16.2 Student Guide: Network Discovery and Vulnerability Flashcards

1
Q

What are the 5 phases of engagement?

A
  1. Active and passive reconnaissance
  2. Scanning and enumeration
  3. Gaining access
  4. Maintaining access
  5. Covering your tracks
2
Q

_______ and _______ are essential to the early stages of an engagement.

A

Network discovery and vulnerability scanning are essential to the early stages of an engagement.

3
Q

Network discovery and vulnerability scanning are essential to the early stages of an engagement. With the proper tools, we can complete the following tasks: (4)

A

**Network mapping:** Using host discovery, we can identify network devices like servers, switches, and routers, and how they’re physically interconnected.

**Service discovery:** Allows us to identify which services are running on which hosts, such as DNS, mail, or web servers.

**OS detection:** Also known as OS fingerprinting, this lets us detect which operating system is running on a networked device, including the OS name, vendor, software version, and estimated device uptime.

**Security auditing:** The discovery process of finding OS versions and apps running on hosts to determine the depth of vulnerabilities.

4
Q

How might an attacker benefit from knowing what version of a service is running on a host?

A

An attacker can research all documented vulnerabilities for the specific application services and versions running on a host or server.

5
Q

______, _______, is a free, open-source tool used for network discovery and vulnerability scanning.

A

**Nmap**, short for Network Mapper, is a free, open-source tool used for network discovery and vulnerability scanning.

Nmap is useful for identifying devices running on a network, discovering hosts, services, open ports, and IP addresses, and detecting security risks.

6
Q

What are the most common Nmap functions? (6)

A
  • Ping scans
  • Port scans
  • Host scans
  • OS fingerprinting
  • Top port scans
  • Outputting scan results to files
7
Q

What is the command to perform a TCP connect scan with Nmap?

A

nmap -sT [target IP]

8
Q

What is the command to perform a service and version detection scan with Nmap?

A

nmap -sV [target IP]

9
Q

What web service vulnerability is associated with Apache httpd 2.2.8 ((Ubuntu) DAV/2)?

A

One possible vulnerability is CVE-2016-4975 (possible CRLF injection), which allows HTTP response splitting attacks for sites that use mod_userdir.

10
Q

What vulnerability is associated with Google VSFTPD v2.3.4?

A

VSFTPD v2.3.4 is vulnerable to backdoor command execution, which presents a threat to organizations running this particular version of the software.

11
Q

Knowing the web server type and version number allows an attacker to __________.

A

Knowing the web server type and version number allows an attacker to compile a list of potential vulnerabilities to exploit.

12
Q

Most malicious actors will not choose to use what type of Nmap scan?

A

TCP full-connect (nmap -sT) scans are aggressive and noisy and will, in most cases, generate alarms on the targeted network that alert the target to your presence. Attackers prefer to use the SYN half-connect scan, which we’ll cover next.

13
Q

The _______ allows users to write and share scripts that automate a variety of networking tasks.

A

The Nmap Scripting Engine (NSE) allows users to write and share scripts that automate a variety of networking tasks.

14
Q

You can use NSE scripting for any of the following tasks: (8)

A
  • DNS enumeration
  • Brute force attack
  • OS fingerprinting
  • Banner grabbing
  • Vulnerability detection
  • Vulnerability exploitation
  • Backdoor identification
  • Malware discovery
15
Q

While NSE scripts can serve multiple functions, most exist to _________.

A

While NSE scripts can serve multiple functions, most exist to gather information on a target.

16
Q

Where are .nse scripts stored?

A

.nse scripts are stored in the /usr/share/nmap/scripts directory.

17
Q

Display all of the currently installed NSE scripts by running what command?

A

ls /usr/share/nmap/scripts

18
Q

While we can run scans directly on the command line, we can use Nmap with a free open-source GUI option called _____.

A

While we can run scans directly on the command line, we can use Nmap with a free open-source GUI option called **Zenmap**.

19
Q

True or False:

Zenmap works with Nmap to make it more user-friendly. For example, Zenmap displays Nmap output in a convenient GUI display. It can also:

  • Customize display options.
  • Provide summaries about a single host or a network scan.
  • Generate topology maps of discovered networks.
A

True

20
Q

What are the benefits of Zenmap? (3)

A

Comparison: Zenmap can compare changes between system scans run at different times and differences between hosts.

