8 November 2015


by mo

Day 2 Homework: (due before the start of class November 9th) Answer the following in one or two sentences and add the information to your notes:

Vulnerability/Patch Questions: Resources: cve-details.com, OSVDB.org, and exploit-db.com

  1. What is a CVE #?
    • Common Vulnerabilities and Exposure
  2. How is a CVE structured/defined/scored?
    • Vendor, product names and version numbers.
  3. How do you search for a CVE by name? Provide an example via screenshot.
    • You can search by product, vendor or version. For example screenshot
  4. How do you search for a CVE by #? Provide an example via screenshot. screenshot
  5. How is a CVSS(v2) score assigned?
    • https://www.first.org/cvss/v2/guide
    • Composed for 3 metric groups: base, temporal, environmental
    • base and temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors.
  6. What is the CVSS rating criteria?
    • a series of equations that combine three metric groups: base, temporal, environmental.
  7. What is a security BID #?
  8. Where would you find a BID?
    • http://www.securityfocus.com/bid
  9. How is a BID associated to a CVE?
  10. What is a Microsoft Security Bulletin?
    • a microsoft website that tracks vulnerabilities in microsoft products.
  11. How does a MS Security Bulletin relate to a CVE?
    • CVE appears to be more of an open standard where MS Security Bulletin seems to be focused on microsoft products and have their own standard identifier.
  12. What is a Microsoft security KB (Knowledge Base) Article and how does it relate to a security bulletin?
    • the knowledge base article includes additional information about a security bulletin such as how to apply the patches and what versions of the product are affected.
  13. Provide a link the the cve-details.com page listing all vulnerabilities for Apache Tomcat version 6.0.29
    • https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/version_id-100326/Apache-Tomcat-6.0.29.html

Describe the vulnerability associated with MS08-067

  1. What is the vulnerability title?
  2. What is the severity rating?
    • Critical
  3. What is the impact?
    • Remote Code Execution
  4. Provide a quick summary of what systems are affected?
    • Windows 2000
    • Windows XP
    • Windows Server 2003
    • Windows Vista
    • Windows Server 2008
  5. What is the associated CVE #?
  6. What is an associated KB patch for Server 2003?
    • https://support.microsoft.com/en-gb/kb/958644
  7. What is an associated KB patch for Windows XP?
    • https://support.microsoft.com/en-gb/kb/958644
  8. What is an associated Metasploit exploit for it?
msf > search ms08_067

Matching Modules

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf > 

Metasploit: Resource: https://www.offensive-security.com/metasploit-unleashed/

  1. What is a payload?
  2. What is an interactive shell?
  3. What is a meterpreter reverse shell?
  4. What is a meterpreter bind shell?
  5. Try exploiting the vulnerability again with a meterpreter bind shell.
  6. How could a firewall impact a bind shell?
    • it could block incoming connections
  7. Disable the firewall and try running the bind shell again.
  8. What does the command “show payloads” do?
    • Running ‘show payloads’ will display all of the different payloads for all platforms available within Metasploit.
    • https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
  9. What does the command “show options” do?
    • display which settings are available and/or required for that specific module.
  10. What does the command “show targets” do?
    • see which targets are supported. e.g windows 2000, windows 2003 universal
  11. What does the command msfupdate do?
    • update the metasploit database to get the latest.
  12. What exploits/techniques does the meterpreter command “get system” use?
    • escalate the current session to the SYSTEM account from an administrator user account.
    • https://www.rapid7.com/db/modules/post/windows/escalate/getsystem
  13. How do you specify a single technique from get system?
  getsystem -t <option>
  1. For the command “hashdump” to be successful, what permission level do you need?
    • run as SYSTEM