
Blueprinting The Target Part - 5


Draw the Blueprint of the target


Introduction

  Drawing the blueprint of the target means putting together what you have discovered so far. We will not perform any new kind of scan; we will consolidate what we have already found. It is like inventorying the information gathered so that you can plan the attacks.

Nmap Scans
    So far, we have only performed the scans with nmap but have not stored the output or the results of those scans. Let's quickly show the diagrammatic output of the nmap scans we performed, using the nmap GUI, Zenmap. You can install this tool on the Ubuntu box by typing the following command in the Ubuntu terminal.

Command: sudo apt-get install zenmap

   Next, we put together the results of the scans so that we can blueprint the information gathered. The diagram below maps the network connectivity of the targeted network.
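Zenmap draws its topology from the same XML that nmap writes with -oX, and keeping that file is what makes the blueprint reproducible. As an added example (not code from the original post), the following Python script parses a constructed, trimmed sample of nmap XML output into a host inventory, inverts it into a service index, and renders a text blueprint. The host addresses, hostnames and services in the sample are made up; the element and attribute names are the ones nmap's XML output uses.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of what `nmap -sV -oX scan.xml <range>` writes, trimmed to
# the elements this script reads. Hosts, names and versions are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <hostnames><hostname name="target-a.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
      <port protocol="tcp" portid="8180"><state state="open"/><service name="http" product="Apache Tomcat/Coyote JSP engine"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="ISC BIND" version="9.4.2"/></port>
      <port protocol="tcp" portid="2049"><state state="open"/><service name="nfs"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Build {ip: {hostname, os, ports}} for hosts reported as up.

    Only open ports are kept; each port is (number, proto, service, product, version).
    """
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap could not reach
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noise for the blueprint
            svc = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          svc.get("name", "") if svc is not None else "",
                          svc.get("product", "") if svc is not None else "",
                          svc.get("version", "") if svc is not None else ""))
        inventory[ip] = {"hostname": hn.get("name") if hn is not None else "",
                         "os": osm.get("name") if osm is not None else "",
                         "ports": sorted(ports)}
    return inventory


def service_index(inventory):
    """Invert the inventory: service name -> sorted 'ip:port/proto' entries exposing it."""
    index = defaultdict(list)
    for ip, info in inventory.items():
        for port, proto, name, _product, _version in info["ports"]:
            index[name or "unknown"].append(f"{ip}:{port}/{proto}")
    return {name: sorted(entries) for name, entries in index.items()}


def render_blueprint(inventory):
    """Plain-text host/port listing, one line per host followed by its open ports."""
    lines = []
    for ip in sorted(inventory):
        info = inventory[ip]
        lines.append(f"{ip} {info['hostname'] or '-'} os={info['os'] or 'unknown'}")
        for port, proto, name, product, version in info["ports"]:
            lines.append(f"  {port}/{proto} {name} {product} {version}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(render_blueprint(inv))
    print(service_index(inv))
```

Replace SAMPLE_NMAP_XML with the contents of a real scan.xml to get the same inventory for your own target range; the service index is the view that answers "which hosts expose SMB or DNS" when the vulnerability results are laid over it.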






  Let's look at what we discovered with NeXpose, and then we will put together the overall information gathered.

Summary of Vulnerabilities Gathered

   There were 631 vulnerabilities found during this scan. Of these, 154 were critical vulnerabilities. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 425 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.

   There were 52 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

 Critical vulnerabilities were found to exist on 2 of the systems, making them most susceptible to attack. Two systems were found to have severe vulnerabilities. Moderate vulnerabilities were found on 2 systems. No systems were free of vulnerabilities.

Most Common Vulnerabilities

  There were 4 occurrences each of the cifs-samba-afs-filesystem-acl-mapping-bof, cifs-samba-filerenaming-dos, cifs-smb-signing-disabled, cifs-smb-signing-not-required, cifs-samba-connectionflooding-dos, database-open-access, dns-allows-cache-snooping, dns-processes-recursivequeries and nfs-mountd-0002 vulnerabilities, making them the most common vulnerabilities.
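The summary above (counts by severity, how many systems carry each level, which systems are clean, and the most common findings) is simple to regenerate from a scanner export, which keeps the blueprint honest when the scan is re-run after fixes. The following Python is an added example, not part of the original post or of NeXpose: it aggregates a constructed list of findings shaped as (host, vulnerability id, severity). The vulnerability ids are those named on this page; the hosts and the assignment of findings to hosts are invented, and the severity labels follow the critical/severe/moderate scale used in the summary.

```python
from collections import Counter, defaultdict

# Ranking used to order remediation work; lower is more urgent.
SEVERITY_ORDER = {"critical": 0, "severe": 1, "moderate": 2}

# Constructed findings: (host, vulnerability id, severity). Ids are the ones this
# page names; the hosts and which finding sits on which host are made up.
FINDINGS = [
    ("192.168.56.101", "apache-tomcat-default-password", "critical"),
    ("192.168.56.101", "cifs-samba-afs-filesystem-acl-mapping-bof", "critical"),
    ("192.168.56.101", "cifs-smb-signing-disabled", "severe"),
    ("192.168.56.101", "cifs-smb-signing-not-required", "severe"),
    ("192.168.56.101", "database-open-access", "moderate"),
    ("192.168.56.102", "dns-bind-libbind-off-by-one-vuln", "critical"),
    ("192.168.56.102", "cifs-samba-afs-filesystem-acl-mapping-bof", "critical"),
    ("192.168.56.102", "cifs-smb-signing-disabled", "severe"),
    ("192.168.56.102", "dns-allows-cache-snooping", "moderate"),
    ("192.168.56.102", "nfs-mountd-0002", "severe"),
]
# Every host the scan covered, so hosts with no findings can be reported too.
SCANNED_HOSTS = ["192.168.56.101", "192.168.56.102", "192.168.56.103"]


def summarize(findings, scanned_hosts):
    """Totals by severity, number of hosts per severity, and hosts with no findings."""
    by_sev = Counter(sev for _, _, sev in findings)
    hosts_by_sev = defaultdict(set)
    for host, _, sev in findings:
        hosts_by_sev[sev].add(host)
    hosts_with_findings = {host for host, _, _ in findings}
    return {
        "total": len(findings),
        "by_severity": dict(by_sev),
        "hosts_by_severity": {sev: len(hosts) for sev, hosts in hosts_by_sev.items()},
        "clean_hosts": sorted(set(scanned_hosts) - hosts_with_findings),
    }


def most_common(findings, n=3):
    """The n vulnerability ids with the most occurrences, as (id, count) pairs."""
    return Counter(vid for _, vid, _ in findings).most_common(n)


def remediation_queue(findings):
    """One entry per vulnerability id: (id, worst severity, affected hosts).

    Ordered critical -> severe -> moderate, then by number of affected hosts
    (most first), then by id, so the list can be worked top to bottom.
    """
    hosts = defaultdict(set)
    worst = {}
    for host, vid, sev in findings:
        hosts[vid].add(host)
        # keep the most urgent severity seen for this id
        worst[vid] = min(worst.get(vid, sev), sev, key=SEVERITY_ORDER.__getitem__)
    entries = ((vid, worst[vid], sorted(hosts[vid])) for vid in hosts)
    return sorted(entries, key=lambda e: (SEVERITY_ORDER[e[1]], -len(e[2]), e[0]))


if __name__ == "__main__":
    print(summarize(FINDINGS, SCANNED_HOSTS))
    print(most_common(FINDINGS))
    for vid, sev, affected in remediation_queue(FINDINGS):
        print(f"{sev:8} {vid:45} {', '.join(affected)}")
```

The remediation queue is the part worth keeping alongside the report: it is what the "focus on critical, high and medium" advice later in this post turns into once each finding is tied to the hosts that carry it.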


    Now we will give you an idea of how to document the details of each vulnerability that was discovered. We present only a few selected ones, just to show how to blueprint them.

Details of Discovered Vulnerabilities

  Vulnerability: Tomcat Application Manager Default Password Vulnerability (apache-tomcat-default-password).

Description

  HP Operations Manager 8.10 on Windows contains a “hidden account” in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.


Solution

   The Tomcat service has an administrator account set to a default configuration. This can be easily changed in conf/tomcat-users.xml.

Vulnerability: CVE-2008-0122: Buffer overflow in inet_network() (dns-bind-libbind-off-by-one-vuln).

Description

  Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.


Solution

Upgrade to one of the following fixed ISC BIND releases:

Upgrade to ISC BIND version 9.3.5. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.3.5/bind-9.3.5.tar.gz. The source code and binaries for this release can be downloaded from the BIND website.

Upgrade to ISC BIND version 9.4.3. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.4.3/bind-9.4.3.tar.gz. The source code and binaries for this release can be downloaded from the BIND website.

Upgrade to ISC BIND version 9.5.0b2. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.5.0b2/bind-9.5.0b2.tar.gz. The source code and binaries for this release can be downloaded from the BIND website.

In this way you cover all the vulnerabilities discovered so far in the vulnerability assessment. If not all, then your focus should be on all critical, high and medium risk level vulnerabilities.

Discovered Users & Groups

In this section, you put together the discovered user-level information. Here we present only some of it, because the vulnerable operating system allowed us to gather a great deal.




   This is just a highlight of what we gathered during information gathering and vulnerability assessment, to give you an idea of how to blueprint an organization's information and network security.
