Objectives
-To learn about more advanced network security and vulnerability scanning tools
Lab Outcome:
· To complete the lab procedures & correctly answer the questions in the Blackboard quiz.
Lab Deliverables
· Answer the Blackboard quiz
· Pay attention to the quiz due date.
· Some of the lab exercises can be performed outside the lab. However, be sure to adjust your answers to "pretend" you are in the lab.
Background information:
The capabilities and tools you will be using in this lab should not be used either on the Algonquin Corporate network or any other network connection without explicit authorization from the network administrator. Otherwise, you risk being mistaken for an attacker on that network!!
Procedure:
N.B.: The procedures in this lab must be completed on the RED network segment ONLY (172.16.*.*). Makes sure the BLUE network is disabled except when you need to be connected to update or download software.
- DO NOT TRY THESE EXPLOITS ON ANY COMPUTER OR NETWORK WITHOUT EXPLICIT PERMISSION FROM THE OWNER OF THE COMPUTER / NETWORK.
- DO NOT ATTEMPT TO RUN ANY ATTACKS ON ANY COMPUTER OUTSIDE OF THE LAB.
- Any attempts to run these tools on a 10.50.*.* segment will result in loss of lab privileges, lockout or loss of your Algonquin account... or potentially greater consequences with legal ramifications.
Follow these procedures carefully. If at any time you are unsure or are having problems, re-read the instructions. If you are not getting expected results, re-read the instructions!
.: If you feel the need to use screen captures to help answer the questions, that's entirely acceptable. Just make sure they're readable and that the screen captures are included in your submission document.
1. Setup
› You should have both a Windows 7 VM AND Kali VM running
On the same VMNet and able to communicate/connect to each other.
› N.B.: Screenshots are okay to answer all the questions in this lab, but you will have to annotate or foot-note some parts of it to actually answer the question(s) properly.
2. Vulnerability Scans
› The biggest problem with Nmap is that, although it does identify where potential vulnerabilities might exist (i.e. open ports), it does so only in a limited fashion.
• As an example, if Nmap sees that port 21 is opened, it doesn't verify what service is actually running on that port - it simply reports that port 21 is open for service.
› But it does have some capabilities beyond what you have seen to help identify vulnerabilities.
• Run the command nmap --script-updatedb to ensure the NSE scripts are updated. You must have internet connectivity. You can disable the BLUE network for the scans.
- That's a double dash before script [always]
• Next, run the command nmap --script vuln --script-args vulns.showall against your Windows target VM
- Make sure all firewalls are off for all target scans
- This will let NMap scan that VM / IP for potential known vulnerabilities
-If you REALLY want to, you can run the GUI ZenMap front end for Nmap.
• You can read more about the NSE scripting engine at and what scripts are available to use
- Try using other vulnerability related NSE scripts for NMap to see what it finds
Q1. For the Windows target, what vulnerabilities/issues/warnings did NMap find?
• Run the same command(s) against your Kali/Linux VM
Q2. For the Linux target, what vulnerabilities/issues/warnings did NMap find?
› Now, since we found that port 445 was open on the Windows box, and that relates to SMB, we can try an additional scan with Nmap toward the Windows VM. Your Windows machine should be unpatched.
• nmap --script smb-os-discovery.nse -p445
Q3. Did NMap find anything interesting/new on the Windows VM?
3. Vulnerability Scanning Tools
› N.B.: If you are experiencing performance problems with VMware, consider increasing the memory associated with your VM.
› You will have to switch between the BLUE network VMNet (for downloads/installs) and the RED
network VMNet (for doing actual scans) in this section.
› Other tools, such as Nessus, OpenVAS, NexPose, GFI Languard, etc... are designed specifically as vulnerability scanners.
• They are designed to dig a little deeper into the vulnerability information. Rather than simply scanning the ports, with appropriate options, they will attempt to connect to the ports and identify the service running behind it as best it can. It will also report back, based on a database of known vulnerabilities, what the security issue might be and, if available, how to fix it or where to go to find out.
› Nessus is a client-server tool. That means you need a Nessus server up and running, and then use the Nessus client to connect to it and direct it to scan a 3rd system.
• Just be aware that, when scanning a system with a firewall installed, Nessus will trigger responses from the firewall.
› Nessus is available for Windows OR Linux
• We are installing it in your Windows 7 VM (or Windows 8, etc) for simplicity's sake - not the host O/S.
You'll then be scanning from that VM to other VMs.
- I'm not telling you that you CAN'T install it under Kali, just that it's more complicated. It's based on installing a .deb package under Kali - several good reference pages on how to do it online.
- You'll then receive an e-mail with the activation code
- Be careful to pick the right one - right Windows O/S and 32 or 64-bit....
• Run the downloaded app and follow the installation instructions onscreen.
› Once the install is completed, a browser will open to continue configuring the application.
• Starts with a welcome screen - just click on continue.
• Then you will be prompted to create a new user for Nessus, along with a password
• Next, you`ll need your activation code (you do already have an activation code, right?) you received in the "Activation code" area and click "Continue"
• It will then start downloading the plug-ins.
