HCMC UNIVERSITY OF TECHNOLOGY AND EDUCATION, FACULTY OF INFORMATION TECHNOLOGY
DEPARTMENT OF INFORMATION SECURITY
LAB REPORT, LAB 01: OS Security
Course code: INSE330380
Performed by: Trần Nguyễn Phương Tây
Student ID: 21110641
Supervising lecturer: Dr. Huỳnh Nguyên Chính
Ho Chi Minh City, September 2022
Lab overview
In this lab, we use the network scanning tool Nmap to detect the operating system, running services, and known vulnerabilities on a target machine.
Lab task
Connection between two machines
- Create virtual network card:
- Attach the card to the 1st virtual machine:
- IP configuration information of the 1st machine:
- Successful connection between 2 machines:
1 Using nmap to scan a machine (via IP address or name) to detect an OS & services
sudo nmap -F 192.168.12.0/24
The -F option requests a fast scan: instead of the default port set, Nmap probes only the most commonly used ports, so the scan finishes quickly at the cost of missing services on unusual ports.
- Turn on firewall:
- Turn off firewall:
With the firewall off, 6 open ports are found on the machine 192.168.12.129.
sudo nmap -O 192.168.12.129
With -O, Nmap sends a series of probe packets to the computer with IP address 192.168.12.129 and compares the responses (TCP/IP stack behaviour) against its fingerprint database to guess the operating system. The results show the identified operating system (if any) together with the open ports and services found on the target.
- Turn on firewall:
With the firewall on, no OS information could be obtained, since OS fingerprinting needs responses from at least one open and one closed port.
With the firewall off, information about the target machine's operating system is obtained: Running, OS CPE, and OS details.
sudo nmap -A 192.168.12.129
-A: This is an aggregate option in Nmap, often called "Aggressive Scan" or "All-in-one." It enables OS detection, service version detection, default script scanning (NSE), and traceroute in a single run, producing a detailed report about the target computer. This includes identifying the operating system, listing open network ports, identifying the running services, and executing scripts against the discovered services. The results contain much useful information for security analysis and system testing.
- Turn on firewall:
Could not scan any information
With the firewall off, the scan returns information about network ports, the operating system, and the device. This result shows that the computer with IP address 192.168.12.129 runs Ubuntu Linux with many services such as SSH, FTP, Telnet, DNS, HTTP, and an HTTP proxy.
sudo nmap -sV 192.168.12.129
With -sV, Nmap connects to the open ports on the computer with IP address 192.168.12.129 and sends service probes to determine the name and version of the service listening on each port. The result is a list of scanned ports with the service name and version where they could be identified, and the ports for which no service or version could be determined. This gives an overview of the services running on the target computer and their versions, which is the input for checking them against known vulnerabilities.
- Turn on firewall:
With the firewall on, no service version information could be obtained.
With the firewall off, the services running on the open ports and their versions are identified.
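As an added example (not part of the original lab report), the following Python script parses two nmap XML reports (-oX) of the same host, one taken with the firewall on and one with it off, and lists the services that are reachable only while the firewall is down. The XML snippets are constructed samples modelled on the lab's -sV results for 192.168.12.129; the product names and version strings in them are assumed, not real scan output.

```python
"""Compare nmap -oX reports of the same host with the firewall on and off.
Added example; the XML below is a constructed sample, not output from the lab."""
import xml.etree.ElementTree as ET

# Constructed sample: firewall off, the six services the lab observed (assumed versions).
FW_OFF_XML = """<nmaprun><host><address addr="192.168.12.129" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="ISC BIND" version="9.11"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
<port protocol="tcp" portid="3128"><state state="open"/><service name="http-proxy" product="Squid http proxy"/></port>
</ports></host></nmaprun>"""

# Constructed sample: firewall on, every probed port reported as filtered.
FW_ON_XML = """<nmaprun><host><address addr="192.168.12.129" addrtype="ipv4"/>
<ports><extraports state="filtered" count="1000"/></ports></host></nmaprun>"""


def open_services(xml_text):
    """Map (protocol, port) -> 'name product version' for every open port in the report."""
    found = {}
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports say nothing about exposed services
        svc = port.find("service")
        parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
        label = " ".join(p for p in parts if p) or "unknown"
        found[(port.get("protocol"), int(port.get("portid")))] = label
    return found


def exposure_delta(fw_on_xml, fw_off_xml):
    """Services reachable only while the firewall is down: what the firewall actually shields."""
    shielded = open_services(fw_on_xml)
    return {k: v for k, v in open_services(fw_off_xml).items() if k not in shielded}


if __name__ == "__main__":
    for (proto, port), svc in sorted(exposure_delta(FW_ON_XML, FW_OFF_XML).items()):
        print(f"{port}/{proto}: {svc} (reachable only with the firewall off)")
```

Run the same two scans with real `-oX` files to get the list of services the firewall is shielding, which is the list to review for versions with known CVEs.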
Some other options:
nmap -sn 192.168.12.0/24
This command (ping scan, no port scan) identifies active hosts. The scan results show a total of 2 hosts detected in the 192.168.12.0/24 subnet:
- IP address 192.168.12.128 was detected and reported as "up" with a response time of 0.00017 seconds.
- IP address 192.168.12.129 was also detected and reported as "up" with a response time of 0.00074 seconds.
nmap -sT 192.168.12.129
This is a TCP connect scan, which completes the full TCP handshake on each port. The computer with IP address 192.168.12.129 is running various services on different network ports such as FTP, SSH, Telnet, DNS, HTTP, and Squid HTTP Proxy. Scan results only show
2 Using nmap with the vulscan script to detect vulnerabilities on an OS
CVE-2010-3773:
Description: Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey
before 2.0.11, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0179.
Summary: This vulnerability allows remote attackers to initiate remote processes, read arbitrary local files, and establish network connections through vectors related to the refresh value in the http-equiv attribute of a META element, leading to the misuse of security principals.
CVE-2010-1197:
Description: Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and
SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document
Summary: This vulnerability occurs when the XMLHttpRequestSpy module in the Firebug utility is used and interactions between the XMLHttpRequestSpy object and objects with chrome privileges are mishandled. This allows remote attackers to execute arbitrary JavaScript code through a crafted HTTP response, creating an opportunity for exploitation.
Description: Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey
before 2.0.11, does not properly handle certain redirections involving data: URLs and Java LiveConnect scripts, which allows remote attackers to start processes, read arbitrary local files, and establish network connections via vectors involving a refresh value in the http-equiv attribute of a META element, which causes the wrong security principal to be used
Summary: This vulnerability allows remote attackers to start processes, read arbitrary local files, and establish network connections via a refresh value in the http-equiv attribute of a META element, because the wrong security principal is used after certain redirections involving data: URLs and Java LiveConnect scripts.
CVE-2002-2246:
Description: Cross-site scripting (XSS) vulnerability in VisNetic Website before 3.5.15 allows remote attackers to inject arbitrary web script or HTML via the HTTP referer header (HTTP_REFERER) to a non-existent page, which is injected into the resulting 404 error page
Summary: This vulnerability allows remote attackers to inject arbitrary web script or HTML via the HTTP_REFERER header, which is reflected in the 404 error page.
CVE-2002-2241:
Description: Buffer overflow in httpd32.exe in Deerfield VisNetic WebSite before 3.5.15 allows remote attackers to cause a denial of service (crash) via a long HTTP OPTIONS request
Summary: This vulnerability allows remote attackers to crash the service (denial of service) with a long HTTP OPTIONS request.
Summary
In this laboratory session, we studied operating system security, focusing on the use of the Nmap tool to examine a target machine. Our primary objectives were to understand the methods used in security assessments and to identify potential system vulnerabilities. The following key points summarize the laboratory work:
- Initial Scan: We began with a quick scan of the target machine using Nmap's -F flag. This fast scan quickly identified the commonly open ports and services.
- Operating System Detection: We used Nmap's -O flag to determine the operating system running on the target machine. This step gave us valuable insight into the characteristics of the system.
- Thorough Service Scrutiny: We performed a detailed service analysis with the -sV flag. This revealed not only the active services but also their version numbers, which is essential input for evaluating potential vulnerabilities.
- Firewall Evaluation: We examined the firewall's influence on the target machine by temporarily disabling it and repeating the Nmap scans. This comparison showed clearly how much a host firewall reduces what a scanner can learn about the machine.
- Exploration of Supplementary Nmap Features: In our quest for a deeper comprehension, we
exploration expanded our knowledge and gave us a large amount of information about the configuration of the target machine.
- Vulnerability Assessment: We installed and ran the vulscan Nmap script. This revealed known vulnerabilities matching the services on the target machine, underscoring the role of vulnerability assessments in security practice.
- CVE Vulnerability Analysis: We selected approximately five vulnerabilities from the scan results, each with a CVE identifier, and researched them in depth. Our goal was to understand the potential consequences and the attack vectors associated with these vulnerabilities.
- Lab Report: Finally, we compiled this laboratory report. It contains an introduction, a breakdown of our procedural steps, recorded observations, an analysis of the detected vulnerabilities, and a conclusion. The report documents our findings and the insights gained during the exercise.
Upon completing this laboratory exercise, we have gained practical experience in network scanning, vulnerability identification, and the importance of safeguarding operating systems and services. We have also improved our ability to assess and strengthen computer system security. This knowledge is valuable for anyone entering the fields of cybersecurity and network administration.