Vulnerability Scanning: Unpacking the Joys Of Networks
Jasmine Sullivan (CSM, CASP, MSc)
CASP+ | CSM | Cyber Engineer | Realtor | Founder of Kingdom Rentals | MSc in Technology Management
Technical Report:
IP: 10.20.160.126, operating on Linux. After a detailed scan, many services were shown. There were 0 critical vulnerabilities. SSH Weak Algorithms Supported was the only medium vulnerability; its remediation is to contact your vendor to remove the weak ciphers. There were four Nessus SYN scanner findings, which ask that you protect your target with an IP filter, and one Service Detection finding. There was one low vulnerability, SSH Server CBC Mode Ciphers Enabled; its remediation is to contact your vendor to disable CBC mode cipher encryption and enable CTR or GCM cipher mode encryption. Lastly, POP3 Cleartext Logins Permitted, also a low vulnerability, asks that you contact your vendor or protect the traffic with SSL. The 10.20.160.126 scan was in good standing.
IP: 10.20.160.104, operating on Microsoft Windows Vista / Server 2008. After a detailed scan, many services were shown. There were 0 critical vulnerabilities. SSL Certificate Cannot Be Trusted was shown, which simply asks you to purchase or generate a proper certificate for the service; it is up to you whether you want to address it. A Nessus SYN scanner finding was present, which asks you to protect your target with an IP filter; this is not something to truly worry about. SSL Self-Signed Certificate shows a medium vulnerability level and once again simply asks you to purchase or generate a proper certificate for the service. Another medium vulnerability was SSL RC4 Cipher Suites Supported, which asks you to reconfigure the affected application to avoid the use of RC4 ciphers. These are all low-priority findings and nothing to worry about unless you want to make these changes to feel more comfortable.
IP: 10.20.160.107. After a detailed scan, many services were shown. SSL Certificate Cannot Be Trusted is shown at a medium vulnerability ranking, along with SSL Self-Signed Certificate, which simply asks you to purchase or generate a proper certificate for the service. A low vulnerability that was spotted was OpenSSL AES-NI Padding Oracle MitM, which is a simple upgrade. Lastly, there was a Service Detection informational notice. There is nothing critical to be fixed unless you choose to fix these low-to-medium vulnerabilities.
IP: 10.20.160.105, operating on Microsoft Windows 7 Professional. After a detailed scan, many services were shown. Microsoft Windows SMBv1 Multiple Vulnerabilities was prompted. The finding shows multiple information disclosure vulnerabilities due to improper handling of SMBv1 packets, multiple denial of service vulnerabilities due to improper handling of requests, and multiple remote code execution vulnerabilities due to improper handling of SMBv1 packets. To combat this critical vulnerability, you need to apply the applicable security update for your Windows version. There was a medium vulnerability, SSL Certificate Cannot Be Trusted, which simply asks you to purchase or generate a proper certificate for the service; it is up to you whether you want to keep it. Another medium vulnerability was SSL RC4 Cipher Suites Supported, which asks you to reconfigure the affected application to avoid the use of RC4 ciphers. These are all manageable updates.
IP: 10.20.160.122, operating on Microsoft Windows Server 2008 R2. After a detailed scan, many services were shown. There were two critical vulnerabilities present. The first is Apache Tomcat / JBoss / JMX Invoker, which is accessible to unauthenticated users. The host is affected by a security bypass vulnerability caused by an improper restriction, a remote code execution vulnerability caused by not properly restricting access to profiles, and a remote code execution vulnerability caused by the ability to post a marshalled object. To combat this, if you are using EMC Data Protection Advisor, you need to upgrade to version 6.x or apply the workaround for 5.x. The second critical vulnerability is Microsoft Windows SMBv1 Multiple Vulnerabilities. The finding shows multiple information disclosure vulnerabilities due to improper handling of SMBv1 packets, multiple denial of service vulnerabilities due to improper handling of requests, and multiple remote code execution vulnerabilities due to improper handling of SMBv1 packets. To combat this critical vulnerability, you need to apply the applicable security update for your Windows version. A high vulnerability was Unsupported Web Server Detection; to combat this, you need to let it go, as the service is no longer needed. Another high vulnerability is JBoss JMX Console Unrestricted Access; to combat this, you need to secure or remove access to the JMX and Web consoles using the advanced installer options. It is best that these vulnerabilities be dealt with in a critical time frame.
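Both SSH findings on 10.20.160.126 come down to the cipher list the server advertises. As an added example that is not part of the report, the Python script below audits an sshd_config excerpt (constructed here, not taken from the scanned host) for the CBC-mode and arcfour ciphers those two plugins flag, and emits a pinned Ciphers line containing only CTR and GCM/AEAD modes, which is what the "contact your vendor" remediation amounts to on an OpenSSH host. It also handles the two cases a quick grep misses: a directive that uses the `+`/`-`/`^` prefix to modify the built-in default list instead of replacing it, and a config with no Ciphers line at all.

```python
"""Audit an OpenSSH sshd_config for the CBC-mode and arcfour ciphers behind the
SSH Weak Algorithms / CBC Mode Ciphers findings, and produce the replacement line.

Added example, not from the report: SAMPLE_CONFIG is a constructed excerpt.
"""
import re

CBC_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "blowfish-cbc", "cast128-cbc"}
ARCFOUR_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}
WEAK_CIPHERS = CBC_CIPHERS | ARCFOUR_CIPHERS
# Replacement set: AEAD (ChaCha20-Poly1305, AES-GCM) and AES-CTR only.
STRONG_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                  "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"]

# Constructed sshd_config excerpt, not the scanned host's file.
SAMPLE_CONFIG = """
Port 22
# legacy clients still need CBC (kept from an old build)
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour
MACs hmac-sha2-256,hmac-sha2-512
"""

# sshd accepts "Keyword value" or "Keyword = value"; keywords are case-insensitive.
_CIPHERS_RE = re.compile(r"^ciphers(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)


def ciphers_directive(config_text):
    """Return (mode, [names]) from the first effective Ciphers line, or None if unset.

    sshd honours the first occurrence of a keyword. A leading '+', '-' or '^' on
    the value appends to, removes from, or prepends to the compiled-in default
    list rather than replacing it, so the mode is returned alongside the names.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        m = _CIPHERS_RE.match(line)
        if m:
            value = m.group(1)
            mode = value[0] if value[0] in "+-^" else ""
            return mode, value.lstrip("+-^").lower().split(",")
    return None


def audit_ciphers(config_text):
    """Return {"pinned": bool, "weak": sorted weak ciphers enabled, "fix": hardened line}."""
    directive = ciphers_directive(config_text)
    if directive is None:
        # Unset means the OpenSSH build's default applies; old releases shipped CBC
        # and arcfour in that default, so the list should be pinned explicitly.
        weak, pinned = [], False
    else:
        mode, names = directive
        # With '-' the listed names are being removed, so they are not enabled.
        weak = [] if mode == "-" else sorted(n for n in names if n in WEAK_CIPHERS)
        pinned = mode == ""
    return {"pinned": pinned, "weak": weak, "fix": "Ciphers " + ",".join(STRONG_CIPHERS)}


if __name__ == "__main__":
    result = audit_ciphers(SAMPLE_CONFIG)
    print("weak ciphers enabled:", ", ".join(result["weak"]) or "none")
    print("replace with:", result["fix"])
```

After replacing the directive, validate the file with `sshd -t` before restarting the service, confirm the build actually supports every name with `ssh -Q cipher`, and rescan the host so the two plugins clear rather than assuming they did.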
Executive Summary:
The objective of this engagement was to discover all five hosts within the authorized scope and any associated vulnerabilities. After discovering the vulnerabilities, it is then important to exploit them in any way possible to gain access to the machines. The engagement was carried out with explicit permission and approval. To track down the vulnerabilities, I used Nessus, which provided me with plugin details and risk information. The engagement was successful because I was able to identify critical, high, medium and low vulnerabilities within the scope.
To mitigate the identified vulnerabilities, it is recommended that the organization adopt several measures to combat the issues found. On the five hosts, we found different arrays of vulnerabilities. On IP 10.20.160.126 there were 0 critical vulnerabilities; this host was in good standing. On IP 10.20.160.104 there were 0 critical vulnerabilities; there are several aspects that you could tweak, like the SSL certificate, but nothing critical. On IP 10.20.160.107 there were once again 0 critical vulnerabilities; it is suggested that you upgrade due to the OpenSSL AES-NI Padding Oracle MitM finding. On IP 10.20.160.105 there was one critical vulnerability, Microsoft Windows SMBv1 Multiple Vulnerabilities. The finding shows multiple information disclosure vulnerabilities due to improper handling of SMBv1 packets, multiple denial of service vulnerabilities due to improper handling of requests, and multiple remote code execution vulnerabilities due to improper handling of SMBv1 packets. To combat this critical vulnerability, you need to apply the applicable security update for your Windows version. Lastly, on 10.20.160.122, there were two critical vulnerabilities present.
The first is Apache Tomcat / JBoss / JMX Invoker, which is accessible to unauthenticated users. The host is affected by a security bypass vulnerability caused by an improper restriction, a remote code execution vulnerability caused by not properly restricting access to profiles, and a remote code execution vulnerability caused by the ability to post a marshalled object. To combat this, if you are using EMC Data Protection Advisor, you need to upgrade to version 6.x or apply the workaround for 5.x. The second critical vulnerability is Microsoft Windows SMBv1 Multiple Vulnerabilities. The finding shows multiple information disclosure vulnerabilities due to improper handling of SMBv1 packets, multiple denial of service vulnerabilities due to improper handling of requests, and multiple remote code execution vulnerabilities due to improper handling of SMBv1 packets. To combat this critical vulnerability, you need to apply the applicable security update for your Windows version. Overall, three critical vulnerabilities were found across all five hosts. The vulnerabilities are not hard to fix and could easily be made non-critical. It is important that you fix these three vulnerabilities in a timely manner to ensure the protection of your company. It is very important to keep your hosts up to date to ensure that there will be no vulnerabilities in the future. I hope this provided enough insight to tackle each vulnerability present.
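The per-host breakdown in the Technical Report and the "three critical findings across five hosts" figure in the Executive Summary are exactly what a script should pull out of the scanner's export rather than being tallied by hand. As an added example that is not part of the report, the Python below parses a Nessus XML (.nessus v2) export, counts findings per host by severity, and prints a summary in the shape of the one above. The embedded export is constructed to mirror the five hosts in the report; it is not the author's real scan output, and every pluginID other than 100464 (which the CVSS write-up quotes) is a placeholder.

```python
"""Summarise a Nessus XML (.nessus v2) export per host and overall.

Added example: SAMPLE_NESSUS is constructed to mirror the five hosts in the
report; it is not real scan output, and pluginID values of the form 9990xx
are placeholders (only 100464 is quoted in the report).
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus stores severity as an integer attribute on each ReportItem.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="Lab scan (constructed sample)">
<ReportHost name="10.20.160.126"><HostProperties><tag name="operating-system">Linux</tag></HostProperties>
 <ReportItem port="22" protocol="tcp" severity="2" pluginID="999001" pluginName="SSH Weak Algorithms Supported"/>
 <ReportItem port="22" protocol="tcp" severity="1" pluginID="999002" pluginName="SSH Server CBC Mode Ciphers Enabled"/>
 <ReportItem port="110" protocol="tcp" severity="1" pluginID="999003" pluginName="POP3 Cleartext Logins Permitted"/>
 <ReportItem port="0" protocol="tcp" severity="0" pluginID="999004" pluginName="Nessus SYN scanner"/>
</ReportHost>
<ReportHost name="10.20.160.104"><HostProperties><tag name="operating-system">Microsoft Windows Vista / Server 2008</tag></HostProperties>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="999005" pluginName="SSL Certificate Cannot Be Trusted"/>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="999006" pluginName="SSL Self-Signed Certificate"/>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="999007" pluginName="SSL RC4 Cipher Suites Supported"/>
</ReportHost>
<ReportHost name="10.20.160.107"><HostProperties><tag name="operating-system">unknown</tag></HostProperties>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="999005" pluginName="SSL Certificate Cannot Be Trusted"/>
 <ReportItem port="443" protocol="tcp" severity="1" pluginID="999008" pluginName="OpenSSL AES-NI Padding Oracle MitM"/>
</ReportHost>
<ReportHost name="10.20.160.105"><HostProperties><tag name="operating-system">Microsoft Windows 7 Professional</tag></HostProperties>
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="100464" pluginName="Microsoft Windows SMBv1 Multiple Vulnerabilities"/>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="999007" pluginName="SSL RC4 Cipher Suites Supported"/>
</ReportHost>
<ReportHost name="10.20.160.122"><HostProperties><tag name="operating-system">Microsoft Windows Server 2008 R2</tag></HostProperties>
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="100464" pluginName="Microsoft Windows SMBv1 Multiple Vulnerabilities"/>
 <ReportItem port="8080" protocol="tcp" severity="4" pluginID="999009" pluginName="Apache Tomcat / JBoss / JMX Invoker"/>
 <ReportItem port="8080" protocol="tcp" severity="3" pluginID="999010" pluginName="JBoss JMX Console Unrestricted Access"/>
</ReportHost>
</Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return {host_ip: {"os": str, "findings": [(severity, plugin_id, plugin_name), ...]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("ReportHost"):
        os_tag = host.find("./HostProperties/tag[@name='operating-system']")
        findings = [(int(item.get("severity", "0")), item.get("pluginID"), item.get("pluginName"))
                    for item in host.findall("ReportItem")]
        hosts[host.get("name")] = {"os": os_tag.text if os_tag is not None else "unknown",
                                   "findings": findings}
    return hosts


def severity_counts(hosts):
    """Per-host Counter of severity labels (info/low/medium/high/critical)."""
    return {ip: Counter(SEVERITY_NAMES[sev] for sev, _, _ in data["findings"])
            for ip, data in hosts.items()}


def critical_findings(hosts):
    """(host_ip, plugin_id, plugin_name) for every severity-4 item: the rows that drive the summary."""
    return [(ip, pid, name) for ip, data in hosts.items()
            for sev, pid, name in data["findings"] if sev == 4]


def executive_summary(hosts):
    """Plain-text summary in the shape of the report's executive summary."""
    crit = critical_findings(hosts)
    affected = {ip for ip, _, _ in crit}
    lines = [f"{len(hosts)} hosts in scope, {len(crit)} critical finding(s) on {len(affected)} host(s)"]
    counts = severity_counts(hosts)
    for ip, data in hosts.items():
        c = counts[ip]
        lines.append(f"{ip} ({data['os']}): critical={c['critical']} high={c['high']} "
                     f"medium={c['medium']} low={c['low']} info={c['info']}")
    for ip, pid, name in crit:
        lines.append(f"  FIX FIRST: {ip} plugin {pid} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(executive_summary(parse_nessus(SAMPLE_NESSUS)))
```

Point `parse_nessus` at the text of a real export (Nessus > Export > Nessus) and the same three functions give the per-host table and the critical list for the write-up; because the count comes from the `severity` attribute, a rescan after patching shows the critical total dropping without anyone re-reading the plugin output.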
CVSS Write-up:
Entire Network / Plugin #100464
Microsoft Windows SMBv1 Multiple Vulnerabilities was prompted.
State: CRITICAL
Description:
The finding shows multiple information disclosure vulnerabilities due to improper handling of SMBv1 packets, multiple denial of service vulnerabilities due to improper handling of requests, and multiple remote code execution vulnerabilities due to improper handling of SMBv1 packets. To combat this critical vulnerability, you need to apply the applicable security update for your Windows version.
CVSS Base score: 10.0
CVSS Temporal Score: 7.4
A base score of 10.0 and a temporal score of 7.4 is overdoing it. I do not believe this should be ranked as the “worst”; there are far greater attacks that could happen. As I conducted more research, simply applying the applicable security update for your Windows version should fix this.
Nessus Info:
The Nessus vulnerability scanner has a free home edition that can be found at: https://www.tenable.com/products/nessus-home. You must sign up to get the activation key emailed to you, and then you will be prompted to download the tool. It is recommended to download the Debian package (.deb) and run the tool within your Kali image; dpkg installs .deb packages, not .rpm ones. Once the file is downloaded, you can install it as root by issuing the command dpkg -i <file.deb>. Like OpenVAS, Nessus is accessed through a web application portal. Point your browser to https://127.0.0.1:8834 and you will be prompted to go through the initial setup. Make sure your Kali VM has Internet access, as it needs to download all the signatures and plug-ins.
The easiest way to scan your network is to choose an "Advanced Scan", which includes all the plugins. Insert your home network range and start the scan. Feel free to play around with the scanner, though: create your own policy and look at all the plugin categories. The home edition can be run an unlimited number of times but is restricted to 16 total IP addresses per scan.