This lecture will focus on information leakage from chatty protocols and banners
This exercise will be used to set up access to the laboratory environment. It then aims to explore how an attacker can enumerate vulnerabilities in a set of hosts by making use of commonly available tools. The objective is not so much the exploitation of the hosts present, but familiarity with the tools and the position of an assessor of vulnerabilities in distributed systems.
As the scope we consider all hosts and services available at the laboratory network (10.110.2.0/24 scope). The assessment should not try to penetration test the systems, but small explorations are allowed (Hint: most have interesting mistakes). No data should be corrupted, and no credentials should be modified. Normal operation of the hosts should not be disrupted.
For this purpose you will need a Virtual Machine running the Kali distribution. Kali is a GNU/Linux distribution based on Debian and designed with Security and Privacy in mind. It includes a full portable laboratory for all kinds of cyber security operations, from penetration testing to digital forensics and reverse engineering, but it also includes everything needed to develop your own software or keep your data secure.
Such a distribution is used solely because it already has the required software. A standard Linux distribution may also be used, or even Windows or macOS, provided that students install the software.
We recommend VirtualBox, but any other available virtualization platform may be used. The steps to take into consideration are:
- Download VirtualBox and install it. Take notice that if you are running a Linux distribution and have Secure Boot enabled, you must use the version provided by the distribution packages. The reason is that only those packages provide signed drivers.
- Create a Virtual Machine for a 64-bit Linux guest, with at least 2048MB of RAM.
- Optional: Add a hard disk to the VM in order to persist changes and notes.
- Add the Kali OS ISO as a CDROM.
- Configure one network interface as NAT.
- Start the VM.
- Run Kali from the ISO or install it to the disk.
The lab consists of Virtual Machines running on a restricted environment. In order to access that environment you will need to be connected to the eduroam wireless network, or to connect to the University network through the Checkpoint VPN. For the VPN, please go to go.ua.pt.
On top of the existing connection to the University, you will need an additional VPN to reach the servers.
To connect to the VPN, use the configuration provided by the professor. If you are using MS Windows, OpenVPN GUI is recommended.
The lab VMs are in an isolated network, with addresses in the range 10.110.2.0/24. Only this scope should be used while connected to the VPN.
After the VPN is connected, you should be able to ping 10.110.0.1, which corresponds to the VPN server interface in the laboratory network. Other addresses will be available later.
The first task is to know your environment: how many hosts are available and what services they have. To discover the hosts, you can use any tool that sends packets into the network and elicits a response. An ICMP echo (ping) may be enough, or you can build your own tools using sockets or python scapy, or use
The go-to tool is probably nmap, as it is very powerful and simple to use. Just open the console and write nmap -h or check its manual.
- Want to scan a network? nmap -sn IPRANGE
- Want to scan a host?
- Want to enumerate the version of each service on a host? nmap -sV target
- Want to find the OS of a host? nmap -O target
There are many toggles that change the behavior of this tool. You can make it more or less aggressive (-T), specify ports to scan (-PS), and much more.
- How many hosts are there in the network?
- What operating systems and versions are running?
- Which services are available in each host?
- Based on the service information, do you have recommendations to make?
Save the dumps to your computer and write summary information in your notes.
With nmap -sV it is possible to guess the version of the software running on each VM. This version can be correlated with the information available at public repositories, such as cvedetails, and an initial assessment can be started. In this case, it will be based on public vulnerabilities, expressed as CVEs. Some specific vulnerabilities of custom software, or configuration flaws, may be missed by this assessment. Moreover, hosts can fake the software they run or its version.
- Also enumerate software versions for each server.
- Look for older versions. Do you suspect any specific CVE?
- Look at the versions of the software available. Do you have specific recommendations for the infrastructure owner?
Write your conclusions in your notes and support them with the logs obtained from running the tools.
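The two steps above (saving the nmap dumps, then correlating detected versions with a baseline built from public advisories) can be made repeatable instead of eyeballing the console output. The following script is an added example for this exercise; it is not part of the handout and not nmap's own code. It reads the XML that nmap writes with -oX, lists every open service on live hosts, flags the ones whose version is below a minimum you define, and lists the ones nmap could not fingerprint so you know where a manual banner check is still needed. The XML and the minimum-version table are constructed placeholders: real baseline values would come from the advisories you look up, not from this file.

```python
"""Summarise an nmap -sV -oX dump and flag services below a version baseline.

Added example for the exercise; not part of the handout and not nmap's own code.
SAMPLE_XML is a constructed sample in the shape nmap writes with -oX, and
MIN_VERSION is a hypothetical baseline the assessor maintains from public advisories.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample dump (two live hosts, one down); not real lab output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.110.2.0/24">
  <host><status state="up"/>
    <address addr="10.110.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.110.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.110.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# Hypothetical baseline: lowest version the assessor accepts per product.
# Placeholder numbers; fill them from the advisories you consult (e.g. cvedetails).
MIN_VERSION = {
    "OpenSSH": "8.0",
    "Apache httpd": "2.4.50",
    "vsftpd": "3.0.3",
}


def parse_nmap_xml(xml_text):
    """Return (ip, port, proto, name, product, version) for each open port on a live host."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap reported as down
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            rows.append((ip, int(port.get("portid")), port.get("protocol"), name, product, version))
    return rows


def version_key(v):
    """Turn '2.4.6' into (2, 4, 6) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def find_outdated(rows, baseline=MIN_VERSION):
    """Services whose detected version is strictly below the baseline for that product."""
    findings = []
    for ip, port, _proto, _name, product, version in rows:
        if product in baseline and version and version_key(version) < version_key(baseline[product]):
            findings.append((ip, port, product, version, baseline[product]))
    return findings


def unversioned(rows):
    """Services nmap could not fingerprint: candidates for a manual banner check."""
    return [(ip, port, name) for ip, port, _proto, name, _product, version in rows if not version]


def summary(xml_text=SAMPLE_XML):
    """One line per service, followed by the findings worth writing into your notes."""
    rows = parse_nmap_xml(xml_text)
    lines = ["%-14s %5d/%s %-12s %s %s" % row for row in rows]
    for ip, port, product, version, minimum in find_outdated(rows):
        lines.append("OUTDATED   %s:%d %s %s (baseline %s)" % (ip, port, product, version, minimum))
    for ip, port, name in unversioned(rows):
        lines.append("NO VERSION %s:%d %s; check the banner by hand" % (ip, port, name))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary())
```

Run nmap -sV -oX scan.xml 10.110.2.0/24 and pass the file's contents to summary() to use it on the real lab dump. Remember the caveat from the text: a host can lie about its software and version, so a clean report here does not mean a clean host, and a "NO VERSION" line is a reason to look at the banner yourself.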
An interesting feature of nmap is that it allows running specially crafted scripts that automate many tasks. From the perspective of an assessment, the scripts can test the existence of specific vulnerabilities, or enumerate vulnerabilities based on the versions of the software packages detected.
You can list the scripts available by listing the content of /usr/share/nmap/scripts/. Finally, you can run a script by issuing nmap -sV --script script_name target.
- Use the nmap scripting capability and assess the existence of specific vulnerabilities
- Use the vulners script to enumerate vulnerabilities at a larger scale
- Is any CVE critical? Would you make any recommendation from your assessment? Be realistic, as there is no such thing as perfect security
Other tools besides nmap provide the capabilities to assess how a system is exposed. In particular openvas are popular ones, as they cover a wider range of tests with more depth.
Several other tools (browser and tool add-ons) will enable fingerprinting by analysing the resources used, their names, and their content.
- One host may have another tool to help you with enumeration. Have you found it?
Some of the machines host a webpage and the scope of this assessment also includes such services. Web pages present a completely different challenge as the services provided are richer in terms of functionality, but also more complex and less secure. Web portals are typical paths towards compromising the security of a system.
For this assessment let's focus on assessing issues with configurations and content. The objective is not to explore typical vulnerabilities (SQLi, LFI, IDOR, etc.) as these will be explored in a future assessment.
For now, let's focus on 3 tools:
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
Nikto has many settings to tweak its behaviour, and it will produce a report to a file. The basic usage is something like: nikto -o report.html -Format htm -host target
- Use this tool against the hosts and report the findings
- Take notes about each host
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analysing the response.
DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can use your custom wordlists. DIRB can also sometimes be used as a classic CGI scanner, but remember it is a content scanner, not a vulnerability scanner.
DIRB's main purpose is to help in professional web application auditing, especially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can't look for. It doesn't search for vulnerabilities nor does it look for web contents that can be vulnerable.
To use DIRB you need to provide a target address and a wordlist. An example would be: dirb http://IP/ wordlist
You can find many wordlists at
A limitation of DIRB is that it is bounded by the wordlist. If you choose a wordlist inadequate for the host, it may find nothing. This is why there are several wordlists available there. Other tools such as wfuzz provide additional features.
- Enumerate the web hosts for exposed information
- Is there something wrong with some hosts?
- Save the tool dumps and write summary notes with your findings
WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. This scanner is more specific than the previous ones and only applies to a specific software. You can check its help page with wpscan -h and devise an enumeration against a host. However, the results will only be valid for WordPress installations.
- Find a system running WordPress
- Assess the WordPress installation