Security Vulnerability Report

Security vulnerability report conducted by ICSS student Parag Thakur. The full project is discussed below:

Project Name: Security Vulnerability Report

Author Name: Parag Thakur

Publish Date: 05-07-2018

Focus of Assessment:

A network-based assessment of a device running the Windows XP Professional SP2 platform. No Google hacking, password cracking, firewall analysis or social engineering was performed.

Table of Contents

  1. Table of Contents
  2. Executive Summary
  3. Scope
  4. Tools
  5. Approach
  6. Findings and Recommendations
  7. Gaining Access
  8. Solutions

Executive Summary:

The following assessment was performed between 5 July '18 and 6 July '18 as a vulnerability assessment of the client's system running the Windows XP Professional SP2 platform. After finding the vulnerability, I demonstrate gaining access to the client's personal computer with the Metasploit Framework. The scan was performed with Network Mapper (Nmap) v7.60.

Scope:

The external vulnerability scan is used as a tool to gather data to assess the effectiveness of the current security control measures taken at the system level. This data will also be used as evidence to support the findings and recommendations in the Security Assessment document. The purpose of the scan was to provide the client with information regarding critical, moderate and low-level vulnerabilities, to be used as a baseline for the client's privacy and for the current level of industry security architecture.

Tools:

Nmap (Network Mapper) v7.60 – Nmap is a security scanner, originally written by Gordon Lyon, used to discover hosts and services on a computer network, thus building a "map" of the network.

Metasploit Framework by Rapid7 – The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Approach:

Disclaimer: All scans were performed with the client's permission, because scanning is subject to privacy leakage and also carries the risk of system crash and failure.

Step 1: Perform an Nmap fast scan (-F) against 192.168.43.11 with the aggressive (-A) argument and include the NSE (Nmap Scripting Engine) vulnerability scripts for the vulnerability assessment.

Note: The fast scan scans 1000 ports by default, and with the aggressive option I also learn the service versions, the operating system (OS detection) and the route to the host (traceroute). This took up to 79.99 seconds to complete; the scan could be optimised with suitable options, which you will find at https://nmap.org/book, e.g. -PN, the max-rtt value, etc.

Findings and Recommendations:

The following ports (135/tcp, 139/tcp, 445/tcp) were open and were running the services msrpc, netbios-ssn and microsoft-ds respectively. (The aggressive scan includes OS detection (-O), service detection (-sV) and traceroute (--traceroute) by default, so I could also obtain the service version details, which are laid out below.)

Device Type: General Purpose
Operating System: Microsoft Windows XP|2003
MAC Address: 00:0C:29:50:C6:14
Target IP: 192.168.43.11
Traceroute: 1 hop, RTT 1.12 ms

Vulnerability

By performing the vulnerability scan against the target IP <192.168.43.11>, I obtained the vulnerabilities listed below:

  1. samba-vuln-cve-2012-1182: Samba Remote Heap Overflow. CVE: CVE-2012-1182

Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.

Reference:

http://www.samba.org/samba/security/CVE-2012-1182

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182

Note:

It was a false positive; the report says NT_STATUS_ACCESS_DENIED, which means I did not have administrative privileges. Thus in this case it does not count as vulnerable.

  2. smb-vuln-ms08-067: Microsoft Windows system vulnerable to remote code execution. CVE: CVE-2008-4250

It allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization.

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Note:

Here its status was vulnerable, so I could proceed further using this major vulnerability in the client's system.

  3. smb-vuln-ms10-054: SMB Remote Memory Corruption Vulnerability. CVE: CVE-2010-2550

It allows remote attackers to execute arbitrary code via a crafted SMB packet, aka "SMB Pool Overflow Vulnerability".

Reference:

http://seclists.org/fulldisclosure/2010/Aug/122

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550

Note:

It was a false positive, as the report shows "false", so this was not a vulnerability in the client's system.

  4. smb-vuln-ms10-061: CVE: CVE-2010-2729

This vulnerability was used in the Stuxnet worm. The script checks for the vulnerability in a safe way, without any possibility of crashing the remote system, as this is not a memory corruption vulnerability. For the check to work it needs access to at least one shared printer on the remote system. By default it tries to enumerate printers using the LANMAN API, which on some systems is not available by default. In that case the user should specify the printer share name as the printer script argument. To find a printer share, smb-enum-shares can be used. Also, on some systems, accessing shares requires valid credentials, which can be specified with the smb library arguments smbuser and smbpassword.

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729

http://technet.microsoft.com/en-us/security/bulletin/MS10-061

Note:

It was a false positive; the report says "script execution failed", so the client's system was not vulnerable to this issue.

  5. smb-vuln-ms17-010: Remote Code Execution vulnerability in Microsoft SMBv1 servers. CVE: CVE-2017-0143

Risk Factor: HIGH

It allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability".

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Note:

It was a false positive: by OS detection I came to know that the client's system runs Microsoft Windows XP|2003, but this vulnerability was for Microsoft SMBv1 servers and I was using the personal edition, so I could not go for this.

Note: These are the vulnerabilities I found with the Nmap Scripting Engine; I could only get into the system by using the smb-vuln-ms08-067 vulnerability, CVE-2008-4250, as stated above.
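The five findings above had to be sorted by hand into confirmed, not vulnerable and inconclusive (script error, NT_STATUS_ACCESS_DENIED). As an added example that is not part of the original report, the Python below applies the same triage rules to a constructed sample of Nmap "Host script results" output modelled on these scripts (the sample text is constructed, not the author's scan output), so that only confirmed findings reach the vulnerable list.

```python
import re

# Constructed sample of Nmap "Host script results" output, modelled on the
# NSE results discussed in this report (not the author's actual scan output).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
"""

HEADER = re.compile(r"^\|[ _]([A-Za-z0-9-]+):\s*(.*)$")  # "| script-name: rest"
CVE_ID = re.compile(r"CVE:(CVE-\d{4}-\d+)")


def triage(nmap_text):
    """Map each NSE script to (verdict, CVE): 'false' is not vulnerable, an ERROR
    or NT_STATUS_ACCESS_DENIED result is inconclusive (the check never ran, so it
    proves nothing either way), and only 'State: VULNERABLE' is confirmed."""
    blocks = {}
    current = None
    for line in nmap_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            blocks[current] = [m.group(2)]
        elif current and line.startswith("|"):
            blocks[current].append(line.lstrip("|_ "))  # indented continuation
    verdicts = {}
    for name, lines in blocks.items():
        body = "\n".join(lines)
        if lines[0].strip() == "false":
            verdicts[name] = ("not_vulnerable", None)
        elif lines[0].startswith("ERROR") or "NT_STATUS_ACCESS_DENIED" in body:
            verdicts[name] = ("inconclusive", None)
        elif "State: VULNERABLE" in body:
            cve = CVE_ID.search(body)
            verdicts[name] = ("vulnerable", cve.group(1) if cve else None)
        else:
            verdicts[name] = ("unknown", None)
    return verdicts


def confirmed(verdicts):
    """Only confirmed findings belong in the report's vulnerable list."""
    return {n: cve for n, (v, cve) in verdicts.items() if v == "vulnerable"}
```

Inconclusive results are worth re-running with credentials or the script's own arguments before they are written off; the report's own notes show how easily a "false" and a "could not check" look alike in the raw output.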

 

Gaining Access:

Step 2: After the vulnerability assessment, open a terminal and start the Metasploit Framework with the msfconsole command.

Step 3: Search the Metasploit module database for the vulnerability found, which was ms08-067.

Note:

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

References:

https://technet.microsoft.com/en-us/library/security/MS08-067

Step 4: After getting the search results, I use the highlighted (in pictures) module for the following steps.

Step 5: Set the payload to windows/meterpreter/reverse_tcp.

Step 6: Set LHOST to the attacker IP <192.168.43.28> and RHOST to the victim IP <192.168.43.11>.

Step 7: With show options I could see what had already been set for the module and payload.

Step 8: With exploit I entered the client's system, and the client's privacy is under threat.

Now I have gained access to the system and could do anything I want: for example, with getsystem we can escalate privileges and become the NT AUTHORITY user, get a hashdump (passwords in encrypted format) and easily crack the passwords with John the Ripper or similar tools. I could do more things that would put the client at risk, so kindly fix the issue as soon as possible.

Solutions:

  1. Patch the system with the latest Microsoft security updates to overcome this vulnerability.
  2. Use a better firewall and IDS so that an attacker's Nmap scan only yields filtered results.
  3. Maintain security with weekly or monthly vulnerability assessments.