CSY202 Week 04 - Validate vulnerabilities before moving to reading resources.

Opening Framing: From Enumeration to Exploitation Planning

You've mapped the network and enumerated services. Now comes the critical question: which of these services have exploitable vulnerabilities? Vulnerability analysis bridges enumeration and exploitation.

This phase involves vulnerability scanning, manual verification, researching CVEs, and prioritizing findings. Not every vulnerability is worth exploiting—you need to identify which weaknesses provide the best path to your objectives.

This week covers vulnerability scanning tools, CVE research, manual vulnerability verification, and how to prioritize findings for exploitation.

Key insight: Vulnerability scanners find potential issues; skilled analysts determine which are real and exploitable.

1) Understanding Vulnerabilities

Vulnerability fundamentals for penetration testers:

Vulnerability Types:

Software Vulnerabilities:
- Buffer overflows
- SQL injection
- Cross-site scripting (XSS)
- Remote code execution
- Authentication bypass
- Privilege escalation

Configuration Vulnerabilities:
- Default credentials
- Unnecessary services
- Excessive permissions
- Missing patches
- Insecure protocols
- Debug modes enabled

Design Vulnerabilities:
- Weak authentication schemes
- Insecure data storage
- Missing encryption
- Poor session management
- Logic flaws

CVE and Vulnerability Databases:

CVE (Common Vulnerabilities and Exposures):
- Standardized vulnerability identifiers
- Format: CVE-YEAR-NUMBER
- Example: CVE-2021-44228 (Log4Shell)

Key databases:

NVD (National Vulnerability Database):
https://nvd.nist.gov
- US government maintained
- CVSS scores
- Detailed descriptions

Exploit-DB:
https://www.exploit-db.com
- Exploit code repository
- Searchable by CVE, product
- Includes proof-of-concept code

CVE Details:
https://www.cvedetails.com
- Searchable by product/vendor
- Statistics and trends
- CVSS scores

Vulners:
https://vulners.com
- Aggregates multiple sources
- API available
- Good for automation

CVSS Scoring:

CVSS (Common Vulnerability Scoring System):

Score ranges:
0.0       - None
0.1-3.9   - Low
4.0-6.9   - Medium
7.0-8.9   - High
9.0-10.0  - Critical

Base metrics:
- Attack Vector (Network, Adjacent, Local, Physical)
- Attack Complexity (Low, High)
- Privileges Required (None, Low, High)
- User Interaction (None, Required)
- Scope (Unchanged, Changed)
- Impact (Confidentiality, Integrity, Availability)

Example interpretation:
CVE-2021-44228 (Log4Shell): CVSS 10.0
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: Complete system compromise

High score = prioritize for exploitation

Key insight: CVSS scores indicate severity, but context matters. A CVSS 7.0 on a critical server may matter more than a CVSS 9.0 on an isolated test system.

2) Vulnerability Scanning

Automated scanners identify potential vulnerabilities:

Popular Vulnerability Scanners:

Commercial:
- Nessus (Tenable)
- Qualys
- Rapid7 Nexpose/InsightVM
- Burp Suite Professional

Free/Open Source:
- OpenVAS (Greenbone)
- Nikto (web)
- Nuclei
- Nmap NSE scripts

Each has strengths:
- Nessus: Comprehensive, good reports
- OpenVAS: Free alternative to Nessus
- Nikto: Fast web scanning
- Nuclei: Template-based, customizable

Nmap Vulnerability Scanning:

# Nmap vuln scripts
nmap --script=vuln [target]

# Specific vulnerability checks
nmap --script=smb-vuln-* [target]
nmap --script=http-vuln-* [target]

# Common vulnerability scripts:
smb-vuln-ms17-010    # EternalBlue
smb-vuln-ms08-067    # Conficker
http-vuln-cve2017-5638  # Apache Struts
ssl-heartbleed       # Heartbleed

