
Blueprinting The Target Part - 4


Vulnerability Assessment & Management


Knowledge Base

   Although we presented vulnerability assessment and management as part of the information gathering phase, it is a dedicated and critical part of that phase, so it is worth keeping in a module of its own.
Information gathered in the previous module

• Network address information
• Operating system level information
• Open ports
• Service information
• Workgroup-level information

Next what is required?

   What we need now is vulnerability discovery, so that we can move one level deeper and find the weaknesses in the network rather than just its hosts and services.

Tools required

   To detect and discover vulnerabilities in the network we need vulnerability scanners; they do the job and gather further information about each vulnerability they find. We already installed two vulnerability scanners in our virtual hacking lab environment. Let's log in to the lab and perform the vulnerability assessment so that we can continue the information gathering.

Vulnerability Assessment

   To perform this activity, first note the IP address of the Ubuntu box. In our lab it is 192.168.56.101. Ensure that all machines in the virtual hacking lab environment are up and running. We have shown a snapshot of our VirtualBox below.


 Next, browse to the Ubuntu box at the following address:

Ubuntu NeXpose Web Access: https://192.168.56.101:3780/.



   Wait a moment and you will be asked to log in; use the credentials you configured at installation time. The console listens on port 3780 over HTTPS with a self-signed certificate, so your browser will warn about the certificate; accepting it is fine in the lab. Once logged in, you will see the screen below.

     We will now start the vulnerability assessment on the live hosts discovered so far and find out how vulnerable these systems are.

   To do this, we scan them with the NeXpose scanner as shown in the following figures. Configure a new site as shown below.


Next, configure the general settings for the site and click Next.


 Next, configure the IP addresses we want to scan as shown below and continue. Keep the target list to the lab hosts only; a scan launched against addresses you do not own is not a lab exercise.


 Next, select the scan template. We recommend the Full audit template for this exercise.

      
   Next, leave the credentials blank, as shown below, as we have no credentials to use for this scan. Note that an uncredentialed scan sees only what the hosts expose over the network, so the findings will be based on exposed services and their versions; issues that are only visible from inside the host (missing local patches, weak local configuration) will not appear.

Next, leave the web application settings blank for the moment.
 

   Next, configure the contact details of the organization you are scanning. These will be reflected in the report.


 Next, keep the default settings for the access listing and save the site.


     Once you have configured the site, it appears on the home page as shown below.

     
    Click the Scan now option to start the scan for the site we have just configured, as shown in the snapshot below.


    You will see the following prompt to start the scan. Start it, then sit back and watch the vulnerability assessment on screen.

 
    You will then see the following screen with the details of the vulnerability assessment. We wait until the scan finishes.


    You can see that NeXpose has detected the two Metasploitable machines and is now busy finding vulnerabilities in them. This takes time because our Ubuntu box does not have much RAM, so expect NeXpose to need a while to complete the assessment of these two machines.

   After six minutes of assessment NeXpose has identified six vulnerabilities on these machines. We wait some more to see the overall results of the assessment.


    Here we go: NeXpose took a total of 10 minutes and discovered 631 vulnerabilities across the two machines in this assessment.


     We will now look at the assets in NeXpose, which give us the overall results of the assessment.

 Next, the results for assets by operating system and by application.


   To see the vulnerabilities found in this assessment cycle, click the Vulnerabilities link on the home screen and you will see the results presented as below.


    Here you can see the vulnerabilities discovered in the assessment we have just performed. Click any one of them to see more detail. We have shown one below: the entry covers the vulnerability's description, its scoring and severity, its published date, the available exploits and the solution that mitigates its risk.


Vulnerability Management

     Now we present some of the reporting, the analysis of which lets you decide how to manage these vulnerabilities. You can generate reports for the company's executives, reports on the top assets or the top vulnerabilities, or plain audit reports.

   Looking at the vulnerabilities from these different angles makes them much easier to manage: a top-assets view shows which hosts carry the most risk, while a top-vulnerabilities view shows which single fixes remove the most findings across hosts. Generating the different report types gives you these views.
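The report views described above can also be reproduced from a scan export, which is useful when you want to rank findings by your own criteria or feed them into a ticketing system. The following is an added example, not NeXpose's own code or export format: it parses a small CSV constructed here to resemble an exported scan result, and the column names (asset, vuln_id, title, cvss, severity, exploits), the 1.5x weighting for findings with a public exploit, and the Metasploitable addresses 192.168.56.102 and 192.168.56.103 are all assumptions. It produces the same three views the reports give: top vulnerabilities, top assets, and the exploitable findings that the task at the end of this module asks you to pick.

```python
"""Triage a vulnerability-scan export into top-vulnerability, top-asset and
exploitable-first views (added example; the export schema is an assumption)."""
import csv
import io
from collections import defaultdict

# Constructed sample export for the two Metasploitable hosts in the lab.
# Assumption: one row per (asset, vulnerability); exploits = number of public exploits.
SAMPLE_CSV = """asset,vuln_id,title,cvss,severity,exploits
192.168.56.102,finding-1,Remote code execution in network service,10.0,Critical,2
192.168.56.102,finding-2,Outdated TLS configuration,5.3,Moderate,0
192.168.56.102,finding-3,Default credentials on admin service,9.8,Critical,1
192.168.56.103,finding-1,Remote code execution in network service,10.0,Critical,2
192.168.56.103,finding-4,Information disclosure in service banner,2.6,Low,0
192.168.56.103,finding-5,Weak file permissions on shared directory,7.5,Severe,0
"""

EXPLOIT_WEIGHT = 1.5  # assumption: a finding with a public exploit outranks one without


def parse_export(text):
    """Parse the CSV export into rows with numeric cvss and exploit counts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": r["asset"],
            "vuln_id": r["vuln_id"],
            "title": r["title"],
            "cvss": float(r["cvss"]),
            "severity": r["severity"],
            "exploits": int(r["exploits"]),
        })
    return rows


def risk_score(row):
    """CVSS base score, weighted up when a public exploit exists."""
    weight = EXPLOIT_WEIGHT if row["exploits"] > 0 else 1.0
    return round(row["cvss"] * weight, 1)


def top_vulnerabilities(rows, n=10):
    """The 'top vulnerabilities' view: one entry per vuln_id, ranked by risk then by
    how many assets it affects, so a single fix that clears many hosts floats up."""
    by_id = {}
    for r in rows:
        entry = by_id.setdefault(r["vuln_id"], {
            "vuln_id": r["vuln_id"], "title": r["title"], "cvss": r["cvss"],
            "exploits": r["exploits"], "affected": 0, "score": risk_score(r)})
        entry["affected"] += 1
    return sorted(by_id.values(), key=lambda v: (-v["score"], -v["affected"]))[:n]


def top_assets(rows, n=10):
    """The 'top assets' view: total risk per host plus its count of Critical findings."""
    totals = defaultdict(float)
    criticals = defaultdict(int)
    for r in rows:
        totals[r["asset"]] += risk_score(r)
        if r["severity"] == "Critical":
            criticals[r["asset"]] += 1
    view = [{"asset": a, "risk": round(t, 1), "critical": criticals[a]}
            for a, t in totals.items()]
    return sorted(view, key=lambda v: -v["risk"])[:n]


def exploitable_candidates(rows):
    """Vulnerability ids with at least one public exploit, highest CVSS first:
    the starting list for the Metasploit task at the end of this module."""
    seen = {}
    for r in rows:
        if r["exploits"] > 0 and r["vuln_id"] not in seen:
            seen[r["vuln_id"]] = r["cvss"]
    return sorted(seen, key=lambda vid: -seen[vid])


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    print("Top vulnerabilities:")
    for v in top_vulnerabilities(rows):
        print(f"  {v['vuln_id']:<10} score={v['score']:<5} affected={v['affected']}  {v['title']}")
    print("Top assets:")
    for a in top_assets(rows):
        print(f"  {a['asset']:<16} risk={a['risk']:<5} critical={a['critical']}")
    print("Exploitable first:", exploitable_candidates(rows))
```

On the constructed data, finding-1 ranks first because it has exploits and affects both hosts, and 192.168.56.102 is the riskiest asset; when you export your own scan, change the column names in `parse_export` to match the export you generated.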




     We have completed the vulnerability assessment and management with NeXpose in our lab. Now it is your task to perform a similar scan with the Nessus vulnerability scanner we installed in the virtual hacking lab. We also installed the Metasploit framework; it is not an information gathering tool, so it played no part in this module.

    However, we now assign a task: select two vulnerabilities from the NeXpose scan that are marked as exploitable and try exploiting them with Metasploit. This is not difficult, as the NeXpose vulnerability details point you to the matching Metasploit module and the steps for using it. Do this only against the Metasploitable machines in your own lab.
