CASID

CURSO DE
AUDITORES
TURMA 2014

LABORATRIOS

CASID CIAW

LAB- 1
Laboratrio do Curso de Segurana Ofensiva
Scanning de Portas, Gerador de pacotes e
Nessus
1. NMAP
Opes Bsicas
-sT = Scaneia portas apenas do protocolo TCP.
-sU = Scaneia portas apenas do protocolo UDP.
-sS = Scaneia usando pacotes tcp com o flag SYN ativado.
-sA = Scaneia usando pacotes tcp com o flago ACK
ativado. timo para burlar a segurana de programas
firewalls e descobrir suas regras de filtragem.
-sP = Scan de ping. Varre uma grande faixa de ips usando
mensagens icmp echo request para determinar os hosts
ativos("alive") na(s) rede(s).
-P0 = No disparar o ping em scans. Serve para scannear
mquinas que bloqueiam trfego do protocolo icmp.
-O = Finger printing. Usado para obter informaes
remotas sobre o sistema operacional da vitima.
-sV = Obtm informaes do tipo de servio rodando em
uma porta especfica que esteja aceitando conexes. Essa
opo muito til para saber se uma verso antiga que
possa ser remotamente explorada com o uso de exploits
para invaso do sistema ou outros objetivos.
-p = Especifica uma faixa de portas, ou uma nica porta
de servio a ser scaneada.
-T0 at -T5
Ver:
http://www.vivaolinux.com.br/artigos/impressora.php?
codigo=13548

CASID CIAW

Sem parmetros
root@kali:~# nmap
Nmap 5.61TEST4 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:

Arquivos importantes em /usr/share/nmap/nmapservices (portas e probabilidade)

Escanear 172.16.50.40 (Windows2003-XAMP-ENG)
root@kali:~# nmap 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 17:48 BRT
Nmap scan report for 172.16.50.40
Host is up (1.0s latency).
Not shown: 991 closed ports
PORT
STATE SERVICE
21/tcp open
ftp
80/tcp open
http
135/tcp open
msrpc
139/tcp open
netbios-ssn
443/tcp open
https
445/tcp open
microsoft-ds
514/tcp filtered shell
1025/tcp open
NFS-or-IIS
3306/tcp open
mysql

deteco de S.O
root@kali:~# nmap -O 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:20 BRT
Nmap scan report for 172.16.50.40
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT
STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3306/tcp open mysql
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at
CASID CIAW
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds
root@kali:~#

Scanning UDP
root@kali:~# nmap -sU -vv -p1-200 172.16.50.20
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 23:57 BRT
Initiating Ping Scan at 23:57
Scanning 172.16.50.20 [4 ports]
Completed Ping Scan at 23:57, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:57
Completed Parallel DNS resolution of 1 host. at 23:57, 0.05s elapsed
Initiating UDP Scan at 23:57
Scanning 172.16.50.20 [200 ports]
Discovered open port 123/udp on 172.16.50.20
Discovered open port 137/udp on 172.16.50.20
Completed UDP Scan at 23:57, 1.25s elapsed (200 total ports)
Nmap scan report for 172.16.50.20
Host is up (0.0041s latency).
Scanned at 2012-06-25 23:57:10 BRT for 1s
Not shown: 196 closed ports
PORT STATE
SERVICE
123/udp open
ntp
137/udp open
netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
Raw packets sent: 206 (6.089KB) | Rcvd: 199 (11.364KB)

Scanear uma porta

root@kali:~# nmap -p T:139 172.16.50.20-40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:00 BRT
Nmap scan report for 172.16.50.20
Host is up (0.0021s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap scan report for 172.16.50.40
Host is up (0.0032s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap done: 21 IP addresses (2 hosts up) scanned in 2.69 seconds
root@kali:~#

CASID CIAW

Decoy ver tcpdump

root@kali:~# nmap -sS -D 1.1.1.1,2.2.2.2,3.3.3.3 172.16.50.40
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-22 09:05 EDT
Nmap scan report for 172.16.50.40
Host is up (0.0018s latency).
Not shown: 989 closed ports
PORT
STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1028/tcp open unknown
1029/tcp open ms-lsa
3306/tcp open mysql
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 3.24 seconds
root@kali:~#

Diretrio de Configurao - /usr/share/nmap/scripts/

CASID CIAW

Discovery OS - smb
root@kali:~# nmap 172.16.50.40 --script smb-os-discovery.nse
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-22 08:04 EDT
Nmap scan report for 172.16.50.40
Host is up (0.0014s latency).
Not shown: 989 closed ports
PORT
STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1028/tcp open unknown
1029/tcp open ms-lsa
3306/tcp open mysql
3389/tcp open ms-wbt-server
Host script results:
| smb-os-discovery:
| OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)
| OS CPE: cpe:/o:microsoft:windows_server_2003::sp1
| Computer name: cassio-trzocv4r
| NetBIOS computer name: CASSIO-TRZOCV4R
| Workgroup: WORKGROUP
|_ System time: 2014-04-22T09:04:56-03:00
Nmap done: 1 IP address (1 host up) scanned in 2.24 seconds

