Cómo hacer análisis de vulnerabilidades

El escaneo es la fase inicial de pentesting. Los investigadores/pentesters conocen muy bien esta fase del análisis de seguridad. Esta es la fase en la que los pentesters invierten la mayor parte del tiempo, pues esta proporciona al pentester mucha información para preparar las fases de pruebas de penetración posteriores.

Hay muchas herramientas automáticas y manuales que se utilizan en pentesting, pero el pentester siempre comienza con el escaneo manual, ya que éste le aportará un panorama más amplio. Hoy le mostraremos cómo el pentester/investigador de seguridad puede usar scripts de nmap para buscar vulnerabilidades.

Nmap es una herramienta de código abierto diseñada para escanear/verificar puertos abiertos de aplicaciones web/móviles. Nmap usa paquetes de IP sin procesar para analizar una URL/host dados. Nmap recolecta información sobre servicios, puertos abiertos, servidor de aplicaciones, versión del sistema operativo del sistema operativo, etc. Nmap da muchas opciones como usar scripts para buscar el objetivo.

Las secuencias de comandos de Nmap utilizan whois para buscar el objetivo. De acuerdo con expertos en seguridad en redes del Instituto Internacional de Seguridad Cibernética, también puede escribir o compartir su propio script de nmap. Le mostraremos cómo utilizar un script externo. Este nmap sripts ha probado en Kali Linux 2018.4

  • Clonar script desde git clone https://github.com/OCSAF/freevulnsearch.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/OCSAF/freevulnsearch.git 