- May take a long time to register and download the plugins - patience
• Once this worked, the Nessus Server login page will be displayed... login with your user
› Run Nessus against a Windows and Linux VM's IP (your own or a lab partner's).
• Don't run the scan against the same VM on which you're running the Nessus server.
Must be a separate VM or machine to work best.
• Just do one scan at a time
- Run more than one scan and you're going to slow the process down and potentially crash.
• You need to first create a scan policy - a set of rules on how you want Nessus to behave
- In the Nessus client windows (i.e. browser), select "Policies" at the top of the window
- Then select "+New Policy" to create a scan policy
- Select "Basic Network Scan" from the the templates
-Start by giving your new policy a name - e.g. CST8230-Lab3
-You can explore and change any of the settings in the template using the menu options on the left. However, for our purposes, the default settings are fine.
-Click on "Save" to save your new policy template
• Now, you can setup a scan against the target system
- select "Scans" at the top of the window
- select "+New Scan" to create a new scan
- select "User" to see your user-defined policy template
- Give the scan a name - e.g. name of machine you're about to scan
- Select the folder where the scan results are to be stored
- Type in the IP of the host(s) you're going to scan in the Targets area
- Finally, click on "Launch" at the bottom (click on the arrow beside Save) to start the scan
-You'll be sent back to the main window while the scan runs
-You should see your scan in progress as indicated by the rotating arrows
- You can view the scan progress at any time by double clicking on it
-Nessus allows you to view what it's found so far
• Once the scan is completed, simply double-click on the scan to see the scan report
- If the scan report is empty or has minimal information, it may have to do with a firewall blocking the scans. Turn off any firewalls!
- You may also have to play with the options a bit to obtain the proper results you'll need
› Use the information discovered using various Nessus commands to answer the questions below.
Q4. Scanning the Windows target, what vulnerabilities/issues/warnings did Nessus find?
(list 3-5 of the most important items)
Q5. Scanning the Linux target, what vulnerabilities/issues/warnings did Nessus find?
(list 3-5 relevant items)
Q6. Based on what you've just observed, compare/contrast the major advantages of Nessus over Nmap. (Please, don't just repeat what was said in the lab... think, analyze, research, report.)
Q7. Based on your results from Nessus, do you think that you can conclude that Linux is in general more secure than Windows? (remember distinction between O/S and services) Justify your answer.
4. Network Vulnerability Scanning using OpenVAS
› Rerun the vulnerability scans with Nessus above using OpenVAS for comparison.
• N.B.: OpenVAS is available for install in Kali...
- root@kali:~# apt-get install openvas
-Assumes you have access to the BLUE network to download
-Will take a few minutes to install everything...
- root@kali:~# openvas-setup
-Pay special attention to any errors or warning...
Will take a while, as it has to do the initial download of preset rules & database
- root@kali:~# openvas-check-setup
-Pay special attention to any errors or warning... and follow the instructions
-You may have to generate keys and/or other items, depending on the install
- root@kali:~# openvasmd --create-user=[name] --role=Admin
-You need to use double dashes before openvasmd options... The [name] is whatever user name you wish to use for OpenVAS
- root@kali:~# openvasmd --user=[name] --new-password=[password]
-Remember this password !!
• You should now be able to connect to OpenVAS with your browser using https://127.0.0.1:9391 and the user/password you setup above
• From here, you can browse thru the menus, click on the purple wand at the top left to start the scanning wizard... or simply type in an IP you wish to do a simple scan on at the front page.
› Compare the results from OpenVAS (or whatever tool you select) to the results that NMap and
Nessus displayed previously.
. Did this new tool give you the same vulnerability results? Explain why.
. What new/different information, when compared to previous tools, did this new tool present?
› Don't be afraid to research and try other VA tools for comparison...
5. Network Vulnerability Scanning using GFI LANGuard
› One other tool that takes from both NMap and Nessus capabilities is GFI's LANGuard.
• Latest version is available
› LANGuard is a vulnerability management solution designed to scan, report and potentially mitigate security vulnerabilities.
• Most of the most common features/scan types from NMap are available
• Like Nessus, LANGuard can do a suite of vulnerability scans against local or remote systems
› However, it's the approach that LANGuard takes to accomplish these tasks that sets it apart.
The GUI interface is designed to guide administrators through the process with ease...
LANGuard also boasts a suite of network tools (e.g. DNS Lookup, Whois, System Enumeration, etc) to help admins figure out what's going on with the network in the same software.
› Download and install the Freeware edition of GFI LANGuard on your Windows VM
• download a 30-day trial version with full capabilities, after which it will default to a freeware version.
› Start GFI LANGuard
• The Network Audit tab is where you do Security Scans
• Click on the Scan submenu in the Network Audit tab
› Okay, let's start small - run a Scan against an Windows VM
• N.B. GFI LANGuard relies on the Remote Registry service on the target VM for some functions. If you have Simple File Sharing turned on for the target, GFI LANGuard will fail to connect to this service. So turn it off.
