Chapter 5 - Finding Vulnerabilities
Uploaded by 1711anhyeuem

Penetration Testing

Finding Vulnerabilities
Dr. Tran The Son
Vietnam – Korea University
Content
• Vulnerability vs Exposure
• Automated scanning
– Nessus
• Local and online vulnerability databases
• Targeted analysis
– The Nmap Scripting Engine
– Searchsploit
– Metasploit Scanner Modules

• Manual research
Computer Vulnerability vs Exposure
• Vulnerabilities are flaws in computer software, firmware,
hardware, and service components that can be exploited
by a threat actor to gain unauthorized access and carry out
a cyber-attack.
• Exposures are errors not inherent to the software,
firmware, hardware, or service component that put it at
risk of being exploited, such as misconfigurations, open
ports, and weak credentials.
• CVE, short for Common Vulnerabilities and Exposures, is a
database of publicly disclosed IT security vulnerabilities
and exposures.
– Each entry is assigned a unique CVE identifier (CVE ID) and added to the database (the CVE List)
CVE ID
• The CVE ID is a vulnerability’s unique identifier.
• The standard format of a CVE ID is "CVE-YYYY-NNNN", where
– CVE is a fixed prefix,
– YYYY is the year in which the CVE ID was assigned (not necessarily the same
year in which the CVE Record was published),
– NNNN is an arbitrary number with at least four digits (it is not limited to four).
• Examples: CVE-2021-12345, CVE-2008-4250 (MS08-067)

Register a new CVE


https://www.cve.org/
Common Vulnerability Scoring System
• The severity of a vulnerability is measured using the
Common Vulnerability Scoring System (CVSS). The
current version of CVSS is v3.1.
– CVSS consists of three metric groups: Base, Temporal, and Environmental.
– The CVSS Base Score ranges from 0 to 10, with 10 the most severe and 0
posing no risk.
Factors (base metrics) used to generate a CVSS base score:
• Attack vector
• Attack complexity
• Required privileges
• User interaction
• Scope
• Confidentiality
• Integrity
• Availability
Attack Vector & Surface
Exercise
• Examine the CVSS v2 Equation
– Check link: https://nvd.nist.gov/vuln-metrics/cvss
• Examine Base, Overall scores
– Different Access Vectors
– Different C-I-A
• Examine Temporal, Overall scores
– Different Exploitability, Remediation Levels
• Examine Environmental, Overall scores
– Collateral Damage Potential
– Target distribution

https://nvd.nist.gov/vuln-metrics/cvss
Exploit Prediction Scoring System (EPSS)
• The CVSS is the most frequently cited rating system to
assess the severity of security vulnerabilities. It has been
criticized, however, as not being appropriate for assessing
and prioritizing the risk posed by those vulnerabilities.
– For this reason, some have called for using the EPSS to prioritize remediation.
Zero-day vulnerabilities
• A zero-day (also known as a 0-day) is a vulnerability in a
computer system that was previously unknown to its
developers or to anyone capable of mitigating it.
• A zero-day vulnerability is a vulnerability in a system or
device that has been disclosed but is not yet patched. An
exploit that attacks a zero-day vulnerability is called a
zero-day exploit.
CVE repositories
• https://www.cve.org/
• https://www.rapid7.com/db/
• https://attackerkb.com
• https://cve.mitre.org/
Nessus
• Start the Nessus service: sudo systemctl start nessusd
• Web interface: https://kali:8834/
• Nessus Policies: configuration files that tell Nessus which
vulnerability checks, port scanners, and so on to run in
the vulnerability scan.
– New Policy → Basic Network Scan
• Scanning with Nessus
– Click Scans → New Scan
Nessus Scanning Result
Researching Vulnerabilities
https://www.cve.org/
https://www.shodan.io/
Exercise
• Use Nessus to assess the risk level of some company's
server system:
• Export the results as a table (.csv) => email: [email protected]
• Look up vulnerability information in the CVE databases
• Analyze the results
Online vulnerability databases
• The National Vulnerability Database released by the US
Government, available at
– http://web.nvd.nist.gov/view/vuln/search
• Packet Storm Security, available at
– https://packetstormsecurity.com/
• SecurityFocus, available at
– http://www.securityfocus.com/vulnerabilities
• The Exploit database maintained by Offensive Security,
available at
– https://www.exploit-db.com/
• For some 0-day vulnerabilities, penetration testers can also
keep an eye on
– https://0day.today/
Local vulnerability databases
• The Exploit database is also copied locally to Kali, and it
can be found in the /usr/share/exploitdb directory.
──(trantheson@kali)-[~]
└─$ searchsploit windows server 2016
------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------- ---------------------------------
3.3/4.0/4.2 MERCUR MailServer - Control-Service | windows/remote/21626.c
3Com 3CDaemon 2.0 FTP Server - 'Username' Remote | windows/remote/16730.rb
3Com FTP Server 2.0 - Remote Overflow | windows/remote/825.c
Abyss Web Server X1 2.11.1 - Unquoted Service Pa | windows/local/40460.txt
acFTP FTP Server 1.4 - 'USER' Remote Buffer Over | windows/dos/1749.pl
acFTP FTP Server 1.4 - 'USER' Remote Denial of S | windows/dos/1757.c
Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 | windows/dos/10603.c
Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 | windows/remote/16350.rb
Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 | windows/remote/2887.pl
…………………….
Exercise 2
• Install Windows Server 2016 + AD
• Search for vulnerabilities using online and offline databases
(searchsploit)
• Run the searchsploit scripts to exploit the vulnerabilities
found (if any)
Example
• Microsoft Exchange 2019 server that may be vulnerable
to remote code execution using valid credentials
Practice
• Search the searchsploit database available in Kali for
vulnerabilities in the VKU network system
The Nmap Scripting Engine (NSE)
• nmap --script-help default

