The external network perimeter is the part of an infrastructure that is attacked most often, so technical specialists are tasked with making it as secure and inaccessible as possible. To do this, penetration testing is performed, one stage of which is scanning the perimeter for vulnerabilities. If you cannot engage professional pentesters, you can independently evaluate the security of your network resources at a basic level and for free. Kali Linux, which ships with the necessary tools, can be used as the distribution for security analysis.
Information provided for informational purposes only. Do not break the law!
First, scan the IP address using Nmap (we assume that we are scanning the gateway):
Nmap has quite a few scanning features that can be combined, for example:
- scan TCP and UDP ports;
- define services;
- collect banners and more.
If you discover open ports, you need to check the services behind them and try to collect as much information about them as possible by adding the -sV switch (service and version detection).
# nmap 192.168.60.50 -sV
Nmap supports a huge number of scripts written in Lua. With the following command, we launch the default script set against the specified ports. This set includes scripts that determine the user account under which a service runs, collect web server banners, check for anonymous access to an FTP server, etc.:
# nmap 192.168.60.50 -sC -p 21,22,53,80,3389
And, of course, let’s scan the UDP ports:
# nmap 192.168.60.50 -sU
In addition, pay attention to the vulscan script, which extends Nmap with vulnerability-scanner functionality by matching detected service versions against Exploit-DB, CVE, OpenVAS and other databases.
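Once the scans above have been run, the practical question for a defender is which of the discovered services are actually supposed to be reachable from outside. The following script is an added example (not part of the original post): it parses the XML that Nmap writes with -oX, keeps only open ports, and flags any that are not on an allowlist of expected perimeter services. The XML sample and the allowlist are constructed for this example.

```python
"""Triage `nmap -sV -oX` results: list open services and flag the ones that
are not on the expected perimeter allowlist (added example, constructed data)."""
import xml.etree.ElementTree as ET

# Constructed sample in the format Nmap writes with -oX (not output of a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.60.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="21"><state state="filtered"/>
        <service name="ftp"/></port>
    </ports>
  </host>
</nmaprun>"""

# Services this perimeter is meant to expose (an assumption made for the example).
EXPECTED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


def parse_open_ports(xml_text):
    """Return [(addr, proto, port, service, product, version)] for open ports only."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports expose no service
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            results.append((addr, port.get("protocol"), int(port.get("portid")),
                            attrs.get("name", ""), attrs.get("product", ""),
                            attrs.get("version", "")))
    return results


def unexpected_exposures(xml_text, expected=EXPECTED):
    """Open ports not on the allowlist: each needs a justification or a firewall rule."""
    return [r for r in parse_open_ports(xml_text) if (r[1], r[2]) not in expected]


if __name__ == "__main__":
    for addr, proto, port, name, product, version in unexpected_exposures(SAMPLE_NMAP_XML):
        print(f"{addr} {proto}/{port} {name} {product} {version}".rstrip())
```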
For services such as SSH, FTP, MySQL, MSSQL, RDS, etc., you can try brute-forcing to obtain accounts. More details on how to perform brute-force attacks with different tools can be found here.
SSH (port 22)
# hydra -l user -P /root/passlist.lst ssh://192.168.60.50
MSSQL (port 1433)
# hydra -l sa -P /root/passlist.lst mssql://192.168.60.50
RDS (port 3389)
# patator rdp_login host=192.168.60.203 user=test_user password=FILE0 0=passlist.lst -x ignore:code=131
In the latter case we chose Patator, because Hydra currently cannot brute-force passwords for RDS. The username to try is specified in the user parameter, and the dictionary is supplied through the FILE0 parameter. We also add the -x parameter, which filters responses by code and ignores all answers with code 131.
In addition, it is recommended to use vulnerability scanners such as OpenVAS or Nessus. They scan the target host and look for all kinds of “entry points”, providing a detailed report. For example, OpenVAS scans open ports, sends specially formed packets to simulate an attack, or even logs on to a node, gains access to the management console and executes commands on it. Upon completion, OpenVAS analyzes the collected data and draws conclusions about the presence of any security problems related, in most cases, to the lack of recent updates or misconfiguration.
To scan web applications for vulnerabilities, various tools are available in Kali Linux. As a rule, specialized scanners designed for a specific purpose are used. For example, if a web application runs on the WordPress CMS, you can analyze it with WPScan, which can determine the CMS version, the installed components and the plugins. If any of the components have known vulnerabilities, the output also contains links to the vulnerability descriptions and exploits.
# wpscan --url http://192.168.60.50 --random-user-agent
The random-user-agent switch may be needed to change the User Agent header to try to bypass the security features during scanning. Nevertheless, we recommend temporarily adding the address from which the scan is made to the list of exceptions for a more accurate analysis.
Nikto is designed to search for default and insecure files, configurations, and programs on any type of web server. Wapiti analyzes the site structure, looks for available attack scenarios, analyzes the parameters, and then starts its fuzzer, with which it detects vulnerabilities.
Wapiti's arsenal includes techniques for detecting injections; XSS; CRLF bugs (HTTP Response Splitting); errors in file handling (RFI/LFI, fopen, readfile), etc. You can run it with the command:
# wapiti http://example.com/about -u -v 2 -o /home/outfile.html
- -u – highlight detected vulnerabilities with color;
- -v 2 – show all vulnerabilities;
- -o – the path to create the report.
It happens that all the main ports turn out to be closed or filtered during scanning, but UDP port 500 is open for establishing IPSec connections, which give access to the company's internal resources. Using the ikeforce utility, attacks on IPSec community strings can be carried out. ikeforce can also obtain a hash for an offline brute-force attack. Example usage in enumeration mode:
# python ikeforce.py 192.168.60.50 -e -w wordlist.txt -t 5 2 1 2
- -e – enumeration mode;
- -w – path to the dictionary for the search;
- -t – select encryption options, hash types, authorization, etc.
The situation with OpenVPN is similar to IPSec, only in this case UDP port 1194 will most likely be open, and it can also become an attack vector. Using the openvpn-brute script, a brute-force attack can be performed to obtain an account for connecting to the VPN and, accordingly, gaining access to less protected internal corporate resources.
./openvpn_brute_force.sh ovpn_dict Office-2.conf
- ovpn_dict – the path to the dictionary of username:password pairs for enumeration, separated by a colon;
- Office-2.conf – path to the configuration file for connecting to the VPN.
If the company uses wireless networks, attackers can take advantage of this to attack connected clients and the company's internal resources. Kali Linux also provides a toolkit for testing wireless networks.
With some of them, for example Wifite, you can fully automate the testing of a wireless network. With others, for example Aircrack-ng, all stages of testing have to be carried out manually.
It is also important to understand that this kind of testing often requires additional equipment: wireless adapters that can work in monitoring mode (promiscuous mode), which is a prerequisite for intercepting traffic. Only adapters with suitable chipsets are usable, and you will have to choose according to their specification. These can be fairly expensive Alfa devices as well as ordinary ones: laptop built-in or USB adapters.
If the right adapter is selected, then you can start testing. First you need to put the device into monitoring mode with the command:
# airmon-ng start wlan0
If everything is correct, the interface name changes to include the suffix mon. Now you can scan the air for the corporate access point:
# airodump-ng wlan0mon
Having captured the handshake of a client connecting to the access point and saved it to a file, you can proceed to enumerate passwords from a dictionary:
# aircrack-ng /root/1.cap -w /usr/share/john/password.lst
- /root/1.cap – path to the saved handshake file;
- -w – the switch that specifies the password dictionary for the search.
If WPA2-Enterprise is used as the security protocol, we recommend looking at the eaphammer tool, which is designed for testing this protocol.
Specializing in practical information security, we search for vulnerabilities in secured Internet resources, speak at international forums, develop Nemesida WAF, and have launched the unique Test lab: free penetration testing laboratories attended by professionals from all over the world.
Stay healthy and protected!