Using NMAP to identify OS and services on the vulnerable machine (Windows 2000 server)
Nmap is a free and open-source tool for network discovery and security auditing.
First we have to set up the virtual environments of the vulnerable machine (Windows 2000) and Kali Linux in VirtualBox, and we have to put their IP addresses in the same network range.
Open a Kali terminal and run nmap -sV -O 192.168.56.99 (the IP address of the Windows 2000 machine). This gives us a report of the version of each network service and of the operating system, as shown below.
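As an added example (not part of the original page), the following Python script parses the XML that nmap -sV -O writes when you add -oX, and turns the report into review findings for the page's target: an end-of-life OS match and legacy Windows services exposed on the network. The scan output below is a constructed sample, and the list of flagged services is an assumed local policy, not something Nmap itself decides.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -sV -O -oX -" output for the page's Windows 2000 target
# (not real scan output); the closed port is there to show that it gets filtered out.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.168.56.99">
<host><status state="up"/><address addr="192.168.56.99" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="42"><state state="open"/><service name="wins" product="Microsoft Windows Wins"/></port>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="1025"><state state="closed"/><service name="NFS-or-IIS"/></port>
</ports>
<os><osmatch name="Microsoft Windows 2000 SP4" accuracy="100"/></os>
</host></nmaprun>"""

# Legacy Windows services that should not be reachable from outside a management
# segment; an assumed review policy for this lab, not anything Nmap itself flags.
FLAGGED_SERVICES = {"wins", "msrpc", "netbios-ssn", "microsoft-ds"}

def parse_nmap_xml(xml_text):
    """One dict per host that is up: address, best OS match, and open services."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            services.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                             "name": svc.get("name") if svc is not None else "unknown",
                             "product": svc.get("product", "") if svc is not None else ""})
        osmatch = host.find("os/osmatch")  # nmap lists OS matches best-first
        hosts.append({"addr": host.find("address[@addrtype='ipv4']").get("addr"),
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "services": services})
    return hosts

def review(hosts):
    """Findings as (addr, locator, message): end-of-life OS and exposed legacy services."""
    findings = []
    for h in hosts:
        if h["os"] and "Windows 2000" in h["os"]:
            findings.append((h["addr"], "os", "end-of-life OS: " + h["os"]))
        for s in h["services"]:
            if s["name"] in FLAGGED_SERVICES:
                findings.append((h["addr"], "%s/%d" % (s["proto"], s["port"]), "exposed " + s["name"]))
    return findings
```

To use it on a real scan, read the file written by nmap -oX into xml_text and call review(parse_nmap_xml(xml_text)); on the sample it returns one OS finding and three service findings.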
Nessus vulnerability scanner
Nessus is a proprietary vulnerability scanner developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment.
Nessus does not come pre-installed, so we have to download, install and configure it.
Nessus allows scans for the following types of vulnerabilities:
- Detection of security holes in local or remote hosts.
- Detection of missing security updates and patches.
- Simulated attacks to pinpoint vulnerabilities.
- Execution of security tests in a contained environment.
- Scheduled security audits.
Then, open a Kali terminal and start Nessus with the command:
service nessusd start
Nessus runs as a server in the background and is accessible via a web interface. Open a web browser, browse to https://127.0.0.1:8834 and log in. The following web interface then appears.
Go to Scan Templates -> New Scan and give the name of the system.
For Policy, choose Internal Network Scan.
Put the IP address of the target (Windows 2000) into the Scan Target box and run the scan.
Wait until the scan completes, then go to the Results tab and watch the scan results populate in real time.
The vulnerabilities are categorized by severity as shown below:
- Purple – Critical
- Red – High
- Orange – Medium
- Green – Low
- Grey – Information
To view a vulnerability summary, go to the Vulnerabilities tab and click on a vulnerability.
From these vulnerabilities I will select the vulnerability MS05-47 for the demonstration that follows.
Using Metasploit to compromise a vulnerable host
After identifying the possible vulnerabilities, we use Metasploit to execute the exploits and launch the attack.
To execute this exploit we need:
- An exploit – MS04_047_wins (the vulnerability selected above)
- A payload – code which will run once the exploit is successful
- Options – IP address etc.
Metasploit Framework is open source and is a software platform for developing, testing and executing exploits. It can be used to create security testing tools and exploit modules and as a penetration testing system. It was originally created as a portable network tool in 2003 by HD Moore.
To start Metasploit, open a terminal and begin by initializing the database and web server:
service apache2 start
service postgresql start
Then run the command msfconsole.
This command provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available :) .
With the search command, Metasploit searches for the given term in the module names and descriptions, as follows:
The use command in Metasploit activates a particular module and changes the context of msfconsole to that module. The exploit name is shown in red on the command line, as follows:
Info and show options commands
We can view the information on this vulnerability with the info command and view the module's settings with the show options command.
The set command allows you to configure Framework options and parameters for the current module you are working with.
set RHOST 192.168.56.99 (RHOST – remote host (windows 2000))
Then run it with the exploit command. This exploit is capable of shutting down Windows 2000.
This is another exploit of a vulnerability to get a remote desktop of Windows 2000.
Vulnerability - ms04-045
Search for the vulnerability:
Use the module path:
Set the remote host and run the exploit:
Then we run Meterpreter to get a remote desktop of the Windows 2000 machine with the command
Finally we get a remote desktop as follows:
Hope you would understand :)