I started answering this question last night and stupidly closed the window. Anyhow, j0rdy hit it spot on, so let me elaborate a bit more. Imagine that as a security manager you're tasked with an allocated budget to protect your network/infrastructure. You hire someone to perform a vulnerability assessment. After some time the assessor yields the following:
Not shown: 989 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open unknown
1026/tcp open LSA-or-nterm
1027/tcp open IIS
5357/tcp open unknown
8222/tcp open unknown
8333/tcp open unknown
MAC Address: 00:14:C1:4C:XX:XX (MISINFOWARFARE)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008
OS details: Microsoft Windows Server 2008 SP1
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=6/16%OT=80%CT=%CU=%PV=Y%DS=1%G=N%M=0014C1%TM=4C18C945%P=i6
OS:86-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10E%TI=I%II=I%SS=S%TS=7)OPS(O1=M5B4
OS:NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=
OS:M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=
OS:Y%TG=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=N)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=Z)
Uptime guess: 400.988 days
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Any vulnerability assessment tool is going to give you a lot of information on this machine similar to nmap output, with the risks associated with those services running on those ports. So here I go assessing and attempting to penetrate my machine, since OpenVAS thinks my machine is a ticking time bomb and it lists EPMAP as high on the "exploitable" scale:
Open Ports 22/tcp 80/tcp 135/tcp 137/udp 139/tcp 445/tcp 902/tcp 912/tcp 1025/tcp 1026/tcp 1027/tcp 1028/tcp 1068/tcp 5357/tcp 8222/tcp
epmap (135/tcp) High
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one Worm which is
currently exploiting this vulnerability. Namely, the MsBlaster worm.
Solution: see
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nothing for epmap here...
msf > search epmap
[*] Searching loaded modules for pattern 'epmap'...
msf >
OpenVAS + Nessus and a few other tools label this machine as being swiss cheese (a lot of holes). The output from a vulnerability assessment might make a manager spend resources (time is money) and/or unnecessary money trying to protect this machine. "OMG that machine is so ownable... You need Security Protection X (firewall, IDS, IPS, etc.)" Just getting information from an assessment is useless. Now here is the deal when I pentested against this "ticking time bomb" machine. Was I able to get in? Absolutely not. Let's try the low-hanging fruit with Metasploit:
sil@axios:# svn update
U scripts/meterpreter/gettelnet.rb
U scripts/meterpreter/getgui.rb
U scripts/meterpreter/persistence.rb
U lib/msf/core/auxiliary/auth_brute.rb
U modules/auxiliary/scanner/http/wordpress_login_enum.rb
U modules/auxiliary/scanner/ftp/ftp_login.rb
U modules/auxiliary/scanner/smb/smb_login.rb
U modules/auxiliary/scanner/telnet/telnet_login.rb
U modules/auxiliary/scanner/mssql/mssql_login.rb
U modules/exploits/multi/handler.rb
D modules/exploits/windows/browser/ms_visual_studio_msmask.rb
U modules/exploits/windows/browser/ms09_002_memory_corruption.rb
A modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb
U modules/exploits/windows/browser/ms08_078_xml_corruption.rb
U modules/exploits/windows/browser/ms06_067_keyframe.rb
U modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb
U modules/exploits/windows/iis/ms01_026_dbldecode.rb
U data/meterpreter/meterpreter.php
Updated to revision 9532.
sil@axios:# ./msfconsole
=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 567 exploits - 271 auxiliary
+ -- --=[ 272 payloads - 26 encoders - 8 nops
=[ svn r9532 updated today (2010.06.15)
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_connect pwnThisBox
msf > db_nmap -P0 -sS solidsound
Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-16 09:40 EDT
Interesting ports on solidsound (xxx.68.51.144.in-addr.arpa):
Not shown: 989 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open unknown
1026/tcp open LSA-or-nterm
1027/tcp open IIS
5357/tcp open unknown
8222/tcp open unknown
8333/tcp open unknown
MAC Address: 00:14:C1:4C:XX:XX (MISINFOWARFARE)
Nmap done: 1 IP address (1 host up) scanned in 5.22 seconds
msf > db_autopwn -p -t -e
LOT OF OUTPUT HERE
[*] (143/143 [0 sessions]): Waiting on 0 launched modules to finish execution...
[*] The autopwn command has completed with 0 sessions
msf >
No low-hanging fruit via the most common exploits. From an unstructured penetration test any random hacker is going to walk away from this box. How about taking it to another extreme with Canvas + VulnDisco + private zero-day?
[ Wed Jun 16 09:00:53 2010 ](solidsound/32) Trying MS SQL Injection Routines
[ Wed Jun 16 09:01:00 2010 ](solidsound/32) Scanning with NETDDE through Netbios (MS04-031)
[ Wed Jun 16 09:01:01 2010 ](solidsound/32) (139) NETDDE through Netbios (MS04-031): Possible Not Vulnerable
[ Wed Jun 16 09:01:01 2010 ](solidsound/32) Trying PacerCMS 0.6 Remote Code Execution
[ Wed Jun 16 09:01:07 2010 ](solidsound/32) (80) FP30REG Chunked Heap Overflow (MS03-051): Possible Not Vulnerable
[ Wed Jun 16 09:01:07 2010 ](solidsound/32) Not a remote exploit: msimpersonate (MS04-044)
[ Wed Jun 16 09:01:07 2010 ](solidsound/32) Running FP30REG.DLL Chunked Heap Overflow (MS03-051)
[ Wed Jun 16 09:01:07 2010 ](solidsound/32) Scanning with FP30REG Chunked Heap Overflow (MS03-051)
[ Wed Jun 16 09:01:07 2010 ](solidsound/32) Trying FP30REG.DLL Chunked Heap Overflow (MS03-051)
[ Wed Jun 16 09:01:08 2010 ](solidsound/32) (0) Windows Server Service Overflow (MS06-040): Possible Not Vulnerable
[ Wed Jun 16 09:01:08 2010 ](solidsound/32) Scanning with Windows Server Service Overflow (MS06-040)
[ Wed Jun 16 09:01:09 2010 ](solidsound/32) (445) Windows Server Service Underflow (MS08-067): Possible Not
[ Wed Jun 16 09:01:09 2010 ](solidsound/32) Scanning with Windows Server Service Underflow (MS08-067)
[ Wed Jun 16 09:03:13 2010 ](solidsound/32) Not a remote exploit: Microsoft IE 7 url-handling error (MS07-061)
[ Wed Jun 16 09:03:13 2010 ](solidsound/32) Not a remote exploit: Microsoft Speech API 4v (MS07-033)
[ Wed Jun 16 09:03:14 2010 ](solidsound/32) Autohack considered module MSRPC Crash not suitable for remote os
[ Wed Jun 16 09:03:14 2010 ](solidsound/32) Module umpnp_dos (MS05-047) is banned
[ Wed Jun 16 09:03:14 2010 ](solidsound/32) Not a remote exploit: WMF SetAbort (MS06-001)
[ Wed Jun 16 09:03:14 2010 ](solidsound/32) Running MSASN1.DLL bitstring decoding heap overwrite
[ Wed Jun 16 09:03:14 2010 ](solidsound/32) Trying MSASN1.DLL bitstring decoding heap overwrite
[ Wed Jun 16 09:03:14 2010 ](solidsound/32) Trying [0day] MSRPC Crash (INSTANTREPLAY)
[ Wed Jun 16 09:03:19 2010 ](solidsound/32) Running MS Exchange 2000 contains a heap overflow flaw when handling
[ Wed Jun 16 09:03:19 2010 ](solidsound/32) Scanning with MS Exchange 2000 MS05-021 X-LINK2STATE heap overflow
[ Wed Jun 16 09:03:19 2010 ](solidsound/32) Trying MS Exchange 2000 contains a heap overflow flaw when handling
[ Wed Jun 16 09:03:24 2010 ](solidsound/32) (25) MS Exchange 2000 MS05-021 X-LINK2STATE heap overflow: Possible
[ Wed Jun 16 09:03:30 2010 ](solidsound/32) Trying Fuzzer for MSRPC Endpoints
[ Wed Jun 16 09:03:35 2010 ](solidsound/32) Scanning with MSSQL Hello Stack Overflow (MS02-056)
[ Wed Jun 16 09:03:35 2010 ](solidsound/32) Trying MS SQL Hello Stack Overflow
[ Wed Jun 16 09:03:36 2010 ](solidsound/32) Module Windows Server Service Double Free (MS09-041) is banned
[ Wed Jun 16 09:03:36 2010 ](solidsound/32) Skipped module MS SQL Hello Stack Overflow
[ Wed Jun 16 09:03:48 2010 ](solidsound/32) Not a remote exploit: MS09-061 Microsoft .NET CAS Type Verification
[ Wed Jun 16 09:03:48 2010 ](solidsound/32) Trying MS09-061 Microsoft .NET CAS Type Verification Vulnerability
[ Wed Jun 16 09:03:54 2010 ](solidsound/32) MSRPC Exploit scanning: [(135, 140), (445, 446), (1025, 1030)]
[ Wed Jun 16 09:03:59 2010 ](solidsound/32) MSRPC exploit attacking ncacn_ip_tcp:solidsound[135]
[ Wed Jun 16 09:04:01 2010 ](solidsound/32) MSRPC exploit attacking ncacn_np:solidsound[\lsarpc]
[ Wed Jun 16 09:04:02 2010 ](solidsound/32) MSRPC exploit attacking ncacn_ip_tcp:solidsound[1026]
[ Wed Jun 16 09:04:02 2010 ](solidsound/32) MSRPC exploit attacking ncacn_ip_tcp:solidsound[1027]
[ Wed Jun 16 09:04:03 2010 ](solidsound/32) (80) iis5asp (MS01-023): Possible Not Vulnerable
[ Wed Jun 16 09:04:03 2010 ](solidsound/32) Scanning with iis5asp (MS01-023)
[ Wed Jun 16 09:04:14 2010 ](solidsound/32) Not a remote exploit: GREENAPPLE (MS05-011)
[ Wed Jun 16 09:04:14 2010 ](solidsound/32) Not a remote exploit: LPC local (MS07-021)
[ Wed Jun 16 09:04:15 2010 ](solidsound/32) Running MSRPC MESSENGER Heap Overflow
[ Wed Jun 16 09:04:15 2010 ](solidsound/32) Scanning with MSRPC MESSENGER Heap Overflow (MS03-043)
[ Wed Jun 16 09:04:15 2010 ](solidsound/32) Trying MSRPC MESSENGER Heap Overflow
[ Wed Jun 16 09:04:22 2010 ](solidsound/32) (135) Microsoft Windows RPC Interface Overflow (MS03-026): Possible
[ Wed Jun 16 09:04:22 2010 ](solidsound/32) Not a remote exploit: Windows Animated Cursor Overflow (MS07-017)
[ Wed Jun 16 09:04:22 2010 ](solidsound/32) Scanning with Microsoft Windows RPC Interface Overflow (MS03-026)
[ Wed Jun 16 09:04:26 2010 ](solidsound/32) Scanning with iis_doubledecode (MS01-026)
[ Wed Jun 16 09:04:27 2010 ](solidsound/32) (80) iis_doubledecode (MS01-026): Possible Not Vulnerable
[ Wed Jun 16 09:04:32 2010 ](solidsound/32) Module msdtc MIDL_user_allocate bug (MS05-051) is banned
[ Wed Jun 16 09:04:32 2010 ](solidsound/32) Scanning with MSSQL (Null) Auth Connect
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) (25) MS Exchange 2000 XEXCH50 integer overflow (ms03-046): Possible
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Not a remote exploit: RDS Datastore (MS06-014)
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Running 1024 CMS <= 1.4.4 Remote File Include
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Running MS Exchange 2000 contains a flaw when handling the XEXCH50
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Scanning with MS Exchange 2000 XEXCH50 integer overflow (ms03-046)
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Scanning with MSSQL Resolver Stack Overflow (MS02-056)
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Skipped module MS SQL Resolver Stack Overflow
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Trying MS Exchange 2000 contains a flaw when handling the XEXCH50
[ Wed Jun 16 09:04:33 2010 ](solidsound/32) Trying MS SQL Resolver Stack Overflow
[ Wed Jun 16 09:04:39 2010 ](solidsound/32) Not a remote exploit: GDIWrite4 (MS07-017)
[ Wed Jun 16 09:04:45 2010 ](solidsound/32) Not a remote exploit: Microsoft IE 7 url-handling error (MS07-061)
[ Wed Jun 16 09:04:45 2010 ](solidsound/32) Scanning with smartag_word (MS06-027)
[ Wed Jun 16 09:05:00 2010 ](solidsound/32) Not a remote exploit: MS Internet Explorer XML Parsing Vulnerability
[ Wed Jun 16 09:05:00 2010 ](solidsound/32) Scanning with WINS Pointer hijacking exploit (MS04-045)
[ Wed Jun 16 09:05:00 2010 ](solidsound/32) Trying MS Internet Explorer XML Parsing Vulnerability
[ Wed Jun 16 09:05:00 2010 ](solidsound/32) Trying MS SQL Resolver Ping
Nope, Canvas wasn't able to get in either. I could try plenty of other tools and exploits, but I know the box is solid for now. So from a penetration testing perspective, I know it's not worth spending money to lock down that machine. I know this because, from an exploitability factor, there are no KNOWN mechanisms to get in. This would not defend against zero-days, but a fix for me would be to perhaps do something simple like use the Windows Firewall for protection, perhaps install Snare on the machine for reporting, etc. I do factually know that this box is not as holey as a vulnerability assessment made it out to be.
In order to understand this a bit more, try to understand security concepts from a cost perspective. Which do you honestly think is a better bang for your buck? Anyone can run vulnerability assessment AND penetration testing tools. In most cases of a "vulnerability" assessment, it's pointless if you ask me.
Consider the following: Someone walks down the street and tells you "Your door is open... someone can walk right in." Yet that's all they see from the outside scope. How do they know whether or not that's nothing more than a foyer they're seeing, and whether there is or isn't another door not visible? How would they know whether a Rottweiler or an armed psychopath isn't waiting inside for someone to peek in? They don't and they can't. All they're telling you is: "Your door is open... Someone can walk in." This is a vulnerability assessment. A pentest is someone either showing you your jewelry, television, etc., or telling you: "I saw the door open and I tried to go in..." They either got in and walked off with your most prized possessions, or they couldn't get in.
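The answer above is about the gap between a scanner flagging a finding because a service is listening and a pentester confirming whether it is actually exploitable. The script below is an added example, not part of the original answer or of any scanner's own code: it parses the kind of nmap output shown in the answer and triages scanner findings by asking the two questions a pentester asks before spending time on one: is the port really open, and does the fingerprinted OS fall in the bulletin's affected range? The affected-platform lists for MS03-026 (NT 4.0, 2000, XP, Server 2003), MS08-067 (2000, XP, Server 2003, Vista, Server 2008) and MS01-026 (IIS 4.0/5.0 on NT 4.0/2000) are from the Microsoft bulletins; the `Finding` records, the verdict names, the function names and the sample text are this example's own assumptions.

```python
"""Triage scanner findings by how much evidence actually supports them.

Added example, not part of the original answer or of any scanner's own
code. Parses nmap normal output into a host profile, then sorts findings
into: attempt (open port on an affected platform, so worth an exploit
attempt), downgrade (reliable OS fingerprint outside the affected range),
unverifiable (nmap itself distrusts the OS guess), or drop (port not open).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the nmap output quoted in the answer.
NMAP_OUTPUT = """\
Not shown: 989 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Running: Microsoft Windows 2008
OS details: Microsoft Windows Server 2008 SP1
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class HostProfile:
    ports: dict = field(default_factory=dict)  # (port, proto) -> (state, service)
    os_details: str = ""
    os_reliable: bool = True  # cleared when nmap warns about its own OS guess


def parse_nmap(text: str) -> HostProfile:
    """Pull port states and the OS guess out of nmap's normal output."""
    prof = HostProfile()
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            prof.ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
        elif line.startswith("OS details:"):
            prof.os_details = line.split(":", 1)[1].strip()
        elif line.startswith("Warning: OSScan results may be unreliable"):
            prof.os_reliable = False
    return prof


@dataclass(frozen=True)
class Finding:
    bulletin: str
    port: int
    proto: str
    affected_os: tuple  # substrings of nmap's "OS details" the bulletin covers


# Hypothetical scanner findings keyed on a listening service, the way the
# epmap/MS03-026 hit in the answer was. Affected platforms are from the bulletins.
FINDINGS = [
    Finding("MS03-026", 135, "tcp", ("NT 4.0", "Windows 2000", "Windows XP", "Server 2003")),
    Finding("MS08-067", 445, "tcp", ("Windows 2000", "Windows XP", "Server 2003", "Vista", "Server 2008")),
    Finding("MS01-026", 80, "tcp", ("NT 4.0", "Windows 2000")),
]


def triage(finding: Finding, prof: HostProfile) -> str:
    """Return one of: attempt, downgrade, unverifiable, drop."""
    entry = prof.ports.get((finding.port, finding.proto))
    if entry is None or entry[0] != "open":
        return "drop"          # the service the finding depends on is not reachable
    if any(tag in prof.os_details for tag in finding.affected_os):
        return "attempt"       # open port on an affected platform: this is what a pentest tests
    if not prof.os_reliable:
        return "unverifiable"  # nmap does not trust its OS guess; confirm the OS before spending
    return "downgrade"         # reliable fingerprint outside the bulletin's affected range


def triage_all(text: str) -> dict:
    """Map every finding's bulletin ID to its verdict for the host in `text`."""
    prof = parse_nmap(text)
    return {f.bulletin: triage(f, prof) for f in FINDINGS}


if __name__ == "__main__":
    for bulletin, verdict in triage_all(NMAP_OUTPUT).items():
        print(f"{bulletin}: {verdict}")
```

On the host from the answer, MS08-067 comes out as "attempt" (445 open, Server 2008 is in range), which is exactly the check Canvas ran and reported as not vulnerable; MS03-026 comes out as "unverifiable" rather than "high", because nmap warned that its OS guess was unreliable and Server 2008 is outside the bulletin's range anyway. The point is that a verdict tied to evidence tells a manager where to spend, where a port-based "High" does not.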