Convenience and discoverability: While Nmap’s hundreds of options can be overwhelming for beginners, Zenmap’s simple interface helps beginners learn and understand how to perform Nmap scans.

Repeatability: Zenmap has command profiles that make it easy to run scans more than once. You can also use preinstalled shell scripts to perform common tasks.

21
Q

Define each component of the following command:

nmap -T4 -F --script ftp-vsftpd-backdoor 192.168.0.10

A
  • -T4: Adjusts the speed of the scan. Timing templates range from 0 to 5; 4 is a fast and aggressive option.
  • -F: Indicates a fast scan that checks only the 100 most common ports.
  • --script: Runs a scripted (NSE) scan.
  • ftp-vsftpd-backdoor: Indicates which script to run.
  • 192.168.0.10: IP address of the host that will be scanned.
22
Q

Although NSE has its advantages, it also has disadvantages when compared to vulnerability scanners: (4)

A
  • NSE is not fully comprehensive, meaning many vulnerabilities are not covered.
  • NSE cannot perform a large number of scans simultaneously.
  • NSE is most efficient when performing single host scans.
  • NSE is most useful when doing basic information gathering or enumeration activities.
23
Q

Vulnerability testing often gets confused with penetration testing. What are the differences?

A

Vulnerability scanning identifies systems that have known vulnerabilities:

  • Scans use a database of known vulnerabilities.
  • Vulnerabilities are rated based on the severity level.
  • Vulnerabilities are given a Common Vulnerability Scoring System (CVSS) score.

Penetration testing attempts to identify weaknesses that can be exploited, such as:

  • Specific system configurations
  • Organizational processes and practices
24
Q

______ is one of many vulnerability scanners available today. It is used to perform vulnerability assessments and penetration tests, in addition to malicious attacks. What are other popular vulnerability scanners?

A

**Nessus** is one of many vulnerability scanners available today. It is used to perform vulnerability assessments and penetration tests, in addition to malicious attacks.

Other popular vulnerability scanners:

**OpenVAS**: A fully featured, freely available open-source vulnerability scanner sharing many of the same capabilities as Nessus. It comes preinstalled with Kali Linux.

**Nexpose**: A vulnerability scanner developed by Rapid7 that comes fully integrated with Metasploit. It’s sold as a stand-alone software package that can also be used as a managed service or private cloud deployment.

25
Q

A vulnerability scanner, such as Nessus, is an application that identifies vulnerabilities and creates an inventory of all interconnected systems. These include the following: (8)

A
  1. Servers
  2. Desktops
  3. Laptops
  4. Virtual machines
  5. Containers
  6. Firewalls
  7. Switches
  8. Printers
26
Q

The ___________ is a source of exploit information that grades each vulnerability based on its severity level.

A

The **National Vulnerability Database** (NVD) is a source of exploit information that grades each vulnerability based on its severity level.

  • For example, searching for NIST CVE-2016-0800 leads to the nvd.nist.gov page, which provides details, references, and a score of 5.9.
  • Severity levels are scored using the Common Vulnerability Scoring System (CVSS).

Numerical scores are translated into qualitative categories (low, medium, high, and critical) to help security administrators properly assess and prioritize vulnerabilities.

27
Q

What is the primary purpose of Samba?

A

The Samba server allows machines running different operating systems to share resources.

For example, if a user on a Windows computer needs to share files with Mac or Linux users, they can upload the file to the Samba network share, where the other users can access it.

28
Q

What is the primary purpose of a network file system (NFS) and why is it vulnerable?

A

Like Samba, NFS holds files that are shared between users.

NFS does not implement authentication or encryption. Therefore, attackers can connect directly to the share and read, and possibly write, the files stored there.

29
Q
  1. What is the purpose of Telnet?
  2. What port does it use?
  3. What protocol should we use to connect to a server?
A
  1. Telnet is an older protocol that can be used to send files and connect to the Metasploitable server.
  2. Port 23
  3. SSH service

Telnet is one of the earliest remote login protocols on the Internet. It was initially released in the early days of IP networking in 1969, and was for a long time the default way to access remote networked computers.

The Telnet session between the client and the server is not encrypted. Anyone with access to the TCP/IP packet flow between the communicating hosts can reconstruct the data that flows between the endpoints and read the messaging, including the usernames and passwords that are used to log in to the remote machine.