Cloning into 'freevulnsearch'... remote: Enumerating objects: 114, done. remote: Counting objects: 100% (114/114), done. remote: Compressing objects: 100% (85/85), done. remote: Total 114 (delta 64), reused 60 (delta 29), pack-reused 0 Receiving objects: 100% (114/114), 34.58 KiB | 2.66 MiB/s, done. Resolving deltas: 100% (64/64), done.
  • A continuación, escriba cd freevulnsearch
  • Escriba ls
root@kali:/home/iicybersecurity/Downloads# cd freevulnsearch/
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# ls
freevulnsearch.nse LICENSE README.md
  • cp freevulnsearch.nse a la ubicación de secuencias de comandos. Para ese escriba cp freevulnsearch.nse /usr/share/nmap/scripts
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# cp freevulnsearch.nse /usr/share/nmap/scripts
  • A continuación, escriba locate *.nse
  • Esta consulta listará todos los scripts que están disponibles en el motor de revisión nmap
root@kali:/home/iicybersecurity# locate *.nse
  • Luego escriba nmap -sV –script freevulnsearch certified.com
  • -sV, s falsificará la dirección IP y V escaneará el objetivo de forma detallada
  • –Freevulnsearch es la secuencia de comandos utilizada para escanear el objetivo
  • certified.com es el objetivo
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script freevulnsearch certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 02:17 EST
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.30s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
|freevulnsearch: *Error with API query. API or network possibly not available. 25/tcp open smtp Exim smtpd 4.91 | freevulnsearch: | *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91) | *Check other sources like https://www.exploit-db.com
26/tcp open smtp Exim smtpd 4.91
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
|_ *Check other sources like https://www.exploit-db.com
53/tcp open domain ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
| freevulnsearch:
| CVE-2017-3145 Medium 5.0 https://cve.circl.lu/cve/CVE-2017-3145
| CVE-2017-3143 Medium 4.3 https://cve.circl.lu/cve/CVE-2017-3143
| CVE-2017-3142 Medium 4.3 https://cve.circl.lu/cve/CVE-2017-3142
| CVE-2017-3141 High 7.2 EDB https://cve.circl.lu/cve/CVE-2017-3141
| CVE-2017-3136 Medium 4.3 https://cve.circl.lu/cve/CVE-2017-3136
| CVE-2016-9131 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-9131
| CVE-2016-8864 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-8864
| CVE-2016-6170 Medium 4.0 https://cve.circl.lu/cve/CVE-2016-6170
| CVE-2016-2848 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-2848
| CVE-2016-2775 Medium 4.3 https://cve.circl.lu/cve/CVE-2016-2775
| CVE-2016-1286 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-1286
| CVE-2016-1285 Medium 4.3 https://cve.circl.lu/cve/CVE-2016-1285
| CVE-2015-8461 High 7.1 https://cve.circl.lu/cve/CVE-2015-8461
| CVE-2015-8000 Medium 5.0 https://cve.circl.lu/cve/CVE-2015-8000
| CVE-2015-4620 High 7.8 https://cve.circl.lu/cve/CVE-2015-4620
| CVE-2015-1349 Medium 5.4 https://cve.circl.lu/cve/CVE-2015-1349
| CVE-2014-0591 Low 2.6 https://cve.circl.lu/cve/CVE-2014-0591
| CVE-2013-6230 Medium 6.8 https://cve.circl.lu/cve/CVE-2013-6230
| CVE-2013-4854 High 7.8 https://cve.circl.lu/cve/CVE-2013-4854
| CVE-2013-2266 High 7.8 https://cve.circl.lu/cve/CVE-2013-2266
| CVE-2012-5689 High 7.1 https://cve.circl.lu/cve/CVE-2012-5689
| CVE-2012-5688 High 7.8 https://cve.circl.lu/cve/CVE-2012-5688
| CVE-2012-5166 High 7.8 https://cve.circl.lu/cve/CVE-2012-5166
| CVE-2012-4244 High 7.8 https://cve.circl.lu/cve/CVE-2012-4244
| CVE-2012-3817 High 7.8 https://cve.circl.lu/cve/CVE-2012-3817
| *No CVE found with NMAP-CPE: (cpe:/a:isc:bind:9.8.2rc1)
|_ *CVE found with freevulnsearch function: (cpe:/a:isc:bind:9.8.2:rc1)
80/tcp open http nginx 1.14.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_ *Check other sources like https://www.exploit-db.com
|http-server-header: nginx/1.14.1 110/tcp open pop3 Dovecot pop3d 139/tcp filtered netbios-ssn 143/tcp open imap Dovecot imapd 443/tcp open ssl/http nginx 1.14.1 | freevulnsearch: | *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1) | *Check other sources like https://www.exploit-db.com
|http-server-header: nginx/1.14.1 445/tcp filtered microsoft-ds 465/tcp open tcpwrapped 587/tcp open tcpwrapped 993/tcp open ssl/imap Dovecot imapd 995/tcp open ssl/pop3 Dovecot pop3d 1720/tcp filtered h323q931 2222/tcp open ssh OpenSSH 5.3 (protocol 2.0) |_freevulnsearch: *Error with API query. API or network possibly not available. 3306/tcp open mysql MySQL 5.6.41-84.1 | freevulnsearch: | *No CVE found with NMAP-CPE: (cpe:/a:mysql:mysql:5.6.41-84.1) | *No CVE found with freevulnsearch function: (cpe:/a:mysql:mysql:5.6.41) | *Check other sources like https://www.exploit-db.com
5060/tcp filtered sip
5432/tcp open postgresql PostgreSQL DB
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
| Fpostmaster.c
| L1624
|_ RProcessStartupPacket
8080/tcp open http nginx 1.14.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_ *Check other sources like https://www.exploit-db.com
|http-server-header: nginx/1.14.1 8443/tcp open ssl/http nginx 1.14.1 | freevulnsearch: | *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1) | *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63C488%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.09 seconds
  • Después de ejecutar la consulta anterior, el script nmap ha encontrado vulnerabilidades que pueden usarse en futuros ataques
  • Esta consulta muestra la lista de CVE, que son las vulnerabilidades más comunes y se pueden utilizar para crear fallas en la aplicación web
  • Escriba nmap -sV –script broadcast-dhcp-discover certified.com
  • -sV falsificará la dirección IP y V escaneará el objetivo de forma detallada
  • –Script broadcast-dhcp-discover obtendrá parámetros locales sin asignar una nueva dirección
  • certified.com es el objetivo
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script broadcast-dhcp-discover certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 03:05 EST
Pre-scan script results:
| broadcast-dhcp-discover:
| Response 1 of 1:
| IP Offered: 192.168.1.9
| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
| Domain Name Server: 192.168.1.1
| Server Identifier: 192.168.1.1
|_ IP Address Lease Time: 1d00h00m00s
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.30s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
25/tcp open tcpwrapped
26/tcp open smtp Exim smtpd 4.91
53/tcp open domain ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
80/tcp open http nginx 1.14.1
|http-server-header: nginx/1.14.1 110/tcp open pop3 Dovecot pop3d 139/tcp filtered netbios-ssn 143/tcp open imap Dovecot imapd 443/tcp open ssl/http nginx 1.14.1 |_http-server-header: nginx/1.14.1 445/tcp filtered microsoft-ds 465/tcp open ssl/smtps? 587/tcp open tcpwrapped 993/tcp open ssl/imap Dovecot imapd 995/tcp open ssl/pop3 Dovecot pop3d 1720/tcp filtered h323q931 2222/tcp open ssh OpenSSH 5.3 (protocol 2.0) 3306/tcp open mysql MySQL 5.6.41-84.1 5060/tcp filtered sip 5432/tcp open postgresql PostgreSQL DB | fingerprint-strings: | SMBProgNeg: | SFATAL | C0A000 | Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0 | Fpostmaster.c | L1624 | RProcessStartupPacket
8080/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
8443/tcp open ssl/http nginx 1.14.1
|_http-server-header: nginx/1.14.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63CFD1%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.67 seconds
  • La consulta anterior ha obtenido el registro rDNS que muestra los puertos y servicios abiertos. Esta información se puede utilizar en otras actividades de hacking
  • La consulta anterior muestra la versión listada con cada puerto
  • Escriba nmap –script http-security-headers certified.com
  • –script http-security-headers se usa para verificar el encabezado de seguridad de respuesta http
  • certified.com es la URL de destino
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap --script http-security-headers certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 04:31 EST
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.29s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
26/tcp open rsftp
53/tcp open domain
80/tcp open http
|http-security-headers: 110/tcp open pop3 139/tcp filtered netbios-ssn 143/tcp open imap 443/tcp open https | http-security-headers: | Strict_Transport_Security: | HSTS not configured in HTTPS Server
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1720/tcp filtered h323q931
2222/tcp open EtherNetIP-1
3306/tcp open mysql
5060/tcp filtered sip
5432/tcp open postgresql
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 9.67 seconds
  • Después de ejecutar la consulta anterior, el encabezado de seguridad https ha demostrado que los hosts no están configurados en el servidor https
  • HSTS es la autoridad de transporte estricta que ayuda a los sitios web de ataques de degradación de protocolo. La información anterior también se puede utilizar en otras actividades de hacking
  • También puede usar nmap dos script para lanzar ataques DDoS
(Visited 722, 1 times)