
1.0 Threats, Attacks and Vulnerabilities (21%)


Saturday, June 15, 2019 6:35 AM

1.0 Threats, Attacks, Vulnerabilities Page 1


1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.
Saturday, June 15, 2019 6:39 AM


first need to classify them. Then we need to define how these threats can be delivered to the target computer.
Afterward we can discuss how to prevent security threats from happening and troubleshoot them if they do occur.

MALICIOUS SOFTWARE TYPES


Malware - software designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent. The term includes viruses, worms, Trojan horses, spyware, rootkits, adware, and other types of undesirable software.

- Virus: One well-known example of a virus is the Love Bug (see the table below), or one of several other permutations of this fictitious love letter.
Boot sector: Initially loads into the first sector of the hard drive; when the computer boots, the virus then loads into memory.
Macro: Usually placed in documents and e-mailed to users in the hopes that the users will open the document, thus executing the virus.
Program: Infects executable files.
Encrypted: Uses a simple cipher to encrypt itself. The virus consists of an encrypted copy of the virus code (to help avoid detection) and a small decryption module. Different encrypting keys can be used for each file to be infected, but usually there is only one decrypting code.
Polymorphic: Builds on the concept of an encrypted virus, but the decrypting module is modified with each infection. So, it can change every time it is executed in an attempt to avoid antivirus detection.
Metamorphic: Similar to polymorphic but rewrites itself completely each time it is going to infect a new file in a further attempt to avoid detection.
Stealth: Uses various techniques to go unnoticed by antivirus programs.
Armored: Protects itself from antivirus programs by tricking the program into thinking that it is located in a different place from where it actually resides. Essentially, it has a layer of protection that it can use against the person who tries to analyze it; it will thwart attempts by analysts to examine its code.

Type - Description / Example

Virus - code that runs on a computer without the user's knowledge; it infects the computer when the code is accessed and executed.
  Example: Love Bug (2000). This virus would arrive by an e-mail titled "I love you" with an attachment named love-letter-for-you.txt.vbs.

Cryptomalware - uses cryptography as part of the attack.
  Example: CryptoLocker, WannaCry, Locky, zCrypt, NotPetya.

Ransomware - a type of malware that restricts access to a computer system and demands that a ransom be paid. Also known as crypto-malware, it encrypts files and/or locks the system. It then informs the user that in order to decrypt the files, or unlock the computer to regain access to the files, a payment would have to be made to one of several banking services, often overseas.
  Example: cryptoviral extortion. One example of this is CryptoLocker. This ransomware Trojan encrypts certain files on the computer's drives using an RSA public key. (The counterpart private key is stored on the malware creator's server.)

Worm - much like a virus except that it self-replicates, whereas a virus does not. Worms take advantage of security holes in operating systems and applications, including backdoors.
  Example: Nimda ("admin" backward), which propagated automatically through the Internet in 22 minutes in 2001, causing widespread damage. It spread through network shares, mass e-mailing, and operating system vulnerabilities.

Trojan horse - appears to perform desirable functions but is actually performing malicious functions behind the scenes. Trojans are not technically viruses and can easily be downloaded without being noticed. They can also be transferred to a computer by way of removable media.
  Example: a file contained within a downloaded program such as a key generator (a "keygen" used with pirated software) or another executable.

Rootkit - a type of software designed to gain administrator-level control over a computer system without being detected. Usually, the purpose of a rootkit is to perform malicious operations on a target computer at a later date without the knowledge of the administrators or users of that computer. Rootkits can target the UEFI/BIOS, boot loader, kernel, and more. An example of a boot loader rootkit is the Evil Maid Attack; this attack can extract the encryption keys of a full disk encryption system.
  Example: the Alureon rootkit, which affects the master boot record (MBR) and low-level system drivers (such as atapi.sys). This particular rootkit was distributed by a botnet, and affected over 200,000 (known) Microsoft operating systems. Also Zeus.

Adware - usually falls into the realm of spyware because it pops up advertisements based on what it has learned from spying on the user.

Spyware - a type of malicious software either downloaded unwittingly from a website or installed along with some other third-party software. Usually, this malware collects information about the user without the user's consent.

Botnets and zombies - malware can be distributed throughout the Internet by a group of compromised computers, known as a botnet, and controlled by a master computer (where the attacker resides). The individual compromised computers in the botnet are called zombies, because they are unaware of the malware that has been installed on them. This can occur in several ways, including automated distribution of the malware from one zombie computer to another.
  Example: the ZeroAccess botnet. It is based on Trojan malware that affects various Microsoft operating systems, and is used to mine Bitcoins or perpetuate click fraud. It is hidden from many antivirus programs through the use of a rootkit (infecting the MBR).

Remote Access Trojan (RAT) - the most common type of Trojan.
  Example: Back Orifice, NetBus, Poison Ivy, and SubSeven; their capability to allow an attacker higher administration privileges than those of the owner of the system makes them quite dangerous. The software effectively acts as a remote administration tool, which happens to be another name for the RAT acronym. These programs have the capability to scan for unprotected hosts and make all kinds of changes to a host when connected. RATs are often used to persistently target a specific entity such as a government or a specific corporation. One example of this is the PlugX RAT.

Logic bombs - code that has, in some way, been inserted into software; it is meant to initiate one of many types of malicious functions when specific criteria are met. Trojans set off on a certain date are also referred to as time bombs.
  Response: actions could include placing network disaster recovery processes on standby; notifying the software vendor; and closely managing usage of the software, including, perhaps, withdrawing it from service until the threat is mitigated.

Backdoors - used in computer programs to bypass normal authentication and other security mechanisms in place. Originally, backdoors were used by developers as a legitimate way of accessing an application, but soon after they were implemented by attackers who would use backdoors to make changes to operating systems, websites, and network devices. Or the attacker would create a completely new application that would act as a backdoor, for example Back Orifice, which enables a user to control a Windows computer from a remote location. Often, it is installed via a Trojan horse; this particular one is known as a remote access Trojan, or RAT. There isn't much that can be done about backdoors aside from updating or patching the infected system and keeping on top of updates.

Grayware - another general term that describes applications that are behaving improperly but without serious consequences. One example (of many) of spyware is the Internet Optimizer, which redirects Internet Explorer error pages out to other websites' advertising pages.

Fileless malware - malware doesn't have to reside on the hard drive of a computer. It can also reside within RAM (and possibly other locations). Fileless malware (also known as non-malware) functions without putting malicious executables within the file system, and instead works in a memory-based environment.

Spam - the abuse of electronic messaging systems such as e-mail, texting, social media, broadcast media, instant messaging, and so on. Spim (spam over instant messaging) is the abuse of instant messaging systems, chat rooms, and chat functions in games specifically. It is also known as messaging spam, or IM spam.

Typosquatting - this type of attack is known as typosquatting or URL hijacking. URL stands for uniform resource locator, which is the web address that begins with http or https. The potential attacker counts on the fact that millions of typos are performed in web browsers every day. These attackers "squat" on similar (but not exact) domain names. Once the user is at the new and incorrect site, the system becomes an easy target for spyware and other forms of malware.

Exploit kits - (within PHP scripts).
  Example: the Blackhole exploit kit. This is used (and purchased) by potential attackers to distribute malware to computers that meet particular criteria, while the entire process is logged and documented. The automating of cyber-crime, and the software used to do so, is collectively referred to as crimeware.

Active interception - normally includes a computer placed between the sender and the receiver to capture and possibly modify information. If a person can eavesdrop on your computer's data session, then that data can be stolen, modified, or exploited in other ways.
  Example: session theft and man-in-the-middle (MITM) attacks.

Privilege escalation - the act of exploiting a bug or design flaw in a software or firmware application to gain access to resources that normally would've been protected from an application or user. This results in a user gaining additional privileges, more than were originally intended by the developer of the application; for example, if a regular user gains administrative control, or if a particular user can read another user's e-mail without authorization.

Multipartite - a hybrid of boot and program viruses that attacks the boot sector or system files first and then attacks the other files on the system.

Retro virus - a virus that attacks or bypasses the antivirus software installed on a computer.
Stealth virus - a virus that attempts to avoid detection by antivirus software and by the operating system by remaining in memory.

Phage virus - a virus that modifies and alters other programs and databases.
Advanced Persistent Threat (APT) - a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. Usually targets private organizations, states, or both, for business or political motives. APT processes require a high degree of covertness over a long period of time.
The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.
The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target.
The "threat" process indicates human involvement in orchestrating the attack.

Malware Delivery
The method that a threat uses to access a target is known as a threat vector. Collectively, the means by which an attacker gains access to a computer in order to deliver malicious software is known as an attack vector. Probably the most common attack vector is via software.
Common vectors: e-mail, FTP, P2P, websites, advertisements, portable media storage devices, connected smartphones.


• Delivery - How it gets to the target
• Propagation - How malware spreads
• Payload - what malware does once it's there

Indicators of Compromise (IoC) - an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion (e.g. virus signatures, MD5 hashes, IP addresses, URLs).


"Applications that can help to secure your computers against malware threats include antivirus programs, anti-spyware applications, or
combination anti-malware programs"

Scan files for potential malware with the VirusTotal community.


1.2 Compare and contrast types of attacks.
Saturday, June 15, 2019 6:39 AM


Anticipating Cyber Attacks


Impact - an attack can result in:
○ Violation of confidentiality -> unauthorized access to or theft of data
○ Violation of integrity -> modification of data
○ Violation of availability -> inaccessibility of data or disruption of service

CIA
Confidentiality, integrity, and availability are the cornerstones of information security.
Confidentiality is the principle that only authorized people, processes, or systems have access to
information and that information must be protected from unauthorized disclosure.

Integrity is the principle that information or systems should be protected from unintentional,
unauthorized, or accidental changes.

Availability is the principle that information systems are operating and accessible when needed.


Social Engineering Psychology
Monday, July 15, 2019 6:13 AM

Social Engineering (psychology) - describes a class of techniques used to manipulate people, by deception, into divulging information or performing an action (e.g. unwitting malware distribution).
- The information may be useful in itself or a stepping stone in carrying out an attack.

Using perception, persuasion, and influence, social engineers take advantage of basic human instincts and responses including:
- The instinct to respond to authority
- The tendency to trust people
- The desire to be responsive
- The fear of getting into trouble
- The threat of harm
- The promise of a reward

Alternative definitions:
- The process by which intruders gain access to facilities, networks, systems, data, and even employees by exploiting the generally trusting nature of people.
- The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Reasons for effectiveness:



Reciprocity

Online: phishing (vishing, whaling, spear phishing); spoofing
Offline/Physical: tailgating, impersonation, dumpster diving, shoulder surfing
Either:

Phishing - sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information

Spear Phishing: sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.


• Whaling: a phishing attack that is specifically aimed at wealthy, powerful, or prominent individuals
• Vishing: making phone calls or leaving voice messages purporting to be from reputable companies
• Pharming: traffic redirect to a spoofed web site
• Variants: SMiShing, sending fraudulent text messages

Communications Spoofing

Hoax: Malicious actors issuing false warnings to alarm users
Swatting: Fraudulent calls to the police
Watering Hole Attack: a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.

Physical
- Tailgating
- Dumpster Diving
- Shoulder Surfing


Social Engineer must have physical access for these:



Social Engineering - Prevention
- User education
- Trust, but verify
- If you see something, say something


Table 17-1 Summary of Social Engineering Types


Type - Description
Pretexting - When a person invents a scenario, or pretext, in the hope of persuading a victim to divulge information.
Malicious insider threat - When a person works at an organization with the secret purpose of obtaining secret information, financial information, design work, and PII.
Diversion theft - When a thief attempts to take responsibility for a shipment by diverting the delivery to a nearby location.
Phishing - The attempt at fraudulently obtaining private information, usually done electronically. Vishing is done by phone. Spear phishing targets specific individuals. Whaling targets senior executives.
Hoax - The attempt at deceiving people into believing something that is false.
Shoulder surfing - When a person uses direct observation to find out a target's password, PIN, or other such authentication information.
Eavesdropping - When a person uses direct observation to "listen" in to a conversation. This could be a person hiding around the corner or a person tapping into a phone conversation.
Dumpster diving - When a person literally scavenges for private information in garbage and recycling containers.
Baiting - When a malicious individual leaves malware-infected removable media such as a USB drive or optical disc lying around in plain view in the hopes that unknowing people will bring it back to their computer and access it.
Piggybacking/tailgating - When an unauthorized person tags along with an authorized person to gain entry to a restricted area.
Watering hole attack - When an attacker targets users' specific browsing habits in the hopes that they will access particular websites and activate the malware hidden within them.


Lab - Social Engineering Reconnaissance
Monday, July 15, 2019 6:20 AM


Exercise 1 - Social Engineering Reconnaissance


Often a compromise in a company begins with attackers searching through social media for personal information that might aid them in obtaining legitimate details, or in impersonating that person to the business.
The aim is usually to get access to the initial system that the person either owns or has access to; from here the attacker will try to escalate and move through a building or network, gaining access to more interesting areas.
In this exercise you will complete the following tasks:
• Log into MyBook
• Exploring and gathering information
We will briefly explore some of the personal information that attackers might use, and the typical details that should always be guarded, by reviewing a website.
Task 1 - Log into MyBook
In this task, we are going to log into MyBook, which is a website hosted by Practice Labs.
Step 1
Ensure the required devices from the introduction are powered on and connect to PLABWIN10.
You will see the Internet Explorer icon in the taskbar. Go ahead and type Internet Explorer into the search bar.


Figure 1.1 Screenshot of PLABWIN10: Desktop
Type the following into the address bar.
http://mybook

Figure 1.2 Screenshot of PLABWIN10: MyBook Philip Nomad Timeline page


We are presented immediately with the profile of Phillip Nomad, on this very select site of MyBook. Currently, we are viewing the Timeline page, where recent activities regarding his life are being posted publicly and can be viewed by everyone.
Task 2 - Exploring and Gathering Information
Information gathering is a key part of any attack; we are going to review the types of details that an attacker might use to gain the confidence of others by impersonating Philip in some manner.
Step 1
Exploring this site a little further, we can see that Phillip is quite popular with 1,325 followers, and his job role is Front End Software Engineer. This makes Phillip an interesting target, given it is highly likely he has personal information that could be used to trick a company into thinking the attacker is Phillip.
Step 2
He is an active member of this site, with a posting just 5 minutes ago where he has commented on someone else's photo, and he is sharing his personal album with what might be a friend.

Figure 1.3 Screenshot of PLABWIN10: MyBook Philip Nomad Timeline page


We can see that Phillip is married and has a wife. Note that the type of clothes worn on the wedding day, and the background location of the wedding, might be key if work employees were also invited to the wedding.

Figure 1.4 Screenshot of PLABWIN10: MyBook Philip Nomad Timeline page


There are two friends, namely John and Alexis, who are close enough to Phillip to comment on his pictures, and we learn that there is the possibility of a baby.
Scroll down a little further.


Figure 1.5 Screenshot of PLABWIN10: MyBook Philip Nomad Timeline page
Interestingly, Phillip's car has broken down; this might be a very useful piece of information were the attacker to begin investigating Phillip's personal life and make contact with the car garage to enquire about the vehicle, posing as Phillip.
Step 3
Now Scroll back up and click on the tab for About.

Figure 1.6 Screenshot of PLABWIN10: MyBook Philip Nomad Bio page


Phillip has been kind enough to provide us with his phone number, date of birth and where he was educated. This is key information used by attackers to gain the confidence of personnel who might be performing security checks. One of the most common questions used is "what is your date of birth?". Now we have a legitimate answer to respond with.
If Phillip were real, we could also begin to search Oxford University for personal information and see if we get any hits for him attending the university, all information that aids the reconnaissance process.


Figure 1.7 Screenshot of PLABWIN10: MyBook Philip Nomad Bio page


Here we are presented with his past working experience with HP and, previous to that, Costa. Again we could search the HP site to see what details come up about Phillip; it might lead an attacker to more useful information to convince an IT department that Phillip needs his password changed and ask whether they can do that for him.
Another piece of the puzzle is a possible home location based in Kingston upon Thames; mobile software these days often populates images or posts with details of the user's location at the time of posting.
Step 4
Scroll up and click on the tab Album.

Figure 1.8 Screenshot of PLABWIN10: MyBook Philip Nomad Album page


Notice here that Phillip's job title has developed: it has him listed as a Creative Director who works in Front End Software Design. A Director role means some very important things; Phillip has access to important resources and information, and his passwords likely provide him with admin-level or root access to domains or servers full of data, which in situations like corporate espionage could be very lucrative.
This is an album which was shared, and we can see that he enjoys going to raves and scenic views, and possibly has a small pug dog. Again, a classic security question is "what is/was the name of your first pet/dog/cat?"
Additionally, many people use their pet names as their passwords, and dates of birth for passwords or PINs to accounts.
Step 5
Scroll up and click on Friends.

Figure 1.9 Screenshot of PLABWIN10: MyBook Philip Nomad Friends page


Here we can see that Phillip has a few contacts, some of whom could be worth learning more about. Notice that Sophia Lee is at Oxford, and it is possible they attended university at the same time as each other.
Robert Cook, being a photographer, might have more interesting photos of Phillip's life, providing more insight into the type of person he is and giving away characteristics to be used when impersonating him.


Figure 1.10 Screenshot of PLABWIN10: MyBook Philip Nomad Friends page
We can see a posting for Nina Nomad, who might be a family relation, and we see Linda, who is also a Software Engineer and might work with Phillip; additionally we see James, who is a CEO of a company called IT Farm. He could have a working relationship that might be useful to learn more about, in terms of the type of work performed and what access Philip had to IT Farm.
The next stage used by an attacker is to request a "friendship", usually by setting up a fake account with information that might trick Phillip into accepting it, like pretending to work at IT Farm and using that as an excuse to get Phillip to accept a friendship link. The purpose, of course, is to gain information which leads to a possible e-mail phishing attack against the CEO of IT Farm, James Carter, or to social engineer the IT/HR department of Google to get them to change Phillip's password, providing the attacker with access.
We can now close this browser tab and move on to the next exercise when ready.


Application and Service Attacks
Monday, July 15, 2019 7:11 AM



Network & Wireless Attacks
Tuesday, July 16, 2019 3:08 PM

Hijacking and related attacks

Clickjacking - tricking a web user into clicking a spoofed button or graphic


Session hijacking (cookie hijacking) - exploiting a valid computer session, or session key, to gain unauthorized access to information or services.
URL hijacking / typosquatting - the act of registering domains that are similar to those for a known entity but based on a misspelling or typographical error (examples: g00gole.com, gooogle.com).
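A lookalike-domain check for the URL hijacking / typosquatting entry above, as an added example that is not part of the original notes: it folds digit-for-letter look-alikes, flags domains within a small edit distance of a brand domain, and skips the brand's own subdomains so legitimate hosts are not reported. Apart from the two squats named in the notes, all domain names are constructed sample data.

```python
"""Lookalike-domain detection for typosquatting / URL hijacking (added example)."""

# Digits that are visually confusable with letters in a URL bar (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain ('g00gole.com' -> 'g00gole').

    Simplified: takes the label left of the last dot, with no public-suffix list,
    so 'example.co.uk' would yield 'co'; good enough for this illustration."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_score(candidate: str, brand: str) -> int:
    """Edit distance between the homoglyph-folded labels of two domains."""
    c = registrable_label(candidate).translate(HOMOGLYPHS)
    b = registrable_label(brand).translate(HOMOGLYPHS)
    return levenshtein(c, b)


def find_lookalikes(domains, brands, max_distance=2):
    """Return (domain, brand, distance) for domains near a brand but not the brand.

    The brand itself and its subdomains are skipped; a matching label under a
    different TLD (google.net vs google.com) is reported at distance 0."""
    hits = []
    for d in domains:
        d_low = d.lower()
        for brand in brands:
            b_low = brand.lower()
            if d_low == b_low or d_low.endswith("." + b_low):
                continue  # the legitimate domain or one of its own hosts
            dist = lookalike_score(d, brand)
            if dist <= max_distance:
                hits.append((d, brand, dist))
    return hits


# Constructed sample: the two squats from the notes plus benign and TLD-squat traffic.
SAMPLE_DOMAINS = ["google.com", "g00gole.com", "gooogle.com",
                  "example.org", "mail.google.com", "google.net"]
BRANDS = ["google.com"]

if __name__ == "__main__":
    for d, brand, dist in find_lookalikes(SAMPLE_DOMAINS, BRANDS):
        print(f"possible typosquat: {d} (distance {dist} from {brand})")
```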

Network Hijacking Attacks


MAC spoofing: the Media Access Control (MAC) address is a number hard-coded on a network interface controller (NIC). Many drivers allow the MAC address to be changed. MAC spoofing is the technique of changing the factory-assigned MAC address of a network interface on a networked device.

IP spoofing: a technique used to gain unauthorized access to machines, whereby an attacker illicitly impersonates another machine by manipulating IP packets. IP spoofing involves modifying the packet header with a forged (spoofed) source IP address, along with the checksum and order value.


ARP spoofing: when an attacker sends fake ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of the attacker's MAC address with the IP address of a legitimate computer or server on the network.
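A small ARP spoofing detector illustrating the entry above, as an added example that is not part of the original notes: it replays constructed ARP reply records and alerts when an IP address suddenly resolves to a different MAC, when one MAC answers for several IPs, or when a statically trusted binding such as the gateway's is contradicted. All addresses and timestamps are constructed sample data.

```python
"""ARP spoofing detection over observed ARP replies (added example)."""
from collections import defaultdict


def detect_arp_spoofing(replies, trusted=None):
    """Inspect ARP replies and return a list of alert dicts (empty = nothing odd).

    replies: iterable of (timestamp, sender_ip, sender_mac) taken from ARP replies.
    trusted: optional {ip: mac} of bindings known to be correct (gateway, servers);
             a static binding wins over learned state, as in DAI/arpwatch setups.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = {}                 # first MAC learned for each non-trusted IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted:
            # Any MAC other than the configured one answering for a trusted IP.
            if mac != trusted[ip]:
                alerts.append({"time": ts, "type": "static_binding_violation",
                               "ip": ip, "expected": trusted[ip], "seen": mac})
        else:
            # Learned binding: the IP is now being answered by a different MAC.
            first = ip_to_mac.setdefault(ip, mac)
            if first != mac:
                alerts.append({"time": ts, "type": "ip_mac_conflict",
                               "ip": ip, "expected": first, "seen": mac})

        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == 2:
            # Emitted once, when a MAC starts answering for a second IP,
            # the pattern of one host poisoning both sides of a conversation.
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


# Constructed sample: gateway and one host answer normally (a repeat announcement
# is harmless), then a third machine starts answering for both of their addresses.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:dd:ee:01"),
    ("10:00:02", "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ("10:00:03", "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ("10:00:05", "192.168.1.1",  "de:ad:be:ef:00:99"),
    ("10:00:06", "192.168.1.20", "de:ad:be:ef:00:99"),
]
GATEWAY_BINDING = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_BINDING):
        print(alert)
```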


Man-in-the-Middle Attacks

An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
The attacker may either observe (confidentiality attack) or alter (integrity attack) the communication.



Wireless Attacks
Tuesday, July 16, 2019 6:25 PM

Security in Action : Typosquatting
Tuesday, July 16, 2019 7:48 PM

1.3 Explain threat actor types and attributes.
Saturday, June 15, 2019 6:39 AM


Types of Actors

Open Source Threat Intelligence
Tuesday, July 16, 2019 8:26 PM

Security in Action: Open Source Intelligence
Tuesday, July 16, 2019 8:45 PM

1.4 Explain penetration testing concepts.
Saturday, June 15, 2019 6:39 AM

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment): http://professormesser.link/800115

You'll only be sure you're vulnerable if you can bypass security
- If you can get through, the bad guys can get through

Metasploit - an exploitation framework used to run exploits against the vulnerabilities found during a pen test; this is the active, intrusive step, so it must be covered by the rules of engagement.

Pen Testing Techniques
Wednesday, July 17, 2019 5:04 PM

Passive Reconnaissance - learning about the organization without sending traffic to its systems (IP
ranges, OS versions, office locations, cloud footprint, gathered from public sources); the target cannot
detect it.
Active Reconnaissance - interacting with the target directly to extract information: port scans and
vulnerability scans (applications, patch versions, systems, firewall rules); this shows up in the target's
logs and needs authorization.

Exploitation
Additional research
Continued exploitation
Reporting

* Research and exploitation are iterative: what is learned from one foothold feeds the next round.

Security in Action: Passive Recon
Wednesday, July 17, 2019 7:09 PM

Netcraft.com

1.5 Explain vulnerability scanning concepts.
Saturday, June 15, 2019 6:41 AM

Nikto - a web server vulnerability scanner: it probes a web server for known vulnerable files and CGIs, outdated server software and common misconfigurations, and reports what it finds running.

Vulnerability Scanning Types / Assessment Process
Wednesday, July 17, 2019 7:30 PM

Vulnerability Scanning Process
Wednesday, July 17, 2019 8:04 PM

• Passively testing security controls
• Identify vulnerabilities
• Identify a lack of security controls
• Identify common misconfigurations
• Intrusive vs. non-intrusive scans

Common Findings
Wednesday, July 17, 2019 8:01 PM

Security in Action - Port Scanning
Wednesday, July 17, 2019 8:47 PM

Angry IP Scanner

A port scan reveals which services are listening, and from those the installed software and processes behind them.

Green - the host is active, replied to the probe, and open ports were found.
Blue - the host did not respond to the request.

Investigate what is using the open ports.

Lab - Network Vulnerabilities Part 1
Thursday, July 18, 2019 12:04 AM

Introduction
The Network Vulnerabilities Part 1 module provides you with the instruction and
Server hardware to develop your hands on skills in the defined topics. This module
includes the following exercises:
• Network Footprinting
• Packet Sniffing
Lab time: It will take approximately 1 hour to complete this lab.
Exam Objectives
The following exam objectives are covered in this lab:
• SY0-501 1.2: Compare and contrast types of attacks
• SY0-501 2.2: Given a scenario, use appropriate software tools to assess the
security posture of an organization
• SY0-501 2.4: Given a scenario, analyse and interpret output from security
technologies
Lab Diagram
During your session you will have access to the following lab configuration. Depending
on the exercises you may or may not use all of the devices, but they are shown here in
the layout to get an overall understanding of the topology of the lab.

Connecting to your lab


In this module, you will be working on the following equipment to carry out the steps
defined in each exercise.
• PLABDC01 (Windows Server 2016 - Domain Controller)
• PLABWIN10 (Windows 10 - Domain Member)
• PLABKALI01 (Kali)
To start, simply choose a device and click Power on. In some cases, the devices may
power on automatically.

Exercise 1 - Network Footprinting
Thursday, July 18, 2019 12:05 AM

In this lab, you will practise attack strategies such as footprinting, spoofing, and Denial
of Service.
A network scan is usually the first step in an attempt to penetrate security (or indeed to
establish what needs defending). Footprinting establishes the topology and protocols
deployed on the network while fingerprinting determines the services and other
configuration details of a target host.
One of the most popular scanning tools is nmap. It is a command-line program (with its own scripting
engine for extra checks); the GUI front-end, Zenmap, offers several very useful pre-configured scan
profiles.
To get a better understanding of this technology, please refer to your course material or
use your preferred search engine to research this topic in more detail.
Task 1 - Using Nmap
To start using nmap scanner, follow these steps:
Step 1
Ensure you have powered on the required devices and connect to PLABWIN10.
Open TigerVNC Viewer by double clicking the icon on the desktop.

Figure 1.1 Screenshot of PLABWIN10: Desktop.


Step 2
Enter the following IP into the VNC server box:
192.168.0.3:1
Click Connect then enter the following into the password box:
Passw0rd

Figure 1.2 Screenshot of PLABWIN10: Desktop with VNC Viewer.
Step 3
The Root’s X desktop (kali:1) - TigerVNC window is displayed.
On the bottom menu, click Applications > 01 Information Gathering> nmap

Figure 1.3 Screenshot of PLABWIN10: Kali Desktop accessing nmap.


Step 4
The root@kali terminal window opens.
We will be scanning the vulnerable topology.
You will find hosts and their open ports on the network 192.168.27.0 where the lab
devices are connected.
Within the root@kali terminal window, type:
nmap 192.168.27.0/24 > hosts.txt
Press Enter.

Note: The > redirects the scan output into a file called hosts.txt in the current directory, so nothing is shown on screen until the scan finishes.

Figure 1.4 Screenshot of PLABWIN10: Kali terminal entering nmap commands.


Step 5
When NMAP is finished scanning the network 192.168.27.0/24,
close root@kali terminal window.
Back in Root’s X desktop (kali:1) - TigerVNC window, click Applications menu,
choose Usual Applications, Accessories then click LeafPad.

Figure 1.5 Screenshot of PLABWIN10: Kali accessing Leafpad.


Step 6
Click File then choose Open.

Figure 1.6 Screenshot of PLABWIN10: Kali accessing Leafpad.
Step 7
On the Open dialog box, under Places section, click File System.
On the right details pane, scroll down a bit and select hosts.txt file.
Click Open.

Figure 1.7 Screenshot of PLABWIN10: Kali using Leafpad to find hosts.txt.


Step 8
Find the results of the scan of hosts in the network 192.168.27.0.
Look for host with IP address 192.168.27.18
Click X to close LeafPad text editor.

Figure 1.8 Screenshot of PLABWIN10: Kali using Leafpad to view the results.
Step 9
Click Root Terminal icon located on the desktop.

Figure 1.9 Screenshot of PLABWIN10: Kali Desktop.


Step 10
The root@kali terminal window opens.
To identify the operating system versions (-O) and scan the TCP ports with a SYN, or half-open, scan
(-sS), type
nmap -O -sS 192.168.27.0/24 > hosts.txt
Press Enter.
This scan will take about 1 minute to complete.

Figure 1.10 Screenshot of PLABWIN10: Kali performing an nmap scan.
Step 11
Keep root@kali terminal window open.
Click Applications menu, choose Usual Applications, Accessories then
click LeafPad.
Step 12
Click File then Open.
Step 13
On the Open dialog box, navigate to File System.
On the details pane on the right, then click hosts.txt and choose Open.

Figure 1.11 Screenshot of PLABWIN10: Kali using Leafpad.


Step 14
Find the results of the nmap scan on 192.168.27.18 regarding the os details.

Close Leafpad.
Minimize root@kali terminal window.

Figure 1.12 Screenshot of PLABWIN10: Kali viewing nmap results.


Keep all devices powered on in their current state and proceed to the next task.
Task 2 - Using Zenmap
Zenmap is the GUI equivalent of nmap which is easier to use. To start using Zenmap,
follow these steps:
Step 1
While in root’s X desktop (kali:1) - TigerVNC window, click Applications > 01
Information Gathering > and click Zenmap.

Figure 1.13 Screenshot of PLABWIN10: Kali accessing Zenmap.


Step 2

Keep Zenmap open.

Figure 1.14 Screenshot of PLABWIN10: Kali with Zenmap.


Step 3
Minimise Kali, and on the PLABWIN10 desktop, right-click on WireShark and Run as
Administrator.
Click Yes to the prompt.

Figure 1.15 Screenshot of PLABWIN10: Desktop accessing Wireshark.


Step 4
Select Ethernet and click the Blue Shark Fin. From WireShark, go to Capture menu
and click Options.
And select Ethernet and then press Start.

Figure 1.16 Screenshot of PLABWIN10: Wireshark.
Step 5
You are back in Root’s X desktop (kali:1) - TigerVNCwindow.
Zenmap application is open.
Click in the Target box and type:
192.168.27.18
Click Scan.

Figure 1.17 Screenshot of PLABWIN10: Kali on Zenmap.


Step 6
Let Zenmap run the scan on 192.168.27.18
Wait until the scan is completed on zenmap.

Figure 1.18 Screenshot of PLABWIN10: Kali on Zenmap performing a scan.
Step 7
When zenmap scan is completed, reopen WireShark.

Figure 1.19 Screenshot of PLABWIN10: Kali on Zenmap performing a scan.


Step 8
From Wireshark, click Capture menu and choose Stop.

Figure 1.20 Screenshot of PLABWIN10: Wireshark stopping the capture.
Step 9
Click in Filter box and type:
tcp
Press Enter or Click the Blue Arrow.

Figure 1.21 Screenshot of PLABWIN10: Wireshark filtering the capture.


Step 10
Scroll up in the capture. In the Source column look for 192.168.27.18 (the vulnerable host) and in the
Destination column for 192.168.0.3 (Kali Linux).
When the Zenmap port scan ran against the vulnerable host, each listening service answered the scanner's
SYN with a SYN/ACK (synchronize/acknowledge). The scanner then sent RST (reset) instead of the final ACK,
tearing down the half-open connection without ever completing the handshake. A closed port answers the SYN
with RST straight away, and a port that does not answer at all is reported as filtered.
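An added example, not part of the lab or of nmap: a minimal TCP connect scanner in Python that classifies ports as open, closed or filtered from how the target answers, which is what both the nmap scans in this lab and the Angry IP Scanner view earlier (green: replied with open ports; blue: no reply) are reporting. It brings up its own throwaway listener on 127.0.0.1 so it runs offline; the host, the port list and the listener are constructed for the example.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does.

    open     - the three-way handshake completed (a service is listening)
    closed   - the host answered the SYN with RST (nothing listening)
    filtered - no answer before the timeout (dropped by a firewall, or host down)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # socket.timeout and other failures
        return "filtered"
    finally:
        sock.close()


def connect_scan(host, ports, workers=32):
    """Probe `ports` on `host` concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_tcp(host, p), ports)
        return dict(zip(ports, states))


def open_ports(results):
    """The ports worth investigating next, sorted."""
    return sorted(p for p, state in results.items() if state == "open")


# ---- constructed target so the example runs offline -------------------------
def start_local_listener():
    """Bind a throwaway TCP listener on 127.0.0.1; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # listener closed: stop the thread
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port():
    """Return a port that is currently free, so a probe should get RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    listener, listening_port = start_local_listener()
    results = connect_scan("127.0.0.1", [listening_port, pick_closed_port()])
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
    print("open:", open_ports(results))
    listener.close()
```

A connect scan completes the handshake, so the target service sees (and may log) an accepted connection; nmap -sS, as used in Step 10, sends RST after the SYN/ACK and never completes it, which needs raw sockets and therefore root, and is what the Wireshark trace in this step shows.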

Figure 1.22 Screenshot of PLABWIN10: Wireshark filtering the capture.
Step 11
Go back to Root’s X desktop (kali:1) - TigerVNC window.
Zenmap application is open.
Click in the Target box and type:
192.168.27.0/24
Click Scan.

Figure 1.23 Screenshot of PLABWIN10: Kali on Zenmap entering the scan address.
Step 12
This will scan available hosts in the mentioned network ID 192.168.27.0
This will take about 3 minutes to complete.

Figure 1.24 Screenshot of PLABWIN10: Kali on Zenmap reviewing the scan results.
Step 13
When the scan is complete, the Hosts left column, indicates the IP addresses of
computers detected in the scan.
Click on 192.168.27.18 to view the details about this host.

Figure 1.25 Screenshot of PLABWIN10: Kali on Zenmap reviewing the scan results.
Step 14
Click on Topology tab and then click Fisheye.
The topology tab, shows the discovered network hosts detected by the scan.

Figure 1.26 Screenshot of PLABWIN10: Kali on Zenmap reviewing the scan results.
Step 15
Click Host Details tab to get a graphical view about the selected host.

Figure 1.27 Screenshot of PLABWIN10: Kali on Zenmap reviewing the scan results.
Step 16
Click Ports/Hosts tab to see summary detected open ports in 192.168.27.18.
Close Zenmap application, discarding any changes.
Minimize the root’s X desktop (kali:1) - TigerVNC window

Exercise 2 - Packet Sniffing
Thursday, July 18, 2019 12:05 AM

Another critical information gathering tool is a protocol analyzer (packet sniffer). On a switched
network it captures the unicast packets sent to the capturing host and the broadcast (and multicast)
traffic on the same subnet; seeing other hosts' unicast traffic needs a mirror/SPAN port, a tap, or a
man-in-the-middle position such as ARP spoofing. The most widely used analyzer is Wireshark, which is
bundled with Kali Linux.
To get a better understanding of this technology, please refer to your course material or
use your preferred search engine to research this topic in more detail.
Task 1 - Observe traffic pattern using WireShark
To view network traffic pattern using WireShark, follow these steps:
Step 1
On PLABWIN10, reopen WireShark from taskbar.
Click File menu choose Open.

Figure 2.1 Screenshot of PLABWIN10: Wireshark.


Step 2
Enter the folder called Vulnerable Network Captures.
Select vulnerable network capture 5.
Click Open.
Click Continue without Saving.

Figure 2.2 Screenshot of PLABWIN10: Wireshark selecting the network capture.
Step 3
This is a network capture from the vulnerable topology.
Clear the filter if one is present by deleting anything still in it (e.g. tcp) and pressing Enter or
the blue arrow button.

Figure 2.3 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
Step 4
Click on Statistics and then select Conversations.

Figure 2.4 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
Step 5
Here we are presented with the Ethernet addresses for the devices on the network.
Click the IPv4 tab (labelled IPv4 · 15; the number is how many conversations were found).

Figure 2.5 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
Step 6
This section shows us the devices who are communicating on the network and we can
see that 192.168.27.18 is having quite a few conversations with various addresses on
the network.

Figure 2.6 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
Step 7
Click the TCP tab (labelled TCP · 62).
Here we can see that the same host has connections in sequence from source ports 60251-60296, mainly
to 192.168.27.12 on port 162. Consecutive ephemeral source ports mean the host opened one short-lived
connection after another in quick succession, which is typical of a scanner or an automated poller
rather than of a normal client session.

Figure 2.7 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
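An added example (not part of the lab and not using its capture file) that reproduces what the Conversations window is doing: it groups packets into IPv4 and TCP conversations, counts how many peers each host talks to, and then looks for the specific pattern seen in Step 7, one source opening connections to the same destination port from a run of consecutive source ports. The packet records are constructed to mimic the lab's traffic.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


def constructed_capture():
    """Constructed packets, not the lab's pcap: 192.168.27.18 connects to
    192.168.27.12:162 from consecutive ephemeral ports, plus background noise."""
    pkts = [Packet("192.168.27.18", p, "192.168.27.12", 162) for p in range(60251, 60261)]
    pkts += [
        Packet("192.168.27.12", 162, "192.168.27.18", 60251),   # one reply
        Packet("192.168.27.5", 50123, "192.168.27.1", 53),
        Packet("192.168.27.1", 53, "192.168.27.5", 50123),
        Packet("192.168.27.18", 40000, "192.168.27.7", 445),
    ]
    return pkts


def ipv4_conversations(packets):
    """Bidirectional IPv4 conversations, as on Wireshark's IPv4 tab:
    {frozenset({ip_a, ip_b}): packet count}."""
    return Counter(frozenset((p.src, p.dst)) for p in packets)


def tcp_conversations(packets):
    """Conversations keyed by the unordered pair of (ip, port) endpoints, as on the TCP tab."""
    return Counter(frozenset(((p.src, p.sport), (p.dst, p.dport))) for p in packets)


def talkers(packets):
    """Distinct peers per host, to spot a host 'having quite a few conversations'."""
    peers = defaultdict(set)
    for p in packets:
        peers[p.src].add(p.dst)
        peers[p.dst].add(p.src)
    return {host: len(s) for host, s in peers.items()}


def sequential_port_runs(packets, min_run=5):
    """Return (src, dst, dport, first_sport, last_sport) for every source that
    reached the same dst:port from at least `min_run` consecutive source ports.
    That pattern means many short-lived connections opened back to back."""
    by_flow = defaultdict(set)
    for p in packets:
        by_flow[(p.src, p.dst, p.dport)].add(p.sport)
    runs = []
    for (src, dst, dport), sports in by_flow.items():
        ordered = sorted(sports)
        start = prev = ordered[0]
        for port in ordered[1:] + [None]:        # None flushes the last run
            if port is not None and port == prev + 1:
                prev = port
                continue
            if prev - start + 1 >= min_run:
                runs.append((src, dst, dport, start, prev))
            if port is not None:
                start = prev = port
    return runs


if __name__ == "__main__":
    capture = constructed_capture()
    for pair, count in ipv4_conversations(capture).most_common():
        print(sorted(pair), count)
    print("peers per host:", talkers(capture))
    print("sequential source-port runs:", sequential_port_runs(capture))
```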
Shutdown all virtual machines used in this lab, before proceeding to the next module.
Alternatively you can log out of the lab platform.

Summary
Thursday, July 18, 2019 12:05 AM

In this lab you completed the following practical tasks:
• Network Footprinting
• Packet Sniffing

Lab - Network Vulnerabilities Part 2 - Introduction
Thursday, July 18, 2019 12:09 AM

The Network Vulnerabilities Part 2 module provides you with the instruction and
Server hardware to develop your hands-on skills in the defined topics. This module
includes the following exercises:
• Denial of Service
• Anti-Phishing Toolbar
Lab time: It will take approximately 1 hour to complete this lab.
Exam Objectives
The following exam objectives are covered in this lab:
• SY0-501 1.2: Compare and contrast types of attacks
• SY0-501 3.2: Given a scenario, implement secure network architecture concepts
Lab Diagram
During your session, you will have access to the following lab configuration. Depending
on the exercises you may or may not use all of the devices, but they are shown here in
the layout to get an overall understanding of the topology of the lab.

Connecting to your lab


In this module, you will be working on the following equipment to carry out the steps
defined in each exercise.
• PLABDC01 (Windows Server 2012 R2 - Domain Controller)
• PLABDM01 (Windows Server 2012 R2 - Member Server)
• PLABWIN10 (Windows 10 - Domain Member)
To start, simply choose a device and click Power on. In some cases, the devices may
power on automatically.

Exercise 1 - Denial of Service
Thursday, July 18, 2019 12:09 AM

There are any number of ways to stop a server responding to its clients; Ettercap could simply discard
every packet between client and server, for instance. Flood-type attacks depend on overwhelming the
victim, either with superior bandwidth or, as here, with more half-open connections than its backlog
can hold, and a real flood of the first kind depends on compromising thousands or even millions of
"zombie" PCs into a "botnet". This exercise just illustrates how simple it is to craft the spoofed
packets that can be used to try to flood a server.
To get a better understanding of this technology, please refer to your course material or
use your preferred search engine to research this topic in more detail.
Task 1 - Create a DoS attack scenario
To create a DoS attack scenario, follow these steps:
Step 1
On the PLABWIN10 device, right-click the Wireshark icon on the desktop and select
Run as administrator.

Figure 1.1 Screenshot of the PLABWIN10 desktop: Wireshark icon on taskbar is highlighted on the
PLABWIN10 Windows desktop.
Step 2
On the User Account Control dialog box, click Yes.

Figure 1.2 Screenshot of the PLABWIN10 desktop: The User Account Control dialog box is displayed.
Step 3
On The Wireshark Network Analyzer window, click Capture and click Options...

Figure 1.3 Screenshot of the PLABWIN10 desktop: Capture > Options menu-options are highlighted on
The Wireshark Network Analyzer window.
Step 4
On the Input tab of the WireShark: Capture Interfaces dialog box, click the textbox
next to Capture filter for selected interfaces and type:
tcp port 80
Note: Please Ensure the Ethernet Interface is selected.
Then, click Start the capture.
Step 5
Switch to PLABDM01, open Internet Explorer and type the following URL into the address bar:
http://PLABWIN10/
Navigate around the webpages making a mental note of how quick they are to load
(there should be no noticeable delay). Close the Internet Explorer.

Figure 1.5 Screenshot of the PLABDM01 desktop: The default page of the IIS is displayed in the Internet
Explorer.
Step 6
Minimize all open windows. Right-click the Start charm and select Control Panel.

Figure 1.6 Screenshot of the PLABDM01 desktop: Right-clicking on the Start charm to select Control
Panel.
Step 7
From the View by drop-down, select Large icons.


Figure 1.7 Screenshot of the PLABDM01 desktop: The default view of the Control Panel is displayed.
Step 8
Click the Internet Options applet.
Step 9
On Internet Properties dialogue box, under Browsing history section, click Delete.

Figure 1.9 Screenshot of the PLABDM01 desktop: General tab on the Internet Properties dialog box is
displayed showing the required Delete button available.
Step 10
All checkboxes will be selected by default. Click Delete.

Figure 1.10 Screenshot of the PLABDM01 desktop: Delete Browsing History dialog box is displayed
showing the required settings performed and the Delete button available.
Step 11
Click OK to close the Internet Properties dialog box.

Figure 1.10 Screenshot of the PLABDM01 desktop: Closing of the Internet Options dialog box.
Step 12
Switch to the PLABWIN10 and review the details in WireShark, note the SYN >
SYN/ACK > ACK sequence in the first three packets (hint: try scrolling up to the
beginning of the capture).
The remainder of the capture shows the PLABDM01workstation retrieving the page
using HTTP.
Minimize WireShark application.

Figure 1.12 Screenshot of the PLABWIN10 desktop: Wireshark capture window is displayed listing the
captured data packets and the selected data packet expanded to list the details.
Step 13
Click Start, expand TigerVNC 64-bit, and then select TigerVNC Viewer.

Figure 1.13 Screenshot of the PLABWIN10 desktop: Select TigerVNC Viewer from the Start menu.
Step 14
In the VNC Viewer: Connection Details dialog box, type the following in the VNC
server textbox:
192.168.0.3:1
Click Connect.

Figure 1.14 Screenshot of the PLABWIN10 desktop: Providing the Kali server IP address in the VNC server
textbox of the VNC Viewer Connection Details dialog box.
Step 15
In the VNC authentication dialog box, type the following in the Password dialog box:
Passw0rd
Click OK.

Figure 1.15 Screenshot of the PLABWIN10 desktop: Providing the password in the Password textbox of
the VNC authentication dialog box.
Step 16
After successful authentication, you should see the Kali window. If prompted with an
error, click OK.

Figure 1.16 Screenshot of the PLABWIN10 desktop: After successful connection, the Error dialog box is
displayed.
Step 17
On the desktop, double-click Root Terminal.

Figure 1.17 Screenshot of the PLABWIN10 desktop: Starting the terminal by double-clicking the Root
Terminal icon.
Step 18
Run the following command (it is case sensitive; ignore any line break and type it as one line). Here
-p 80 is the target port, -i u1000 sends one packet every 1000 microseconds, -S sets the SYN flag, -q
keeps the output quiet and --rand-source puts a random spoofed source address on every packet:
hping3 192.168.0.1 -p 80 -i u1000 -S -q --rand-source
Press Enter.

Figure 1.18 Screenshot of the PLABWIN10 desktop: root@kali/ window is displayed showing the required ping
command typed-in.
Step 19
Switch to Wireshark application. And Stop the capture by pressing the red square.
Step 20
From the Capture menu, select Options.
Step 21
In the Wireshark - Capture Interfaces dialog box, click the red X.
Step 22
Click Close.
Step 23
Click Capture and then click Start.

Figure 1.23 Screenshot of the PLABWIN10 desktop: Clicking Start on the Capture menu on the
Wireshark - Capture Interfaces dialog box.
Alert: If Start is greyed out, please select options and make sure Ethernet is selected.

Step 24
On the Unsaved packets dialog box, click Continue without saving.

Figure 1.24 Screenshot of the PLABWIN10 desktop: Discarding the current capture by clicking on the
Continue without Saving button.
Step 25
hping3 crafts SYN (synchronize) packets from random spoofed source addresses and sends them out at very
short intervals. The spoofed sources never answer the server's SYN/ACK, so each packet leaves a
half-open connection in the server's backlog until it times out.
Note the flood of packets captured by Wireshark on PLABWIN10.
Note: You may lose connectivity to PLABWIN10 while working on this lab, as a result of
a flood of SYN packets being sent to the interface. If this happens, reconnect to
PLABWIN10 through the Practice Labs web application.

Figure 1.25 Screenshot of the PLABDC01 desktop: Wireshark capture window is displayed listing the
captured data packets.
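An added example, not part of the lab, of the detection logic that turns the flood seen in Wireshark into an alert: it walks TCP packets as a tiny state machine (SYN, SYN/ACK, final ACK), counts half-open versus completed handshakes per service port, and flags the port when many SYNs arrive and almost none complete. The packets are constructed to look like one legitimate visit to the web server followed by what the hping3 command above produces; the addresses, counts and thresholds are assumptions for the example.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class TcpPacket(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def constructed_flood(n_bogus=200):
    """Constructed traffic, not a real capture: one completed handshake to
    the web server, then `n_bogus` SYNs from spoofed sources that never answer
    the server's SYN/ACK (the effect of hping3 -S --rand-source)."""
    server, client = "192.168.0.1", "192.168.0.5"
    pkts = [
        TcpPacket(client, 51000, server, 80, "S"),
        TcpPacket(server, 80, client, 51000, "SA"),
        TcpPacket(client, 51000, server, 80, "A"),
    ]
    for i in range(1, n_bogus + 1):
        spoofed = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        pkts.append(TcpPacket(spoofed, 40000 + i, server, 80, "S"))
        pkts.append(TcpPacket(server, 80, spoofed, 40000 + i, "SA"))   # unanswered
    return pkts


def syn_flood_indicators(packets, syn_threshold=100, max_half_open_ratio=0.5):
    """Per service endpoint (ip, port): SYN count, distinct sources, half-open
    and completed handshakes, and a 'flooded' verdict."""
    conns = defaultdict(dict)        # (server, port) -> {(client, cport): state}
    syn_total = Counter()
    for p in packets:
        if p.flags == "S":           # client -> server: new attempt
            syn_total[(p.dst, p.dport)] += 1
            conns[(p.dst, p.dport)].setdefault((p.src, p.sport), "SYN")
        elif p.flags == "SA":        # server -> client: backlog entry created
            c = conns[(p.src, p.sport)]
            if c.get((p.dst, p.dport)) == "SYN":
                c[(p.dst, p.dport)] = "SYN_RECV"
        elif p.flags == "A":         # client -> server: handshake completed
            c = conns.get((p.dst, p.dport), {})
            if c.get((p.src, p.sport)) == "SYN_RECV":
                c[(p.src, p.sport)] = "ESTABLISHED"
    report = {}
    for endpoint, clients in conns.items():
        half_open = sum(1 for s in clients.values() if s == "SYN_RECV")
        established = sum(1 for s in clients.values() if s == "ESTABLISHED")
        ratio = half_open / len(clients) if clients else 0.0
        report[endpoint] = {
            "syn_packets": syn_total[endpoint],
            "distinct_sources": len({client for client, _ in clients}),
            "half_open": half_open,
            "established": established,
            "half_open_ratio": round(ratio, 3),
            "flooded": syn_total[endpoint] >= syn_threshold and ratio > max_half_open_ratio,
        }
    return report


if __name__ == "__main__":
    for endpoint, stats in syn_flood_indicators(constructed_flood()).items():
        print(endpoint, stats)
```

In Wireshark the equivalent first look is the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0, which isolates the initial SYNs; Statistics > Conversations on that view shows how many distinct sources sent them, and with --rand-source nearly every SYN comes from a different address.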
Step 26
Switch to PLABDM01, restore Internet Explorer and refresh the page you visited previously:
http://PLABWIN10/
You will notice it takes noticeably longer to load, or does not load at all, while the SYN flood is
filling the server's connection backlog.
Stop Wireshark without saving the capture and close all open windows
on PLABWIN10 and PLABDM01.

Figure 1.26 Screenshot of the PLABDM01 desktop: Browser window trying to access the specified
website is displayed.
Keep all devices powered on in their current state and proceed to the next exercise.

Exercise 2- Anti-Phishing Toolbar
Thursday, July 18, 2019 12:10 AM

In this exercise, you will learn the following in this course:
• Anti-Phishing Toolbar: Netcraft
Please refer to your course material or use your favourite search engine to research this
topic in more detail.
Task 1 - Download and Install Mozilla Firefox
Before installing the Anti-Phishing Toolbar: Netcraft, you will first download and install
Mozilla Firefox on PLABWIN10. The Anti-Phishing Toolbar will work as a plug-in for said
web browser. To download and install Mozilla Firefox, perform the following steps:
Step 1
Connect to PLABWIN10 device. Click Microsoft Edge on the taskbar.

Figure 2.1 Screenshot of the PLABWIN10 desktop: Internet Explorer icon on taskbar is
highlighted on the PLABWIN10 Windows desktop.
Step 2
From the Practice Labs intranet, you will be directed to the Tools and resources page.
Click Installation_Files.

Figure 2.3 Screenshot of the PLABWIN10 desktop: Tools and resources webpage is
displayed showing the Tools option available.
Step 3
On the [..] > Tools and resources webpage, scroll down and locate and click Firefox.

Figure 2.4 Screenshot of the PLABWIN10 desktop: Tools and resources > Tools
webpage is displayed on the PLABWIN10 Windows desktop.
Step 4
You can see Firefox Setup 67.0.exe in this location; click this file.
On the notification toolbar, click Save.

Figure 2.6 Screenshot of the PLABWIN10 desktop: firefox_install_en_uk.exe notification
bar is displayed showing the Run button available.
Step 5
Click Run to proceed with the program setup.

Note: If prompted by User Account Control press Yes.


The installation of the package starts.

Figure 2.9 Screenshot of the PLABWIN10 desktop: The extraction of files is displayed.
Note: This can take a few minutes to complete.
Step 6
The Mozilla Firefox Web browser opens with the welcome page.

Keep all devices powered on in their current state and proceed to the next task.
Task 2 - Download and Install Anti-Phishing Toolbar: Netcraft
Netcraft offers a toolbar for the Mozilla Firefox, Google Chrome and Opera web browsers.
This toolbar helps you detect phishing websites and also provides a detailed report on a
website, including its rank.
In this task, you will learn to use the Netcraft anti-phishing toolbar.
To use the Netcraft anti-phishing toolbar, perform the following steps:
Step 1
In the address bar, enter http://toolbar.netcraft.com/
Press Enter.

Figure 2.21 Screenshot of the PLABWIN10 desktop: Required URL typed in the
address bar at the top is displayed on the Welcome to Firefox webpage.
Step 2
The Netcraft Extension page is displayed.

Figure 2.22 Screenshot of the PLABWIN10 desktop: Netcraft Extension webpage is
displayed on the web browser window.
Step 3
Scroll down the webpage and click Download the Netcraft Extension button.


Figure 2.23 Screenshot of the PLABWIN10 desktop: Download the Netcraft Extension
button is displayed on the web browser window.
Step 4
The Download Now page is displayed. Click Firefox.

Figure 2.24 Screenshot of the PLABWIN10 desktop: Download Now webpage showing
the Firefox option available is displayed on the web browser window.
Step 5
Click Add to Firefox.

Figure 2.25 Screenshot of the PLABWIN10 desktop: Download Now webpage showing
the Firefox option available is displayed on the web browser window.
Step 6
You will be prompted to add the Netcraft Extension; select Add.

Figure 2.26 Screenshot of the PLABWIN10 desktop: Add Netcraft Extension is
displayed prompting for confirmation and the Add button highlighted.
Keep all devices powered on in their current state and proceed to the next task.
Task 3 - Verify phishing websites
To find out if a website is a phishing site, follow these steps:
Step 1
You will now check a website that is reported as a phishing site. You can obtain a list from the
following website: http://www.phishtank.com
This website has one of the most current databases of phishing websites. Copy any of
the phishing websites on this list.
Important: Please note that this website is dynamically updated and collects a list of
suspected phishing websites. If you clicked on a URL that needs to be voted as a
phishing site, you need to register with “phishtank” to vote.

Figure 2.29 Screenshot of the PLABWIN10 desktop: Specified toolbar integrated into
the web browser is displayed on the web browser window.
Step 2
Select and right-click a URL and select Copy.
Note: You may have to try several URLs before you encounter the warning. If you have tried
all of the links on the page, select See more suspected phishes… to load more links.

Figure 2.30 Screenshot of the PLABWIN10 desktop: Context menu (that appears on
right-clicking a listed phishing website) > Copy menu option displayed on the PhishTank
website.
Step 3
Paste the Website name in the address bar on a new tab and press Enter.

Figure 2.31 Screenshot of the PLABWIN10 desktop: Pasting the Website name in the
address bar.
Step 4
The phishing Website warning page is displayed.
A Firefox red screen alert of “Deceptive site ahead” might be shown instead of the
Netcraft site blocked page. If this occurs, select See details and then “Ignore the risk”, or
try another link from http://www.phishtank.com

Figure 2.33 Screenshot of the PLABWIN10 desktop: Phishing Site Blocked webpage is
displayed confirming that the malicious website is detected and blocked.
Shut down all virtual machines used in this exercise using Practice Labs power button
function to revert these devices to their default settings. Alternatively, you may sign out
to power down all devices.
Summary
Thursday, July 18, 2019 12:10 AM

In this lab you completed the following practical tasks:
• MitM with ARP Spoofing
• Denial of Service
• Anti-Phishing Toolbar
Lab - Scanning and Remediating Vulnerabilities with
OpenVAS
Thursday, July 18, 2019 12:14 AM

Introduction
The module Scanning and Remediating Vulnerabilities with OpenVAS provides you
with the instructions and devices to develop your hands-on skills in the following topics.
• Connecting to Win10 and Kali
• OpenVAS Scanning
• Securing Active Directory Access LDAP
• Validating Security Changes with OpenVAS
Lab time: It will take approximately 1.5 hours to complete this lab.
Exam Objectives
The following exam objectives are covered in this lab:
• SY0-501 1.5: Explain vulnerability scanning concepts
Lab Diagram
During your session, you will have access to the following lab configuration. Depending
on the exercises you may or may not use all of the devices, but they are shown here in
the layout to get an overall understanding of the topology of the lab.

Connecting to your lab


In this module, you will be working on the following equipment to carry out the steps
defined in each exercise.
• PLABDC01 (Windows Server 2012 R2 - Domain Controller)
• PLABWIN10 (Windows 10 - Domain Member)
• PLABKALI01 (Kali 2016.2)
To start, simply choose a device and click Power on. In some cases, the devices may
power on automatically.
For further information and technical support, please see our Help and Support
page.
Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2017. All rights
reserved. Any redistribution or reproduction of part or all of the contents in any form is
prohibited other than the following:
1. You may print or download to a local hard disk extracts for your personal and non-
commercial use only.
2. You may copy the content to individual third parties for their personal use, but only if
you acknowledge the website as the source of the material. You may not, except with
our express written permission, distribute or commercially exploit the content. Nor may
you transmit it or store it in any other website or other form of electronic retrieval
system.

Exercise 1 - Connecting to Kali
Thursday, July 18, 2019 12:10 AM



Kali is a multifaceted Linux operating system which is mainly focused on security
and penetration testing. It combines a wide range of tools, from port scanners, both
active and passive, to forensic tools which can be used to pull deleted data off hard
drives.
Task 1 - Connecting to Win10 and Kali
In this task, you will power on and connect to the lab devices used within this exercise.
Step 1
Ensure you have powered on all the devices listed in the introduction and connect
to PLABWIN10.
On the desktop of PLABWIN10, click on the vncviewer-1.7 Icon.
VNC Viewer will launch. You’ll now use VNC to connect to the Kali Linux device.
Enter the following IP address:
192.168.0.3:1
Note the value 1 represents the port number that VNC is operating on.
Step 2
You will be prompted to enter a password. The credentials for this device are below:
User: root
Password: Passw0rd
Press the Connect button, and you will automatically log into PLABKALI01 as root.
Note: When first logging into the Kali terminal you might be greeted with a PID session
error. This will not affect your working environment. Simply click on the X button to
remove the message and continue with the lab practical.

Figure 1.2 Screenshot of PLABKALI: Initial screen presented by TigerVNCViewer.


At the top of the screen, confirm you are logged in as root on the Kali interface; this is
written in the frame of the device window. You are the administrator of this device as well.
Note: You may need to reposition the frame to gain access to the Taskbar by moving
the frame up and scrolling down.

Figure 1.3 Screenshot of PLABKALI01: The Taskbar is correctly displayed once the
viewer has been moved.
Leave the devices you have powered on in their current state and proceed to the next
exercise.
Exercise 2 - OpenVAS Scanning
Thursday, July 18, 2019 12:10 AM



OpenVAS stands for Open Vulnerability Assessment System and is a fork of an older
version of Nessus, formerly known as GNessUs. It’s a free tool to use and can be quite
comprehensive in its scanning techniques, as well as assisting in finding vulnerabilities. It
can be used in conjunction with other Kali tools to help pen test environments more
efficiently.
Task 1 - Starting up OpenVAS
In this task, we start up the OpenVAS services and access the Dashboard interface.
Step 1
Connect to OpenVAS by first starting up the services.
Click on the Kali start icon found in the bottom left.
Then use the following path.
02-Vulnerability Analysis > OpenVAS Scanner > openvas start
A terminal window opens showing that OpenVAS is starting; give it a moment
to initialize its processes.

Figure 2.1 Screenshot of PLABKALI01: Starting up OpenVAS Services.


Step 2
Once the prompt returns, type firefox into the terminal to launch the browser.

Figure 2.2 Screenshot of PLABKALI01: Using the terminal to begin Firefox.
Step 3
Now scroll up a little in Firefox, enter the following URL and press Enter.
https://127.0.0.1:9392
Note: If you get the error “Your Connection is not Secure”, click “Advanced” and add
an exception for this page.
Enter the following credentials.
admin
Passw0rd

Figure 2.3 Screenshot of PLABKALI01: OpenVAS Greenbone Security Assistant
interface.
We are now presented with the main front page of Greenbone Security Assistant.

Figure 2.4 Screenshot of PLABKALI01: Greenbone main dashboard page.
There are quite a few options in this area.
• Scan Management, where ‘New Tasks’ can be set.
• Asset Management, for monitoring and presenting a list of hosts where scans have
been performed.
• SecInfo Management, which is used to organize vulnerability databases.
• Configuration, which organizes target ports and scanning types.
• Extras, which allows for configuration of the Web UI itself.
• Administration, used to organize User and Feed Management updates.
• Help, which provides some useful hints and tips on the above.
Task 2 - Using OpenVAS
In this task, we will briefly explore OpenVAS and perform a scan with the application.
Step 1
We are now logged into the OpenVAS interface.
Let’s review some of the configuration settings to familiarize ourselves with the scanner.
Click on Configuration then move down to Ports.

Figure 2.5 Screenshot of PLABKALI01: Greenbone on Configurations tab.
Step 2
Click on the first entry in the list, which is:
All TCP and NMAP 5.51 top 1000 UDP

Figure 2.6 Screenshot of PLABKALI01: Greenbone showing the Port lists for scanning.
Step 3
A brief review of this list shows all the ports that the NMAP scanner will check against. This
list is designed against NMAP version 5.51.
This is a very invasive scan as it takes place against all the TCP ports from 1-65535
and then focuses on well-known UDP ports, which are more selectively chosen at a total of
999. UDP port scanning can take a while longer to complete, so knowing which ports are
important can be a great time saver.
Reviewing this on your favorite search engine or theory support materials would be
advisable.

Figure 2.7 Screenshot of PLABKALI01: Greenbone showing the exact Port range used
for a NMAP 5.51 scan type.
Step 4
Again hover over the Configuration tab and then move down to Scan Configs.

Figure 2.8 Screenshot of PLABKALI01: Greenbone on the Configuration tab.


These are the scanning types which are installed by default in OpenVAS. When
performing a scan, one of these is typically chosen; however, customized scans are
possible.

Figure 2.9 Screenshot of PLABKALI01: Greenbone showing the Scan Configurations.
Step 5
Click on:
Full and very deep ultimate
Under Network Vulnerability Test Families.
This scan is very intrusive and provides a great deal of depth; it looks for a very wide
range of faults, some of which might not be very useful depending on the device
being scanned.
For example, this scan will check the device against Cisco, CentOS and Amazon
Linux security checks. If you know the network has multiple devices running these
services, then this type of scan can be very productive. Understanding the network and
device scope is important to maintaining useful scan types and results.

Figure 2.10 Screenshot of PLABKALI01: Greenbone showing the Network Vulnerability
Test Families.
Step 6
Click on the back button within Firefox.
Click on:
Full and fast
Under Network Vulnerability Test Families.
Reviewing that scan type shows it’s similar to the previous one, except that it is quicker on a
performance level. It has multiple tests for buffer overflows and multiple operating systems;
scroll down and there is a section for Windows.

Figure 2.11 Screenshot of PLABKALI01: Greenbone showing further settings for the
Full and Fast option.
Step 7
Scroll down the page to view the Network Vulnerability Test Preferences.
Within this area we can see multiple tests used against SSL, LDAP, Services, etc.
Review these to have a better understanding of what exactly the test is going to
perform.

Figure 2.12 Screenshot of PLABKALI01: Greenbone showing settings in more detail.
Step 8
Feel free to choose any of interest; for this example, we will investigate the value:
Search in LDAP, Users with conf.LogonHours
Click on the search icon in blue on the left-hand tab of the screen.

Figure 2.13 Screenshot of PLABKALI01: Greenbone showing Scan Configurations for a
vulnerability.
Here we can see the family this vulnerability belongs to:
IT-Grundschutz
This is a German agency that specializes in security and is the author of the check that
locates this vulnerability.
Moving to the bottom, we can see the Current Value and Default Value that have been
assigned to test against.
Task 3 - OpenVAS Scanning
In this task, we will perform the scanning procedure using OpenVAS.
Step 1
Let’s begin with a scan against some of the key devices on the system.
Scroll back to the top.
Click on Scan Management to return to the main interface.

Figure 2.11 Screenshot of PLABKALI01: Greenbone on the main dashboard.


Now hover the mouse over the purple Wand icon to see a drop down.
Step 2
Click on Advanced Task Wizard.

Figure 2.12 Screenshot of PLABKALI01: Greenbone on the Advanced Task Wizard.


Step 3

Change the details to the following.
Task Name: PLABDC01
Scan Config: Full and fast ultimate
Target Host: 192.168.0.1
Note: We have chosen Full and fast ultimate to get a nice combination of speed with
comprehensive searching against the domain controller.
Leave the rest as default options.
Click on Create Task.

Figure 2.13 Screenshot of PLABKALI01: Greenbone on the Create a new Task.


Step 4
Greenbone will then generate the task and it will be shown as Orange for requested.
It will automatically initiate and begin to scan the target against the scanning type.

Figure 2.14 Screenshot of PLABKALI01: Greenbone dashboard showing the scan
taking place.
Alert: Give the scan a little time to complete; it will complete in about 5 minutes.
Step 5
The report is generated and presented on a Dashboard; Greenbone gives us an initial
severity rating, which is Medium.

Figure 2.15 Screenshot of PLABKALI01: Greenbone dashboard showing the scan
taking place.
Step 6
Click on the Name of the scan to review the results in more detail.
PLABDC01
We see a further breakdown of the results, mainly referring to dates and the scanner
type, which in this case is the OpenVAS Default scanner used with the Full and Fast scan.
Now click on the Reports value, which in this case is 1.

Figure 2.16 Screenshot of PLABKALI01: Greenbone showing scan results.


Step 7
A slightly more detailed breakdown is given, with High, Medium and Low results to be
considered and confirmed. We are also provided with a log output which might contain
useful information; logs, however laborious to look over, can hold information about
possible vulnerabilities which are yet undiscovered. Remember it's possible some of the
results could be false positives.

Figure 2.17 Screenshot of PLABKALI01: Greenbone showing scan results.


Step 8
Click on the Date to now view those results.

Figure 2.18 Screenshot of PLABKALI01: Greenbone showing scan results.
Step 9
Click on the vulnerability listed as:
Use LDAP search request to retrieve information from the NT directory services.
This took place on port 389 using a TCP service.

Figure 2.19 Screenshot of PLABKALI01: Greenbone showing scan results.


We see a more detailed output regarding this vulnerability. Greenbone details that
LDAP could be leaking data via enumeration, which would allow information about
Server and Site Names to be disclosed. This could aid an attacker who is trying to obtain
credential details for use when logging into devices, or who is impersonating devices on
the network so that they appear legitimate. Additionally, it could be used for social
engineering: if the attacker were to learn key information, they could pose as an
employee, call the IT office for additional help and use key words to hint at the fact
that they are legitimate users accessing devices.
Greenbone provides us with a solution option to consider (if we are not concerned about
compatibility with pre-Windows 2000 devices). This is very useful and something we will
be implementing very soon.
Note: Best practice is to rescan the device afterwards to have repeatable results. The
solutions given don’t always have an effect due to complexities with LDAP and Active
Directory, and are not necessarily best practice methods, so use them with caution.
Leave the devices you have powered on in their current state and proceed to the next
exercise.
Exercise 3 - Securing Active Directory Access LDAP
Thursday, July 18, 2019 12:09 AM



Active Directory holds a great deal of critical information about a business or organisation
regarding how it is structured, who the participating members are, the groups and
positions of those members, how the domain is defined and which computer groups are
assigned. It has overall control across the network and is very powerful at enforcing
policy rights. Throughout the years, as Windows and devices have changed, it has grown
very large and complicated. It provides backwards compatibility for older services as
well; however, back in the days of Windows 2000 security wasn’t well understood, and
many holes in older systems were exploitable.
Task 1 - Editing Advanced Security Settings for Pre-Windows 2000
We have highlighted a vulnerability in the system which needs to be corrected: the
access granted to Pre-Windows 2000 environments.
In this task, we will be removing users from the Active Directory group related to Pre-Windows
2000.
Step 1
Connect to PLABDC01.
On the Desktop, open Command Prompt with Administrator privileges by right-clicking
the Windows Start icon and selecting Command Prompt (Admin).

Figure 3.1 Screenshot of PLABDC01: Accessing Command Prompt from the Start Icon.
Step 2
So long as there are no devices or users in this part of LDAP for ‘Pre-Windows 2000
Compatible Access’, it can be safely removed. Its main function is backwards
compatibility for older hardware and applications, for example, Windows NT 4.0 RAS
Servers.
Click on Start then move to Run.
Enter:
dsa.msc

Figure 3.2 Screenshot of PLABDC01: Entering the command for Active Directory Users
and Computers.
Step 3
This will begin Active Directory Users and Computers.
From here navigate to Builtin and scroll down to:
‘Pre-Windows 2000 Compatible Access’

Figure 3.3 Screenshot of PLABDC01: Active Directory Users and Computers.


Step 4
This is not a functionality which is required on the server so all users can be removed.
Right click:
‘Pre-Windows 2000 Compatible Access’.

Choose Properties.
Then click the Members tab.
Here we can see the members of this group who have this function enabled.

Figure 3.4 Screenshot of PLABDC01: Active Directory Users and Computers.


Step 5
Click the Remove button for each member to remove them from this group.
Click Yes on the Active Directory Domain Services windows, which serve as a warning on
removing these groups.

Figure 3.5 Screenshot of PLABDC01: Active Directory Users and Computers.


Step 6
Click on the Security Tab.
Then, within Group or user names, click on:
“Pre-Windows 2000 Compatible Access”

Click Remove.

Figure 3.6 Screenshot of PLABDC01: Active Directory Users and Computers Windows
Security Notice.
The notice tells us there is an inheritance problem.
Click OK.
Click Advanced.
Click the Permissions tab and click the Principal header to organize the values by
name.

Figure 3.7 Screenshot of PLABDC01: Active Directory Users and Computers.


On each Pre-Windows 2000 Compatible Access entry:
Click Disable Inheritance.
Select:
Remove all inherited permissions from this object

Figure 3.8 Screenshot of PLABDC01: Active Directory Users and Computers.


This will automatically remove:
‘Pre-Windows 2000 Compatible Access’
from the Security group member list.


Step 7
Click on the Auditing tab.
On the Principal “Everyone” click Disable Inheritance.
Click Apply and OK.
Close the Pre-Windows 2000 Compatible Access explorer frame.
Step 8
Back on the AD User and Groups page, with ‘Pre-Windows 2000 Compatible Access’
selected, close Active Directory Users and Computers and any other explorer shells.

Figure 3.9 Screenshot of PLABDC01: Active Directory Users and Computers.
Task 2 - Editing Network Access
In this task, we will edit the Network Access to LDAP function and remove rights gained
through anonymous access through Active Directory Group Policy.
Step 1
Click Run.
Enter:
gpmc.msc

Figure 3.10 Screenshot of PLABDC01: Group Policy Management.


We have two areas to consider: the Default Domain Policy and the Default Domain
Controllers Policy.
We are working on the domain controller, so the latter policy will be the main
controlling feature. However, the Domain Policy should match the same configuration, as
this vulnerability might be affecting other devices.
We are going to apply the changes to both policies.
Right-click the Default Domain Controllers Policy. Select Edit.

Figure 3.11 Screenshot of PLABDC01: Group Policy Management editing the policy.
Step 2
Then follow this path.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Figure 3.12 Screenshot of PLABDC01: Group Policy Management Editor on Security
Options.
Step 2
For both:
Network Access: Let Everyone permissions apply to anonymous users
Network Access: Allow anonymous SID/Name translation
Right-click the value, select Properties and select Disabled under the Security
Policy Setting.
Check:
Define the policy setting:
Select Disabled.
Click Apply and OK.
Step 3
We must also Enable:
Network Access: Restrict Anonymous access to Named Pipes and Shares
Network Access: Do not allow anonymous enumeration of SAM accounts
Network Access: Do not allow anonymous enumeration of SAM accounts and shares
To enable right click on the above values and select Enabled from the Security Policy
Setting. Click Apply and click Yes to Confirm Setting Change and OK.

Figure 3.13 Screenshot of PLABDC01: Group Policy Management Editor on Security
Options.
Step 4
Right click the value of:
Network Access: Shares that can be accessed anonymously
Select Properties.
Check the Box for “Define this policy setting in the template”.
On Security Policy Setting delete all the contents.
Click Apply and OK.

Figure 3.14 Screenshot of PLABDC01: Group Policy Management Editor on Security
Options.
Step 5
For the value:
Network Access: Named Pipes that can be accessed anonymously
Perform the same as the step 4.
Clear the list and Apply then OK the value.
This completes the configuration of the Default Domain Controllers Policy.

Figure 3.15 Screenshot of PLABDC01: Group Policy Management Editor on Security
Options.
Step 6
Exit this screen to return to the Group Policy Management.
Now right click and select edit for the Default Domain Policy.

Repeat Steps 1-5 for this policy now.

Figure 3.16 Screenshot of PLABDC01: Group Policy Management selecting Default
Domain Policy.

Figure 3.17 Screenshot of PLABDC01: Group Policy Management selecting Default
Domain Policy configured.
Step 7
Once configured exit from Group Policy Management Editor.
Exit from Group Policy Management.
Right-click the Windows Start Icon.
Select Command Prompt (Admin).
Type the following and press Enter.
gpupdate

Figure 3.18 Screenshot of PLABDC01: CMD open performing gpupdate.


Task 3 - Reconfiguring Regedit Values
In this task, we will be editing values in the registry to restrict null sessions.
Step 1
We must now make sure the registry key values are set to restrict null sessions.
Now in Run enter:
regedit
Go to the following path.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Click on Lsa to present the values.

Figure 3.19 Screenshot of PLABDC01: Registry Editor.


Step 2

To prevent anonymous access, we must change a few parameters here.
Right-click each value in turn to check that they match the values below:
restrictanonymous = 2
restrictanonymoussam = 2
everyoneincludesanonymous = 0
If not, then right-click and Modify the value, entering the value shown above.

Figure 3.20 Screenshot of PLABDC01: Registry Editor changing the registry value.
Step 3
Exit the registry.

Figure 3.21 Screenshot of PLABDC01: Registry Editor with final results.


Task 4 - Network Configuration for NetBIOS
In this task, we will configure the network to disable NetBIOS on TCPIPv4.

Step 1
Right-click the network icon.
Select Open Network and Sharing Center.

Figure 3.22 Screenshot of PLABDC01: Desktop selecting Network and Sharing Center.
Step 2
Click Ethernet.

Figure 3.23 Screenshot of PLABDC01: Network and Sharing Center.


Step 3
Click on Properties.
On the Ethernet Properties window, select:
Internet Protocol Version 4 (TCP/IPv4)
Click on Properties.

Click on Advanced.
Click the radio button for:
Disable NetBIOS over TCP/IP
Click OK.
Then close the other boxes to return to the desktop.

Figure 3.24 Screenshot of PLABDC01: Advanced TCP/IP Settings.


Task 5 - Advanced Firewall Configurations
In this task, we will configure the firewall to block access to the vulnerable port from
private and public networks.
Step 1
Right-click the Windows Start icon.
Select Control Panel.

Figure 3.25 Screenshot of PLABDC01: Control Panel being selected from the Start icon.
Step 2
Click on System and Security.
Click on Windows Firewall.
Click on Turn Windows Firewall on or Off.
Turn on the firewall for the Domain, Private and Public Networks.
Click OK.

Figure 3.26 Screenshot of PLABDC01: Windows Firewall on Customize Settings.


Step 3
Click on Advanced Settings.

Figure 3.27 Screenshot of PLABDC01: Windows Firewall.
Step 4
Click on Inbound Rules.
Organize the Inbound Rules by Name by clicking on the Name column header.

Figure 3.28 Screenshot of PLABDC01: Windows Firewall with Advanced Security.


Step 5
Right Click on the value:
Active Directory Domain Controller - LDAP (TCP-In)
Select Properties and on Action choose Block the Connection.

Figure 3.29 Screenshot of PLABDC01: Windows Firewall with Advanced Security.
Step 6
Select the Advanced Tab.
Deselect the Domain Profile, leaving only the Private and Public Profiles checked.
Click Apply and OK.

Figure 3.30 Screenshot of PLABDC01: Windows Firewall with Advanced Security.


Step 7
Perform the same for:
Active Directory Domain Controller - LDAP (UDP-In)
Follow Steps 1-6.
Exit from Windows Firewall with Advanced Security.
Exit from Windows Firewall.
Figure 3.31 Screenshot of PLABDC01: Windows Firewall with Advanced Security.
Step 8
Restart the PLABDC01 device for these changes to take effect, using Windows Start and
then selecting Restart.
Press Continue on the prompt.

Figure 3.31 Screenshot of PLABDC01: Restarting the device.


Leave the devices you have powered on in their current state and proceed to the next
exercise.
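The NetBIOS and firewall changes from Tasks 4 and 5 above, scripted in PowerShell as an added example; this is not part of the Practice Labs exercise. It assumes it is run elevated on PLABDC01 (the lab's host name), that the built-in inbound rules still carry their default display names, and that the NetSecurity cmdlets (Windows Server 2012 and later) are available.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Practice Labs exercise. Run on the domain
# controller (PLABDC01 in the lab). The rule names are the built-in Windows
# Firewall rules present on every domain controller.

# ---- Task 4: disable NetBIOS over TCP/IP on every IP-enabled adapter ----
# SetTcpipNetbios values: 0 = use the DHCP setting, 1 = enable, 2 = disable.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        '{0}: SetTcpipNetbios returned {1} (0 = ok, 1 = ok but reboot required)' -f $_.Description, $r.ReturnValue
    }

# ---- Task 5: firewall on for every profile, LDAP blocked on Private/Public ----
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

$ldapRules = @(
    'Active Directory Domain Controller - LDAP (TCP-In)'
    'Active Directory Domain Controller - LDAP (UDP-In)'
)

foreach ($name in $ldapRules) {
    # Same result as the GUI steps: Action = Block the connection, and on the
    # Advanced tab only Private and Public remain checked. The Domain profile is
    # left out so domain members can still reach the DC over LDAP.
    Set-NetFirewallRule -DisplayName $name -Action Block -Profile Private, Public
}

# ---- Verification: what each rule now does ----
$ldapRules | ForEach-Object {
    $rule = Get-NetFirewallRule -DisplayName $_
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Action    = $rule.Action
        Profile   = $rule.Profile
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort   # expected: 389 for both rules
    }
} | Format-Table -AutoSize

# A Block scoped to Private/Public only applies to interfaces in those profiles,
# so check which profile Windows has put each NIC in.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# ---- Step 8: reboot so the NetBIOS change takes effect ----
Restart-Computer -Confirm
```

Two checks are worth keeping from this script: the verification table confirms each rule still filters local port 389, so nothing else about the rule was altered, and `Get-NetConnectionProfile` shows which profile each interface is in, because a Block limited to Private and Public has no effect on an interface that Windows has classified as Domain. Blocking the Domain profile as well would cut off every domain client, which is why the lab leaves it unchecked.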
Exercise 4 - Validating Security Changes with OpenVAS
Thursday, July 18, 2019 12:09 AM

Once changes have been made to any system, it is vital to recheck the system in order to
confirm that the updates, patches and security configuration changes have been applied
and are functioning as expected.
Task 1 - Rescanning with OpenVAS
In this task, we will be rescanning PLABDC01 with OpenVAS to confirm that our
changes have had an effect on the system and that we have configured the system
correctly.
Step 1
Connect back to PLABWIN10; the VNC connection to PLABKALI01 should still be active.
If not, open it again.
The Greenbone session will most likely have expired, though.
If so, enter the credentials to log in to Greenbone again:
admin
Passw0rd
Step 2
On the Tasks Dashboard, move to the Actions tab found towards the right-hand side.
Click on the green arrow.
This will start the scanning process again.

Figure 4.1 Screenshot of PLABKALI01: Greenbone Security Assistant.


Once more, give the scan about 5 minutes to complete. You will notice the status
changes to Requested and then moves to a progress bar, which advances as the scan
completes.
Step 3
Once completed click on the Name of the Scan, which is PLABDC01.
Click on Reports value which is now 2.
Then choose the latest of the reports by Time.


Figure 4.2 Screenshot of PLABKALI01: Greenbone Security Assistant restarting the scan.
Notice that the Medium count changed. In fact, rescanning a device can sometimes
highlight new vulnerabilities not found in the first attempt.
The changes we made have no effect on SSL certificates, so the new vulnerabilities were
picked up only on the second scan attempt and are strongly related to SSL.
This is excellent practice, and it shows that scanning a device once is not enough to
confirm that it has passed all the tests. Certainly, in a production environment, multiple
scans are commonplace.
Step 4
Click on the latest report by date and time.


Figure 4.3 Screenshot of PLABKALI01: Greenbone results from the second scan.
From the above results, we have now removed the problem with LDAP leaking data
with NULL input:
Use LDAP search request to retrieve information from NT Directory Services
This is no longer present, as it has been corrected by a combination of changing rules
in the Domain Policy for the Domain and Controller accounts, changing the Network
Access values, editing registry key values, and activating the firewall for the Private and
Public Networks.
Step 5
Click the back button on Firefox.
Press the Compare button under Actions for each report which appears as a triangle.

Figure 4.4 Screenshot of PLABKALI01: Greenbone comparing the results.


We can see which functions have been changed since the updated scan.

Figure 4.5 Screenshot of PLABKALI01: Greenbone comparing the results.


Here we can see that the LDAP finding has been remediated. This now leaves us with SSL
certificates as our main vulnerability, with Relative IP Identification as a low value.
Of course, in a production environment we would now proceed with correcting those
problems as well.
Step 6
Click on the Green down arrow next to PDF to download the results.
Choose Open With, make sure xpdf is selected.
Click OK.

Figure 4.6 Screenshot of PLABKALI01: Greenbone saving the file.


Step 7
Here we see the Delta Report for the scan we performed; the results in this table
show the differences between the scans.

Figure 4.7 Screenshot of PLABKALI01: PDF format being viewed of the Delta Report.
Scrolling down we find the vulnerability we worked on.

Figure 4.8 Screenshot of PLABKALI01: PDF format being viewed of the Delta Report.


Figure 4.9 Screenshot of PLABKALI01: PDF format being viewed of the Delta Report.
This tells us the CVSS value, the detection result, the solution, and the detection
method used to pull the information.
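What the Delta Report in Steps 5 to 7 computes, worked by hand over two constructed result sets as an added example; this is not code from the exercise or from Greenbone. The LDAP finding name is the one the lab quotes; the other finding names, the ports and the severities are made up for the example. The same / new / gone / changed categories are the ones a Greenbone delta report uses to label each result.

```powershell
# Added example, not part of the Practice Labs exercise or of Greenbone.
# Constructed data: the LDAP finding name comes from the lab, the rest is made up.
function New-Finding {
    param([string]$HostName, [string]$Port, [string]$Name, [double]$Severity)
    [pscustomobject]@{ HostName = $HostName; Port = $Port; Name = $Name; Severity = $Severity }
}

# First scan: before the LDAP hardening. Second scan: after it.
$firstScan = @(
    New-Finding 'PLABDC01' '389/tcp'     'Use LDAP search request to retrieve information from NT Directory Services' 5.0
    New-Finding 'PLABDC01' '636/tcp'     'SSL/TLS: Certificate Expired (constructed)'                                  5.0
    New-Finding 'PLABDC01' 'general/tcp' 'Relative IP Identification number change'                                     2.6
)
$secondScan = @(
    New-Finding 'PLABDC01' '636/tcp'     'SSL/TLS: Certificate Expired (constructed)'                                  5.0
    New-Finding 'PLABDC01' '636/tcp'     'SSL/TLS: Weak Cipher Suites (constructed)'                                   4.3
    New-Finding 'PLABDC01' 'general/tcp' 'Relative IP Identification number change'                                     2.6
)

function ConvertTo-FindingKey {
    param([psobject]$Finding)
    # A delta report matches results by host, port and test (NVT) name.
    '{0}|{1}|{2}' -f $Finding.HostName, $Finding.Port, $Finding.Name
}

function Get-ScanDelta {
    param([object[]]$Before, [object[]]$After)
    $beforeMap = @{}
    foreach ($f in $Before) { $beforeMap[(ConvertTo-FindingKey $f)] = $f }
    $afterMap = @{}
    foreach ($f in $After) { $afterMap[(ConvertTo-FindingKey $f)] = $f }

    # Results in the first scan: either still present (same / changed) or gone.
    foreach ($key in $beforeMap.Keys) {
        $old = $beforeMap[$key]
        if ($afterMap.ContainsKey($key)) {
            $new = $afterMap[$key]
            $status = if ($new.Severity -eq $old.Severity) { '= same' } else { '~ changed' }
            [pscustomobject]@{ Status = $status; HostName = $new.HostName; Port = $new.Port
                               Severity = $new.Severity; Name = $new.Name }
        } else {
            [pscustomobject]@{ Status = '- gone'; HostName = $old.HostName; Port = $old.Port
                               Severity = $old.Severity; Name = $old.Name }
        }
    }
    # Results only in the second scan: new. This is where a rescan surfaces
    # findings the first pass missed, as the SSL results in the lab did.
    foreach ($key in $afterMap.Keys) {
        if (-not $beforeMap.ContainsKey($key)) {
            $new = $afterMap[$key]
            [pscustomobject]@{ Status = '+ new'; HostName = $new.HostName; Port = $new.Port
                               Severity = $new.Severity; Name = $new.Name }
        }
    }
}

Get-ScanDelta -Before $firstScan -After $secondScan |
    Sort-Object Status |
    Format-Table Status, HostName, Port, Severity, Name -AutoSize
```

With the constructed data the table lists the LDAP finding as gone, the weak cipher finding as new, and the other two as same. Keying on host, port and test name rather than on severity alone is what lets the report separate a fixed finding from one that merely changed score.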
Shutdown all virtual machines used in this lab, before proceeding to the next module.
Alternatively you can log out of the lab platform.

Summary
Thursday, July 18, 2019 12:17 AM

You covered the following activities in this module:
• Connecting to Win10 and Kali
• OpenVAS Scanning
• Securing Active Directory Access (LDAP)
• Validating Security Changes with OpenVAS

1.6 Explain the impact associated with types of
vulnerabilities.
Saturday, June 15, 2019 6:42 AM
