TNA - Leblon - Infrastructure Assessment
Windows Terminal Services enabled
-->   Connect remotely to workstation 192.168.79.253 and take a screenshot of the login screen
      Example Usage
-->   nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>
Script Output
PORT      STATE SERVICE        VERSION
3389/tcp open ms-wbt-server?
| rdp-vuln-ms12-020:
|    VULNERABLE:
|    MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|      State: VULNERABLE
|      IDs: CVE:CVE-2012-0152
|      Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|      Description:
|                Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|      Disclosure date: 2012-03-13
|      References:
|        http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|    MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|      State: VULNERABLE
|      IDs: CVE:CVE-2012-0002
|      Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|      Description:
|                Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|      Disclosure date: 2012-03-13
|      References:
|        http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
Terminal Services with Network Level Authentication disabled
      Example Usage
--> nmap -p 3389 --script rdp-enum-encryption   <ip>
Script Output
PORT      STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
|    Security layer
|      CredSSP: SUCCESS
|      Native RDP: SUCCESS
|      SSL: SUCCESS
|    RDP Encryption level: High
|      128-bit RC4: SUCCESS
|_     FIPS 140-1: SUCCESS
Use of the default SNMP community string
--> nmap -sU --script snmp-brute
      Example Usage
-->nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
Script Output
PORT     STATE SERVICE
161/udp open snmp
| snmp-brute:
|    dragon - Valid credentials
|_ jordan - Valid credentials
Support for RC4 ciphers on the SSL certificate
-->nmap --script ssl-enum-ciphers -p 443
      Example Usage
-->nmap -sV --script ssl-enum-ciphers -p 443 <host>
Script Output
PORT     STATE SERVICE REASON
443/tcp open https     syn-ack
| ssl-enum-ciphers:
|    TLSv1.0:
|      ciphers:
|        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|        TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|        TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|        TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
|        TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|        TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|        TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|      compressors:
|        NULL
|      cipher preference: server
|      warnings:
|        64-bit block cipher 3DES vulnerable to SWEET32 attack
|        Broken cipher RC4 is deprecated by RFC 7465
|        Ciphersuite uses MD5 for message integrity
|        Weak certificate signature: SHA1
|    TLSv1.2:
|      ciphers:
|        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|        TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|        TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|        TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|        TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|        TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
|        TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|        TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|        TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|      compressors:
|        NULL
|      cipher preference: server
|      warnings:
|        64-bit block cipher 3DES vulnerable to SWEET32 attack
|        Broken cipher RC4 is deprecated by RFC 7465
|        Ciphersuite uses MD5 for message integrity
|_   least strength: C
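The ssl-enum-ciphers output above has to be read by hand to pick out the RC4, 3DES and MD5 suites behind this finding. The script below is an added example (not part of the original assessment notes and not nmap's own code) that parses that output, flags each weak suite with the reason, and reports the deprecated protocol versions; the sample text is a constructed, shortened copy of the quoted output, and the weak-suite rules go slightly beyond the page by also catching NULL, single-DES and export-grade suites.

```python
"""Triage nmap ssl-enum-ciphers output: weak cipher suites per protocol version."""
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the ssl-enum-ciphers output quoted in the notes.
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE REASON
443/tcp open https     syn-ack
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_  least strength: C
"""

# Substring of a suite name that marks a weak primitive, and the reason to report.
WEAK_MARKERS = OrderedDict([
    ("_RC4_", "RC4 stream cipher, deprecated by RFC 7465"),
    ("_3DES_", "64-bit block cipher 3DES (SWEET32)"),
    ("_DES_", "single DES"),          # does not match _3DES_ (no underscore before DES)
    ("_NULL_", "NULL encryption"),
    ("_EXPORT", "export-grade key length"),
    ("_MD5", "MD5 for message integrity"),
])
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_\w+|SSL_\w+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
LEAST_RE = re.compile(r"^\|_?\s*least strength:\s*([A-F])")


def parse_enum_ciphers(text):
    """Return ({protocol: [(suite, key_info, grade), ...]}, least_strength)."""
    protocols, current, least = OrderedDict(), None, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols[current] = []
            continue
        m = SUITE_RE.match(line)
        if m and current is not None:
            protocols[current].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = LEAST_RE.match(line)
        if m:
            least = m.group(1)
    return protocols, least


def weak_reasons(suite):
    """All reasons a suite is weak, in rule order; empty list means none matched."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in suite]


def triage(text):
    """Per-protocol list of weak suites, deprecated protocol versions, least strength."""
    protocols, least = parse_enum_ciphers(text)
    weak = OrderedDict()
    for proto, suites in protocols.items():
        weak[proto] = [(s, weak_reasons(s)) for s, _key, _grade in suites if weak_reasons(s)]
    return {
        "least_strength": least,
        "deprecated_protocols": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
        "weak": weak,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    print("least strength:", result["least_strength"])
    print("deprecated protocols:", result["deprecated_protocols"])
    for proto, suites in result["weak"].items():
        for suite, reasons in suites:
            print(f"{proto}: {suite}: {'; '.join(reasons)}")
```

Feed it the saved nmap output for each host (`triage(open(path).read())`) to turn the cipher list into a finding with one line per weak suite; the remediation is the same in every case, disabling the flagged suites and the TLS 1.0 protocol on the server.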
DNS server cache snooping
-->nmap -sU -p 53 --script dns-cache-snoop.nse --script-args='dns-cache-snoop.mode=timed' 192.168.61.252
-->nmap -sU -p 53 --script dns-cache-snoop.nse
      Example Usage
-->nmap -sU -p 53 --script=dns-recursion <target>
Script Output
PORT   STATE SERVICE REASON
53/udp open domain udp-response
|_dns-recursion: Recursion appears to be enabled
      Example Usage
-->nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
Script Output
PORT   STATE SERVICE REASON
53/udp open domain udp-response
| dns-cache-snoop: 10 of 100 tested domains are cached.
| www.google.com
| facebook.com
| www.facebook.com
| www.youtube.com
| yahoo.com
| twitter.com
| www.twitter.com
| www.google.com.hk
| www.google.co.uk
|_www.linkedin.com
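Both checks above rest on two header bits: dns-recursion reports "Recursion appears to be enabled" when the reply carries RA, and dns-cache-snoop's nonrecursive mode sends queries with RD cleared, so any answer it receives can only have come from the resolver's cache. The block below is an added example (not part of the original notes and not nmap's code) that builds such a query and reads those fields back from a reply; the replies are constructed inline by `fake_response`, so nothing is sent on the network.

```python
"""DNS header flags behind the dns-recursion and dns-cache-snoop checks."""
import struct

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
HEADER = "!HHHHHH"  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels terminated by 0x00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(txid, name, recursion_desired=True):
    """Header plus one A/IN question. dns-recursion sends RD=1; the nonrecursive
    cache-snoop mode sends RD=0 so the resolver may only answer from its cache."""
    flags = FLAG_RD if recursion_desired else 0
    return (struct.pack(HEADER, txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


def parse_header(packet):
    """Decode the 12-byte header into the fields the two checks look at."""
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER, packet[:12])
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def recursion_available(response):
    """dns-recursion's conclusion: RA set means the server offers recursion."""
    return parse_header(response)["ra"]


def answered_from_cache(response):
    """Nonrecursive cache-snoop conclusion: a reply to an RD=0 query with RCODE 0
    and at least one answer record can only have been served from the cache."""
    h = parse_header(response)
    return h["qr"] and not h["rd"] and h["rcode"] == 0 and h["ancount"] > 0


def fake_response(query, answer_count, ra=True):
    """Constructed server reply: echoes id, RD and the question; sets QR (and RA);
    appends answer_count A records pointing at 192.0.2.1 (a documentation address)."""
    txid, flags, qd, _an, ns, ar = struct.unpack(HEADER, query[:12])
    flags |= FLAG_QR | (FLAG_RA if ra else 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return (struct.pack(HEADER, txid, flags, qd, answer_count, ns, ar)
            + query[12:] + rr * answer_count)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com", recursion_desired=False)
    print("cached answer:", answered_from_cache(fake_response(q, 1)))
    print("recursion offered:", recursion_available(fake_response(q, 0, ra=False)))
```

The defensive reading of the same bits: a resolver that should serve only internal clients ought to answer external RD=1 queries with RA clear (or REFUSED), and then the cache-snoop result is empty as well, because the server never answers RD=0 queries from outside with records it cached for its own users.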
RDP - Encryption
nmap -p 3389 --script rdp-enum-encryption 192.168.61.252
Outdated encryption protocol
--> sslscan 192.168.78.202:1433
      Example Usage
-->nmap -sV -sC 192.168.78.202
Script Output
443/tcp open   https   syn-ack
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_IDEA_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
      Example Usage
-->nmap -sV --version-light --script ssl-poodle -p 443 <host>
Script Output
PORT     STATE SERVICE REASON
443/tcp open https     syn-ack
| ssl-poodle:
|    VULNERABLE:
|    SSL POODLE information leak
|      State: VULNERABLE
|      IDs: CVE:CVE-2014-3566 OSVDB:113251
|            The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
|            other products, uses nondeterministic CBC padding, which makes it easier
|            for man-in-the-middle attackers to obtain cleartext data via a
|            padding-oracle attack, aka the "POODLE" issue.
|      Disclosure date: 2014-10-14
|      Check results:
|        TLS_RSA_WITH_3DES_EDE_CBC_SHA
|      References:
|        https://www.imperialviolet.org/2014/10/14/poodle.html
|        http://osvdb.org/113251
|        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_       https://www.openssl.org/~bodo/ssl-poodle.pdf
Possible denial of service via SNMP
--> snmp-check 192.168.79.249
--> nmap -sU --script snmp-brute 192.168.79.249
      Example Usage
-->nmap -sV -sU -p 161 192.168.79.249
Script Output
161/udp open snmp     udp-response ttl 244     ciscoSystems SNMPv3 server (public)
| snmp-info:
|   enterprise: ciscoSystems
|   engineIDFormat: mac
|   engineIDData: 00:d4:8c:00:11:22
|   snmpEngineBoots: 6
|_ snmpEngineTime: 358d01h13m46s
      Example Usage
-->nmap -sV <target>
Script Output
161/udp open snmp      udp-response ttl 244   ciscoSystems SNMPv3 server (public)
| snmp-info:
|   enterprise: ciscoSystems
|   engineIDFormat: mac
|   engineIDData: 00:d4:8c:00:11:22
|   snmpEngineBoots: 6
|_ snmpEngineTime: 358d01h13m46s
Possible login via SMB
-->smbclient -L 192.168.79.253 -U guest
      Example Usage
-->nmap --script smb-enum-users.nse -p445 <host>
-->nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
Script Output
Host script results:
| smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser
Host script results:
| smb-enum-users:
| | RON-WIN2K-TEST\Administrator (RID: 500)
| | | Description: Built-in account for administering the computer/domain
| | |_ Flags:         Password does not expire, Normal user account
| | RON-WIN2K-TEST\Guest (RID: 501)
| | | Description: Built-in account for guest access to the computer/domain
| | |_ Flags:         Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
| | | Full name:      Internet Guest Account
| | | Description: Built-in account for anonymous access to Internet Information Services
| | |_ Flags:         Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
| | | Full name:      Launch IIS Process Account
| | | Description: Built-in account for Internet Information Services to start out of process applications
| | |_ Flags:         Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\test1234 (RID: 1005)
| | |_ Flags:         Normal user account
| | RON-WIN2K-TEST\TsInternetUser (RID: 1000)
| | | Full name:    TsInternetUser
| | | Description: This user account is used by Terminal Services.
|_ |_ |_ Flags:     Password not required, Password does not expire, Normal user account
      Example Usage
-->nmap --script smb-security-mode.nse -p445 127.0.0.1
-->sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1
Script Output
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
      Example Usage
-->nmap -p445 --script smb-vuln-ms17-010 <target>
-->nmap -p445 --script vuln <target>
Script Output
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs: CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
DHCP server detection
      Example Usage
-->nmap -sU -p 67 --script=dhcp-discover <target>
Script Output
Interesting ports on 192.168.1.1:
PORT    STATE SERVICE
67/udp open dhcps
| dhcp-discover:
|    DHCP Message Type: DHCPACK
|    Server Identifier: 192.168.1.1
|    IP Address Lease Time: 1 day, 0:00:00
|    Subnet Mask: 255.255.255.0
|    Router: 192.168.1.1
|_ Domain Name Server: 208.81.7.10, 208.81.7.14
     Example Usage
-->sudo nmap --script broadcast-dhcp-discover
Script Output
| broadcast-dhcp-discover:
|   IP Offered: 192.168.1.114
|   DHCP Message Type: DHCPOFFER
|   Server Identifier: 192.168.1.1
|   IP Address Lease Time: 1 day, 0:00:00
|   Subnet Mask: 255.255.255.0
|   Router: 192.168.1.1
|   Domain Name Server: 192.168.1.1
|_ Domain Name: localdomain
Use of a weak encryption algorithm
-->nmap -p 3389 --script ssl-enum-ciphers
Untrusted SSL certificate
      Example Usage
-->nmap -p 443 --script ssl-cert-intaddr <target>
Script Output
443/tcp open https
| ssl-cert-intaddr:
|   Subject commonName:
|     10.5.5.5
|   Subject organizationName:
|     10.0.2.1
|     10.0.2.2
|   Issuer emailAddress:
|     10.6.6.6
|   X509v3 Subject Alternative Name:
|_    10.3.4.5
SSL certificate with wrong hostname
-->sslscan --show-certificate
      Example Usage
-->nmap -p 1433 --script ssl-cert-intaddr 192.168.78.202
Script Output
443/tcp open https
| ssl-cert-intaddr:
|   Subject commonName:
|     10.5.5.5
|   Subject organizationName:
|     10.0.2.1
|     10.0.2.2
|   Issuer emailAddress:
|     10.6.6.6
|   X509v3 Subject Alternative Name:
|_    10.3.4.5
SSL certificate chain contains RSA keys smaller than 2048 bits
nmap --script=ssl-cert.nse
      Example Usage
-->nmap -sV -sC <target>
Script Output
443/tcp open https
| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\
/stateOrProvinceName=California/countryName=US
| Not valid before: 2011-03-23 00:00:00
|_Not valid after: 2013-04-01 23:59:59
      Example Usage
-->nmap -p 443 --script ssl-cert-intaddr <target>
Script Output
443/tcp open https
| ssl-cert-intaddr:
|   Subject commonName:
|     10.5.5.5
|   Subject organizationName:
|     10.0.2.1
|     10.0.2.2
|   Issuer emailAddress:
|     10.6.6.6
|   X509v3 Subject Alternative Name:
|_    10.3.4.5
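The three certificate findings above (untrusted certificate, wrong hostname, RSA key under 2048 bits) can be checked from the ssl-cert output without re-scanning. The block below is an added example, not part of the original notes and not nmap's code: it parses the ssl-cert format quoted above, matches the certificate names against the host that was scanned using RFC 6125 wildcard rules, checks the validity window, and flags small RSA keys. The "Subject Alternative Name", "Public Key type" and "Public Key bits" lines are fields the ssl-cert script prints that the quoted output does not show, so the sample is constructed and those fields are an assumption of this example.

```python
"""Review an nmap ssl-cert result: hostname match, validity window, RSA key size."""
import re
from datetime import datetime

# Constructed sample in the ssl-cert output style (the backslash is nmap's line wrap).
SAMPLE = """\
443/tcp open https
| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\\
/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:www.paypal.com, DNS:paypal.com
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2011-03-23 00:00:00
|_Not valid after:  2013-04-01 23:59:59
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _value(line):
    """Text after the first ':' of a 'Field: value' line."""
    return line.split(":", 1)[1].strip()


def parse_ssl_cert(text):
    """Extract CN, SAN DNS names, key type and size, and the validity window."""
    joined = re.sub(r"\\\n/", "/", text)  # undo the backslash line wrap of the Subject
    cert = {"names": []}
    for line in joined.splitlines():
        line = re.sub(r"^\|_?\s*", "", line)  # strip the NSE '| ' or '|_' prefix
        if line.startswith("ssl-cert: Subject:"):
            m = re.search(r"commonName=([^/]+)", line)
            if m:
                cert["cn"] = m.group(1).strip()
        elif line.startswith("Subject Alternative Name:"):
            cert["names"] = [n.strip()[4:] for n in _value(line).split(",")
                             if n.strip().startswith("DNS:")]
        elif line.startswith("Public Key type:"):
            cert["key_type"] = _value(line)
        elif line.startswith("Public Key bits:"):
            cert["bits"] = int(_value(line))
        elif line.startswith("Not valid before:"):
            cert["not_before"] = datetime.strptime(_value(line), TS_FORMAT)
        elif line.startswith("Not valid after:"):
            cert["not_after"] = datetime.strptime(_value(line), TS_FORMAT)
    return cert


def hostname_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; '*' only as the whole leftmost label and
    matching exactly one label, so *.example.com covers www.example.com but not
    example.com or a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def review_cert(text, expected_host, now=None):
    """now: 'YYYY-MM-DD HH:MM:SS' string, or None for the current local time."""
    cert = parse_ssl_cert(text)
    at = datetime.strptime(now, TS_FORMAT) if now else datetime.now()
    names = cert["names"] or [cert.get("cn", "")]  # SAN takes precedence over the CN
    return {
        "hostname_ok": any(hostname_matches(n, expected_host) for n in names),
        "within_validity": cert["not_before"] <= at <= cert["not_after"],
        "rsa_key_too_small": cert.get("key_type") == "rsa" and cert.get("bits", 0) < 2048,
    }


if __name__ == "__main__":
    print(review_cert(SAMPLE, "www.paypal.com", "2012-01-01 00:00:00"))
    print(review_cert(SAMPLE, "192.168.78.202", "2014-01-01 00:00:00"))
```

For a service reached by IP address, as 192.168.78.202:1433 is in these notes, `hostname_ok` is false unless the address itself appears in the SAN, which is the "wrong hostname" finding; trust-chain validity (the "untrusted certificate" finding) is not visible in ssl-cert output and still needs a check against the organisation's CA bundle.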
Debug method enabled - HTTP OPTIONS
      Example Usage
-->nmap --script http-methods <target>
-->nmap --script http-methods --script-args http-methods.url-path='/website'
<target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open http     syn-ack
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
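Several findings in these notes are decided by reading one value out of an NSE block: the security layers in rdp-enum-encryption (NLA is enforced only when CredSSP is the sole accepted layer), "message_signing" in smb-security-mode, the "Valid credentials" lines of snmp-brute, and the verb list of http-methods. The block below is an added example (not part of the original notes and not nmap's code) with one small parser for the "| key: value" layout and a rule for each of those four outputs; the sample is constructed from the outputs quoted above, with TRACE added to the method list so the HTTP rule has something to flag, and which verbs count as risky is a policy choice made in `RISKY_METHODS`.

```python
"""Parse nmap NSE '| key: value' blocks and apply review rules for four findings."""
import re

# Constructed sample assembled from the script outputs quoted in the notes.
SAMPLE = """\
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP: SUCCESS
|     Native RDP: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: High
|     128-bit RC4: SUCCESS
|_    FIPS 140-1: SUCCESS
161/udp open snmp
| snmp-brute:
|   dragon - Valid credentials
|_  jordan - Valid credentials
80/tcp open http     syn-ack
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS TRACE
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

LINE_RE = re.compile(r"^\|[_ ]?(\s*)(.*)$")
RDP_LAYERS = ("CredSSP", "Native RDP", "SSL")
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT", "DEBUG"}


def parse_nse(text):
    """Return {script_name: [(indent, line), ...]} for every '| script:' block.
    A line without the '|' prefix (port line, 'Host script results:') ends a block."""
    scripts, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            current = None
            continue
        indent, body = len(m.group(1)), m.group(2).rstrip()
        if not body:
            continue
        if current is None or indent == 0:
            current = body.split(":", 1)[0]  # '| rdp-enum-encryption:' opens a block
            scripts[current] = []
        else:
            scripts[current].append((indent, body))
    return scripts


def lines_of(scripts, name):
    return [body for _indent, body in scripts.get(name, [])]


def nla_enforced(scripts):
    """True only if CredSSP succeeds and every other security layer is refused;
    'Native RDP: SUCCESS' or 'SSL: SUCCESS' means the login screen is reachable
    without NLA. None if the block is absent."""
    layers = {}
    for body in lines_of(scripts, "rdp-enum-encryption"):
        key, sep, value = body.partition(":")
        if sep and key.strip() in RDP_LAYERS:
            layers[key.strip()] = value.strip()
    if not layers:
        return None
    return layers.get("CredSSP") == "SUCCESS" and all(
        v != "SUCCESS" for k, v in layers.items() if k != "CredSSP")


def smb_signing_required(scripts):
    """smb-security-mode reports required, supported, or disabled (...)."""
    for body in lines_of(scripts, "smb-security-mode"):
        if body.startswith("message_signing:"):
            return body.split(":", 1)[1].strip().startswith("required")
    return None


def valid_communities(scripts):
    """Community strings snmp-brute confirmed; any hit is the finding."""
    return [body.split(" - ")[0] for body in lines_of(scripts, "snmp-brute")
            if body.endswith("Valid credentials")]


def risky_http_methods(scripts):
    for body in lines_of(scripts, "http-methods"):
        if body.startswith("Supported Methods:"):
            return sorted(set(body.split(":", 1)[1].split()) & RISKY_METHODS)
    return []


def review(text):
    scripts = parse_nse(text)
    return {
        "nla_enforced": nla_enforced(scripts),
        "smb_signing_required": smb_signing_required(scripts),
        "snmp_valid_communities": valid_communities(scripts),
        "risky_http_methods": risky_http_methods(scripts),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

Run `review()` over the normal nmap output of each host (`-oN` files work unchanged); a `None` means the relevant script did not run against that host, which is a different statement from "not vulnerable" and should be reported as such.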
IP forwarding
      Example Usage
sudo nmap -sn 192.168.78.254 --script ip-forwarding --script-args='target=www.amazon.com'
Script Output
| ip-forwarding:
|_ The host has ip forwarding enabled, tried ping against (www.example.com)