CASID CIAW

Enumerar Usurios do Windows 2000

root@kali:# nmap --script smb-enum-users.nse -p139 172.16.50.50
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:22 BRT
Nmap scan report for 172.16.50.50
Host is up (0.011s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
| smb-enum-users:
| WIN2KSQL01\Administrator (RID: 500)
|
Description: Built-in account for administering the computer/domain
|
Flags:
Password does not expire, Normal user account
| WIN2KSQL01\backup (RID: 1006)
|
Full name: backup
|
Flags:
Password does not expire, Normal user account
| WIN2KSQL01\Guest (RID: 501)
|
Description: Built-in account for guest access to the computer/domain
|
Flags:
Password not required, Password does not expire, Account
disabled, Normal user account
| WIN2KSQL01\IUSR_SRV2 (RID: 1002)
|
Full name: Internet Guest Account
|
Description: Built-in account for anonymous access to Internet Information
Services
|
Flags:
Password not required, Password does not expire, Normal user
account
| WIN2KSQL01\IWAM_SRV2 (RID: 1003)
|
Full name: Launch IIS Process Account
|
Description: Built-in account for Internet Information Services to start out of
process applications
|
Flags:
Password not required, Password does not expire, Normal user
account
| WIN2KSQL01\sqlusr (RID: 1005)
|
Full name: sqlusr
|
Flags:
Normal user account
| WIN2KSQL01\TsInternetUser (RID: 1000)
|
Full name: TsInternetUser
|
Description: This user account is used by Terminal Services.
|_ Flags:
Password not required, Password does not expire, Normal user

CASID CIAW

Verificar Vulnerabilidades SMB

root@kali:~# nmap -v -script=smb-check-vulns 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:31 BRT
NSE: Loaded 1 scripts for scanning.
Initiating Ping Scan at 00:31
Scanning 172.16.50.40 [4 ports]
Discovered open port 135/tcp on 172.16.50.40
Discovered open port 21/tcp on 172.16.50.40
Discovered open port 443/tcp on 172.16.50.40
Discovered open port 80/tcp on 172.16.50.40
Discovered open port 3306/tcp on 172.16.50.40
Discovered open port 1025/tcp on 172.16.50.40
Discovered open port 445/tcp on 172.16.50.40
Discovered open port 3389/tcp on 172.16.50.40
Discovered open port 139/tcp on 172.16.50.40
Completed SYN Stealth Scan at 00:31, 1.34s elapsed (1000 total ports)
NSE: Script scanning 172.16.50.40.
Initiating NSE at 00:31
Completed NSE at 00:31, 0.08s elapsed
Nmap scan report for 172.16.50.40
Host is up (0.0014s latency).
Not shown: 991 closed ports
PORT
STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3306/tcp open mysql
3389/tcp open ms-term-serv
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--scriptargs=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

CASID CIAW

LAB-2
NESSUS - scanner de vulnerabilidades
http://wiki.backbox.org/index.php/Nessus
1. Download Nessus
http://www.tenable.com/products/nessus/select-your-operating-system

32 bit or 64 bit option.

http://www.nessus.org/register

2. Instalar NESSUS
(32 or 64 bit version check the package name).

dpkg -i Nessus-5.2.1-debian6_amd64.deb

/etc/init.d/nessusd start (user admin, senha admin)

Acessar https://127.0.0.1:8834 e configurar o Nessus (criar

conta e ativar)
CASID CIAW

Link de Ativao
http://www.tenable.com/products/nessus/nessusplugins/obtain-an-activation-code

Acessar o Nessus https://172.16.50.30:8834

(usurio: admin, senha: admin)

Atualizar Nessus
root@kali:/opt/nessus/bin# /opt/nessus/sbin/nessus-update-plugins
Fetching the newest updates from nessus.org...
Done. The Nessus server will start processing these plugins within a minute
root@kali:/opt/nessus/bin#

CASID CIAW

10

Verificar a atualizao
root@kali:/opt/nessus/bin# locate plugin_feed_info
/opt/nessus/lib/nessus/plugins/plugin_feed_info.inc
/opt/nessus/var/nessus/.plugin_feed_info.inc
/opt/nessus/var/nessus/plugin_feed_info.inc
root@kali:/opt/nessus/bin# more
/opt/nessus/lib/nessus/plugins/plugin_feed_info.inc
PLUGIN_SET = "201404221015";
PLUGIN_FEED = "HomeFeed (Non-commercial use only)";
root@kali:/opt/nessus/bin#

Escanear 172.16.50.40

CASID CIAW

11

LAB-3
2. Wireshark
Verificar se filezilla (FTP Server) est rodando no XAMPENG

Startar o wireshark no Kali interno

Escolher uma interface de captura

CASID CIAW

12

Escolher interface eth0 (clicar em Start)

CASID CIAW

13

Do Kali tentar acessar o servio FTP

root@ubuntu:~# ftp 172.16.50.40
Connected to 172.16.50.40.
220-FileZilla Server version 0.9.32 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
Name (172.16.50.40:cassio): teste
331 Password required for teste
Password:
530 Login or password incorrect!
Login failed.

Aps concluir a tentativa de acesso no firewall parar a

captura no wireshark e ver pacotes capturados no Kali
interno

Ver toda a sesso FTP - boto direito em qualquer pacote

da sesso FTP (Follow TCP Stream)

CASID CIAW

14

Verificar senha capturada

CASID CIAW

15

Abrir no Kali os arquivos que esto localizados na

rea de trabalho
- ftp.pcap
- voip01.pcap

CASID CIAW

16