Fluent Essays

CYBR525, Ethical Hacking and Response Week 6 Lab – Vulnerability Scanning The lab for this week has two parts. In part one you will scan the Woeson Books clients for vulnerabilities. In part two you will research those vulnerabilities and report on what you find. Part 1: Scanning with OpenVas (25 points) To start openvas use the ‘Applications’ drop down menu. Go to the ‘Vulnerability Analysis’ section and click ‘openvas start.’ Your menu may clip the right side of the menu. Choose the second one as show below. You system will launch a terminal window and state that it is ‘Starting OpenVas Services.’ When you terminal returns to a command prompt you are ready to continue. You will interact with the openvas scanner through your Firefox Browser. Start Firefox by clicking on the top tile on the left tile bar, right above the tile you use to start a terminal. Once Firefox launches go to https://127.0.0.1:9392. You will be greeted by the Greenbone Security Assistant login screen. Your username will be admin and your password is the same as your password for Kali sighburrS2S Once you have logged in you will be presented with the dashboard for openvas scans. At present you have no scans so you are viewing the number of CVEs contained in the openvas database. Look through the menus to see some of the capabilities of the Greenbone Security Assistant and the openvas scanner. The website for openvas is linked in your course readings for this week, it’s a great place to find documentation. When you are ready to start scanning use the ‘Scans’ menu and select ‘tasks.’ You will be presented with the scan task dashboard which is empty at present. Click the new scan wizard, indicated in the image below, to configure a scan. When the menu appears select the ‘task wizard’ menu choice. The second option, ‘Advanced Task Wizard’ allows you to change the type of scan, identify multiple IPs, schedule a scan in the future, and do credentialed scans. Credentialed scans will give more accurate results however as of yet you don’t have credentials for the target systems so you are limited to non-credentialed scans. Feel free to explore the Advanced Task Wizard and try out its features but for this lab all that is required is the basic ‘task wizard’ option. Replace the highlighted IP address with the IP you wish to scan. As you are scanning the Woeson network you have seen the network address is 192.168.25. and the last tuple (the question marks in the above image) should be replaced with the host you are going to scan. You will want to conduct scans of all the systems on the Woeson network. Remember these are the systems you found in your nmap scans that have IPs in the range 192.168.25.1-100. Above that range are student systems. For your first tries I recommend scanning one system at a time. You will be able to access all the reports even if the systems are scanned individually. Once the scan task is complete you will be returned to the dashboard which at present isn’t very interesting as it is showing just your one scan task. If you had multiple tasks (also, remember a task could be a scan of multiple systems) the dashboard would show how many tasks were complete, scheduled, severity, etc. By clicking on the name of the task (underlined in blue) at the lower left of the screen you will be taken to the details screen for that particular task. From the detail screen click the results number as indicated in the image above. This is the number of findings in this particular task. The next screen will be the results dashboard along the top showing several results categorized by severity and CVSS number. Along the bottom will be a table with the vulnerabilities found. The columns provide the following information: Vulnerability: The name of the vulnerability. Clicking on it will provide more information. This is where you will need to look for the information to complete Part 2 of the lab. Solution type (puzzle piece): If a patch, work around, or mitigation exists it MAY be indicated here. There may be other mitigations or work arounds you can find. Severity: How bad is it, scale of 1 – 10. This is the CVSS score. QoD: Quality of Detection. The closer to 100 the less chance of a false positive. Host: Which host was the vulnerability found on. Remember a task can scan multiple hosts. Clicking on the host IP can provide some additional enumeration information. Location: Where was the vulnerability detected on the host. Created: When was the scan done. Complete scans on the Woeson assets. Once complete provide a screen shot of your task dashboard showing the completed scans. It’s the screen that looks like the below but should show all your scanning tasks complete. Be sure your scans and scan titles reflect your targets. Only indicating you scanned every address in the Woeson range will not receive full points. At this stage you know