Let’s start with vulnerability assessment. Enterprises should run continuous automated scanning so that they always know the current exposure of their networks. The infrastructure penetration testing discussed in this post then digs deeper, using manual testing to uncover the issues and attack chains that a scanner alone will not find.
Red Team engagements are an option for mature environments with well-established patch management; their purpose is to test whether the organisation can detect an adversary using real-world techniques.
I have run vulnerability assessments over large networks as part of infrastructure tests, and Nessus and the other scanners have their place. The trick is to work efficiently enough that the engagement delivers more than scanner output the client could have produced themselves (and should be producing regularly).
Introduction
Using tools efficiently is the easy part; manual testing is where the skill lies, and nobody should be paying a pen tester just to run scans. What follows is how I practise the craft. Everyone in this industry does it differently, which is part of what makes it so interesting, but this is my way of doing it.
The bottom line: the scripts and tools below are what will get you started.
- Nessus: the de facto vulnerability scanner
- Sparta: an infrastructure scanner GUI created by SECFORCE. My extended configuration is in the README of helper-scripts.
- Scrying / EyeWitness: RDP / web / VNC screenshotters
- DefaultCreds / SecLists: databases of known vendor default credentials and wordlists
- nessusToExcel.py: a script I wrote to make reporting easier
Getting started
Unsurprisingly, Nessus is the first port of call. While it runs you can be getting on with productive work, and Sparta is my answer to that. Yes, Sparta is a GUI, and I can already hear the “real hackers don’t use GUIs” crowd. It is, however, a wrapper around Nmap that can be customised to your liking. It hasn’t been updated in a while and can be slow at times.
Let’s start by identifying our scan targets:
- Run initial ARP / ping sweeps to find live hosts, or scan with -Pn (required when ICMP is blocked, but it significantly increases scan time because every address is treated as up).
- Either run a staged scan (described below) or a complete TCP scan.
The CHECK guidelines require all 65535 TCP ports and the top 1000 UDP ports to be scanned, and anyone who has done that across a few subnets knows the pain of a scan that takes many times longer than a quick one. My staged scan breaks the coverage into five separate scans. The first covers only TCP 80 and 443 and completes in seconds, which lets me start prodding every web portal on the network straight away. The results of the later stages are added to the database for analysis as they complete.
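As an added example (not the author’s helper-scripts, and not Sparta’s own staging, which lives in the [StagedNmapSettings] section of sparta.conf), the script below drives a five-stage scan in the spirit described above: TCP 80/443 first so web portals can be worked on within seconds, the slow full-range and UDP stages afterwards, and -Pn switchable on for networks that drop ICMP. The exact port split per stage, the scans/ output layout and the DRY_RUN behaviour are assumptions of this example, and the .gnmap sample is constructed.

```shell
#!/usr/bin/env bash
# Staged port-scan driver. Added example for this post: not the author's
# helper-scripts and not Sparta's own [StagedNmapSettings] staging. The port
# split per stage is an assumption; the post only says full TCP / top 1000 UDP
# coverage is broken into five scans with TCP 80,443 first.
set -eu

OUT=${OUT:-scans}        # nmap -oA prefix directory (stage1.gnmap, stage1.xml, ...)
DRY_RUN=${DRY_RUN:-1}    # 1 = print the nmap command line, 0 = execute it
NO_ICMP=${NO_ICMP:-}     # set to 1 when ICMP is filtered: adds -Pn (every address treated as up)

# nmap arguments for stage 1..5. Stage 5 needs the comma-separated open port
# list ($2) found by the full TCP stage, so service detection only touches real ports.
stage_args() {
  case "$1" in
    1) echo "-sS -p 80,443" ;;          # web portals: seconds to finish, prod them first
    2) echo "-sS --top-ports 1000" ;;   # common TCP services
    3) echo "-sS -p 1-65535" ;;         # full TCP range, the slow one
    4) echo "-sU --top-ports 1000" ;;   # top 1000 UDP
    5) echo "-sV -sC -p ${2:?stage 5 needs the open port list}" ;;
    *) echo "unknown stage: $1" >&2; return 1 ;;
  esac
}

# Unique open TCP ports from a greppable (.gnmap) file, e.g. "22,80,443".
open_ports() {
  grep -o '[0-9]*/open/tcp' "$1" | cut -d/ -f1 | sort -un | paste -sd, -
}

# Build (and, unless DRY_RUN=1, run) the nmap command for one stage. The -oA
# output is what gets imported into Sparta's database afterwards.
run_stage() {
  stage=$1; targets=$2; ports=
  if [ "$stage" = 5 ]; then
    [ -r "$OUT/stage3.gnmap" ] || { echo "stage 5 skipped: $OUT/stage3.gnmap missing" >&2; return 0; }
    ports=$(open_ports "$OUT/stage3.gnmap")
  fi
  set -- nmap $(stage_args "$stage" "$ports") -iL "$targets" -oA "$OUT/stage$stage"
  [ -n "$NO_ICMP" ] && set -- "$@" -Pn
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Constructed .gnmap sample (not real scan output) so open_ports can be tried offline.
sample_gnmap() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Host: 10.0.0.5 ()	Status: Up
Host: 10.0.0.5 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///	Ignored State: closed (997)
Host: 10.0.0.9 ()	Ports: 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///
EOF
  echo "$f"
}

# Usage: ./staged.sh targets.txt    (DRY_RUN=0 to scan for real, NO_ICMP=1 if pings are dropped)
if [ $# -gt 0 ]; then
  mkdir -p "$OUT"
  for s in 1 2 3 4 5; do run_stage "$s" "$1"; done
fi
```

Each stage writes its own -oA set, so stage1.xml can be imported into Sparta (or handed to EyeWitness) while stage 3 is still grinding through the full port range; stage 5 deliberately refuses to run until stage 3’s .gnmap exists, since version detection against 65535 ports per host would undo the time saved by staging.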
Identifying default credentials
Now the fun begins. Each command in Sparta is contextualised by the service Nmap identified; in this case we’ll look at Microsoft SQL servers.
Right-clicking the “ms-sql-s” service in the Services tab runs the command against every MSSQL instance found. The tool output lands in the “mssql default” tab, which identifies the hosts where a default credential worked.
The command is defined in sparta.conf (the [PortActions] section):
mssql-default=MSSQL - default credentials, hydra -s [PORT] -C /usr/share/seclists/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt -u -o "[OUTPUT].txt" -f [IP] mssql, "ms-sql-s"
Note: my Sparta instance is configured to use the default location SecLists is installed to by apt (/usr/share/seclists).
Although Hydra is integrated into Nessus, doing it this way gives much more control over the wordlists used; throwing rockyou at every management port is not going to do you any favours. This approach has got me into hundreds of SSH/SMB/FTP/DBMS/VNC/RDP services that I would otherwise not have had the time to try.
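The same idea generalised to several services, as an added example that is not Sparta’s code or the author’s configuration: read the services Nmap found from a .gnmap file and emit one hydra command per open port, in the same shape as the mssql-default entry above, using the small per-service SecLists default-credential file rather than a general wordlist, and nothing at all for services that have no such list. The service-to-wordlist mapping, the hydra-out/ directory and the sample scan are assumptions/constructed for this example; check the file names against your own SecLists checkout.

```shell
#!/usr/bin/env bash
# Service-aware default-credential sweep. Added example for this post: not
# Sparta's code and not the author's sparta.conf. It generalises the
# mssql-default entry to several services. The service -> hydra module /
# wordlist mapping is an assumption; verify the names in your SecLists copy.
set -eu

SECLISTS=${SECLISTS:-/usr/share/seclists/Passwords/Default-Credentials}
OUTDIR=${OUTDIR:-hydra-out}
DRY_RUN=${DRY_RUN:-1}   # 1 = print hydra command lines, 0 = run them

# nmap service name -> "hydra-module wordlist". Unknown services return 1 so
# nothing is brute-forced blindly with a generic list.
creds_for() {
  case "$1" in
    ms-sql-s)   echo "mssql $SECLISTS/mssql-betterdefaultpasslist.txt" ;;
    mysql)      echo "mysql $SECLISTS/mysql-betterdefaultpasslist.txt" ;;
    postgresql) echo "postgres $SECLISTS/postgres-betterdefaultpasslist.txt" ;;
    ftp)        echo "ftp $SECLISTS/ftp-betterdefaultpasslist.txt" ;;
    ssh)        echo "ssh $SECLISTS/ssh-betterdefaultpasslist.txt" ;;
    vnc)        echo "vnc $SECLISTS/vnc-betterdefaultpasslist.txt" ;;
    *)          return 1 ;;
  esac
}

# One hydra command in the same shape as the sparta.conf entry:
# -C user:pass list, -u loop over users first, -f stop at the first hit.
hydra_cmd() {  # $1 ip, $2 port, $3 nmap service name
  mod_list=$(creds_for "$3") || return 1
  module=${mod_list%% *}; list=${mod_list#* }
  echo "hydra -s $2 -C $list -u -o $OUTDIR/${1}_${2}_${module}.txt -f $1 $module"
}

# Walk a .gnmap file and print a hydra command for every open port that has a
# list. Port entries look like "1433/open/tcp//ms-sql-s///" (port/state/proto/owner/service/...).
plan_from_gnmap() {
  awk '/Ports:/ {
         ip = $2; s = $0
         sub(/.*Ports: /, "", s); sub(/Ignored State:.*/, "", s)
         n = split(s, e, ", ")
         for (i = 1; i <= n; i++) { split(e[i], p, "/"); if (p[2] == "open") print ip, p[1], p[5] }
       }' "$1" |
  while read -r ip port svc; do hydra_cmd "$ip" "$port" "$svc" || true; done
}

# Constructed .gnmap sample (not real scan output) for trying the planner offline.
sample_gnmap() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Host: 10.0.0.5 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///	Ignored State: closed (997)
Host: 10.0.0.9 ()	Ports: 21/open/tcp//ftp///, 3306/filtered/tcp//mysql///, 5900/open/tcp//vnc///
EOF
  echo "$f"
}

# Usage: ./creds.sh stage3.gnmap   (DRY_RUN=0 to actually run hydra)
if [ $# -gt 0 ]; then
  mkdir -p "$OUTDIR"
  plan_from_gnmap "$1" | while read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
  done
fi
```

On the constructed sample this yields four commands (ssh, ms-sql-s, ftp, vnc): the HTTP port is skipped because it has no entry, and the filtered MySQL port is skipped because it is not open. That is the point of the approach: a handful of vendor defaults per service finishes in seconds per host, which is what makes it feasible across hundreds of management interfaces.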
Sparta Expanded
This is only one example of how Sparta can be used; there are over 100 commands in the configuration, and many of them run the NSE scripts relevant to the service. Their output can differ from what Nessus reports, and it can confirm the vulnerabilities Nessus has flagged.
Sometimes you need to run a different command against a particular service. Holding shift while right-clicking the service on a host shows every available command, regardless of service. In this example Nmap identified the service as “ccproxy://”, which the configuration file does not recognise, so we list all commands and run nikto against it.
You can also run Nmap yourself and feed the XML into Sparta, which populates the database in the same way as above. The scheduler can run commands automatically as soon as a service is identified, but you will see in my configuration file that this is disabled, so that nothing runs without me choosing it.
Web interfaces
Larger networks typically have many different web endpoints, each with its own set of default credentials, and testing every one by hand is a slog. Scrying and EyeWitness take the Nmap / Nessus XML and screenshot every HTTP service, producing an HTML report that groups each service by response code or headers.
Where the default credentials for a product are known, the report shows them for you.
If they are not, the DefaultCreds-cheat-sheet database can be queried by vendor, with output in several different formats.
Reporting
Once Nessus has finished and every tool has run, the findings need reporting, and my automation mantra doesn’t stop there. My nessusToExcel Python script parses the Nessus XML into multiple Excel worksheets to make the data easier to work with. By default it runs every module; a few are outlined below (run it with -h for a description of each on the command line).
- HTTP: HTTP servers and versions
- LastUpdated: effective Windows security patch levels
- Compliance: formatted CIS compliance data
- Issues: all plugins that are not informational in severity
- Win/nix Security Patches: summary of missing security patches
- Third Party Software Remediations: remediations for third-party software
Some of these produce no output unless the right scan has been run: an authenticated scan for patch data, a compliance scan for the compliance output, and so on. Clients find many of them useful as an easy-to-read audit of their network, including a list of every scanned hostname, address and operating system on the Host Information tab, with further detail on the HTTP, Open Ports and Databases tabs.
The “All Issues” tab is my favourite for writing up findings, since it lets me group common vulnerabilities such as TLS configuration problems and obsolete software. Where unsupported versions are found, I have hard-coded the relevant information into the script.
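As an added example (not nessusToExcel, which is the author’s own script), here is the core of the “All Issues” idea done in the shell: pull every non-informational ReportItem out of a .nessus export, order it by severity, and count affected hosts per plugin so that common findings such as the certificate problems in the sample group into one write-up. It relies on Nessus writing each ReportItem’s attributes on a single line, which the v2 export does; for anything more involved use a real XML parser. The .nessus sample is constructed and its plugin IDs are illustrative.

```shell
#!/usr/bin/env bash
# Quick triage of a .nessus (v2) export from the shell. Added example for this
# post, not the author's nessusToExcel.py. It reads ReportItem attributes with a
# regex, which works because Nessus writes each tag's attributes on one line;
# use a real XML parser for anything more involved. The sample export below is
# constructed, with illustrative plugin IDs.
set -eu

# severity<TAB>pluginID<TAB>pluginName<TAB>host:port for every non-informational
# finding, highest severity first, then grouped by plugin ID.
issues_from_nessus() {
  awk '
    function attr(name,    re) {
      re = name "=\"[^\"]*\""
      if (match($0, re)) return substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
      return ""
    }
    /<ReportHost /  { host = attr("name") }
    /<ReportItem /  { sev = attr("severity") + 0
                      if (sev > 0) printf "%d\t%s\t%s\t%s:%s\n", sev, attr("pluginID"), attr("pluginName"), host, attr("port") }
  ' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2,2n
}

# pluginID<TAB>pluginName<TAB>affected count, most widespread first: the
# grouping that turns "12 hosts have an untrusted certificate" into one finding.
count_by_plugin() {
  issues_from_nessus "$1" | cut -f2,3 | sort | uniq -c | sort -rn |
  awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print $0 "\t" c }'
}

# Constructed .nessus sample (not a real export).
sample_nessus() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="sample">
<ReportHost name="10.0.0.5">
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="51192" pluginName="SSL Certificate Cannot Be Trusted" pluginFamily="General"/>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="57582" pluginName="SSL Self-Signed Certificate" pluginFamily="General"/>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version Information" pluginFamily="Service detection"/>
</ReportHost>
<ReportHost name="10.0.0.9">
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="51192" pluginName="SSL Certificate Cannot Be Trusted" pluginFamily="General"/>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="97833" pluginName="MS17-010: Security Update for Microsoft Windows SMB Server" pluginFamily="Windows"/>
</ReportHost>
</Report>
</NessusClientData_v2>
EOF
  echo "$f"
}

# Usage: ./triage.sh scan.nessus
if [ $# -gt 0 ]; then
  echo "== issues by severity =="; issues_from_nessus "$1"
  echo "== hosts per plugin ==";   count_by_plugin "$1"
fi
```

On the sample, the informational SSH banner plugin (severity 0) is dropped, the critical MS17-010 item sorts to the top, and the untrusted-certificate plugin shows as affecting two hosts, which is exactly the grouping needed to write it up once with a host list rather than once per host.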
Final thoughts
All of this lets me finish engagements on time and to a high standard, and it leaves room to expand the scope (where the client asks for it) and deliver more value. Often that means testing Active Directory properly rather than just running a vulnerability assessment against the Domain Controller, and that extra work frequently cuts the attack surface of the estate under test more than the vulnerability assessment itself does.