Identificación de Servicios
De nuevo, un uso distinto que Nmap para realizar un escaneo de servicios en nuestra red objetivo, Metasploit también incluye una gran variedad de escaneres para distintos servicios, que ayudan a determinar servicios vulnerables que se están ejecutando en la maquina objetivo.
msf auxiliary(tcp) > search auxiliary ^scanner
[*] Searching loaded modules for pattern '^scanner'...
Auxiliary
=========
Name Description
---- -----------
scanner/db2/discovery DB2 Discovery Service Detection.
scanner/dcerpc/endpoint_mapper Endpoint Mapper Service Discovery
scanner/dcerpc/hidden Hidden DCERPC Service Discovery
scanner/dcerpc/management Remote Management Interface Discovery
scanner/dcerpc/tcp_dcerpc_auditor DCERPC TCP Service Auditor
scanner/dect/call_scanner DECT Call Scanner
scanner/dect/station_scanner DECT Base Station Scanner
scanner/discovery/arp_sweep ARP Sweep Local Network Discovery
scanner/discovery/sweep_udp UDP Service Sweeper
scanner/emc/alphastor_devicemanager EMC AlphaStor Device Manager Service.
scanner/emc/alphastor_librarymanager EMC AlphaStor Library Manager Service.
scanner/ftp/anonymous Anonymous FTP Access Detection
scanner/http/frontpage FrontPage Server Extensions Detection
scanner/http/frontpage_login FrontPage Server Extensions Login Utility
scanner/http/lucky_punch HTTP Microsoft SQL Injection Table XSS Infection
scanner/http/ms09_020_webdav_unicode_bypass MS09-020 IIS6 WebDAV Unicode Auth Bypass
scanner/http/options HTTP Options Detection
scanner/http/version HTTP Version Detection
...snip...
scanner/ip/ipidseq IPID Sequence Scanner
scanner/misc/ib_service_mgr_info Borland InterBase Services Manager Information
scanner/motorola/timbuktu_udp Motorola Timbuktu Service Detection.
scanner/mssql/mssql_login MSSQL Login Utility
scanner/mssql/mssql_ping MSSQL Ping Utility
scanner/mysql/version MySQL Server Version Enumeration
scanner/nfs/nfsmount NFS Mount Scanner
scanner/oracle/emc_sid Oracle Enterprise Manager Control SID Discovery
scanner/oracle/sid_enum SID Enumeration.
scanner/oracle/spy_sid Oracle Application Server Spy Servlet SID Enumeration.
scanner/oracle/tnslsnr_version Oracle tnslsnr Service Version Query.
scanner/oracle/xdb_sid Oracle XML DB SID Discovery
...snip...
scanner/sip/enumerator SIP username enumerator
scanner/sip/options SIP Endpoint Scanner
scanner/smb/login SMB Login Check Scanner
scanner/smb/pipe_auditor SMB Session Pipe Auditor
scanner/smb/pipe_dcerpc_auditor SMB Session Pipe DCERPC Auditor
scanner/smb/smb2 SMB 2.0 Protocol Detection
scanner/smb/version SMB Version Detection
scanner/smtp/smtp_banner SMTP Banner Grabber
scanner/snmp/aix_version AIX SNMP Scanner Auxiliary Module
scanner/snmp/community SNMP Community Scanner
scanner/ssh/ssh_version SSH Version Scannner
scanner/telephony/wardial Wardialer
scanner/tftp/tftpbrute TFTP Brute Forcer
scanner/vnc/vnc_none_auth VNC Authentication None Detection
scanner/x11/open_x11 X11 No-Auth Scanner
En el escaneo de puertos aparecieron varias maquinas con el puerto 22 TCP abierto. SSH es muy seguro pero las vulnerabilidades no son desconocidas por eso hay que recopilar tanta información como sea posible de los objetivos. Vamos a usar nuestro archivo de salida en este ejemplo, analizando el hosts con el puerto 22 abierto y pasándolo a "RHOSTS".
msf auxiliary(arp_sweep) > use scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(ssh_version) > cat subnet_1.gnmap | grep 22/open | awk '{print $2}' > /tmp/22_open.txt
[*] exec: cat subnet_1.gnmap | grep 22/open | awk '{print $2}' > /tmp/22_open.txt
msf auxiliary(ssh_version) > set RHOSTS file:/tmp/22_open.txt
RHOSTS => file:/tmp/22_open.txt
msf auxiliary(ssh_version) > set THREADS 50
THREADS => 50
msf auxiliary(ssh_version) > run
[*] 192.168.1.1:22, SSH server version: SSH-2.0-dropbear_0.52
[*] 192.168.1.137:22, SSH server version: SSH-1.99-OpenSSH_4.4
[*] Auxiliary module execution completed
Servidores FTP configurados pobremente pueden frecuentemente ser el punto de apoyo que se necesita para ganar acceso a una red entera por eso siempre hay que verificar si el acceso anónimo esta permitido en cualquier puerto FTP abierto el cual usualmente es el puerto TCP 21. Vamos a establecer los THREADS en 10 ya que vamos a escaner un rango de 10 hosts.
msf > use scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 192.168.1.20-192.168.1.30
RHOSTS => 192.168.1.20-192.168.1.30
msf auxiliary(anonymous) > set THREADS 10
THREADS => 10
msf auxiliary(anonymous) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(anonymous) > run
[*] 192.168.1.23:21 Anonymous READ (220 (vsFTPd 1.1.3))
[*] Recording successful FTP credentials for 192.168.1.23
[*] Auxiliary module execution completed
En un corto periodo de tiempo y con muy poco trabajo, hemos podido adquirir una gran informacion sobre los hosts que residen en nuestra red lo que nos da una vision mucho mejor a que nos enfretamos cuando realizamos nuestra prueba de penetracion.
© Offensive Security 2009
NOTA:
"
"