nmapの出力は、こんなフィルタを通して、CSV化する
perl を使うと、こんなにスッキリ書けるのか!!
% vi filter-nmap.sh
perl -pe 's/\n/, /g'
sed s/Nmap.scan.report.for./______
sed 's/Host is up//g'
sed 's/| //g'
使用例
%nmap –script=smb-os-discovery,smb-
–Pn –p80,139,445 –scan-delay 1 192.168.1.0/24 > file1
%cat file1 | ./filter-nmap.sh > file1.csv
参考にしたところ
・改行(\n)をスペースに置換するコマンド (2015/10/29)
--> 10/17追記
例えば、下記のスクリプト利用の際、前述フィルタを通してやると良い
### http-vuln-cve2012-1823
nmap -sV --script http-vuln-cve2012-1823 <target>
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/
User Summary:
Detects ◆PHP-CGI installations that are vulnerable to CVE-2012-1823,
This critical vulnerability allows attackers
to retrieve source code and execute code remotely.
The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers
return colour syntax highlighted source.
We use the pattern "<span style=.*><?" to detect vulnerable installations.
### http-vuln-cve2015-1427
nmap --script=http-vuln-cve2015-
User Summary:
This script attempts to detect a vulnerability, CVE-2015-1427,
which allows attackers to leverage features of this API
to gain unauthenticated remote code execution (RCE).
◆Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have a vulnerability
in the Groovy scripting engine.
The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox
and execute shell commands as the user running the Elasticsearch Java VM.
http-vuln-cve2015-1635
nmap -p80 --script http-vuln-cve2015-1635.nse <target>
User Summary:
Checks for a remote code execution vulnerability (MS15-034)
in Microsoft Windows systems (CVE2015-2015-1635).
The script sends a specially crafted HTTP request with no impact on the system
to detect this vulnerability.
The affected versions are Windows 7, Windows Server 2008 R2, Windows 8,
Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.
http-vuln-cve2017-5638
nmap -p <port> --script http-vuln-cve2017-5638 <target>
User Summary:
Detects whether the specified URL is vulnerable
to ◆the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).
http-vuln-cve2017-5689
nmap -p 16992 --script http-vuln-cve2017-5689 <target>
User Summary:
Detects if a system with ◆Intel Active Management Technology
is vulnerable to the INTEL-SA-00075 privilege escalation vulnerability (CVE2017-5689).
This script determines if a target is vulnerable by attempting to perform digest authentication
with a blank response parameter. If the authentication succeeds,
a HTTP 200 response is received.
Intel Active Management Technology (AMT) にアクセス制限不備の脆弱性
### http-vuln-cve2017-8917
nmap --script http-vuln-cve2017-8917 -p 80 <target>
User Summary:
An SQL Injection vulnerability affecting ◆Joomla! 3.7.x before 3.7.1
allows for unauthenticated users to execute arbitrary SQL commands.
...
smb-vuln-cve-2017-7494
nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-
User Summary:
Checks if target machines are vulnerable
to the arbitrary shared library load vulnerability CVE-2017-7494.
Unpatched versions of ◆Samba from 3.5.0 to 4.4.13, and versions prior to 4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code execution, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
...
The script checks the preconditions for the exploit to happen:
1) If the argument check-version is applied, the script will ONLY check services
running potentially vulnerable versions of Samba,
and run the exploit against those services.
...
smb-vuln-ms10-061
nmap -p 445 <target> --script=smb-vuln-ms10-061
User Summary:
Tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
This vulnerability was used in Stuxnet worm.
The script checks for the vuln in a safe way without a possibility of crashing the remote system as this is not a memory corruption vulnerability.
In order for the check to work it needs access to at least ◆one shared printer on the remote system.
By default it tries to enumerate printers by using LANMAN API which on some systems is not available by default.
In that case user should specify printer share name as printer script argument.
To find a printer share, smb-enum-shares can be used.
Also, on some systems, accessing shares requires valid credentials which can be specified with smb library arguments smbuser and smbpassword.
smb2-vuln-uptime
nmap -O --script smb2-vuln-uptime <target>
nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>
User Summary:
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.
SMB2 protocol negotiation response returns the system boot time pre-authentication.
This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs.
Remember that a rebooted system may still be vulnerable.
This check only reveals unpatched systems based on the uptime, no additional probes are sent
rdp-vuln-ms12-020
nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>
User Summary:
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.
The Microsoft bulletin MS12-020 patches two vulnerabilities:
CVE-2012-0152 which addresses a denial of service vulnerability inside ◆Terminal Server, and
CVE-2012-0002 which fixes a vulnerability in ◆Remote Desktop Protocol.
Both are part of Remote Desktop Services.
MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
No comments:
Post a Comment