
Blueprinting The Target Part - 5


Draw the Blueprint of the target


Introduction

  Drawing the blueprint of the target means putting together what you have discovered so far. We will not perform any new kind of scanning in this part; instead we consolidate what we have already found. Think of it as inventorying the information gathered so that you can plan the attacks.

Nmap Scans
    So far we have performed the scans with nmap but have not stored the output or the results of the scans. (nmap's -oA option writes the normal, XML and grepable output of one scan to files at once, so a scan can be revisited later instead of being re-run.) Let's quickly give you a diagrammatic view of the nmap scans we performed, using the nmap GUI, Zenmap. You can install this tool on the Ubuntu box by typing the following command in the Ubuntu terminal.

Command: sudo apt-get install zenmap

On current Ubuntu releases the zenmap package is no longer carried in the distribution repositories; in that case install it from the packages published on nmap.org or build it from the nmap source tree.

   Next, we put together the results of the scans so that we can blueprint the information gathered. The diagram below maps the network connectivity of the targeted network.






  Let's also look at what we discovered with NeXpose, and then put together the overall information gathered.

Summary of Vulnerabilities Gathered

   There were 631 vulnerabilities found during this scan. Of these, 154 were critical vulnerabilities. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 425 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.

   There were 52 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

 Critical vulnerabilities were found to exist on 2 of the systems, making them most susceptible to attack. Two systems were found to have severe vulnerabilities. Moderate vulnerabilities were found on 2 systems. No systems were free of vulnerabilities.

Most Common Vulnerabilities

  There were 4 occurrences each of the cifs-samba-afs-filesystem-acl-mapping-bof, cifs-samba-filerenaming-dos, cifs-smb-signing-disabled, cifs-smb-signing-not-required, cifs-samba-connectionflooding-dos, database-open-access, dns-allows-cache-snooping, dns-processes-recursivequeries and nfs-mountd-0002 vulnerabilities, making them the most common vulnerabilities.
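The figures above (totals per severity, hosts per severity, most common findings) and the port map from the nmap scans are exactly what the blueprint is assembled from, so it is worth producing them from stored output instead of reading them off a report. The following is an added example, not code from the original post: it parses a constructed nmap grepable (-oG) file and a constructed list of scanner findings, the rows a NeXpose export gives you, and merges them into one per-host inventory. The addresses, service versions, finding IDs per host and severities are made up for the example; the function names are my own.

```python
"""Scan-output inventory (added example, not part of the original post).

Parses nmap grepable output and a list of (host, finding id, severity)
rows and produces the blueprint figures: open ports per host, finding
counts per severity, hosts per severity and the most common finding IDs.
"""
import re
from collections import Counter

# Constructed sample in nmap's grepable (-oG) format. Fields on a host
# line are tab-separated; inside a version string "/" is escaped as "\/".
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.56.0/24
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 53/open/tcp//domain//ISC BIND 9.4.2/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 8180/open/tcp//http//Apache Tomcat\\/Coyote JSP engine 1.1/\tIgnored State: closed (995)
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/, 2049/open/tcp//nfs//2-4 (RPC #100003)/, 3306/open/tcp//mysql//MySQL 5.0.51a/, 5432/closed/tcp//postgresql///\tIgnored State: closed (995)
# Nmap done -- 2 IP addresses (2 hosts up)
"""

# Constructed sample findings: (host, scanner finding id, severity).
# The IDs are ones named in the post; which host carries which, and the
# severities, are invented for the example.
FINDINGS = [
    ("192.168.56.101", "apache-tomcat-default-password", "Critical"),
    ("192.168.56.101", "dns-bind-libbind-off-by-one-vuln", "Critical"),
    ("192.168.56.101", "dns-allows-cache-snooping", "Moderate"),
    ("192.168.56.101", "cifs-smb-signing-disabled", "Moderate"),
    ("192.168.56.102", "cifs-samba-afs-filesystem-acl-mapping-bof", "Critical"),
    ("192.168.56.102", "database-open-access", "Severe"),
    ("192.168.56.102", "nfs-mountd-0002", "Severe"),
    ("192.168.56.102", "cifs-smb-signing-disabled", "Moderate"),
]


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} of open ports.
    Hosts that are up but expose no open port still appear, with []."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue
            for entry in value.split(", "):
                # Each entry: port/state/protocol/owner/service/rpcinfo/version/
                parts = re.split(r"(?<!\\)/", entry.strip())
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    hosts[ip].append((int(port), proto, service,
                                      version.replace("\\/", "/")))
    return hosts


def summarize_findings(findings):
    """Reproduce the report figures from the finding rows."""
    by_severity = Counter(sev for _, _, sev in findings)
    hosts_by_severity = {}
    for host, _, sev in findings:
        hosts_by_severity.setdefault(sev, set()).add(host)
    occurrences = Counter(vid for _, vid, _ in findings)
    top = max(occurrences.values(), default=0)
    return {
        "total": len(findings),
        "by_severity": dict(by_severity),
        "hosts_by_severity": {s: len(h) for s, h in hosts_by_severity.items()},
        "most_common": sorted(v for v, n in occurrences.items() if n == top),
    }


def blueprint(nmap_text, findings):
    """Merge open ports and findings into one {ip: {...}} inventory."""
    inventory = {ip: {"ports": ports, "findings": []}
                 for ip, ports in parse_gnmap(nmap_text).items()}
    for host, vid, sev in findings:
        entry = inventory.setdefault(host, {"ports": [], "findings": []})
        entry["findings"].append((vid, sev))
    return inventory


if __name__ == "__main__":
    for ip, entry in sorted(blueprint(NMAP_GREPABLE, FINDINGS).items()):
        print(ip)
        for port, proto, service, version in entry["ports"]:
            print(f"  {port}/{proto} {service} {version}")
        for vid, sev in entry["findings"]:
            print(f"  [{sev}] {vid}")
    print(summarize_findings(FINDINGS))
```

Hosts that appear in the findings but not in the nmap file (or the other way round) are kept rather than dropped, because a host that one tool saw and the other did not is itself something the blueprint should record.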


    Now we will give you an idea of how to document the details of each vulnerability that was discovered. We present only a few selected ones, just to show how to blueprint them.

Details of Discovered Vulnerabilities

  Vulnerability: Tomcat Application Manager Default Password Vulnerability (apache-tomcat-default-password).

Description

  The description the scanner attaches to this check is the HP Operations Manager case, in which a bundled Tomcat shipped with a pre-set manager account: HP Operations Manager 8.10 on Windows contains a "hidden account" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.


Solution

   The Tomcat service has an administrator account left at its default configuration. The shipped Tomcat Manager credentials (tomcat/tomcat and the like) are widely known and are the first thing tried against any exposed manager application. Fix this in conf/tomcat-users.xml: remove or rename the shipped accounts, give any account that holds a manager or admin role a unique, strong password, and restart Tomcat so the file is re-read.
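As a check to run against conf/tomcat-users.xml before and after the fix, here is an added example that is not code from the original post or from the Tomcat project. It flags the conditions behind this finding: accounts using well-known default credential pairs, privileged (manager/admin) accounts with short passwords, one account holding both manager-gui and manager-script, and a password reused across accounts. The two XML documents are constructed samples; the hardened one uses a placeholder passphrase, and the default-credential list and role names are my own selection.

```python
"""tomcat-users.xml audit (added example, not part of the original post)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: the kind of file older Tomcat releases shipped with, with the
# "tomcat" account additionally granted the manager role (a common lab setup).
WEAK_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
"""

# Constructed: Tomcat 7+ layout, shipped accounts removed, one deploy account
# with a unique passphrase (placeholder value) holding only manager-gui.
HARDENED_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="ops-deploy" password="replace-with-a-long-unique-passphrase" roles="manager-gui"/>
</tomcat-users>
"""

# Username/password pairs from Tomcat's own sample files and from common
# Tomcat Manager default-credential wordlists (selection is mine).
KNOWN_DEFAULTS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "tomcat"), ("manager", "manager"), ("role1", "tomcat"),
    ("both", "tomcat"), ("role1", "role1"),
}

# Roles giving deployment or administrative access to the Manager and Host
# Manager applications (Tomcat 6 used the single "manager"/"admin" roles).
PRIVILEGED_ROLES = {
    "manager", "manager-gui", "manager-script", "manager-jmx",
    "manager-status", "admin", "admin-gui", "admin-script",
}


def _local_name(tag):
    """Strip the XML namespace Tomcat 7+ puts on tomcat-users.xml elements."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, min_password_len=16):
    """Return a list of (account, issue) tuples; an empty list means clean."""
    root = ET.fromstring(xml_text)
    issues = []
    accounts_by_password = defaultdict(list)
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        # Very old Tomcat releases used name= instead of username=.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if (name, password) in KNOWN_DEFAULTS:
            issues.append((name, "known default credential pair"))
        if privileged and len(password) < min_password_len:
            issues.append((name, f"short password on privileged roles {privileged}"))
        if {"manager-gui", "manager-script"} <= roles:
            issues.append((name, "one account holds both manager-gui and manager-script"))
        accounts_by_password[password].append(name)
    for password, names in accounts_by_password.items():
        if len(names) > 1:
            issues.append((", ".join(names), "password shared between accounts"))
    return issues


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_TOMCAT_USERS), ("hardened", HARDENED_TOMCAT_USERS)):
        print(label, audit_tomcat_users(doc) or "no issues")
```

If the Realm is configured with a CredentialHandler, the password attribute holds a digest rather than the clear-text password; the default-pair check then no longer applies and the file should instead be audited for which accounts hold privileged roles at all.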

Vulnerability: CVE-2008-0122: Buffer overflow in inet_network() (dns-bind-libbind-off-by-one-vuln).

 Description

   Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.


 Solution

Upgrade to the fixed release of whichever branch is in use. The source code for each can be downloaded from the BIND website:

Upgrade to ISC BIND version 9.3.5: http://ftp.isc.org/isc/bind9/9.3.5/bind-9.3.5.tar.gz

Upgrade to ISC BIND version 9.4.3: http://ftp.isc.org/isc/bind9/9.4.3/bind-9.4.3.tar.gz

Upgrade to ISC BIND version 9.5.0b2: http://ftp.isc.org/isc/bind9/9.5.0b2/bind-9.5.0b2.tar.gz

These are the fixed versions the scanner reported at the time. All three branches have long since reached end of life, so in practice the remediation is to move to a currently supported BIND 9 release rather than to the versions listed.
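When the same check is repeated after the upgrade, the usual evidence is the version string that nmap -sV or a version.bind query returns. The following is an added example, not code from the original post, that triages such a string against the three fixed releases the solution lists: it decides whether the build predates the fix for its branch and which upgrade applies. The branch table comes from the listed releases only; versions older than 9.3 are treated as affected ("9.4.2 and earlier") with no in-branch fix, and patch (-P) builds of a pre-fix release are conservatively flagged too. The function names and sample strings are mine.

```python
"""BIND version triage for CVE-2008-0122 (added example, not part of the post)."""
import re

# Fixed release per maintained branch, as listed in the remediation.
FIXED = {(9, 3): "9.3.5", (9, 4): "9.4.3", (9, 5): "9.5.0b2"}
# Pre-release ordering: alpha < beta < release candidate < final.
STAGE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?$")


def parse_bind_version(text):
    """Turn "9.5.0b2" or "9.4.2-P1" into a comparable tuple, or None when the
    banner is not a version (a hidden or spoofed version.bind, for example)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, stage_num, p_level = m.groups()
    return (int(major), int(minor), int(patch), STAGE_RANK[stage],
            int(stage_num or 0), int(p_level or 0))


def bind_off_by_one_status(version_text):
    """Return (affected, advice). affected is None when the version cannot be
    recovered from the banner, so the host must be checked another way."""
    v = parse_bind_version(version_text)
    if v is None:
        return None, "version not recoverable from banner; verify on the host"
    branch = v[:2]
    if branch in FIXED:
        if v < parse_bind_version(FIXED[branch]):
            return True, f"upgrade to {FIXED[branch]}"
        return False, "at or beyond the fixed release for this branch"
    if branch < (9, 3):
        return True, "branch has no fixed release; upgrade to a supported BIND 9"
    return False, "branch released after the fix"


if __name__ == "__main__":
    # Constructed banners, as nmap -sV or "dig version.bind chaos txt" report them.
    for banner in ("9.4.2", "9.4.3", "9.3.4", "9.5.0a7", "9.5.0b2", "9.6.1", "hidden"):
        print(f"{banner:10} -> {bind_off_by_one_status(banner)}")
```

A banner is only a hint: version.bind can be hidden or set to an arbitrary string in named.conf, so a result of None (and ideally every result) should be confirmed on the host with named -v or the installed package version before the finding is closed.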

In this way you cover all the vulnerabilities discovered so far in the vulnerability assessment. If you cannot cover all of them, focus on the critical, high and medium risk level vulnerabilities.

Discovered Users & Groups

In this section you put together the discovered user-level information. Here we present only part of it, because the target was a deliberately vulnerable operating system and we therefore gathered a great deal of it.




   This is only a highlight of what we gathered in the information gathering and vulnerability assessment phases, to give you an idea of how to blueprint an organization's information and network security posture.
