Lab: Vulnerability Scanning

By Drs. Dave Eargle and Anthony Vance

This lab uses the following VMs:
  • Kali
  • Metasploitable2
Important!
  • Read the section here on how to launch the Metasploitable2 virtual machine within Kali.
  • Ensure that you can ping Metasploitable2 from Kali, and Kali from Metasploitable2, before continuing the lab.
  • Use the addresses shown in the infosec-net network map.

The objective of this lab is to create a report of potential vulnerabilities for a virtual machine. The VM is a Ubuntu-based Linux distribution called MetaSploitable2, which is specifically designed to teach penetration testing skills such as vulnerability scanning.

During the lab, you may envision yourself as a defender, checking an organizational assets for vulnerabilities visible from an external perspective with the ultimate intention of patching them. Alternatively, you may envision yourself as an attacker, checking a target victim asset for vulnerabilities, with the ultimate intention of exploiting them. Both defenders and attackers may perform the same steps of vulnerability scanning.

Troubleshooting

Metasploitable2 is an ancient operating system. It is prone to crashing and otherwise behaving unexpectedly suddenly. If Metasploitable stops responding during the lab, then try force-off’ing it and starting it up again:

Part 1. Host Discovery and Scanning using NMAP

NMAP is the de facto standard of host discovery and port scanning and has a host of features that make the tool very robust. In this section of the lab, you’ll try a few of NMAP’s features.

Throughout the lab, you should replace <IP.addr.of.metasploitable2> with the actual IPv4 address of Metasploitable.
  1. Open a “Terminal Emulator” window in Kali.
  2. Run all nmap commands as root – you’ll get more information as root for some commands.
    • “Get root” in your shell (i.e., sudo -s or su root).
  3. Run nmap. Take a quick look at the available options.
  4. Use nmap to determine whether the your Metasploitable2 VM is live using a “ping scan”:

    nmap -sn <IP.addr.of.metasploitable2>
    

    The ping scan not only sends an ICMP request, but also an ARP ping, TCP pinging, and other techniques to determine if a host is live on the network.

    Question : What kind of information is shown when you run this ping scan for Metasploitable2?

    You could also scan a range of IPs using CIDR block notation. See the network map for the ipv4 block of the infosec-net network. This can be fun to do if you also have your vulnerable Windows 7 vm running at the same time, although this is not required.

    nmap -sn <ipv4 CIDR block>
    

    You can know your network by typing ifconfig on either Kali or Metasploitable2, and looking for the inet address plus the mask value on the same line. For example, a “mask” of 255.255.255.0 applied to an “inet” address of 192.168.56.17 translates to a network of 192.168.56.0/ 24. (Where 24 is the number of bits to mask and it takes 8 bits to make 255, 8x3=24, so that would mask three of the ‘.’ blocks.)

  5. Once you determine that a host is live, you can use NMAP to scan for open ports. Use a TCP scan to determine which ports are open on Metasploitable2:

    nmap -sS <IP.addr.of.metasploitable2>
    

    This scans approximately 1,800 of the most common TCP ports on the target machine.

    Question : Which ports are open on the Metasploitable2 VM?
  6. You can also specify additional ports to scan. Scan the first 10,000 ports of the Metasploitable2 VM:

    nmap -sS -p1-10000 <IP.addr.of.metasploitable2>
    
    Question : Did you find any additional ports?
  7. Nmap can provide additional information about open ports by interrogating the ports it finds using the “sV” flag:

    nmap -sV <IP.addr.of.metasploitable2>
    

    Note: Press the “enter” key to see a status of the NMAP scan.

  8. You can get further information still by using the aggressive flag (“-A”), which is a kitchen-sink of sorts.

    nmap -A <IP.addr.of.metasploitable2>
    
    Question : What additional information about the open ports on Metasploitable2 were you able to obtain by using the -sV and -A flags?
  9. A useful feature of nmap is operating system fingerprinting, which it accomplishes by profiling how a system responds to its scans.

    nmap -O <IP.addr.of.metasploitable2>
    

    Note: That’s a capital “oh” not a “zero.”

    Question : What operating system does nmap report Metasploitable2 to be?
  10. Now scan for web applications on Metasploitable2. Metasploitable2 has many intentionally vulnerable web apps. A web “application” is a loose term for a distinct website, or app, that runs over http. Applications may run off of different base URL paths, all sharing the same port, such as port 80 – but web apps can run off of any port.

    nmap -sV --script=http-enum <IP.addr.of.metasploitable2>
    

    The scan will list, for a given port, many different /paths/ that the scan found to return HTTP responses. You can browse these ports and paths in Kali’s web browser. For instance, if a scan of 192.168.56.102 reported that the path /tikiwiki/ was found running on port 4454, then the app could be investigated by entering the following address in a web browser address bar:

    192.168.56.102:4454/tikiwiki/

    (Recall that specifying a :port after an address changes the default for for a given protocol, and that the default protocol that a web browser tries is http, which hsa a default port of 80.)

    Feeling adventurous? Use a web browser to visit the /dvwa path off of Metasploitable2's ip address. You'll find an intentionally vulnerable web app. Default username/password is on the bottom of the page.
    Question : What web applications are available on Metasploitable2?

Part 2. Vulnerability scanning using Nessus

In this part of the lab, you will use Nessus, a product by Tenable, to replicate what you did with nmap using a tool used in industry. According to Tenable:

Nessus is trusted by more than 30,000 organizations worldwide as one of the most widely deployed security technologies on the planet - and the gold standard for vulnerability assessment.

Start and register the Nessus Scanner

Nessus should already be installed on your Kali-on-GCP instance. It should also already be running.

  1. Open Firefox on Kali and browse to https://kali:8834.

    To get past the SSL warning, click ‘Advanced’ > ‘Accept the Risk and Continue’.

  2. Select “Nessus Essentials”
  3. Get a free registration activation code.

    The prompt on the https://kali:8834 webpage seems to never send a registration link when an email is submitted. Instead, get a registration code by visiting the following tenable.com webpage: https://www.tenable.com/products/nessus/nessus-essentials

    Submit your registration code on the https://kali:8834 page.

  4. Choose any username:password you prefer for use with nessus. For instance, you could use user root password toor when prompted by Nessus. Click “reload” if the page fails to load.

Run a Nessus Scan

  1. Click the “Scans” tab and press the “New Scan” button.

  2. Choose “Basic Network Scan”

  3. In the “Name” field, enter “Metasploitable2” or something more cool-sounding. In the “Targets” field, enter the IP address of the MetaSploitable2 VM.

  4. Under the category “Discovery,” change the “Scan Type” to “All ports.”

  5. Under “Assessment”, change the dropdown to “Scan for known web vulnerabilities.”

  6. Under “Advanced”, select Scan Type “Custom”. Then select “General” on the left. Uncheck “Enable safe checks,” and (Important!) set “Max number of concurrent TCP sessions per host” to 100.

  7. Click the “Save” button, then click the “Scans” tab at the top of the web page. Next, on row of the Metasploitable2 scan you just created, click the triangle “play” symbol to launch the scan .

  8. In the Scans tab you should see the scan job running. This should take about 10 minutes to complete. In the meantime, you can click the job to see the vulnerabilities that Nessus has found so far. Vulnerabilities can be sorted by severity.

Reflect: Do you think it would be difficult to compromise this system?
Question : Which vulnerabilities are critical? Of these, which appear to be most serious? Double-click a vulnerability in the report and read the description.
Consider: What would be the first thing you would do to secure this system?