 5-16. Vulnerability information from msfconsole

    Solution:
    Solution type: Mitigation
    To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
    /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
    To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'
    Starting with Windows Server 2008 and Vista, the timestamp cannot be completely
    disabled.
    The default behavior of the TCP/IP stack on this Systems is to not use the
    Timestamp options when initiating TCP connections, but use them if the TCP peer
    that is initiating communication includes them in their synchronize (SYN)
    segment.
    See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152
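To make concrete what db_import reads in Example 5-15 and what the vulns lookups (-p, -s, -i) described before Example 5-16 do with it, here is an added Ruby example. It is not code from the book and not Metasploit's own importer; it is a minimal reader for the pipe-delimited NBE format followed by the same port, service and detail filters. The report lines, hosts, plugin IDs and findings are constructed sample data, and the function names (parse_nbe, by_port, by_service, summary_line, solution_of) are this example's own, not msfconsole commands.

```ruby
# Added example (not from the book and not Metasploit's own importer code):
# a minimal reader for the Nessus/OpenVAS NBE report format that db_import
# consumes, plus the port/service/detail lookups that msfconsole's
# `vulns`, `vulns -p`, `vulns -s` and `vulns -i` perform against the database.
# All report lines below are CONSTRUCTED sample data: the hosts, plugin IDs
# and findings are illustrative, not results of a real scan.

# NBE is pipe-delimited, one record per line. The records we care about are:
#   results|<subnet>|<host>|<service (port/proto)>|<plugin id>|<severity>|<description>
# Descriptions carry a literal two-character "\n" wherever the plugin wrote a
# newline, so they have to be unescaped when read.
SAMPLE_NBE = <<~'NBE'
  timestamps|||scan_start|Tue May 14 10:00:00 2024|
  timestamps||192.168.86.196|host_start|Tue May 14 10:00:01 2024|
  results|192.168.86|192.168.86.196|general/tcp|90001|Security Note|TCP timestamps are enabled.\n\nSolution:\nSolution type: Mitigation\nTo disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf.
  results|192.168.86|192.168.86.196|http (80/tcp)|90002|Security Note|A web server is running on this port.
  results|192.168.86|192.168.86.247|ssh (22/tcp)|90003|Security Warning|The SSH server offers weak host key algorithms.
  timestamps||192.168.86.196|host_end|Tue May 14 10:00:09 2024|
  timestamps|||scan_end|Tue May 14 10:00:10 2024|
NBE

# One imported finding, shaped like a row in Metasploit's vulns table.
Vuln = Struct.new(:host, :port, :proto, :service, :plugin_id, :severity, :description)

# NBE writes the service field as "http (80/tcp)" for a port-level finding
# and as "general/tcp" for a host-level one; return [name, port, proto].
def parse_service(field)
  if (m = field.match(%r{\A(?<name>\S+) \((?<port>\d+)/(?<proto>\w+)\)\z}))
    [m[:name], m[:port].to_i, m[:proto]]
  elsif (m = field.match(%r{\A(?<name>\w+)/(?<proto>\w+)\z}))
    [m[:name], 0, m[:proto]]        # host-level finding: port 0 marks "no port"
  else
    [field, 0, nil]                 # unknown layout: keep the raw field as the name
  end
end

# Turn the "results" records of an NBE report into Vuln structs; every other
# record type (timestamps, etc.) is skipped. split with a limit of 7 keeps any
# '|' characters inside the description intact.
def parse_nbe(text)
  text.each_line.filter_map do |line|
    fields = line.chomp.split('|', 7)
    next unless fields[0] == 'results' && fields.length == 7
    service, port, proto = parse_service(fields[3])
    Vuln.new(fields[2], port, proto, service, fields[4], fields[5],
             fields[6].gsub('\n', "\n"))
  end
end

# Equivalent of `vulns -p <port>`: only findings attached to that port.
def by_port(vulns, port)
  vulns.select { |v| v.port == port }
end

# Equivalent of `vulns -s <name>`: only findings on that service name.
def by_service(vulns, name)
  vulns.select { |v| v.service.casecmp?(name) }
end

# The one-line form `vulns` prints: where it was found, how bad, and the
# plugin reference number that identifies the check.
def summary_line(v)
  target = v.port.zero? ? v.host : "#{v.host}:#{v.port}/#{v.proto}"
  "#{target} #{v.severity} [#{v.plugin_id}]"
end

# `vulns -i` shows the full description; the Solution block inside it is the
# part a defender acts on, so extract just that (nil when the plugin has none).
def solution_of(v)
  idx = v.description.index('Solution:')
  idx ? v.description[idx..].strip : nil
end

if __FILE__ == $PROGRAM_NAME
  vulns = parse_nbe(SAMPLE_NBE)
  puts 'All imported findings:'
  vulns.each { |v| puts "  #{summary_line(v)}" }
  puts 'Port 80 only (vulns -p 80):'
  by_port(vulns, 80).each { |v| puts "  #{summary_line(v)}" }
  puts 'Remediation for the TCP timestamps finding (vulns -i):'
  puts solution_of(vulns.first)
end
```

Host-level findings such as the TCP timestamps note are recorded against general/tcp rather than a port, which is why a port filter like vulns -p 80 will not show them; the example keeps port 0 for those rows so that a by-port query skips them exactly as msfconsole does.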