Search for exploit modules based on the information-gathering results.
Combine this with an external vulnerability scanning system to batch-scan large IP ranges.
If you work from the version information in port/service scan results (slow): -> take the scanned version info and the versions listed on the vendor's official site and look for bug-fix notes across version iterations. Finding high-risk vulnerabilities this way is inefficient.
Search public vulnerability databases (large volume) such as exploit-db, Butian (补天) and WooYun (乌云; WooYun has been shut down for two years now and is presumably not coming back, reportedly for prying open the Internet's safe) for relevant vulnerabilities and exploit code, place them under /usr/share/metasploit-framework/modules/**/ and run reload_all in msfconsole to use them.
You can of course also use searchsploit to look up exploits; the repository is maintained by Offensive Security (the Kali maintainers) and is very active. I have starred it too, so please help by giving it a star. Last updated 5 minutes ago as of 2020-02-12 16:27.
lqh@lqh:/opt$ searchsploit nginx
-------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path   # exploit code, or a vulnerability write-up
| (/opt/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Nginx (Debian Based Distros + Gentoo) - 'logrotate' Local Privilege Escalation | exploits/linux/local/40768.sh
Nginx 0.6.36 - Directory Traversal | exploits/multiple/remote/12804.tx
Nginx 0.6.38 - Heap Corruption | exploits/linux/local/14830.py
Nginx 0.6.x - Arbitrary Code Execution NullByte Injection | exploits/multiple/webapps/24967.t
Nginx 0.7.0 < 0.7.61 / 0.6.0 < 0.6.38 / 0.5.0 < 0.5.37 / 0.4.0 < 0.4.14 - Denial of Service (PoC) | exploits/linux/dos/9901.txt
Nginx 0.7.61 - WebDAV Directory Traversal | exploits/multiple/remote/9829.txt
Nginx 0.7.64 - Terminal Escape Sequence in Logs Command Injection | exploits/multiple/remote/33490.tx
Nginx 0.7.65/0.8.39 (dev) - Source Disclosure / Download | exploits/windows/remote/13822.txt
Nginx 0.8.36 - Source Disclosure / Denial of Service | exploits/windows/remote/13818.txt
Nginx 1.1.17 - URI Processing SecURIty Bypass | exploits/multiple/remote/38846.tx
Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit) | exploits/linux/remote/25775.rb
Nginx 1.3.9 < 1.4.0 - Denial of Service (PoC) | exploits/linux/dos/25499.py
Nginx 1.3.9/1.4.0 (x86) - Brute Force | exploits/linux_x86/remote/26737.p
Nginx 1.4.0 (Generic Linux x64) - Remote Overflow | exploits/linux_x86-64/remote/3227
PHP-FPM + Nginx - Remote Code Execution | exploits/php/webapps/47553.md
-------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Shellcodes: No Result
This exploit database is usually fairly complete, but a lot of exploit code and 0-day vulnerability information is still exposed on the dark web or deep web. That is not covered here.
Using a vulnerability scanner for vulnerability scanning works extremely well; compared with doing it by hand (scan ports -> get version info -> look up version vulnerabilities -> find exploit code -> exploit), the efficiency gain is far more than marginal.
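The "get version info -> look up version vulnerabilities" step above is where most of the manual effort goes: a searchsploit listing mixes exact versions, version ranges and entries with no version at all. The following is an added example (not code from the page or from the exploit-db project) that parses table rows like the searchsploit output above and keeps only the entries whose title covers a detected nginx version, while reporting unversioned entries for manual review instead of dropping them. The sample rows are copied from the output above as constructed input, and the reading of "A < B" as "affected from A up to, but not including, the fixed release B" is an assumption about exploit-db's title convention.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: data rows copied from the searchsploit output shown
# above (paths kept exactly as printed there, including truncated ones).
SEARCHSPLOIT_ROWS = """\
Nginx (Debian Based Distros + Gentoo) - 'logrotate' Local Privilege Escalation | exploits/linux/local/40768.sh
Nginx 0.6.36 - Directory Traversal | exploits/multiple/remote/12804.tx
Nginx 0.6.38 - Heap Corruption | exploits/linux/local/14830.py
Nginx 0.7.0 < 0.7.61 / 0.6.0 < 0.6.38 / 0.5.0 < 0.5.37 / 0.4.0 < 0.4.14 - Denial of Service (PoC) | exploits/linux/dos/9901.txt
Nginx 0.7.61 - WebDAV Directory Traversal | exploits/multiple/remote/9829.txt
Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit) | exploits/linux/remote/25775.rb
Nginx 1.3.9/1.4.0 (x86) - Brute Force | exploits/linux_x86/remote/26737.p
PHP-FPM + Nginx - Remote Code Execution | exploits/php/webapps/47553.md
"""

Version = Tuple[int, ...]
VERSION_PAT = r"\d+(?:\.\d+)+"
# "A < B" range in a title, and a standalone dotted version not glued to other digits
RANGE_RE = re.compile(rf"({VERSION_PAT})\s*<\s*({VERSION_PAT})")
EXACT_RE = re.compile(rf"(?<![\d.])({VERSION_PAT})(?![\d.])")


def parse_version(text: str) -> Version:
    """'1.4.0' -> (1, 4); trailing zeros dropped so 1.4 and 1.4.0 compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def version_constraints(title: str) -> List[Tuple[Version, Optional[Version]]]:
    """Extract version constraints from the product part of an exploit title.

    Assumption: 'A < B' means versions from A up to but not including B
    (B being the fixed release); a bare version is an exact match.
    Returns [] when the title names no version at all.
    """
    head = title.split(" - ", 1)[0]  # product/version part precedes the first ' - '
    constraints: List[Tuple[Version, Optional[Version]]] = []
    for low, high in RANGE_RE.findall(head):
        constraints.append((parse_version(low), parse_version(high)))
    for exact in EXACT_RE.findall(RANGE_RE.sub(" ", head)):
        constraints.append((parse_version(exact), None))
    return constraints


def affects(constraints, detected: Version) -> bool:
    """True if any constraint of the entry covers the detected version."""
    return any(detected == low if high is None else low <= detected < high
               for low, high in constraints)


def candidate_exploits(rows: str, detected_version: str):
    """Split table rows into (matching, unversioned) lists of (title, path).

    'unversioned' rows carry no version in the title and need manual review;
    they are reported rather than silently dropped.
    """
    detected = parse_version(detected_version)
    matching, unversioned = [], []
    for line in rows.splitlines():
        if "|" not in line:
            continue
        title, path = (part.strip() for part in line.rsplit("|", 1))
        constraints = version_constraints(title)
        if not constraints:
            unversioned.append((title, path))
        elif affects(constraints, detected):
            matching.append((title, path))
    return matching, unversioned


if __name__ == "__main__":
    banner_version = "1.3.9"  # e.g. taken from an nmap -sV service banner
    hits, review = candidate_exploits(SEARCHSPLOIT_ROWS, banner_version)
    print(f"nginx {banner_version}: {len(hits)} version-matched entries")
    for title, path in hits:
        print("  MATCH ", path, "-", title)
    for title, path in review:
        print("  REVIEW", path, "-", title)
```

The same filter is what you want on the defensive side: run it over the version banners of your own inventory and the "REVIEW" bucket tells you which advisories cannot be settled by version number alone (distribution-specific or configuration-dependent issues such as the logrotate and PHP-FPM entries above) and need a configuration check instead.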
Scans fall into two kinds: authenticated scans (white box) and unauthenticated scans (black box).
CVSS (Common Vulnerability Scoring System): scores range from 0 to 10, where 10 is the highest score and the highest threat level and 0 the opposite. The current version is 3.1 ("CVSS is currently at version 3.1." per the official site).
The score is made up of three metric groups, Base score, Temporal score and Environmental score, each of which is further divided into sub-metrics.
Nmap 7.6: /usr/share/nmap/scripts/script.db currently lists 579 scripts, of which 101 are vulnerability detection and exploitation scripts.
lqh@lqh:/usr/share/nmap/scripts$ cat script.db | grep vuln |wc -l
101
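The grep above counts every line of script.db containing the string "vuln", which includes the filename as well as the category list. Since script.db is a list of Lua "Entry" records, it takes little work to read the categories field properly and, more importantly for anyone running these scripts against production hosts, to separate vuln scripts that are also tagged "safe" from those tagged "intrusive", "dos" or "exploit". The following is an added example (not part of the page or of Nmap) over a small constructed script.db excerpt; the script names are illustrative, including one ("demo-vulnreport.nse") invented solely to show where a plain grep over-counts.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample in the format of /usr/share/nmap/scripts/script.db
# (one Lua 'Entry' per script). Names and categories are illustrative;
# "demo-vulnreport.nse" is invented to show a filename-only 'vuln' match.
SCRIPT_DB = """\
Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "vuln", "safe", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-slowloris-check.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "vuln", "intrusive", } }
Entry { filename = "demo-vulnreport.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)
RISKY_TAGS = {"intrusive", "dos", "exploit"}


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename to its set of categories."""
    scripts: Dict[str, Set[str]] = {}
    for match in ENTRY_RE.finditer(text):
        filename, category_list = match.group(1), match.group(2)
        scripts[filename] = set(re.findall(r'"([^"]+)"', category_list))
    return scripts


def grep_count(text: str, needle: str) -> int:
    """What `grep needle | wc -l` reports: lines containing the string anywhere."""
    return sum(1 for line in text.splitlines() if needle in line)


def in_category(scripts: Dict[str, Set[str]], category: str) -> List[str]:
    return sorted(name for name, cats in scripts.items() if category in cats)


def category_counts(scripts: Dict[str, Set[str]]) -> Counter:
    return Counter(cat for cats in scripts.values() for cat in cats)


def vuln_scripts_by_safety(scripts: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Split 'vuln' scripts into (safe, risky): risky ones also carry a tag
    from RISKY_TAGS and may disrupt or crash the target service."""
    safe, risky = [], []
    for name in in_category(scripts, "vuln"):
        (risky if scripts[name] & RISKY_TAGS else safe).append(name)
    return safe, risky


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    print("grep-style count of 'vuln':", grep_count(SCRIPT_DB, "vuln"))
    print("scripts in category vuln:  ", len(in_category(db, "vuln")))
    safe, risky = vuln_scripts_by_safety(db)
    print("vuln+safe:", safe)
    print("vuln+risky:", risky)
    print("per category:", dict(category_counts(db)))
```

On a real script.db the two counts differ for the same reason as in the sample, so the category field, not a substring match, is the number to trust. The safe/risky split maps directly onto Nmap's own category expressions: `--script "vuln and safe"` selects the first list and `--script "vuln and intrusive"` the second, which is the distinction to make before scanning anything you are not allowed to disrupt.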
# I chose docker, which is simpler thanks to the Alibaba Cloud registry mirror; installing OpenVAS directly means updating the files inside it, which is very slow and painful.
docker run -d -p 443:443 --name openvas mikesplain/openvas
# This will grab the container from the docker registry and start it up. Openvas startup can take some time (4-5 minutes while NVT's are scanned and databases rebuilt), so be patient. Once you see a It seems like your OpenVAS-9 installation is OK. process in the logs, the web ui is good to go. Goto https://<machinename>
Username: admin
Password: admin
OpenVAS Manager
To use OpenVAS Manager, add port 9390 to your docker run command:
docker run -d -p 443:443 -p 9390:9390 --name openvas mikesplain/openvas
Update NVTs
Occasionally you'll need to update NVTs. We update the container about once a week but you can update your container by execing into the container and running a few commands:
docker exec -it openvas bash
# inside container
greenbone-nvt-sync
openvasmd --rebuild --progress
greenbone-certdata-sync
greenbone-scapdata-sync
openvasmd --update --verbose --progress
/etc/init.d/openvas-manager restart
/etc/init.d/openvas-scanner restart
- Changing global settings: Extras -> My Settings -> Edit
Settings such as Timezone, Change Password, Severity Class, etc.
Start my virtual machines to get ready for scanning
root@lqh:/home/lqh# virsh list
Id Name State
----------------------------------------------------
1 win2k8r2 running 192.168.1.2
2 owasp running 192.168.1.126
3 haproxy2 running 192.168.1.251
Scan configuration: Configuration -> Scan Configs -> there are 8 default configs -> work from those
Name                        | Description                                                                                                    | Families | NVTs
----------------------------+----------------------------------------------------------------------------------------------------------------+----------+------
empty                       | Empty and static configuration template.                                                                       |        0 |     0
Discovery                   | Network Discovery scan configuration.                                                                          |       20 |  2723
Full and fast               | Most NVT's; optimized by using previously collected information.                                               |       62 | 49767
Full and fast ultimate      | Most NVT's including those that can stop services/hosts; optimized by using previously collected information. |       62 | 49767
Full and very deep          | Most NVT's; don't trust previously collected information; slow.                                                |       62 | 49767
Full and very deep ultimate | Most NVT's including those that can stop services/hosts; don't trust previously collected information; slow.   |       62 | 49767
Host Discovery              | Network Host Discovery scan configuration.                                                                     |        2 |     2
System Discovery            | Network System Discovery scan configuration.                                                                   |        6 |    29
Configure scan targets: Configuration -> Targets -> click the star icon in the top-left corner -> New Target ->
Things to note: you can specify excluded hosts, port settings and alive-host detection, and you can scan with credentials (add them under Configuration -> Credentials).
If the earlier port scan already established the open ports, you can set a policy to scan only those ports (Configuration -> Port Lists).
Create a scan task: Scans -> Tasks -> New Task ->
Schedules can be created for automatic scanning, which I don't need here. Configuration -> Schedules; a schedule can be selected when creating the scan task.
Captured-traffic view of the vulnerability scanning workflow -> host discovery -> port discovery ->
msf5 > search cve-2011-3192
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/http/apache_range_dos 2011-08-19 normal No Apache Range Header DoS (Apache Killer)