nsploit: popping boxes using nmap - sector boxes with nmap… · waiting for commands to come in...

Ryan LinnSecTor 2009

Nsploit: Popping boxes using Nmap

Sunday, September 27, 2009

Agenda

Introduction

What is Nsploit

Why Nsploit

Nmap and NSE

Metasploit, XMLRPC, Meterpreter

Nsploit Dissected

Demos and Walkthroughs

Questions

Thanks


Introduction

Who am I?

Information Security Engineer at SAS

Writer for EthicalHacker.net

Contributed code to Metasploit and BeEF

Enjoy playing with tools and learning


What is Nsploit

Series of Lua scripts to allow Nmap to talk to Metasploit

Consists of 3 parts

Library

Triggers

Config File

Uses Nmap’s NSE to trigger Metasploit modules based on detected conditions during scanning


Why Nsploit

Curiosity To allow for targeted attacks to be launched

across multiple IPs To scan and trigger relevant exploits based on

NSE detection To use widely expanding vulnerability detection

Nmap modules and take it to the next level To be friendly enough not to burden exploit

developers In hopes that someone else may find something

even cooler to do with it


Nmap and NSE

Nmap (http://www.nmap.org) is a “utility for network exploration or security auditing” Allows for highly configurable port scanning and

OS detection

Has a built in scripting engine called NSE (Nmap Scripting Engine) using Lua

Has been expanding from port scanning to include scripts to do further detection of versioning and vulnerability detection

Part of most security folks arsenal


http://www.nmap.org/http://www.nmap.org/

Nmap and NSE

What is Lua and how does it work with Nmap ?

Lua is a lightweight, embeddable scripting engine developed by Pontifical Catholic University of Rio de Janeiro

Scripting language for World of Warcraft

Embedded into Nmap

Nmap contains Lua libraries to facilitate common tasks and to extend Nmap’s scanning power


Metasploit and XMLRPC

What is Metasploit

Framework for creating security tools and exploits (http://www.metasploit.com)

What is XMLRPC

XML based protocol for communicating between disparate systems

Frequently used over HTTP

In our case, it isn’t


http://www.metasploit.com/http://www.metasploit.com/http://www.metasploit.com/http://www.metasploit.com/

Meterpreter

What is Meterpreter

Metasploit payload that uses DLL injection and allows for advanced plugins and scripts to be executed on remote hosts.

Has ability to launch scripts

Windows only (for now)

Has the potential to dump hashes, impersonate users, manipulate processes, run commands

When used as a payload, can launch scripts automatically


Nsploit Dissected

Architecture

Metasploit with XMLRPC module enabled

○ Listening on a port (local or remote)

○ Waiting for commands to come in from Nmap

Nmap with NSE Libraries

○ NSE core library

○ NSE scripts that trigger Metasploit module execution

○ Config file to describe what gets called and to where


Nsploit Dissected

Components

Nsploit library

○ Facilitates trigger creation

○ Contains XMLRPC communication pieces

○ Basic class to call Metasploit modules

○ Limits amount of code required to launch module


Nsploit Dissected

Components

Nsploit triggers

○ NSE script

○ Contains or calls vulnerability detection logic

○ Called by Nmap based on port/service/protocol match

○ Act based on information discovered on own along with information discovered by Nmap


Nsploit Dissected

Components

Nsploit config file

○ Contains information about what to launch

○ What payloads to use (when appropriate)

○ Payload settings

○ OS Specific settings

○ XML format


Demos and Walkthroughs

Quick demo of things working

Overview of code layout

Examination of trigger module

Examination of config file

Features demo


Questions?

Code can be found at: http://www.happypacket.net

Blog: http://blog.happypacket.net

Twitter: @sussurro

Email: [email protected]


http://www.happypacket.net/http://www.happypacket.net/http://blog.happypacket.nethttp://blog.happypacket.net

Thanks

To you for coming

To SecTor organizers and staff

To Nmap and Metasploit teams

To all who helped with ideas and troubleshooting


nsploit: popping boxes using nmap - sector boxes with nmap… · waiting for commands to come in...

