CEH Practical - Module 5
Module 05: Vulnerability Analysis
Objective
Overview of Vulnerability Assessment
Lab Tasks
Lab 1: Perform Vulnerability Research with Vulnerability Scoring Systems and Databases
Task 1: Perform Vulnerability Research in Common Weakness Enumeration (CWE)
Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools
Task 1: Perform Vulnerability Analysis using OpenVAS
Lab 3: Perform Vulnerability Analysis using AI
Task 1: Perform Vulnerability Analysis using ShellGPT
Objective
Network vulnerabilities
The objective of this lab is to extract information about the target system that includes, but is not limited to:
IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports and services that are listening
Application and services configuration errors/vulnerabilities
The OS version running on computers or devices
Applications installed on computers
Accounts with weak passwords
Files and folders with weak permissions
Default services and applications that may have to be uninstalled
Mistakes in the security configuration of common applications
Computers exposed to known or publicly reported vulnerabilities
Overview of Vulnerability Assessment
A vulnerability refers to a weakness in the design or implementation of a system that can be exploited to
compromise the security of the system. It is frequently a security loophole that enables an attacker to enter the
system by bypassing user authentication. There are generally two main causes of vulnerable systems in a
network: software or hardware misconfiguration, and poor programming practices. Attackers exploit these
vulnerabilities to perform various types of attacks on organizational resources.
Lab Tasks
Ethical hackers or pen testers use numerous tools and techniques to collect information about the underlying
vulnerabilities in a target system or network. Recommended labs that will assist you in learning various vulnerability
assessment techniques include:
1. Perform vulnerability research with vulnerability scoring systems and databases
   Perform vulnerability research in Common Weakness Enumeration (CWE)
2. Perform vulnerability assessment using various vulnerability assessment tools
   Perform vulnerability analysis using OpenVAS
3. Perform vulnerability analysis using AI
   Perform vulnerability analysis using ShellGPT
Lab 1: Perform Vulnerability Research with Vulnerability
Scoring Systems and Databases
Lab Scenario
As a professional ethical hacker or pen tester, your first step is to search for vulnerabilities in the target system or
network using vulnerability scoring systems and databases. Vulnerability research provides awareness of
advanced techniques to identify flaws or loopholes in the software that could be exploited. Using this information,
you can use various tricks and techniques to launch attacks on the target system.
Lab Objectives
Perform vulnerability research in Common Weakness Enumeration (CWE)
Overview of Vulnerabilities in Vulnerability Scoring Systems and Databases
Vulnerability databases collect and maintain information about various vulnerabilities present in the information
systems.
The following are some of the vulnerability scoring systems and databases:
Common Weakness Enumeration (CWE)
Common Vulnerabilities and Exposures (CVE)
National Vulnerability Database (NVD)
Task 1: Perform Vulnerability Research in Common
Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and weaknesses. It has
numerous categories of weaknesses, which means that CWE can be effectively employed by the community as a
baseline for weakness identification, mitigation, and prevention efforts. Further, CWE has an advanced search
technique with which you can search and view the weaknesses based on research concepts, development
concepts, and architectural concepts.
Here, we will use CWE to view the latest underlying system vulnerabilities.
By default, the Windows 11 machine is selected. Press Ctrl+Alt+Delete to activate the machine and log in
with Admin/Pa$$w0rd.
The Networks screen appears; click Yes to allow your PC to be discoverable by other PCs
and devices on the network.
Launch any web browser, and go to [Link] website (here, we are using Mozilla Firefox).
If the Default Browser pop-up window appears, uncheck the Always perform this
check when starting Firefox checkbox and click the Not now button.
If a New in Firefox: Content Blocking pop-up window appears, follow the step and
click start browsing to finish viewing the information.
The CWE website appears. Navigate to the Search tab and, in the Google Custom Search field under the Access Content
section, search for SMB.
Here, we are searching for the vulnerabilities of the running services that were found
in the target systems in previous module labs (Module 04 Enumeration).
The search results appear. Scroll down to view the underlying vulnerabilities in the target service (here, SMB).
You can click any link to view detailed information on the vulnerability.
The search results might differ when you perform this task.
Now, click any link (here, CWE-284) to view detailed information about the vulnerability.
Similarly, you can click on other vulnerabilities and view detailed information.
Now, navigate to the CWE List tab. CWE List Version will be displayed. Scroll down, and under the External
Mappings section, select CWE Top 25 (2023).
The result might differ when you perform this task.
A webpage appears, displaying CWE VIEW: Weaknesses in the 2023 CWE Top 25 Most Dangerous Software
Weaknesses. Scroll down and view a list of Weaknesses in the 2023 CWE Top 25 Most Dangerous Software
Weaknesses under the Relationships section. You can check each weakness to view detailed information on it.
This information can be used to exploit the vulnerabilities in the software and further
launch attacks.
The result showing publishing year might differ when you perform this task.
Similarly, you can go back to the CWE website and explore other options, as well.
An attacker can find vulnerabilities in the services running on the target systems and further exploit them to
launch attacks.
This concludes the demonstration of checking vulnerabilities in the Common Weakness Enumeration (CWE).
Close all open windows and document all the acquired information.
Question [Link]
Search the Common Weakness Enumeration (CWE) list and find the name of the vulnerability with the CWE ID 591.
Question [Link]
Search the Common Weakness Enumeration (CWE) list and find the top weakness in the list “Weaknesses in the
2023 CWE Top 25 Most Dangerous Software Weakness.”
Lab 2: Perform Vulnerability Assessment using Various
Vulnerability Assessment Tools
Lab Scenario
The information gathered in the previous labs might not be sufficient to reveal potential vulnerabilities of the
target: there could be more information available that may help in finding loopholes. As an ethical hacker, you
should look for as much information as possible using all available tools. This lab will demonstrate other
information that you can extract from the target using various vulnerability assessment tools.
Lab Objectives
Perform vulnerability analysis using OpenVAS
Overview of Vulnerability Assessment
A vulnerability assessment is an in-depth examination of the ability of a system or application, including current
security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses,
and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and
communication channels. It identifies, quantifies, and ranks possible vulnerabilities to threats in a system.
Additionally, it assists security professionals in securing the network by identifying security loopholes or
vulnerabilities in the current security mechanism before attackers can exploit them.
There are two approaches to network vulnerability scanning:
Active Scanning
Passive Scanning
Task 1: Perform Vulnerability Analysis using OpenVAS
OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability
scanning and vulnerability management solution. Its capabilities include unauthenticated testing, authenticated
testing, various high-level and low-level Internet and industrial protocols, performance tuning for large-scale
scans, and a powerful internal programming language to implement any vulnerability test. The actual security
scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.
Here, we will perform a vulnerability analysis using OpenVAS.
In this task, we will use the Parrot Security ([Link]) machine as a host machine and
the Windows Server 2022 ([Link]) machine as a target machine.
Click on Parrot Security to switch to the Parrot Security machine and log in with attacker/toor.
If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
If a Question pop-up window appears asking you to update the machine, click No to
close the window.
Open a Terminal window and execute sudo su to run the programs as a root user (When prompted, enter the
password toor).
The password that you type will not be visible.
Run the docker run -d -p 443:443 --name openvas mikesplain/openvas command to launch OpenVAS.
After the tool initializes, click the Firefox icon at the top of the Desktop.
The Firefox browser appears; go to [Link]. The OpenVAS login page appears; log in with admin/admin.
If a Warning page appears, click Advanced and select Accept the Risk and Continue.
The OpenVAS Dashboard appears. Navigate to Scans --> Tasks from the Menu bar.
If a Welcome to the scan task management! pop-up appears, close it.
Hover over the wand icon and click the Task Wizard option.
The Task Wizard window appears; enter the target IP address in the IP address or hostname field (here, the
target system is Windows Server 2022 [[Link]]) and click the Start Scan button.
The task appears under the Tasks section; OpenVAS starts scanning the target IP address.
Wait for the Status to change from Requested to Done. Once it is completed, click the Done button under
the Status column to view the vulnerabilities found in the target system.
It takes approximately 20 minutes for the scan to complete.
If you are logged out of the session, log in again using the credentials admin/admin.
The Report: Results page appears, displaying the discovered vulnerabilities along with their severity and the port
numbers on which the affected services are running.
The results might differ when you perform this task.
Click on any vulnerability under the Vulnerability column to view its detailed information.
Detailed information regarding the selected vulnerability appears, as shown in the screenshot.
Similarly, you can check other Reports by hovering over the Report: Results section to view other Reports
regarding the vulnerabilities in the target system.
Next, go through the findings, including all high or critical vulnerabilities, and manually use your skills to verify each
vulnerability. The challenge with vulnerability scanners is that they are quite limited; they work well for an internal
or white-box test only if the credentials are known. We will explore that now: return to your OpenVAS tool and set
up the same scan again, but this time turn the firewall ON in the Windows Server 2022 machine.
Now, we will enable Windows Firewall in the target system and scan it for vulnerabilities.
Click on Windows Server 2022 to switch to the Windows Server 2022 machine, press Ctrl+Alt+Delete, and
log in with CEH\Administrator / Pa$$w0rd.
Navigate to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows
Defender Firewall on or off, enable Windows Firewall, and click OK.
By turning the Firewall ON, you are making it more difficult for the scanning tool to
scan for vulnerabilities in the target system.
Click on Parrot Security to switch to the Parrot Security machine and perform Steps 7-9 to create another task
for scanning the target system.
A newly created task appears under the Tasks section and starts scanning the target system for
vulnerabilities.
After the completion of the scan, click the Done button under the Status column.
It takes approximately 15-20 minutes for the scan to complete.
The Report: Results page appears, displaying the discovered vulnerabilities along with their severity and the port
numbers on which the affected services are running.
The results might differ when you perform this task.
The scan results for the target machine before and after the Windows Firewall was enabled are the same,
thereby indicating that the target system is vulnerable to attack even if the Firewall is enabled.
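Reading the two Report: Results pages by hand is tedious, so here is an added example (not part of the CEH lab or of OpenVAS) that parses exported report XML, buckets findings into the Log/Low/Medium/High classes the report page shows, and lists which findings survived the firewall change. The XML layout is a cut-down version of a Greenbone report export, the host 192.0.2.10 is a documentation address standing in for the lab target, the severity thresholds are assumed to be Greenbone's defaults, and all names and scores in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample reports, not real scanner output: a cut-down layout keeping
# the per-<result> fields a Greenbone report export carries. 192.0.2.10 is a
# documentation address standing in for the lab target; scores are made up.
BEFORE_FIREWALL = """<report><results>
<result><name>DCE/RPC and MSRPC Services Enumeration Reporting</name>
<host>192.0.2.10</host><port>135/tcp</port><severity>4.3</severity></result>
<result><name>SMB signing not required (sample)</name>
<host>192.0.2.10</host><port>445/tcp</port><severity>5.3</severity></result>
<result><name>TCP timestamps (sample)</name>
<host>192.0.2.10</host><port>general/tcp</port><severity>2.6</severity></result>
</results></report>"""
AFTER_FIREWALL = """<report><results>
<result><name>DCE/RPC and MSRPC Services Enumeration Reporting</name>
<host>192.0.2.10</host><port>135/tcp</port><severity>4.3</severity></result>
<result><name>SMB signing not required (sample)</name>
<host>192.0.2.10</host><port>445/tcp</port><severity>5.3</severity></result>
</results></report>"""


def severity_class(score: float) -> str:
    """Greenbone's default Log/Low/Medium/High classes (assumed thresholds)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "Log"


def parse_results(xml_text: str) -> List[dict]:
    """One dict per <result> element in the report XML."""
    root = ET.fromstring(xml_text)
    return [{"name": r.findtext("name", "").strip(),
             "host": r.findtext("host", "").strip(),
             "port": r.findtext("port", "").strip(),
             "severity": float(r.findtext("severity", "0"))}
            for r in root.iter("result")]


def count_by_class(findings: List[dict]) -> Counter:
    """How many findings fall in each severity class."""
    return Counter(severity_class(f["severity"]) for f in findings)


def class_of(findings: List[dict], name: str) -> Optional[str]:
    """Severity class of the named finding, or None if the scan did not report it."""
    matches = [f for f in findings if f["name"] == name]
    return severity_class(matches[0]["severity"]) if matches else None


def unchanged_findings(before: List[dict], after: List[dict]) -> List[Tuple]:
    """Findings (host, port, name) reported both before and after a change such
    as enabling the host firewall, as the lab does between its two scans."""
    after_keys = {(f["host"], f["port"], f["name"]) for f in after}
    return sorted(k for k in ((f["host"], f["port"], f["name"]) for f in before)
                  if k in after_keys)
```

Point `parse_results` at the XML you export from the Report: Results page (Download filtered report, XML format) for each of the two scans and compare the outputs of `count_by_class` and `unchanged_findings`.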
This concludes the demonstration of performing vulnerability analysis using OpenVAS.
Close all open windows and document all the acquired information.
Click on Windows Server 2022 to switch to the Windows Server 2022 machine, press Ctrl+Alt+Delete, and
log in with Administrator/Pa$$w0rd.
Navigate to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows
Defender Firewall on or off, disable Windows Firewall, and click OK.
Question [Link]
Perform vulnerability analysis for the target machine ([Link]) using OpenVAS and find the number of
vulnerabilities in the system. Enter the Severity level of the DCE/RPC and MSRPC Services Enumeration
Reporting vulnerability.
Lab 3: Perform Vulnerability Analysis using AI
Lab Scenario
As a professional ethical hacker or pen tester, you must acknowledge the limitations of conventional approaches
in revealing all potential vulnerabilities. Therefore, you will utilize AI-driven vulnerability analysis tools to identify
and assess security weaknesses in a simulated network environment.
Lab Objectives
Perform vulnerability analysis using ShellGPT
Overview of vulnerability analysis using AI
Vulnerability Analysis with AI employs advanced algorithms to unearth hidden security flaws in networks. AI-
driven tools extract comprehensive data, prioritize risks, and fortify defenses, empowering ethical hackers to
anticipate and mitigate emerging threats effectively. This innovative approach enhances cybersecurity readiness
by leveraging AI's precision and adaptability.
Task 1: Perform Vulnerability Analysis using ShellGPT
ShellGPT swiftly interprets and executes commands, conducting scans, identifying weaknesses, and suggesting
mitigation strategies in real time. Its adaptive nature facilitates dynamic navigation through complex systems,
enhancing efficiency and precision in vulnerability analysis. By integrating ShellGPT, you gain a powerful ally
in your quest to safeguard digital ecosystems, leveraging AI's capabilities to uncover and address security risks
with unparalleled speed and accuracy.
Here, we will use ShellGPT to discover potential vulnerabilities in the target.
The commands generated by ShellGPT may vary depending on the prompt used and the
tools available on the machine. Due to these variables, the output generated by ShellGPT
might differ from what is shown in the screenshots. These differences arise from the
dynamic nature of the AI's processing and the diverse environments in which it operates.
As a result, you may observe differences in command syntax, execution, and results
while performing this lab task.
Click Parrot Security to switch to the Parrot Security machine and log in with attacker/toor. Open a Terminal window and
execute sudo su to run the program as the root user (when prompted, enter the password toor).
The password that you type will not be visible.
Run the bash [Link] command to configure ShellGPT and the AI activation key.
You can follow the Instructions to Download your AI Activation Key in Module 00: CEH
Lab Setup to obtain the AI activation key. Alternatively, follow the instructions
available in the file, Instructions to Download your AI_Activation_Key.pdf
After configuring ShellGPT on the Parrot Security machine, in the terminal window, run sgpt --chat nikto --shell
"Scan the URL [Link] to identify potential vulnerabilities with nikto" to launch a Nikto
scan on the target website.
In the prompt, type E and press Enter to execute the command.
The scan result appears, displaying the discovered vulnerabilities in the target website
(here, [Link]), as shown in the screenshot.
The Nikto scan takes a long time to complete. You can terminate the scan by pressing Ctrl+Z.
In the terminal, run the sgpt --chat vuln --shell "Perform vulnerability scan on target url
[Link] with Nmap" command to perform a vulnerability scan on the target website. The
result appears, displaying the open ports and services running on the target website.
Run sgpt --chat vuln --shell "Perform a vulnerability scan on target url [Link] with
skipfish" to scan the target URL using skipfish tool.
If a prompt appears, press any key to continue the scanning process.
skipfish begins scanning the target URL. After the scan completes, the report is saved in the
/tmp/skipfish_scan_output/ directory as [Link]. Navigate to that location, right-click
[Link], and open it with the Firefox ESR web browser, as shown in the screenshot.
The location of the scan report might differ. You can view the location in the skipfish
command generated by ShellGPT.
The Firefox browser window appears, displaying the complete scan report, as shown in the screenshot.
Apart from the aforementioned commands, you can further explore additional options within the ShellGPT tool
and utilize various other tools to conduct vulnerability assessments on the target.
This concludes the demonstration of performing vulnerability assessment on the target system using
ShellGPT.
Close all open windows and document all the acquired information.
Question [Link]
Write a prompt using ShellGPT to perform a vulnerability scan on the [Link] website using the Nikto
vulnerability scanner. Enter the contents of the Uncommon header ‘host header’ found during the vulnerability scan.