Module 5 Labs 1-2

Objective: Extract and research information based on the vulnerabilities discovered in the previous recon stages. This includes finding more information on the following:

  • Network vulnerabilities
  • IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports and services that are listening
  • Application and services configuration errors/vulnerabilities
  • The OS version running on computers or devices
  • Applications installed on computers
  • Accounts with weak passwords
  • Files and folders with weak permissions
  • Default services and applications that may have to be uninstalled
  • Mistakes in the security configuration of common applications
  • Computers exposed to known or publicly reported vulnerabilities

Machines Used:

  • Windows 10
  • Windows Server 2019
  • Parrot OS

Applications/Tools/Database Overview:

  • Vulnerability Databases
    • Common Weakness Enumeration (CWE)
    • Common Vulnerabilities and Exposures (CVE)
    • National Vulnerability Database (NVD)
  • Vulnerability Assessment Tools
    • OpenVAS
    • Nessus
    • GFI LANGuard
    • Nikto

Applications/Tools/Databases Used:

Vulnerability Databases

Overview: There is a wide variety of searchable databases that can provide you with information on flaws that have already been found, cataloged, and scored. This information includes the version of the affected software/hardware and how it was exploited. 

Name: Common Weakness Enumeration (CWE)

Objective: Perform Vulnerability Research in Common Weakness Enumeration (CWE)

Function: Similar to the OWASP Top 10, this is a website that highlights and categorizes the most common software and hardware weaknesses. It provides background information, consequences, likelihood of exploitation, and even examples of how each weakness is exploited.

Website: https://cwe.mitre.org

Results: A good place to research the most current techniques that hackers are using. 

Name: Common Vulnerabilities and Exposures (CVE)

Objective: Perform Vulnerability Research in Common Vulnerabilities and Exposures (CVE)

Function: An accessible and searchable database that provides organization and exchange of information. It is free to use and allows security researchers to share information on found vulnerabilities. 

Website: https://cve.mitre.org/

Results: Provides an easy-to-use structure for searching known vulnerabilities; each entry is identified in the format CVE-<Year>-<XXXXX>.

Name: National Vulnerability Database (NVD)

Objective: Perform Vulnerability Research in National Vulnerability Database (NVD)

Function: A government-run repository of vulnerability management data that catalogues vulnerabilities and applies a base score ranking. It provides the CVE number along with the description, severity, and references for the vulnerability. The site also includes security checklists and common misconfigurations to help security professionals.

Website: https://nvd.nist.gov/

Results: Upon searching for a CVE you receive a score; looking into the score details, you can see how severe an impact the vulnerability has on the affected system. The higher the score, the easier it is to exploit and the greater the impact it will have on the system. You can narrow your search down to a single specific service; the lab here uses the example of searching for “smb”.

Vulnerability Assessment Tools

Overview: Use assessment tools to map your network and identify any weaknesses or vulnerabilities. 

Name: OpenVAS

Objective: Perform Vulnerability Analysis using OpenVAS

Function: The OpenVAS scanner combines several tools and services that perform a vulnerability scan and let you manage it from a GUI dashboard. It supports unauthenticated and authenticated testing, a range of high-level and low-level Internet and industrial protocols, and performance tuning for large-scale scans, giving a high-level overview of where you need to tighten up your controls.

Commands and Options: Simply start the OpenVAS service and navigate to the dashboard in your web browser (the default address is https://127.0.0.1:9392). From there you can run an automated scan of your network; the results are displayed with the vulnerability name and its CVSS rating.

Results: The report that is generated from the scan is linked to the several vulnerability databases previously mentioned. This scan is easily performed and the results give you details on how to better secure your system.

Name: Nessus

Objective: Perform Vulnerability Scanning using Nessus

Function: Another scanning tool; however, Nessus can also be used for compliance assessments and configuration management.

Commands and Options: Like OpenVAS, you navigate to the browser-based GUI, which listens on localhost port 8834. From there you are presented with a dashboard where you can write policies and test the network against the policy you just wrote. Nessus also provides other services such as malware scanning and analysis, as well as some web application testing tools.

Results: A more robust scan than OpenVAS; Nessus provides many features to tailor your scan to the environment you are in. It also formats the scan into a professional-looking template that can be presented to C-suites and executives. The scan in the lab highlighted SNMP vulnerabilities found in the network and gave remedies for fixing the issue.

Name: GFI LANGuard

Objective: Perform Vulnerability Scanning using GFI LanGuard

Function: A network auditing, patch management and vulnerability scanning tool that is designed to assess the security of the network. 

Commands and Options: GUI based; once launched from the executable, you input the desired IP address or range and select scan.

Results: A rather frustrating experience: from getting the key for a 30-day trial to the actual scan taking over an hour, this was the weakest scanning tool in the labs. It does provide similar results to the previous tools; however, I found the interface clunky and dated. The interface is busy and cluttered, and I found navigating it rather difficult.

Name: Nikto

Objective: Perform Web Servers and Applications Vulnerability Scanning using CGI Scanner Nikto

Function: Nikto is an Open Source web server scanner that finds potential problems and security vulnerabilities including:

  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs

Website: https://cirt.net/nikto2-docs/

Commands and Options:

Basic Syntax

  • nikto <options>

Basic Scan

  • nikto -h 192.168.0.1

Options While Scan is Taking Place

  • SPACE – Report current scan status
  • v – Turn verbose mode on/off
  • d – Turn debug mode on/off
  • e – Turn error reporting on/off
  • p – Turn progress reporting on/off
  • r – Turn redirect display on/off
  • c – Turn cookie display on/off
  • o – Turn OK display on/off
  • a – Turn auth display on/off
  • q – Quit
  • N – Next host
  • P – Pause

A Brief Synopsis of Options

Featured Options as Presented in the Lab

  • Tuning – A tuning scan can be used to decrease the number of tests performed against a target. By specifying which test categories to include or exclude, faster and more focused testing can be completed. This is useful in situations where certain categories of test, such as the XSS checks or simply the “interesting” files checks, are not wanted.
  • Cgidirs – Scans the specified CGI directories; users can pass “none” or “all” to scan no CGI directories or all of them.

Results: Scanning a web server with Nikto results in a list of possible lines of attack, running services, and misconfigurations. Unfortunately, the lab does not go into any detail on what the output actually means. This tool could equally be featured in the enumeration stage, as that is essentially what it does; it is also worth noting that it provides full support for integration with Nessus.

Precautions: Using the websites for vulnerability searching is perfectly legal and highly recommended. When using the other tools it is important to choose the right intensity of scan: some of the scan methods are pretty aggressive and could slow down or even cripple a network. Nikto is designed specifically for web servers, so be sure to only use it on ones you have permission to scan.

Countermeasures/Mitigation: I think all of these tools are essentially counter and mitigation tools. An important note is that it often falls on the security professional to keep up to date with the emerging threats, and it is their responsibility to check these websites daily and conduct the scans regularly. 

Personal Reflection: The websites and tools featured are really powerful resources to use when analyzing the vulnerabilities on a network. The only real issue was with the GFI LanGuard but other than that I think it was a positive exercise. I think that there could have been some more time spent with the tools and how to actually analyze the results rather than just scanning a super insecure server where it lights up like a Christmas tree. One tool I think is missing from here is searchsploit. It is a metasploit module that provides the functionality of searching through all of the provided databases and then gives you the exploit path to follow if you happen to find something that is vulnerable.

Works Cited (MLA):

EC-Council. Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volumes 1 through 4). International Council of E-Commerce Consultants (EC Council), 2020. [VitalSource Bookshelf].
