Northern Kentucky University



CIT 480: Securing Computer Systems
Lab #12: Vulnerability Scanning

Name: _____________________

1: Introduction

In this lab, we will discover and research vulnerabilities using the Nessus vulnerability scanner, which you will install on the Kali Linux VM. The Metasploitable 2 VM will be the target of all scans. This lab will refer to its IP address as TARGET_IP. Start both VMs at the beginning of the lab.

References: Nessus documentation and videos.

2: Finding Vulnerabilities with Nessus

Before using Nessus, we will need to install and activate it on your Kali Linux VM.

1. Request an activation code for Nessus Home edition to be sent to your e-mail address by filling out the form on the Nessus website. Then install Nessus as root by going to root's Downloads directory and running:
   dpkg -i Nessus*

2. Register Nessus by running the following command, replacing the placeholder CODE with the activation code you received by e-mail in step 1:
   /opt/nessus/sbin/nessuscli fetch --register CODE

3. Start Nessus with the following command as root. You will need to run this command every time you need to use Nessus after a reboot or shutdown:
   /etc/init.d/nessusd start

4. Log in with username nessus and the same password as the Kali root account.

Step 2 will take a substantial amount of time, as it will download the Nessus scan plugins.

To scan a target with Nessus, log in to the web interface, then:

1. Click on New Scan.
2. Click on Basic Network Scan.
3. For Name, enter "Lab #12".
4. For Targets, enter the IP address of the target VM.
5. Do not modify any of the other fields.
6. Click on Save.

When you save a new scan, it should begin running immediately. If for some reason it does not start, click on the Launch icon to start the scan. The scan will take between 5 and 10 minutes to complete.

Once the scan completes, click on the scan name to view the summary of results. Click on the color-coded bar showing all of the vulnerabilities to view vulnerability details.

2.1: How many vulnerabilities were found in total?
Answer: _____________________

2.2: How many in each severity level, from critical to info? List one severity level per line below.

Answer: _____________________

3: Understanding Vulnerabilities

Click on the first vulnerability of critical severity to see the details Nessus reported about the vulnerability. Each vulnerability has multiple attributes, the most important of which are:

1. Nessus plugin ID number: identifies the plugin that reported the vulnerability.

2. Nessus plugin name: the name of the plugin that reported the vulnerability.

3. CVE (Common Vulnerabilities and Exposures) vulnerability identifier: some vulnerabilities will not have this identifier, but vulnerabilities that do are recorded in the National Vulnerability Database (nvd.) and can be looked up there. A single Nessus vulnerability may correspond to multiple CVE identifiers. These identifiers are of the form CVE-YEAR-####.

4. Other vulnerability identifiers: many vendors, such as Microsoft (MS-## format) and the Mozilla Foundation (MFSA-YEAR-####), record vulnerabilities in their own databases, which may provide more information than Nessus shows or than can be found in CVE databases. Other identifiers include OSVDB numbers for the Open Source Vulnerability Database and BID numbers for the Bugtraq database.

5. CVSS base score: the Common Vulnerability Scoring System (CVSS) provides a numerical indication of vulnerability severity ranging from 0 to 10. Critical vulnerabilities will have CVSS scores near 10. The current CVSS version is 2.0.

6. Exploit available: indicates whether or not an open source (like Metasploit) or commercial (like Canvas or Core Impact) exploit framework has an exploit for this vulnerability.
Even if no exploit exists for a vulnerability in a popular framework, individual exploit scripts may be found on sites like Exploit DB.

7. Exploitable with: names which frameworks have exploits for this vulnerability.

8. See also: this section contains additional references to the vulnerability, which may help to better understand its impact or aid you in finding exploits for the vulnerability.

3.1: For each of the critical severity vulnerabilities reported by Nessus, enter all of the items in the list above in order except for the last one (See also). For item 4, other vulnerability identifiers, only list CVE identifiers if available; otherwise, list only the first other identifier reported.

Answer: _____________________

3.2: Exploit the Tomcat Common Administrative Credentials vulnerability using the information reported by Nessus. Using the Tomcat Web Application Manager, explore the installed Tomcat applications until you find a sub-application named Request Info. Run that application, then write the URL you used and the text returned in the box below.

Answer: _____________________

3.3: Exploit the backdoor identified by the Rogue Shell Backdoor Detection vulnerability using the netcat command with the target IP and the target port number reported by Nessus for this vulnerability.

   $ nc TARGET_IP TARGET_PORT

Once logged into the target machine, determine which user you are logged in as and which directory you are currently in. Include both command output and answers to the questions in the previous sentence in the box below.

   # id
   # pwd

Answer: _____________________

3.4: Let's use this backdoor shell login to learn more about the system. In particular, we can determine which network services are running on the target.

   # lsof -i -n -P

Answer: _____________________

3.5: Using nmap from your Kali VM, determine which network services are running on the target.

   # nmap -sT TARGET_IP

Answer: _____________________

3.6: Which ports did lsof find that nmap did not report?

Answer: _____________________

3.7: Exploit the vulnerability reported by the VNC Server 'password' Password plugin.
To access the VNC remote desktop on the target, use the following command. The number 0 following the target IP address indicates the first VNC remote desktop on the target. If multiple desktops are running, you will need to experiment with changing that number to 1, 2, 3, etc. to reach the remote desktop.

   $ xvnc4viewer TARGET_IP:0

Run the id command once logged into the target and write the results below. Which user's remote desktop are you accessing?

Answer: _____________________

4: Submitting the Lab

Bring a printed copy with your name on it to class on the class period after which this lab was assigned. Online students should submit the lab via the Blackboard LMS.
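As an added worked example for questions 2.2 and 3.1 above (not part of the original lab handout): the script below takes a constructed list of Nessus-style findings, validates identifiers against the CVE-YEAR-#### form described in section 3, maps each CVSS 2.0 base score to a severity label, counts findings per severity, and applies the item 4 rule (CVEs if present, otherwise the first other identifier). The plugin IDs, names and CVE numbers are made up, and the severity thresholds are an assumption about how Nessus buckets CVSSv2 scores.

```python
import re
from collections import Counter

# Constructed Nessus-style findings: (plugin_id, plugin_name, identifiers, cvss2_base).
# Plugin IDs, names and CVE numbers are made up for illustration, not real scan output.
FINDINGS = [
    (90001, "Example remote code execution", ["CVE-2009-0001", "CVE-2009-0002"], 10.0),
    (90002, "Example default credentials", ["OSVDB-12345", "BID-23456"], 7.5),
    (90003, "Example weak cipher suite", ["cve-2010-0003"], 4.3),
    (90004, "Example debug port open", ["BID-34567"], 2.6),
    (90005, "Example service banner", [], 0.0),
]

# CVE identifiers are CVE-YEAR-####; the sequence part may be longer than four digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)

def cvss2_to_severity(score):
    """Map a CVSS 2.0 base score (0-10) to a Nessus-style severity label.
    Assumed thresholds: Info 0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-9.9, Critical 10."""
    if score <= 0.0:
        return "Info"
    for upper, label in ((4.0, "Low"), (7.0, "Medium"), (10.0, "High")):
        if score < upper:
            return label
    return "Critical"

def cve_ids(identifiers):
    """Well-formed CVE identifiers from a list, normalised to upper case."""
    return [i.upper() for i in identifiers if CVE_RE.match(i)]

def identifiers_to_report(identifiers):
    """Question 3.1 rule for item 4: all CVEs if any, else only the first other identifier."""
    return cve_ids(identifiers) or identifiers[:1]

def severity_counts(findings):
    """Question 2.2: number of findings per severity level, critical first."""
    counts = Counter(cvss2_to_severity(score) for _, _, _, score in findings)
    return [(level, counts[level]) for level in ("Critical", "High", "Medium", "Low", "Info")]

def critical_report(findings):
    """Question 3.1: items 1-5 (ID, name, CVEs, identifiers to report, CVSS) per critical finding."""
    rows = []
    for pid, name, ids, score in findings:
        if cvss2_to_severity(score) == "Critical":
            rows.append((pid, name, cve_ids(ids), identifiers_to_report(ids), score))
    return rows

if __name__ == "__main__":
    print("total:", len(FINDINGS), severity_counts(FINDINGS))
    print(critical_report(FINDINGS))
```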
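As an added example for questions 3.4 to 3.6 above (not part of the original lab handout): this script parses constructed `lsof -i -n -P` and `nmap -sT` output for the same host and reports the listening TCP ports that only lsof shows, with the most likely reason a scanner on the Kali VM could not see each one. The sample output, addresses and ports are constructed, not captured from Metasploitable.

```python
import re

# Constructed sample of `lsof -i -n -P` output (not captured from the target VM).
LSOF_OUTPUT = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1021  root    3u  IPv4   3456      0t0  TCP *:22 (LISTEN)
apache2  1134  root    4u  IPv6   3789      0t0  TCP *:80 (LISTEN)
mysqld   1200 mysql   10u  IPv4   4012      0t0  TCP 127.0.0.1:3306 (LISTEN)
ruby     1311  root    5u  IPv4   4100      0t0  TCP *:45678 (LISTEN)
sshd     2050  root    3u  IPv4   5555      0t0  TCP 10.0.0.5:22->10.0.0.9:51022 (ESTABLISHED)
named    1400  bind   20u  IPv4   4200      0t0  UDP *:53
"""

# Constructed sample of `nmap -sT TARGET_IP` output for the same host.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
"""

LSOF_LISTEN_RE = re.compile(r"\bTCP (\S+):(\d+) \(LISTEN\)")
NMAP_OPEN_RE = re.compile(r"^(\d+)/tcp\s+open", re.MULTILINE)
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}

def lsof_listening_tcp(text):
    """Return {port: bind_address} for every TCP socket lsof shows in LISTEN state."""
    return {int(port): addr for addr, port in LSOF_LISTEN_RE.findall(text)}

def nmap_open_tcp(text):
    """Return the set of TCP ports nmap reported as open."""
    return {int(p) for p in NMAP_OPEN_RE.findall(text)}

def missed_by_nmap(lsof_text, nmap_text):
    """Question 3.6: listening ports lsof shows that the nmap scan did not report,
    each with the most likely reason a remote scanner could not see it."""
    local = lsof_listening_tcp(lsof_text)
    remote = nmap_open_tcp(nmap_text)
    missed = []
    for port in sorted(set(local) - remote):
        addr = local[port]
        if addr in LOOPBACK:
            reason = "bound to loopback only; not reachable from the Kali VM"
        else:
            # nmap without -p scans only its 1000 most common TCP ports, so an
            # unusual port is skipped unless scanned explicitly (e.g. -p-).
            reason = "not in nmap's default port list (rescan with -p-) or filtered"
        missed.append((port, addr, reason))
    return missed

if __name__ == "__main__":
    for port, addr, reason in missed_by_nmap(LSOF_OUTPUT, NMAP_OUTPUT):
        print(f"{port}/tcp bound to {addr}: {reason}")
```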