Vulnerability process up to the exploitation process
After finishing information gathering and service enumeration, we look for vulnerabilities: weaknesses in a system or service that allow exploitation to be carried out on the target computer.
In this case we will use two tools, Nessus and Nmap. Both tools are very helpful for vulnerability scanning.
First, I apologize that this write-up is not equipped with a screenshot of the results of running Nmap in the terminal, because I forgot to take one, but I will give another example for the same purpose.
First
NMAP scanning
1. I will scan the network.
root@sinobi:~# nmap -sV 192.168.0.0/24
which produces the following IPs:
192.168.0.21
192.168.0.26
192.168.0.32
192.168.0.35
192.168.0.40
192.168.0.43
192.168.0.44
192.168.0.45
192.168.0.63
192.168.0.64
192.168.0.65
192.168.0.66
192.168.0.67
192.168.0.70
192.168.0.71
Here 15 hosts are shown as currently active. This is an example of the results shown when using nmap -sV.
From this process we can obtain some essential information, such as:
- IP addresses
- Ports / services that are running, etc.
=======================================================================
Second
Nessus
1. Run Nessus
- Open the browser
- Type the URL https://127.0.0.1
- The login page will appear;
enter your username and password.
- On the Scan menu, click Add. The following form will then appear.
Fill in the Name column with a name of your choice, set the Type column to "run now", select the policy "external network scans" in the Policy column, and enter the target IP range to be scanned, in this case 192.168.0.0/24. Nessus will then scan the network. The reason I also use nmap is to ensure that all hosts have been recorded by Nessus.
2. After the scanning process, it will display the results menu.
Here 15 hosts are shown as active; the results of the nmap scan and the Nessus scan are the same.
3. Report of the results for the first IP, 192.168.0.22
Here 9 running services are shown, such as:
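To automate the cross-check described above (confirming that every host nmap found alive also appears in the Nessus results) and to separate real findings from the informational plugins Nessus rates as "None", here is an added Python example that is not part of the original post. It assumes nmap was run with grepable output (-oG) and that the Nessus results were exported as CSV; both inputs below are constructed samples, and the Risk ratings on the constructed rows are assumptions.

```python
import csv
import io
import re

# Constructed sample of `nmap -sV -oG -` output (not from the original post).
NMAP_GREPABLE = """\
Host: 192.168.0.21 ()\tStatus: Up
Host: 192.168.0.21 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.6p1 Debian-5build1/, 80/open/tcp//http//Apache httpd/
Host: 192.168.0.26 ()\tStatus: Up
Host: 192.168.0.26 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 192.168.0.32 ()\tStatus: Up
Host: 192.168.0.32 ()\tPorts: 10000/open/tcp//http//MiniServ (Webmin httpd)/
"""

# Constructed sample of a Nessus CSV export; plugin IDs and names are the ones
# the post lists, the Risk ratings are assumptions made for this example.
NESSUS_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
34850,,,Medium,192.168.0.21,tcp,80,Web Server Uses Basic Authentication without HTTPS,,,,,
11213,,,Medium,192.168.0.21,tcp,80,HTTP TRACE / TRACK Methods Allowed,,,,,
10757,,,None,192.168.0.32,tcp,10000,Webmin Detection,,,,,
22300,,,Medium,192.168.0.32,tcp,10000,Webmin / Usermin Null Byte Filtering Vulnerabilities,,,,,
"""

RISK_ORDER = ["None", "Low", "Medium", "High", "Critical"]

def nmap_live_hosts(grepable):
    """IPs that nmap reported with 'Status: Up' in grepable (-oG) output."""
    return set(re.findall(r"^Host: (\S+) .*Status: Up", grepable, re.M))

def nessus_rows(csv_text):
    """Rows of a Nessus CSV export as dicts keyed by the header columns."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def hosts_missing_from_nessus(grepable, csv_text):
    """Live hosts from nmap with no Nessus row at all: candidates for a rescan."""
    covered = {row["Host"] for row in nessus_rows(csv_text)}
    return sorted(nmap_live_hosts(grepable) - covered)

def findings_by_host(csv_text, min_risk="Low"):
    """Group (port, plugin id, name) per host, dropping rows rated below min_risk.
    Informational plugins carry Risk 'None', so the default keeps only real findings."""
    threshold = RISK_ORDER.index(min_risk)
    grouped = {}
    for row in nessus_rows(csv_text):
        if RISK_ORDER.index(row["Risk"]) < threshold:
            continue
        grouped.setdefault(row["Host"], []).append((row["Port"], row["Plugin ID"], row["Name"]))
    return grouped
```

With the constructed data, hosts_missing_from_nessus reports 192.168.0.26 as seen by nmap but absent from the Nessus export, and findings_by_host keeps only the Medium-rated rows.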
- icmp
- tcp
- udp
- ssh
- www
- Netbios-ns
- smb
- cifs
- www
I will explain the results of the Nessus analysis of the SSH service running on port 22.
Synopsis: An SSH server is running on the remote host.
>> SSH / PORT 22
Nessus divides the findings for the SSH port into 5 plugins:
*** Debian OpenSSH/OpenSSL package random number generator weakness
Explanation
Synopsis: The remote SSH host keys are weak.
Description
The remote SSH host key has been generated on a Debian
or Ubuntu system which contains a bug in the random number
generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all
sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote
key and use this to decipher the remote session or
set up a man-in-the-middle attack.
Solution
Consider all cryptographic material generated on the remote host
to be guessable. In particular, all SSH, SSL and OpenVPN key
material should be re-generated.
Conclusion
There is a vulnerability.
*** SSH Server type and version information
Synopsis: An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH
server by sending an empty authentication request.
Solution
n/a
Risk Factor: None
Plugin Output
SSH version : SSH-2.0-OpenSSH_4.6p1 Debian-5build1
SSH supported authentication : publickey,password
Plugin Publication Date: 1999/10/12
Plugin Last Modification Date: 2011/10/24
Conclusion
There isn't a vulnerability.
*** Service Detection
Synopsis: The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor: None
Plugin Output
An SSH server is running on this port.
Plugin Publication Date: 2007/08/19
Plugin Last Modification Date: 2012/01/19
Conclusion
There isn't a vulnerability.
*** SSH Protocol Versions Supported
Synopsis: An SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by
the remote SSH daemon.
Solution
n/a
Risk Factor: None
Plugin Output
The remote SSH daemon supports the following versions of the
SSH protocol :
- 1.99
- 2.0
SSHv2 host key fingerprint : 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d
Plugin Publication Date: 2002/03/06
Plugin Last Modification Date: 2011/03/30
Conclusion
There isn't a vulnerability.
*** Backported Security Patch Detection (SSH)
Synopsis: Security patches are backported.
Description
Security patches may have been 'back ported' to the remote SSH server
without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any
security problem.
Solution
N/A
See Also
http://www.nessus.org/u?d636c8c7
Risk Factor: None
Plugin Output
Give Nessus credentials to perform local checks.
Plugin Publication Date: 2009/06/25
Conclusion
There isn't a vulnerability.
>> WWW / PORT 80
There are vulnerabilities:
*** Plugin ID 34850
Name Web Server Uses Basic Authentication without HTTPS
*** Plugin ID 46803
Name PHP expose _php Information Disclosure
*** Plugin ID 11213
Name HTTP TRACE / TRACK Methods Allowed
>> WWW / PORT 80
*** Plugin ID 10394
Name Microsoft Windows SMB Log In Possible
*** Plugin ID 10859
Name Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
>> WWW / PORT 10000
*** Plugin ID 10757
Name Webmin Detection
*** Plugin ID 22300
Name Webmin / Usermin Null Byte Filtering Vulnerabilities
*** Plugin ID 21785
Name Webmin / Usermin miniserv.pl Arbitrary File Disclosure
4. Checking a vulnerability against ExploitDB
For example:
root@sinobi:/pentest/exploits/exploitdb# ./searchsploit smb
then
root@sinobi:/pentest/exploits/exploitdb# cd platforms/windows/remote
root@sinobi:/pentest/exploits/exploitdb/platforms/windows/remote# cat 14674.txt
to get information on how the exploit works.