# Example output:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1
|     State: VULNERABLE
|     Risk factor: HIGH
|     CVE: CVE-2017-0143

Nikto Web Scanning:

# Basic web scan
nikto -h http://target.com

# With SSL
nikto -h https://target.com -ssl

# Save output
nikto -h http://target.com -o nikto_results.txt

# Nikto checks for:
- Server misconfigurations
- Default files
- Dangerous HTTP methods
- Known vulnerable scripts
- Outdated server software
- Information disclosure

# Example findings:
+ Server: Apache/2.4.7
+ The X-XSS-Protection header is not defined
+ /admin/: Directory indexing found
+ /phpinfo.php: PHP info file found

Nuclei Template Scanning:

# Update templates
nuclei -ut

# Basic scan
nuclei -u http://target.com

# Scan with specific templates
nuclei -u http://target.com -t cves/

# Scan multiple targets
nuclei -l targets.txt -t cves/

# Severity filter
nuclei -u http://target.com -severity critical,high

# Template categories:
# cves/          - Known CVEs
# vulnerabilities/ - Generic vulns
# misconfigurations/ - Config issues
# exposures/     - Information disclosure
# takeovers/     - Subdomain takeover

Key insight: Scanners are a starting point, not the final answer. They produce false positives and miss vulnerabilities that require manual analysis.

3) Manual Vulnerability Verification

Verify scanner findings before reporting or exploiting:

Why Manual Verification Matters:

Scanner limitations:
- False positives (reports non-existent vulns)
- False negatives (misses real vulns)
- Can't assess business context
- Limited logic flaw detection
- Version-based guessing

Manual verification:
- Confirms vulnerability exists
- Assesses actual exploitability
- Determines real impact
- Finds what scanners miss
- Required for quality reports

Version-Based Vulnerability Research:

From enumeration, you found:
"Apache/2.4.49"

Research process:

1. Search for CVEs:
   Google: "Apache 2.4.49 CVE"
   NVD: Search "Apache HTTP Server 2.4.49"

2. Find: CVE-2021-41773
   - Path traversal vulnerability
   - CVSS: 7.5
   - Can read files outside document root

3. Find exploit/PoC:
   Exploit-DB, GitHub, security blogs

4. Verify manually:
   curl "http://target/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"

5. Document:
   - Confirmed vulnerable
   - Evidence screenshot
   - Impact assessment

Searchsploit - Local Exploit Database:

# Searchsploit searches local Exploit-DB copy

# Basic search
searchsploit apache 2.4

# More specific
searchsploit "Apache 2.4.49"

# Copy exploit to current directory
searchsploit -m 50383

# Update database
searchsploit -u

# Example output:
-------------------------------------------
 Exploit Title                             |  Path
-------------------------------------------
Apache 2.4.49 - Path Traversal            | multiple/webapps/50383.sh
Apache 2.4.50 - RCE                       | multiple/webapps/50406.sh
-------------------------------------------

# Examine exploit
cat /usr/share/exploitdb/exploits/multiple/webapps/50383.sh

Manual Testing Examples:

# Testing for default credentials
# FTP
ftp target.com
> USER anonymous
> PASS anonymous@

# SSH (never brute force without authorization)
# Just check if password auth is enabled
ssh -o PreferredAuthentications=password target.com

# Web admin panels
# Try admin:admin, admin:password, etc.
# Check documentation for defaults

# Testing for information disclosure
curl -I http://target.com  # Check headers
curl http://target.com/robots.txt
curl http://target.com/.git/HEAD
curl http://target.com/phpinfo.php
curl http://target.com/server-status

# Testing for directory traversal
curl "http://target.com/file?path=../../../etc/passwd"
curl "http://target.com/file?path=....//....//etc/passwd"

Key insight: Manual verification separates professional pentesters from script kiddies. Anyone can run a scanner; skill is in validating and understanding findings.

