TNA - Leblon - Avaliação de Infraestrutura

Windows Terminal Services habilitado

--> Fazer acesso remoto a estação 192.168.79.253 e printar a tela de login

Example Usage
--> nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

Script Output
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server?
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote
attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote
attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002

Terminal services com autenticação desabilitada no nível de rede

Example Usage
--> nmap -p 3389 --script rdp-enum-encryption <ip>

Script Output
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
| Security layer
| CredSSP: SUCCESS
| Native RDP: SUCCESS
| SSL: SUCCESS
| RDP Encryption level: High
| 128-bit RC4: SUCCESS
|_ FIPS 140-1: SUCCESS
Utilização de comunidade padrão do SNMP
--> nmap -sU --script snmp-brute

Example Usage
-->nmap -sU --script snmp-brute <target> [--script-args snmp-
brute.communitiesdb=<wordlist> ]

Script Output
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| dragon - Valid credentials
|_ jordan - Valid credentials

Suporte ao uso de cifras RC4 no certificado SSL

-->nmap --script ssl-enum-ciphers -p 443

Example Usage
-->nmap -sV --script ssl-enum-ciphers -p 443 <host>

Script Output
PORT STATE SERVICE REASON
443/tcp open https syn-ack
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
| Weak certificate signature: SHA1
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
|_ least strength: C

Servidor DNS Cache Snooping

-->nmap -sU -p 53 --script dns-cache-snoop.nse --script-args='nonrecursive,timed'

192.168.61.252

-->nmap -sU -p 53 --script dns-cache-snoop.nse

Example Usage
-->nmap -sU -p 53 --script=dns-recursion <target>

Script Output
PORT STATE SERVICE REASON
53/udp open domain udp-response
|_dns-recursion: Recursion appears to be enabled

Example Usage
-->nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-
snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>

Script Output
PORT STATE SERVICE REASON
53/udp open domain udp-response
| dns-cache-snoop: 10 of 100 tested domains are cached.
| www.google.com
| facebook.com
| www.facebook.com
| www.youtube.com
| yahoo.com
| twitter.com
| www.twitter.com
| www.google.com.hk
| www.google.co.uk
|_www.linkedin.com

RDP - Criptografia

nmap -p 3389 --script rdp-enum-encryption 192.168.61.252

Protocolo de criptografia desatualizado

--> sslscan 192.168.78.202:1433

Example Usage
-->nmap -sV -sC 92.168.78.202

Script Output
443/tcp open https syn-ack
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_IDEA_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5

Example Usage
-->nmap -sV --version-light --script ssl-poodle -p 443 <host>

Script Output
PORT STATE SERVICE REASON
443/tcp open https syn-ack
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 OSVDB:113251
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
| other products, uses nondeterministic CBC padding, which makes it
easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| http://osvdb.org/113251
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf

Possibilidade de negação de serviço com SNMP

--> snmp-check 192.168.79.249

--> nmap -sU --script snmp-brute 192.168.79.249

Example Usage
-->nmap -sV 192.168.79.249:161

Script Output
161/udp open snmp udp-response ttl 244 ciscoSystems SNMPv3 server (public)
| snmp-info:
| enterprise: ciscoSystems
| engineIDFormat: mac
| engineIDData: 00:d4:8c:00:11:22
| snmpEngineBoots: 6
|_ snmpEngineTime: 358d01h13m46s

Example Usage
-->nmap -sV <target>

Script Output
161/udp open snmp udp-response ttl 244 ciscoSystems SNMPv3 server (public)
| snmp-info:
| enterprise: ciscoSystems
| engineIDFormat: mac
| engineIDData: 00:d4:8c:00:11:22
| snmpEngineBoots: 6
|_ snmpEngineTime: 358d01h13m46s

Possibilidade de login via SMB

-->smbclient -L 192.168.79.253 -U guest

Example Usage
-->nmap --script smb-enum-users.nse -p445 <host>
-->nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

