VulnerabilityAssessment.txt
The calculation of a CVSS v3.1 score takes into account all the metrics discussed in this section. The National Vulnerability Database has a calculator available to the public here:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
For example, the Windows Print Spooler Remote Code Execution Vulnerability has a CVSS base score of 8.8. The value chosen for each metric can be referenced here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
quesadilla123@htb[/htb]$ sslscan example.com
<SNIP>
Preferred TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 256 bits AES256-SHA
<SNIP>
Note: To run a credentialed scan on the target, use the following credentials: htb-student_adm:HTB_@cademy_student! for Linux, and administrator:Academy_VA_adm1! for Windows. These scans have already been set up in the Nessus target to save you time.
Scripts such as the nessus-report-downloader can be used to quickly download scan results in all available formats from the CLI using the Nessus REST API:
Nessus gives us the option to export scan results in a variety of report formats. It can also export the raw Nessus scan results so they can be imported into other tools, archived, or passed to tools such as EyeWitness, which takes screenshots of all web applications identified by Nessus and greatly assists us in working through the results and finding more value in them.
It is also essential to keep in mind the potential impact of vulnerability scanning on a network, especially on low-bandwidth or congested links. This can be measured using vnstat:
sudo vnstat -l -i eth0
What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)
Open Nessus > basic_authed_windows > SMB Shares Enumeration
wsus
What were the targets for the authenticated scan?
(IP address of the authenticated Windows server)
172.16.16.100
What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?
Click the highest-criticality vulnerability (Log4j); on the right side, under 'Plugin', the ID number is shown.
156032
What is the name of the vulnerability with plugin ID 26925 from the Windows authenticated scan? (Case sensitive)
Change filter > Plugin ID = 26925
VNC Server Unauthenticated Access
What port is the VNC server running on in the authenticated Windows scan?
Click report with VNC Server Unauthenticated Access. Look at Protocol/port section.
5900
What type of operating system is the Linux host running? (one word)
Ubuntu
What type of FTP vulnerability is on the Linux host? (Case Sensitive, four words)
Anonymous FTP Login Reporting
What is the IP of the Linux host targeted for the scan?
172.16.16.160
What vulnerability is associated with the HTTP server? (Case-sensitive)
Cleartext Transmission of Sensitive Information via HTTP