Scanning and Exploiting Host Vulnerabilities
By Matthew Loong
Vulnerability Scoring
Common Vulnerabilities and Exposures (CVE) entries are published regularly by the not-for-profit MITRE Corporation and further analyzed by researchers at the US National Institute of Standards and Technology (NIST), who maintain the National Vulnerability Database (NVD) and score each CVE under the Common Vulnerability Scoring System (CVSS) on a scale of 1 to 10. You can view all the CVEs with their CVSS scores in the link below.
Vulnerability Scanning
As good cyber security practice, the blue team should regularly scan the hosts and the network for vulnerabilities. For penetration testing, scanning is a key step of the reconnaissance phase. Scanning can be done with automated tools like Nessus. In the demonstration below I show how I scan a box and exploit its vulnerabilities. Before I begin, I want to stress that you should not conduct unauthorized scanning in the wild.
Set-up
I am using a Kali Virtual Machine (VM) with Nessus Essentials to probe an intentionally vulnerable VM called Metasploitable. These can be downloaded from the links below.
Port Scan
First I locate the box and its open ports. The box is at 10.0.2.14 with the open ports listed.
Scanning With Nessus
By targeting 10.0.2.14, I find 108 findings: 7 critical, 3 high, 20 medium, 7 low, and the rest informational.
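A scan like this is usually exported as a .nessus file, and the severity totals above are just a tally of each finding's severity attribute. The script below is an added example, not code from the original post: it parses a constructed .nessus-style XML sample (the host IP is the one from this post; the plugin names and IDs are made up), tallies findings per severity and lists the critical ones by port, and maps a CVSS base score to the NVD qualitative rating discussed in the scoring section.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus "severity" attribute on each ReportItem: 0=Info .. 4=Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout; plugin names/IDs are invented
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="demo-scan">
  <ReportHost name="10.0.2.14">
   <ReportItem port="1524" svc_name="shell" protocol="tcp" severity="4"
               pluginID="000001" pluginName="Unauthenticated shell listening">
    <cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="5900" svc_name="vnc" protocol="tcp" severity="4"
               pluginID="000002" pluginName="VNC server with weak password">
    <cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="000003" pluginName="SSH banner information">
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def cvss_rating(score: float) -> str:
    """NVD qualitative rating for a CVSS v3 base score (0.0 to 10.0)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def summarise(nessus_xml: str) -> dict:
    """Return {host: {"counts": Counter by severity name,
                      "critical": [(port, plugin name), ...]}}."""
    summary = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        counts, critical = Counter(), []
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            counts[SEVERITY_NAMES[sev]] += 1
            if sev == 4:  # what a blue team should triage first
                critical.append((int(item.get("port")), item.get("pluginName")))
        summary[host.get("name")] = {"counts": counts, "critical": critical}
    return summary
```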
Exploiting Vulnerabilities
With the discovered vulnerabilities, I will now exploit two of them to attain a remote shell as root.
1. Backdoor Shell
Looking at the details of the critical vulnerabilities, I see that there is a shell on port 1524 that does not authenticate. I simply connect to it with a netcat command and get a shell as root.
2. VNC Server
I also see that the VNC server on the box has the weak password "password". Hence, I connect and log in as root using that password.
Ending Remarks
As you can see, it really is very easy to scan and exploit a host on the network if security settings are weak and there is no detection or monitoring.