Verwundbarkeitsscanner
Ziel: Bekannte Schwachstellen finden
Geeignete Tools:
Kommando ‚nmap‘ mit der Option ‚--script‘ (NSE-Skripte)
Siehe z.B.:
root@deb10srv:~# ls -l /usr/share/nmap/scripts/*rpc*
-rw-r--r-- 1 root root 4399 Jul 3 2020 /usr/share/nmap/scripts/bitcoinrpc-info.nse
-rw-r--r-- 1 root root 4409 Jul 3 2020 /usr/share/nmap/scripts/deluge-rpc-brute.nse
-rw-r--r-- 1 root root 3379 Jul 3 2020 /usr/share/nmap/scripts/metasploit-msgrpc-brute.nse
-rw-r--r-- 1 root root 3227 Jul 3 2020 /usr/share/nmap/scripts/metasploit-xmlrpc-brute.nse
-rw-r--r-- 1 root root 3235 Jul 3 2020 /usr/share/nmap/scripts/msrpc-enum.nse
-rw-r--r-- 1 root root 4100 Jul 3 2020 /usr/share/nmap/scripts/nessus-xmlrpc-brute.nse
-rw-r--r-- 1 root root 2140 Jul 3 2020 /usr/share/nmap/scripts/rpcap-brute.nse
-rw-r--r-- 1 root root 2654 Jul 3 2020 /usr/share/nmap/scripts/rpcap-info.nse
-rw-r--r-- 1 root root 8891 Jul 3 2020 /usr/share/nmap/scripts/rpc-grind.nse
-rw-r--r-- 1 root root 4488 Jul 3 2020 /usr/share/nmap/scripts/rpcinfo.nse
-rw-r--r-- 1 root root 4328 Jul 3 2020 /usr/share/nmap/scripts/xmlrpc-methods.nse
root@deb10srv:~#
root@deb10srv:~# # - metasploit (GUI: Armitage)
root@deb10srv:~#
root@deb10srv:~# # - nessus (ist nicht mehr Open Source)
root@deb10srv:~#
root@deb10srv:~# # - OpenVAS (Web-UI: Greenbone)
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# # * Client/Server-Architektur: https://en.wikipedia.org/wiki/OpenVAS
root@deb10srv:~# # * Greenbone-Assistent: https://www.bsi.bund.de/EN/Topics/Industry_CI/ICS/Tools/OpenVAS/OpenVAS_node.html
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# ## Praxisbeispiel mit nmap:
root@deb10srv:~# # => https://www.hackingtutorials.org/scanning-tutorials/scanning-for-smb-vulnerabilities-using-nmap/
root@deb10srv:~# head /usr/share/nmap/scripts/smb-enum-shares.nse
local smb = require "smb"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
description = [[
Attempts to list shares using the <code>srvsvc.NetShareEnumAll</code> MSRPC function and
retrieve more information about them using <code>srvsvc.NetShareGetInfo</code>. If access
to those functions is denied, a list of common share names are checked.
root@deb10srv:~#
root@deb-srv:~#
root@deb-srv:~# ## Unser zu untersuchendes Opfersystem:
root@deb-srv:~# lsof -iTCP:445 -Pn
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
smbd 245 root 42u IPv6 35663 0t0 TCP *:445 (LISTEN)
smbd 245 root 44u IPv4 35665 0t0 TCP *:445 (LISTEN)
cleanupd 427 root 42u IPv6 35663 0t0 TCP *:445 (LISTEN)
cleanupd 427 root 44u IPv4 35665 0t0 TCP *:445 (LISTEN)
root@deb-srv:~#
root@deb-srv:~# ip -4 addr show dev eth0
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
inet 192.168.2.233/24 brd 192.168.2.255 scope global eth0
valid_lft forever preferred_lft forever
root@deb-srv:~#
root@deb-srv:~#
root@deb10srv:~#
root@deb10srv:~# nmap --script smb-enum-shares -p445 192.168.2.233
Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-20 11:56 CEST
Nmap scan report for 192.168.2.233
Host is up (0.00012s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:16:3E:11:61:DF (Xensource)
Host script results:
| smb-enum-shares:
| account_used: <blank>
| \\192.168.2.233\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba 4.9.5-Debian)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| \\192.168.2.233\netlogon:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\sysvol\dom1.test\scripts
| Anonymous access: <none>
| \\192.168.2.233\profiles:
| Type: STYPE_DISKTREE
| Comment: Profile Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\samba\profiles
| Anonymous access: <none>
| \\192.168.2.233\sysvol:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\sysvol
|_ Anonymous access: <none>
Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds
root@deb10srv:~#
root@deb10srv:~#