4) Vulnerability Prioritization

Not all vulnerabilities are equal—prioritize effectively:

Prioritization Factors:

1. Exploitability
   - Is exploit available?
   - Does it work reliably?
   - What conditions required?

2. Impact
   - What access does it provide?
   - RCE > Info disclosure
   - Admin > User

3. Asset Value
   - How important is the target?
   - What data/access does it have?
   - Business criticality

4. Path to Objective
   - Does this help reach the goal?
   - Stepping stone to more valuable targets?
   - Part of attack chain?

Prioritization Matrix:

                    Exploitability
                Easy      Medium    Hard
           ┌─────────┬─────────┬─────────┐
    High   │  DO NOW │ DO NEXT │ CONSIDER│
           ├─────────┼─────────┼─────────┤
Impact Med │ DO NEXT │ CONSIDER│  LATER  │
           ├─────────┼─────────┼─────────┤
    Low    │ CONSIDER│  LATER  │  SKIP   │
           └─────────┴─────────┴─────────┘

Examples:

DO NOW:
- EternalBlue on domain controller
- SQL injection on login page
- Default admin credentials

DO NEXT:
- RCE requiring authentication
- Privilege escalation on compromised host

CONSIDER:
- Complex exploit chain
- Information disclosure

SKIP (for now):
- DoS vulnerabilities (usually out of scope)
- Theoretical vulns without PoC

Building an Attack Plan:

Attack Plan Template:

TARGET: 192.168.1.100 (Web Server)

Priority 1 - High Impact, Easy Exploit:
┌────────────────────────────────────────────────┐
│ Vulnerability: Apache 2.4.49 Path Traversal    │
│ CVE: CVE-2021-41773                           │
│ Exploitability: Easy (curl command)            │
│ Impact: File read, possible RCE                │
│ Status: VERIFIED                               │
│ Next: Attempt exploitation                     │
└────────────────────────────────────────────────┘

Priority 2 - Requires More Work:
┌────────────────────────────────────────────────┐
│ Vulnerability: PHPMyAdmin 4.8.1 LFI            │
│ CVE: CVE-2018-12613                           │
│ Exploitability: Medium (need session)          │
│ Impact: RCE                                    │
│ Status: VERSION CONFIRMED                      │
│ Next: Attempt after Priority 1                 │
└────────────────────────────────────────────────┘

Priority 3 - Backup Options:
┌────────────────────────────────────────────────┐
│ Vulnerability: Weak SSH credentials            │
│ CVE: N/A (misconfiguration)                   │
│ Exploitability: Medium (brute force)          │
│ Impact: Shell access                           │
│ Status: PASSWORD AUTH ENABLED                  │
│ Next: Try if others fail                       │
└────────────────────────────────────────────────┘

Key insight: Time is limited in real engagements. Prioritization ensures you pursue the most valuable paths first.

5) Vulnerability Documentation

Document findings for exploitation phase and reporting:

Vulnerability Documentation Template:

VULNERABILITY RECORD
====================
ID: VULN-001
Date Found: 2024-01-15
Target: 192.168.1.100
Port/Service: 80/HTTP (Apache 2.4.49)

IDENTIFICATION
--------------
Title: Apache HTTP Server Path Traversal
CVE: CVE-2021-41773
CVSS: 7.5 (High)
CWE: CWE-22 (Path Traversal)

VERIFICATION
------------
Method: Manual testing
Command: curl "http://192.168.1.100/cgi-bin/.%2e/%2e%2e/etc/passwd"
Result: File contents returned
Evidence: [screenshot or output]

EXPLOITABILITY
--------------
Exploit Available: Yes
Exploit Source: Exploit-DB 50383
Requirements: None (unauthenticated)
Reliability: High

IMPACT
------
Confidentiality: High (file read)
Integrity: Medium (possible RCE)
Availability: Low
Business Impact: Access to sensitive files

