feat: Add GBL vulnerability assessment lab sheet

Z. Cliffe Schreuders
2025-11-19 18:24:26 +00:00
parent 1a0539d432
commit a94a8e4b55


@@ -0,0 +1,562 @@
// Vulnerability Analysis Lab Sheet
// Based on HacktivityLabSheets: introducing_attacks/8_vulnerability_analysis.md
// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Tom Shaw
// License: CC BY-SA 4.0
// Global persistent state
VAR instructor_rapport = 0
VAR vuln_scanning_mastery = 0
// External variables
EXTERNAL player_name
=== start ===
Vulnerability Assessment Specialist: Welcome, Agent {player_name}. I'm your instructor for Vulnerability Analysis and Assessment.
~ instructor_rapport = 0
~ vuln_scanning_mastery = 0
Vulnerability Assessment Specialist: Vulnerability assessment is critical for efficiently identifying security weaknesses in systems before attackers find them.
Vulnerability Assessment Specialist: While penetration testing involves manually researching and exploiting vulnerabilities, vulnerability scanning is an automated approach that quickly surveys systems for known security issues.
Vulnerability Assessment Specialist: You'll learn to use industry-standard tools like Nmap NSE, Nessus, and Nikto - understanding their strengths, limitations, and when to use each.
Vulnerability Assessment Specialist: Remember: these are powerful reconnaissance tools. Use them only on systems you're authorized to assess.
~ vuln_scanning_mastery += 10
-> vuln_scan_hub
=== vuln_scan_hub ===
Vulnerability Assessment Specialist: What aspect of vulnerability assessment would you like to explore?
+ [What is vulnerability scanning?]
-> vuln_scanning_intro
+ [Vulnerability scanning vs penetration testing]
-> scanning_vs_pentesting
+ [Nmap Scripting Engine (NSE)]
-> nmap_nse
+ [Using Nessus vulnerability scanner]
-> nessus_scanner
+ [Web vulnerability scanning with Nikto]
-> nikto_scanner
+ [Limitations of automated tools]
-> tool_limitations
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> END
=== vuln_scanning_intro ===
Vulnerability Assessment Specialist: Vulnerability scanning is an automated approach to identifying security weaknesses in systems.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: Scanners typically perform or import network scans like port scans and service identification, then automatically check whether detected services contain known vulnerabilities.
Vulnerability Assessment Specialist: They compare detected service versions against databases of known vulnerabilities - similar to what you did manually using CVE databases.
+ [How do vulnerability scanners work?]
Vulnerability Assessment Specialist: Most vulnerability scanners follow a standard process:
Vulnerability Assessment Specialist: First, they conduct or import a port scan to identify running services and their versions.
Vulnerability Assessment Specialist: Then they compare this information against databases of known vulnerabilities for those specific versions.
Vulnerability Assessment Specialist: Many also send probes to confirm vulnerabilities actually exist, not just assume based on version numbers.
Vulnerability Assessment Specialist: Some tests are potentially dangerous and might crash services, so most scanners offer a "safe mode" to avoid risky checks.
~ instructor_rapport += 5
+ [Why use automated scanning?]
Vulnerability Assessment Specialist: Automated scanning has several advantages:
Vulnerability Assessment Specialist: It's fast - scanning hundreds of systems in the time it would take to manually test one.
Vulnerability Assessment Specialist: It's comprehensive - checking for thousands of known vulnerabilities systematically.
Vulnerability Assessment Specialist: It's repeatable - you can regularly rescan to catch newly introduced vulnerabilities.
Vulnerability Assessment Specialist: It reduces the risk of human error or overlooking obvious issues.
Vulnerability Assessment Specialist: However, it also has significant limitations we'll discuss.
~ instructor_rapport += 5
- -> vuln_scan_hub
=== scanning_vs_pentesting ===
Vulnerability Assessment Specialist: Penetration testing and vulnerability scanning are complementary but distinct approaches.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: Penetration testing involves manual research, planning, and actual exploitation of vulnerabilities. It's deeper but slower.
