CompTIA Pentest+ PT0-002 – Section 6: Vulnerability Scanning Part 2
51. Scanning Considerations (OBJ 2.3 and 2.4)
There are several scanning considerations that need to be made before you start running a scanner like Nmap, OpenVAS, Nessus, or Nikto. These considerations include the time to run the scans, the protocols to scan, the topology of the network, the bandwidth limitations that may be placed upon you, how to conduct query throttling, whether there are any fragile systems you need to consider during your scans, and whether there are any nontraditional assets that may need to be scanned as well. First, you need to consider the time to run the scans. Every scan we run takes up valuable resources, both on the system that's doing the scanning and on the target system you're scanning. If we scan a server, for example, it has to respond to each of those queries and requests, which in turn uses up some of its memory and processing resources.
If we start scanning multiple machines across the network at the same time, this can actually slow down the network because of all the bandwidth we start to use up. When you’re conducting a vulnerability scan, it’s up to you to choose the right time to do that scan. Are you going to do it during prime business hours, or are you going to do it on weekends or overnight when the systems aren’t as busy? As a penetration tester, you have to make those decisions and properly scope your vulnerability scans to minimize the impact to the targeted organization and help improve your scanning speed and performance. Sometimes, system administrators have backups running and other processes that are being done during the evenings that are already taxing the server’s resources. So conducting scans at that same time could drastically increase the length of time it’s going to take for those scans to complete. For example, one organization I work with always ran its backups from midnight to 2:00 AM on Saturday mornings. Because our full system backups were happening during that time, those systems were already running slowly and consuming extra resources.
If we started conducting our vulnerability scans at that same time, it could cause a system to be unable to meet its operational requirements or even get knocked offline. Remember, not all scans take the same amount of time either. If I scan one host for 50 different types of vulnerabilities, it's going to take a lot less time than scanning 100 hosts for 50 vulnerabilities, and scanning those same 100 hosts for 500 different vulnerabilities will take even longer. Now let's say you're using Nessus, and there are thousands of known vulnerabilities that Nessus can scan for. You need to decide which ones you're going to add to the scan scope, because the more vulnerabilities you add, the longer that scan is going to take to complete. And the more you add, the more likely it is that network defenders are going to see your scanning activity and block you. This is why conducting your reconnaissance upfront and determining what operating system, services, and versions are running on a given target is truly important. If you can scan for just the vulnerabilities associated with those pieces of software, instead of scanning for every possible vulnerability, you're going to be quieter and it's going to take you a lot less time. If you're conducting a web application scan, for example, a single application can take several days to complete, depending on the depth of the scan and the amount of code in that particular web application. Keep this in mind as you develop your scanning plans, because the time to run these scans can become extremely long if you don't properly plan and scope them. Second, you need to consider the protocols that are going to be assessed during your scanning, because each protocol scanned takes up time and resources.
Now, are we going to scan every single port and service on a target? Remember, there are 65,535 TCP ports and another 65,535 UDP ports on every machine that you might want to scan. Are you going to scan all of them, or are you just interested in the web server and want to conduct an analysis on that? In that case, you may only need to look at port 80 and port 443 for HTTP and HTTPS. If you can minimize the number of ports and services you need to scan, you're going to save a lot of time and resources. Again, consult your assessment's objectives and your initial scoping documents to figure out what should be scanned based on your engagement's goals and the reconnaissance you've already completed up to this point. Nmap, for example, can be told to scan only the 20 most common ports with --top-ports 20 (its -F fast scan covers the top 100). If you run that instead of scanning every possible port, you're only touching about 0.03% of the server's ports, but those 20 are the ones most likely to be in use on that target because they include common services like FTP, SSH, SMTP, DNS, and HTTP. The third consideration is the network topology in use and where you want to scan the network from.
When conducting a vulnerability scan, you can conduct the scan from inside or outside of the local area network. It's very important to understand the network topology, because where you scan from is going to affect your results. If you're conducting a PCI DSS scan, for example, you're going to need both an internal and an external scan (and PCI DSS requires the external scan to be run by an Approved Scanning Vendor, an ASV). This means we connect inside the LAN behind the firewall, scan the network, and then later scan again from outside the firewall over the internet to complete our compliance scan. Then you compare both sets of results to see which vulnerabilities an insider could exploit and which an outside attacker could exploit. The location of the scan also depends on your engagement goals and the type of assets you're scanning. For example, if you're scanning a web application, you might only do an external scan. On the other hand, if I'm testing your internal Windows file server, I may only need an internal scan. This is why planning is so important, because it tells us how we do a lot of our job when we get to the scanning phase. The fourth consideration is the bandwidth limitations that may be placed upon you when you're scanning. These can really affect your ability to complete your scans on time. Every scan takes up network bandwidth, so we need to decide how much we're willing to dedicate to these scans. Nmap uses the -T timing template option to determine how fast or aggressive a scan will be. -T5 (insane) is the most aggressive: it goes as quickly as possible and uses the most bandwidth. -T4 (aggressive) is a little slower, -T3 (normal) is the default, and the templates keep going down through -T2 (polite) and -T1 (sneaky) until you get to -T0 (paranoid), which is extremely slow and very stealthy.
At -T0, Nmap waits about five minutes between probes, so a scan can take many hours. By slowing down these scans, the tool uses less bandwidth, drops fewer probes so its results are more reliable, and is less likely to be detected, all at the cost of a much longer run. Remember, some networks have really big, fast connections. My office, for example, has a one gigabit per second connection. If you're going to be scanning our network, our systems can handle an aggressive scan using -T5 or -T4. On the other hand, some companies have very slow connections, relying on cable, a DSL line, or a satellite connection with very high latency. If we're scanning those types of networks, we can be too aggressive and take their entire network offline, causing an unintended denial of service. Again, all of this needs to be considered as part of your scanning plan. The fifth consideration is whether or not you're going to use query throttling. As I just described, a tool like Nmap lets us reduce the number of queries launched by the scanner at any given time (through the timing templates, plus options such as --scan-delay and --max-rate). This helps minimize the impact to network bandwidth, and it also helps keep us from being detected by the network defenders.
By using query throttling, we can be sneakier when conducting our scans and limit them to certain hours. For example, I can throttle my queries so I only send one scan per hour during the regular work day, but then send 25 scans per hour between 9:00 PM and 5:00 AM. By running these scans outside of normal business hours, I may be able to avoid detection by a cybersecurity analyst. By enabling query throttling, I'm also going to be able to avoid tripping threshold-based alerts on the network's IDS and IPS sensors by stretching those scans out over a longer period of time. These are all factors to consider as we begin our scans. The sixth thing we need to consider is whether there are any fragile or non-traditional systems that could be affected by our vulnerability scanning activities. This is incredibly important, because when we do a vulnerability scan, we can actually take down a server by being too aggressive or by probing for specific vulnerabilities. For this reason, we need to look at which systems are considered off limits for our scans and whether they should be exempted, or how we can scan those fragile or non-traditional systems more safely. For example, let's say you have a production server that your business is totally reliant upon. We might consider that a fragile system, and we have to be especially careful not to take it down during a scan. If, on the other hand, we're looking at non-traditional systems like SCADA and ICS devices, those can be broken very easily by a standard scanner like OpenVAS, Nessus, or Nmap, because their embedded network stacks often can't cope with malformed packets or a burst of connections. For this reason, it's best to leave SCADA and ICS systems to a specialist who better understands them, or exempt them completely from your vulnerability scanning so you don't break them by accident. As you can see, there are a lot of considerations to think about when you're configuring your vulnerability scanners on a production network.
These considerations include the time it takes to run the scans, the protocols you need to scan, the topology of the network, the bandwidth limitations placed upon you, how you conduct query throttling, whether there are any fragile systems to consider during your scans, and whether there are any non-traditional assets that may need to be scanned. By thinking about these things upfront, you're going to be able to avoid disrupting the organization's production network, and you'll also have a better chance of avoiding detection during your vulnerability scans.
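To make the considerations above concrete, here is an added example (not course material, and not Nmap's own code) that turns a small scan plan into an Nmap command line. It maps scope onto --top-ports or -p-, the slowest link onto a -T timing template, the time of day onto a --scan-delay that enforces the probe budget, and fragile or out-of-scope hosts onto --exclude. The bandwidth thresholds, the 09:00 to 16:59 Monday-to-Friday work day, the sample 10.3.1.0/24 range and the ScanPlan fields are all assumptions made for the example; the command is only built, never executed.

```python
"""Build an Nmap command line from a scan plan (added example, not Nmap code)."""
from dataclasses import dataclass, field
from datetime import datetime

BUSINESS_HOURS = range(9, 17)  # assumed work day, local time, Monday-Friday


@dataclass
class ScanPlan:
    targets: list                                   # hosts or CIDR ranges in scope
    exclude: list = field(default_factory=list)     # fragile / ICS / out-of-scope hosts
    link_mbps: float = 100.0                        # slowest link between scanner and targets
    top_ports: int = 20                             # 0 means every TCP port (-p-)
    probes_per_hour_business: int = 1               # throttle during the work day
    probes_per_hour_offhours: int = 25              # throttle at night and on weekends


def timing_template(link_mbps):
    """Pick an Nmap -T template from the slowest link (thresholds are assumptions)."""
    if link_mbps >= 1000:
        return "-T4"   # gigabit office link: aggressive is safe
    if link_mbps >= 100:
        return "-T3"   # Nmap's default (normal)
    if link_mbps >= 10:
        return "-T2"   # polite
    return "-T1"       # DSL / satellite: sneaky, avoids an accidental DoS


def scan_delay_seconds(probes_per_hour):
    """Convert a probe budget into the --scan-delay value that enforces it."""
    return 3600 // max(1, probes_per_hour)


def is_business_hours(when):
    return when.weekday() < 5 and when.hour in BUSINESS_HOURS


def build_nmap_args(plan, when=None):
    """Return the argv list for a scan that honours the plan at time `when`."""
    when = when or datetime.now()
    rate = (plan.probes_per_hour_business if is_business_hours(when)
            else plan.probes_per_hour_offhours)
    args = ["nmap", "-sS", timing_template(plan.link_mbps),
            "--scan-delay", f"{scan_delay_seconds(rate)}s"]
    if plan.top_ports:
        args += ["--top-ports", str(plan.top_ports)]   # 20 of 65535 ports is ~0.03%
    else:
        args += ["-p-"]
    if plan.exclude:
        args += ["--exclude", ",".join(plan.exclude)]   # never touch fragile assets
    return args + list(plan.targets)


# Constructed sample plan: a /24 behind a 2 Mbit/s link with one fragile host.
SAMPLE_PLAN = ScanPlan(targets=["10.3.1.0/24"], exclude=["10.3.1.6"], link_mbps=2.0)


def demo_commands():
    """The same plan during the work day and at night (Tuesday 2024-03-05)."""
    return {
        "day": build_nmap_args(SAMPLE_PLAN, datetime(2024, 3, 5, 10, 0)),
        "night": build_nmap_args(SAMPLE_PLAN, datetime(2024, 3, 5, 23, 0)),
    }


if __name__ == "__main__":
    for label, argv in demo_commands().items():
        print(f"{label}: {' '.join(argv)}")
```

Note that --scan-delay overrides whatever delay the -T template would have chosen, which is what makes it the right knob for a per-probe budget, and that -sS needs raw-socket privileges (root or an equivalent capability) to run.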
52. Nessus Scanning (OBJ 2.3 and 2.4)
In this video, I want to show you how to use the Nessus vulnerability scanning tool. I'm not going to make you an expert in it, but I want to show you a couple of its features. On this machine, Nessus is installed, so I'm going to load up Nessus, which is a web client: it's running on a local web server on this Windows machine. Once I get there, I have to log into the scanning tool, and once we're logged in we can start using it. There are a couple of tabs here. We have the Reports tab, which shows us any completed reports from earlier scans. If we have multiple reports, we can compare them, which is very helpful in vulnerability management. I might have a scan from last week and one from this week; I can open up the earlier one, compare it to the one I just ran, and see what the difference is: where the earlier scan had a vulnerability here and another there, I can see whether those have been fixed by the system administration team. So one way to use this tool is to go back and look at that historical data. You can also download those reports if you need to give them to the system administrators, either by email or through your file share.
When you go to Scans, this is where your scans are run. We don't have any scans yet because we haven't set up any policies, so the first thing I want to do is go over to the Policies tab. We've talked about things like plugins and templates. In here, we already have a few policies set up: Web App Tests, Preparing for PCI-DSS audits, Internal Network Scan, and External Network Scan. These are all templates provided by Tenable. Instead of using those, I'm going to show you how to create your own by clicking Add and giving it a name. We're going to call this Windows Scan, and I'm going to scan two Windows machines on this network. You can set up the port scanners to do TCP scans or SNMP scans, whatever you want; I'm going to leave the default settings for now so we can get going. Next, click on Credentials. This is where you would put in your username and password if you're going to do a credentialed scan. We've talked about this before: when you're working from an attacker's perspective you would not use a credentialed scan, but as a vulnerability manager you want a credentialed scan so you get far more information about what vulnerabilities exist and can fix them (for Windows targets, that account normally needs local administrator rights so the scanner can read the registry and file system). The important one here is Plugins, and you can see these are green because they're enabled right now.
Let's scroll down to the Windows plugin family. Each of these plugins is a check for a different vulnerability that Nessus is trying to find on that server. We can turn a plugin family on or off just by clicking Disable, and you can see the Windows family has gone away. Because I'm going to do a Windows scan, I'm going to take everything else out right now and disable it: click on the family I want and then click Disable. You get the idea. We can turn things on or off as needed. For instance, since I know I'm scanning Windows, do I need to look at the CentOS family? Probably not, because I don't have a CentOS device. You can also hit Disable All so everything is disabled and then turn on just what you want. In my case, I'm just going to scan with three Windows plugin families to make our scan go much quicker, and those three families still contain roughly 3,000 different vulnerability checks. The last thing is Preferences: if you have domain controller usernames and passwords, you can enter those here as well.
So I'm going to go ahead and submit that, and now you can see I have this Windows Scan, which is a private policy I created and is owned by my user. Now we're going to go to Scans and add a new scan. You give it a name so you'll know what it is, and you can schedule it: you can use a template if you want or run it now. I'm going to run it now, but if you wanted to, you could schedule it every day, every week, every month, every year, or just once. In our case, we're going to run it now. We select the policy we want, which is the Windows Scan we just created, and then give it the targets. You can give it an entire IP address range: for instance, if I put in the 10.3.1.0/24 range, it's going to scan all 256 addresses in that subnet. In my case, there are two hosts I want to scan: 10.3.1.6 and 10.3.2.3. The first is a Windows 2003 server and the second is a Windows 2012 server. You can also browse for a text file or a comma-separated value file with all of your IPs and use that as your target file, so you don't have to type them in individually each time. I'm going to launch the scan, and it's going to take a couple of minutes to run, because it has to reach out to each machine and run those 3,000 or so checks against it to identify which vulnerabilities are present. So I'm going to pause the video here and come back when the scan is complete. All right, that scan only took about a minute. Once it finishes, it's cleared from our Scans list because there are no more scheduled scans, but it does show up in our Reports, and you can see the test scan completed at 16:57.
And again, we can go ahead and double-click it if we want to browse it. And we’ll see which scans have which vulnerabilities. Here you can see the vulnerability count. For instance, here there’s 12 and you can see the criticality. By default, it’s going to show you based on criticality most critical to least critical. And they go from critical to high to medium to low or informational, and you’ll see the number of counts or the number of vulnerabilities that exist. This can be a helpful view but the one I actually prefer is the host view from a vulnerability management perspective. So, when I go ahead and click on host view, you can see right away which of these servers is the most vulnerable. Which one do you think it is? That’s right, it’s the 10.3.1.6, which I told you was a Windows 2003 server. There are seven critical vulnerabilities, one high, one medium, and then 17 informational. If I look at the 2008 server, on the other hand, we have zero criticals, zero high, zero medium, and zero low and only 18 informational. It’s a much more secure server. And so, we can actually look at it and go, if I had to apply resources to one of these servers and I only had a certain amount of time and money, which one would I fix first? I would fix the 2003 server because it has more vulnerabilities that can be exploited by a known adversary.
Now, if you want to dig into each of those vulnerabilities, which you'll need to do to figure out what's wrong, you can click on one and go deeper. Let's say I wanted to fix this one. This is a very well-known vulnerability: MS08-067. I can click on that and it shows the information about the vulnerability. It tells me it's arbitrary code execution; the description says it is remote code execution in the Windows Server service against Windows 2000, XP, 2003, Vista, and 2008 if you don't have the patch installed. It's a critical risk factor, which means I want to fix it right away, and the CVSS base score is 10, which tells you it is as severe as it gets. You can see here that it affects your confidentiality, integrity, and availability. As you scroll down a little further, you get a link to the IAVA (the DoD Information Assurance Vulnerability Alert number for this issue), the Microsoft bulletin, which is MS08-067, and the CWE, which is number 94. You can cross-reference these in the vulnerability databases if you're connected to the internet, and they will tell you exactly what is wrong and how to fix it. In this case, it tells us we can go to Microsoft and download the patch. Now, how is it exploited? Well, lots of things have an exploit for it.
CANVAS has an exploit for it; Core Impact has an exploit for it; Metasploit has an exploit for it. If any of those frameworks has an exploit, it's a public, weaponized vulnerability, which means we should really be worried about it, because any script kiddie can attack us using it. So you can see how you can dig in deep here with the vulnerability scans, either by looking at an individual host or by digging into a particular vulnerability and knowing which plugin found it and what patch needs to be applied. If you take this information to your system administrators, they can run it through change control, implement the fix, and get you into a less vulnerable state, and then you scan again and compare the two scans to see how that looks.
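The host view and the scan-over-scan comparison described in this lesson are easy to reproduce outside the Nessus web interface once you have its .nessus export. The following is an added example (not course material and not Tenable code) that parses the NessusClientData_v2 XML format Nessus writes (ReportHost and ReportItem elements with a 0 to 4 severity attribute), builds the per-host severity counts shown in the host view, and diffs two scans to list what was fixed and what appeared. The two reports below are constructed samples: the MS08-067 entry reuses its real CVE (CVE-2008-4250), but the plugin IDs, ports and other findings are illustrative only.

```python
"""Host view and scan diff for .nessus exports (added example, not Tenable code)."""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}

# Constructed sample: last week's scan, with MS08-067 still present on the 2003 box.
LAST_WEEK = """<NessusClientData_v2><Report name="Windows Scan">
<ReportHost name="10.3.1.6">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="34477"
   pluginName="MS08-067: Server Service RPC Request Handling RCE"><cve>CVE-2008-4250</cve></ReportItem>
 <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001" pluginName="SMB signing not required"/>
 <ReportItem port="135" protocol="tcp" severity="0" pluginID="900002" pluginName="DCE/RPC enumeration"/>
</ReportHost>
<ReportHost name="10.3.2.3">
 <ReportItem port="135" protocol="tcp" severity="0" pluginID="900002" pluginName="DCE/RPC enumeration"/>
</ReportHost>
</Report></NessusClientData_v2>"""

# Constructed sample: this week's scan, after the MS08-067 patch and with one new medium.
THIS_WEEK = """<NessusClientData_v2><Report name="Windows Scan">
<ReportHost name="10.3.1.6">
 <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001" pluginName="SMB signing not required"/>
 <ReportItem port="135" protocol="tcp" severity="0" pluginID="900002" pluginName="DCE/RPC enumeration"/>
 <ReportItem port="3389" protocol="tcp" severity="2" pluginID="900003" pluginName="RDP NLA not enforced"/>
</ReportHost>
<ReportHost name="10.3.2.3">
 <ReportItem port="135" protocol="tcp" severity="0" pluginID="900002" pluginName="DCE/RPC enumeration"/>
</ReportHost>
</Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return {host: [finding, ...]}; each finding is a dict of the fields we report on."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for rh in root.iter("ReportHost"):
        findings = []
        for ri in rh.iter("ReportItem"):
            findings.append({
                "plugin": ri.get("pluginID"),
                "name": ri.get("pluginName"),
                "port": f"{ri.get('port')}/{ri.get('protocol')}",
                "severity": int(ri.get("severity", "0")),
                "cves": [c.text for c in ri.findall("cve")],
            })
        hosts[rh.get("name")] = findings
    return hosts


def host_view(hosts):
    """[(host, (critical, high, medium, low, info)), ...] with the worst host first."""
    rows = []
    for host, findings in hosts.items():
        counts = Counter(f["severity"] for f in findings)
        rows.append((host, tuple(counts.get(s, 0) for s in (4, 3, 2, 1, 0))))
    # Tuple comparison ranks by criticals first, then highs, and so on.
    return sorted(rows, key=lambda r: r[1], reverse=True)


def finding_key(host, finding):
    """A finding is identified by host, plugin and port, like Nessus' own diff."""
    return (host, finding["plugin"], finding["port"])


def diff_scans(old, new):
    """Return (fixed, introduced) lists of finding keys between two parsed reports."""
    old_keys = {finding_key(h, f) for h, fs in old.items() for f in fs}
    new_keys = {finding_key(h, f) for h, fs in new.items() for f in fs}
    return sorted(old_keys - new_keys), sorted(new_keys - old_keys)


if __name__ == "__main__":
    before, after = parse_nessus(LAST_WEEK), parse_nessus(THIS_WEEK)
    for host, counts in host_view(after):
        print(host, dict(zip(SEVERITY.values(), counts)))
    fixed, introduced = diff_scans(before, after)
    print("fixed:", fixed)
    print("new:", introduced)
```

Keying the diff on host, plugin and port rather than on the plugin name means a renamed plugin does not show up as a fixed-and-reintroduced pair, and a finding that moves to a different port is correctly reported as new.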
53. OpenVAS Scanning (OBJ 2.3 and 2.4)
In this lesson, I'm going to show you how to assess scan outputs. Instead of using Nessus, we're going to use OpenVAS to see how that one looks a little different. In this one, I'm going to go more in depth than last time, because I'm going to show you everything from creating the scan account and configuring its permissions, to setting up OpenVAS, to looking at the results from that scan. Let's jump into the environment and get started. First, we need to configure our scan account. I'm going to open up DC1 and then use Active Directory Users and Computers. From here, I'm going to right-click on Users and select New, then Group. I'm going to enter the name for my group: sec-glo-scan. This is the group we're going to use for the auditors who perform our scans. The scope should be Global and the type should be Security. Once that's done, hit OK. Next, we're going to right-click on Users and select New, then User. Here, we enter the full name and username as scan. Then I click Next and enter a password.
Now I'm going to uncheck User must change password, check Password never expires, then click Next and then Finish. This is a common setting for a scan account. When you do this, make sure you're using a good, strong password, because we're not requiring this account to change its password and the password will never expire, so something long, strong, and complicated is what you want here. Next, we right-click the scan user object we just created and select Add to a group. Here, we type in sec-glo-scan and click Check Names. Once that's underlined, click OK, and then OK again. Now we can close the Active Directory Users and Computers console. Next, we go into Server Manager and select Tools, then Group Policy Management. This lets us manage our group policies. Once we're in here, right-click the Computers OU container and select Create a GPO in this domain, and Link it here. In the box, we're going to give it a name; in this case, 515support Scanning Policy. 515support is the fictional company we're using in these examples. Now we expand Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, then User Rights Assignment. Once you're there, double-click Deny log on locally. Because the scan account is going to hold privileged rights on these machines, we don't want anyone using it to log on at a console; it should only ever be used over the network by our scanning engine.
We check the Define these policy settings box and click Add User or Group. Again, we type in our group, sec-glo-scan, click OK, and then OK to confirm from the main dialog. At this point, we can double-click Deny log on through Remote Desktop Services, because again we don't want anyone using this account to log on to these machines over RDP. We check the Define these policy settings box, click Add User or Group, put in our group sec-glo-scan, and click OK and then OK once more. Under Security Settings, we select the Registry node. We right-click in the empty pane and select Add Key. From here, we select USERS and click OK. Then we click Advanced and click Add, and select a principal. Again, we type in sec-glo-scan and click OK. From the Type box, we select Deny. From the Applies to list, we make sure This object and child objects is selected. Now we select Show advanced permissions and check the following boxes: Set Value, Create Subkey, Create Link, Delete, Change permissions, and Take ownership. Then we confirm all the dialog boxes. A credentialed scanner only needs to read the registry to check patch levels and configuration, so these Deny entries make sure the scan account can never write to, delete from, or re-permission the registry, even though it is otherwise a privileged account. If the credential is ever stolen, that limits what an attacker can do with it. Next, we right-click in the empty pane and again select Add Key.
From here, we select MACHINE and click OK. Then click Advanced, then Add, and select a principal. Once more, we type in sec-glo-scan and click OK. From the Type box we select Deny, and for the Applies to list we select This object and child objects. Then we click Show advanced permissions and check the following boxes: Set Value, Create Subkey, Create Link, Delete, Change permissions, and Take ownership. Once more, confirm all the dialog boxes, and now we have set the right permissions. So at this point we have created a user and a group with the right restrictions for our scanner. Any time we want to do a credentialed scan, we're going to use the scan user account, which is a member of the sec-glo-scan group, because that is our scanning account. For a credentialed Windows scan that account still needs administrative rights on the hosts (for example, membership in the local Administrators group, which this walkthrough doesn't show), but the policy we just built ensures those rights can't be used for an interactive or RDP logon and can't be used to modify the registry. Now that we've finished creating the scan account, we need to go into OpenVAS and start using it. So we go over to my OpenVAS scanning machine and browse to 10.1.0.243, which is the address of the scanner. When you're using OpenVAS, you work through a web page that interacts with the server and the scanning engine on that machine. Once we're there, I log in with my admin user and password. Once I'm in, you can see the dashboard, and there isn't much information here because we haven't done any scans yet. First, I go to Configuration under the menu and select Credentials. From here, I select New Credential, and in that dialog box I add a new credential named sec-glo-scan for the user account we just created.
Now, for the Allow insecure use option, I'm going to select Yes. That tells the scanner it may send this credential over protocols that don't protect it (plaintext or weakly authenticated logins), so it can run every credentialed check rather than only the ones that use a secure login. Be aware that this also means the scan account's password can be exposed on the wire, which is one more reason to restrict what that account is allowed to do.
Then in the Username box, I type 515support\scan, which is my domain name followed by the scan user we created (OpenVAS accepts the domain\username form for Windows logins), and in the Password box I type the password. Then click Save. Now that we have our credential saved, we can configure our scan scope and sensitivity. When we do this, we decide what group of targets we want to go after with our vulnerability scanning. So we click on Configuration and then select Targets, and then click New Target. In that dialog, I type in the name 515support-Host-Windows, because I'm going to scan all the Windows-based hosts inside my network. Next to Hosts, I select Manual and type in the range I want to scan, in this case 10.1.0.0/24, which is the subnet that contains all my Windows hosts. Next, I can exclude some hosts. I select Manual and type in 10.1.0.254, 10.1.0.243. The .243 machine is the box I'm actually scanning with, so I don't want to scan it as part of my targets; it is my vulnerability scanner. Then under Credentials, I select sec-glo-scan, because that is the one we have authorized as the scanning account, and then I click Save.
Next I'm going to go to the Configuration menu and click Scan Configs. Here we're going to take a few minutes to browse the default scan configurations, but we're not going to make any changes. From Scans, I select Tasks; a wizard prompt may appear, and if it does, just close it. Next, click on New Task and then select New Task. In the New Task dialog, we type in the name we want: in this case 515support-Host-Windows-Full. From the Scan Targets box, we select the target group we just set up, 515support-Host-Windows. From the Scan Config box, we make sure we select Full and Fast, which is the type of vulnerability scan we want to conduct. Then we click Save, and finally we click the play button, which starts our scan. I'm starting this one by hand, but if you want scans to run at designated intervals, the Greenbone Community Edition can schedule tasks as well: create a schedule under Configuration and then Schedules, and select it in the task's Schedule box. It'll usually take a couple of minutes or longer to perform these scans, because it's connecting to each machine inside my scope and testing them for those vulnerabilities, so I'm going to speed this up so you don't have to wait. Once it's done, you get the results by looking at the scan report: click on Scans and then Results.
Once you do that, you'll see a dashboard with four key areas. The top left is all the results by severity class. In this case, you can see I had 163 total results: 7 high, 26 medium, 5 low, and the rest were log or informational content. In the middle, we have a word cloud built from the names of the vulnerabilities that were found. I can see, for instance, that Windows occurred a lot because these were Windows scans, so that is a very large word. It's a very quick visual way to say, "Oh, I have an issue with SSL/TLS" or "I have an issue with SSH," whichever vulnerability is taking up most of the cloud. On the top right, you have the results by CVSS severity, going from N/A and Log and then 1 through 10, so you can see very quickly how dangerous things are on your network. What I really find useful is the bottom part. There we see the results 10 at a time, in this case 10 out of 163. You have the name of the vulnerability, the severity, the quality of detection (QoD), the host IP, the DNS name of the server, the location (the port and protocol), and when the result was created. This is the top-level information, but you can drill down and see additional detail by clicking on the names of those vulnerabilities. So now that we've had a quick look at our results, let's filter to find everything associated with a particular host.
For example, if I want to find all the vulnerabilities for the host at 10.1.0.1, I go into the filter box, type host=10.1.0.1, and click Update Filter. These are all the vulnerabilities associated with my domain controller. You'll see there aren't many here. Why is that? Because we effectively only did an uncredentialed scan against the domain controller: the scan account has administrative rights on the member hosts but not on the domain controller, so the DC got an uncredentialed scan while everything else got a credentialed one. Let's take a look, for instance, at the Null Session vulnerability. When we click on that, we can see that the guest account is enabled, which is a serious misconfiguration, and because this is a domain controller it's quite alarming. This is something that definitely should not be there on a domain controller, which is why it's high severity and something we should fix quickly. Next, we adjust our filter string: instead of looking at the domain controller at 10.1.0.1, let's make that 10.1.0.2. When we do that, you'll see a lot more severe results. This is because we had administrative credentials on that host and did a credentialed scan, so the scanner could see far more. In this case, we see a lot of results with high severity, in the 9 or 10 range.
Now, we can go in and look at these by clicking on those reports, and if the scanner has internet access you can research the associated CVEs to figure out what you should do. For example, if we want to find everything that is affected by a particular vulnerability, instead of filtering by host we can type vulnerability~"" followed by the name of the vulnerability inside the quotes. In my case, I’m going to use vulnerability~"4013389". Once I click the Update Filter button, you’ll see that I have a hit for PC2, which is running Windows 7. This is bad news, because this is the same vulnerability that was used by WannaCry, known as EternalBlue. This is a big, bad vulnerability that allows remote code execution on a system, so if you find it on your network you want to make sure you get it patched quickly. Additionally, instead of looking it up by the Microsoft Knowledge Base number, we can look at the same results based on a CVE.
For example, I know that the WannaCry vulnerability is CVE-2017-0144, so I can go into the filter box, type ~"CVE-2017-0144" and hit Update Filter. Now I’m going to find any machines that match that CVE. This is really useful when some new, big, bad vulnerability comes out and you want to test all your systems for that particular vulnerability. For example, I was working in a large organization when the Apache Struts vulnerability came out a couple of years ago. We wanted to identify, across our millions of endpoints, which ones were vulnerable to this attack. So we were able to do a search looking just for that one CVE as we scanned across our network, and that way we could find those systems and patch them quickly. So hopefully you’ve enjoyed this short lesson on learning how to configure a scanner and use it, using OpenVAS and the Greenbone Community Edition. As I said in the other lesson, I recommend you download this program and scan your own network. Play with it, and get comfortable reading these different results and reports, because it would be totally fair for the exam to give you output from one of these results and then ask you what you would do to fix it as a defender or how you would exploit it as an attacker.
54. Nikto Scanning (OBJ 2.3 and 2.4)
In this lesson, we’re going to go through ways to look at web applications. What I’m going to do first is jump into my lab environment, and we’re going to start with Nikto. As I said, Nikto is a web application vulnerability scanner. If you think about Nessus and Qualys and tools like that, those are used against your infrastructure: servers, routers, switches, and hosts. But if you want to look at a web application in depth, you really want to use something like Nikto. So you’re going to go into your terminal and run the command nikto -host followed by the IP of the host you’re trying to scan. In my case, it’s 10.1.0.10. Once you do that, you’re going to see some of the issues that were found. For instance, you can see on the first line that the server is an Apache 2.4.6 server running on CentOS. As you go through, you can see that the anti-clickjacking header is not present, that the cross-site scripting protection header is not defined, and that the X-Content-Type-Options header is not set. As you go down, you’re going to see all the different vulnerabilities. Further down, you’re going to see entries labeled OSVDB, which are vulnerability database identifiers that tell you exactly what was tested. For example, under OSVDB-877 you can see that the HTTP TRACE method is active, and this suggests that the host is vulnerable to an attack. As you go through, you can identify each of these different items, then look them up, research them, and figure out how to exploit those issues. Now, the next thing we want to do is probe the website for directories and files. We can do this using a different plugin inside of Nikto.
So I’m going to use nikto -host 10.1.0.10 -Plugins followed by the plugin I want to use. In my case, it’s going to be the dictionary plugin with the common wordlist: nikto -host 10.1.0.10 -Plugins "dictionary(dictionary:/usr/share/wordlists/dirb/common.txt)". When I do that, I’m going to be able to run a scan for common file and directory names on that server. Next, let’s run a command to find any files that require authorization to view. I can do this with nikto -host 10.1.0.10 -Display 4. Display option 4 will show me all the identified files that would have required authorization to view. The next thing I want to do is perform a credentialed scan against that web application, and I want to save that output as an HTML report, which Nikto can do as well. We’re going to type nikto -host http://10.1.0.10/dvwa, which is the web application that I want to go after, then -id followed by the credentials. In my case, that is admin with a password of password, so -id admin:password. Then I want to write that output to a file with -o /root/Downloads/dvwa.html and put it into HTML format with -Format htm. Once I do that, I’m going to have that file inside the root directory underneath the Downloads folder. Because it’s an HTML file, I need to open it using Firefox, so I’ll type firefox /root/Downloads/dvwa.html, and this will show me all of the information in that report. As I go through that report, I can see all the different issues that were found.
For instance, there’s directory indexing not found, there’s configuration information that could be remotely available, and there are other things like that as we go through it. For instance, there is this PHP information reveal, where sensitive information is displayed to the client as they go into that application. This is just a quick summary of some of the issues we found with this vulnerable web application. Now, for the exam, it’s important that you can read basic output from different tools such as Nikto. For example, they might give you a snippet from a Nikto output, just like you saw in this video, and then ask you which vulnerability is associated with it. Or they might show you a snippet of Nikto output and ask you what type of attack you would plan to perform in the attacks and exploitation phase. Based on what you’re seeing in those results, as part of your reconnaissance, you should be able to analyze them and determine what vulnerabilities exist on that given target server. For example, based on the Nikto output we saw, we could see that the Apache server was out of date, that it was using a vulnerable version of OpenSSL, and that it was vulnerable to cross-site scripting attacks because it didn’t have the cross-site scripting protection header defined in its HTTP response headers. This gives an attacker or penetration tester a lot of different vulnerabilities to exploit. Now, if you didn’t catch that the first time through the video, please go back, pause it on that output screen, and take a look at it.
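To practice the kind of output analysis described above, here is an added example (not from the course or from the Nikto project) that parses Nikto’s plain-text findings and turns them into a defender’s checklist: server banner, missing security headers with the fix for each, and OSVDB entries such as the active TRACE method. The sample output is constructed to mirror the findings the lesson walks through; the header-to-fix table is my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Nikto text output, modelled on the findings described
# in the lesson (Apache on CentOS, three missing headers, OSVDB-877). Not a real capture.
SAMPLE_NIKTO_OUTPUT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.0.10
+ Target Hostname:    10.1.0.10
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
"""

# Headers Nikto reports as missing, mapped to the hardening step a defender applies.
HEADER_FIXES = {
    "X-Frame-Options": "Send X-Frame-Options: DENY (or SAMEORIGIN) to block clickjacking",
    "X-XSS-Protection": "Send X-XSS-Protection: 1; mode=block (legacy; a CSP is the real fix)",
    "X-Content-Type-Options": "Send X-Content-Type-Options: nosniff to stop MIME sniffing",
}
OSVDB_RE = re.compile(r"^OSVDB-(\d+):\s*(.*)$")
HEADER_RE = re.compile(r"\b(X-[A-Za-z-]+)\b header is not (?:present|defined|set)")

@dataclass
class NiktoReport:
    target: str = ""
    server: str = ""
    missing_headers: dict = field(default_factory=dict)  # header name -> recommended fix
    osvdb: dict = field(default_factory=dict)            # OSVDB id -> Nikto message
    trace_enabled: bool = False

def parse_nikto(text: str) -> NiktoReport:
    """Extract the defender-relevant facts from Nikto's '+ ' finding lines."""
    report = NiktoReport()
    for raw in text.splitlines():
        if not raw.startswith("+ "):
            continue                      # skip banner, separators and blank lines
        line = raw[2:].strip()
        if line.startswith("Target IP:"):
            report.target = line.split(":", 1)[1].strip()
        elif line.startswith("Server:"):
            report.server = line.split(":", 1)[1].strip()
        elif m := HEADER_RE.search(line):
            hdr = m.group(1)
            report.missing_headers[hdr] = HEADER_FIXES.get(hdr, "Define this header")
        elif m := OSVDB_RE.match(line):
            report.osvdb[m.group(1)] = m.group(2)
            if "TRACE" in m.group(2):
                report.trace_enabled = True  # remediation: disable TRACE (Apache: TraceEnable off)
    return report
```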
As that output comes up, read through it, take a look at what it is, and figure out whether you understand the key vulnerabilities that this server has. Being able to do this level of analysis is going to be really important for you come exam day. Now, as we move into domain three with attacks and exploits, we’re going to use Nikto again to show what vulnerabilities exist and then what we can do to attack the particular vulnerabilities we found in this video. As I said, we’re going to spend more time with this tool and follow it up again as we get into domain three. But for right now, I just need to introduce you to this tool and the fact that we can use it for web application scanning, and get you more comfortable with the type of output you can expect from a tool like Nikto.