CEH13 Lab – Module 05: Vulnerability Analysis

Zad 好物分享

Scenario

Earlier, all possible information about a target system such as system name, OS details, shared network resources, policies and passwords details, and users and user groups were gathered.

Now, as an ethical hacker or penetration tester (hereafter, pen tester), your next step is to perform vulnerability research and a vulnerability assessment on the target system or network. Ethical hackers or pen testers need to conduct intense research with the help of information acquired in the footprinting and scanning phases to discover vulnerabilities.

Vulnerability assessments scan networks for known security weaknesses: it recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channel; and evaluates the target systems for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Additionally, it assists security professionals in securing the network by determining security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.

The information gleaned from a vulnerability assessment helps you to identify weaknesses that could be exploited and predict the effectiveness of additional security measures in protecting information resources from attack.

The labs in this module will give you real-time experience in collecting information regarding underlying vulnerabilities in the target system using various online sources and vulnerability assessment tools.

 

Objective

The objective of this lab is to extract information about the target system that includes, but not limited to:

  • Network vulnerabilities
  • IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports and services that are listening
  • Application and services configuration errors/vulnerabilities
  • The OS version running on computers or devices
  • Applications installed on computers
  • Accounts with weak passwords
  • Files and folders with weak permissions
  • Default services and applications that may have to be uninstalled
  • Mistakes in the security configuration of common applications
  • Computers exposed to known or publicly reported vulnerabilities

Overview of Vulnerability Assessment

A vulnerability refers to a weakness in the design or implementation of a system that can be exploited to compromise the security of the system. It is frequently a security loophole that enables an attacker to enter the system by bypassing user authentication. There are generally two main causes for vulnerable systems in a network, software or hardware misconfiguration and poor programming practices. Attackers exploit these vulnerabilities to perform various types of attacks on organizational resources.

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to collect information about the underlying vulnerability in a target system or network. Recommended labs that will assist you in learning various vulnerability assessment techniques include:

  1. Perform vulnerability research with vulnerability scoring systems and databases

    • Perform vulnerability research in Common Weakness Enumeration (CWE)

  2. Perform vulnerability assessment using various vulnerability assessment tools

    • Perform vulnerability analysis using OpenVAS

  3. Perform Vulnerability Analysis using AI

    • Perform vulnerability analysis using ShellGPT

Lab 1: Perform Vulnerability Research with Vulnerability Scoring Systems and Databases

Lab Scenario

As a professional ethical hacker or pen tester, your first step is to search for vulnerabilities in the target system or network using vulnerability scoring systems and databases. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that could be exploited. Using this information, you can use various tricks and techniques to launch attacks on the target system.

Lab Objectives

  • Perform vulnerability research in Common Weakness Enumeration (CWE)

Overview of Vulnerabilities in Vulnerability Scoring Systems and Databases

Vulnerability databases collect and maintain information about various vulnerabilities present in the information systems.

The following are some of the vulnerability scoring systems and databases:

  • Common Weakness Enumeration (CWE)
  • Common Vulnerabilities and Exposures (CVE)
  • National Vulnerability Database (NVD)

Task 1: Perform Vulnerability Research in Common Weakness Enumeration (CWE)

Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and weaknesses. It has numerous categories of weaknesses that means that CWE can be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts. Further, CWE has an advanced search technique with which you can search and view the weaknesses based on research concepts, development concepts, and architectural concepts.

Here, we will use CWE to view the latest underlying system vulnerabilities.

  1. By default, Windows 11 machine is selected, click Ctrl+Alt+Delete to activate the machine and login with Admin/Pa$$w0rd.

    Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.

  2. Launch any web browser, and go to https://cwe.mitre.org/ website (here, we are using Mozilla Firefox).

    If the Default Browser pop-up window appears, uncheck the Always perform this check when starting Firefox checkbox and click the Not now button.

    If a New in Firefox: Content Blocking pop-up window appears, follow the step and click start browsing to finish viewing the information.

  3. CWE website appears. Navigate to Search tab, in the Google Custom Search under CWE List Quick Access section and search for SMB in the search field.

    Here, we are searching for the vulnerabilities of the running services that were found in the target systems in previous module labs (Module 04 Enumeration).

    Screenshot

  4. The search results appear, scroll-down to view the underlying vulnerabilities in the target service (here, SMB). You can click any link to view detailed information on the vulnerability.

    The search results might differ when you perform this task

    Screenshot

  5. Now, click any link (here, CWE-284) to view detailed information about the vulnerability.

    Screenshot

  6. Similarly, you can click on other vulnerabilities and view detailed information.

  7. Now, navigate to the CWE List tab. CWE List Version will be displayed. Scroll down, and under the External Mappings section, select CWE Top 25 (2023).

    The result might differ when you perform this task.

    Screenshot

  8. A webpage appears, displaying CWE VIEW: Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses. Scroll down and view a list of Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses under the Relationships section. You can check each weakness to view detailed information on it.

