
Wednesday, August 7, 2019

Nmap Scripting Engine - Installing and using vulnerability scanning on Ubuntu 18.06

1, Installing Nmap vulnerability scanning

Step 1: Install Nmap-Vulners

Change into the directory where nmap-vulners will be installed:

$ cd /usr/share/nmap/scripts

If git is not installed yet, run the following commands:

$ sudo apt install git
$ sudo git clone https://github.com/vulnersCom/nmap-vulners.git

Cloning into 'nmap-vulners'...
remote: Counting objects: 28, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 28 (delta 9), reused 19 (delta 4), pack-reused 0
Unpacking objects: 100% (28/28), done.



Step 2: Install Vulscan

$ sudo git clone https://github.com/scipag/vulscan.git

Cloning into 'vulscan'...
remote: Counting objects: 227, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 227 (delta 19), reused 22 (delta 9), pack-reused 194
Receiving objects: 100% (227/227), 15.87 MiB | 408.00 KiB/s, done.
Resolving deltas: 100% (137/137), done.

We can then use the following command to check which Vulscan databases have been installed on the machine:

$ ls vulscan/*.csv
vulscan/cve.csv
vulscan/exploitdb.csv
vulscan/openvas.csv
vulscan/osvdb.csv
vulscan/scipvuldb.csv
vulscan/securityfocus.csv
vulscan/securitytracker.csv
vulscan/xforce.csv

Vulscan provides a number of important databases:

scipvuldb.csv
cve.csv
osvdb.csv
securityfocus.csv
securitytracker.csv
xforce.csv
exploitdb.csv
openvas.csv

Next, run the following commands to update the databases for nmap vulscan:

$ cd vulscan/utilities/updater/

Grant execute permission on the “updateFiles.sh” file with the following command:

$ sudo chmod +x updateFiles.sh

Run the following command to perform the update:

$ sudo ./updateFiles.sh

Downloading https://raw.githubusercontent.com/scipag/vulscan/master/cve.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/exploitdb.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/openvas.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/osvdb.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/scipvuldb.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securityfocus.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securitytracker.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/xforce.csv...
Returning 0, as no files have been updated, but script ran successfully

At this point the Nmap Vulscan script is installed.

2, Using Nmap vulnerability scanning

  • Scan with Nmap-Vulners
nmap --script nmap-vulners -sV -p# <IP address>
With the -sV option, nmap shows the version of the program listening on each scanned port; the scripts match against that version string, so always use -sV with these NSE scripts.

Example:
nmap --script nmap-vulners -sV -p80 1##.##.###.#24

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#24
Host is up (0.89s latency).

PORT    STATE   SERVICE VERSION
22/tcp  open    http    nginx 1.0.15
|_http-server-header: nginx/1.0.15
| vulners:
|   cpe:/a:igor_sysoev:nginx:1.0.15:
|       CVE-2013-4547           7.5             https://vulners.com/cve/CVE-2013-4547
|_      CVE-2013-0337           7.5             https://vulners.com/cve/CVE-2013-0337


  • Scan with Vulscan

nmap --script vulscan -sV -p# <IP address>
Example:
nmap --script vulscan -sV -p22 1##.##.###.#77

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#77
Host is up (0.67s latency).

PORT    STATE   SERVICE VERSION
22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: scip VulDB - http://www.scip.ch/en/?vuldb:
| [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
| [39331] OpenBSD 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
| [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
| [43307] OpenBSD 4.0 unknown vulnerability
| [41835] OpenBSD up to 4.8 unknown vulnerability
| [38743] OpenBSD up to 4.6 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 denial of service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor Designfehler
| [2578] OpenBSD OpenSSH up to 4.4 Singal race condition
| [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
| [1999] OpenBSD OpenSSH up to 4.2pl scp system() Designfehler
| [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials Designfehler
| [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding Designfehler
| [26219] OpenBSD OpenSSH up to 4.1 pl information disclosure
| [16020] OpenBSD OpenSSH 4.5 Format String
|
| MITRE CVE - http://cve.mitre.org:
| [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
| [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
| [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
| [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
| [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
| [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.

We can also scan against any one of the Vulscan databases updated above:
nmap --script vulscan --script-args vulscandb=scipvuldb.csv -sV -p# <IP address>
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p# <IP address>
nmap --script vulscan --script-args vulscandb=securitytracker.csv -sV -p# <IP address>
Example:
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p22 1##.##.###.#43

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#43
Host is up (0.52s latency).

PORT    STATE   SERVICE VERSION
22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: exploitdb.csv:
| [2444] OpenSSH <= 4.3 pl (Duplicated Block) Remote Denital of Service Exploit
| [21402] OpenSSH s.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
|
|_

In addition, for a more comprehensive result, we can run Nmap-Vulners and Vulscan together:
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p# <IP address>
Example:
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.#21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.#21
Host is up (0.54s latency).

PORT    STATE   SERVICE VERSION
22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051           9.3             https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924           7.8             https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752           7.5             https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478           7.5             https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692           7.5             https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904           6.9             https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109           5.0             https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243           5.0             https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906          5.0             https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052           5.0             https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107           5.0             https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755           4.0             https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814           3.5             https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000           3.5             https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327           2.1             https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259           1.2             https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
| [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
| [39331] OpenBSD 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
| [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
| [43307] OpenBSD 4.0 unknown vulnerability
| [41835] OpenBSD up to 4.8 unknown vulnerability
| [38743] OpenBSD up to 4.6 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 denial of service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor Designfehler
| [2578] OpenBSD OpenSSH up to 4.4 Singal race condition
| [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
| [1999] OpenBSD OpenSSH up to 4.2pl scp system() Designfehler
| [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials Designfehler
| [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding Designfehler
| [26219] OpenBSD OpenSSH up to 4.1 pl information disclosure
| [16020] OpenBSD OpenSSH 4.5 Format String
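The reports above are plain text, so triaging them by hand does not scale. As an added example (not code from the original post or from the nmap-vulners/vulscan projects), here is a small parser for the report format shown in both the Nmap-Vulners and Vulscan sections: it extracts (CVE, CVSS, URL) triples from the vulners block and (database, id, title) entries from the vulscan block, and ranks CVEs above a chosen CVSS threshold. The sample input is constructed from lines of the page's own OpenSSH 4.3 report; the 7.0 threshold is an arbitrary triage cutoff.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the combined nmap-vulners + vulscan report
# shown on this page (OpenSSH 4.3 host), trimmed to a few entries per section.
SAMPLE_OUTPUT = """\
PORT    STATE   SERVICE VERSION
22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051           9.3             https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924           7.8             https://vulners.com/cve/CVE-2006-4924
|_      CVE-2008-3259           1.2             https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
| [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
| [39331] OpenBSD 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
| MITRE CVE - http://cve.mitre.org:
| [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+\S+\s*(.*)$")            # port table row
VULNERS_RE = re.compile(r"^\|[_ ]\s+(CVE-\d{4}-\d+)\s+(\d+\.\d)\s+(\S+)$")  # CVE  score  url
DB_HDR_RE = re.compile(r"^\|\s*(?:vulscan:\s*)?([A-Za-z][^\[]*?):\s*$")  # "| vulscan: db:"
VULSCAN_RE = re.compile(r"^\|\s*\[(\S+)\]\s+(.+)$")                       # "| [id] title"

@dataclass
class PortFindings:
    port: str
    version: str
    cves: list = field(default_factory=list)     # (cve_id, cvss, url) from vulners
    vulscan: list = field(default_factory=list)  # (database, entry_id, title)

def parse_nmap_vuln_output(text):
    # One PortFindings record per port row; script output lines attach to the last row.
    findings, current, db = [], None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            current = PortFindings(f"{m.group(1)}/{m.group(2)}", m.group(3).strip())
            findings.append(current)
            db = None
        elif current is None:
            continue
        elif m := VULNERS_RE.match(line):
            current.cves.append((m.group(1), float(m.group(2)), m.group(3)))
        elif (m := DB_HDR_RE.match(line)) and m.group(1) != "vulners" \
                and not m.group(1).startswith("cpe:"):
            db = m.group(1)  # "| vulscan: <db>:" or a secondary "| <db>:" header
        elif (m := VULSCAN_RE.match(line)) and db:
            current.vulscan.append((db, m.group(1), m.group(2)))
    return findings

def cves_at_or_above(findings, min_cvss):
    # CVE ids whose CVSS score meets the triage threshold, highest score first.
    hits = [(c, s) for f in findings for c, s, _ in f.cves if s >= min_cvss]
    return [c for c, _ in sorted(hits, key=lambda t: -t[1])]
```

Feed it the saved stdout of a real scan (for example `nmap ... > report.txt`) to get the same structures for every port in the report.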