Script Output
Host script results:
| smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST,
IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:

| smb-enum-users:
| | RON-WIN2K-TEST\Administrator (RID: 500)
| | | Description: Built-in account for administering the computer/domain
| | |_ Flags: Password does not expire, Normal user account
| | RON-WIN2K-TEST\Guest (RID: 501)
| | | Description: Built-in account for guest access to the computer/domain
| | |_ Flags: Password not required, Password does not expire, Normal user
account
| | RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
| | | Full name: Internet Guest Account
| | | Description: Built-in account for anonymous access to Internet Information
Services
| | |_ Flags: Password not required, Password does not expire, Normal user
account
| | RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
| | | Full name: Launch IIS Process Account
| | | Description: Built-in account for Internet Information Services to start
out of process applications
| | |_ Flags: Password not required, Password does not expire, Normal user
account
| | RON-WIN2K-TEST\test1234 (RID: 1005)
| | |_ Flags: Normal user account
| | RON-WIN2K-TEST\TsInternetUser (RID: 1000)
| | | Full name: TsInternetUser
| | | Description: This user account is used by Terminal Services.
|_ |_ |_ Flags: Password not required, Password does not expire, Normal user
account

Example Usage
-->nmap --script smb-security-mode.nse -p445 127.0.0.1
-->sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1

Script Output
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

Example Usage
-->nmap -p445 --script smb-vuln-ms17-010 <target>
-->nmap -p445 --script vuln <target>

Script Output
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-
wannacrypt-attacks/

Detecção do Servidor DHCP

Example Usage
-->nmap -sU -p 67 --script=dhcp-discover <target>

Script Output
Interesting ports on 192.168.1.1:
PORT STATE SERVICE
67/udp open dhcps
| dhcp-discover:
| DHCP Message Type: DHCPACK
| Server Identifier: 192.168.1.1
| IP Address Lease Time: 1 day, 0:00:00
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
|_ Domain Name Server: 208.81.7.10, 208.81.7.14

Example Usage
-->sudo nmap --script broadcast-dhcp-discover

Script Output
| broadcast-dhcp-discover:
| IP Offered: 192.168.1.114
| DHCP Message Type: DHCPOFFER
| Server Identifier: 192.168.1.1
| IP Address Lease Time: 1 day, 0:00:00
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
| Domain Name Server: 192.168.1.1
|_ Domain Name: localdomain

Utilização de algoritmo de criptografia fraco

-->nmap -p 3389 --script ssl-enum-ciphers

Certificado SSL não confiável

Example Usage
-->nmap -p 443 --script ssl-cert-intaddr <target>

Script Output
443/tcp open https
| ssl-cert-intaddr:
| Subject commonName:
| 10.5.5.5
| Subject organizationName:
| 10.0.2.1
| 10.0.2.2
| Issuer emailAddress:
| 10.6.6.6
| X509v3 Subject Alternative Name:
|_ 10.3.4.5

Certificado SSL com hostname errado

-->sslscan --show-certificate

Example Usage
-->nmap -p 1433 --script ssl-cert-intaddr 192.168.78.202

Script Output
443/tcp open https
| ssl-cert-intaddr:
| Subject commonName:
| 10.5.5.5
| Subject organizationName:
| 10.0.2.1
| 10.0.2.2
| Issuer emailAddress:
| 10.6.6.6
| X509v3 Subject Alternative Name:
|_ 10.3.4.5

Cadeia de certificados SSL contém chaves RSA menores que 2048 bits

nmap --script=ssl-cert.nse
 Example Usage
-->nmap -sV -sC <target>

Script Output
443/tcp open https | ssl-cert: Subject:
commonName=www.paypal.com/organizationName=PayPal, Inc.\
/stateOrProvinceName=California/countryName=US | Not valid before: 2011-03-23
00:00:00 |_Not valid after: 2013-04-01 23:59:59

Example Usage
-->nmap -p 443 --script ssl-cert-intaddr <target>

Script Output
443/tcp open https | ssl-cert-intaddr: | Subject commonName: | 10.5.5.5 | Subject
organizationName: | 10.0.2.1 | 10.0.2.2 | Issuer emailAddress: | 10.6.6.6 | X509v3
Subject Alternative Name: |_ 10.3.4.5

Método de depuração habilitado - HTTP Options

Example Usage
-->nmap --script http-methods <target>
-->nmap --script http-methods --script-args http-methods.url-path='/website'
<target>

Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS

Ip-forwarding

Example Usage
sudo nmap -sn 192.168.78.254 --script ip-forwarding --script-
args='target=www.amazon.com'

Script Output
| ip-forwarding:
|_ The host has ip forwarding enabled, tried ping against (www.example.com)