Hands-on: Target Port, Services, and Vulnerability Identification (en)
Before we begin, it’s important to understand some basic concepts:
- Port: Think of a port as the doorway to an application or service on a system. Each application or service uses a specific port to communicate.
- Service: A service is an application that runs on a system and provides a specific function, such as a web server, database server, or email server.
- Vulnerability: A vulnerability is a weakness in a system that can be exploited by an attacker to gain unauthorized access or damage the system.
Hands-On Objectives
The goals of this hands-on are to:
- Learn how to identify open ports and services on a system.
- Understand the types of vulnerabilities that are commonly found.
- Learn the tools used for scanning and penetration testing.
Hands-On Steps
Setting Up Environment:
- Make sure Kali Linux 2024.3 is installed and running.
- Select a target to test. It can be a virtual machine, a personal computer, or an online service that has been authorized for testing.
Identifying Ports and Services:
- Nmap: The most commonly used tool for port scanning.
- `nmap -sS -sV <target_IP>`: Performs a SYN scan and version detection to get detailed information about open ports and services.
- `nmap -sC <target_IP>`: Runs Nmap's default scripts to gather more detailed information about the detected services.
- Masscan: A faster tool for performing port scanning on a large scale.
- `masscan -p1-65535 <target_IP>`: Scan all ports from 1 to 65535.
Analyze Scan Results:
- Pay attention to open ports and running services.
- Look for services that are already known to have vulnerabilities (e.g., Apache Tomcat, OpenSSH with default configuration).
- Use a vulnerability database such as CVE Details to find more information about the vulnerabilities found.
Identify Vulnerabilities:
- Manual: Find information about vulnerabilities related to the services found.
- Automatic Tools: Use tools such as Nikto, Nessus, or OpenVAS to perform vulnerability scanning automatically.
- Exploit Database: Find exploits that can be used to exploit the vulnerabilities found.
Port, Services, and Vulnerabilities Identification Practice
Nmap: Scanning and Identifying Ports & Services
Nmap (Network Mapper) is a very popular tool for scanning networks, identifying open ports, the services running on those ports, and the operating system used by the target.
Steps:
- Open a terminal in Kali Linux.
- Run the following command for a basic scan:
`nmap -sS <target IP>`
- `-sS` selects a TCP SYN (half-open) scan, which identifies open ports on a target without completing a full connection.
- `<target IP>` is the IP address of the target to be scanned.
Example Output:
```
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-25 10:00
Nmap scan report for 192.168.1.10
Host is up (0.045s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
```
From the results above, it can be seen that ports 22, 80, 443, and 8080 are open, indicating that services such as SSH, HTTP, HTTPS, and HTTP Proxy are active on the target.
Identifying Running Service Versions
To identify the version of the service running on each port, run Nmap with service version detection:
`nmap -sV <target IP>`
Example Output:
```
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4 (protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.54
443/tcp  open  https      Apache httpd 2.4.54
8080/tcp open  http-proxy Squid 4.13
```
This indicates that OpenSSH version 8.4 is running on port 22, and Apache HTTP server version 2.4.54 is running on ports 80 and 443.
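To turn a scan like this into an exposure review, the added example below (not part of the original page) parses the `-sV` table shown above and compares it with an approved-service baseline. `BASELINE`, `parse_services` and `audit` are hypothetical names, and the baseline values are constructed for illustration.

```python
import re

# Sample input: the page's example `nmap -sV` table, embedded so this runs offline.
SCAN = """\
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4 (protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.54
443/tcp  open  https      Apache httpd 2.4.54
8080/tcp open  http-proxy Squid 4.13
"""

# Hypothetical baseline (constructed): what this host is approved to expose.
BASELINE = {(22, "tcp"): "OpenSSH", (25, "tcp"): "Postfix",
            (80, "tcp"): "nginx", (443, "tcp"): "Apache httpd"}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def parse_services(text):
    """Return {(port, proto): (service, version)} for rows whose state is 'open'."""
    found = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "open":
            port, proto, _, service, version = m.groups()
            found[(int(port), proto)] = (service, version or "")
    return found

def audit(found, baseline):
    """Compare observed services with the baseline; return (kind, key, detail) tuples."""
    findings = []
    for key, (service, version) in sorted(found.items()):
        expected = baseline.get(key)
        if expected is None:
            findings.append(("unexpected", key, f"{service} {version}".strip()))
        # Only compare products when the scan reported a version string (-sV).
        elif version and not version.lower().startswith(expected.lower()):
            findings.append(("mismatch", key, f"expected {expected}, saw {version}"))
    for key in sorted(set(baseline) - set(found)):
        findings.append(("missing", key, f"expected {baseline[key]}"))
    return findings

if __name__ == "__main__":
    for kind, (port, proto), detail in audit(parse_services(SCAN), BASELINE):
        print(f"{kind:10} {port}/{proto:4} {detail}")
```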
Web Vulnerability Scanning
For example, after performing an Nmap scan on a web server, we find that ports 80 (HTTP) and 443 (HTTPS) are open. With this information, we can:
- Find the version of the web server being used (e.g., Apache 2.4).
- Check for known vulnerabilities in that version (e.g., CVE-2021-44228).
- Use a tool like Nikto to scan for specific vulnerabilities on the web server.
Vulnerability Scanning with Nmap
Nmap can also be used to search for potential vulnerabilities using built-in scripts. One option is to use the Nmap Scripting Engine (NSE) to perform a vulnerability scan.
The following command can be used to check for common vulnerabilities:
`nmap --script vuln <target IP>`
Example Output:
```
PORT   STATE SERVICE
22/tcp open  ssh
| vulners:
|   CVE-2020-15778:
|     description: OpenSSH 8.3 and earlier allows command injection via a crafted message to an ssh-agent forwarding request.
|     exploits: https://www.exploit-db.com/exploits/48634
80/tcp open  http
| http-vuln-cve2017-5638:
|   description: Apache Struts 2 vulnerability allows remote attackers to execute arbitrary commands.
|   exploits: https://www.exploit-db.com/exploits/41570
```
In this result, we can see several CVEs (Common Vulnerabilities and Exposures) related to the services found, such as CVE-2020-15778 related to OpenSSH, and CVE-2017-5638, which is a vulnerability in Apache Struts 2.
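For remediation tracking, script output like this can be reduced to a per-port CVE worklist. The following is an added example, not code from the original page; it reads the page's sample output, and `triage` and `worklist` are hypothetical helper names.

```python
import re

# Sample input: the page's example `nmap --script vuln` output, embedded so this runs offline.
REPORT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| vulners:
|   CVE-2020-15778:
|     description: OpenSSH 8.3 and earlier allows command injection via a crafted message to an ssh-agent forwarding request.
|     exploits: https://www.exploit-db.com/exploits/48634
80/tcp open  http
| http-vuln-cve2017-5638:
|   description: Apache Struts 2 vulnerability allows remote attackers to execute arbitrary commands.
|   exploits: https://www.exploit-db.com/exploits/41570
"""

PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# Matches both "CVE-2020-15778" and the script-name form "cve2017-5638".
CVE_ID = re.compile(r"cve-?(\d{4})-(\d{4,7})", re.IGNORECASE)

def triage(report):
    """Map each open port to {cve_id: exploit_referenced} taken from script output lines."""
    result, port, last = {}, None, None
    for line in report.splitlines():
        row = PORT_ROW.match(line)
        if row:
            port, last = f"{row.group(1)}/{row.group(2)}", None
            result[port] = {"service": row.group(3), "cves": {}}
        elif port and line.startswith("|"):
            for year, num in CVE_ID.findall(line):
                last = f"CVE-{year}-{num}"
                result[port]["cves"].setdefault(last, False)
            # An "exploits:" reference raises the priority of the preceding CVE.
            if last and re.search(r"exploits:\s*https?://", line):
                result[port]["cves"][last] = True
    return result

def worklist(result):
    """Flatten to (cve, port, service, exploit_referenced); exploit-referenced CVEs first."""
    rows = [(cve, port, info["service"], exploit)
            for port, info in result.items()
            for cve, exploit in info["cves"].items()]
    return sorted(rows, key=lambda r: (not r[3], r[0]))

if __name__ == "__main__":
    for cve, port, service, exploit in worklist(triage(REPORT)):
        print(f"{cve:16} {port:8} {service:6} exploit-referenced={exploit}")
```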
OpenVAS: Vulnerability Assessment
For deeper vulnerability scanning, Kali Linux 2024.3 has tools such as OpenVAS (Open Vulnerability Assessment System), which is one of the most powerful open-source tools for identifying vulnerabilities in a system.
Steps to use OpenVAS:
- Install OpenVAS (if not already installed):
`sudo apt install openvas`
- Initialize OpenVAS:
`sudo gvm-setup`
- Start OpenVAS service:
`sudo gvm-start`
Access OpenVAS via browser
- Enter URL: `https://localhost:9392`
- Login with the account created during installation.
- Create New Scan by selecting a target and running a vulnerability scan.
OpenVAS Output:
OpenVAS will generate a detailed report of the various vulnerabilities found on the target, complete with explanations, risks, and mitigation suggestions.
Nikto: Web Server Vulnerability Scanner
For specific scanning of web servers, Nikto is one of the tools that can be used.
Run Nikto:
`nikto -host <target IP>`
`nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host 192.168.0.102`
Example Output:
```
- Nikto v2.5.0
- Target IP: 192.168.1.10
+ Server: Apache/2.4.54
+ The server is running outdated software. Apache 2.4.54 has known vulnerabilities.
+ OSVDB-3092: /admin/: This might be interesting...
```
Nikto provides information such as the web server version, potentially sensitive directories that are accessible, and vulnerabilities in the server version in use.
Conclusion
Through tools such as Nmap, OpenVAS, and Nikto, an ethical hacker can perform in-depth analysis of a target to identify open ports, services running, and potential vulnerabilities that can be exploited. Mastery of these tools is an important step in the penetration testing process, which helps identify risks and provide mitigation recommendations to targets or clients.
Ethical Considerations
- Always perform penetration testing with permission from the system owner.
- Do not perform activities that can damage or disrupt the system.
- Report all vulnerability findings to the system owner so that they can be fixed immediately.
Important to Remember
- Identification is the first step in penetration testing.
- A thorough understanding of the operating system, network, and applications is essential.
- Continue to learn and follow the latest developments in the world of cybersecurity.