Some NSE scripts may crash services or harm the target system, and an entire category is dedicated to denial
of service. For example, the script smb-check-vulns will check for the MS08-067 vulnerability and other SMB
vulnerabilities. Its help information notes that this script is likely dangerous and shouldn’t be run on
production systems unless you are prepared for the server to go down.
The Nmap Scripting Engine (NSE)
Scripts are written in the embedded Lua programming
language and are used for:
• Network discovery
• More sophisticated version detection
• Vulnerability detection
• Backdoor detection
• Vulnerability exploitation

NSE is activated with the -sC option (or --script if you wish to specify a
custom set of scripts), and results are integrated into Nmap normal and XML
output.
The Nmap Scripting Engine (NSE)
• Nmap has similarly evolved beyond its original goal of port
scanning. The Nmap Scripting Engine (NSE) lets you run
publicly available scripts and write your own.
• In Kali, the scripts are located in /usr/share/nmap/scripts.
The Nmap Scripting Engine (NSE)
• To tell Nmap to run a specific script in addition to port
scanning, use --script=<script_name>
• Use the -sC flag to run the default (common) scripts
The Nmap Scripting Engine (NSE)
Running a Single NSE Script
The Nmap Scripting Engine (NSE)
• Two types of scripts are supported: service and host
scripts.
– Service scripts relate to a certain open port (service) on the target host, and
any results they produce are included next to that port in the Nmap output
port table.
– Host scripts, on the other hand, run no more than once against each target
IP and produce results below the port table
NSE Script Categories
– Auth
• These scripts try to determine authentication credentials on the target system, often through a brute-force attack, e.g., snmp-
brute, http-auth, and ftp-anon.
– Default
• These scripts are the default set and are run when using the -sC or -A options
– Discovery
• These scripts try to actively discover more about the network by querying public registries, SNMP-enabled devices,
directory services, and the like.
– External
• Scripts in this category may send data to a third-party database or other network resource
– Intrusive:
• These are scripts that cannot be classified in the safe category because the risks are too high that they will crash
the target system
– Malware
• These scripts test whether the target platform is infected by malware or backdoors.
– Safe
• Scripts which weren't designed to crash services, use large amounts of network bandwidth or other resources, or
exploit security holes
– Version
• The scripts in this special category are an extension to the version detection feature and cannot be selected
explicitly
– Vuln
• These scripts check for specific known vulnerabilities and generally only report results if they are found
LUA scripting

#!/usr/bin/lua
-- io.open returns nil plus an error message on failure (e.g. no permission
-- to read /etc/shadow), so assert() stops with that message instead of
-- crashing later on a nil file handle.
local file = assert(io.open("/etc/shadow", "r"))
local contents = file:read("*a")  -- "*a" reads the whole file, not just the first line
file:close()
print(contents)
Customizing NSE scripts

