
To find vulnerabilities

// Here we tell nmap that we want to check for SMB-type vulnerabilities, which is a type of malicious code
nmap -p 139,445 --script smb-check-vulns --script-args=unsafe=1 192.168.1.15
Nmap scan report for 192.168.1.15
Host is up (0.0036s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 18.22 seconds

Search for vulnerabilities in the Remote Desktop Protocol service


[heloel@manjaro ~]$ nmap -p 3389 --script rdp-vuln-ms12-020 192.168.1.15
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-04 12:31 CDT
Nmap scan report for 192.168.1.15
Host is up (0.049s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     Description:
|       Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|       Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
Nmap done: 1 IP address (1 host up) scanned in 14.72 seconds
In case it is not vulnerable:
[heloel@manjaro ~]$ nmap -p 3389 --script rdp-vuln-ms12-020 192.168.1.12
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-04 12:33 CDT
Nmap scan report for 192.168.1.12
Host is up (0.0055s latency).
PORT     STATE  SERVICE
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds
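The two NSE output layouts shown above (the one-line "Name: STATE" list from smb-check-vulns and the multi-line block with State, IDs and Risk factor from rdp-vuln-ms12-020) are what a scan of a whole subnet produces in bulk, and reading them by eye does not scale. The parser below is an added example written for these notes in Python; it is not part of Nmap and not the author's code. It reads saved scan output in both layouts, keeps host, CVE and CVSSv2 score per finding, and ranks the VULNERABLE ones for patching. The sample text is re-typed from the captures above (the Description and References sections of the RDP block are left out of the sample; the parser skips them anyway).

```python
import re

# Constructed sample: the two NSE result layouts shown in these notes, with
# hosts, CVEs and scores copied from the captures above.
SMB_CHECK_VULNS = """\
Nmap scan report for 192.168.1.15
Host is up (0.0036s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
"""

RDP_VULN = """\
Nmap scan report for 192.168.1.15
Host is up (0.049s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     Disclosure date: 2012-03-13
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|_    Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SHORT_RE = re.compile(
    r"^(?P<name>.+?): (?P<state>(?:VULNERABLE|NOT VULNERABLE|Likely CLEAN|NO SERVICE).*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVSS_RE = re.compile(r"CVSSv2: (\d+(?:\.\d+)?)")


def _bucket(state):
    """Map an NSE state string to a triage bucket."""
    s = state.upper()
    if s.startswith("NOT VULNERABLE") or "CLEAN" in s:
        return "clean"
    if s.startswith("NO SERVICE"):
        return "not_applicable"
    if s.startswith("VULNERABLE"):
        return "vulnerable"
    return "unknown"


def parse_nse_vulns(text):
    """Return one dict per finding from saved nmap output (both NSE layouts)."""
    findings, host, current = [], None, None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, current = m.group(1), None
            continue
        if not raw.startswith("|"):
            continue                      # not a script-output line
        body = raw[2:]                    # drop the "| " or "|_" prefix
        depth = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if not line or line.endswith(":"):
            continue                      # script name or section header
        if depth == 2:
            sm = SHORT_RE.match(line)
            if sm:                        # one-line "Name: STATE" entry
                findings.append({"host": host, "name": sm.group("name"),
                                 "state": sm.group("state"),
                                 "cve": CVE_RE.findall(sm.group("name")),
                                 "cvss": None, "bucket": _bucket(sm.group("state"))})
                current = None
            else:                         # title line of a multi-line block
                current = {"host": host, "name": line, "state": None,
                           "cve": [], "cvss": None, "bucket": "unknown"}
                findings.append(current)
        elif depth == 4 and current is not None:
            if line.startswith("State:"):
                current["state"] = line.split(":", 1)[1].strip()
                current["bucket"] = _bucket(current["state"])
            elif line.startswith("IDs:"):
                current["cve"] = CVE_RE.findall(line)
            elif line.startswith("Risk factor:"):
                cm = CVSS_RE.search(line)
                if cm:
                    current["cvss"] = float(cm.group(1))
    return findings


def triage(findings):
    """Vulnerable findings only, highest CVSS first; unscored ones last."""
    vuln = [f for f in findings if f["bucket"] == "vulnerable"]
    return sorted(vuln, key=lambda f: float("inf") if f["cvss"] is None else -f["cvss"])


if __name__ == "__main__":
    for f in triage(parse_nse_vulns(SMB_CHECK_VULNS + RDP_VULN)):
        print(f["host"], f["cvss"], ",".join(f["cve"]) or "-", f["name"])
```

Feeding the output of `nmap -oN scan.txt ...` for many hosts into `parse_nse_vulns` gives one record per host and finding, so the same ranking works across a subnet; MS08-067 has no CVSS line in the smb-check-vulns layout and is therefore ranked last, not dropped.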
Shows us all the plugins that the WordPress-based site runs:
[heloel@manjaro ~]$ nmap -p 80 --script http-wordpress-plugins --script-args=http-wordpress-enum-.basepath=/wp/ 192.168.1.66
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-04 12:44 CDT
Nmap scan report for 192.168.1.66
Host is up (0.0028s latency).
PORT STATE SERVICE
80/tcp open http
|_http-wordpress-plugins: nothing found amongst the 100 most popular plugins, use --script-args http-wordpress-plugins.search=<number|all> for deeper analysis)
Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds
Shows you whether it is linked to phpMyAdmin:
[heloel@manjaro ~]$ nmap -P0 -p 80 --script http-enum 192.168.1.66
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-04 12:52 CDT
Nmap scan report for 192.168.1.66
Host is up (0.071s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /phpmyadmin/: phpMyAdmin
|_ /manual/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
=========================== Enumeration

We can pull out users, shared files and the machine name. If the machine is joined to a domain server, you can pull out all of those users. Resources.
User: pruebas contador
Pass: Pru3b45 Contabile5.
rpcclient -U 'Pruebas%Pru3b45.' 192.168.1.15 -c srvinfo
// we had already seen this one.
In some places they have the habit of always requesting every privilege.
Shows all the services running on Windows:
net rpc service list -I 192.168.1.12 -U 'hdddevel%Develope5.'
[heloel@manjaro ~]$ net rpc service list -I 192.168.1.12 -U 'hdddevel%Develope5.'
invalid ownership on directory /var/cache/samba/lck
ADWS
"Active Directory Web Services"
AeLookupSvc
"Application Experience"
ALG
"Application Layer Gateway Service"
AppHostSvc
"Application Host Helper Service"
.........
To see the shared resources:
smbclient -L 192.168.1.15 -U 'Pruebas%Pru3b45.'
Shared by default on Windows:
[heloel@manjaro ~]$ smbclient -L 192.168.1.15 -U 'Pruebas%Pru3b45.'
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH03] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]

        Sharename            Type      Comment
        ---------            ----      -------
        print$               Disk      Printer Drivers
        C$                   Disk      Default share
        HPColorLaserJet8500  Printer   Solo para el sistema
        IPC$                 IPC       Remote IPC
        ADMIN$               Disk      Remote Admin
        SYSVOL               Disk      Logon server share
        DocsPublic           Disk      Publico
        NETLOGON             Disk      Logon server share
Domain=[CEH03] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]

        Server               Comment
        ---------            -------
        PRUEBAS-X97KJYY

        Workgroup            Master
        ---------            -------
        CEH03                PRUEBAS-X97KJYY
        WORKGROUP            LOCALHOST

Supposedly it has nothing shared:


[heloel@manjaro ~]$ smbclient -L 192.168.1.12 -U 'hdddevel%Develope5.'
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH12] OS=[Windows Server 2012 R2 Standard Evaluation 9600] Server=[Windows Server 2012 R2 Standard Evaluation 6.3]

        Sharename            Type      Comment
        ---------            ----      -------
        ADMIN$               Disk      Remote Admin
        C$                   Disk      Default share
        IPC$                 IPC       Remote IPC
        NETLOGON             Disk      Logon server share
        SYSVOL               Disk      Logon server share
Connection to 192.168.1.12 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
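Both share listings above follow the same pattern: the hidden administrative shares Windows creates itself (ADMIN$, C$, IPC$, print$), the two shares that only a domain controller exposes (SYSVOL, NETLOGON), and, on the 2003 host, one share somebody created (DocsPublic). From the defender's side that last group is what deserves an ACL review. The script below is an added example in Python, not from these notes and not part of Samba; it parses the `smbclient -L` table and the OS banner and separates the three groups. The sample text is re-typed from the first listing above.

```python
import re

# Constructed sample: the share table printed by "smbclient -L" for the
# Windows Server 2003 host above, re-typed from these notes.
SHARE_LIST = """\
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH03] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]

\tSharename            Type      Comment
\t---------            ----      -------
\tprint$               Disk      Printer Drivers
\tC$                   Disk      Default share
\tHPColorLaserJet8500  Printer   Solo para el sistema
\tIPC$                 IPC       Remote IPC
\tADMIN$               Disk      Remote Admin
\tSYSVOL               Disk      Logon server share
\tDocsPublic           Disk      Publico
\tNETLOGON             Disk      Logon server share
Domain=[CEH03] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]

\tServer               Comment
\t---------            -------
\tPRUEBAS-X97KJYY
"""

ROW_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer)\s*(?P<comment>.*)$")
BANNER_RE = re.compile(r"OS=\[(?P<os>[^\]]*)\]")

DEFAULT_ADMIN = {"ADMIN$", "IPC$", "print$"}     # created by Windows itself
DC_SHARES = {"SYSVOL", "NETLOGON"}               # only a domain controller has these


def classify_share(name, share_type):
    """Bucket a share so the custom ones stand out for an ACL review."""
    if share_type == "Printer":
        return "printer"
    if name in DEFAULT_ADMIN or re.fullmatch(r"[A-Za-z]\$", name):
        return "admin_default"                   # C$, D$, ADMIN$, IPC$, print$
    if name in DC_SHARES:
        return "domain_controller"
    return "custom"                              # somebody created it on purpose


def parse_share_list(text):
    """Parse the 'Sharename / Type / Comment' table and the OS banner."""
    os_banner, shares, in_table = None, [], False
    for line in text.splitlines():
        b = BANNER_RE.search(line)
        if b:
            os_banner = os_banner or b.group("os")
            in_table = False                     # a banner line closes the table
            continue
        stripped = line.strip()
        if stripped.startswith("Sharename"):
            in_table = True
            continue
        if not in_table:
            continue
        if not stripped:
            in_table = False                     # a blank line closes the table
            continue
        if stripped.startswith("---"):
            continue
        m = ROW_RE.match(line)                   # share names containing spaces are not handled
        if m:
            shares.append({"name": m.group("name"), "type": m.group("type"),
                           "comment": m.group("comment").strip(),
                           "class": classify_share(m.group("name"), m.group("type"))})
    return {"os": os_banner, "shares": shares}


def review(parsed):
    """What a defender wants from the listing: host role and the non-default shares."""
    names = {s["name"] for s in parsed["shares"]}
    return {
        "os": parsed["os"],
        "is_domain_controller": DC_SHARES <= names,
        "custom_shares": [s["name"] for s in parsed["shares"] if s["class"] == "custom"],
    }


if __name__ == "__main__":
    print(review(parse_share_list(SHARE_LIST)))
```

Run against the second listing above, `custom_shares` comes back empty and `is_domain_controller` is still true, which matches the note that the 2012 R2 host "supposedly has nothing shared": the administrative and DC shares are there regardless, and it is the ACLs on them, not their presence, that decides who can read C$.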
We leave no mapping trace and see what is there.
[heloel@manjaro ~]$ smbclient //192.168.1.18/publico -U 'Pruebas%Pru3b45.' -c dir
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH08] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
  .                                   D        0  Tue Aug  4 12:43:19 2015
  ..                                  D        0  Tue Aug  4 12:43:19 2015
  file.txt                            A       39  Sat Jun 27 15:29:35 2015
  inatel                              D        0  Tue Aug  4 12:42:33 2015
  pdfobjflow.dot                      A      282  Tue Aug  4 12:43:19 2015
  yomero                              D        0  Sat Jun 27 15:28:23 2015

                15728127 blocks of size 4096. 13160401 blocks available
To find out whether you can write:
smbclient //192.168.1.18/publico/ -U 'Pruebas%Pru3b45.' -c 'mkdir segmaster'
Upload a file:
smbclient //192.168.1.18/publico -U 'Pruebas%Pru3b45.' -c 'put heloel.txt'
Download a file:
smbclient //192.168.1.18/publico -U 'Pruebas%Pru3b45.' -c 'get heloel.txt'
To see the drive, which is supposedly not shared:
[heloel@manjaro ~]$ smbclient //192.168.1.18/c$ -U 'Pruebas%Pru3b45.' -c dir
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH08] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
  $Recycle.Bin                      DHS        0  Mon Jul 13 21:34:39 2009
  Boot                              DHS        0  Wed Feb 18 14:31:22 2015
  bootmgr                          AHSR   383786  Sat Nov 20 21:24:02 2010
  BOOTSECT.BAK                     AHSR     8192  Wed Feb 18 14:31:22 2015
  brasil                              D        0  Fri Feb 20 09:55:10 2015
  ceh-inter                           D        0  Thu Feb 19 21:33:28 2015
  Documents and Settings            DHS        0  Tue Jul 14 00:06:44 2009
  inatel                              D        0  Tue Aug  4 12:48:13 2015
  inetpub                             D        0  Fri May  1 23:55:02 2015
  pagefile.sys                      AHS 2146881536  Fri Sep  4 13:14:08 2015
  PerfLogs                            D        0  Mon Jul 13 22:20:08 2009
  Program Files                      DR        0  Wed Feb 18 13:42:49 2015
  Program Files (x86)                DR        0  Wed Feb 18 13:42:50 2015
  ProgramData                        DH        0  Wed Feb 18 13:58:17 2015
  Recovery                          DHS        0  Wed Feb 18 12:33:57 2015
  System Volume Information         DHS        0  Wed Feb 18 13:42:54 2015
  Users                              DR        0  Wed Feb 18 13:20:51 2015
  voip.log                            A  2076478  Tue May  5 09:31:05 2015
  Windows                             D        0  Wed Feb 18 15:50:18 2015
  wwww                                D        0  Sat Jun 27 15:34:17 2015

                15728127 blocks of size 4096. 13159734 blocks available


When access is denied:
[heloel@manjaro ~]$ smbclient //192.168.1.15/c$ -U 'Pruebas%Pru3b45.' -c dir
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH03] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
[heloel@manjaro ~]$ smbclient //192.168.1.12/c$ -U 'hdddevel%Develop5.' -c dir
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
session setup failed: NT_STATUS_LOGON_FAILURE
When we go into a folder:
[heloel@manjaro ~]$ smbclient //192.168.1.12/c$ -U 'hdddevel%Develope5.' -c 'dir Users/*'
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH12] OS=[Windows Server 2012 R2 Standard Evaluation 9600] Server=[Windows Server 2012 R2 Standard Evaluation 6.3]
  .                                  DR        0  Sat Aug  1 15:48:23 2015
  ..                                 DR        0  Sat Aug  1 15:48:23 2015
  .NET v4.5                           D        0  Wed Jul 29 22:25:12 2015
  .NET v4.5 Classic                   D        0  Wed Jul 29 22:25:11 2015
  Administrator                       D        0  Fri Aug 28 13:32:42 2015
  All Users                         DHS        0  Thu Aug 22 09:48:41 2013
  Default                           DHR        0  Thu Aug 22 11:16:29 2013
  Default User                      DHS        0  Thu Aug 22 09:48:41 2013
  desktop.ini                       AHS      174  Thu Aug 22 10:37:57 2013
  MSSQLSERVER                         D        0  Fri Aug 28 13:30:03 2015
  Public                             DR        0  Thu Aug 22 10:39:32 2013

                20881407 blocks of size 4096. 16731697 blocks available
It lets you in as if it were a cmd, but it cannot run commands, only the ones we have seen previously.
[heloel@manjaro ~]$ smbclient //192.168.1.18/c$ -U 'Pruebas%Pru3b45.'
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH08] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
smb: \> ls
  $Recycle.Bin                      DHS        0  Mon Jul 13 21:34:39 2009
  Boot                              DHS        0  Wed Feb 18 14:31:22 2015
  bootmgr                          AHSR   383786  Sat Nov 20 21:24:02 2010
  BOOTSECT.BAK                     AHSR     8192  Wed Feb 18 14:31:22 2015
  brasil                              D        0  Fri Feb 20 09:55:10 2015
  ceh-inter                           D        0  Thu Feb 19 21:33:28 2015
  Documents and Settings            DHS        0  Tue Jul 14 00:06:44 2009
  fsociety.dat                        A       90  Fri Sep  4 13:38:16 2015
  holi.txt                            D        0  Fri Sep  4 13:38:33 2015
  inatel                              D        0  Tue Aug  4 12:48:13 2015
  inetpub                             D        0  Fri May  1 23:55:02 2015
  jorge                               D        0  Fri Sep  4 13:38:05 2015
  p$#$4                               D        0  Fri Sep  4 13:39:53 2015
  pagefile.sys                      AHS 2146881536  Fri Sep  4 13:14:08 2015
  PerfLogs                            D        0  Mon Jul 13 22:20:08 2009
  Program Files                      DR        0  Wed Feb 18 13:42:49 2015
  Program Files (x86)                DR        0  Wed Feb 18 13:42:50 2015
  ProgramData                        DH        0  Wed Feb 18 13:58:17 2015
  Recovery                          DHS        0  Wed Feb 18 12:33:57 2015
  System Volume Information         DHS        0  Wed Feb 18 13:42:54 2015
  Users                              DR        0  Wed Feb 18 13:20:51 2015
  voip.log                            A  2076478  Tue May  5 09:31:05 2015
  Windows                             D        0  Wed Feb 18 15:50:18 2015
  wwww                                D        0  Sat Jun 27 15:34:17 2015

                15728127 blocks of size 4096. 13159733 blocks available
smb: \>
When you want to enter a folder whose name has special characters:
[heloel@manjaro ~]$ smbclient //192.168.1.18/c$ -U 'Pruebas%Pru3b45.'
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH08] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
smb: \> cd "Program Files"
smb: \Program Files\> ^C
Mail SMTP: enumeration can be done on it as well.
The SNMP service is for network monitoring: seeing how many bits go in and out of each device.
Servers and their resources are monitored with it too.
Since it is an open protocol, anyone can talk to SNMP.
It has to be redirected to a file because the output does not fit on the screen:
snmpwalk -v 2c -c public 192.168.1.18
The part that interests us tells us what hardware the device has:
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (87187) 0:14:31.87
HOST-RESOURCES-MIB::hrSystemDate.0 = STRING: 2015-9-4,14:31:20.3
HOST-RESOURCES-MIB::hrSystemInitialLoadDevice.0 = INTEGER: 0
HOST-RESOURCES-MIB::hrSystemInitialLoadParameters.0 = ""
HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 1
HOST-RESOURCES-MIB::hrSystemProcesses.0 = Gauge32: 40
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = INTEGER: 0
HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 2096564 KBytes
HOST-RESOURCES-MIB::hrStorageIndex.1 = INTEGER: 1
HOST-RESOURCES-MIB::hrStorageIndex.2 = INTEGER: 2
HOST-RESOURCES-MIB::hrStorageIndex.3 = INTEGER: 3
HOST-RESOURCES-MIB::hrStorageIndex.4 = INTEGER: 4
HOST-RESOURCES-MIB::hrStorageType.1 = OID: HOST-RESOURCES-TYPES::hrStorageRemovableDisk
HOST-RESOURCES-MIB::hrStorageType.2 = OID: HOST-RESOURCES-TYPES::hrStorageFixedDisk
HOST-RESOURCES-MIB::hrStorageType.3 = OID: HOST-RESOURCES-TYPES::hrStorageVirtualMemory
HOST-RESOURCES-MIB::hrStorageType.4 = OID: HOST-RESOURCES-TYPES::hrStorageRam
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: A:\\
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: C:\\ Label:  Serial Number eca64393
HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual Memory
HOST-RESOURCES-MIB::hrStorageDescr.4 = STRING: Physical Memory
HOST-RESOURCES-MIB::hrStorageAllocationUnits.1 = INTEGER: 0 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.2 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.3 = INTEGER: 65536 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.4 = INTEGER: 65536 Bytes

HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 0
HOST-RESOURCES-MIB::hrStorageSize.2 = INTEGER: 15728127
HOST-RESOURCES-MIB::hrStorageSize.3 = INTEGER: 65517
HOST-RESOURCES-MIB::hrStorageSize.4 = INTEGER: 32758
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 0
HOST-RESOURCES-MIB::hrStorageUsed.2 = INTEGER: 2568888
HOST-RESOURCES-MIB::hrStorageUsed.3 = INTEGER: 9026
HOST-RESOURCES-MIB::hrStorageUsed.4 = INTEGER: 8296
HOST-RESOURCES-MIB::hrStorageAllocationFailures.1 = Counter32: 0
HOST-RESOURCES-MIB::hrStorageAllocationFailures.2 = Counter32: 0
HOST-RESOURCES-MIB::hrStorageAllocationFailures.3 = Counter32: 0
HOST-RESOURCES-MIB::hrStorageAllocationFailures.4 = Counter32: 0
HOST-RESOURCES-MIB::hrDeviceIndex.1 = INTEGER: 1

Running processes:
HOST-RESOURCES-MIB::hrSWRunName.240 = STRING: "smss.exe"
HOST-RESOURCES-MIB::hrSWRunName.320 = STRING: "csrss.exe"
HOST-RESOURCES-MIB::hrSWRunName.328 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.372 = STRING: "wininit.exe"
HOST-RESOURCES-MIB::hrSWRunName.392 = STRING: "csrss.exe"
HOST-RESOURCES-MIB::hrSWRunName.440 = STRING: "winlogon.exe"
HOST-RESOURCES-MIB::hrSWRunName.460 = STRING: "services.exe"
HOST-RESOURCES-MIB::hrSWRunName.476 = STRING: "lsass.exe"
HOST-RESOURCES-MIB::hrSWRunName.484 = STRING: "lsm.exe"
HOST-RESOURCES-MIB::hrSWRunName.672 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.748 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.772 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.800 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.844 = STRING: "LogonUI.exe"
HOST-RESOURCES-MIB::hrSWRunName.892 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.968 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1012 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1260 = STRING: "spoolsv.exe"
HOST-RESOURCES-MIB::hrSWRunName.1292 = STRING: "Microsoft.ActiveDirectory.WebServices.exe"
HOST-RESOURCES-MIB::hrSWRunName.1324 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1356 = STRING: "dfsrs.exe"
HOST-RESOURCES-MIB::hrSWRunName.1376 = STRING: "dns.exe"
HOST-RESOURCES-MIB::hrSWRunName.1408 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1452 = STRING: "inetinfo.exe"
HOST-RESOURCES-MIB::hrSWRunName.1492 = STRING: "ismserv.exe"
HOST-RESOURCES-MIB::hrSWRunName.1544 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1632 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1652 = STRING: "snmp.exe"
HOST-RESOURCES-MIB::hrSWRunName.1672 = STRING: "vmtoolsd.exe"
HOST-RESOURCES-MIB::hrSWRunName.1736 = STRING: "svchost.exe"
Processes, their paths and their parameters:
HOST-RESOURCES-MIB::hrSWRunPath.1652 = STRING: "C:\\Windows\\System32\\"
HOST-RESOURCES-MIB::hrSWRunPath.1672 = STRING: "C:\\Program Files\\VMware\\VMware Tools\\"
HOST-RESOURCES-MIB::hrSWRunPath.1736 = STRING: "C:\\Windows\\system32\\"
HOST-RESOURCES-MIB::hrSWRunPath.1764 = STRING: "C:\\Windows\\system32\\wlms\\"
HOST-RESOURCES-MIB::hrSWRunPath.1840 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2180 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2280 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2336 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2424 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2628 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2856 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.4 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.240 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.320 = STRING: "ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:User"
HOST-RESOURCES-MIB::hrSWRunParameters.328 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.372 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.392 = STRING: "ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:User"
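The hrSystem*, hrStorage* and hrSWRun* rows above are the point of this section: with the community string "public" a host hands out its memory size, disks, process list and executable paths to anyone who asks. The script below is an added example in Python (not part of net-snmp, not from these notes) that reads a saved snmpwalk capture, joins hrSWRunName, hrSWRunPath and hrSWRunParameters by process index, and infers the server's roles from the process names, which is exactly the exposure a defender is measuring when deciding whether SNMP v2c with a default community may stay enabled. The sample rows are re-typed from the capture above; the role table is the example's own assumption.

```python
import re

# Constructed sample: hrSWRun* rows re-typed from the snmpwalk capture above
# (community "public", the Windows Server 2008 R2 host at 192.168.1.18).
SNMPWALK = r"""HOST-RESOURCES-MIB::hrSystemProcesses.0 = Gauge32: 40
HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 2096564 KBytes
HOST-RESOURCES-MIB::hrSWRunName.320 = STRING: "csrss.exe"
HOST-RESOURCES-MIB::hrSWRunName.476 = STRING: "lsass.exe"
HOST-RESOURCES-MIB::hrSWRunName.1292 = STRING: "Microsoft.ActiveDirectory.WebServices.exe"
HOST-RESOURCES-MIB::hrSWRunName.1376 = STRING: "dns.exe"
HOST-RESOURCES-MIB::hrSWRunName.1452 = STRING: "inetinfo.exe"
HOST-RESOURCES-MIB::hrSWRunName.1492 = STRING: "ismserv.exe"
HOST-RESOURCES-MIB::hrSWRunName.1652 = STRING: "snmp.exe"
HOST-RESOURCES-MIB::hrSWRunName.1672 = STRING: "vmtoolsd.exe"
HOST-RESOURCES-MIB::hrSWRunName.1736 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunPath.1652 = STRING: "C:\\Windows\\System32\\"
HOST-RESOURCES-MIB::hrSWRunPath.1672 = STRING: "C:\\Program Files\\VMware\\VMware Tools\\"
HOST-RESOURCES-MIB::hrSWRunPath.1736 = STRING: "C:\\Windows\\system32\\"
HOST-RESOURCES-MIB::hrSWRunParameters.320 = STRING: "ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:User"
"""

SWRUN_RE = re.compile(
    r"^HOST-RESOURCES-MIB::(?P<obj>hrSWRunName|hrSWRunPath|hrSWRunParameters)"
    r"\.(?P<pid>\d+) = (?P<val>.*)$")
SCALAR_RE = re.compile(
    r"^HOST-RESOURCES-MIB::(?P<obj>hrSystemProcesses|hrMemorySize)\.0 = \w+: (?P<val>\d+)")
FIELD = {"hrSWRunName": "name", "hrSWRunPath": "path", "hrSWRunParameters": "params"}

# Assumed mapping from well-known Windows process names to a server role.
ROLE_HINTS = {
    "dns.exe": "dns-server",
    "Microsoft.ActiveDirectory.WebServices.exe": "domain-controller",
    "ismserv.exe": "domain-controller",
    "inetinfo.exe": "web-server",
    "vmtoolsd.exe": "vmware-guest",
}


def _unquote(val):
    """snmpwalk prints STRING values in quotes with backslashes doubled."""
    if val.startswith("STRING: "):
        val = val[len("STRING: "):]
    return val.strip('"').replace("\\\\", "\\")


def process_inventory(walk):
    """Join hrSWRunName/Path/Parameters rows by process index (the PID)."""
    procs, scalars = {}, {}
    for line in walk.splitlines():
        s = SCALAR_RE.match(line)
        if s:
            scalars[s.group("obj")] = int(s.group("val"))
            continue
        m = SWRUN_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        entry = procs.setdefault(pid, {"pid": pid, "name": "", "path": "", "params": ""})
        entry[FIELD[m.group("obj")]] = _unquote(m.group("val"))
    return {"scalars": scalars, "processes": [procs[p] for p in sorted(procs)]}


def infer_roles(inventory):
    """Roles an anonymous SNMP reader can deduce from the process names alone."""
    return sorted({ROLE_HINTS[p["name"]] for p in inventory["processes"]
                   if p["name"] in ROLE_HINTS})


if __name__ == "__main__":
    inv = process_inventory(SNMPWALK)
    print(inv["scalars"], infer_roles(inv))
    for p in inv["processes"]:
        print(f'{p["pid"]:>6}  {p["name"]:<45} {p["path"]}')
```

The roles come out as DNS server, domain controller, IIS web server and VMware guest for a host that was never logged into, which is the argument for restricting SNMP to the monitoring station's address and replacing the "public" community (or moving to v3, which the notes say encrypts) rather than leaving v2c open to the whole segment.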
There are v1, v2c and v3; almost nobody supports the last one, but it encrypts. Most support 2c, and version v1 is still compatible.
It depends on the model; it could be Linksys or Cisco and so on.
What would not support it is the operating system, such as Windows, Cisco IOS, etc.
DNS
Relationship: machine - IP
See all the domains under the itesm.mx name:
dnsenum --enum -f /usr/share/doc/dnsenum-1.2.4.1/dns.txt -r itesm.mx
saep.itesm.mx.                          3600  IN  CNAME  prod58ms.itesm.
sageci.itesm.mx.                        3600  IN  A      131.178.26.34
sal.itesm.mx.                           3600  IN  NS     internaldns.sal
internaldns.sal.itesm.mx.               3600  IN  A      10.32.158.2
sampe.itesm.mx.                         3600  IN  CNAME  prod79ms.itesm.
sani01.itesm.mx.                        3600  IN  A      132.254.8.21
sanib01.itesm.mx.                       3600  IN  A      132.254.7.21
sanipprd01.itesm.mx.                    3600  IN  CNAME  pprd10ws.itesm.
sappa.itesm.mx.                         3600  IN  CNAME  prod025ws04.ite
sar.itesm.mx.                           3600  IN  A      10.2.40.134
scanner.itesm.mx.                       3600  IN  A      131.178.53.15
sce.itesm.mx.                           3600  IN  A      10.2.27.216
sdm.itesm.mx.                           3600  IN  CNAME  v19prod156ws.it
seguros.itesm.mx.                       3600  IN  A      10.2.40.215
selfserviceapptest.itesm.mx.            3600  IN  A      10.2.27.95
semanai.itesm.mx.                       3600  IN  A      184.106.55.106
servicioencuestas.itesm.mx.             3600  IN  A      10.2.27.127
servicios.itesm.mx.                     3600  IN  A      10.2.18.239
servicios.itesm.mx.                     3600  IN  MX     5
servicios.itesm.mx.                     3600  IN  MX     5
recibircfd.pruebas.servicios.itesm.mx.  3600  IN  A      10.2.40.61
recibircfd.servicios.itesm.mx.          3600  IN  A      10.2.40.12
(the record data column is cut off in the capture)
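What stands out in the dnsenum output above is not the hostnames but the addresses: many of the A records point into 10.0.0.0/8, so the public zone is carrying internal addressing (and an NS record whose target lives in private space). The script below is an added example in Python, not from these notes and not part of dnsenum; it parses records in the "name TTL IN TYPE data" layout and reports the ones a defender would move to an internal-only (split-horizon) zone. The sample rows are a subset of the listing above; the NS target is written out in full as internaldns.sal.itesm.mx., which is an assumption, since the capture truncates it.

```python
import ipaddress
import re

# Constructed sample: a subset of the itesm.mx records listed above. The NS
# record's target is assumed to be internaldns.sal.itesm.mx. (the capture
# cuts the data column off).
ZONE_RECORDS = """\
sageci.itesm.mx.                   3600  IN  A      131.178.26.34
sal.itesm.mx.                      3600  IN  NS     internaldns.sal.itesm.mx.
internaldns.sal.itesm.mx.          3600  IN  A      10.32.158.2
sani01.itesm.mx.                   3600  IN  A      132.254.8.21
scanner.itesm.mx.                  3600  IN  A      131.178.53.15
sce.itesm.mx.                      3600  IN  A      10.2.27.216
semanai.itesm.mx.                  3600  IN  A      184.106.55.106
servicios.itesm.mx.                3600  IN  A      10.2.18.239
recibircfd.servicios.itesm.mx.     3600  IN  A      10.2.40.12
"""

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S.*?)\s*$")


def parse_records(text):
    """One dict per 'name TTL IN TYPE data' line; anything else is skipped."""
    out = []
    for line in text.splitlines():
        m = RR_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ttl"] = int(rec["ttl"])
            out.append(rec)
    return out


def summary(records):
    """Record count per type, to see what the zone is mostly made of."""
    counts = {}
    for r in records:
        counts[r["type"]] = counts.get(r["type"], 0) + 1
    return counts


def private_address_records(records):
    """A records whose address is private (RFC 1918 etc.): internal addressing
    leaking through a zone that answers the whole Internet."""
    leaks = []
    for r in records:
        if r["type"] != "A":
            continue
        try:
            ip = ipaddress.ip_address(r["data"])
        except ValueError:
            continue                    # malformed data, not an address
        if ip.is_private:
            leaks.append((r["name"], r["data"]))
    return leaks


def nameservers_on_private_space(records):
    """NS records whose target resolves (within this zone) to a private address."""
    a_by_name = {r["name"]: r["data"] for r in records if r["type"] == "A"}
    hits = []
    for r in records:
        if r["type"] == "NS":
            target_ip = a_by_name.get(r["data"])
            if target_ip and ipaddress.ip_address(target_ip).is_private:
                hits.append((r["name"], r["data"], target_ip))
    return hits


if __name__ == "__main__":
    recs = parse_records(ZONE_RECORDS)
    print(summary(recs))
    for name, ip in private_address_records(recs):
        print("private address in public zone:", name, ip)
    for zone, ns, ip in nameservers_on_private_space(recs):
        print("delegation to private-space nameserver:", zone, ns, ip)
```

The same functions accept the full dnsenum listing once its lines are in the four-column layout; a zone in which `private_address_records` returns nothing is the expected state for an authoritative server facing the Internet.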

Get the Active Directory: what the tree is called
ldapsearch -x -h 192.168.1.18 -p 389 -b '' -s base namingContexts
[heloel@manjaro ~]$ ldapsearch -x -h 192.168.1.18 -p 389 -b '' -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=ceh08,DC=org,DC=mx
namingContexts: CN=Configuration,DC=ceh08,DC=org,DC=mx
namingContexts: CN=Schema,CN=Configuration,DC=ceh08,DC=org,DC=mx
namingContexts: DC=DomainDnsZones,DC=ceh08,DC=org,DC=mx
namingContexts: DC=ForestDnsZones,DC=ceh08,DC=org,DC=mx

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Now we use it:
[heloel@manjaro ~]$ ldapsearch -LLL -H ldap://192.168.1.18:389 -b 'dc=ceh08,dc=org,dc=mx' -D 'CEH08\Pruebas' -w 'Pru3b45.' > info.txt
and dump it to a file.
It contains users and devices, among many other things.
The strength of a password lies in its length, not in whether you use all the character types.
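The claim that length matters more than character classes can be put in numbers: a brute-force search space is alphabet_size ** length, so its size in bits is length * log2(alphabet_size), and extra characters multiply it while an extra class only widens the alphabet. The block below is an added example in Python, not from these notes; it estimates the alphabet an attacker must assume from the classes a password visibly uses and compares the lab password from these notes against a longer all-lowercase one. The estimate assumes each position was chosen at random, so for dictionary words it is an upper bound.

```python
import math
import string

# Character classes an attacker has to assume are in play once a password is
# seen to contain one member of the class.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password):
    """Size of the alphabet a brute-force search must cover for this password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def entropy_bits(password):
    """log2 of the search space: length * log2(alphabet). Assumes a random
    choice per position, so it is an upper bound for words and patterns."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def rank(passwords):
    """Passwords ordered by estimated search space, strongest first."""
    return sorted(passwords, key=entropy_bits, reverse=True)


if __name__ == "__main__":
    # Constructed comparison: the 8-character lab password from these notes,
    # a 20-character all-lowercase passphrase and a 12-character mixed one.
    for pw in rank(["Pru3b45.", "correctbatterystaple", "Tr0ub4dor&3x"]):
        print(f"{pw:22} alphabet={charset_size(pw):3} bits={entropy_bits(pw):5.1f}")
```

Eight characters drawn from all four classes give about 52 bits; twenty lowercase letters give about 94 bits, and every added letter adds another 4.7. The caveat is that a passphrase built from dictionary words is weaker than this formula says, because the attacker searches over words rather than letters; the ordering between length and class count still holds.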

IEEE 2007 journal: keyboard key resonance used to obtain information


More information on nmap at: nmap.org/nsedoc/categories/vuln.html
and on the scripting language at nmap.org/book/nse.html
HOMEWORK: LOOK AT THE WHOLE COMPUTING PART THAT THE 2016 BEETLE HAS, WHETHER IT COMES WITH BLUETOOTH AND SO ON.
