Oct 13, 2017

Converting nmap output to CSV (handling newline characters)

nmap output is best turned into CSV by passing it through a filter like the one below.
Who knew perl could make it this tidy!!

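% vi filter-nmap.sh
#!/bin/sh
# Join every line with ", ", then start a new record at each host header.
# GNU sed: \n in the replacement inserts a newline.
perl -pe 's/\n/, /g' | \
    sed 's/Nmap.scan.report.for./_______________\n\n/g' | \
    sed 's/Host is up//g' | \
    sed 's/|  //g'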

Usage example
% nmap --script=smb-os-discovery,smb-vuln-ms17-010 \
    -Pn -p80,139,445 --scan-delay 1 192.168.1.0/24 > file1

% cat file1 | ./filter-nmap.sh > file1.csv
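
The filter above joins every line with ", ", so a comma inside script output shifts the columns. As an added example (not part of the original post), this awk variant emits one quoted CSV row per host; the function names and the sample scan text are constructed for illustration.

```shell
# Added example: one CSV row per host, every field double-quoted.
nmap_to_csv() {
    awk '
    function emit() { if (host != "") print row; host = ""; row = "" }
    function q(s)   { gsub(/"/, "\"\"", s); return "\"" s "\"" }
    /^Nmap scan report for / {          # a new host starts a new row
        emit()
        host = substr($0, length("Nmap scan report for ") + 1)
        row = q(host)
        next
    }
    host == ""                  { next }  # banner before the first host
    /^(Host is up|PORT |Nmap done)/ || /^$/ { next }  # noise lines
    {
        line = $0
        sub(/^[|_ ]+/, "", line)        # NSE tree prefixes such as "|  " and "|_"
        gsub(/[ \t]+/, " ", line)       # collapse column padding
        sub(/ $/, "", line)
        if (line != "") row = row "," q(line)
    }
    END { emit() }
    '
}
# Constructed sample in nmap normal output format (not real scan data).
sample_scan() {
    cat <<'EOF'
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-13 10:00 JST
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601, Service Pack 1
|_  NetBIOS computer name: PC01

Nmap scan report for 192.168.1.11
Host is up (0.0020s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (2 hosts up) scanned in 300.00 seconds
EOF
}
sample_scan | nmap_to_csv
```

On real data, replace the last line with `nmap_to_csv < file1 > file1.csv`.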

Reference
 ・Command to replace newlines (\n) with spaces (2015/10/29)

--> Added 10/17

For example, when using the scripts below, it helps to pass their output through the filter described above.


### http-vuln-cve2012-1823
nmap -sV --script http-vuln-cve2012-1823 <target>
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>

User Summary:
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823.
This critical vulnerability allows attackers
to retrieve source code and execute code remotely.

The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers 
return colour syntax highlighted source.
We use the pattern "<span style=.*>&lt;?" to detect vulnerable installations.


### http-vuln-cve2015-1427
nmap --script=http-vuln-cve2015-1427 --script-args command='ls' <targets>

User Summary:
This script attempts to detect a vulnerability, CVE-2015-1427,
which allows attackers to leverage features of this API 
to gain unauthenticated remote code execution (RCE).

Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have a vulnerability 
in the Groovy scripting engine.
The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox
and execute shell commands as the user running the Elasticsearch Java VM.


### http-vuln-cve2015-1635
nmap -p80 --script http-vuln-cve2015-1635.nse <target>

User Summary:
Checks for a remote code execution vulnerability (MS15-034) 
in Microsoft Windows systems (CVE-2015-1635).

The script sends a specially crafted HTTP request with no impact on the system 
to detect this vulnerability.
The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, 
Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.


### http-vuln-cve2017-5638
nmap -p <port> --script http-vuln-cve2017-5638 <target>

User Summary:
Detects whether the specified URL is vulnerable 
to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).


### http-vuln-cve2017-5689
nmap -p 16992 --script http-vuln-cve2017-5689 <target>

User Summary:
Detects if a system with Intel Active Management Technology
is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE-2017-5689).

This script determines if a target is vulnerable by attempting to perform digest authentication
with a blank response parameter. If the authentication succeeds, 
a HTTP 200 response is received.

        Improper access restriction vulnerability in Intel Active Management Technology (AMT)

### http-vuln-cve2017-8917
nmap --script http-vuln-cve2017-8917 -p 80 <target>

User Summary:
An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 
allows for unauthenticated users to execute arbitrary SQL commands.
    ...


### smb-vuln-cve-2017-7494
nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 <target>

User Summary:
Checks if target machines are vulnerable 
to the arbitrary shared library load vulnerability CVE-2017-7494.

Unpatched versions of Samba from 3.5.0 to 4.4.13, and versions prior to 4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code execution, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
    ...
The script checks the preconditions for the exploit to happen:

    1) If the argument check-version is applied, the script will ONLY check services
       running potentially vulnerable versions of Samba,
       and run the exploit against those services.
    ...


### smb-vuln-ms10-061
nmap  -p 445 <target> --script=smb-vuln-ms10-061

User Summary:
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.

This vulnerability was used in Stuxnet worm.
The script checks for the vuln in a safe way without a possibility of crashing the remote system as this is not a memory corruption vulnerability.
In order for the check to work it needs access to at least one shared printer on the remote system.
By default it tries to enumerate printers by using LANMAN API which on some systems is not available by default.
In that case user should specify printer share name as printer script argument.
To find a printer share, smb-enum-shares can be used.
Also, on some systems, accessing shares requires valid credentials which can be specified with smb library arguments smbuser and smbpassword.


### smb2-vuln-uptime
nmap -O --script smb2-vuln-uptime <target>

nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>

User Summary:
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.

SMB2 protocol negotiation response returns the system boot time pre-authentication.
This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs.

Remember that a rebooted system may still be vulnerable.
This check only reveals unpatched systems based on the uptime; no additional probes are sent.


### rdp-vuln-ms12-020
nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

User Summary:
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.

The Microsoft bulletin MS12-020 patches two vulnerabilities:
CVE-2012-0152 which addresses a denial of service vulnerability inside Terminal Server, and
CVE-2012-0002 which fixes a vulnerability in Remote Desktop Protocol.
Both are part of Remote Desktop Services.

        MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

