Module 05: Vulnerability Analysis

Lab Scenario

Earlier, all possible information about a target system such as system name, OS details, shared network resources, policies and passwords details, and users and user groups were gathered.

Now, as an ethical hacker or penetration tester (hereafter, pen tester), your next step is to perform vulnerability research and a vulnerability assessment on the target system or network. Ethical hackers or pen testers need to conduct intense research with the help of information acquired in the footprinting and scanning phases to discover vulnerabilities.

A vulnerability assessment scans networks for known security weaknesses: it recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels, and it evaluates target systems for weaknesses such as missing patches, unnecessary services, weak authentication, and weak encryption. It also helps security professionals secure the network by finding loopholes or vulnerabilities in the current security mechanisms before attackers can exploit them.

The information gleaned from a vulnerability assessment helps you to identify weaknesses that could be exploited and predict the effectiveness of additional security measures in protecting information resources from attack.

The labs in this module will give you real-time experience in collecting information regarding underlying vulnerabilities in the target system using various online sources and vulnerability assessment tools.

Lab Objectives

The objective of this lab is to extract information about the target system that includes, but is not limited to:

  • Network vulnerabilities
  • IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports and services that are listening
  • Application and services configuration errors/vulnerabilities
  • The OS version running on computers or devices
  • Applications installed on computers
  • Accounts with weak passwords
  • Files and folders with weak permissions
  • Default services and applications that may have to be uninstalled
  • Mistakes in the security configuration of common applications
  • Computers exposed to known or publicly reported vulnerabilities

Overview of Vulnerability Assessment

Vulnerability assessment plays a major role in providing security to any organization’s resources and infrastructure from various internal and external threats. To secure a network, an administrator needs to perform patch management, install proper antivirus software, check configurations, solve known issues in third-party applications, and troubleshoot hardware with default configurations. All these activities together constitute vulnerability assessment. Network vulnerability scanning can be categorized into active scanning and passive scanning:

  • Active Scanning: Interacts directly with the target network to find vulnerabilities by sending probes and specially crafted requests to the target hosts in the network
  • Passive Scanning: Finds vulnerabilities without directly interacting with the target network, identifying them from information the systems expose in their normal communications

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to collect information about the underlying vulnerability in a target system or network. Recommended labs that will assist you in learning various vulnerability assessment techniques include:

  1. Perform vulnerability research with vulnerability scoring systems and databases
    • Perform vulnerability research in Common Weakness Enumeration (CWE)
    • Perform vulnerability research in Common Vulnerabilities and Exposures (CVE)
    • Perform vulnerability research in National Vulnerability Database (NVD)
  2. Perform Vulnerability Assessment using Various Vulnerability Assessment Tools
    • Perform vulnerability analysis using OpenVAS
    • Perform vulnerability scanning using Nessus
    • Perform vulnerability scanning using GFI LanGuard
    • Perform web servers and applications vulnerability scanning using CGI Scanner Nikto

Lab 1: Perform Vulnerability Research with Vulnerability Scoring Systems and Databases

Lab Scenario

As a professional ethical hacker or pen tester, your first step is to search for vulnerabilities in the target system or network using vulnerability scoring systems and databases. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that could be exploited. Using this information, you can use various tricks and techniques to launch attacks on the target system.

Lab Objectives

  • Perform vulnerability research in Common Weakness Enumeration (CWE)
  • Perform vulnerability research in Common Vulnerabilities and Exposures (CVE)
  • Perform vulnerability research in National Vulnerability Database (NVD)

Overview of Vulnerabilities in Vulnerability Scoring Systems and Databases

Vulnerability databases collect and maintain information about various vulnerabilities present in the information systems.

The following are some of the vulnerability scoring systems and databases:

  • Common Weakness Enumeration (CWE)
  • Common Vulnerabilities and Exposures (CVE)
  • National Vulnerability Database (NVD)
  • Common Vulnerability Scoring System (CVSS)

Task 1: Perform Vulnerability Research in Common Weakness Enumeration (CWE)

Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and weaknesses. It has numerous categories of weaknesses, which means that CWE can be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts. Further, CWE has an advanced search technique with which you can search and view the weaknesses based on research concepts, development concepts, and architectural concepts.

Here, we will use CWE to view the latest underlying system vulnerabilities.

  1. By default, the Windows 10 machine is selected; click Ctrl+Alt+Delete to activate the machine.

Alternatively, you can click the Ctrl+Alt+Delete button under the Windows 10 machine thumbnail in the Resources pane, or click the Ctrl+Alt+Delete button under the Commands (thunder icon) menu.

  2. By default, the Admin user profile is selected; click Pa$$w0rd to paste the password into the Password field and press Enter to log in.

Alternatively, you can click Pa$$w0rd under the Windows 10 machine thumbnail in the Resources pane, or click the Type Text | Type Password button under the Commands (thunder icon) menu.

If the Welcome to Windows wizard appears, click Continue, and in the Sign in with Microsoft wizard, click Cancel.

The Networks screen appears; click Yes to allow your PC to be discoverable by other PCs and devices on the network.

  3. Launch any browser (here, Mozilla Firefox). Place your mouse cursor in the address bar, click https://cwe.mitre.org/, and press Enter.
    • If the Default Browser pop-up window appears, uncheck the Always perform this check when starting Firefox checkbox and click Not now.
    • If a New in Firefox: Content Blocking pop-up window appears, follow the steps and click Got it to finish viewing the information.
  4. The CWE website appears. In the Google Custom Search box under the Search CWE section, type SMB and click the search icon.

Here, we are searching for vulnerabilities in the running services that were found on the target systems in the previous module's labs (Module 04 Enumeration).

  5. The search results appear, displaying the underlying vulnerabilities in the target service (here, SMB). You can click any link to view detailed information on a vulnerability.

The search results might differ in your lab environment.

  6. Now, click any link (here, CWE-200) to view detailed information about the vulnerability.
  7. A new webpage appears in a new tab, displaying detailed information about the vulnerability. You can scroll down further to view more information.
  8. Similarly, you can click other vulnerabilities and view detailed information.
  9. Now, navigate back to the CWE website, scroll down, and click the CWE List link below the search results.
  10. A new webpage appears, displaying the CWE List Version. Scroll down and, under the External Mappings section, click CWE Top 25 (2019).

The result might differ in your lab environment.

  11. A webpage appears, displaying CWE VIEW: Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors. Scroll down and view the list of Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors under the Relationships section. You can click each weakness to view detailed information on it.

This information can be used to exploit the vulnerabilities in the software and further launch attacks.

The publishing year of the result might differ in your lab environment.

  12. Similarly, you can go back to the CWE website and explore other options as well.
  13. This concludes the demonstration of checking vulnerabilities in the Common Weakness Enumeration (CWE).
  14. Close all open windows and document all the acquired information.

Question 1.1.1:

Name the target service that is searched for vulnerabilities in this task.

Task 2: Perform Vulnerability Research in Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. It is used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.

Here, we will use CVE to view the latest underlying system and software vulnerabilities.

  1. In the Windows 10 machine, launch any browser (here, Mozilla Firefox). Place your mouse cursor in the address bar, click https://cve.mitre.org/, and press Enter.
  2. The CVE website appears. In the right pane, under the Newest CVE Entries section, recently discovered vulnerabilities are displayed.

The results might differ in your lab environment.

  3. You can copy the name of any vulnerability under the Newest CVE Entries section and search for it on CVE to view detailed information on it (here, we are selecting the vulnerability CVE-2020-13910).
  4. Now, click Search CVE List. Under the Search CVE List section, type the vulnerability name (here, CVE-2020-4051) in the search bar and click Submit.
  5. The Search Results page appears, displaying information regarding the searched vulnerability. You can click the vulnerability link to view further detailed information regarding it.
  6. Similarly, in the Search CVE List section, you can search for a service-related vulnerability by typing the service name (here, SMB) and clicking Submit.

You can search for vulnerabilities in the running services that were found on the target systems in the previous module's labs (Module 04 Enumeration).

  7. The Search Results page appears, displaying a list of vulnerabilities in the target service (SMB) along with their descriptions, as shown in the screenshot.

The results might vary in your lab environment.

  8. Further, you can click the CVE-ID of any vulnerability to view its detailed information. Here, we will click the first CVE-ID link.
  9. Detailed information regarding the vulnerability is displayed, such as its Description, References, and Date Entry Created. Further, you can click the links under the References section to view more information on the vulnerability.
  10. Likewise, you can search the Search CVE List for the underlying vulnerabilities of other target services.
  11. This concludes the demonstration of checking vulnerabilities in the Common Vulnerabilities and Exposures (CVE).
  12. Close all open windows and document all the acquired information.

Question 1.2.1:

What is the host machine that is used to perform the above task?

Task 3: Perform Vulnerability Research in National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). These data enable the automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Here, we will use the NVD to view the latest underlying system and software vulnerabilities.

  1. In the Windows 10 machine, launch any browser (here, Mozilla Firefox). Place your mouse cursor in the address bar, click https://nvd.nist.gov/, and press Enter.
  2. The NATIONAL VULNERABILITY DATABASE website appears; the recently discovered vulnerabilities can be viewed.
  3. You can click the CVE-ID link (here, CVE-2020-6269) to view detailed information about the vulnerability.

The results might differ in your lab environment.

  4. A new webpage appears, displaying CVE-2020-6269 Detail. You can view detailed information such as Current Description, Severity, References, and Weakness Enumeration.
  5. Under the Severity section, click the Base Score link to view the CVSS details of the vulnerability.
  6. A new webpage appears, displaying the Base Score, Temporal Score, Environmental Score, and Overall Score of the vulnerability in graphical form, under Common Vulnerability Scoring System Calculator CVE-2020-6269.
    • Base Score: The metric most relied upon by enterprises; it deals with the inherent qualities of a vulnerability. The tables below give the severity of a vulnerability depending on the Base Score range:

CVSS v3.0 Ratings

  Severity   Base Score Range
  None       0.0
  Low        0.1-3.9
  Medium     4.0-6.9
  High       7.0-8.9
  Critical   9.0-10.0

CVSS v2.0 Ratings

  Severity   Base Score Range
  Low        0.0-3.9
  Medium     4.0-6.9
  High       7.0-10.0

    • Temporal Score: Represents the qualities of the vulnerability that change over time. The Environmental Score represents the qualities of the vulnerability that are specific to the affected user's environment.
    • Overall Score: Sum total of both the scores (CVSS Base Score, CVSS Temporal Score).
  7. Scroll down to view more detailed information on the different score metrics, such as Base Score Metrics, Temporal Score Metrics, and Environmental Score Metrics.

The results might differ depending on the selected vulnerability.

  8. Now, navigate back to the main page of the NATIONAL VULNERABILITY DATABASE, expand Vulnerabilities, and click the Search & Statistics option, as shown in the screenshot.
  9. The Search Vulnerability Database page appears. In the Keyword Search field, type a target service (here, SMB) to find vulnerabilities associated with it and click Search.

You can search for vulnerabilities in the running services that were found on the target systems in the previous module's labs (Module 04 Enumeration).

  10. The Search Results page appears, displaying detailed information on the underlying vulnerabilities in the target service.
  11. You can view detailed information on each vulnerability by clicking its Vuln ID.
  12. Likewise, you can search the Search Vulnerability Database for the underlying vulnerabilities of other target services.
  13. This concludes the demonstration of checking vulnerabilities in the National Vulnerability Database (NVD).
  14. Close all open windows and document all the acquired information.

Question 1.3.1:

Which of the following Base Score Ranges specifies medium Severity in Common Vulnerability Scoring System (CVSS) v3.0 Ratings?

4.0-6.9

0.1-3.9

7.0-8.9

9.0-10.0

Question 1.3.2:

The sum total of CVSS Base Score and CVSS Temporal Score is called the __.

Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools

Lab Scenario

The information gathered in the previous labs might not be sufficient to reveal potential vulnerabilities of the target: there could be more information available that may help in finding loopholes. As an ethical hacker, you should look for as much information as possible using all available tools. This lab will demonstrate other information that you can extract from the target using various vulnerability assessment tools.

Lab Objectives

  • Perform vulnerability analysis using OpenVAS
  • Perform vulnerability scanning using Nessus
  • Perform vulnerability scanning using GFI LanGuard
  • Perform web servers and applications vulnerability scanning using CGI Scanner Nikto

Overview of Vulnerability Assessment Tools

Vulnerability assessment tools are used to secure and protect the organization’s system or network: security analysts can use these tools to identify weaknesses present in the organization’s security posture and remediate the identified vulnerabilities before an attacker exploits them. Network vulnerability scanners analyze and identify vulnerabilities in the target network or network resources using vulnerability assessment and network auditing. These tools also assist in overcoming weaknesses in the network by suggesting various remediation techniques.

Task 1: Perform Vulnerability Analysis using OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. Its capabilities include unauthenticated testing, authenticated testing, various high-level and low-level Internet and industrial protocols, performance tuning for large-scale scans, and a powerful internal programming language to implement any vulnerability test. The actual security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.

Here, we will perform a vulnerability analysis using OpenVAS.

In this task, we will use the Parrot Security (10.10.10.13) machine as a host machine and the Windows Server 2016 (10.10.10.16) machine as a target machine.

  1. Click Parrot Security 4.10 to switch to the Parrot Security machine.
  2. On the login page, the attacker username is selected by default. Enter toor in the Password field and press Enter to log in to the machine.

If a Parrot Updater pop-up appears at the top-right corner of the Desktop, ignore and close it.

If a Question pop-up window appears asking you to update the machine, click No to close the window.

  3. Click Applications at the top of the Desktop window and navigate to Pentesting –> Vulnerability Analysis –> Openvas – Greenbone –> Start to launch the OpenVAS tool.
  4. A terminal window appears. In the [sudo] password for attacker field, type toor as the password and press Enter. OpenVAS initializes.

The password that you type will not be visible.

  5. After the tool initializes, click the Firefox icon in the top section of the Desktop.
  6. The Firefox browser appears. In the address bar, type the address of the OpenVAS web interface and press Enter.
  7. The OpenVAS login page appears. Log in with the Username admin and the Password password, and click Login.
  8. The OpenVAS Dashboards page appears, as shown in the screenshot.
  9. Navigate to Scans –> Tasks from the Menu.

If a Welcome to the scan management! pop-up appears, close it.

  10. Hover over the wand icon and click Task Wizard.
  11. The Task Wizard window appears; enter the target IP address in the IP address or hostname field (here, the target system is Windows Server 2016 [10.10.10.16]) and click Start Scan.
  12. The task appears under the Tasks section; OpenVAS starts scanning the target IP address.
  13. Wait for the Status to change from Requested to Done. Once the scan is completed, click the Done button under the Status column to view the vulnerabilities found in the target system.

If you are logged out of the session, log in again using the credentials admin/password.

  14. The Report: Information page appears; click the Results tab to view the discovered vulnerabilities along with their severity and the port numbers on which the affected services are running.
  15. Click any vulnerability under the Vulnerability column (here, Apache HTTP Server 2.4.20 – 2.4.39 Multiple Vulnerabilities (Windows)) to view its detailed information.
  16. Detailed information regarding the selected vulnerability appears, as shown in the screenshot.
  17. Similarly, you can click other discovered vulnerabilities under the Report: Results section to view detailed information regarding the vulnerabilities in the target system.
  18. Next, go through the findings, including all high or critical vulnerabilities, and manually use your skills to verify each vulnerability. The challenge with vulnerability scanners is that they are quite limited; they work well for an internal or white-box test only if the credentials are known. We will explore that now: return to OpenVAS and set up the same scan again, but this time turn the firewall on in the Windows Server 2016 machine.
  19. Now, we will enable Windows Firewall in the target system and scan it for vulnerabilities.
  20. Click Windows Server 2016 to switch to the Windows Server 2016 machine and click Ctrl+Alt+Delete to activate it. By default, the Administrator user profile is selected; click Pa$$w0rd to paste the password into the Password field and press Enter to log in.
  21. Navigate to Control Panel –> System and Security –> Windows Firewall –> Turn Windows Firewall on or off, enable Windows Firewall, and click OK.

By turning the Firewall on, you are making it more difficult for the scanning tool to scan for vulnerabilities in the target system.

  22. Click Parrot Security 4.10 to switch to the Parrot Security machine and repeat steps 9-11 to create another task for scanning the target system.
  23. The newly created task appears under the Tasks section and starts scanning the target system for vulnerabilities.
  24. After the scan completes, click the Done button under the Status column.
  25. The Report: Information page appears; click the Results tab to view the discovered vulnerabilities along with their severity and the port numbers on which the affected services are running.

The results might vary in your lab environment.

  26. The scan results for the target machine before and after Windows Firewall was enabled are the same, indicating that the target system is vulnerable to attack even when the firewall is enabled.
  27. This concludes the demonstration of performing vulnerability analysis using OpenVAS.
  28. Close all open windows and document all the acquired information.
  29. Click Windows Server 2016 to switch to the Windows Server 2016 machine and click Ctrl+Alt+Delete to activate it. By default, the Administrator user profile is selected; click Pa$$w0rd to paste the password into the Password field and press Enter to log in.
  30. Navigate to Control Panel –> System and Security –> Windows Firewall –> Turn Windows Firewall on or off, disable Windows Firewall, and click OK.

Question 2.1.1:

What is the IP address of the target machine in this task?

Task 2: Perform Vulnerability Scanning using Nessus

Nessus is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers could use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies such as OSes, network devices, hypervisors, databases, tablets/phones, web servers, and critical infrastructure.

Here, we will use Nessus to perform vulnerability scanning on the target system.

  1. Click Windows 10 to switch to the Windows 10 machine.
  2. Launch any browser (here, Microsoft Edge). Place your mouse cursor in the address bar, click https://localhost:8834/, and press Enter.
  3. The This site is not secure page appears; expand the Details section and click Go on to the webpage.
  4. On the Nessus login page, use Admin as the username and password as the Password, and click Sign In.
  5. Nessus begins to initialize; this will take some time. On completion of initialization, the Nessus dashboard appears along with the Welcome to Nessus Essentials pop-up. Close the pop-up.

In the Let Microsoft Edge save and fill your password for this site next time? pop-up, click Never.

  6. The Nessus Essentials dashboard appears; click Policies under the RESOURCES section in the left pane.
  7. The Policies window appears; click Create a new policy.
  8. The Policy Templates window appears; click Advanced Scan.
  9. The New Policy / Advanced Scan section appears.
  10. In the Settings tab, under the BASIC setting type, specify a policy name in the Name field (here, NetworkScan_Policy) and give a Description of the policy (here, Scanning a Network).
  11. In the Settings tab, click the DISCOVERY setting type and turn off the Ping the remote host option in the right pane.
  12. Select the Port Scanning option under the DISCOVERY setting type, and then check Verify open TCP ports found by local port enumerators. Leave the other fields at their default options, as shown in the screenshot.
  13. Select the ADVANCED setting type. In the right pane, under the Performance Options settings, set the values of Max number of concurrent TCP sessions per host and Max number of concurrent TCP sessions per scan to Unlimited.
  14. To configure the credentials of the new policy, click the Credentials tab and select Windows from the options.
  15. Specify the Username and Password in the window. Here, the specified credentials are CEH123/[email protected].

Re-enter the created user account credentials, Admin/password, if a session timeout notification pop-up appears.

  16. Click the Plugins tab and do not alter any of the options in this window. Click Save.
  17. The Policy saved successfully notification pop-up appears, and the policy is added to the Policies window, as shown in the screenshot.
  18. Now, click Scans from the menu bar to open the My Scans window; click Create a new scan.
  19. The Scan Templates window appears. Click the User Defined tab and select NetworkScan_Policy.

If an API Disabled pop-up appears, refresh the browser and log in to Nessus Essentials again using the credentials Admin/password. If it still shows the API Disabled error, clear the browser cache by clicking the three dots at the top right of the browser –> History –> Clear History, make sure that cache and cookies are checked, click Clear, and log in to Nessus Essentials again.

  20. The New Scan / NetworkScan_Policy window appears. Under General Settings in the right pane, input the Name of the scan (here, Local Network) and enter the Description of the scan (here, Scanning a local network); in the Targets field, enter the IP address of the target on which you want to perform the vulnerability analysis. In this lab, the target IP address is 10.10.10.16 (Windows Server 2016).

The IP addresses may vary in your lab environment.

  21. Click Schedule settings and ensure that the Enabled switch is turned off. Click the drop-down icon next to the Save button and select Launch to start the scan.
  22. The Scan saved and launched successfully notification pop-up appears. The scan is launched, and Nessus begins to scan the target.
  23. After the scan completes, click Local Network to view the detailed results.
  24. The Local Network window appears, displaying the summary of target hosts, as well as the Scan Details and Vulnerabilities categorization under the Hosts tab, as shown in the screenshot.
  25. Click the Vulnerabilities tab and scroll down to view all the vulnerabilities associated with the target machine.

The list of vulnerabilities may differ in your lab environment.

  26. Click these vulnerabilities to view a detailed report about each. For instance, in this lab, we are selecting the first vulnerability in the list, that is, SNMP (Multiple Issues).
  27. The Local Network / SNMP (Multiple Issues) window appears, displaying multiple issues in the SNMP service. Click any issue (here, SNMP Agent Default Community Name (public)) to view its detailed information.
  28. The report regarding the selected vulnerability, SNMP Agent Default Community Name (public), appears with detailed information such as plugin details, risk information, vulnerability information, reference information, the solution, and output, as shown in the screenshot.
  29. On completing the vulnerability analysis, click Scans, and then click the recently performed scan (here, Local Network).
  30. In the Local Network window, click the Report tab in the top-right corner and choose a file format (here, HTML) from the drop-down list. By downloading a report, you can access it at any time instead of logging in to Nessus again and again.
  31. The Generate HTML Report pop-up appears; leave the Report type option at its default (Executive Summary). Click Generate Report to download the report.

If the What do you want to do with Local_Network_5cfvy7.html? pop-up appears, click Save.

The file name might differ in your lab environment.

  32. Once the download is finished, a pop-up appears at the bottom of the browser; click Open.
  33. If the How do you want to open this file? pop-up appears, choose any browser (here, Firefox) to view the downloaded HTML file.
  34. The Nessus scan report appears in the Firefox web browser, as shown in the screenshot.

Screenshots and the browser might differ in your lab environment.

  35. You can click the Expand All option to view the detailed scan report.
  36. A list of discovered vulnerabilities appears. You can further click a plugin (here, 130276) to view more detailed information on the vulnerability.

The results might differ in your lab environment.

  37. The selected plugin details are displayed, as shown in the screenshot.
  38. In this way, you can select a vulnerability of your choice to view its complete details.
  39. Once the vulnerability analysis is done, switch back to Microsoft Edge, where Nessus is running, and click Admin –> Sign Out in the top-right corner.
  40. Once the session is successfully logged out, a Signed out successfully. Goodbye, admin notification appears.
  41. This concludes the demonstration of performing vulnerability assessment using Nessus.
  42. Close all open windows and document all the acquired information.

Question 2.2.1:

What is the default port used by Nessus to run?

Question 2.2.2:

What is the IP address of the target machine in this task?

Task 3: Perform Vulnerability Scanning using GFI LanGuard

GFI LanGuard scans, detects, assesses, and rectifies security vulnerabilities in your network and connected devices. It scans the network and ports to detect, assess, and correct security vulnerabilities, with minimal administrative effort. It scans your OSes, virtual environments, and installed applications through vulnerability check databases. It enables you to analyze the state of your network security, identify risks, and address how to take action before it is compromised.

Here, we will use GFI LanGuard to perform vulnerability scanning on the target system.

  1. Click on Windows Server 2019 to switch to the Windows Server 2019 machine, and click Ctrl+Alt+Delete to activate the machine. By default, the Administrator user account is selected; click on Pa$$w0rd to enter the password and press Enter.
  2. Launch any browser; in this lab we are using Mozilla Firefox. Place your mouse cursor in the address bar of the browser, click https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/download/ and press Enter.
  3. The GFI LanGuard registration page appears. Enter your details and business email under the Business Email field and click Continue.
  4. On the next page, enter the required details, select the I agree to GFI Software terms of service and privacy policy and consent to GFI Software to process data checkbox, and click Start my free trial.
  5. The Download your GFI LanGuard trial page appears; click Download your free trial.

The Opening languard.exe pop-up appears; click Save File.

  1. Now, navigate to the download location (here, Downloads) and double-click languard.exe to install it.

If the User File – Security Warning pop-up appears, click Run.

  1. The GFI LanGuard dialog box appears; select the preferred language (here, English) and click OK.
  2. The GFI LanGuard wizard appears with the selected components for installation; click Next to proceed.
  3. The Database Configuration window appears. In the SQL server name field, type .\SQLEXPRESS and leave SQL database name as default. Ensure that the Use Windows Authentication checkbox is selected and click OK.

The SQL server name might differ in your lab environment.

  1. Now, switch back to the Mozilla Firefox browser, open a new tab, and log in to the email account you provided during registration.
  2. Open the email from GFI Downloads and copy the activation key.
  3. The GFI LanGuard License Key window appears. Paste the received activation key in the Enter License Key field and click OK.
  4. GFI LanGuard starts installing. After the installation completes, the GFI LanGuard Setup window appears; click Next.
  5. The End-User License Agreement wizard appears; accept the terms and click Next.
  6. In the Attendant service credentials wizard, leave the Name field as default (here, SERVER2019\Administrator) and enter the Password of the administrator account (here, Pa$$w0rd); then, click Next.

The Name field might differ in your lab environment.

  1. In the Choose Destination Location wizard, leave the Folder location set to default and click Install.
  2. The Installing GFI LanGuard wizard appears. After the completion of installation, the GFI LanGuard Central Management Server Setup window appears; then, click Next.
  3. In the Service logon information wizard, leave the User Name field (Administrator user account) set to its default, enter the Password of the administrator account (here, Pa$$w0rd), and click Next.

The Name field might differ in your lab environment.

  1. The HTTPS Settings wizard appears; keep the name at its default and click Next.

The name field might differ in your lab environment.

  1. In the Destination Folder wizard, choose the location where you want to install the application (here, the default location is selected) and click Next.
  2. In the Ready to install wizard, click Install to proceed.
  3. Once the installation is complete in the GFI LanGuard Central Management Server Setup window, click Finish.
  4. In the GFI LanGuard Setup window, ensure that the Launch GFI LanGuard checkbox is selected. De-select the Launch GFI LanGuard Central Management Server checkbox and click Finish.
  5. A GFI LanGuard pop-up appears on the main window of the application; click Continue evaluation.
  6. The GFI LanGuard main window appears, and it begins to inspect the security status of the local computer.
  7. Click Launch a Scan or View details.
  8. A window indicates that a scan on the local machine is already in progress.

Allow the scan to finish analyzing vulnerabilities in the host machine.

  1. Click Stop to halt the vulnerability scan on the host machine.

If the Stop scanning confirmation pop-up appears, click Yes.

The scan might take time to stop.

  1. The Launch a New Scan page appears: specify the details required to scan a target/machine as follows:
    • Enter the IP address of the machine in the Scan Target field (here, the target machine is Windows Server 2016 [10.10.10.16]), and ensure that the Full Scan option is selected from the Profile drop-down list.
    • Ensure that Currently logged on user is selected in the Credentials drop-down list.
    • Click Scan.

This may vary in your lab environment.

  1. GFI LanGuard takes some time to perform the vulnerability assessment on the intended machine.
  2. Once the scanning is complete, a Scan completed! message is displayed under Scan Results Details, as shown in the screenshot.

The scanning takes approximately 20–30 minutes to complete.

  1. To examine the scan result, in the left pane under Scan Results Overview, click the IP address (10.10.10.16) node to expand it. The Vulnerability Assessment and Network & Software Audit nodes are displayed, as shown in the screenshot.

The results might differ in your lab environment.

  1. Click the Vulnerability Assessment node. This shows category-wise details of assessed vulnerabilities. Click each category to view the vulnerabilities in detail.
  2. Expand Ports and click Open TCP Ports to view all the open TCP ports under the Scan Results Details section in the right pane, as shown in the screenshot.
  3. Click System Information to view detailed information about the target system under the Scan Results Details section in the right pane.
  4. Expand the System Information node and click Shares to view the details of shared folders on the target machine.
  5. Similarly, you can click the Hardware and Software nodes to view detailed scan information.
  6. Click the Dashboard tab to display the scanned network information. In the left pane, expand Entire Network, and then CEH; then, click SERVER2016.
  7. Detailed information such as Vulnerability Level, Security Sensors, Computer Details, Scan Activity, and Results Statistics is displayed in the right pane, as shown in the screenshot.

In a real engagement, this vulnerability information about the target systems can be used to develop and design exploits suitable for breaking into a network or a single target.

  1. You can further explore the tool by clicking on various options. For instance, click on Software from the options at the top to view a list of applications installed on the target machine under the Application Category section. You can also click on any application (here, Google Chrome) to view its detailed information under the Details section, as shown in the screenshot.
  2. Click on the Vulnerabilities option; a list of various categories of vulnerabilities appears under the Vulnerability Types section. Click on any category of vulnerability (here, High Security Vulnerabilities): detailed information on this category is displayed under the Details section, and a list of vulnerabilities is displayed under the Vulnerability List section.
  3. You can further explore the scan results by clicking various options such as Patches, System Information, Hardware, and Ports.
  4. Now, click on the Report tab and click the Vulnerability Status type under General Reports in the right pane.
  5. Information about the Vulnerability Status report appears in the right pane; click the Generate Report button to create the vulnerability report.
  6. The Vulnerability Status report appears in the right pane. Click on the drop-down icon next to the icon and choose HTML File.
  7. The HTML Export Options window appears; leave the settings at their defaults and click OK.
  8. The Save As window appears; set the download location to Desktop. Rename the file to Vulnerability Status Report.html and click Save.
  9. The GFI LanGuard pop-up appears; click Yes to open the file.
  10. In the How do you want to open this file? pop-up, select any web browser (here, Firefox) and click OK.
  11. The Vulnerability Status report appears; you can scroll down to view detailed information regarding the discovered vulnerabilities.
  12. This concludes the demonstration of scanning network vulnerabilities using GFI LanGuard.
  13. Close all open windows and document all the acquired information.

Question 2.3.1:

What is the default HTTPS server name kept in the HTTPS Settings wizard in this task?

Question 2.3.2:

What is the target IP address in the above task?

Task 4: Perform Web Servers and Applications Vulnerability Scanning using CGI Scanner Nikto

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and it attempts to identify installed web servers and software.

Here, we will perform web servers and applications vulnerability scanning using CGI scanner Nikto.

In this task, we will target the www.certifiedhacker.com website.

  1. Click on Parrot Security 4.10 to switch to the Parrot Security machine.
  2. Click the Applications menu in the top-left corner of the Desktop and navigate to Pentesting –> Web Application Analysis –> Web Vulnerability Scanners –> nikto to open Nikto in the Terminal.
  3. The Parrot Terminal window appears; in the [sudo] password for attacker field, type toor as the password and press Enter. Nikto initializes.

The password that you type will not be visible.

  1. Nikto's scanning options for scanning the target website are displayed.
  2. You can further type nikto -H and press Enter to view the various available commands with their full help text.
  3. The result appears, displaying the various options available in Nikto. We will use the Tuning option to do a deeper and more comprehensive scan of the target web server.

A tuning scan can be used to decrease the number of tests performed against a target. By specifying the type of test to include or exclude, faster and focused testing can be completed. This is useful in situations where the presence of certain file types such as XSS or simply “interesting” files is undesired.

  1. In the terminal window, type nikto -h (Target Website) -Tuning x (here, the target website is certifiedhacker.com) and press Enter. Nikto starts scanning with all the tuning options enabled.

-h: specifies the target host; -Tuning x: selects the reverse tuning option (i.e., include all tests except those specified).

The scan takes approximately 10 minutes to complete.

  1. The result appears, displaying various information such as the name of the server, IP address, target port, retrieved files, and vulnerabilities details of the target website.

The result might vary in your lab environment.

  1. Here, we will check for CGI directories with the -Cgidirs option. With this option, search for specific directories or use the all value to search all the available directories.
  2. In the terminal window, type nikto -h (Target Website) -Cgidirs all (here, the target website is certifiedhacker.com) and press Enter.

-Cgidirs: scans the specified CGI directories; users can use the filters “none” or “all” to scan no CGI directories or all of them.

The scan takes approximately 10 minutes to complete.

  1. The target website does not have any CGI directory; therefore, the same result as the previous scan was obtained.

You can try this command on another website to obtain information about CGI directories.

  1. Now, we will save the scan results in the form of a text file on the Desktop. To do so, type cd and press Enter to return to the home directory.
  2. Type cd Desktop and press Enter to navigate to the Desktop.
  3. Type nikto -h (Target Website) -o (File_Name) -F txt (here, the target website is certifiedhacker.com) and press Enter.

-h: specifies the target, -o: specifies the name of the output file, and -F: specifies the file format.

Name the file Nikto_Scan_Results.

The scan takes approximately 10 minutes to complete.

  1. Now, type pluma Nikto_Scan_Results and press Enter to open the created file in a text editor window. The file appears, displaying the scan results, as shown in the screenshot.
  2. This concludes the demonstration of checking vulnerabilities in the target website using Nikto.
  3. Close all open windows and document all the acquired information.
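
The text file produced by the -o/-F txt step above is easier to document when it is parsed rather than read by eye. The following script is an added example, not part of this lab or of Nikto; it parses a constructed report in Nikto's txt layout (placeholder IP and findings), separates findings that carry a vulnerability-database reference from plain configuration observations, and lists the flagged paths for triage.

```python
"""Parse the text report written by `nikto -o <file> -F txt` and summarise it.
Added example, not part of the lab or of Nikto; SAMPLE_REPORT is constructed."""
import re

# Constructed sample in Nikto's txt layout (placeholder IP from TEST-NET-1).
SAMPLE_REPORT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.0.2.10
+ Target Hostname:    www.certifiedhacker.com
+ Target Port:        80
+ Start Time:         2021-01-01 10:00:00 (GMT0)
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2021-01-01 10:09:12 (GMT0) (552 seconds)
+ 1 host(s) tested
"""

META_KEYS = {"Target IP", "Target Hostname", "Target Port", "Server", "Start Time", "End Time"}
SUMMARY_RE = re.compile(r"^\d+ (requests:|host\(s\) tested)")  # run statistics, not findings
OSVDB_RE = re.compile(r"^OSVDB-(\d+): (\S+): (.*)$")           # "<ref>: <path>: <text>"

def parse_nikto_txt(report):
    """Return (metadata dict, list of finding dicts) from a Nikto txt report."""
    meta, findings = {}, []
    for raw in report.splitlines():
        if not raw.startswith("+ "):
            continue                      # version banner and separator lines
        line = raw[2:].strip()
        key, sep, value = line.partition(":")
        m = OSVDB_RE.match(line)
        if sep and key in META_KEYS:
            meta[key] = value.strip()
        elif SUMMARY_RE.match(line):
            continue
        elif m:                           # finding with a vulnerability-database reference
            findings.append({"ref": "OSVDB-" + m[1], "path": m[2], "text": m[3]})
        else:                             # header/configuration observation, no reference
            findings.append({"ref": None, "path": None, "text": line})
    return meta, findings

def summarise(findings):
    # Split referenced from configuration findings and list flagged paths for triage.
    referenced = sum(1 for f in findings if f["ref"])
    paths = sorted(f["path"] for f in findings if f["path"])
    return {"total": len(findings), "referenced": referenced, "paths": paths}
```

Point parse_nikto_txt at the contents of Nikto_Scan_Results to get the same metadata and finding breakdown for the real scan.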

Question 2.4.1:

Which of the following is a target website in this task?

www.eccouncil.org

www.certifiedhacker.com

www.moviescope.com

www.goodshopping.com