RECOMMENDATIONS
---------------
Remediation: Upgrade to Apache 2.4.51+
Workaround: Disable CGI if not needed
Priority: Critical

REFERENCES
----------
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://www.exploit-db.com/exploits/50383

Evidence Collection:

What to capture:

Screenshots:
- Scanner output showing vulnerability
- Manual verification results
- Successful exploitation (if attempted)

Command output:
- Exact commands used
- Full response received
- Timestamps

Request/Response:
- HTTP requests (Burp)
- Full headers
- Response codes and body

For reporting:
- Clear, labeled screenshots
- Sanitized output (remove sensitive data if needed)
- Reproducible steps

Key insight: Good documentation now saves time during reporting and ensures findings can be reproduced and verified.

Real-World Context: Vulnerability Analysis in Practice

How professionals approach vulnerability analysis:

Scanner Overload: Enterprise scanners can produce thousands of findings. Experienced analysts quickly triage based on context, false positive patterns, and exploitation potential.

Zero-Days: Scanners only find known vulnerabilities. Manual analysis and creative thinking find zero-days and logic flaws that scanners miss.

Client Expectations: Clients want actionable findings. Reporting thousands of "medium" findings without context isn't helpful. Prioritization and clear recommendations matter.

MITRE ATT&CK Mapping:

T1595.002 - Vulnerability Scanning: Automated scanning
T1190 - Exploit Public-Facing Application: Web vulns
T1212 - Exploitation for Credential Access: Auth bypass

Key insight: Vulnerability analysis is where technical knowledge meets critical thinking. Tools help, but judgment matters most.

Guided Lab: Vulnerability Analysis

Analyze vulnerabilities on Metasploitable 2.

Step 1: Run Vulnerability Scans

# Nmap vulnerability scripts
nmap --script=vuln [metasploitable-ip] -oN vuln_scan.txt

# If you have Nikto
nikto -h http://[metasploitable-ip] -o nikto_scan.txt

# Nuclei (if installed)
nuclei -u http://[metasploitable-ip]

Step 2: Research Findings

# For each service found in Week 3:

# Example: vsftpd 2.3.4
searchsploit vsftpd 2.3.4
# Research: CVE-2011-2523 (backdoor)

# Example: Apache Tomcat
searchsploit tomcat
# Check version-specific vulnerabilities

# Example: Samba
searchsploit samba [version]

# Document each finding with CVE and CVSS

Step 3: Manual Verification

# Verify at least 3 vulnerabilities manually

# Example: Check for anonymous FTP
ftp [metasploitable-ip]
> USER anonymous
> PASS test@test.com

# Example: Check for default Tomcat credentials
curl http://[metasploitable-ip]:8080/manager/html

# Example: Test for web vulnerabilities
# DVWA on Metasploitable has many!

Step 4: Prioritize and Plan

# Create attack plan:
1. List all confirmed vulnerabilities
2. Assign priority (High/Medium/Low)
3. Note exploitation approach for each
4. Order by priority for next week

Reflection (mandatory)

How many vulnerabilities did the scanner find vs. what you verified?
Which vulnerability would you exploit first and why?
What vulnerabilities might scanners miss on this target?
How would you explain the risk to a non-technical client?

Week 4 Outcome Check

By the end of this week, you should be able to:

Understand vulnerability types and CVE/CVSS systems
Use vulnerability scanning tools effectively
Manually verify scanner findings
Research vulnerabilities using CVE databases
Prioritize vulnerabilities for exploitation
Document vulnerabilities professionally

Next week: Exploitation Fundamentals—turning vulnerabilities into access.

🎯 Hands-On Labs (Free & Essential)

Validate vulnerabilities before moving to reading resources.