what your targets are. Part 2: Vulnerability Research (25 points) For this part of your lab you will list the vulnerabilities you found across all hosts which are rated as high (ignore the medium and low), and research them through the Open VAS, CVE, and NVD databases on your system and on the web. As shown in part 1, your scan task dashboard will show at the bottom of the screen a list of all scan tasks. Below you will see one task, an immediate scan of 10.19.99.211. Your screen would show appropriate IP addresses for the Woeson network. By clicking on the name of the scan task you will be brought to the scan summary page. At the bottom of this screen you will see a link with the number of results (findings) on this scan. Click that number to go to the summary page for findings in that scan. At the bottom of the screen is a list of the vulnerabilities found in that scan. Remember, depending on how you did the scan task your results could show multiple hosts. Clicking on a vulnerability in the list will take you to the summary page for that vulnerability. Across the top of the screen will be the title of the vulnerability, the severity (CVSS Score followed by a Low/Medium/High assessment) and other related information. At the bottom of the screen under the references section is a link to information on the applicable CVE. The link itself is the CVE number. By clicking the CVE link you will be taken to the CVE summary page for that vulnerability. Other options for finding information on the vulnerability are under the SecInfo menu at the top of the screen. This is information that openvas downloads from external information sources. You can also go directly to the source and check the CVE (cve.mitre.org) and NVD (nvd.nist.gov) web sites. Searching by the CVE number will provide applicable information. You will need to access these websites from outside the toxic lab as the toxic lab does not have internet access. Using the information in openvas and the CVE and NVD databases research the vulnerabilities you have found. Complete the table below based on your research. Host(s) IP CVE or other Identifier Severity CVSS Score (if Available) Vulnerability Name/Description 192.168.25.40-45 CVE-2017-3119 High 8.8 Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and earlier, 2015.006.30306 and earlier, and 11.0.20 and earlier has an exploitable memory corruption vulnerability in Acrobat/Reader 11.0.19 engine. Successful exploitation could lead to arbitrary code execution. The first line in the table is an example, information is fictitious. Delete it before submission. Add lines to table as needed. cybr_525___programming_exercise_1_.docx cybr525_week_6_lab_1_.docx Unformatted Attachment Preview CYBR 525 – Week 5 Assignment Name: Instructions: Complete one of the exercises below. PowerShell Exercise Note: You need to complete this exercise on a Windows system. 1. Read the Microsoft PowerShell Tutorial found in the weekly assignments. 2. Run PowerShell console. Review the following commands and run them from the console. If the command scrolls, you can use ‘| more’ to restrict the output to one page at a time. Under each command, include a screenshot and an explanation of what information is provided by the command. a. Get-Help b. Get-Command c. Get-Host d. Alias e. Get-ChildItem env: f. echo Hello $env:username 3. Redirecting output to a file is a method of saving information provided by a shell command. There are two methods to do this in PowerShell: • Use the Out-File cmdlet as in ‘ | Out-File C:\filename.txt’ Bellevue University CYBR 525 1 • To overwrite a file use ‘ > filename ’. To append to an existing file use ‘ >> filename ’. Re-run the ‘ Get-ChildItem env: ‘ cmdlet and output to a file. Show the results below and explain the benefit as part of system testing. 4. Run PowerShell ISE. Create a script that does the following: a. Starts with a comment explaining the script. Include your name, class and date. b. Print a line greeting the user. To do this, you can use the following command: echo Hello $env:username c. Outputs the system information to a file in your home folder. Get-ChildItem env: > $HOME\systeminfo.txt d. Output all of the users on the PC to a file in your home folder. Get-WmiObject –Class Win32_UserAccount | Out-File $HOME\UserAccounts.txt e. Include one additional PowerShell command of your choice. Include a description of the command in your explanation. f. Show the history of all the commands you have typed. Save your script in your home folder and run it. Confirm it completes successfully. Include your script with this exercise. Provide an explanation of your script and the output it provides. Include how it could be used by system testers. Bellevue University CYBR 525 2 PERL Exercise The instructions are for Windows, but it can be completed on Linux as well. 1. Complete Activity 7-4, pages 