    This information can be used to exploit the vulnerabilities in the software and further launch attacks.

    The result showing publishing year might differ when you perform this task.

    Screenshot

  9. Similarly, you can go back to the CWE website and explore other options, as well.

  10. Attacker can find vulnerabilities on the services running on the target systems and further exploit them to launch attacks.

  11. This concludes the demonstration of checking vulnerabilities in the Common Weakness Enumeration (CWE).

  12. Close all open windows and document all the acquired information.

Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools

Lab Scenario

The information gathered in the previous labs might not be sufficient to reveal potential vulnerabilities of the target: there could be more information available that may help in finding loopholes. As an ethical hacker, you should look for as much information as possible using all available tools. This lab will demonstrate other information that you can extract from the target using various vulnerability assessment tools.

Lab Objectives

  • Perform vulnerability analysis using OpenVAS

Overview of Vulnerability Assessment

A vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses, and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. It identifies, quantifies, and ranks possible vulnerabilities to threats in a system. Additionally, it assists security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.

There are two approaches to network vulnerability scanning:

  • Active Scanning
  • Passive Scanning

Task 1: Perform Vulnerability Analysis using OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. Its capabilities include unauthenticated testing, authenticated testing, various high level and low-level Internet and industrial protocols, performance tuning for large-scale scans, and a powerful internal programming language to implement any vulnerability test. The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs)-over 50,000 in total.

Here, we will perform a vulnerability analysis using OpenVAS.

In this task, we will use the Parrot Security (10.10.1.13) machine as a host machine and the Windows Server 2022 (10.10.1.22) machine as a target machine.

  1. Click on Parrot Security to switch to the Parrot Security machine and login with attacker/toor.

    If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.

    If a Question pop-up window appears asking you to update the machine, click No to close the window.

  2. Open a Terminal window and execute sudo su to run the programs as a root user (When prompted, enter the password toor).

    The password that you type will not be visible.

  3. Run docker run -d -p 443:443 --name openvas mikesplain/openvas command to launch OpenVAS.

  4. After the tool initializes, click Firefox icon from the top-section of the Desktop.

  5. The Firefox browser appears, go to https://127.0.0.1/. OpenVAS login page appears, log in with admin/admin.

    If a Warning page appears, click Advanced and select Accept the Risk and Continue.

    Screenshot

  6. The OpenVAS Dashboards appears. Navigate to Scans --> Tasks from the Menu bar.

    If a Welcome to the scan task management! pop-up appears, close it.

    Screenshot

  7. Hover over wand icon and click the Task Wizard option.

    Screenshot

  8. The Task Wizard window appears; enter the target IP address in the IP address or hostname field (here, the target system is Windows Server 2022 [10.10.1.22]) and click the Start Scan button.

    Screenshot

  9. The task appears under the Tasks section; OpenVAS starts scanning the target IP address.

  10. Wait for the Status to change from Requested to Done. Once it is completed, click the Done button under the Status column to view the vulnerabilities found in the target system.

    It takes approximately 20 minutes for the scan to complete.

    If you are logged out of the session then login again using credentials admin/admin.

    Screenshot

  11. Report: Results appear, displaying the discovered vulnerabilities along with their severity and port numbers on which they are running.

    The results might differ when you perform this task.

    open1.jpg

  12. Click on any vulnerability under the Vulnerability column to view its detailed information.

  13. Detailed information regarding selected vulnerability appears, as shown in the screenshot.

    open4.jpg

  14. Similarly, you can check other Reports by hovering over the Report: Results section to view other Reports regarding the vulnerabilities in the target system.

  15. Next, go through the findings, including all high or critical vulnerabilities. Manually use your skills to verify the vulnerability. The challenge with vulnerability scanners is that they are quite limited; they work well for an internal or white box test only if the credentials are known. We will explore that now: return to your OpenVAS tool, and set up for the same scan again; but this time, turn your firewall ON in the Windows Server 2022 machine.

  16. Now, we will enable Windows Firewall in the target system and scan it for vulnerabilities.

  17. Click on Windows Server 2022 to switch to the Windows Server 2022 machine and click Ctrl+Alt+Delete and login with CEH/Administrator / Pa$$w0rd.

  18. Navigate to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or offenable Windows Firewall, and click OK.

    By turning the Firewall ON, you are making it more difficult for the scanning tool to scan for vulnerabilities in the target system.

    Screenshot

  19. Click on Parrot Security to switch to Parrot Security machine and perform Steps# 7-9 to create another task for scanning the target system.

  20. A newly created task appears under the Tasks section and starts scanning the target system for vulnerabilities.

  21. After the completion of the scan, click the Done button under the Status column.

    It takes approximately 15-20 minutes for the scan to complete.

  22. Report: Results appears, displaying the discovered vulnerabilities along with their severity and port numbers on which they are running.

