Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
192
Figure 74: Add Filter
A new plugin filter appears. To restrict the plugin family to specific checks for Ubuntu, let’s select Plugin Family on the left dropdown and Ubuntu Local Security Checks on the right dropdown.
Figure 75: Combined Plugin Filters
We can then click on Preview Plugins again to list the plugins determined by our filters. After it completes, let’s click on the dropdown and choose Ubuntu Local Security Checks. Nessus displays information about the plugin, including affected Ubuntu versions, a short description, and the patch number, as well as the Plugin ID.
Figure 76: Ubuntu Local Security Check Plugin for CVE-2021-3156
We can get more information by clicking on the plugin. Figure 77 shows the detailed information of the specified plugin.
Figure 79: Detailed Information about the Findings of the specified Plugins
The plugin output also contains information stating that Nessus only used the reported version number of the affected application and that it did not try to confirm the vulnerability by exploiting it in any way. In an assessment, we should verify these kinds of results to check if it is indeed an exploitable vulnerability.
7.3 Vulnerability Scanning with Nmap
This Learning Unit covers the following Learning Objectives:
• Understand the basics of the Nmap Scripting Engine (NSE)
• Perform a lightweight Vulnerability Scan with Nmap
• Work with custom NSE scripts
In this Learning Unit, we will explore the Nmap Scripting Engine (NSE) and how to leverage Nmap as a lightweight vulnerability scanner. In addition, we will learn about the NSE script categories, how to use NSE scripts in Nmap, and how to work with custom NSE scripts.
7.3.1 NSE Vulnerability Scripts
As an alternative to Nessus, we can also use the NSE[335] to perform automated vulnerability scans. NSE scripts extend the basic functionality of Nmap to do a variety of networking tasks. These tasks are grouped into categories around cases such as vulnerability detection, brute forcing, and network discovery. The scripts can also extend the version detection and information gathering capabilities of Nmap.
An NSE script can have more than one category. For example, it can be categorized as safe and vuln, or intrusive and vuln. Scripts categorized as “safe” have no potential impact on stability, while scripts in the “intrusive” category might crash a target service or system. To avoid any stability issues, it’s imperative to check how the scripts are categorized, and we should never run an NSE script or category without understanding the implications. We can determine the categories of a script by browsing the NSE Documentation[336] or locally in the NSE scripts directory.

[335] (Nmap, 2021), https://nmap.org/book/man-nse.html
In this section, we will focus on the vuln category to leverage Nmap as a lightweight vulnerability scanner.
On our Kali VM, the NSE scripts can be found in the /usr/share/nmap/scripts/ directory with the .nse filetype. This directory also contains the script.db file, which serves as an index to all currently available NSE scripts. We can use it to get a list of scripts in the vuln category.
kali@kali:~$
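As an added example (not part of the PWK material), the script below parses a constructed excerpt written in the script.db format and splits the vuln category into scripts that are also tagged safe and scripts tagged intrusive, so the intrusive set can be reviewed before it is ever passed to --script. The script names and categories in the excerpt are illustrative; parse_script_db can be pointed at the real /usr/share/nmap/scripts/script.db instead.

```python
import re

# Constructed excerpt in the format of /usr/share/nmap/scripts/script.db
# (one Lua "Entry" per line). The real file holds several hundred entries.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "afp-path-vuln.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Return {filename: set(categories)} from script.db-style text."""
    scripts = {}
    for match in ENTRY_RE.finditer(text):
        categories = set(re.findall(r'"([^"]+)"', match.group(2)))
        scripts[match.group(1)] = categories
    return scripts


def scripts_in_category(scripts, category):
    """List (sorted) the scripts that carry the given category."""
    return sorted(name for name, cats in scripts.items() if category in cats)


def triage_vuln_scripts(scripts):
    """Split the vuln category into safe checks and intrusive ones.

    A script may be both vuln and safe, or vuln and intrusive; only the
    first group is reasonable to run without reviewing each script.
    """
    vuln = scripts_in_category(scripts, "vuln")
    safe = [n for n in vuln if "safe" in scripts[n]]
    intrusive = [n for n in vuln if "intrusive" in scripts[n]]
    return safe, intrusive


def nmap_script_arg(names):
    """Build the comma-separated value nmap's --script option accepts."""
    return ",".join(n[:-4] if n.endswith(".nse") else n for n in names)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    safe, intrusive = triage_vuln_scripts(db)
    print("vuln + safe:", nmap_script_arg(safe))
    print("vuln + intrusive (review before use):", nmap_script_arg(intrusive))
```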