› Once the scan is completed, you'll get a result screen with:
• Audit Operations done
• Network Vulnerability Level in a nice color coded bar
• # of Missing Security Updates
• # of Other Vulnerabilities
• # of Installed Applications (if possible)
• # of Open Ports (if any)
› To find out more about the specific behind these results, you need to Analyze them
• Click on the Analyze tab at the top or "Analyze scan results" link at the bottom
› From the Scan Result screen, you'll see 2 screens
• Scan Result Overview on the left
• Scan Result Details on the right
› In the Overview screen, you should see the system you scanned listed.
You'll notice a "+" sign beside the system IP/name - click on it to open it up, if it isn't already.
• This allows you to access the scan result categories
› Open each category, again using the "+" symbol, to list the specific issues found by LANGuard
• As you click on each issue/warning, the right-hand window will give you the associated details, along with link(s) and/or remediation info on how to fix the problem
Q10. List all of the issues that LANGuard found on the system you scanned.
› The next stage, is to remediate (i.e. fix/solve) the problem.
• Neither NMap or Nessus do this.
But they do NOT give you a chance to fix the problem from within the software!
• In LANGuard, click on the Remediate tab at the top.
The software will list any patches it knows about - specifically, MS patches
- The software doesn't do remediation for Linux very well.
But it does vulnerability scans against *NIX boxes rather well
› LANGuard does have other neat features
• Dashboard tab allows you to access the information for all the scans you've run
• Configuration tab allows you to configure LANGuard capabilities to suit your needs
• Utilities tab gives you access to the network utilities (e.g. DNS Lookup, Whois, System Enumeration, etc)
› Now, run a Full Scan against the same machine
• File menu -> New -> Scan
• Select the Full Scan link and follow the same process as before
Q11. What, if any, were the differences in the scan results from the first scan?
› Next, try the scan processes with a Linux VM to see what the differences are.
6. And now, for something completely different...
› Up to now, you've been enumerating (listing) individual workstations, and trying to find information from each one by doing port and vulnerability scans. But there is more information available, if you know how to look for it...
• There are automation tools / add-ons that allow for running preset templates and/or schduled scans on your network - one good example is Seccubus
› However, there is key information on the O/S that may be of great help - the user account information. Other tools allows you to poke around at information about accounts on the system.
• These are pure Windows tools, so pick one of your Windows VM or host to install these in.
• Start by downloading the sid.zip
- Browser may complain about insecure site and/or file - ignore it
- The ZIP file contains 2 utilities: user2sid and sid2user
› Next, pick either your Windows VM you want to run this against or a lab partner's - take note of the IP. You can run this against the VM you're installing it into, if over the network fails.
› Now, let's ensure we have the most access possible.
• net use \\\IPC$ "" /user:""
N.B.: target-ip is the IP of the target you're trying to enumerate This sets up access to the PC, assuming the command works Watch the spaces and quotes - mistakes will generate errors.
› Lastly, let's try and enumerate information about one of the users on that machine.
• You're going to have to either know an account (not the admin account, but a guest or other user account) on that machine OR guess
• It is possible you may have to activate the guest account on Windows to be able to use it.
• N.B.: If user2sid doesn't work with a remote system for whatever reason, don't waste time - simply run it against the VM it is installed in.
• user2sid \\ username [no quotes!]
Q12. List the results of the above user2sid command
› Now with the account information, let's back track the user account info on the same system.
• The first line of information above should look something like this:
S-1-5-21-160-7980884-492894322-1202660629-501
• Run this command: sid2user \\ 5 21 160 7980884 492894322 1202660629 501 N.B.: replace the values above with the ones YOU obtained without the first 2 characters and no dashes! LOOK closely at what you typed before running.
Q13. List the results of the above sid2user command
› Okay, so now we know as much as we can about that account. However, notice the last 3 digits - this is the user ID on the system. In the example above, the value was 501.
So, with a little reasoning and research, you would find that user accounts, in MS O/S and Linux, tend to have a UID of 500+ ... which means that UID 500 is typically the Admin account!
• sid2user \\ 5 21 160 7980884 492894322 1202660629 500
N.B.: again, replace the values above with the ones YOU obtained EXCEPT for the 500
Q14. So, what is the account name and information associated to the UID 500?
7. Using DumpSec
› Yet another tool for Windows account and system enumeration is DumpSec, designed to access the Windows SAM files and registry on a local or remote system.
› Run DumpSec
• Select Report -> Select Computer and enter the IP of the target system (same as above)
• N.B.: If DumpSec doesn't work with a remote system for whatever reason, don't waste time - simply run it against the VM it's installed in.
• Once this returns back to the DumpSec screen without an error, select Report from the menu at the top, and choose the specific report you wish to extract from the results obtained.
- Try a few of them to see what DumpSec found out about the system Q15. Did DumpSec find out more information than previous tools?
If so, what information specifically?
Attachment:- Lab.rar