178-179 in your textbook. a. You can Kali Linux as presented in the exercise or your chosen Linux distribution and editor of choice. b. If you need more information about programming in Perl, refer to the online book by Simon Cozens, Beginning Perl available at http://www.perl.org/books/beginning-perl/. Once you get the initial program running, copy and paste the output here: 2. Complete Activity 7-6, pages 190-194. For this exercise you will be using activeperl in Windows. You can either install activeperl on your own system following the directions in the book or use the virtual environment which has activeperl already installed. If you use the virtual environment you can start on step 10. Regardless of the step you start on don’t go past step 18. Once you have the program running, select an additional Win32 API function from the table of page 189. Copy and paste the output here: 3. Explain in 2-3 paragraphs how PERL could be used by security penetration testers. Include at least two examples. 4. Based on your experience with PERL, what would be the minimum functions you’d include to get the most useful information about the system upon which this script would be run? Bellevue University CYBR 525 3 Linux Bash Shell Exercise Note: You will need to run a Linux Operating System in a virtual environment in order to complete this exercise. 1. Read the Linux Bash shell scripting Tutorials found in the weekly assignments. 2. Start a Linux operating system of your choice (Ubuntu, Fedora, CentOS, Linux MINT, etc.). Review the following commands and run them from the terminal. If the command scrolls, you can use ‘| more’ to restrict the output to one page at a time. Under each command, include a screenshot and an explanation of what information is provided by the command. a. man man b. man -? c. uname -a d. Alias e. env f. cat /etc/passwd g. ls -la h. echo Hello $USER Bellevue University CYBR 525 4 3. Redirecting output to a file is a method of saving information provided by a shell command. To overwrite a file use ‘ > filename ’. To append to an existing file use ‘ >> filename ’. Re-run the ‘env‘ command and output to a file. Show the results below and explain the benefit as part of system testing. 4. Explain the differences between the following methods of viewing / editing files: more, less, cat, gedit, and vi. 5. Create a shell script that does the following: a. Starts with a comment explaining the script. Include your name, class and date. b. Print a line greeting the user. To do this, you can use the following command: echo Hello $USER c. Outputs the system information to a file in your home folder. env > $HOME/systeminfo.txt d. Output all of the users on the PC to a file in your home folder. cat /etc/passwd > $HOME/UserAccounts.txt e. Include one additional shell command of your choice. Include a description of the command in your explanation. Save your script in your home folder and run it. [Note1: To run a shell script, you may need to .include the local path (e.g., ./script).] Confirm it completes successfully. [Note2: When you create a shell script in Linux, you need to ensure the permissions are set to be able to execute it. See the chmod command for more information.] Include your script with this exercise. Provide an explanation of your script and the output it provides. Include how it could be used by system testers. Bellevue University CYBR 525 5 Python Exercise Note: Complete this exercise on the Kali system in the virtual environment. In this exercise you will write a short python script to execute a port scan of a target you select. 1. Open up a terminal window and type ‘gedit scan.py’ this will start the gedit text editor where you will write this script and create a new file called scan.py. Feel free to use another editor of your choice as desired. 2. Enter the following code in the editor. Use the tab key for indents, python uses indents for code blocking and code in the same block must be aligned the same. #!/usr/bin/env python3 from socket import * import time startTime = time.time() target = input (‘Enter the IP of the host to be scanned: ‘) low_port = int(input (‘Enter the low port to scan: ‘)) high_port = int(input (‘Enter the high port to scan: ‘)) print (‘Scanning ‘, target) for p in range (low_port, high_port): s = socket(AF_INET, SOCK_STREAM) conn = s.connect_ex((target, p)) if(conn == 0): print (‘Port’, p, ‘OPEN’) s.close() print (‘Elapsed time: ‘, time.time() – startTime) 3. The first line of the code tells the command interpreter what language we will be using in the script. The next two lines import libraries needed for this scanner to run correctly. The socket library contains the data structures and functions necessary for us to make network connections to other computers 4. The commands in the for loop attempt to make a network connection to the host at the IP address you entered for each port in the range of low_port to high_port. The connection is attempted through the command conn = s.connect_e((target, p)) Bellevue University CYBR 525 6 5. If the function returns a 0 that means a successful connection was made and the port is open. 6. This is a very simple script and not optimized for efficient scanning so depending on the host you are scanning it could take several seconds for each port. You may first want to start with a narrow range of ports and expand or adjust the range as needed. 