Documents

Advanced Mainframe Hacking · Nmap Scripting Engine (NSE) •Composed of Libraries and scripts •Over 530 scripts available •121 Libraries •Uses Lua . VANGUARD SECURITY & COMPLIANCE

NOMBRE SINOPSIS nmap especiﬁcación de objetivo · 2018. 10. 2. · NMAP(1) [FIXME: manual] NMAP(1) NOMBRE nmap − Herramienta de exploración de redes y de sondeo de seguridad

Automatizando o Nmap com NSE

Tutorial. Nmap IndiceEscanear nuestra Ip-----pag11 Programar nmap-----pag12. Introducción a Nmap Nmap (‘Network Mapper’), es una herramienta open source, diseñada para explorar

Manual Nmap

DIS10:Ethical Hacking and countermeasures - bytecode.inbytecode.in/hacking-landing-page/pdf/DIS10-1-Ethical-hacking-and... · • NMAP Scripting Engine(NSE SCRIPTS). • Network Sweeping-

nmap Paper

Nmap commands

Vip genial 3 ejercicios con nmap fantastico-231095402-nmap-1

Nmap: Scanning the Internet - Nmap - Free Security Scanner For

Nmap® Cookbook - Lagout system /linux/Nmap Cookbook The... · Improved Nmap Scripting Engine (NSE) for performing complex scanning tasks (see page 161) Addition of the Ndiff utility

EJECUCION NMAP

[kmasecurity.net] - Nmap

NMAP Tutorial

Curso Nmap

Nmap NSE development for offense and defense - … CON 24/DEF CON 24... · Nmap NSE development for offense and defense Agenda Introduction to the Nmap Scripting Engine Brief history

Creating Road Intersection MAP Data for MMITSS “ The NMAP File” Webinar #… · NMAP File Creation Workflow. 9 NMAP File Creation Workflow. ESRI ArcMAP Screen. 10 NMAP File Creation

Modul Nmap

Automatizando Nmap com NSE

Starting Nmap 6.40 ( ) at 2016-06-12 … · Starting Nmap 6.40 ( ) at 2016-06-12 11:50 Pacific Daylight Time NSE: Loaded 110 scripts for scanning. NSE: Script Pre-scanning

The Guide to Nmap - Nmap - Free Security Scanner For Network

Nsploit: Popping boxes using Nmap - SecTor 2018 boxes... · Nsploit: Popping boxes using Nmap Sunday, September 27, 2009. Agenda ... Lua is a lightweight, embeddable scripting engine

Nmap NSE development for offense and defense

root@nmap~#whoami. - Irongeek.com · Nmap Scripting Engine Metasploit Integration AV Evasion NSE Scripts: What, Where, Why and How Using Scripts like a boss for pentesting

Nmap basico

nmap perintah

Nmap NSE Hacking for IT Security Professionals

Nmap Guide

PerformanceEvaluationin High-SpeedNetworksbythe ... · TCPSYNﬂood hping3 UDPﬂood hping3 SYNscan nmap-sS SYNOS-scan nmap-sS-O UDPscan nmap-sU Userenumeration nmap. 14 PerformanceEvaluationinHigh-SpeedNetworksbytheExampleofIDS

Nmap NSE Hacking for IT Security Professionals Marc Ruef Security & Risk Conference November 3th - 6th 2010 Lucerne, Switzerland

CIS 700/002 : Special Topics : NMap · Introduction to NMap • Nmap: A free and open source utility for network discovery and security auditing • Nmap can check – what hosts

howto-linux-nmap - brazil.minnesota.edubrazil.minnesota.edu/examples/ex/howto-linux-nmap.pdf · This pdf shows the installation of nmap. basic nmap operation. and saving nmap output

Nmap basics

Automatizando o Nmap com NSE Tiago Natel de Moura

DEVELOPING AND CONNECTING ISSA … · But one of the most promising extensions of Nmap is the Nmap Scripting Engine (NSE) that is constantly being updat - ed with Lua scripts written