Vulnerability analysis




License

This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Contents

License
Contents
General notes about the labs
Preparation
Introduction to vulnerability scanning and analysis
Nmap scripting engine (NSE) and advanced scanning
Nessus
OpenVAS
Retina Network Security Scanner
NeXpose
Conclusion

General notes about the labs

Often the lab instructions are intentionally open ended, and you will have to figure some things out for yourselves. This module is designed to be challenging, as well as fun! However, we aim to provide a well planned and fluent experience. If you notice any mistakes in the lab instructions or you feel some important information is missing, please feel free to add a comment to the document by highlighting the text and clicking the comment icon, and I (Cliffe) will try to address any issues. Note that your comments are public. If you notice others are also reading the lab document, you can click the chat icon to discuss the lab with each other.

Preparation

As with all of the labs in this module, start by loading the latest version of the LinuxZ template from the IMS system. If you have access to this lab sheet, you can read ahead while you wait for the image to load.

To load the image: press F12 during startup (on the blue boot screen) to access the IMS system, then log in to IMS using your university password. Load the template image: LinuxZ.

Once your LinuxZ image has loaded, log in using the username and password allocated to you by your tutor.

The root password -- which should NOT be used to log in graphically -- is tiaspbiqe2r (this is a secure password but is quite easy 2 remember). Again, never log in to the desktop environment using the root account -- that is bad practice, and should always be avoided.

Using the VM download script (as described in the previous lab), download and start these VMs:

- Kali Linux - with Armitage and Nessus (Bridged and Host Only)
- Vulnerable Win2K server (Host Only)
- Metasploitable (Host Only)

Feel free to read ahead while the VMs are downloading.

Note the IP address of the Kali Linux system, using ifconfig.

Ensure that the VMs are networked as indicated above: that is, all share a host only network, and the Kali Linux VM also has a bridged network.

Introduction to vulnerability scanning and analysis

Identifying vulnerabilities via ethical hacking and penetration testing requires careful research and planning, and testing the exploits against vulnerabilities typically results in a compromise of the remote system. The advantage of a penetration test (hiring ethical hackers to test security by hacking) is that there are very few false positives (that is, vulnerabilities discovered that are false alarms), since the security tester can actually attempt exploits and report whether they were successful. However, there is always a risk that an exploit may cause unintentional damage, or that the ethical hacker will miss something obvious when they are checking things manually.

An alternative, shallower and automated approach is to use vulnerability scanning (also known as vulnerability analysis or vulnerability assessment). Vulnerability scanners typically start by performing (or importing) network scans such as port scans and service identification, then automatically check whether each of the identified services is known to contain vulnerabilities. Often the security tests are conducted simply by comparing the detected service version with the versions known to have vulnerabilities (similar to what you did manually using Security Focus). Vulnerability scanners will often also probe the software further to confirm that the system really does appear to be vulnerable. Some probes can potentially cause crashes, so a safe mode is typically offered to avoid the more dangerous checks.

There are lots of different vulnerability scanners on the market, many of which are extremely expensive for commercial use (although arguably a necessity for efficient security testing). No-cost evaluation versions are often available for home use.

Nmap scripting engine (NSE) and advanced scanning

The Nmap scanner has a powerful feature known as the Nmap scripting engine (NSE). In addition to the scanning features that are built into Nmap, Nmap can be extended with scripts that add other capabilities. Nmap is distributed with a number of scripts (developed by various people), and these add more types of version detection and even do some vulnerability detection.

On the host OS (LinuxZ):

Enable VMware Player VMs to put the NIC into promiscuous mode... From the host OS (the LinuxZ image) run the following in a console (such as Konsole from KDE Menu → System → Terminal → Konsole):

sudo chmod a+rw /dev/vmnet*

On the Kali Linux (security tester) VM:

Look at the list of files contained in /usr/share/nmap/scripts/. For example, run ls /usr/share/nmap/scripts/, or browse using a file browser, such as Dolphin.

View the contents of http-iis-webdav-vuln.nse. Hint: consider using vi. This script is written in the Lua programming language, and it checks for a specific WebDAV vulnerability.

Open the Nmap man page, and read the description under the heading NMAP SCRIPTING ENGINE (NSE). Note that:

  -sC  Performs a script scan using the default set of scripts. [...] Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.

Launch an Nmap scan using the default set of scripts (where IP-address is the address of the Metasploitable VM):

nmap -sC IP-address

Launch an Nmap scan using the vulnerability scanning scripts (where IP-address is the address of the Metasploitable VM):

nmap --script vuln IP-address

Note this can take a long time to complete (roughly 10 minutes); you may wish to leave this running and continue on with other tasks while it runs.

When this completes, read through the output. What vulnerabilities did it detect?

Nmap scripts have a lot of potential; however, the current set of scripts only checks for a limited number of vulnerabilities.

Based on what you have learned:

1. Use the man page to answer: what does the -A Nmap flag do?
2. Run an Nmap vulnerability scan against the Win2k server VM.

Extra challenge: exploit a vulnerability detected by the Nmap script scan.

Nessus

Nessus, by Tenable Network Security, is one of the most popular commercial vulnerability scanners. Vulnerability tests are written using NASL (the Nessus Attack Scripting Language), and subscriptions to feeds of vulnerability checks are available. The HomeFeed is available for non-commercial home and educational use at no cost, while the ProfessionalFeed receives updates sooner and can be used in commercial settings. Nessus is based on a client/server architecture, where a client (such as the web interface) connects to the server, which does the scanning. Results can be imported into Metasploit. In addition to vulnerability scanning, Nessus can be used for compliance checks (such as checking the security policies on networked systems by giving Nessus credentials to manage them).

Open a terminal, and run:

service nessusd start

Start Iceweasel, and visit: https://localhost:8834

Confirm the security exception (I Understand the Risks, Add Exception). The warning is shown because the site is secured using a self-signed certificate.

Log in with username: nessusadmin, password: toor.

Note that there are various scanning profiles available, and depending on your selection Nessus will check the target(s) for different types of security issues. Click on Policies, and review the various scan types that are preconfigured. Click on External Network Scan, and browse the Plugins that are enabled for this profile.

Let's use Nessus to scan Metasploitable for vulnerabilities:

Click Scan Queue. Click New Scan.

[Figure: The Nessus Scan Queue]

Configure a scan by entering a name for the scan, such as "Metasploitable Scan", and enter the IP address of the system you wish to perform a vulnerability scan of: in this case the IP address of the Metasploitable VM. Note that you could instead enter an IP address range.

[Figure: Adding and starting a new scan]

Click Run Scan, to run a vulnerability scan against the Metasploitable target VM.

Click Results. You will see that the vulnerability analysis scan is currently running.

[Figure: Nessus scan in progress]

Click the ongoing scan (in this case "Metasploitable Scan"), and view the progress. The Nessus scan is quite detailed, and will take some time to complete.

[Figure: Nessus scan in progress, some vulnerabilities]

Click Vulnerabilities, to view the security vulnerabilities that have been detected.

[Figure: Browsing the detected vulnerabilities]

Browse through the list of detected vulnerabilities (if there are not any yet, just wait a while), and click on one of the issues to view more detailed information.

[Figure: Vulnerability details]

Read through the information for the vulnerability and answer the following:

- What is the CVE for this vulnerability?
- Are exploits available? What kind? (Stand alone, MSF, etc.)
- What would be the likely result of an attack on this vulnerability?
- How would you fix this issue?

Once the scan is complete:

- How many vulnerabilities did it detect?
- How many of the vulnerabilities did you miss when you previously scanned these systems using Nmap, MSF, and Armitage?
- How many of the detected vulnerabilities are critical, high, and so on? (Make a note of the number of vulnerabilities.)

Click Export Results, and generate various HTML reports. View the output of these reports.

[Figure: Generating Nessus reports]

What information from these reports do you think you would use:

- During a penetration test?
- When writing a report for the management of a company that hired you to test their systems?
- When writing a report for the IT department of the company?

Extra challenge: save and import the results into MSF. Exploit a vulnerability detected by the Nessus vulnerability scan, to confirm the system is vulnerable.

OPTIONAL TASK: run a scan against the Win2k VM.

OpenVAS

Nessus was originally free and open source software (FOSS); however, in 2005 its developers closed the source code and removed the permission to use the software commercially without paying for a license. In response to this, the community forked the last version of Nessus that had been released as FOSS, and started the OpenVAS (Open Vulnerability Assessment System) project, a free product. Due to a smaller developer team, OpenVAS's database of vulnerability checks may be less complete. As with Nessus, results can be imported into Metasploit.

OPTIONAL TASK: Comparison with OpenVAS

Note that using OpenVAS on Kali Linux may involve some troubleshooting to get it working. Consider this an open-ended optional task. If you identify any steps that are missing, please leave a comment.

Set up OpenVAS on Kali Linux. If you are in the Leeds Met IMS labs, run:

export http_proxy=192.168.208.51:3128
openvas-setup

This will take quite some time, to download and install all the plugins. Note that the default account is named admin, and you will set a password while the above runs.

Once the install is complete:

openvas-start

Open another Iceweasel tab, and visit: https://localhost:9392

Confirm the security exception. Log in with username: admin, password: (as you have configured it).

Run a vulnerability scan against the Metasploitable target VM, using the most complete scanning profile that you think is appropriate. Tip: if you need a guide, try this tutorial.

- How many critical vulnerabilities did it detect?
- How does this compare with the earlier Nessus scan? What are the differences?

Retina Network Security Scanner

Retina was developed by eEye Digital Security and acquired by BeyondTrust, and is similar in purpose to Nessus. It scans a network or host, and produces a report on the vulnerabilities it discovers. It includes some integration with Metasploit.

OPTIONAL TASK: download a trial version, install, set up, and run Retina Network Security Scanner. Run a vulnerability scan against the Metasploitable target VM, using the most complete scanning profile that you think is appropriate.

- How many critical vulnerabilities did it detect?
- How does this compare with the earlier scans? What are the differences?

NeXpose

NeXpose is developed by Rapid7, who also now manage the Metasploit project. Again, the purpose of NeXpose is similar to the above, although due to the relationship there is extensive integration with Metasploit to pen-test detected vulnerabilities.

OPTIONAL TASK: download a trial version, install, set up, and run NeXpose. Run a vulnerability scan against the Metasploitable target VM, using the most complete scanning profile that you think is appropriate.

- How many critical vulnerabilities did it detect?
- How does this compare with the earlier scans? What are the differences?

Web vulnerability analysis

In addition to tests that look for vulnerable software running as remote services (and compliance checks regarding client system configuration), security testers often have to test the security of web servers. While the above vulnerability scanners will do some testing of web servers that are detected, there are also a number of vulnerability scanners that exclusively scan web servers for software and misconfiguration vulnerabilities.

Nikto is a command line web vulnerability scanner. Nikto scans for over 6000 security issues, such as dangerous CGI scripts and permissions.

Use Nikto to scan the Metasploitable VM, then the Win2k VM:

nikto -host Target-IP-Address

Take some time to read and understand the output.

- How many critical vulnerabilities did Nikto detect?
- Did it detect any that the above scanners missed?

Based on one of the detected vulnerabilities:

- Can you identify the CVE for the vulnerability?
- How could you exploit this vulnerability? (With what attack software/exploit?)
- What would be the likely result of an attack on this vulnerability?
- How would you fix this issue?

Exploit a vulnerability detected by the Nikto vulnerability scan, to confirm the system is vulnerable.

Conclusion

At this point you have:

- Learned about vulnerability assessment
- Run vulnerability scans using various industry standard tools, including Nessus and Nikto
- Understood that different tools will detect different security issues, and that it is important to consider which tests (and scan profiles) to run

Well done.
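Closing worked example, added here and not part of the lab sheet: several sections above ask how one scan's findings compare with another's (what Nmap missed relative to Nessus, how many findings are critical or high). This Python script answers those questions mechanically from an Nmap XML report (saved with Nmap's standard -oX option) and a Nessus .nessus export; the two XML samples embedded in it are constructed, and the CVE-0000-000N identifiers are placeholders rather than real CVE ids.

```python
# Added example, not from the lab sheet: reconcile an Nmap "--script vuln" report
# (saved with -oX) against a Nessus .nessus export. Both XML samples are constructed;
# the CVE-0000-000N ids are placeholders, not real identifiers.
import xml.etree.ElementTree as ET

NMAP_XML = """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/>
 <script id="ftp-vsftpd-backdoor" output="VULNERABLE"><table key="CVE-0000-0001">
  <elem key="state">VULNERABLE</elem>
  <table key="ids"><elem>CVE:CVE-0000-0001</elem></table></table></script></port>
<port protocol="tcp" portid="80"><state state="open"/>
 <script id="http-slowloris-check" output="NOT VULNERABLE"><table key="CVE-0000-0002">
  <elem key="state">NOT VULNERABLE</elem>
  <table key="ids"><elem>CVE:CVE-0000-0002</elem></table></table></script></port>
</ports></host></nmaprun>"""

NESSUS_XML = """<NessusClientData_v2><Report name="Metasploitable Scan">
<ReportHost name="10.0.0.5">
 <ReportItem port="21" protocol="tcp" severity="4" pluginName="vsftpd backdoor">
  <cve>CVE-0000-0001</cve></ReportItem>
 <ReportItem port="80" protocol="tcp" severity="3" pluginName="Apache DoS">
  <cve>CVE-0000-0002</cve></ReportItem>
 <ReportItem port="80" protocol="tcp" severity="0" pluginName="HTTP server type"/>
</ReportHost></Report></NessusClientData_v2>"""

# Nessus severity codes as used in .nessus exports.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}


def nmap_findings(xml_text):
    """{(host, port): {cve}} for NSE results in a (LIKELY) VULNERABLE state; NOT VULNERABLE is skipped."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for table in port.iter("table"):  # structured output of the NSE vulns library
                state = table.find("elem[@key='state']")
                if state is None or "NOT" in state.text or "VULNERABLE" not in state.text:
                    continue
                cves = {e.text[4:] for e in table.findall("table[@key='ids']/elem")
                        if e.text.startswith("CVE:")}
                found.setdefault((addr, int(port.get("portid"))), set()).update(cves)
    return found


def nessus_findings(xml_text):
    """({(host, port): {cve}}, {severity: count}); severity 0 items are counted but are not findings."""
    found, counts = {}, {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        for item in rh.iter("ReportItem"):
            sev = SEVERITY.get(item.get("severity"), "Unknown")
            counts[sev] = counts.get(sev, 0) + 1
            if sev != "Info":
                key = (rh.get("name"), int(item.get("port")))
                found.setdefault(key, set()).update(c.text for c in item.findall("cve"))
    return found, counts


def missed_by_nmap(nmap, nessus):
    """CVEs Nessus reported on a (host, port) that the NSE vuln scan did not flag."""
    return {k: v - nmap.get(k, set()) for k, v in nessus.items() if v - nmap.get(k, set())}


if __name__ == "__main__":
    nm, (ns, counts) = nmap_findings(NMAP_XML), nessus_findings(NESSUS_XML)
    print("Nessus counts by severity:", counts)
    print("Reported by Nessus but not by Nmap:", missed_by_nmap(nm, ns))
```

In the sample, Nessus rates port 80 High while the NSE probe judged it NOT VULNERABLE; as the introduction notes, version-based matches and active probes can disagree, and such discrepancies are what the lab's exploit-to-confirm steps are meant to resolve.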