    The results might differ when you perform this task.

    open3.jpg

  23. The scan results for the target machine before and after the Windows Firewall was enabled are the same, thereby indicating that the target system is vulnerable to attack even if the Firewall is enabled.

  24. This concludes the demonstration performing vulnerabilities analysis using OpenVAS.

  25. Close all open windows and document all the acquired information.

  26. Click on Windows Server 2022 to switch to the Windows Server 2022 machine and click Ctrl+Alt+Delete login with Administrator/Pa$$w0rd.

  27. Navigate to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or off, disable Windows Firewall, and click OK.

Question 5.2.1.1


Lab 3: Perform Vulnerability Analysis using AI

 

Lab Scenario

As a professional ethical hacker or pen tester, you must acknowledge the limitations of conventional approaches in revealing all potential vulnerabilities. Therefore, you will utilize AI-driven vulnerability analysis tools to identify and assess security weaknesses in a simulated network environment.

Lab Objectives

  • Perform vulnerability analysis using ShellGPT

Overview of vulnerability analysis using AI

Vulnerability Analysis with AI employs advanced algorithms to unearth hidden security flaws in networks. AI-driven tools extract comprehensive data, prioritize risks, and fortify defenses, empowering ethical hackers to anticipate and mitigate emerging threats effectively. This innovative approach enhances cybersecurity readiness by leveraging AI's precision and adaptability.

Task 1: Perform Vulnerability Analysis using ShellGPT

ShellGPT swiftly interprets and executes commands, conducting scans, identifying weaknesses, and suggesting mitigation strategies in real-time. Its adaptive nature facilitates dynamic navigation through complex systems, enhancing efficiency and precision in vulnerability analysis. By integrating ShellGPT, you can gain a powerful ally in their quest to safeguard digital ecosystems, leveraging AI's capabilities to uncover and address security risks with unparalleled speed and accuracy.

Here, we will use ShellGPT to discover potential vulnerabilites in the target.

The commands generated by ShellGPT may vary depending on the prompt used and the tools available on the machine. Due to these variables, the output generated by ShellGPT might differ from what is shown in the screenshots. These differences arise from the dynamic nature of the AI's processing and the diverse environments in which it operates. As a result, you may observe differences in command syntax, execution, and results while performing this lab task.

  1. Click Parrot Security to switch to Parrot machine, and login with attacker/toor. Open a Terminal window and execute sudo su to run the program as a root user (When prompted, enter the password toor).

    The password that you type will not be visible.

  2. Run bash sgpt.sh command to configure ShellGPT and the AI activation key.

    You can follow the Instructions to Download your AI Activation Key in Module 00: CEH Lab Setup to obtain the AI activation key. Alternatively, follow the instructions available in the file, Instructions to Download your AI_Activation_Key - CEHv13.

    jetvfd99.jpg

  3. After configuring the ShellGPT in Parrot Security machine, in the terminal window, run **sgpt

  4. --chat nikto --shell "Scan the URL https://www.certifiedhacker.com to identify potential vulnerabilities with nikto"** to launch Nikto scan on the target website.

    In the prompt, type E and press Enter to execute the command.

    Screenshot

  5. Scan result appears displaying the discovered vulnerabilities in the target website (here, www.certifiedhacker.com), as shown in the screenshot.

    Screenshot

    Screenshot

    Nikto scan takes long time to complete. You can terminate the scan, by pressing Ctrl + Z.

  6. In the terminal, run sgpt --chat vuln --shell "Perform vulnerability scan on target url http://www.moviescope.com with Nmap" command to perform vulnerability scan on the target website. The result appears displaying open ports and services running on the target website.

    Screenshot

  7. Run sgpt --chat vuln --shell "Perform a vulnerability scan on target url http://testphp.vulnweb.com with skipfish" to scan the target URL using skipfish tool.

    If a prompt appears, enter any key to continue the scanning process.

    Screenshot

  8. The skipfish begins scanning the target url. After the successful completion of the scan, report is saved at the /tmp/skipfish_scan_output/ location, named as index.html. Navigate to the location, right-click on index.html and open with Firefox ESR Web Browser, as shown in the screenshot.

    The location of scan report might differ. You can view the location in the skipfish command generated by ShellGPT.

    Screenshot

  9. Firefox browser window appears displaying the complete scan report, as shown in the screenshot.

    Screenshot

  10. Apart from the aforementioned commands, you can further explore additional options within the ShellGPT tool and utilize various other tools to conduct vulnerability assessments on the target.

  11. This concludes the demonstration of performing vulnerability assessment on the target system using ShellGPT.

  12. Close all open windows and document all the acquired information.

Question 5.3.1.1


References

https://blog.51sec.org

版权声明:
作者:Zad
链接:https://www.techfm.club/p/212223.html
来源:TechFM
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
< <上一篇
下一篇>>