🎮 TryHackMe: Vulnerabilities 101

What you'll do: Learn CVEs, CVSS scoring, and vulnerability verification.
Why it matters: You must distinguish real risk from scanner noise.
Time estimate: 1.5-2 hours

Start TryHackMe Vulnerabilities 101 →

🎮 TryHackMe: Metasploit Intro

What you'll do: Explore the Metasploit framework for validating vulnerabilities.
Why it matters: Verification proves impact and reduces false positives.
Time estimate: 1.5-2 hours

Start TryHackMe Metasploit Intro →

🏁 PicoCTF Practice: Web Exploitation (Vuln Review)

What you'll do: Solve beginner web challenges to practice vulnerability analysis.
Why it matters: Hands-on challenges reinforce identification and prioritization.
Time estimate: 1-2 hours

Start PicoCTF Web Exploitation →

🛡️ Lab: Analyze TLS Handshake

What you'll do: Capture a TLS handshake and identify protocol version, ciphers, and cert chain.
Deliverable: Short analysis note with screenshot or packet details.
Why it matters: Weak TLS choices are exploitable and common.
Time estimate: 60-90 minutes

💡 Lab Tip: Always reproduce a vulnerability manually before reporting it.

🛡️ TLS/PKI Analysis for Testers

Vulnerability analysis includes crypto hygiene. Weak TLS and bad certificate management create real exploitation paths.

What to check:
- TLS versions and cipher suites
- Certificate chain and expiration
- Self-signed or mismatched certs
- HSTS and secure headers

📚 Building on CSY101 Week-14: Tie weak TLS to compliance and audit findings.

Resources

Complete the required resources to build your foundation.

National Vulnerability Database · 45-60 min · 50 XP · Resource ID: csy202_w4_r1 (Required)
Exploit Database · 45-60 min · 50 XP · Resource ID: csy202_w4_r2 (Required)
Nuclei Scanner · Reference · 25 XP · Resource ID: csy202_w4_r3 (Optional)

Lab: Comprehensive Vulnerability Assessment

Goal: Perform full vulnerability assessment of Metasploitable 2 and create prioritized attack plan.

Part 1: Automated Scanning

Run Nmap vulnerability scripts on all ports
Run Nikto on web services
Document all scanner findings

Part 2: CVE Research

For each service/version found in Week 3:
- Search for known CVEs
- Document CVSS scores
- Find available exploits
Create vulnerability inventory spreadsheet

Part 3: Manual Verification

Select top 5 high-priority vulnerabilities
Manually verify each one
Document verification method and evidence
Note any false positives

Part 4: Attack Planning

Prioritize all confirmed vulnerabilities
Create exploitation plan with:
- Priority order
- Exploitation approach
- Expected outcome
- Backup options

Deliverable (submit):

Vulnerability inventory (all findings)
CVE research summary
Manual verification evidence
Prioritized attack plan
Scanner output files

Checkpoint Questions

What is a CVE and why is it useful?
What does a CVSS score of 9.8 indicate?
Why is manual verification important after scanning?
How would you use searchsploit to find exploits?
What factors should influence vulnerability prioritization?
What's the difference between a vulnerability and an exploit?

Week 04 Quiz

Test your understanding of vulnerability analysis, CVEs, and prioritization.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned vulnerability analysis—finding and understanding weaknesses. You used scanners, researched CVEs, and created attack plans.

Reflect on these questions:

Vulnerability scanners produce many findings, but not all are exploitable. How do you determine what's actually risky?
Some vulnerabilities have been known for years but remain unpatched. Why do you think this happens?
How does understanding vulnerabilities from an attacker's perspective help with defense?
What surprised you about the vulnerabilities present on Metasploitable?

A strong reflection will consider both offensive and defensive implications of vulnerability analysis.

Verified Resources & Videos

CVE Details: CVE Details Database
CVSS Calculator: FIRST CVSS v3.1 Calculator
Vulnerability Research: Vulners Aggregator

Vulnerability analysis is the bridge between reconnaissance and exploitation. The quality of your analysis determines which attacks you attempt and how likely they are to succeed. Next week: exploitation—putting this analysis into action.