7. After you enter the code save the file by clicking the save button at the top of the editor. You can leave the editor open in case you need to fix any errors, just remember to save the file before you run it again. 8. Now you need to make the file executable, do this by opening a new terminal window and entering the following command chmod +x scan.py 9. Now you are ready to run your script, in the terminal window enter ./scan.py 10. Enter the IP and range of ports you wish to scan. a. If you receive any errors read the error message closely and go back to the editor and correct the error. Refer back to the code listing provided above. You must be sure to save the file after making any edits. b. If the scanner appears stuck or is taking too long (remember to use small ranges) you can type CTRL-C to stop the program 11. Answer the following questions: a. Conduct a scan of ports 1-200 on the host at 192.168.25.10, provide a screen shot of your results b. Conduct a nmap scan of your choice on the same host, you don’t need to specify the ports. Do the two scanner results differ? Why do you think they do or don’t differ? c. Use your scanner to scan another host in the range 192.168.25.1-100 with a port range of your choosing. Provide a screen shot of your results. d. Research the socket connection function provided in the socket library and/or use wireshark to monitor one of your scans. Is the type of scan your scanner does a full-open or half-open scan? Why? Refer back to previous week’s material if you don’t remember what these scans are. e. What does the s.close command do in your script and why is it important? f. Provide a screen shot of the code you wrote. Bellevue University CYBR 525 7 CYBR525, Ethical Hacking and Response Week 6 Lab – Vulnerability Scanning The lab for this week has two parts. In part one you will scan the Woeson Books clients for vulnerabilities. In part two you will research those vulnerabilities and report on what you find. Part 1: Scanning with OpenVas (25 points) To start openvas use the ‘Applications’ drop down menu. Go to the ‘Vulnerability Analysis’ section and click ‘openvas start.’ Your menu may clip the right side of the menu. Choose the second one as show below. You system will launch a terminal window and state that it is ‘Starting OpenVas Services.’ When you terminal returns to a command prompt you are ready to continue. You will interact with the openvas scanner through your Firefox Browser. Start Firefox by clicking on the top tile on the left tile bar, right above the tile you use to start a terminal. Once Firefox launches go to https://127.0.0.1:9392. You will be greeted by the Greenbone Security Assistant login screen. Your username will be admin and your password is the same as your password for Kali sighburrS2S Once you have logged in you will be presented with the dashboard for openvas scans. At present you have no scans so you are viewing the number of CVEs contained in the openvas database. Look through the menus to see some of the capabilities of the Greenbone Security Assistant and the openvas scanner. The website for openvas is linked in your course readings for this week, it’s a great place to find documentation. When you are ready to start scanning use the ‘Scans’ menu and select ‘tasks.’ You will be presented with the scan task dashboard which is empty at present. Click the new scan wizard, indicated in the image below, to configure a scan. When the menu appears select the ‘task wizard’ menu choice. The second option, ‘Advanced Task Wizard’ allows you to change the type of scan, identify multiple IPs, schedule a scan in the future, and do credentialed scans. Credentialed scans will give more accurate results however as of yet you don’t have credentials for the target systems so you are limited to non-credentialed scans. Feel free to explore the Advanced Task Wizard and try out its features but for this lab all that is required is the basic ‘task wizard’ option. Replace the highlighted IP address with the IP you wish to scan. As you are scanning the Woeson network you have seen the network address is 192.168.25. and the last tuple (the question marks in the above image) should be replaced with the host you are going to scan. You will want to conduct scans of all the systems on the Woeson network. Remember these are the systems you found in your nmap scans