Opening Framing: From Enumeration to Exploitation Planning
You've mapped the network and enumerated services. Now comes the critical question: which of these services have exploitable vulnerabilities? Vulnerability analysis bridges enumeration and exploitation.
This phase involves vulnerability scanning, manual verification, researching CVEs, and prioritizing findings. Not every vulnerability is worth exploiting—you need to identify which weaknesses provide the best path to your objectives.
This week covers vulnerability scanning tools, CVE research, manual vulnerability verification, and how to prioritize findings for exploitation.
Key insight: Vulnerability scanners find potential issues; skilled analysts determine which are real and exploitable.
1) Understanding Vulnerabilities
Vulnerability fundamentals for penetration testers:
Vulnerability Types:
Software Vulnerabilities:
- Buffer overflows
- SQL injection
- Cross-site scripting (XSS)
- Remote code execution
- Authentication bypass
- Privilege escalation
Configuration Vulnerabilities:
- Default credentials
- Unnecessary services
- Excessive permissions
- Missing patches
- Insecure protocols
- Debug modes enabled
Design Vulnerabilities:
- Weak authentication schemes
- Insecure data storage
- Missing encryption
- Poor session management
- Logic flaws
CVE and Vulnerability Databases:
CVE (Common Vulnerabilities and Exposures):
- Standardized vulnerability identifiers
- Format: CVE-YEAR-NUMBER
- Example: CVE-2021-44228 (Log4Shell)
Key databases:
NVD (National Vulnerability Database):
https://nvd.nist.gov
- US government maintained
- CVSS scores
- Detailed descriptions
Exploit-DB:
https://www.exploit-db.com
- Exploit code repository
- Searchable by CVE, product
- Includes proof-of-concept code
CVE Details:
https://www.cvedetails.com
- Searchable by product/vendor
- Statistics and trends
- CVSS scores
Vulners:
https://vulners.com
- Aggregates multiple sources
- API available
- Good for automation
CVSS Scoring:
CVSS (Common Vulnerability Scoring System):
Score ranges:
0.0 - None
0.1-3.9 - Low
4.0-6.9 - Medium
7.0-8.9 - High
9.0-10.0 - Critical
Base metrics:
- Attack Vector (Network, Adjacent, Local, Physical)
- Attack Complexity (Low, High)
- Privileges Required (None, Low, High)
- User Interaction (None, Required)
- Scope (Unchanged, Changed)
- Impact (Confidentiality, Integrity, Availability)
Example interpretation:
CVE-2021-44228 (Log4Shell): CVSS 10.0
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: Complete system compromise
High score = prioritize for exploitation
Key insight: CVSS scores indicate severity, but context matters. A CVSS 7.0 on a critical server may matter more than a CVSS 9.0 on an isolated test system.
2) Vulnerability Scanning
Automated scanners identify potential vulnerabilities:
Popular Vulnerability Scanners:
Commercial:
- Nessus (Tenable)
- Qualys
- Rapid7 Nexpose/InsightVM
- Burp Suite Professional
Free/Open Source:
- OpenVAS (Greenbone)
- Nikto (web)
- Nuclei
- Nmap NSE scripts
Each has strengths:
- Nessus: Comprehensive, good reports
- OpenVAS: Free alternative to Nessus
- Nikto: Fast web scanning
- Nuclei: Template-based, customizable
Nmap Vulnerability Scanning:
# Nmap vuln scripts
nmap --script=vuln [target]
# Specific vulnerability checks
nmap --script="smb-vuln-*" [target]   # quote the pattern so the shell does not expand the *
nmap --script="http-vuln-*" [target]
# Common vulnerability scripts:
smb-vuln-ms17-010 # EternalBlue
smb-vuln-ms08-067 # Conficker
http-vuln-cve2017-5638 # Apache Struts
ssl-heartbleed # Heartbleed
# Example output:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1
|     State: VULNERABLE
|     Risk factor: HIGH
|     CVE: CVE-2017-0143
Nikto Web Scanning:
# Basic web scan
nikto -h http://target.com
# With SSL
nikto -h https://target.com -ssl
# Save output
nikto -h http://target.com -o nikto_results.txt
# Nikto checks for:
- Server misconfigurations
- Default files
- Dangerous HTTP methods
- Known vulnerable scripts
- Outdated server software
- Information disclosure
# Example findings:
+ Server: Apache/2.4.7
+ The X-XSS-Protection header is not defined
+ /admin/: Directory indexing found
+ /phpinfo.php: PHP info file found
Nuclei Template Scanning:
# Update templates
nuclei -ut
# Basic scan
nuclei -u http://target.com
# Scan with specific templates
nuclei -u http://target.com -t cves/
# Scan multiple targets
nuclei -l targets.txt -t cves/
# Severity filter
nuclei -u http://target.com -severity critical,high
# Template categories:
# cves/ - Known CVEs
# vulnerabilities/ - Generic vulns
# misconfigurations/ - Config issues
# exposures/ - Information disclosure
# takeovers/ - Subdomain takeover
Key insight: Scanners are a starting point, not the final answer. They produce false positives and miss vulnerabilities that require manual analysis.
3) Manual Vulnerability Verification
Verify scanner findings before reporting or exploiting:
Why Manual Verification Matters:
Scanner limitations:
- False positives (reports non-existent vulns)
- False negatives (misses real vulns)
- Can't assess business context
- Limited logic flaw detection
- Version-based guessing
Manual verification:
- Confirms vulnerability exists
- Assesses actual exploitability
- Determines real impact
- Finds what scanners miss
- Required for quality reports
Version-Based Vulnerability Research:
From enumeration, you found:
"Apache/2.4.49"
Research process:
1. Search for CVEs:
Google: "Apache 2.4.49 CVE"
NVD: Search "Apache HTTP Server 2.4.49"
2. Find: CVE-2021-41773
- Path traversal vulnerability
- CVSS: 7.5
- Can read files outside document root
3. Find exploit/PoC:
Exploit-DB, GitHub, security blogs
4. Verify manually:
curl "http://target/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
5. Document:
- Confirmed vulnerable
- Evidence screenshot
- Impact assessment
Searchsploit - Local Exploit Database:
# Searchsploit searches local Exploit-DB copy
# Basic search
searchsploit apache 2.4
# More specific
searchsploit "Apache 2.4.49"
# Copy exploit to current directory
searchsploit -m 50383
# Update database
searchsploit -u
# Example output:
-------------------------------- ---------------------------
 Exploit Title                  |  Path
-------------------------------- ---------------------------
Apache 2.4.49 - Path Traversal  | multiple/webapps/50383.sh
Apache 2.4.50 - RCE             | multiple/webapps/50406.sh
-------------------------------- ---------------------------
# Examine exploit
cat /usr/share/exploitdb/exploits/multiple/webapps/50383.sh
Manual Testing Examples:
# Testing for default credentials
# FTP (anonymous login; the client prompts for name and password)
ftp target.com
Name (target.com:user): anonymous
Password: anonymous@
# SSH (never brute force without authorization)
# Just check if password auth is enabled
ssh -o PreferredAuthentications=password target.com
# Web admin panels
# Try admin:admin, admin:password, etc.
# Check documentation for defaults
# Testing for information disclosure
curl -I http://target.com # Check headers
curl http://target.com/robots.txt
curl http://target.com/.git/HEAD
curl http://target.com/phpinfo.php
curl http://target.com/server-status
# Testing for directory traversal
curl "http://target.com/file?path=../../../etc/passwd"
curl "http://target.com/file?path=....//....//etc/passwd"
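As a defensive counterpart to the traversal checks above, here is an added example (written for this page, not part of the course material) that flags the same encoded, query-parameter and dot-padded traversal patterns in Apache access log lines. The log lines are constructed samples; the decoder also catches double-encoded variants the page does not list.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
DOT_PADDING = re.compile(r"\.{3,}/")  # '....//' style, aimed at filters that strip '../' once
# Constructed Apache access-log lines (combined-format prefix), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2024:10:00:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1817
203.0.113.5 - - [15/Jan/2024:10:00:03 +0000] "GET /file?path=../../../etc/passwd HTTP/1.1" 404 233
203.0.113.5 - - [15/Jan/2024:10:00:04 +0000] "GET /file?path=....//....//etc/passwd HTTP/1.1" 404 233
203.0.113.5 - - [15/Jan/2024:10:00:05 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512
"""

def fully_decode(value, rounds=3):
    """Undo percent-encoding until it stops changing, so double-encoded %252e is caught as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(value):
    """True if the decoded path walks above the directory it starts in."""
    depth = 0
    for seg in fully_decode(value).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def traversal_indicators(target):
    """Reasons a request target looks like traversal; an empty list means it looks clean."""
    parts = urlsplit(target)
    fields = [("url-path", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    for name, value in fields:
        if escapes_root(value):
            reasons.append(f"{name} escapes root")
        if DOT_PADDING.search(fully_decode(value)):
            reasons.append(f"{name} uses dot-padding evasion")
    return reasons

def scan_log(text):
    """(request target, reasons) for every logged request that trips an indicator."""
    pairs = [(m["target"], traversal_indicators(m["target"])) for m in REQUEST_RE.finditer(text)]
    return [(target, reasons) for target, reasons in pairs if reasons]
```

Against SAMPLE_LOG, scan_log flags the first three requests and leaves the harmless /docs/a/../b.html alone, because a `..` that never climbs above the starting directory is not traversal.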
Key insight: Manual verification separates professional pentesters from script kiddies. Anyone can run a scanner; skill is in validating and understanding findings.
4) Vulnerability Prioritization
Not all vulnerabilities are equal—prioritize effectively:
Prioritization Factors:
1. Exploitability
- Is exploit available?
- Does it work reliably?
- What conditions required?
2. Impact
- What access does it provide?
- RCE > Info disclosure
- Admin > User
3. Asset Value
- How important is the target?
- What data/access does it have?
- Business criticality
4. Path to Objective
- Does this help reach the goal?
- Stepping stone to more valuable targets?
- Part of attack chain?
Prioritization Matrix:
                 Exploitability
             Easy      Medium    Hard
          ┌─────────┬─────────┬─────────┐
    High  │ DO NOW  │ DO NEXT │ CONSIDER│
          ├─────────┼─────────┼─────────┤
Impact Med│ DO NEXT │ CONSIDER│ LATER   │
          ├─────────┼─────────┼─────────┤
    Low   │ CONSIDER│ LATER   │ SKIP    │
          └─────────┴─────────┴─────────┘
Examples:
DO NOW:
- EternalBlue on domain controller
- SQL injection on login page
- Default admin credentials
DO NEXT:
- RCE requiring authentication
- Privilege escalation on compromised host
CONSIDER:
- Complex exploit chain
- Information disclosure
SKIP (for now):
- DoS vulnerabilities (usually out of scope)
- Theoretical vulns without PoC
Building an Attack Plan:
Attack Plan Template:
TARGET: 192.168.1.100 (Web Server)
Priority 1 - High Impact, Easy Exploit:
┌────────────────────────────────────────────────┐
│ Vulnerability: Apache 2.4.49 Path Traversal    │
│ CVE: CVE-2021-41773                            │
│ Exploitability: Easy (curl command)            │
│ Impact: File read, possible RCE                │
│ Status: VERIFIED                               │
│ Next: Attempt exploitation                     │
└────────────────────────────────────────────────┘
Priority 2 - Requires More Work:
┌────────────────────────────────────────────────┐
│ Vulnerability: phpMyAdmin 4.8.1 LFI            │
│ CVE: CVE-2018-12613                            │
│ Exploitability: Medium (need session)          │
│ Impact: RCE                                    │
│ Status: VERSION CONFIRMED                      │
│ Next: Attempt after Priority 1                 │
└────────────────────────────────────────────────┘
Priority 3 - Backup Options:
┌────────────────────────────────────────────────┐
│ Vulnerability: Weak SSH credentials            │
│ CVE: N/A (misconfiguration)                    │
│ Exploitability: Medium (brute force)           │
│ Impact: Shell access                           │
│ Status: PASSWORD AUTH ENABLED                  │
│ Next: Try if others fail                       │
└────────────────────────────────────────────────┘
Key insight: Time is limited in real engagements. Prioritization ensures you pursue the most valuable paths first.
5) Vulnerability Documentation
Document findings for exploitation phase and reporting:
Vulnerability Documentation Template:
VULNERABILITY RECORD
====================
ID: VULN-001
Date Found: 2024-01-15
Target: 192.168.1.100
Port/Service: 80/HTTP (Apache 2.4.49)
IDENTIFICATION
--------------
Title: Apache HTTP Server Path Traversal
CVE: CVE-2021-41773
CVSS: 7.5 (High)
CWE: CWE-22 (Path Traversal)
VERIFICATION
------------
Method: Manual testing
Command: curl "http://192.168.1.100/cgi-bin/.%2e/%2e%2e/etc/passwd"
Result: File contents returned
Evidence: [screenshot or output]
EXPLOITABILITY
--------------
Exploit Available: Yes
Exploit Source: Exploit-DB 50383
Requirements: None (unauthenticated)
Reliability: High
IMPACT
------
Confidentiality: High (file read)
Integrity: Medium (possible RCE)
Availability: Low
Business Impact: Access to sensitive files
RECOMMENDATIONS
---------------
Remediation: Upgrade to Apache 2.4.51+
Workaround: Disable CGI if not needed
Priority: Critical
REFERENCES
----------
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://www.exploit-db.com/exploits/50383
Evidence Collection:
What to capture:
Screenshots:
- Scanner output showing vulnerability
- Manual verification results
- Successful exploitation (if attempted)
Command output:
- Exact commands used
- Full response received
- Timestamps
Request/Response:
- HTTP requests (Burp)
- Full headers
- Response codes and body
For reporting:
- Clear, labeled screenshots
- Sanitized output (remove sensitive data if needed)
- Reproducible steps
Key insight: Good documentation now saves time during reporting and ensures findings can be reproduced and verified.
Real-World Context: Vulnerability Analysis in Practice
How professionals approach vulnerability analysis:
Scanner Overload: Enterprise scanners can produce thousands of findings. Experienced analysts quickly triage based on context, false positive patterns, and exploitation potential.
Zero-Days: Scanners only find known vulnerabilities. Manual analysis and creative thinking find zero-days and logic flaws that scanners miss.
Client Expectations: Clients want actionable findings. Reporting thousands of "medium" findings without context isn't helpful. Prioritization and clear recommendations matter.
MITRE ATT&CK Mapping:
- T1595.002 - Vulnerability Scanning: Automated scanning
- T1190 - Exploit Public-Facing Application: Web vulns
- T1212 - Exploitation for Credential Access: Auth bypass
Key insight: Vulnerability analysis is where technical knowledge meets critical thinking. Tools help, but judgment matters most.
Guided Lab: Vulnerability Analysis
Analyze vulnerabilities on Metasploitable 2.