
4. Vulnerability Analysis

Thibault edited this page Mar 31, 2021 · 2 revisions

Vulnerability analysis is a testing process that involves identifying, measuring, prioritizing, and ranking the system for vulnerabilities. The process either consists of manual or automated approaches with differing degrees of precision and complete coverage. The end goal is to protect systems from unauthorized access and data breaches.

Source: https://blog.eccouncil.org/4-steps-to-a-successful-vulnerability-analysis/

Let's start with Nmap scripts (NSE) for our vulnerability analysis; the official documentation is available at https://nmap.org/nsedoc/.

Depending on your needs you can run each script independently. Nmap resolves script names against its own scripts directory, so the cd below only serves to browse what is available (the .nse extension is optional on the command line):

$ cd /usr/share/nmap/scripts
$ sudo nmap --script firewall-bypass.nse 10.0.2.15

Or launch several of them at once by category (for example exploit, vuln, intrusive or safe). Keep in mind that the exploit, dos and intrusive categories actively try to trigger what they test for: the smb-vuln-regsvc-dos result below states that the script crashes the service when it is vulnerable, so only run these categories against lab targets you are allowed to break:

$ sudo nmap --script exploit 10.0.2.15
...
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   open   http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.0.2.15
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.0.2.15:80/payroll_app.php
|     Form id:
|     Form action:
|
|     Path: http://10.0.2.15:80/chat/
|     Form id: name
|     Form action: index.php
|
|     Path: http://10.0.2.15:80/drupal/
|     Form id: user-login-form
|_    Form action: /drupal/?q=node&destination=node
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.0.2.15
|   Found the following indications of potential DOM based XSS:
|
|     Source: eval("document.location.href = '"+b+"pos="+a.options[a.selectedIndex].value+"'")
|_    Pages: http://10.0.2.15:80/phpmyadmin/js/functions.js?ts=1365422810
| http-fileupload-exploiter:
|
|_    Couldn't find a file-type field.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
445/tcp  open   microsoft-ds
631/tcp  open   ipp
3000/tcp closed ppp
3306/tcp open   mysql
8080/tcp open   http-proxy
8181/tcp closed intermapper
MAC Address: 08:00:27:42:51:79 (Oracle VirtualBox virtual NIC)

Host script results:
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_

Nmap done: 1 IP address (1 host up) scanned in 26.74 seconds

SearchSploit - Exploit Database Archive Search

This tool searches the local Exploit Database mirror for exploits matching the service versions found during the scan; the Common Vulnerabilities and Exposures website and the Google search engine complement it when a version has no entry there.

$ searchsploit ProFTPD 1.3.5
-------------------------------------------------------------- ---------------------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)     | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution           | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                     | linux/remote/36742.txt
-------------------------------------------------------------- ---------------------------------

To display its content, simply run these commands (searchsploit -p 37262 prints the same path, and searchsploit -x 37262 opens the file directly):

$ locate 37262.rb
/usr/share/exploitdb/exploits/linux/remote/37262.rb
$ vim /usr/share/exploitdb/exploits/linux/remote/37262.rb

This file is part of the Metasploit Framework, which we'll cover in the next chapter 😉

$ searchsploit UnrealIRCd linux
-------------------------------------------------------------- ---------------------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)  | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow       | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                     | windows/dos/27407.pl
-------------------------------------------------------------- ---------------------------------
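The two steps above (read the service versions and NSE results from the scan, then query SearchSploit for each version) are easy to chain. The following is an added example written for this page, not code from the workshop or from the Nmap or SearchSploit projects. It assumes the scan was saved as XML with nmap -sV --script vuln -oX scan.xml 10.0.2.15, and the XML embedded below is constructed by hand in that shape rather than captured from the lab host. The table keys are invented; real vuln scripts use the vulnerability title as the key, and NOT VULNERABLE entries are only emitted when --script-args vulns.showall=1 is set.

```python
"""Pivot from an Nmap XML scan to SearchSploit queries.

Added example for this page (not the workshop's own code): it reads the XML
that `nmap -sV --script vuln -oX scan.xml 10.0.2.15` would write, lists every
open port's fingerprinted product/version, flags NSE scripts whose structured
output says VULNERABLE, and prints the searchsploit commands to run next.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV --script vuln -oX` output.
# Hand-written for this example; it is not a real capture of the lab host.
# The <table key="..."> names are placeholders (real scripts use the vuln title).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX scan.xml 10.0.2.15">
  <host>
    <address addr="10.0.2.15" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.5"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
        <script id="http-csrf" output="Spidering limited to: maxdepth=3; maxpagecount=20"/>
      </port>
      <port protocol="tcp" portid="3000">
        <state state="closed"/>
        <service name="ppp"/>
      </port>
      <port protocol="tcp" portid="6667">
        <state state="open"/>
        <service name="irc" product="UnrealIRCd"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-vuln-regsvc-dos" output="VULNERABLE: regsvc denial of service">
        <table key="regsvc-dos">
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="NOT VULNERABLE">
        <table key="ms10-054">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per open port: port, proto, name, product, version."""
    root = ET.fromstring(xml_text)
    services = []
    for port in root.iterfind("./host/ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports have nothing to look up
        svc = port.find("service")
        get = svc.get if svc is not None else (lambda key, default="": default)
        services.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "name": get("name", ""),
            "product": get("product", ""),
            "version": get("version", ""),
        })
    return services


def searchsploit_queries(services):
    """Build `searchsploit <product> <version>` lines; skip unfingerprinted ports."""
    queries = []
    for s in services:
        terms = [t for t in (s["product"], s["version"]) if t]
        if not terms:
            continue  # no product string: nothing sensible to search for
        # shlex.quote keeps multi-word products such as "Apache httpd" as one term
        queries.append(" ".join(shlex.quote(t) for t in ["searchsploit", *terms]))
    return queries


def vulnerable_scripts(xml_text):
    """Return (script id, state) for NSE scripts whose structured output is VULNERABLE."""
    root = ET.fromstring(xml_text)
    hits = []
    for script in root.iter("script"):  # both port scripts and host scripts
        for elem in script.iterfind(".//elem[@key='state']"):
            state = (elem.text or "").strip()
            # matches VULNERABLE, VULNERABLE (DoS), LIKELY VULNERABLE; not NOT VULNERABLE
            if state.upper().startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                hits.append((script.get("id"), state))
    return hits


def main():
    services = parse_services(SAMPLE_XML)
    for s in services:
        print(f"{s['port']}/{s['proto']} {s['name']}: {s['product']} {s['version']}".rstrip())
    for script_id, state in vulnerable_scripts(SAMPLE_XML):
        print(f"NSE {script_id}: {state}")
    print("\n".join(searchsploit_queries(services)))


if __name__ == "__main__":
    main()
```

In practice searchsploit --nmap scan.xml performs this pivot by itself from the same XML file; the script above is useful when you want the queries, the vulnerable NSE findings and the open ports in one place for a report.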

Nessus Essentials Vulnerability Scanner

Since the installation process is rather long (~30 min) and requires creating an account, let's skip it here. It's just important to know that this kind of all-in-one scanner exists and is very useful on complex business networks.

For those who still want to try it at the end of the workshop, the program can be downloaded from https://www.tenable.com/downloads/nessus and installed with the command:

$ sudo dpkg -i Nessus-8.13.1-debian6_amd64.deb
(Screenshot, 2021-03-08 19:29:37)
