Lab 4 Vulnerability Analysis

The document describes how to perform vulnerability research using vulnerability scoring systems and databases. It outlines tasks to research vulnerabilities using Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE), and the National Vulnerability Database (NVD). The tasks guide searching each system to find vulnerabilities in services like SMB and view detailed information on CVE IDs and weaknesses. The research can be used to identify vulnerabilities to potentially exploit.

Uploaded by fawas hamdi

Lab 1: Perform Vulnerability Research with Vulnerability Scoring Systems and Databases

Lab Scenario

As a professional ethical hacker or pen tester, your first step is to search for vulnerabilities in the
target system or network using vulnerability scoring systems and databases. Vulnerability
research provides awareness of advanced techniques to identify flaws or loopholes in the
software that could be exploited. Using this information, you can use various tricks and
techniques to launch attacks on the target system.

Lab Objectives

 Perform vulnerability research in Common Weakness Enumeration (CWE)
 Perform vulnerability research in Common Vulnerabilities and Exposures (CVE)
 Perform vulnerability research in National Vulnerability Database (NVD)

Overview of Vulnerabilities in Vulnerability Scoring Systems and Databases

Vulnerability databases collect and maintain information about various vulnerabilities present in
the information systems.

The following are some of the vulnerability scoring systems and databases:

 Common Weakness Enumeration (CWE)
 Common Vulnerabilities and Exposures (CVE)
 National Vulnerability Database (NVD)
 Common Vulnerability Scoring System (CVSS)

Task 1: Perform Vulnerability Research in Common Weakness Enumeration (CWE)

Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and
weaknesses. It has numerous categories of weaknesses, which means that CWE can be effectively
employed by the community as a baseline for weakness identification, mitigation, and prevention
efforts. Further, CWE has an advanced search technique with which you can search and view the
weaknesses based on research concepts, development concepts, and architectural concepts.

Here, we will use CWE to view the latest underlying system vulnerabilities.

1. By default, the Windows 10 machine is selected; click Ctrl+Alt+Delete to activate the machine.

Alternatively, you can also click the Ctrl+Alt+Delete button under the Windows 10 machine thumbnail in the Resources pane, or click the Ctrl+Alt+Delete button under the Commands (thunder icon) menu.

2. By default, the Admin user profile is selected; click Pa$$w0rd to paste the password in the Password field and press Enter to log in.

Alternatively, you can also click Pa$$w0rd under the Windows 10 machine thumbnail in the Resources pane, or click the Type Text | Type Password button under the Commands (thunder icon) menu.

If the Welcome to Windows wizard appears, click Continue, and in the Sign in with Microsoft wizard, click Cancel.

If the Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.

3. Launch any browser; here, we are using Mozilla Firefox. In the address bar of the browser, place your mouse cursor, click https://cwe.mitre.org/ and press Enter.
o If the Default Browser pop-up window appears, uncheck the Always perform this check when starting Firefox checkbox and click the Not now button.
o If a New in Firefox: Content Blocking pop-up window appears, follow the step and click Got it to finish viewing the information.

4. The CWE website appears. In the Google Custom Search under the Search CWE section, type SMB and click the search icon.

Here, we are searching for the vulnerabilities of the running services that were found
in the target systems in previous module labs (Module 04 Enumeration).

5. The search results appear, displaying the underlying vulnerabilities in the target
service (here, SMB). You can click any link to view detailed information on the
vulnerability.

The search results might differ in your lab environment.


6. Now, click any link (here, CWE-200) to view detailed information about the
vulnerability.

7. A new webpage appears in a new tab, displaying detailed information regarding the vulnerability. You can scroll down further to view more information.

8. Similarly, you can click on other vulnerabilities and view detailed information.

9. Now, navigate back to the CWE website, scroll down, and click the CWE List link
present below the searched results.

10. A new webpage appears, displaying CWE List Version. Scroll down, and under
the External Mappings section, click CWE Top 25 (2019).

The result might differ in your lab environment.


11. A webpage appears, displaying CWE VIEW: Weaknesses in the 2019 CWE Top
25 Most Dangerous Software Errors. Scroll down and view a list of Weaknesses in
the 2019 CWE Top 25 Most Dangerous Software Errors under
the Relationships section. You can click on each weakness to view detailed
information on it.

This information can be used to exploit the vulnerabilities in the software and further
launch attacks.

The publishing year of the result might differ in your lab environment.


12. Similarly, you can go back to the CWE website and explore other options, as
well.

13. This concludes the demonstration of checking vulnerabilities in the Common Weakness Enumeration (CWE).

14. Close all open windows and document all the acquired information.

Task 2: Perform Vulnerability Research in Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a publicly available and free-to-use list or
dictionary of standardized identifiers for common software vulnerabilities and exposures. It is
used to discuss or share information about a unique software or firmware vulnerability, provides
a baseline for tool evaluation, and enables data exchange for cybersecurity automation.

Here, we will use CVE to view the latest underlying system and software vulnerabilities.

1. In the Windows 10 machine, launch any browser (here, Mozilla Firefox). In the address bar of the browser, place your mouse cursor, click https://cve.mitre.org/ and press Enter.

2. The CVE website appears. In the right pane, under the Newest CVE Entries section, recently discovered vulnerabilities are displayed.

The results might differ in your lab environment.

3. You can copy the name of any vulnerability under the Newest CVE
Entries section and search on CVE to view detailed information on it. (here, we are
selecting the vulnerability CVE-2020-13910)

4. Now, click on the Search CVE List tab. Under Search CVE List section, type the
vulnerability name (here, CVE-2020-4051) in the search bar, and click Submit.
5. Search Results page appears, displaying the information regarding the
searched vulnerability. You can click the vulnerability link to view further detailed
information regarding the vulnerability.
6. Similarly, in the Search CVE List section, you can search for a service-related
vulnerability by typing the service name (here, SMB) and click Submit.

You can search for the vulnerabilities of the running services that were found in the
target systems in previous module labs (Module 04 Enumeration).

7. The Search Results page appears, displaying a list of vulnerabilities in the target service (SMB) along with their description, as shown in the screenshot.

The results might vary in your lab environment.


8. Further, you can click on the CVE-ID of any vulnerability to view its detailed information. Here, we will click on the first CVE-ID link.

9. Detailed information regarding the vulnerability is displayed, such as its Description, References, and Date Entry Created. Further, you can click on links under the References section to view more information on the vulnerability.

10. Likewise, you can search for other target services for the underlying vulnerabilities in the Search CVE List section.

11. This concludes the demonstration of checking vulnerabilities in the Common Vulnerabilities and Exposures (CVE).

12. Close all open windows and document all the acquired information.

Task 3: Perform Vulnerability Research in National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based
vulnerability management data represented using the Security Content Automation Protocol
(SCAP). These data enable the automation of vulnerability management, security measurement,
and compliance. The NVD includes databases of security checklist references, security-related
software flaws, misconfigurations, product names, and impact metrics.

Here, we will use the NVD to view the latest underlying system and software vulnerabilities.
1. In the Windows 10 machine, launch any browser (here, Mozilla Firefox). In the address bar of the browser, place your mouse cursor, click https://nvd.nist.gov/ and press Enter.

2. The NATIONAL VULNERABILITY DATABASE website appears; the recently discovered vulnerabilities can be viewed.

3. You can click on the CVE-ID link (here, CVE-2020-6269) to view detailed information about the vulnerability.

The results might differ in your lab environment.

4. A new webpage appears, displaying CVE-2020-6269 Detail. You can view detailed information such as Current Description, Severity, References, and Weakness Enumeration.

5. Under the Severity section, click the Base Score link to view the CVSS details regarding the vulnerability.

6. A new webpage appears, displaying information such as the Base Score, Temporal Score, Environmental Score and Overall Score related to the vulnerability in graphical form, under Common Vulnerability Scoring System Calculator CVE-2020-6269.
o Base Score: The metric most relied upon by enterprises; it deals with the inherent qualities of a vulnerability. The tables below describe the severity of a vulnerability depending upon the Base Score range:

CVSS v3.0 Ratings

Severity   Base Score Range
None       0.0
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0

CVSS v2.0 Ratings

Severity   Base Score Range
Low        0.0-3.9
Medium     4.0-6.9
High       7.0-10.0

o Temporal Score: Represents the qualities of the vulnerability that change over time, and the Environmental Score represents the qualities of the vulnerability that are specific to the affected user's environment.

o Overall Score: Sum total of both the scores (CVSS Base Score, CVSS Temporal Score).

7. Scroll down to view more detailed information on different score metrics such
as Base Score Metrics, Temporal Score Metrics, and Environmental Score
Metrics.

The results might differ depending upon the selected vulnerability


8. Now, navigate back to the main page of the NATIONAL VULNERABILITY
DATABASE website. Expand Vulnerabilities and click Search & Statistics option, as
shown in the screenshot.
9. Search Vulnerability Database page appears. In the Keyword Search field,
type a target service (here, SMB) to find vulnerabilities associated with it and
click Search.

You can search for the vulnerabilities of the running services that were found in the
target systems in previous module labs (Module 04 Enumeration).
10. The Search Results page appears, displaying detailed information on the
underlying vulnerabilities in the target service.

11. You can further view detailed information on each vulnerability by clicking on
the Vuln ID link.

12. Likewise, you can search for other target services for the underlying vulnerability
in the Search Vulnerability Database section.

13. This concludes the demonstration of checking vulnerabilities in the National Vulnerability Database (NVD).

14. Close all open windows and document all the acquired information.
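Steps 9 to 11 search NVD for a keyword (here, SMB) and then read each Vuln ID's severity and weakness by hand. The same search is available from the NVD CVE API 2.0, and the following Python is an added example, not part of the lab manual or of NIST's tooling, that runs a keywordSearch query and flattens each result into the fields the lab inspects (CVE ID, CVSS base score and severity, CWE, description). The embedded SAMPLE_RESPONSE is constructed in the shape of an API 2.0 reply with placeholder CVE IDs (CVE-0000-000x) and is not real NVD data; the endpoint URL and the keywordSearch parameter are NIST's documented ones.

```python
"""Summarize NVD CVE API 2.0 results the way the lab's keyword search page
does. Added example, not from the lab manual. SAMPLE_RESPONSE is a
constructed reply with placeholder CVE IDs, not real NVD data."""
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def fetch_keyword(keyword: str, results_per_page: int = 20) -> dict:
    """Run the lab's keyword search (Search & Statistics page) against the
    NVD API. Network call; not exercised offline."""
    query = urllib.parse.urlencode(
        {"keywordSearch": keyword, "resultsPerPage": results_per_page})
    req = urllib.request.Request(f"{NVD_API}?{query}",
                                 headers={"User-Agent": "nvd-lab-example"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(response: dict) -> list:
    """Flatten one API response into rows: id, score, severity, CWEs, text,
    sorted so the High/Critical findings surface first."""
    rows = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        score, severity = None, "UNSCORED"   # entries awaiting analysis carry no metrics
        # Prefer v3.1, then v3.0, then v2 (the same order NVD displays them).
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                entry = metrics[key][0]
                score = entry["cvssData"]["baseScore"]
                # v3 keeps baseSeverity inside cvssData, v2 one level up.
                severity = entry["cvssData"].get("baseSeverity") or entry.get("baseSeverity", "UNKNOWN")
                break
        description = next((d["value"] for d in cve.get("descriptions", [])
                            if d["lang"] == "en"), "")
        cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                       for d in w.get("description", [])
                       if d["value"].startswith("CWE-")})
        rows.append({"id": cve["id"], "score": score, "severity": severity,
                     "cwes": cwes, "description": description})
    return sorted(rows, key=lambda r: -1 if r["score"] is None else r["score"],
                  reverse=True)


# Constructed sample in the API 2.0 shape; placeholder IDs, not real CVEs.
SAMPLE_RESPONSE = json.loads("""
{"resultsPerPage": 3, "totalResults": 3, "vulnerabilities": [
 {"cve": {"id": "CVE-0000-0001",
   "descriptions": [{"lang": "en", "value": "Constructed sample: information disclosure in an SMB server."}],
   "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]},
   "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}},
 {"cve": {"id": "CVE-0000-0002",
   "descriptions": [{"lang": "en", "value": "Constructed sample: buffer overflow in SMB packet parsing."}],
   "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
   "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}]}]}},
 {"cve": {"id": "CVE-0000-0003",
   "descriptions": [{"lang": "en", "value": "Constructed sample: unscored entry still awaiting analysis."}]}}
]}
""")


if __name__ == "__main__":
    # Swap in fetch_keyword("SMB") to run the lab's search for real.
    for row in summarize(SAMPLE_RESPONSE):
        print(f'{row["id"]:16} {str(row["score"]):5} {row["severity"]:9} '
              f'{",".join(row["cwes"]) or "-":10} {row["description"]}')
```

The unscored third entry shows why the fallback chain matters: a CVE that NVD has published but not yet analyzed has no `metrics` object at all, and a summary that assumes v3.1 data is present would crash on exactly the newest entries the lab's front page lists. When calling the live endpoint, NVD rate-limits unauthenticated clients, so batch queries should be paced or use an API key.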

Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools

Lab Scenario

The information gathered in the previous labs might not be sufficient to reveal potential
vulnerabilities of the target: there could be more information available that may help in finding
loopholes. As an ethical hacker, you should look for as much information as possible using all
available tools. This lab will demonstrate other information that you can extract from the target
using various vulnerability assessment tools.

Lab Objectives

 Perform vulnerability analysis using OpenVAS
 Perform vulnerability scanning using Nessus
 Perform vulnerability scanning using GFI LanGuard
 Perform web servers and applications vulnerability scanning using CGI Scanner Nikto

Overview of Vulnerability Assessment Tools

Vulnerability assessment tools are used to secure and protect the organization’s system or
network: security analysts can use these tools to identify weaknesses present in the organization’s
security posture and remediate the identified vulnerabilities before an attacker exploits them.
Network vulnerability scanners analyze and identify vulnerabilities in the target network or
network resources using vulnerability assessment and network auditing. These tools also assist in
overcoming weaknesses in the network by suggesting various remediation techniques.

Task 1: Perform Vulnerability Analysis using OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful
vulnerability scanning and vulnerability management solution. Its capabilities include
unauthenticated testing, authenticated testing, various high level and low-level Internet and
industrial protocols, performance tuning for large-scale scans, and a powerful internal
programming language to implement any vulnerability test. The actual security scanner is
accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs)—over 50,000
in total.

Here, we will perform a vulnerability analysis using OpenVAS.

In this task, we will use the Parrot Security (10.10.10.13) machine as a host machine and
the Windows Server 2016 (10.10.10.16) machine as a target machine.

1. Click on Parrot Security to switch to the Parrot Security machine.

2. In the login page, the attacker username will be selected by default. Enter the password toor in the Password field and press Enter to log in to the machine.

If a Parrot Updater pop-up appears at the top-right corner of the Desktop, ignore and close it.

If a Question pop-up window appears asking you to update the machine, click No to close the window.

3. Click Applications at the top of the Desktop window and navigate to Pentesting --> Vulnerability Analysis --> Openvas - Greenbone --> Start to launch the OpenVAS tool.

4. A terminal window appears; in the [sudo] password for attacker field, type toor as the password and press Enter. OpenVAS initializes.

The password that you type will not be visible.


5. After the tool initializes, click the Firefox icon from the top section of the Desktop.

6. The Firefox browser appears; in the address bar, type https://127.0.0.1:9392 and press Enter.

7. The OpenVAS login page appears; log in with the Username and Password as admin and password and click the Login button.

8. The OpenVAS Dashboards appears, as shown in the screenshot.

9. Navigate to Scans --> Tasks from the Menu bar.

If a Welcome to the scan management! pop-up appears, close it.


10. Hover over wand icon and click the Task Wizard option.
11. The Task Wizard window appears; enter the target IP address in the IP
address or hostname field (here, the target system is Windows Server 2016
[10.10.10.16]) and click the Start Scan button.
12. The task appears under the Tasks section; OpenVAS starts scanning the target
IP address.
13. Wait for the Status to change from Requested to Done. Once it is completed,
click the Done button under the Status column to view the vulnerabilities found in
the target system.

If you are logged out of the session, log in again using the credentials admin/password.

14. Report: Information appears; click the Results tab to view the discovered vulnerabilities along with their severity and the port numbers on which they are running.

15. Click on any vulnerability under the Vulnerability column (here, Apache HTTP Server 2.4.20 - 2.4.39 Multiple Vulnerabilities (Windows)) to view its detailed information.

16. Detailed information regarding the selected vulnerability appears, as shown in the screenshot.

17. Similarly, you can click other discovered vulnerabilities under the Report: Results section to view detailed information regarding the vulnerabilities in the target system.

18. Next, go through the findings, including all high or critical vulnerabilities, and manually verify each vulnerability using your own skills. The challenge with vulnerability scanners is that they are quite limited; they work well for an internal or white-box test only if the credentials are known. We will explore that now: return to your OpenVAS tool and set up the same scan again, but this time turn the firewall ON in the Windows Server 2016 machine.

19. Now, we will enable Windows Firewall in the target system and scan it for vulnerabilities.

20. Click on Windows Server 2016 to switch to the Windows Server 2016 machine and click Ctrl+Alt+Delete to activate it. By default, the Administrator user profile is selected; click Pa$$w0rd to paste the password in the Password field and press Enter to log in.

21. Navigate to Control Panel --> System and Security --> Windows Firewall --> Turn Windows Firewall on or off, enable Windows Firewall, and click OK.

By turning the Firewall ON, you are making it more difficult for the scanning tool to scan for vulnerabilities in the target system.

22. Click on Parrot Security to switch to the Parrot Security machine and perform Steps 9-11 to create another task for scanning the target system.

23. A newly created task appears under the Tasks section and starts scanning the
target system for vulnerabilities.

24. After the completion of the scan, click the Done button under the Status column.

25. Report: Information appears; click the Results tab to view the discovered vulnerabilities along with their severity and the port numbers on which they are running.

The results might vary in your lab environment.


26. The scan results for the target machine before and after the Windows Firewall
was enabled are the same, thereby indicating that the target system is vulnerable to
attack even if the Firewall is enabled.

27. This concludes the demonstration of performing vulnerability analysis using OpenVAS.

28. Close all open windows and document all the acquired information.

29. Click on Windows Server 2016 to switch to the Windows Server 2016 machine and click Ctrl+Alt+Delete to activate it. By default, the Administrator user profile is selected; click Pa$$w0rd to paste the password in the Password field and press Enter to log in.

30. Navigate to Control Panel --> System and Security --> Windows Firewall --> Turn Windows Firewall on or off, disable Windows Firewall, and click OK.

Task 2: Perform Vulnerability Scanning using Nessus

Nessus is an assessment solution for identifying vulnerabilities, configuration issues, and malware, which can be used to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies such as OSes, network devices, hypervisors, databases, tablets/phones, web servers, and critical infrastructure.

Here, we will use Nessus to perform vulnerability scanning on the target system.

1. Click on Windows 10 to switch to Windows 10 machine.

2. Launch any browser (here, Microsoft Edge). In the address bar of the browser, place your mouse cursor, click https://localhost:8834/ and press Enter.

3. The This site is not secure page appears; expand the Details section and click Go on to the webpage.

4. In the Nessus login page, use Admin as the username and password as the Password, and click Sign In.

5. Nessus begins to initialize; this will take some time. On completion of initialization, the Nessus dashboard appears along with the Welcome to Nessus Essentials pop-up. Close the pop-up.

In the Let Microsoft Edge save and fill your password for this site next time? pop-up, click Never.

6. The Nessus Essentials dashboard appears; click Policies under the RESOURCES section from the pane on the left.

7. The Policies window appears; click Create a new policy.

8. The Policy Templates window appears; click Advanced Scan.

9. The New Policy / Advanced Scan section appears.

10. In the Settings tab under the BASIC setting type, specify a policy name in the Name field (here, NetworkScan_Policy), and give a Description about the policy (here, Scanning a Network).

11. In the Settings tab, click the DISCOVERY setting type and turn off the Ping the remote host option in the right pane.

12. Select the Port Scanning option under the DISCOVERY setting type, and then click the Verify open TCP ports found by local port enumerators checkbox. Leave the other fields with default options, as shown in the screenshot.

13. Select the ADVANCED setting type. In the right pane, under the Performance Options settings, set the values of Max number of concurrent TCP sessions per host and Max number of concurrent TCP sessions per scan to Unlimited.

14. To configure the credentials of the new policy, click the Credentials tab and select Windows from the options.

15. Specify the Username and Password in the window. Here, the specified credentials are CEH123/qwerty@123.

Re-enter the created user account credentials, Admin/password, if a session timeout notification pop-up appears.

16. Click the Plugins tab and do not alter any of the options in this window. Click
the Save button.
17. A Policy saved successfully notification pop-up appears, and the policy is
added in the Policies window, as shown in the screenshot.
18. Now, click Scans from the menu bar to open My Scans window; click Create a
new scan.

19. The Scan Templates window appears. Click the User Defined tab and select NetworkScan_Policy.

If an API Disabled pop-up appears, refresh the browser and log in again to Nessus Essentials using the credentials (Admin/password). If it still shows the API Disabled error, clear the cache of the browser: click the three dots at the top right of the browser --> History --> Clear History, make sure that cache and cookies are checked, click Clear, and log in to Nessus Essentials again.
20. The New Scan / NetworkScan_Policy window appears. Under General
Settings in the right pane, input the Name of the scan (here, Local Network) and
enter the Description for the scan (here, Scanning a local network); in
the Targets field, enter the IP address of the target on which you want to perform
the vulnerability analysis. In this lab, the target IP address is 10.10.10.16 (Windows
Server 2016).

The IP addresses may vary in your lab environment.


21. Click Schedule settings; ensure that the Enabled switch is turned off. Click the
drop-down icon next to the Save button and select Launch to start the scan.
22. The Scan saved and launched successfully notification pop-up appears. The
scan is launched, and Nessus begins to scan the target.

23. After the completion of the scan: click Local Network to view the detailed
results.

24. The Local Network window appears, displaying the summary of target hosts, as well as the Scan Details and Vulnerabilities categorization under the Hosts tab, as shown in the screenshot.

25. Click the Vulnerabilities tab, and scroll down to view all the vulnerabilities associated with the target machine.

The list of vulnerabilities may differ in your lab environment.

26. Click these vulnerabilities to view detailed reports about each. For instance, in
this lab, we are selecting the first vulnerability in the list, that is, SNMP (Multiple
Issues).
27. The Local Network / SNMP (Multiple Issues) window appears, displaying
multiple issues in SNMP service. Click on any issue (here, SNMP Agent Default) to
view its detailed information.
28. The report regarding selected vulnerability SNMP Agent Default Community
Name (public) appears with detailed information such as plugin details, risk
information, vulnerability information, reference information and the solution, and
output, as shown in the screenshot.

29. On completing the vulnerability analysis, click Scans, and then click the recently
performed scan (here, Local Network).
30. In the Local Network window, click the Report tab from the top-right corner,
and choose a file format (here, HTML) from the drop-down list. By downloading a
report, you can access it anytime, instead of logging in to Nessus again and again.
31. The Generate HTML Report pop-up appears: leave the Report type option on
default (Executive Summary). Click Generate Report to download the report.

If the What do you want to do with Local_Network_5cfvy7.html? pop-up appears, click Save.

The file name might differ in your lab environment.

32. Once the download is finished, a pop-up appears at the bottom of the browser;
click Open.

33. If the How do you want to open this file? pop-up appears, choose any
browser (here, Firefox) to view the downloaded HTML file.

34. The Nessus scan report appears in the Firefox web browser, as shown in the
screenshot.

Screenshots and browser might differ in your lab environment.

35. You can click the Expand All option to view the detailed scan report.
36. A list of discovered vulnerabilities appears. You can further click on plugins
(here, 130276) to view more detailed information on the vulnerability

The results might differ in your lab environment.


37. The selected plugin details are displayed, as shown in the screenshot.

38. In this way, you can select a vulnerability of your choice to view the complete
details.

39. Once the vulnerability analysis is done, switch back to Microsoft Edge where
Nessus is running and click Admin --> Sign Out in the top-right corner.
40. Once the session is successfully logged out, a Signed out successfully.
Goodbye, admin notification appears.
41. This concludes the demonstration of performing vulnerability assessment using
Nessus.

42. Close all open windows and document all the acquired information.

Task 3: Perform Vulnerability Scanning using GFI LanGuard

GFI LanGuard scans, detects, assesses, and rectifies security vulnerabilities in your network and
connected devices. It scans the network and ports to detect, assess, and correct security
vulnerabilities, with minimal administrative effort. It scans your OSes, virtual environments, and
installed applications through vulnerability check databases. It enables you to analyze the state of
your network security, identify risks, and address how to take action before it is compromised.

Here, we will use GFI LanGuard to perform vulnerability scanning on the target system.

1. Click on Windows Server 2019 to switch to the Windows Server 2019 machine and click Ctrl+Alt+Delete to activate the machine. By default, the Administrator user account is selected; click on Pa$$w0rd to enter the password and press Enter.

2. Launch any browser; in this lab we are using Mozilla Firefox. In the address bar of the browser, place your mouse cursor, click https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/download/ and press Enter.

3. The GFI LanGuard registration page appears. Enter your details and business email under the Business Email field and click Continue.

4. On the next page, enter the required details and select the I agree to GFI
Software terms of service and privacy policy and consent to GFI Software to
process data checkbox and click Start my free trial
5. The Download your GFI LanGuard trial page appears; click the Download
your free trial button.

The Opening languard.exe pop-up appears; click Save File.


6. Now, navigate to the download location (here, Downloads) and double-
click languard.exe to install.

If the User File - Security Warning pop-up appears, click Run.


7. The GFI LanGuard dialog box appears; select preferred language (here, English)
and click OK.

8. The GFI LanGuard wizard appears with the selected components for installation; click Next to proceed.

9. The Database Configuration window appears. In the SQL server name field, type .\SQLEXPRESS and leave the SQL database name as default. Ensure that the Use Windows Authentication checkbox is selected and click OK.

The SQL server name might differ in your lab environment.


10. Now, switch back to the Mozilla Firefox browser, open a new tab, and log in to
your email account that you have given while registration.

11. Open an email from GFI Downloads and copy the activation key.

12. The GFI LanGuard License Key window appears. Paste the received activation
key in the Enter License Key field and click OK.
13. GFI LanGuard starts installing after the completion of the installation; when
the GFI LanGuard Setup window appears, click Next.
14. The End-User License Agreement wizard appears; accept the terms and
click Next.

15. In the Attendant service credentials wizard, leave the Name field as default (here, SERVER2019\Administrator) and enter the Password of the administrator account (here, Pa$$w0rd); then, click Next.

The Name field might differ in your lab environment.

16. In the Choose Destination Location wizard, leave the Folder location set to default and click Install.
17. The Installing GFI LanGuard wizard appears. After the completion of
installation, the GFI LanGuard Central Management Server Setup window
appears; then, click Next.
18. In the Service logon information wizard, leave the User Name field
(Administrator user account) set to its default, enter the Password of the
administrator account (here, Pa$$w0rd), and click Next.

The Name field might differ in your lab environment.

19. The HTTPS Settings wizard appears; keep the name in its default and
click Next.

The name field might differ in your lab environment.


20. In the Destination Folder wizard, choose the location where you want to install
the application (here, the default location is selected) and click Next.

21. In the Ready to install wizard, click Install to proceed.

22. Once the installation is complete in the GFI LanGuard Central Management Server Setup window, click Finish.

23. In the GFI LanGuard Setup window, ensure that the Launch GFI LanGuard checkbox is selected. De-select the Launch GFI LanGuard Central Management Server checkbox and click Finish.
24. A GFI LanGuard pop-up appears on the main window of the application;
click Continue evaluation.
25. The GFI LanGuard main window appears, and it begins to inspect the security
status of the local computer.

26. Click Launch a Scan or View details.

27. A window indicates that a scan on the local machine is already in progress.
Allow the scan to finish analyzing vulnerabilities in the host machine.

28. Click Stop to halt the vulnerability scan on the host machine.

If the Stop scanning confirmation pop-up appears, click Yes.

The scan might take time to stop.

29. The Launch a New Scan page appears: specify the details required to scan a
target/machine as follows:
o Enter the IP address of the machine in the Scan Target field (here, the target
machine is Windows Server 2016 [10.10.10.16]), and ensure that the Full
Scan option is selected from the Profile drop-down list.
o Ensure that Currently logged on user is selected in the Credentials drop-
down list.
o Click Scan.
This may vary in your lab environment.

30. GFI LanGuard takes some time to perform the vulnerability assessment on the
intended machine.
31. Once the scanning is complete, a Scan completed! message is displayed
under Scan Results Details, as shown in the screenshot.

The scanning takes approximately 20–30 minutes to complete.

32. To examine the scanned result, in the left pane under Scan Results Overview,
click the IP address (10.10.10.16) node to expand it. The Vulnerability
Assessment and Network & Software Audit nodes are displayed, as shown in the
screenshot.

The results might differ in your lab environment.


33. Click the Vulnerability Assessment node. This shows category-wise details of
assessed vulnerabilities. Click each category to view the vulnerabilities in detail.
34. Expand Ports and click Open TCP Ports to view all the open TCP Ports under
the Scan Results Details section in the right pane, as shown in the screenshot.

35. Click System Information to view detailed information about the target system
under the Scan Results Details section in the right pane.
36. Expand the System Information node and click Shares to view the details of
shared folders in the target machine.
37. Similarly, you can click the Hardware and Software nodes to view detailed scan
information.

38. Click the Dashboard tab to display the scanned network information. In the left
pane, expand Entire Network, and then CEH; then, click SERVER2016.

39. Detailed information such as Vulnerability Level, Security Sensors, Computer
Details, Scan Activity, and Results Statistics is displayed in the right pane, as
shown in the screenshot.

In a real-world engagement, this vulnerability information about the target systems
can be used to develop and design exploits suitable for breaking into a network or a
single target.

40. You can further explore the tool by clicking on various options. For instance,
click on Software from the options at the top to view a list of applications installed
on the target machine under the Application Category list. You can also click on
any application (here, Google Chrome) to view its detailed information
under Details sections, as shown in the screenshot.
41. Click on the Vulnerabilities option; a list of various categories of vulnerabilities
appears under the Vulnerability Types section. Click on any category of
vulnerability (here, High Security Vulnerabilities): detailed information on this
category is displayed under the Details section, and a list of vulnerabilities is
displayed under the Vulnerability List section.
42. You can further explore scanned results by clicking various options such
as Patches, System Information, Hardware, and Ports.

43. Now, click on the Report tab and click the Vulnerability Status type
under General Reports from the right pane.

44. Information about the Vulnerability Status report appears in the right pane;
click the Generate Report button to create the vulnerability report.
45. The Vulnerability Status report appears in the right pane. Click on the drop-
down icon next to icon and choose the HTML File format.
46. The HTML Export Options window appears; leave the settings to default and
click OK.

47. The Save As window appears; set the download location to Desktop. Rename
the file to Vulnerability Status Report.html and click Save.
48. The GFI LanGuard pop-up appears; click Yes to open the file.

49. In the How do you want to open this file? pop-up, select any web browser
(here, Firefox) and click OK.
50. The Vulnerability Status report appears; you can scroll down to view detailed
information regarding discovered vulnerabilities.
51. This concludes the demonstration of scanning network vulnerabilities using GFI
LanGuard.

52. Close all open windows and document all the acquired information.

Task 4: Perform Web Servers and Applications Vulnerability
Scanning using CGI Scanner Nikto

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against
web servers for multiple items, including over 6700 potentially dangerous files/programs, checks
for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It
also checks for server configuration items such as the presence of multiple index files and HTTP
server options; it will also attempt to identify installed web servers and software.

Here, we will perform web servers and applications vulnerability scanning using CGI scanner
Nikto.

In this task, we will target the www.certifiedhacker.com website.

1. Click on Parrot Security to switch to Parrot Security machine.

2. Click the Applications menu in the top-left corner of Desktop and navigate
to Pentesting --> Web Application Analysis --> Web Vulnerability Scanners -->
nikto to open Nikto in the Terminal window.
3. A Parrot Terminal window appears; in the [sudo] password for attacker field,
type toor as the password and press Enter. Nikto initializes.

The password that you type will not be visible.


4. Nikto scanning options will be displayed to scan the target website.
5. You can further type nikto -H and press Enter to view the various available
commands with full help text.
6. The result appears, displaying various available options in Nikto. We will use
the Tuning option to do a deeper and more comprehensive scan on the target
webserver.

A tuning scan can be used to decrease the number of tests performed against a
target. By specifying the type of test to include or exclude, faster and more focused
testing can be completed. This is useful in situations where tests for certain categories,
such as XSS or simply “interesting” files, are not wanted.
7. In the terminal window, type nikto -h (Target Website) -Tuning x (here, the
target website is www.certifiedhacker.com) and press Enter. Nikto starts scanning
with all the tuning options enabled.

-h specifies the target host; x selects the Reverse Tuning option (i.e., include
all tests except those specified).

The scan takes approximately 10 minutes to complete.

8. The result appears, displaying various information such as the name of the
server, IP address, target port, retrieved files, and vulnerabilities details of the target
website.

The result might vary in your lab environment.


9. Here, we will check for CGI directories with the -Cgidirs option. With this option,
you can search specific directories or use all to search all the available
directories.

10. In the terminal window, type nikto -h (Target Website) -Cgidirs all (here, the
target website is www.certifiedhacker.com) and press Enter.

-Cgidirs: scans the specified CGI directories; users can use the filters “none”
or “all” to scan none or all of the CGI directories.

The scan takes approximately 10 minutes to complete.

11. The target website does not have any CGI directory; therefore, the same result
as the previous scan was obtained.

You can try this command on another website to obtain information about CGI
directories.
12. Now, we will save the scan results in the form of a text file on Desktop. To do
so, type cd and press Enter to jump to the root directory.

13. Type cd Desktop and press Enter to navigate to the Desktop folder.


14. Type nikto -h (Target Website) -o (File_Name) -F txt (here, the target website
is www.certifiedhacker.com) and press Enter.

-h: specifies the target, -o: specifies the name of the output file, and -F: specifies the
file format.

Name the file Nikto_Scan_Results.

The scan takes approximately 10 minutes to complete.


15. Now, type pluma Nikto_Scan_Results and press Enter to open the created file
in a text editor window. The file appears displaying the scanned results, as shown in
the screenshot.
16. This concludes the demonstration of checking vulnerabilities in the target
website using Nikto.

17. Close all open windows and document all the acquired information.
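As an added example (not code from the lab manual or from the Nikto project), the shell script below wraps the three Nikto invocations of steps 7, 10 and 14 and adds a small triage helper for the text report saved in step 14. The host name, address and report lines in the sample are constructed for offline use; nikto is needed on PATH only when a scan is actually run.

```shell
# Added example, not from the lab manual or the Nikto project: wraps the three
# Nikto invocations of steps 7, 10 and 14 and adds a triage helper for the
# "-F txt" report saved in step 14. nikto is needed on PATH only to run a scan.

# Argument string for one of this task's scan modes.
nikto_args() {
    target="$1"; mode="$2"; outfile="${3:-Nikto_Scan_Results}"
    case "$mode" in
        tuning) printf '%s\n' "-h $target -Tuning x" ;;          # step 7: reverse tuning
        cgi)    printf '%s\n' "-h $target -Cgidirs all" ;;       # step 10
        save)   printf '%s\n' "-h $target -o $outfile -F txt" ;; # step 14
        *)      printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
}

# Run a scan if nikto is installed; otherwise show the command that would run.
run_scan() {
    args=$(nikto_args "$@") || return 1
    if command -v nikto >/dev/null 2>&1; then
        nikto $args   # word-splitting of $args is intended
    else
        printf 'nikto not found; would run: nikto %s\n' "$args"
    fi
}

# Nikto prefixes every reported line with "+ ". The target/time header lines, the
# "Server:" banner and the closing request count share that prefix, so they are
# dropped to leave only the findings worth triaging.
count_findings() {
    grep '^+ ' "$1" | grep -v -e '^+ Target ' -e '^+ Start Time' \
        -e '^+ End Time' -e '^+ Server: ' -e 'requests:' | wc -l | tr -d ' '
}

# First server banner in the report (empty if none).
server_banner() { sed -n 's/^+ Server: //p' "$1" | head -n 1; }

# Constructed sample in Nikto's text layout (not a real scan result) so the
# helpers can be exercised offline.
write_sample_report() {
    cat > "$1" <<'EOF'
+ Target IP:          198.51.100.10
+ Target Hostname:    www.example.test
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set.
+ /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2024-01-01 10:09:00 (GMT0) (540 seconds)
EOF
}
```

Run `run_scan www.certifiedhacker.com save` to reproduce step 14, then `count_findings Nikto_Scan_Results` to see how many items need review.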
