Penetration Testing #2 - Vulnerability assessment lab from INE free course

Hi there!

Here is another step towards the goal of becoming a security specialist. Today we have a lab about vulnerability assessment, another phase in the cycle of a successful penetration test. Before exploitation, we need to understand where the weakest point in the whole targeted infrastructure is. To break into a network it is crucial to know which machines are vulnerable and how these security holes can be exploited to gain full access to a company. The INE free course provides a great lab for exactly this purpose. The exercise is called Nessus, after the tool we are supposed to use. After this short introduction, let's dig into hacking.

Nessus - vulnerability assessment lab


The goal of this lab is pretty simple: we have to find a machine inside the network and scan it with Nessus. The report generated afterwards lists all the possible vulnerabilities the host has. But we need to remember that this tool is not infallible: it can generate false positives, and we, as future security specialists, have to verify that the reported vulnerabilities really exist on the scanned machine.

The first step in this lab is to connect to the appropriate network using a VPN client and map it in order to find the machine to scan.

Connecting to the lab's network

At this moment we are inside the network and want to find the machine to break into. So the first thing is to check the local IP address of the network in order to launch Nmap. The ifconfig command is the best choice for this purpose.

The network's IP address

The lab's machine resides in the virtual private network, so the address of the tap0 interface is the appropriate one. The IP address of our network is 192.168.99.0. Now it's time to map the infrastructure with Nmap. At the moment, knowing which hosts are alive is sufficient, therefore I'm going to disable the port scan.

Network mapping - which hosts are alive?

There is only one other host up in the whole network, 192.168.99.50; the second one is our "local" machine. Now we know the address of the target and can scan it with Nmap once again, this time with the service detection option. The scan result gives us a good amount of information about the target, which will be useful for setting up Nessus.

Detection of services running on the machine

Now we know what we are dealing with. These ports are open on our target machine: 135, 139, 445. The operating system running on the machine is most likely Windows XP, or at least some incarnation of Windows. With all this in mind, we can now set up Nessus properly.
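To show what the mapping steps above actually produce, here is an added example (not part of the original post or the INE lab) that parses Nmap's -oX XML output: it picks the live hosts out of the ping sweep, lists the open services from the -sV scan, and flags the 135/139/445 triple as the cue for enabling only Windows plugins in the Nessus policy. The XML samples are constructed to mirror the lab's results, not captured from it.

```python
# Parse nmap -oX output from the lab's two scans: the ping sweep (-sn) that finds
# live hosts, then the service-detection scan (-sV) of the host that was found.
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -oX - 192.168.99.0/24`; not real lab output.
PING_SWEEP_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.99.1" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.168.99.50" addrtype="ipv4"/></host>
<host><status state="down"/><address addr="192.168.99.51" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed sample of `nmap -sV -oX - 192.168.99.50`; not real lab output.
SERVICE_SCAN_XML = """<nmaprun><host><status state="up"/>
<address addr="192.168.99.50" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
</ports></host></nmaprun>"""

def live_hosts(xml_text, local_ip):
    """IPv4 addresses reported 'up' by the ping sweep, minus our own VPN address."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        if addr != local_ip:
            hosts.append(addr)
    return hosts

def open_services(xml_text):
    """{port: (service name, product)} for every open TCP port in a -sV scan."""
    services = {}
    for port in ET.fromstring(xml_text).iter("port"):
        if port.get("protocol") == "tcp" and port.find("state").get("state") == "open":
            svc = port.find("service")
            services[int(port.get("portid"))] = (svc.get("name"), svc.get("product", ""))
    return services

def looks_like_windows(services):
    """True when the 135/139/445 RPC+SMB triple is open or a product string names
    Windows: the cue for enabling only the Windows plugin families in Nessus."""
    smb_triple = {135, 139, 445} <= set(services)
    names_windows = any("windows" in prod.lower() for _, prod in services.values())
    return smb_triple or names_windows

if __name__ == "__main__":
    targets = live_hosts(PING_SWEEP_XML, "192.168.99.1")  # -> ['192.168.99.50']
    svcs = open_services(SERVICE_SCAN_XML)                # ports 135, 139, 445
    print(targets, svcs, looks_like_windows(svcs))
```

Real output comes from `nmap -sn -oX -` and `nmap -sV -oX -`; the same functions accept it unchanged.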

Nessus is a vulnerability scanner. It works in a client <-> server architecture: the client is used to configure the tool and the server is responsible for running the scan. The operation of Nessus is based on its database, which holds a ton of vulnerability checks. The scanner sends probes to the machines in the configured IP range and matches the responses against the heuristics/signatures in its database. If there is a match, the scanned machine is probably vulnerable to the checked exploit. It's worth mentioning that Nessus also scans the machine for open ports before sending its special probes. This "knowledge" is useful for the program since it can pick the proper payloads for testing. The last thing Nessus does is generate a full report about the target. This report is the result of the scan and consists of descriptions of the exploits the machine might be vulnerable to.

We can run the client and the server on one machine. To launch Nessus and configure it, go to kali:8834 and log in. The first thing to do is to create our first policy.

Policies description taken from the Nessus

From the network mapping, we already know that the target is a client machine running Windows XP. This knowledge is key to configuring a vulnerability scanner.

Policies prepared as templates after launching the Nessus

As you can see there are a couple of ready-made policies, but none of them is about a Windows client machine. This is why I'm going to choose the Advanced Scan policy and make my own template to perform an appropriate scan. Probably the most important thing for us is to disable unnecessary checks, just to save time. Since we know that our target machine runs Windows, go to the Plugins section of the policy and click Disable All.

Every set of checks is disabled now


Now we can find some plugins related to the Windows OS family and enable them.


These two enabled plugins will be enough for our target machine because we know that it is a client, not a server. The rest of the settings are okay in my opinion, so I've saved the policy. Now it's time to try it in practice with a vulnerability scan. To start a scan, go to My Scans and click Create a new scan. As we would like to use the user-defined policy in our scan, click User Defined and then the Windows Scan template.


Before the scan is started, Nessus has to know what the target of the scan is. As I mentioned earlier, the IP address of the target is 192.168.99.50.

Choosing the target of the vulnerability scan

At this moment the scan is ready to use. The last thing we have to do is simply launch the scan by clicking the triangle with the word "Launch".


And this is the result of the scan. We have five vulnerabilities detected. Four of them are critical and the remaining one is probably rated as high severity.

Vulnerabilities found by the scanner

These are the vulnerabilities found by Nessus. Probably the scariest one found on the machine is this:

SMB Server vulnerability found on the target machine

The description of the vulnerability taken from Nessus

Nessus has another great feature which is appreciated by security specialists, I'm 100% sure: the tool gives us descriptions of all the vulnerabilities it finds. That being said, our target machine is most likely vulnerable to the EternalBlue exploit, among others.

Another very interesting vulnerability hidden in the target machine is MS08-067:

MS08-067 vulnerability description

The content of the description is really scary from the victim's point of view. It tells us that an attacker can take over the machine remotely, executing code with SYSTEM privileges.

At this point the lab is over, since the exploitation phase will be described in another post on my blog after I finish the Metasploit section of the INE course. Thanks for reading.

Cheers!
