Friday, February 3, 2017

Metasploitable 3 - OpenVAS Vulnerability Scan

Metasploitable 3

Vulnerability Scan with OpenVAS


Before this post I was exploiting vulnerabilities I found by researching the nmap results, so I decided to go a little further and run a vulnerability scanner to get more information about the metasploitable3 server, using the openvas plugin included with Metasploit, from the msfconsole.

As seen in the OpenVAS website:


About OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 47,000 in total (as of June 2016).
All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL).

Load the openvas module in metasploit

msf > load openvas

[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] 
[*] OpenVAS integration requires a database connection. Once the 
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*] 
[*] Successfully loaded plugin: OpenVAS
msf > 


Let's see what commands are available (type openvas_ and press Tab twice):
msf > openvas_
openvas_config_list           openvas_report_delete         openvas_target_list           openvas_task_resume_or_start
openvas_connect               openvas_report_download       openvas_task_create           openvas_task_start
openvas_debug                 openvas_report_import         openvas_task_delete           openvas_task_stop
openvas_disconnect            openvas_report_list           openvas_task_list             openvas_version
openvas_format_list           openvas_target_create         openvas_task_pause            
openvas_help                  openvas_target_delete         openvas_task_resume           



Connect to OpenVAS from metasploit


msf > openvas_connect 
[*] Usage:
[*] openvas_connect username password host port <ssl-confirm>
msf > openvas_connect <USER> <PASSWORD> 127.0.0.1 9390

And create a target, in this case my metasploitable3 server

msf > openvas_target_create 
[*] Usage: openvas_target_create <name> <hosts> <comment>

msf > openvas_target_create metasploitable3 10.20.10.23 "Metasploitable 3"
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name             Hosts        Max Hosts  In Use  Comment
--                                    ----             -----        ---------  ------  -------
66d42758-5aec-40c6-91cc-647e9bc27734  metasploitable3  10.20.10.23  1          1       Metasploitable 3
b493b7a8-7489-11df-a3ec-002264764cea  Localhost        localhost    1          0   


OpenVAS ships with several predefined scan configurations; depending on the purpose of the scan, a different set of Network Vulnerability Tests (NVTs) is enabled:

empty: Empty and static configuration template.
Discovery: Network Discovery scan configuration.
Full and fast: Most NVT's; optimized by using previously collected information.
Full and fast ultimate: Most NVT's including those that can stop services/hosts; optimized by using previously collected information.
Full and very deep: Most NVT's; don't trust previously collected information; slow.
Full and very deep ultimate: Most NVT's including those that can stop services/hosts; don't trust previously collected information; slow.
Host Discovery: Network Host Discovery scan configuration.
System Discovery: Network System Discovery scan configuration.
msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs

ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast


Since I'm not worried about being blocked or detected by an IDS, I chose the Full and very deep ultimate configuration to create my scanning task:
msf > openvas_task_create 

[*] Usage: openvas_task_create <name> <comment> <config_id> <target_id>
msf > openvas_task_create metasploitable3 "Full and very deep ultimate" 74db13d6-7489-11df-91b9-002264764cea 66d42758-5aec-40c6-91cc-647e9bc27734
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] 488384b9-2e40-4ea4-8c43-bfe978440280
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment                      Status  Progress
--                                    ----             -------                      ------  --------
488384b9-2e40-4ea4-8c43-bfe978440280  metasploitable3  Full and very deep ultimate  New     -1

And I run my new task:

msf > openvas_task_start 488384b9-2e40-4ea4-8c43-bfe978440280
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>b1ebe60c-577e-4cdb-8ead-4d09e6474835</report_id></start_task_response></X>

And wait...

msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment                      Status   Progress
--                                    ----             -------                      ------   --------
488384b9-2e40-4ea4-8c43-bfe978440280  metasploitable3  Full and very deep ultimate  Running  1


msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment                      Status   Progress
--                                    ----             -------                      ------   --------
488384b9-2e40-4ea4-8c43-bfe978440280  metasploitable3  Full and very deep ultimate  Running  4

With access to the Greenbone Security Assistant (the web GUI for OpenVAS, usually listening on TCP port 9392) I can also follow the progress of the task.

Task Progress in Greenbone for OpenVAS
At 98% progress we can already see very interesting results, including a few vulnerabilities I exploited before.

98% Scan Progress
And we're done...

msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name             Comment                      Status  Progress
--                                    ----             -------                      ------  --------
488384b9-2e40-4ea4-8c43-bfe978440280  metasploitable3  Full and very deep ultimate  Done    -1

Now I import the report into Metasploit to populate my vulns table.
OpenVAS supports several report formats and we need to know the ID of the format we want to use, in this case XML, because it is one of the two formats the import command supports.

msf > openvas_format_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats

ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v1.1.10.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.

msf > openvas_report_import 
[*] Usage: openvas_report_import <report_id> <format_id>
[*] Only the NBE and XML formats are supported for importing.


msf > openvas_report_list
[+] OpenVAS list of reports

ID                                    Task Name        Start Time            Stop Time
--                                    ---------        ----------            ---------
b1ebe60c-577e-4cdb-8ead-4d09e6474835  metasploitable3  2017-02-01T03:59:09Z  2017-02-01T04:26:37Z

And I got an error... 👎 It seems the openvas-omp Ruby gem hasn't been updated since 2011 😣

msf > openvas_report_import b1ebe60c-577e-4cdb-8ead-4d09e6474835 a994b278-1f62-11e1-96ac-406186ea4fc5
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
[*] Importing report to database.
[-] Error while running command openvas_report_import: undefined method `split' for nil:NilClass

Call stack:
/usr/share/metasploit-framework/lib/rex/parser/openvas_nokogiri.rb:100:in `end_element'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/nokogiri-1.7.0.1/lib/nokogiri/xml/sax/document.rb:127:in `end_element_namespace'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/nokogiri-1.7.0.1/lib/nokogiri/xml/sax/parser.rb:112:in `parse_with'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/nokogiri-1.7.0.1/lib/nokogiri/xml/sax/parser.rb:112:in `parse_memory'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/nokogiri-1.7.0.1/lib/nokogiri/xml/sax/parser.rb:84:in `parse'
/usr/share/metasploit-framework/lib/msf/core/db_manager/import/open_vas.rb:11:in `import_openvas_new_xml'
/usr/share/metasploit-framework/lib/msf/core/db_manager/import.rb:95:in `import'
/usr/share/metasploit-framework/plugins/openvas.rb:529:in `cmd_openvas_report_import'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:430:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:392:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:386:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:386:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:205:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:48:in `<main>'

The first part is just that annoying 'deprecated' message I've been getting; that's an easy fix, just edit

/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb

go to line 201 and replace timeout with Timeout.timeout.

Replace timeout with Timeout.timeout
The other one seems to be a real problem: the db_import functionality is not able to import my OpenVAS XML report. It might be something wrong with my report, a bug in db_import, or in how split is used in /usr/share/metasploit-framework/lib/rex/parser/openvas_nokogiri.rb:100.

It breaks at line 100
I've opened an issue on GitHub for now.
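As an added Ruby example (not Metasploit's parser and not from the original post), here is a nil-safe conversion of OpenVAS XML results into the host/port/name/refs records the vulns table shows. The sample report is constructed and assumes the OMP report layout (host, port, nvt/name, nvt/cve, nvt/bid); the point is that every split runs on a String, so a result missing an element degrades gracefully instead of raising "undefined method `split' for nil".

```ruby
require 'rexml/document'

# Constructed sample in the OMP report layout, modelled on the post's scan of
# 10.20.10.23. The third result has no <port> and only NOCVE filler, the shape
# that trips a bare split on a missing element.
SAMPLE_REPORT = <<~XML
  <report id="b1ebe60c-577e-4cdb-8ead-4d09e6474835">
    <results>
      <result id="r1">
        <host>10.20.10.23</host><port>21/tcp</port>
        <nvt><name>Microsoft Windows IIS FTP Server DOS Vulnerability</name>
             <cve>CVE-2010-3972</cve><bid>45542</bid></nvt>
      </result>
      <result id="r2">
        <host>10.20.10.23</host><port>9200/tcp</port>
        <nvt><name>Elastisearch Remote Code Execution Vulnerability</name>
             <cve>CVE-2014-3120</cve><bid>NOBID</bid></nvt>
      </result>
      <result id="r3">
        <host>10.20.10.23</host>
        <nvt><name>Service detection</name><cve>NOCVE</cve></nvt>
      </result>
    </results>
  </report>
XML

# Text of the first element matching path under elem, or "" when absent.
# Always returning a String (never nil) is what keeps the later splits safe.
def text_of(elem, path)
  node = elem.elements[path]
  node ? node.text.to_s.strip : ''
end

# Turn a comma-separated CVE or BID list into Metasploit-style refs, dropping
# the NOCVE/NOBID fillers OpenVAS emits when an NVT has no reference.
def split_refs(value, prefix)
  value.split(',').map(&:strip)
       .reject { |v| v.empty? || %w[NOCVE NOBID].include?(v) }
       .map { |v| v.start_with?(prefix) ? v : "#{prefix}-#{v}" }
end

# One hash per <result>: {host:, port:, proto:, name:, refs:}. A missing or
# "general/tcp" port maps to 0, i.e. a host-level rather than service finding.
def parse_openvas_results(xml)
  doc = REXML::Document.new(xml)
  doc.elements.to_a('//results/result').map do |r|
    port, proto = text_of(r, 'port').split('/')   # "21/tcp" -> ["21", "tcp"]
    refs = split_refs(text_of(r, 'nvt/cve'), 'CVE') +
           split_refs(text_of(r, 'nvt/bid'), 'BID')
    { host: text_of(r, 'host'), port: port.to_i, proto: proto || 'tcp',
      name: text_of(r, 'nvt/name'), refs: refs }
  end
end
```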


But no worries, we can still import an older report I had that imported fine but didn't catch all the vulns:

msf > openvas_report_list
[+] OpenVAS list of reports

ID                                    Task Name        Start Time            Stop Time
--                                    ---------        ----------            ---------
0a8443d2-a8f3-4ae3-a905-8a2f8329e266  metasploitable3  2017-01-31T03:42:32Z  2017-01-31T04:25:38Z
b1ebe60c-577e-4cdb-8ead-4d09e6474835  metasploitable3  2017-02-01T03:59:09Z  2017-02-01T04:26:37Z

msf > openvas_report_import 0a8443d2-a8f3-4ae3-a905-8a2f8329e266 a994b278-1f62-11e1-96ac-406186ea4fc5
[*] Importing report to database.

And my workspace is now populated:

msf > hosts

Hosts
=====

address      mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------      ---  ----  -------  ---------  -----  -------  ----  --------
10.20.10.23             Unknown                    device         

msf > services 

Services
========

host         port  proto  name  state  info
----         ----  -----  ----  -----  ----
10.20.10.23  21    tcp          open   
10.20.10.23  22    tcp          open   
10.20.10.23  80    tcp          open   
10.20.10.23  1617  tcp          open   
10.20.10.23  4848  tcp          open   
10.20.10.23  8022  tcp          open   
10.20.10.23  8080  tcp          open   
10.20.10.23  9200  tcp          open   

msf > vulns
[*] Time: 2017-02-03 06:07:40 UTC Vuln: host=10.20.10.23 name=Microsoft Windows IIS FTP Server DOS Vulnerability refs=CVE-2010-3972,BID-45542 
[*] Time: 2017-02-03 06:07:40 UTC Vuln: host=10.20.10.23 name=MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) refs=CVE-2015-1635 
[*] Time: 2017-02-03 06:07:40 UTC Vuln: host=10.20.10.23 name=Elastisearch Remote Code Execution Vulnerability refs=CVE-2014-3120 

Unfortunately this import is not as good as the nmap one I did before.
Next time I will do the same with Nessus Free, and again with Nexpose Community.
