This time we'll continue the journey started in the previous post: creating a small 'semi-automated' tool to perform some 'basic' network pentests. In this case we'll focus (mostly ;)) on CVE-2021-20039 for SonicWall SMA. Here we go...
Today we'll start here:
Main idea:
This time my 'idea' was:
- read nmap's log in Ruby
- find banner/port for services (marked as 'open')
- connect to our Metasploit (MSFRPCd; mentioned here)
- using the msfrpcd API: find the PoC for the found banner and run it against the target host.
"Simple" - as usual. ;)
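The first step of that list, reading nmap's log in Ruby, is the part of the tool that a defender reuses most often (for example to check which hosts still expose a given product after a patch cycle). The script below is an added example, not the post's own code: it parses an `nmap -sV -oX` XML file with Ruby's standard REXML instead of the ruby-nmap gem, keeps only ports whose state is `open`, and builds the "product version" banner string that the later steps match against. The host address, ports and banners in the embedded XML are constructed sample data.

```ruby
# Added example (not the post's own script): parse an nmap XML log with the
# standard-library REXML parser and list open ports with their service banner.
require 'rexml/document'

# Constructed sample of `nmap -sV -oX` output for one host; the address and
# banners are made up for this example.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10" version="7.92">
    <host>
      <status state="up" reason="echo-reply"/>
      <address addr="192.0.2.10" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22">
          <state state="open" reason="syn-ack"/>
          <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
        </port>
        <port protocol="tcp" portid="80">
          <state state="closed" reason="reset"/>
          <service name="http" method="table" conf="3"/>
        </port>
        <port protocol="tcp" portid="443">
          <state state="open" reason="syn-ack"/>
          <service name="https" product="SonicWall SMA" method="probed" conf="10"/>
        </port>
      </ports>
    </host>
  </nmaprun>
XML

OpenService = Struct.new(:host, :port, :proto, :name, :product, :version) do
  # Banner in the "product version" form that the rest of the tool keys on.
  def banner
    [product, version].compact.join(' ')
  end
end

# Return one OpenService per port whose <state> is "open"; closed and
# filtered ports are skipped, as are hosts without an IPv4 address element.
def open_services(xml_text)
  doc = REXML::Document.new(xml_text)
  results = []
  doc.elements.each('nmaprun/host') do |host|
    addr_el = host.elements['address[@addrtype="ipv4"]']
    next unless addr_el
    host.elements.each('ports/port') do |port|
      state = port.elements['state']
      next unless state && state.attributes['state'] == 'open'
      svc = port.elements['service']
      results << OpenService.new(
        addr_el.attributes['addr'],
        port.attributes['portid'].to_i,
        port.attributes['protocol'],
        svc && svc.attributes['name'],
        svc && svc.attributes['product'],
        svc && svc.attributes['version']
      )
    end
  end
  results
end

# Case-insensitive substring match of a banner fragment against the open
# services, e.g. to list every host still exposing a particular product.
def find_banner(services, fragment)
  services.select { |s| s.banner.downcase.include?(fragment.downcase) }
end

if $PROGRAM_NAME == __FILE__
  # Read a real scan file if one is given on the command line, else the sample.
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_NMAP_XML
  open_services(xml).each do |s|
    puts "#{s.host}:#{s.port}/#{s.proto} #{s.name} #{s.banner}"
  end
end
```

Run it as `ruby nmap_open.rb scan.xml` against a real `-oX` file; with no argument it parses the embedded sample. The `state == 'open'` filter matters: nmap also records `closed` and `filtered` ports in the XML, and feeding those into a banner lookup produces false matches.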
Setup ENV:
To prepare an environment I used my Kali VM. To create a Ruby-based script for Metasploit you also need to install the msfrpc-client and ruby-nmap gems:
As a target machine I used vulnerable SonicWall SMA with default settings.
Manual exploitation of this CVE (using Metasploit) is pretty straightforward: find the PoC for the CVE, set RHOST/LHOST and run it to get a shell:
Shell we?
I decided to check whether I could achieve 'similar results' using the mentioned libraries (msfrpc-client and ruby-nmap):
Step-by-step:
As we should already have a working example of 'how to read nmap's log', let's go directly to the connection-to-MSF part. We should be somewhere here:
Moving forward, to find a specific PoC (read as: based on the banner we found in the previous step) in the Metasploit modules list:
The next step for me was to figure out how to set specific 'settings' for the specific PoC we'd like to use.
For my test-environment lab I decided to prepare a 'few' of the options we can find in the module(s) (like RHOST, USER_FILE, etc.) and hardcode them directly in the script ("for now" ;)). Like this:
The next step should be: run all the settings with our found module and wait for an RCE proof. Right?
Next:
As you can see, this 'small tool' still needs to be "modified" (to not call it 'rewritten' again ;)).
But it can already be used during pentest projects. An example (debug ;]) demo is presented below:
In case of any questions - you know how to find me.