that have IPs in the range 192.168.25.1-100. Above that range are student systems. For your first tries I recommend scanning one system at a time. You will be able to access all the reports even if the systems are scanned individually. Once the scan task is complete you will be returned to the dashboard which at present isn’t very interesting as it is showing just your one scan task. If you had multiple tasks (also, remember a task could be a scan of multiple systems) the dashboard would show how many tasks were complete, scheduled, severity, etc. By clicking on the name of the task (underlined in blue) at the lower left of the screen you will be taken to the details screen for that particular task. From the detail screen click the results number as indicated in the image above. This is the number of findings in this particular task. The next screen will be the results dashboard along the top showing several results categorized by severity and CVSS number. Along the bottom will be a table with the vulnerabilities found. The columns provide the following information: Vulnerability: The name of the vulnerability. Clicking on it will provide more information. This is where you will need to look for the information to complete Part 2 of the lab. Solution type (puzzle piece): If a patch, work around, or mitigation exists it MAY be indicated here. There may be other mitigations or work arounds you can find. Severity: How bad is it, scale of 1 – 10. This is the CVSS score. QoD: Quality of Detection. The closer to 100 the less chance of a false positive. Host: Which host was the vulnerability found on. Remember a task can scan multiple hosts. Clicking on the host IP can provide some additional enumeration information. Location: Where was the vulnerability detected on the host. Created: When was the scan done. Complete scans on the Woeson assets. Once complete provide a screen shot of your task dashboard showing the completed scans. It’s the screen that looks like the below but should show all your scanning tasks complete. Be sure your scans and scan titles reflect your targets. Only indicating you scanned every address in the Woeson range will not receive full points. At this stage you know what your targets are. Part 2: Vulnerability Research (25 points) For this part of your lab you will list the vulnerabilities you found across all hosts which are rated as high (ignore the medium and low), and research them through the Open VAS, CVE, and NVD databases on your system and on the web. As shown in part 1, your scan task dashboard will show at the bottom of the screen a list of all scan tasks. Below you will see one task, an immediate scan of 10.19.99.211. Your screen would show appropriate IP addresses for the Woeson network. By clicking on the name of the scan task you will be brought to the scan summary page. At the bottom of this screen you will see a link with the number of results (findings) on this scan. Click that number to go to the summary page for findings in that scan. At the bottom of the screen is a list of the vulnerabilities found in that scan. Remember, depending on how you did the scan task your results could show multiple hosts. Clicking on a vulnerability in the list will take you to the summary page for that vulnerability. Across the top of the screen will be the title of the vulnerability, the severity (CVSS Score followed by a Low/Medium/High assessment) and other related information. At the bottom of the screen under the references section is a link to information on the applicable CVE. The link itself is the CVE number. By clicking the CVE link you will be taken to the CVE summary page for that vulnerability. Other options for finding information on the vulnerability are under the SecInfo menu at the top of the screen. This is information that openvas downloads from external information sources. You can also go directly to the source and check the CVE (cve.mitre.org) and NVD (nvd.nist.gov) web sites. Searching by the CVE number will provide applicable information. You will need to access these websites from outside the toxic lab as the toxic lab does not have internet access. Using the information in openvas and the CVE and NVD databases research the vulnerabilities you have found. Complete the table below based on your research. Host(s) IP 192.168.25.4045 CVE or other Identifier CVE-2017-3119 Severity High CVSS Score (if Available) 8.8 Vulnerability Name/Description Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and earlier, 2015.006.30306 and earlier, and 11.0.20 and earlier has an exploitable memory corruption vulnerability in Acrobat/Reader 11.0.19 engine. Successful exploitation could lead to arbitrary code execution. The first line in the table is an example, information is fictitious. Delete it before submission. Add lines to table as needed. ... Purchase answer to see full attachment