Vulnerability Information Gathering Johnson

  1. Zenmap save of scan in XML format (5 points)

<?xml version="1.0" encoding="iso-8859-1"?>

<?xml-stylesheet href="file:///C:/Program Files (x86)/Nmap/nmap.xsl" type="text/xsl"?><nmaprun start="1676312861" profile_name="Quick scan plus" xmloutputversion="1.04" scanner="nmap" version="7.93" startstr="Mon Feb 13 13:27:41 2023" args="nmap -sV -T4 -O -F --version-light 192.168.3.25"><scaninfo services="7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157" protocol="tcp" numservices="100" type="syn"></scaninfo><verbose level="0"></verbose><debugging level="0"></debugging><output type="interactive">Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 13:27 Eastern Standard Time

NSOCK ERROR [0.2450s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 192.168.3.25
Host is up (0.0015s latency).
Not shown: 82 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
513/tcp  open  login?
514/tcp  open  shell?
2049/tcp open  rpcbind
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.93%I=2%D=2/13%Time=63EA8120%P=i686-pc-windows-windows%r
SF:(NULL,42,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(DE
SF:SKTOP-LNDIM9C\.cyber\.local\)\n")%r(GenericLines,42,"\x01Couldn't\x20ge
SF:t\x20address\x20for\x20your\x20host\x20\(DESKTOP-LNDIM9C\.cyber\.local\
SF:)\n");
MAC Address: 00:0C:29:52:D7:E0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.44 seconds

</output><host comment=""><status state="up"></status><address addrtype="ipv4" vendor="" addr="192.168.3.25"></address><address addrtype="mac" vendor="VMware" addr="00:0C:29:52:D7:E0"></address><hostnames></hostnames><ports><extraports count="82" state="closed"></extraports><port protocol="tcp" portid="21"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="vsftpd" version="2.3.4" method="probed" conf="10" name="ftp"></service></port><port protocol="tcp" portid="22"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="OpenSSH" name="ssh" extrainfo="protocol 2.0" version="4.7p1 Debian 8ubuntu1" conf="10" method="probed"></service></port><port protocol="tcp" portid="23"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="Linux telnetd" method="probed" conf="10" name="telnet"></service></port><port protocol="tcp" portid="25"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="Postfix smtpd" method="probed" conf="10" name="smtp"></service></port><port protocol="tcp" portid="53"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="ISC BIND" version="9.4.2" method="probed" conf="10" name="domain"></service></port><port protocol="tcp" portid="80"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="Apache httpd" name="http" extrainfo="(Ubuntu) DAV/2" version="2.2.8" conf="10" method="probed"></service></port><port protocol="tcp" portid="111"><state reason="syn-ack" state="open" reason_ttl="64"></state><service method="probed" conf="10" name="rpcbind"></service></port><port protocol="tcp" portid="139"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="Samba smbd" name="netbios-ssn" extrainfo="workgroup: WORKGROUP" version="3.X - 4.X" conf="10" method="probed"></service></port><port protocol="tcp" portid="445"><state reason="syn-ack" state="open" reason_ttl="64"></state><service 
product="Samba smbd" name="netbios-ssn" extrainfo="workgroup: WORKGROUP" version="3.X - 4.X" conf="10" method="probed"></service></port><port protocol="tcp" portid="513"><state reason="syn-ack" state="open" reason_ttl="64"></state><service method="table" conf="3" name="login"></service></port><port protocol="tcp" portid="514"><state reason="syn-ack" state="open" reason_ttl="64"></state><service method="table" conf="3" name="shell"></service></port><port protocol="tcp" portid="2049"><state reason="syn-ack" state="open" reason_ttl="64"></state><service method="probed" conf="10" name="rpcbind"></service></port><port protocol="tcp" portid="2121"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="ProFTPD" version="1.3.1" method="probed" conf="10" name="ftp"></service></port><port protocol="tcp" portid="3306"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="MySQL" version="5.0.51a-3ubuntu5" method="probed" conf="10" name="mysql"></service></port><port protocol="tcp" portid="5432"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="PostgreSQL DB" version="8.3.0 - 8.3.7" method="probed" conf="10" name="postgresql"></service></port><port protocol="tcp" portid="5900"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="VNC" extrainfo="protocol 3.3" method="probed" conf="10" name="vnc"></service></port><port protocol="tcp" portid="6000"><state reason="syn-ack" state="open" reason_ttl="64"></state><service extrainfo="access denied" method="probed" conf="10" name="X11"></service></port><port protocol="tcp" portid="8009"><state reason="syn-ack" state="open" reason_ttl="64"></state><service product="Apache Jserv" extrainfo="Protocol v1.3" method="probed" conf="10" name="ajp13"></service></port></ports><os><portused state="open" portid="21" proto="tcp"></portused><portused state="closed" portid="7" proto="tcp"></portused><portused state="closed" portid="30097" 
proto="udp"></portused><osmatch line="59343" name="Linux 2.6.9 - 2.6.33" accuracy="100"><osclass type="general purpose" osfamily="Linux" vendor="Linux" osgen="2.6.X" accuracy="100"></osclass></osmatch></os><uptime lastboot="Mon Feb 13 12:51:11 2023" seconds="2206"></uptime><tcpsequence index="205" values="C61AFBB4,C67EA91D,C69AF16F,C715E6A2,C65AFDBE,C752DF81" difficulty="Good luck!"></tcpsequence><ipidsequence values="0,0,0,0,0,0" class="All zeros"></ipidsequence><tcptssequence values="35D91,35D9C,35DA7,35DB2,35DBD,35DC8" class="100HZ"></tcptssequence></host><runstats><finished timestr="Mon Feb 13 13:27:57 2023" time="1676312877"></finished><hosts down="0" total="1" up="1"></hosts></runstats></nmaprun>

  2. Document with all results from zenmap scan and a table of the 5 researched vulnerabilities including the port number, the service, the service version of the vulnerability, and the fix if one exists. (5 points)

Port 2121
Service: FTP
Version: ProFTPD 1.3.1 (the scan above reports vsftpd 2.3.4 on port 21; ProFTPD 1.3.1 is the second FTP daemon, listening on 2121)
Vulnerability: Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
Fix: Upgrade ProFTPD to 1.3.3c or later. The flaw is in the FTP daemon, not the kernel, so updating the Linux distribution only helps if it ships a patched ProFTPD package. If the second FTP service is not needed, stop it and close 2121.

Port 23
Service: Telnet
Version: Linux telnetd (the scan does not report the netkit-telnet version; the host's OS fingerprint is Linux 2.6.9 - 2.6.33)
Vulnerability: telnet daemon (telnetd) from the Linux netkit package before netkit-telnet-0.16 allows remote attackers to bypass authentication when telnetd is running with the -L command line option. The bypass only applies if telnetd is actually started with -L, which the scan cannot confirm.
Fix: Update netkit-telnet to 0.16 or later and do not start telnetd with -L. Better, disable telnet entirely and use SSH: telnet sends the login credentials in clear text regardless of the daemon version.

Port 80
Service: Apache HTTP Server
Version: Apache httpd 2.2.8 ((Ubuntu) DAV/2)
Vulnerability: The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.
Fix: Upgrade httpd to a release containing the fix (the advisory text names 2.4.10; the 2.2 branch is end of life). Putting a DNS or CDN service in front of the host is not a fix for this issue: the request still reaches the CGI script, and this host is on an internal lab network.

Port 3306
Service: MySQL
Version: MySQL 5.0.51a-3ubuntu5
Vulnerability: Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string. The advisory text is vague about which 5.0.x releases are affected, so confirm against the vendor's fixed versions before reporting 5.0.51a as vulnerable.
Fix: Upgrade MySQL to a release in which the scramble-string handling is fixed, and restrict port 3306 to the hosts that need it. There is no DNS component to this issue, so "DNS protection" does not apply.

Port 5432
Service: PostgreSQL
Version: PostgreSQL DB 8.3.0 - 8.3.7 (the whole reported range is below the fixed release)
Vulnerability: CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
Fix: Upgrade to 8.3.18 or later. Until then, treat dump files from untrusted sources as untrusted input: inspect them for object names containing newlines and unexpected SQL statements before restoring.
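The table above was built by hand from the Zenmap XML. The following script is an added example, not part of the original write-up: it parses the same Nmap XML schema Zenmap saves (the `<host>`/`<port>`/`<service>` elements in the file above) with the standard library, lists every open port with its product and version, and flags products whose detected version is below a "fixed in" version. The sample XML embedded in the script is constructed to mirror a subset of the scan above, the `FIXED_IN` table is a hypothetical lookup built from the advisory text quoted in the table (ProFTPD 1.3.3c, Apache httpd 2.4.10, PostgreSQL 8.3.18), and the version ordering is a simplified one that does not implement Debian epoch or tilde rules.

```python
"""Parse Nmap/Zenmap XML output and flag services below a known fixed version.

Added example; not code from the original assignment. The sample XML below is
constructed to mirror part of the scan in the write-up.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the schema Zenmap saves (-oX). Subset of the scan above.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.93" args="nmap -sV -T4 -O -F --version-light 192.168.3.25">
<host><status state="up"/><address addr="192.168.3.25" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) DAV/2" method="probed" conf="10"/></port>
<port protocol="tcp" portid="513"><state state="open"/><service name="login" method="table" conf="3"/></port>
<port protocol="tcp" portid="2121"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5" method="probed" conf="10"/></port>
<port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql" product="PostgreSQL DB" version="8.3.0 - 8.3.7" method="probed" conf="10"/></port>
<port protocol="tcp" portid="6000"><state state="closed"/><service name="X11"/></port>
</ports></host></nmaprun>"""

# Hypothetical lookup: product string as Nmap reports it -> first fixed version,
# taken from the advisory text quoted in the vulnerability table above.
FIXED_IN = {
    "ProFTPD": "1.3.3c",
    "Apache httpd": "2.4.10",
    "PostgreSQL DB": "8.3.18",
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def open_services(xml_text):
    """Return one dict per open port found in an Nmap XML document."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k, d="": svc.get(k, d)) if svc is not None else (lambda k, d="": d)
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                # method="table" means Nmap guessed from its port table, not from a
                # probe response; those rows deserve manual verification.
                "guessed": get("method") == "table",
            })
    return rows


def version_key(version):
    """Sortable key: numeric runs become (0, int), alphabetic runs (1, str).

    Simplified ordering: '1.3.3c' sorts after '1.3.3', '5.0.51a-3ubuntu5' after
    '5.0.51'. Distribution-specific rules (epochs, tildes) are not modelled.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def upper_bound(version):
    """Nmap may report a range ('8.3.0 - 8.3.7'); use the highest candidate so a
    service is flagged only when every version it could be is below the fix."""
    return version.split(" - ")[-1].strip()


def find_outdated(xml_text, fixed_in=FIXED_IN):
    """Return (port, product, reported version, fixed version) for each open
    service whose version is below the fixed version in the lookup table."""
    findings = []
    for row in open_services(xml_text):
        fix = fixed_in.get(row["product"])
        if fix is None or not row["version"]:
            continue  # unknown product, or no version string to compare
        if version_key(upper_bound(row["version"])) < version_key(fix):
            findings.append((row["port"], row["product"], row["version"], fix))
    return findings


if __name__ == "__main__":
    for r in open_services(SAMPLE_XML):
        flag = " (guessed)" if r["guessed"] else ""
        print(f"{r['port']}/{r['proto']:<4} {r['service']:<11} {r['product']} {r['version']}{flag}")
    for port, product, version, fix in find_outdated(SAMPLE_XML):
        print(f"port {port}: {product} {version} is below fixed version {fix}")
```

To run it against the real file, replace `SAMPLE_XML` with the contents of the Zenmap save (`open("scan.xml").read()`). Services flagged with `(guessed)` are the ones Nmap classified from its port table rather than a probe, such as 513/login and 514/shell above, and should be confirmed by hand before they go into the table.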

  3. Based on your research, which vulnerability would you try to use to gain the greatest access to the system. Explain your reasoning. (5 points)

Out of all the vulnerable services listed above, I would take advantage of a vulnerability in SSH 4.7. OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. If they had J-PAKE enabled then this would be the easiest way to access the vulnerable system remotely. Use ssh to connect to the machine and bypass the need for a shared secret to authenticate. From there a backdoor with persistence and elevated privileges can be established to do a number of things.