-- Load the Nmap HTTP library into a local variable. This is the NSE http
-- library (not a Lua standard module), so the script must be run by nmap.
local http = require "http"

-- Every NSE script declares a description and its categories. The categories
-- table typically has two entries, one of which states whether the script is
-- safe or intrusive.
description = [[ This is my custom discovery on the network ]]
categories = {"safe", "discovery"}

-- Port rule: run the action only against port 80 on each target host.
function portrule(host, port)
  return port.number == 80
end

-- Action: request /config.php and report success when the server answers
-- with any status other than 404 (a nil status means the request failed).
function action(host, port)
  local response = http.get(host, port, "/config.php")
  if response.status and response.status ~= 404 then
    return "successful"
  end
end

• Create an nmap script like the one on the slide
• Find a way to run it on Kali
Save the file into the /usr/share/nmap/scripts/ folder
Exercise
• Find vulnerabilities and gain access to Windows Server 2016 (virtual machine)
– Get a file via the FTP port
– Send mail via the SMTP port

• Examine the NSE script categories and determine which
script checks for the vulnerability CVE-yyyy-xx on Windows
7/Server 2016
– Read the text-book "NMAP Network Scanning"
Metasploit Scanner Modules
• These modules will not give us control of the target
machine, but they will help us identify vulnerabilities for
later exploitation.
• To choose a particular module, we select it with the use
command, then we define our targets with set, and then
we scan with the exploit command.
Metasploit Exploit Check Functions
• Some Metasploit exploits include a check function that
connects to a target to see if it is vulnerable, rather than
attempting to exploit a vulnerability.
Web Application Scanning
• Web application issues are particularly interesting on
many external penetration tests where your attack
surface may be limited to little more than web servers
– Nikto
– Attacking XAMPP
– Default Credentials
Nikto
• Nikto is a web application vulnerability scanner built into
Kali that’s like Nessus for web apps.
• To run Nikto against our Linux target, we tell it which
host to scan with the -h flag
Attacking XAMPP
• XAMPP 1.7.2
• The phpMyAdmin install at http://192.168.20.10/phpmyadmin/ is available and
open
Default Credentials
• XAMPP 1.7.3 and earlier come with Web Distributed
Authoring and Versioning (WebDAV) software, which is
used to manage files on a web server over HTTP.
XAMPP’s WebDAV installation comes with the default
username and password wampp:xampp

• We can use Cadaver to interact with WebDAV servers


Manual Analysis
• Exploring a Strange Port
• Finding Valid Usernames
Exploring a Strange Port
• One port that has failed to come up in our automated
scans is 3232 (or any other unusual port) on our Windows target
• Index.html
• We can enter GET / HTTP/1.1 to ask the web server for
the default page
HTTP Protocol
• The set of common methods for HTTP/1.1
– "OPTIONS"
– "GET"
– "HEAD"
– "POST"
– "PUT"
– "DELETE"
– "TRACE"
– "CONNECT"

The GET Method
GET is used to request data from a specified resource.
Note that the query string (name/value pairs) is sent in the
URL of a GET request:
/test/demo_form.php?name1=value1&name2=value2

The POST Method
POST is used to send data to a server to create/update a
resource. The data sent to the server with POST is stored in the
request body of the HTTP request:

POST /test/demo_form.php HTTP/1.1
Host: w3schools.com

name1=value1&name2=value2
Finding Valid Usernames
• We can drastically increase our chances of a successful
password attack if we know valid usernames for services.
• One way to find valid usernames on mail servers is to use the
VRFY SMTP command.
SMTP Commands

No. | Command | Syntax                                  | Status
1   | HELO    | HELO<SP><domain><CRLF>                  | Mandatory
2   | MAIL    | MAIL<SP>FROM : <reverse-path><CRLF>     | Mandatory
3   | RCPT    | RCPT<SP>TO : <forward-path><CRLF>       | Mandatory
4   | DATA    | DATA<CRLF>                              | Mandatory
5   | QUIT    | QUIT<CRLF>                              | Mandatory
6   | RSET    | RSET<CRLF>                              | Highly recommended
7   | VRFY    | VRFY<SP><string><CRLF>                  | Highly recommended
8   | NOOP    | NOOP<CRLF>                              | Highly recommended
