Archive for May 7th, 2020

Using Nmap As a Lightweight Vulnerability Scanner, (Fri, May 8th)

Yesterday, Bojan wrote a nice diary[1] about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports. When I read Bojan’s diary, it reminded me of an old article[2] that I wrote on my blog a long time ago. The idea was to use Nmap as a lightweight vulnerability scanner. Nmap has a scan type that tries to determine the service/version information running behind an open port (enabled with the ‘-sV’ flag). Based on this information, the script looks for matching CVEs in a flat-file database. Unfortunately, the script was developed by a third-party developer and was never integrated into the official list of scripts.

However, a second project was kicked off and integrated into Nmap: The vulners[3] script. The principle is the same: You scan the host (with ‘-sV’) and, for each identified service, the script performs a lookup in the CVE database. Example:

[email protected]:~# nmap -sV --script=vulners -v x.x.x.x
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 17:28 CEST
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:28
Completed NSE at 17:28, 0.00s elapsed
Initiating NSE at 17:28
Completed NSE at 17:28, 0.00s elapsed
Initiating Ping Scan at 17:28
Scanning x.x.x.x [4 ports]
Completed Ping Scan at 17:28, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:28
Completed Parallel DNS resolution of 1 host. at 17:28, 2.17s elapsed
Initiating SYN Stealth Scan at 17:28
Scanning x.x.x.x [1000 ports]
Discovered open port 443/tcp on x.x.x.x
Discovered open port 3389/tcp on x.x.x.x
Discovered open port 445/tcp on x.x.x.x
Discovered open port 21/tcp on x.x.x.x
Discovered open port 3306/tcp on x.x.x.x
Discovered open port 135/tcp on x.x.x.x
Discovered open port 139/tcp on x.x.x.x
Discovered open port 80/tcp on x.x.x.x
Discovered open port 49158/tcp on x.x.x.x
Discovered open port 3800/tcp on x.x.x.x
Discovered open port 49160/tcp on x.x.x.x
Discovered open port 49154/tcp on x.x.x.x
Discovered open port 49152/tcp on x.x.x.x
Discovered open port 49153/tcp on x.x.x.x
Discovered open port 49155/tcp on x.x.x.x
Discovered open port 49157/tcp on x.x.x.x
Completed SYN Stealth Scan at 17:28, 5.58s elapsed (1000 total ports)
Initiating Service scan at 17:28
Scanning 16 services on x.x.x.x
Service scan Timing: About 56.25% done; ETC: 17:30 (0:00:44 remaining)
Completed Service scan at 17:30, 84.04s elapsed (16 services on 1 host)
NSE: Script scanning x.x.x.x.
Initiating NSE at 17:30
Completed NSE at 17:30, 6.91s elapsed
Initiating NSE at 17:30
Completed NSE at 17:30, 1.55s elapsed
Nmap scan report for x.x.x.x
Host is up (0.19s latency).
Not shown: 984 closed ports
PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                FileZilla ftpd 0.9.41 beta
80/tcp    open  http               Apache httpd 2.4.17 ((Win32) OpenSSL/1.0.2d PHP/5.6.20)
|_http-server-header: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.20
| vulners:
|   cpe:/a:apache:http_server:2.4.17:
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
443/tcp   open  ssl/http           Apache httpd 2.4.17 ((Win32) OpenSSL/1.0.2d PHP/5.6.20)
|_http-server-header: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.20
| vulners:
|   cpe:/a:apache:http_server:2.4.17:
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql              MariaDB (unauthorized)
3389/tcp  open  ssl/ms-wbt-server?
3800/tcp  open  tcpwrapped
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
Initiating NSE at 17:30
Completed NSE at 17:30, 0.00s elapsed
Initiating NSE at 17:30
Completed NSE at 17:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.83 seconds
           Raw packets sent: 1022 (44.944KB) | Rcvd: 1001 (40.108KB)

The difference between the two scripts is the way they search for CVEs. In this case, the script requires Internet access to query the Vulners API[4].

Note that the script accepts one parameter: You can specify the minimum CVSS (“Common Vulnerability Scoring System”) score to display:

[email protected]:~# nmap -sV --script=vulners --script-args mincvss=8 x.x.x.x

Once you have some results, the next goal could be to process them automatically. Let’s use a few lines of Python (with the python-libnmap module) to parse the Nmap XML output (created via the ‘-oX’ flag):

[email protected]:~# nmap -sV --script=vulners -oX x.x.x.x.xml  x.x.x.x
[email protected]:~# python3
Python 3.7.7 (default, Mar 10 2020, 13:18:53)
[GCC 9.2.1 20200306] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from libnmap.parser import NmapParser
>>> p = NmapParser.parse_fromfile("x.x.x.x.xml")
>>> for host in p.hosts:
...   for svc in host.services:
...     for script in svc.scripts_results:
...       output = script.get("output")
...       print(output)
...

  cpe:/a:microsoft:sql_server:2014:
        CVE-2015-1763   8.5     https://vulners.com/cve/CVE-2015-1763
        CVE-2015-1762   7.1     https://vulners.com/cve/CVE-2015-1762
        CVE-2020-0618   6.5     https://vulners.com/cve/CVE-2020-0618
        CVE-2019-1068   6.5     https://vulners.com/cve/CVE-2019-1068
        CVE-2016-7253   6.5     https://vulners.com/cve/CVE-2016-7253
        CVE-2016-7250   6.5     https://vulners.com/cve/CVE-2016-7250
        CVE-2015-1761   6.5     https://vulners.com/cve/CVE-2015-1761
        CVE-2017-8516   5.0     https://vulners.com/cve/CVE-2017-8516
        CVE-2014-1820   4.3     https://vulners.com/cve/CVE-2014-1820

Nice! So, we have a lightweight vulnerability scanner and we can automate the reporting. Another idea could be to perform a diff of a first scan – used as a baseline – and a second one performed at regular intervals. Ndiff[5] is a great tool to achieve this.

In conclusion, a tool can serve multiple purposes, offensive vs. defensive security!
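As an added example (not code from the diary), here is the parsing step done with the standard library’s xml.etree instead of python-libnmap, combined with the baseline idea above: it pulls the vulners CVE lines out of Nmap’s ‘-oX’ output, applies a minimum CVSS cut like the mincvss script-arg, and then reports only the CVEs that a baseline scan did not already contain. The host address and the XML fragments are constructed to mirror the output shown above.

```python
import re
import xml.etree.ElementTree as ET

# The vulners text block looks like the output above: a "cpe:/...:" heading
# followed by "CVE-ID  CVSS  URL" lines. Tokens are matched by position.
CPE_RE = re.compile(r"(cpe:/\S+):(?!\S)")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+(\d+(?:\.\d+)?)\s+(\S+)")

def parse_vulners_output(output):
    """Turn one vulners script result into a list of finding dicts."""
    tokens = [(m.start(), "cpe", m) for m in CPE_RE.finditer(output)]
    tokens += [(m.start(), "cve", m) for m in CVE_RE.finditer(output)]
    findings, current_cpe = [], None
    for _, kind, m in sorted(tokens, key=lambda t: t[0]):
        if kind == "cpe":
            current_cpe = m.group(1)  # CVEs that follow belong to this CPE
        else:
            findings.append({"cpe": current_cpe, "id": m.group(1),
                             "cvss": float(m.group(2)), "url": m.group(3)})
    return findings

def parse_nmap_xml(xml_text, mincvss=0.0):
    """Walk Nmap -oX output and return (host, port, cve, cvss) tuples,
    keeping only scores >= mincvss (the same cut the mincvss script-arg makes)."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script[@id='vulners']"):
                for f in parse_vulners_output(script.get("output", "")):
                    if f["cvss"] >= mincvss:
                        results.append((addr, int(port.get("portid")),
                                        f["id"], f["cvss"]))
    return results

def new_findings(baseline, current):
    """Ndiff-style view: findings in the latest scan that the baseline lacked,
    so a scheduled rescan only raises what changed."""
    return sorted(set(current) - set(baseline))

def make_scan_xml(cves):
    """Constructed -oX fragment for hypothetical host 192.0.2.10 with a vulners
    result on port 80. Nmap encodes newlines in the attribute as &#xa;."""
    lines = ["  cpe:/a:apache:http_server:2.4.17:"] + [
        f"    {cve}   {score}     https://vulners.com/cve/{cve}" for cve, score in cves]
    output = "&#xa;".join(lines)
    return ('<nmaprun scanner="nmap" version="7.80"><host>'
            '<address addr="192.0.2.10" addrtype="ipv4"/><ports>'
            '<port protocol="tcp" portid="80"><state state="open"/>'
            '<service name="http" product="Apache httpd" version="2.4.17"/>'
            f'<script id="vulners" output="{output}"/></port></ports></host></nmaprun>')

# A first scan kept as baseline, then a later scan that picked up one more CVE.
BASELINE = make_scan_xml([("CVE-2017-7679", "7.5"), ("CVE-2016-8612", "3.3")])
CURRENT = make_scan_xml([("CVE-2017-7679", "7.5"), ("CVE-2019-0211", "7.2"),
                         ("CVE-2016-8612", "3.3")])
NEW_SINCE_BASELINE = new_findings(parse_nmap_xml(BASELINE), parse_nmap_xml(CURRENT))
```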

[1] https://isc.sans.edu/forums/diary/Scanning+with+nmaps+NSE+scripts/26096/
[2] https://blog.rootshell.be/2010/06/03/vulnerability-scanner-within-nmap/
[3] https://github.com/vulnersCom/nmap-vulners
[4] https://vulners.com/api/v3/
[5] https://nmap.org/ndiff/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Keeping Kids Safe Online – During and After COVID

COVID has forced schools across the country to shut down and move their education online. As living rooms turned into classrooms, it has become critical for parents to understand that their children need similar safety precautions with the Internet as they would out in public.

With kids’ increased online presence, there are a number of available resources at your disposal to better educate children and adults on practicing safe Internet hygiene. COVID aside, these best practices will be beneficial for us to follow even if and when schools reopen.

Below are a few actions we can take to protect kids online.

  • Have an open and honest conversation with your kid about what information can or should not be shared online. See here for a link to some examples of Personally Identifiable Information (PII) they should keep private.
  • Adjust the privacy settings and parental controls of the applications and websites that your child is using. Enabling safe search and keeping your webcam covered when not in use are another easy layer of protection.
  • Encourage and monitor appropriate behavior online – stress to them that what they share online can potentially remain on the Internet forever.

These past few months have been an adjustment period for everyone, but teaching your kids to practice being #CyberSafe will ultimately benefit them in the long run. 

Additional links for your reference:

Cyberbullying Resources from Clark County School District

Free At-Home Cyber Best Practices & Activities from NICERC and Dept of Homeland Security

Nevada Attorney General on Internet Safety


Scanning with nmap’s NSE scripts, (Thu, May 7th)

If someone asked me 7 or 8 years ago what I use nmap for, my answer would be: simple port scanning – it’s a port scanner, and that’s what it should be used for. Boy was I wrong.

As some of our readers certainly know, nmap includes the Nmap Scripting Engine (NSE), which turns nmap into much more than a scanner – it allows creation of scripts which can perform all sorts of actions. The scripts are written in the Lua programming language and nmap comes with many of them – the very latest SVN version comes with 601 NSE scripts.

While scripts can be updated separately, nmap is actually one of the rare tools I download, compile and install manually. The main reason is because with nmap we really do want to have the very latest version always – development is very active and new features and bugs are constantly added. Besides that, the whole compilation process is typically trivial.

Since I do a lot of network penetration tests, where quite often I need to scan large networks (and report on findings), I found some NSE scripts unbelievably useful – this diary will contain some of the top NSE scripts I use during penetration tests – let us know if you have other candidates!

SSL/TLS testing

There is a bunch of scripts that test for various SSL/TLS configuration issues. These are a must – if you are doing a penetration test or you simply want to check if you have servers supporting SSLv3 in your enterprise, these scripts will do the job.
I actually already wrote about SSL/TLS testing – so if you want to read those diaries please go here and here.

  • ssl-enum-ciphers – this script will enumerate supported protocols and cipher suites by the target web site. It will even give grades which are simulating what Qualys’ SSL Server Test web site does too. Just keep in mind that it does not support SSLv2 – for that we need another script …
  • sslv2 – you guessed it – this script will check if SSLv2 is supported by the target service.
  • ssl-cert – this script will retrieve information about the X.509 certificate used by the target service. It’s another handy script that allows you to retrieve certificates of all servers in your scope. Need to know which certificates expire soon? Just do a whole enterprise scan on TCP port 443 with ssl-cert and parse the output. Can’t get easier than that.
  • ssl-dh-params – this script checks if the target service is using weak Diffie-Hellman groups and parameters.

Here is one example of me checking the certificate on the isc.sans.edu web site:

Hmm, do you see something interesting here? Let us know.
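The ssl-cert use case above (scan TCP port 443 across the enterprise and pull out certificates that expire soon) is the kind of result worth parsing offline. The block below is an added example, not part of the diary: it reads ssl-cert results from Nmap’s -oX XML with the standard library and lists certificates expiring within a given window. The host, names and dates are constructed, and the element layout (subject/commonName, validity/notAfter with ISO timestamps) is my understanding of ssl-cert’s structured output, so check it against a real -oX file before relying on it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed Nmap -oX excerpt: one host with an ssl-cert result on 443.
# Host, names and dates are made up; the table/elem keys follow ssl-cert's
# structured output as assumed in the lead-in.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.80">
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-cert" output="Subject: commonName=www.example.test">
<table key="subject"><elem key="commonName">www.example.test</elem></table>
<table key="issuer"><elem key="commonName">Example Issuing CA</elem></table>
<table key="validity">
<elem key="notBefore">2020-01-15T00:00:00</elem>
<elem key="notAfter">2020-05-20T23:59:59</elem>
</table>
</script></port></ports></host></nmaprun>"""

TS = "%Y-%m-%dT%H:%M:%S"  # timestamp format ssl-cert is assumed to emit

def certificates(xml_text):
    """Yield (host, port, common_name, not_after) for every ssl-cert result."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script[@id='ssl-cert']"):
                cn = script.findtext(
                    "table[@key='subject']/elem[@key='commonName']", "(no CN)")
                not_after = script.findtext(
                    "table[@key='validity']/elem[@key='notAfter']")
                if not_after:  # skip results without a usable validity block
                    yield (addr, int(port.get("portid")), cn,
                           datetime.strptime(not_after, TS))

def expiring_soon(xml_text, today, days=30):
    """Certificates expiring within `days` of `today` ("YYYY-MM-DD"),
    already-expired ones included, as (host, port, cn, notAfter date)."""
    deadline = datetime.strptime(today, "%Y-%m-%d") + timedelta(days=days)
    return [(h, p, cn, na.strftime("%Y-%m-%d"))
            for h, p, cn, na in certificates(xml_text) if na <= deadline]
```

Run it over the XML of a `nmap -p 443 --script ssl-cert -oX certs.xml <scope>` scan to get the expiring list without reading the text output by hand.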

SMB testing

Issues in configuration of SMB services can be devastating – anyone who even remotely heard about Responder, Impacket and ntlmrelayx knows what I’m talking about. That’s why I think it is mandatory to check SMB configuration in every penetration test (and in your enterprises). Nmap comes to the rescue here, again with a number of great scripts:

  • smb-protocols – this script will check which SMB protocols are supported by the target server. If you see SMBv1 supported – that’s really bad.
  • smb-security-mode – the script will check for various information about the SMB security level. Besides checking for authentication, probably the most important configuration parameter is message signing – this shows if it is required by the target server or not. Whenever you see message signing not being required, this should be reported as a vulnerability (misconfiguration) since it will allow all those scary tools listed above (Responder etc) to be used by an attacker.
  • smb2-security-mode – the script checks whether message signing is enabled, but for the SMB2/3 protocols. Do not forget to use it if your target server supports only SMBv2.

I am running these scripts here against a server – we can see that it’s misconfigured because it supports SMBv1 (which should really be disabled everywhere), but at least it has message signing set to required:

HTTP scripts

There is a large number of HTTP scripts – 135 of them currently – so I suggest that you get familiar with what is available so you can use them when needed. That being said, there are a few cool scripts that I tend to run almost every time, just because they are so convenient:

  • http-apache-server-status – the Apache /server-status web page can often leak a lot of very sensitive information. I actually had cases where I completely compromised a target environment just based on leaked information I saw in the /server-status web page. That’s why I like to automatically check every single server for this web page, and this script will do that easily.
  • http-methods – the script identifies all supported methods. Handy in first phases of a penetration test.
  • http-shellshock – while Shellshock is a bit old now, internally it can still be found quite often. This script allows for an easy check if the target server is vulnerable to Shellshock.
  • http-robots.txt – another very handy script that will automatically retrieve contents of the /robots.txt file and display them. 

Again, this is very useful in cases when you need to check a large number of target servers – simply run the script against them and analyze the results offline.
Here I am running the http-robots.txt NSE script against isc.sans.edu:

Huh, look at those results, do you see anything suspicious there?

I hope you liked this selection of nmap NSE scripts – there are many, many other useful scripts. Let us know which ones are your favorites!
Ah yes – we cover nmap (of course) in the SEC 542 (Web application penetration testing and ethical hacking) course as well, in context of web application penetration tests, of course. There’s even time to sign up for the course next week – I’ll be teaching the new (updated) version of the course for the first time live.


Bojan
@bojanz
INFIGO IS
