Introduction

Vulnerability mapping is an activity carried out to identify security flaws which can result in the compromise of a system. Sometimes researchers will use the term “vulnerability assessment” instead of “vulnerability mapping.” They are, however, the same thing.

In pentesting and malicious hacking, vulnerability mapping is a step that follows after the tester or hacker has adequately conducted information gathering and enumeration of the target network or host.

In this article, we will look at how various tools within the Kali Linux Operating System can be implemented to discover vulnerabilities that could lead to compromising targets and thus result in the hacker or penetration tester violating the confidentiality, integrity and availability of a business system.

Vulnerability Types

Today, three main classes of vulnerabilities exist from which a clear distinction can be made. The three classes are:

  • Design vulnerabilities: These stem from weaknesses in the software's specification or design. They are by far the most cumbersome to resolve, since fixing them requires patches driven by the security requirements the pentester identifies.
  • Implementation vulnerabilities: Whenever glitches within software code are discovered, they are classified here.
  • Operational vulnerabilities: These vulnerabilities will result from improper configuration and deployment of software.

The classes of vulnerabilities above will either occur locally or remotely within the target environment.

Local vulnerabilities will require the tester or attacker to have local access to the target system in order to exploit them. A good example of this is the CVE-2013-0232, otherwise known as GP Trap Handler nt!KiTrap0D, which would allow an attacker or tester with access to a vulnerable Windows Server 2008 machine to gain escalated privileged access.

Remote vulnerabilities allow for exploitation to occur without physical access to the target system. These could occur from the Internet or within the network on which the vulnerable system sits. One common example of this is the MS08-067 Windows Server Service vulnerability, which affects Windows XP systems.

Vulnerability Taxonomy

As the number of technologies increases daily, there have been numerous attempts to design a taxonomy that could best cater for commonly-identifiable vulnerabilities. Despite these efforts, it really still is not possible to account for all coding mistakes that can be made.

Organizations have come up with the following standards that have even been implemented in many tools that can be utilized while searching for vulnerabilities.

Security taxonomy                  Resource link
Common Weakness Enumeration        http://cwe.mitre.org/data/index.html
OWASP Top 10                       https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
WASC Threat Classification         http://projects.webappsec.org/w/page/13246978/Threat%20Classification
National Vulnerability Database    https://nvd.nist.gov/vuln
Google Hacking Database (GHDB)     https://www.exploit-db.com/google-hacking-database/

Vulnerability Scanning with Kali Linux

Kali Linux comes bundled with numerous tools for the penetration tester. Some of these tools can effectively be used during a pentest engagement to carry out vulnerability mapping across the three classes discussed above.

Web Application Vulnerability Scanning

Web applications are being created daily, yet most programmers do not observe the secure coding principles that need to be followed while designing them. The following tools allow a developer or pentester to discover vulnerabilities of the kinds catalogued in the resources listed in the table above.

1. Nikto2

Nikto2 is a very simple web application vulnerability scanner built on LibWhisker2, from which it inherits numerous capabilities. For instance, it can be deployed cross-platform, it supports SSL, it can handle host authentication via NTLM and it can even attempt IDS evasion.

Launching Nikto against a host with the command “nikto -h [target]”, as shown above, returns results that vary depending on how vulnerable the target is. You can be sure that Nikto will detect outdated server implementations, default installer files, server misconfigurations and numerous other security issues. You can also specify the port by appending “-p [port_number]” after the target in order to look for issues on the desired ports.

2. OWASP ZAP

The OWASP Zed Attack Proxy (ZAP) is created by the OWASP project, one of the organizations listed in the table above. It is an open-source web application proxy tool and offers useful functionality such as web application vulnerability scanning.

On Kali Linux, you simply start it by issuing the command below in the terminal:

#owasp-zap

You will be presented with the main screen. Performing a scan is quite simple, though. You would issue the target to be scanned as shown below:

Once you hit the “Attack” button, the scanning will commence, and you will see some activity in the section below on your screen.

OWASP ZAP crawls the target website looking for vulnerabilities. It will also identify some misconfigurations that will appear within the Alerts tab, so keep an eye on that tab as well. OWASP ZAP will allow you to narrow down to affected links, as shown below:

A commercial competitor to ZAP is BurpSuite, which offers similar functionality with its free version but much more in its commercial version.

3. Nessus

Nessus will provide you with automated Web application vulnerability scanning for those situations where you are limited in time and need a quick vulnerability assessment or pentest.

Nessus can be run for free with limited capabilities, or as a commercial tool with much more capabilities that can come in handy — especially for large pentest teams and engagements.

To perform a vulnerability scan, you would first need to install the free version of Nessus, then navigate your browser to https://localhost:8834. See below:

You would then hit the “New Scan” button above and select the type of scan to perform from the numerous templates available.

The templates shown above are limited in the free version of Nessus; the commercial version offers many more, with greater capability.

You would then issue your targets. Nessus is capable of performing scans on multiple targets separated by commas or issued in CIDR format.

Once you are done filling out the required fields, you will be presented with the screen above. Click the “play” icon to launch your scan.

Vulnerabilities will be presented as in the screen above, summarizing the severity and number of instances of the issues discovered.

Nessus even allows you to drill down to specific hosts and vulnerabilities and get more information on how they were discovered, together with recommendations on how to patch identified risks.

Network Vulnerability Scanning

Kali Linux also provides tools that are capable of scanning network devices and services such as databases, routers and switches, as well as protocols such as SNMP and SMB. There are numerous tools, but we will take a look at the most common.

1. CISCO Analysis

CISCO devices are susceptible to a number of vulnerabilities that can be assessed with a couple of tools. When auditing routers, Kali Linux ships with the Cisco Auditing Tool (CAT), which can help an attacker or penetration tester identify vulnerabilities ranging from SNMP community strings to old CISCO bugs and default credentials that can be used to gain illegal access to the router.

To test our host on Kali, we executed the command below:

#CAT -h 192.168.67.73 -w lists/community -a lists/passwords -i

CAT proceeds to audit for default credentials and SNMP community strings as shown above.

2. SNMP Analysis

Kali Linux also allows attackers and pentesters to obtain information from hosts via the Simple Network Management Protocol (SNMP). This can be extremely valuable in preparing further attacks targeting the host.

On our attacking machine, we executed the command below and were able to get a ton of information about our target.

As can be seen above, we were able to identify the Ethernet card information, how long the system had been connected via that card, the host name and, as shown below, the number of network interfaces with their respective information.

Database Assessment in Kali Linux

Kali Linux allows the testing of MySQL, Oracle and Microsoft’s MSSQL databases for vulnerabilities such as SQL injection. Tests on password policies and default password checks are also supported by some tools.

1. SQLMap

SQLMap is a neat tool within Kali Linux that is capable of performing various SQL injection tests against a number of database engines such as PostgreSQL, MSSQL, Oracle and MySQL. It is capable of detecting as well as exploiting the detected flaws, making it a very common tool for attackers and testers. SQLMap can quickly assist you in carrying out the following attacks, which would otherwise be difficult and time-consuming:

  • Inferential blind SQL injection
  • UNION query SQL injection
  • Stacked query SQL injection
  • Time-based blind SQL injection

On our Kali Linux system, we executed the command below to attempt to discover information about our underlying database within our target system.

# sqlmap -u "http://192.168.0.30/mutillidae/index.php?page=view-someones-blog.php" --forms --batch --dbs

The result above shows us the available databases and also lets us know the injectable parameters within our Web application at the given URL.

To find the contents of the database “owasp10,” we would issue the command below:

# sqlmap -u "http://192.168.0.30/mutillidae/index.php?page=view-someones-blog.php" --forms --batch -D owasp10 --tables

The option -D specifies the database to use and --tables asks SQLMap to list the available tables.

SQLMap offers much more functionality than can be covered here; consult the help documentation with the command “sqlmap -h”.

Other tools similar in functionality to SQLMap also exist, such as SQLNinja.
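To show what SQLMap's UNION query test is actually detecting in an application like the one scanned above, here is an added example (not from the article or from the SQLMap project) with a query built by string concatenation beside its parameterized form. It uses an in-memory SQLite database with constructed tables as a stand-in for the target's MySQL backend; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample schema standing in for a blog page's backend;
# nothing here comes from the article's target. The password value
# is a placeholder.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE blogs (id INTEGER, author TEXT, entry TEXT)")
    cur.execute("CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT)")
    cur.executemany("INSERT INTO blogs VALUES (?, ?, ?)",
                    [(1, "alice", "hello"), (2, "bob", "world")])
    cur.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [(1, "admin", "placeholder-secret")])
    conn.commit()
    return conn


def view_blog_vulnerable(conn, author):
    # The defect: the user-supplied value is spliced into the SQL text,
    # so a value containing SQL is parsed as SQL. This is the flaw
    # behind the UNION query injection that SQLMap reports.
    sql = "SELECT author, entry FROM blogs WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def view_blog_hardened(conn, author):
    # The fix: a bound parameter. The value is passed to the engine
    # separately from the statement and is never parsed as SQL.
    sql = "SELECT author, entry FROM blogs WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


# A probe of the kind a UNION test sends: it closes the string literal,
# appends a second SELECT over another table and comments out the rest.
UNION_PROBE = "x' UNION SELECT username, password FROM accounts --"


def demo():
    """Return (rows from the vulnerable query, rows from the hardened one)."""
    conn = build_db()
    leaked = view_blog_vulnerable(conn, UNION_PROBE)   # rows from 'accounts'
    safe = view_blog_hardened(conn, UNION_PROBE)       # no author matches
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

For ordinary input both functions return the same rows, which is why this class of bug survives functional testing and is only caught by scanners such as SQLMap or by code review for unparameterized queries.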

Conclusion

After you have mapped the vulnerabilities using the tools discussed above, you can proceed to the next phase, which during a penetration test or attack would be exploitation. However, you may only be interested in enumerating vulnerabilities for a vulnerability assessment; in that case, the tools above will suffice.


Sources

  1. Penetration Testing Tools Cheat Sheet, HighOn.Coffee
  2. CWE List Version 3.1, CWE
  3. OWASP Top Ten, OWASP
  4. The WASC Threat Classification v2.0, The Web Application Security Consortium
  5. National Vulnerability Database, NIST
  6. Google Hacking Database (GHDB), Exploit Database