Vulnerability analysis

License

This work by Z. Cliffe Schreuders at Leeds Beckett University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Contents

License

Contents

General notes about the labs

Preparation

Introduction to vulnerability scanning and analysis

Nmap scripting engine (NSE) and advanced scanning

Nessus

OpenVAS

Retina Network Security Scanner

NeXpose

Conclusion

General notes about the labs

Often the lab instructions are intentionally open ended, and you will have to figure some things out for yourselves. This module is designed to be challenging, as well as fun!

However, we aim to provide a well planned and fluent experience. If you notice any mistakes in the lab instructions or you feel some important information is missing, please let me (Cliffe) know and I will try to address any issues.

Preparation

As with all of the labs in this module, start by loading the latest version of the LinuxZ template from the IMS system. If you have access to this lab sheet, you can read ahead while you wait for the image to load.

To load the image: press F12 during startup (on the blue boot screen) to access the IMS system, then login to IMS using your university password. Load the template image: LinuxZ.

Once your LinuxZ image has loaded, log in using the username and password allocated to you by your tutor.

The root password -- which should NOT be used to log in graphically -- is “tiaspbiqe2r” (this is a secure password but is quite easy 2 remember). Again, never log in to the desktop environment using the root account -- that is bad practice, and should always be avoided.

Using the VM download script (as described in the previous lab), download and start these VMs:

Feel free to read ahead while the VMs are downloading.

Note the IP address of the Kali Linux system, using “ifconfig”. Ensure that the VMs are networked as indicated above: that is, all share a “host only” network, and the Kali Linux VM also has a “bridged” network.

Introduction to vulnerability scanning and analysis

Identifying vulnerabilities via ethical hacking and penetration testing requires careful research and planning, and testing the exploits against vulnerabilities typically results in a compromise of the remote system. The advantage of a penetration test (hiring ethical hackers to test security by hacking) is that there are very few false positives (that is, vulnerabilities “discovered” that are false alarms), since the security tester can actually attempt exploits and report whether they were successful.

However, there is always a risk that an exploit may cause unintentional damage, or that the ethical hacker will miss something obvious when they are checking things manually.

An alternative, shallower and automated approach, is to use vulnerability scanning (also known as vulnerability analysis or vulnerability assessment). Vulnerability scanners typically start by performing (or importing) network scans such as port scans and service identification, then automatically checks whether each of the identified services are known to contain vulnerabilities.

The way the security tests are conducted are often simply by comparing the service version that has been detected with the versions known to have vulnerabilities (similar to what you did manually using Security Focus). Vulnerability scanners will often also probe the software further to confirm that the system really does appear to be vulnerable. Some probes can potentially cause crashes, so a safe-mode is typically offered to avoid the more dangerous checks.

There are lots of different vulnerability scanners on the market, many of which are extremely expensive for commercial use (although arguably a necessity for efficient security testing). No-cost evaluation versions are often available for home use.

Nmap scripting engine (NSE) and advanced scanning

The Nmap scanner has a powerful feature known as the Nmap scripting engine (NSE). In addition to the scanning features that are built into Nmap, Nmap can be extended with scripts that add other capabilities. Nmap is distributed with a number of scripts (developed by various people), and these add more types of version detection and even does some vulnerability detection.

On the host OS (LinuxZ):

Enable VMware player VMs to put the NIC into promiscuous mode... From the host OS (the LinuxZ image) run the following in a console (such as Konsole from KDEMenu → System → Terminal → Konsole):

sudo chmod a+rw /dev/vmnet*

On the Kali Linux (security tester) VM:

Look at the list of files contained in:

/usr/share/nmap/scripts/

For example, “ls /usr/share/nmap/scripts/”, or browse using a file browser, such as Dolphin.

View the contents of “http-iis-webdav-vuln.nse”. Hint: consider using vi.

This script is written in the Lua programming language, and it checks for a specific WebDav vulnerability.

Open the Nmap man page, and read the description under the heading “NMAP SCRIPTING ENGINE (NSE)”. Note that “-sC Performs a script scan using the default set of scripts. [...] Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.

Launch an Nmap scan using the default set of scripts (where IP address is the Metaploitable VM):

nmap -sC IP-address

Launch an Nmap scan using vulnerability scanning scripts (where IP address is the Metaploitable VM):

nmap --script vuln IP-address

Note this can take a long time to complete (roughly 10 minutes); you may wish to leave this running and continue on with other tasks while it runs.

When this completes read through the output. What vulnerabilities did it detect?

Nmap scripts have a lot of potential; however, the current set of scripts only check for a limited number of vulnerabilities.

Based on what you have learned:

  1. Use the man page to answer: what does the -A Nmap flag do?

Run an Nmap vulnerability scan against the Win2k server VM.

Extra challenge: exploit a vulnerability detected by the Nmap script scan.

Nessus

Nessus, by Tenable Network Security, is one of the most popular commercial vulnerability scanners. Vulnerability tests are written using NASL (the Nessus Attack Scripting Language), and subscriptions to “feeds” of vulnerability checks are available. The “HomeFeed” is available for noncommercial home and educational use for no cost, while the “ProfessionalFeed” receives updates sooner and can be used in commercial settings.

Nessus is based on a client/server architecture, where a client (such as the web interface) connects to the server, which does the scanning. Results can be imported into Metasploit.

