Learning Vulnerability Scanning

Learning vulnerability scanning is fun and easy, so I hope you enjoy reading this short how-to guide on using vulnerability scanning to secure your servers and networks.

Nmap is the Swiss Army knife you need to learn if you are serious about a career in cyber security. Nmap can be combined with the Nmap Scripting Engine (NSE) to automate your tasks.

For example, here we run a single NSE script that checks for one ColdFusion vulnerability (CVE-2010-2861) against our test lab machine.

root@kali:~# nmap -v -p 80 --script http-vuln-cve2010-2861 10.11.1.220

Starting Nmap 6.47 ( http://nmap.org ) at 2016-07-22 17:34 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 17:34
Scanning 10.11.1.220 [1 port]
Completed ARP Ping Scan at 17:34, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:34
Completed Parallel DNS resolution of 1 host. at 17:35, 13.01s elapsed
Initiating SYN Stealth Scan at 17:35
Scanning 10.11.1.220 [1 port]
Completed SYN Stealth Scan at 17:35, 0.04s elapsed (1 total ports)
NSE: Script scanning 10.11.1.220.
Nmap scan report for 10.11.1.220
Host is up (0.043s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:50:56:89:78:7F (VMware)

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.16 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (68B)

Now we use --script all to run every available NSE script against our target lab machine.

root@kali:~# nmap -v -p 80 --script all 10.11.1.220

Starting Nmap 6.47 ( http://nmap.org ) at 2016-07-22 17:38 EDT
NSE: Loaded 470 scripts for scanning.
NSE: Script Pre-scanning.
NSE: url-snarf no network interface was supplied, aborting …
Initiating NSE at 17:38
NSE: mtrace: A source IP must be provided through fromip argument.
Completed NSE at 17:38, 40.18s elapsed
Pre-scan script results:
| broadcast-dhcp-discover:
| IP Offered: 192.168.95.129
| DHCP Message Type: DHCPOFFER
| Server Identifier: 192.168.95.254
| IP Address Lease Time: 0 days, 0:30:00
| Subnet Mask: 255.255.255.0
| Router: 192.168.95.2
| Domain Name Server: 192.168.95.2
| Domain Name: localdomain
| Broadcast Address: 192.168.95.255
| NetBIOS Name Server: 192.168.95.2
| Renewal Time Value: 0 days, 0:15:00
|_ Rebinding Time Value: 0 days, 0:26:15
| broadcast-eigrp-discovery:
|_ ERROR: Couldn’t get an A.S value.
| broadcast-igmp-discovery:
| 192.168.95.1
| Interface: eth0
| Version: 2
| Group: 224.0.0.251
| Description: mDNS
| 192.168.95.1
| Interface: eth0
| Version: 2
| Group: 224.0.0.252
| Description: Link-local Multicast Name Resolution (rfc4795)
|_ Use the newtargets script-arg to add the results as targets
| broadcast-listener:
| ether
| EIGRP Hello
|
| ARP Request
| sender ip sender mac target ip
| 192.168.95.2 00:50:56:F7:A0:DD 192.168.95.129
| 10.11.17.13 00:50:56:AF:12:F5 10.11.17.220
| 10.11.1.50 00:50:56:89:5C:08 10.11.0.151
| 192.168.95.1 00:50:56:C0:00:08 192.168.95.2
| 10.11.1.145 00:50:56:89:59:1B 10.11.1.220
| 10.11.1.5 00:50:56:89:7E:0D 10.11.0.32
| 10.11.1.251 00:50:56:89:7A:B2 10.11.1.220
| 10.11.1.14 00:50:56:89:43:C6 10.11.0.151
| 10.11.1.252 00:50:56:89:4E:65 198.32.64.12
| 10.11.1.220 00:50:56:89:78:7F 10.11.1.251
| 10.11.1.221 00:50:56:89:5E:D2 10.11.1.145
| udp
| MDNS
| Generic
| ip ipv6 name
| 10.11.1.237 humble.local
| 10.11.1.237 f.b.8.7.9.8.e.f.f.f.6.5.0.5.2.0.0.0.0.0.4.0.3.b.f.f.6.3.5.c.c.f.ip6.arpa
| 10.11.1.72 5.7.2.5.9.8.e.f.f.f.6.5.0.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
| 10.11.1.238 humble2.local
| 10.11.1.238 c.6.6.3.9.8.e.f.f.f.6.5.0.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
| 10.11.1.72 beta.local
| 10.11.1.237 f.b.8.7.9.8.e.f.f.f.6.5.0.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
| 10.11.1.238 c.6.6.3.9.8.e.f.f.f.6.5.0.5.2.0.0.0.0.0.4.0.3.b.f.f.6.3.5.c.c.f.ip6.arpa
| 10.11.1.72 5.7.2.5.9.8.e.f.f.f.6.5.0.5.2.0.0.0.0.0.4.0.3.b.f.f.6.3.5.c.c.f.ip6.arpa
| Netbios
| Query
| ip query
| 10.11.1.50 WPAD
| 10.11.1.49 WPAD
| 192.168.95.1 GRSHQ-693TXQ1 x1C
| LLMNR
| ip query
| fe80::2499:44cc:43d5:8b24 GRSHQ-693TXQ1
| 192.168.95.1 GRSHQ-693TXQ1
| 10.11.1.223 Jeff
| 10.11.1.50 wpad
| 10.11.1.50 Bethany2
| 10.11.1.49 wpad
| 10.11.1.49 Bethany
| 10.11.1.230 kevin
| 10.11.1.145 HELPDESK
| SSDP
| ip uri
| 192.168.95.1 urn:schemas-upnp-org:device:InternetGatewayDevice:1
| 10.11.1.230 urn:schemas-upnp-org:device:InternetGatewayDevice:1
| DHCP
| srv ip cli ip mask gw dns vendor
| 192.168.95.254 192.168.95.129 255.255.255.0 192.168.95.2 192.168.95.2 –
|_ 192.168.95.254 192.168.95.131 255.255.255.0 192.168.95.2 192.168.95.2 –
| broadcast-ping:
| IP: 10.11.1.22 MAC: 00:50:56:89:1e:50
| IP: 10.11.1.141 MAC: 00:50:56:89:6d:1b
| IP: 10.11.1.8 MAC: 00:50:56:89:1d:09
| IP: 10.11.1.209 MAC: 00:50:56:89:13:a9
| IP: 192.168.95.2 MAC: 00:50:56:f7:a0:dd
| IP: 10.11.1.115 MAC: 00:50:56:89:45:d4
|_ Use --script-args=newtargets to add the results as targets
| broadcast-wpad-discover:
|_ ERROR: Could not find WPAD using DNS/DHCP
| broadcast-wsdd-discover:
| Devices
| 192.168.95.1
| Message id: 00f7ffd9-c8a0-4695-8156-7718c4f8e0d2
| Address: http://192.168.95.1:5357/8da5b27a-c780-4373-921e-2c3bada8acc3/
|_ Type: Device pub:Computer
|_eap-info: please specify an interface with -e
| http-icloud-findmyiphone:
|_ ERROR: No username or password was supplied
| http-icloud-sendmsg:
|_ ERROR: No username or password was supplied
| http-virustotal:
|_ ERROR: An API key is required in order to use this script (see description)
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
| targets-ipv6-multicast-invalid-dst:
| IP: fe80::2499:44cc:43d5:8b24 MAC: 00:50:56:c0:00:08 IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld:
| IP: fe80::2499:44cc:43d5:8b24 MAC: 00:50:56:c0:00:08 IFACE: eth0
|
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-slaac:
| IP: fe80::2499:44cc:43d5:8b24 MAC: 00:50:56:c0:00:08 IFACE: eth0
| IP: fe80::8539:a4b2:73d2:61c5 MAC: 00:50:56:89:1d:70 IFACE: tap0
| IP: fe80::f462:394e:fc37:6825 MAC: 00:50:56:c0:00:08 IFACE: eth0
| IP: fe80::f180:81a8:87c2:2fb6 MAC: 00:50:56:89:14:2b IFACE: tap0
| IP: fe80::50c9:6e9b:ae48:7f1b MAC: 00:50:56:89:14:2b IFACE: tap0
| IP: fe80::84e0:751a:3b50:2e0a MAC: 00:50:56:89:5c:08 IFACE: tap0
| IP: fe80::6543:330c:453a:d725 MAC: 00:50:56:89:5c:08 IFACE: tap0
| IP: fe80::250:56ff:fe89:1d70 MAC: 00:50:56:89:1d:70 IFACE: tap0
| IP: fe80::250:56ff:fe89:3590 MAC: 00:50:56:89:35:90 IFACE: tap0
| IP: fe80::250:56ff:fe89:3209 MAC: 00:50:56:89:32:09 IFACE: tap0
| IP: fe80::250:56ff:fe89:d6c MAC: 00:50:56:89:0d:6c IFACE: tap0
| IP: fe80::1506:17a6:199f:3d71 MAC: 00:50:56:89:59:1b IFACE: tap0
| IP: fe80::250:56ff:fe89:200d MAC: 00:50:56:89:20:0d IFACE: tap0
| IP: fe80::e890:24c:98e2:6969 MAC: 00:50:56:89:3c:36 IFACE: tap0
| IP: fe80::d82e:2e77:70e2:e2ae MAC: 00:50:56:89:3c:36 IFACE: tap0
| IP: fe80::250:56ff:fe89:6ba3 MAC: 00:50:56:89:6b:a3 IFACE: tap0
| IP: fe80::250:56ff:fe89:2314 MAC: 00:50:56:89:23:14 IFACE: tap0
| IP: fe80::e8b4:9672:ded0:c0c7 MAC: 00:50:56:89:72:ae IFACE: tap0
| IP: fe80::250:56ff:fe89:4af6 MAC: 00:50:56:89:4a:f6 IFACE: tap0
| IP: fe80::250:56ff:fe89:6d1b MAC: 00:50:56:89:6d:1b IFACE: tap0
| IP: fe80::250:56ff:fe89:78bf MAC: 00:50:56:89:78:bf IFACE: tap0
| IP: fe80::250:56ff:fe89:5275 MAC: 00:50:56:89:52:75 IFACE: tap0
| IP: fe80::250:56ff:fe89:4e65 MAC: 00:50:56:89:4e:65 IFACE: tap0
| IP: fe80::250:56ff:fe89:54bd MAC: 00:50:56:89:54:bd IFACE: tap0
| IP: fe80::250:56ff:fe89:58c4 MAC: 00:50:56:89:58:c4 IFACE: tap0
| IP: fe80::250:56ff:fe89:7ab2 MAC: 00:50:56:89:7a:b2 IFACE: tap0
| IP: fe80::250:56ff:fe89:1645 MAC: 00:50:56:89:16:45 IFACE: tap0
| IP: fe80::250:56ff:fe89:366c MAC: 00:50:56:89:36:6c IFACE: tap0
| IP: fe80::250:56ff:fe89:1d09 MAC: 00:50:56:89:1d:09 IFACE: tap0
|_ Use --script-args=newtargets to add the results as targets
Initiating ARP Ping Scan at 17:38
Scanning 10.11.1.220 [1 port]
Completed ARP Ping Scan at 17:38, 0.18s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:38
Completed Parallel DNS resolution of 1 host. at 17:38, 13.00s elapsed
Initiating SYN Stealth Scan at 17:38
Scanning 10.11.1.220 [1 port]
Completed SYN Stealth Scan at 17:38, 0.12s elapsed (1 total ports)
NSE: Script scanning 10.11.1.220.
Initiating NSE at 17:38
Completed NSE at 17:39, 4.22s elapsed
Initiating NSE at 17:39
Completed NSE at 17:39, 0.00s elapsed
Nmap scan report for 10.11.1.220
Host is up (0.063s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:50:56:89:78:7F (VMware)

Host script results:
|_dns-brute: Can’t guess domain of “10.11.1.220”; use dns-brute.domain script argument.
|_ipidseq: Incremental!
|_path-mtu: PMTU == 1500
| unusual-port:
|_ WARNING: this script depends on Nmap’s service/version detection (-sV)

NSE: Script Post-scanning.
Initiating NSE at 17:39
Completed NSE at 17:39, 0.00s elapsed
Initiating NSE at 17:39
Completed NSE at 17:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 60.21 seconds
Raw packets sent: 10 (3.336KB) | Rcvd: 2 (68B)

Woohh! That's a lot of information to digest. Try it on your own lab machine.

Now let's try the open source OpenVAS vulnerability scanner. (There are other vulnerability scanners such as Nessus, Retina, Nexpose, etc.; use whatever works for you.) OpenVAS is pre-installed in Kali Linux; you just need to initialize the plugins and start the required services.

root@kali:~# openvas-setup
[i] This script synchronizes an NVT collection with the ‘OpenVAS NVT Feed’.
[i] The ‘OpenVAS NVT Feed’ is provided by ‘The OpenVAS Project’.
[i] Online information about this feed: ‘http://www.openvas.org/openvas-nvt-feed.html’.
[i] NVT dir: /var/lib/openvas/plugins

... wait for the OpenVAS initialization to complete ...

I’ve got an error using OpenVAS.

In Debian version 3.18.6.1, I can't start the services; it gives me the error "Your CERT data might be broken now".

In version Debian 4.0, I was able to initialize OpenVAS successfully.

In Kali Linux 4.3.0 (the latest version as of writing this article), I get the error "command not found".

I need to revisit this error and figure out why it is not running in Kali Linux 4.3.0.

OpenVAS is managed through its web interface. Open a web browser and point it to https://127.0.0.1:9392, then log in with the username admin and the auto-generated password shown to you when you initialized OpenVAS.

Play around with OpenVAS; aside from Nmap, this is a cool tool to learn.

How about overflows? You need to understand how to read vulnerable code and how a stack overflow works.

Let's look at a simple program to better understand buffer overflows.

Example vulnerable code, filename vulnerability.c:

#include <stdio.h>
#include <string.h>   /* needed for strcpy() */

int main(int argc, char *argv[])
{
    char buffer[64];  /* 64 bytes reserved on the stack */

    if (argc < 2)
    {
        printf("syntax error\n");
        printf("must supply at least one argument\n");
        return(1);
    }

    /* No length check: an argument longer than 63 bytes plus the
       terminating NUL overflows buffer. This is the bug under discussion. */
    strcpy(buffer, argv[1]);
    return(0);
}

It contains a main function that accepts user input through the command-line arguments argv[]. The code then declares a local buffer 64 bytes long; these 64 bytes of stack memory are reserved for the buffer variable. main then checks whether fewer than 2 arguments were supplied and, if so, prints the usage message; otherwise it calls strcpy, which copies the user's argument into the 64 bytes allocated to the buffer variable.

This program simply accepts user input and stores it in memory. Yes, a very simple program to digest.

So where is the problem? Why is this simple program vulnerable? There is no validation of the user's input. If the user provides 100 bytes of input, strcpy will still copy all 100 bytes into the memory allocated to the buffer variable, even though it only holds 64 bytes. The extra bytes overwrite whatever lies beyond the buffer on the stack, which will simply crash the program.

Compile this program into an executable so you can see what happens if you go beyond 64 bytes of input.

The first command, vuln.exe AAAAAAAAAA [Enter]: nothing happens.


The second command, vuln.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

And the program crashes.

You can use a debugger such as OllyDbg (Olly Debugger) to see what happens during execution.
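As an added example (not code from the original article), here is vulnerability.c with the unchecked strcpy() replaced by a length check; store_argument and try_run_of are helper names chosen for this example. The same 10-byte and 120-byte runs of A's from above are now accepted and rejected respectively, instead of the long one crashing the program.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the article's own code: vulnerability.c with the
 * strcpy() replaced by a bounds-checked copy into the same 64-byte buffer. */
#define BUFFER_SIZE 64

/* Copy src into dst (capacity dstlen) only if it fits together with its
 * terminating NUL. Returns 0 on success, -1 if the input is too long. */
int store_argument(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) {          /* no room for src plus the NUL */
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n + 1 includes the NUL */
    return 0;
}

/* Helper mirroring the article's two runs: a constructed string of count
 * copies of ch stored into a BUFFER_SIZE buffer. Returns store_argument's result. */
int try_run_of(char ch, size_t count)
{
    char input[256];
    char buffer[BUFFER_SIZE];
    if (count >= sizeof(input)) return -1;  /* keep the test input itself in bounds */
    memset(input, ch, count);
    input[count] = '\0';
    return store_argument(buffer, sizeof(buffer), input);
}

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    if (argc < 2) {
        printf("syntax error\n");
        printf("must supply at least one argument\n");
        return 1;
    }
    if (store_argument(buffer, sizeof(buffer), argv[1]) != 0) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUFFER_SIZE - 1);
        return 1;
    }
    return 0;
}
```

Run it with the same two command lines as before: the short one exits 0 and the long one exits 1 with an error message rather than crashing.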

Windows Buffer Overflow Example.

Fuzzing.

Execution – Shellcode Payload … more study time to learn.


Please continue reading other HOWTO articles.



EM @QUE.COM