In addition to vulnerability scanning, Nessus can be used for compliance checks (such as checking the security policies on networked systems by giving Nessus credentials to manage them).

Open a terminal, and run:

service nessusd start

Start Iceweasel, and visit:

https://localhost:8834

Confirm the security exception. (“I Understand the Risks”, “Add Exception”.) The warning is shown because the site is secured using a self-signed certificate.

Login with username: “nessusadmin”, password: “toor”.

Note that there are various scanning profiles available, and depending on your selection Nessus will check the target(s) for different types of security issues.

Click on “Policies”, and review the various scan types that are preconfigured. Click on “External Network Scan”, and browse the Plugins that are enabled for this profile.

Lets use Nessus to scan Metasploitable for vulnerabilities:

Click “Scan Queue”.

The Nessus Scan Queue

Click “New Scan”.

Configure a scan, by entering a name for the scan, such as “Metasploitable Scan”, and enter the IP address of the system you wish to perform a vulnerability scan of. In this case the IP address of the Metasploitable VM. Note that you could instead enter an IP address range.

Adding and starting a new scan

Click “Run Scan”, to run a vulnerability scan against the Metasploitable target VM.

Click “Results”. You will see that the vulnerability analysis scan is currently running.

Nessus scan in progress

Click the ongoing scan (in this case “Metasploitable Scan”), and view the progress. The Nessus scan is quite detailed, and will take some time to complete.

Nessus scan in progress, some vulnerabilities

Click “Vulnerabilities”, to view the security vulnerabilities that have been detected.

Browsing the detected vulnerabilities

Browse through the list of detected vulnerabilities (if there are not any yet, just wait a while), and click on one of the issues to view more detailed information.

Vulnerability details

Read through the information for the vulnerability and answer the following:

Once the scan is complete:

How many vulnerabilities did it detect?

Click “Export Results”, and generate various HTML reports. View the output of these reports.

Generating Nessus reports

What information from these reports do you think a you would use:

Extra challenge: save and import the results into MSF.

Exploit a vulnerability detected by the Nessus vulnerability scan, to confirm the system is vulnerable.

OPTIONAL TASK: run a scan against the Win2k VM.

OpenVAS

Nessus was originally free and open source software (FOSS); however, in 2005 they closed the source code and removed the permission to use the software for commercial use without a paying for a license. In response to this, the community forked[1] the last version of Nessus that had been released as FOSS, and started the OpenVAS (Open Vulnerability Assessment System) project, a free product. Due to a smaller developer team, OpenVAS’s database of vulnerability checks may be less complete. As with Nessus, results can be imported into Metasploit.

OPTIONAL TASK: Comparison with OpenVAS

Note that using OpenVAS on Kail Linux may involve some troubleshooting to get it working. Consider this an open-ended optional task. If you identify any steps that are missing, please leave a comment.

Setup OpenVAS on Kali Linux:

If you are in the Leeds Beckett IMS labs, run:

export http_proxy=192.168.208.51:3128

openvas-setup

This will take quite some time, to download and install all the plugins.

Note that the default account is named “admin”, and you will set a password while the above runs.

Once the install is complete:

openvas-start

Open another Iceweasel tab, and visit:

https://localhost:9392

Confirm the security exception.

Login with username: “admin”, password: (as you have configured it).

Run a vulnerability scan against the Metasploitable target VM, using the most complete scanning profile that you think is appropriate.

Tip: if you need a guide, try this tutorial.

How many critical vulnerabilities did it detect? How does this compare with the earlier Nessus scan? What are the differences?

Retina Network Security Scanner

Retina, was developed by eEye Digital Security and acquired by BeyondTrust, and is similar in purpose to Nessus. It scans a network or host, and produces a report on the vulnerabilities it discovers. Includes some integration with Metasploit.

OPTIONAL TASK: download a trial version, install, setup, and run Retina Network Security Scanner. Run a vulnerability scan against the Metasploitable target VM, using the most complete scanning profile that you think is appropriate.

How many critical vulnerabilities did it detect? How does this compare with the earlier scans? What are the differences?

NeXpose

NeXpose is developed by Rapid7, who also now manage the Metasploit project. Again, the purpose of NeXpose is similar to the above, although due to the relationship, there is extensive integration with Metasploit to pen-test detected vulnerabilities.

OPTIONAL TASK: download a trial version, install, setup, and run NeXpose. Run a vulnerability scan against the Metasploitable target VM, using the most complete scanning profile that you think is appropriate.

How many critical vulnerabilities did it detect? How does this compare with the earlier scans? What are the differences?

Web vulnerability analysis

In addition to tests to look for vulnerable software running as remote services (and compliance checks regarding client system configuration), security testers often have to test the security of web servers. While the above vulnerability scanners will do some testing of web servers that are detected, there are also a number of vulnerability scanners that exclusively scan web servers for software and misconfiguration vulnerabilities.

Nikto is a command line web vulnerability scanner. Nikto scans for over 6000 security issues, such as dangerous CGI scripts and permissions.

Use Nikto to scan the Metasploitable VM, then the Win2k VM.

nikto -host Target-IP-Address

Take some time to read and understand the output.

Based on one of the detected vulnerabilities:

Exploit a vulnerability detected by the Nikto vulnerability scan, to confirm the system is vulnerable.

Conclusion

At this point you have:

Well done.


[1] Forking a project involves starting a new project based on the code from an existing project, which free and open source software licenses allow you to do.