Vulnerability Assessment Specialist: Vulnerability scanning is automated, faster, and broader but shallower.
+ [What are the advantages of penetration testing?]
Vulnerability Assessment Specialist: Penetration testing has several key advantages:
Vulnerability Assessment Specialist: Very few false positives - if a tester successfully exploits a vulnerability, it's definitely real.
Vulnerability Assessment Specialist: Testers can chain vulnerabilities together in creative ways automated tools can't imagine.
Vulnerability Assessment Specialist: Human intuition can spot logical flaws and business logic vulnerabilities that scanners miss.
Vulnerability Assessment Specialist: However, there's always risk that an exploit may cause unintentional damage.
Vulnerability Assessment Specialist: And even skilled testers might miss something obvious if they're checking things manually.
~ instructor_rapport += 5
+ [What are the advantages of vulnerability scanning?]
Vulnerability Assessment Specialist: Vulnerability scanning excels at:
Vulnerability Assessment Specialist: Speed - scanning entire networks in hours instead of days or weeks.
Vulnerability Assessment Specialist: Coverage - systematically checking for thousands of known vulnerabilities.
Vulnerability Assessment Specialist: Safety - tests can be configured to avoid dangerous probes that might crash services.
Vulnerability Assessment Specialist: Consistency - same tests run the same way every time.
Vulnerability Assessment Specialist: Cost-effectiveness - after initial setup, scanning is cheap to repeat regularly.
~ instructor_rapport += 5
+ [Which approach is better?]
Vulnerability Assessment Specialist: The best security assessments use both!
Vulnerability Assessment Specialist: Start with vulnerability scanning to quickly identify low-hanging fruit and obvious issues.
Vulnerability Assessment Specialist: Then use penetration testing to go deeper, verify critical findings, and test how vulnerabilities can be chained together.
Vulnerability Assessment Specialist: Many organizations do frequent vulnerability scans with periodic penetration tests.
Vulnerability Assessment Specialist: Think of scanning as your smoke detector, and penetration testing as your fire drill.
~ instructor_rapport += 5
- -> vuln_scan_hub
=== nmap_nse ===
Vulnerability Assessment Specialist: The Nmap Scripting Engine (NSE) extends Nmap's capabilities beyond simple port scanning.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: NSE allows Nmap to be extended with scripts that add service detection, vulnerability checking, and even exploitation capabilities.
Vulnerability Assessment Specialist: Nmap is distributed with hundreds of scripts written in the Lua programming language.
+ [How do I use Nmap scripts?]
Vulnerability Assessment Specialist: The simplest way is to use the default script set:
Vulnerability Assessment Specialist: nmap -sC TARGET
Vulnerability Assessment Specialist: This runs all scripts categorized as "default" - safe, useful, and not overly intrusive.
Vulnerability Assessment Specialist: For vulnerability scanning specifically: nmap --script vuln -sV TARGET
Vulnerability Assessment Specialist: The vuln category includes scripts that check for known vulnerabilities.
Vulnerability Assessment Specialist: You can also run specific scripts: nmap --script distcc-cve2004-2687 TARGET
~ instructor_rapport += 5
+ [Where are NSE scripts located?]
Vulnerability Assessment Specialist: All NSE scripts are stored in /usr/share/nmap/scripts/
Vulnerability Assessment Specialist: You can list them with: ls /usr/share/nmap/scripts/
Vulnerability Assessment Specialist: Each script is a .nse file. Looking at their code shows what they check for.
Vulnerability Assessment Specialist: For example, distcc-cve2004-2687.nse checks for the specific Distcc vulnerability.
Vulnerability Assessment Specialist: The scripts are organized by category: auth, broadcast, default, discovery, dos, exploit, fuzzer, intrusive, malware, safe, version, and vuln.
~ instructor_rapport += 5
+ [How effective is NSE for vulnerability detection?]
Vulnerability Assessment Specialist: NSE vulnerability detection is useful but limited.
Vulnerability Assessment Specialist: The vuln scripts check for specific, well-known vulnerabilities - they're not comprehensive like dedicated vulnerability scanners.
Vulnerability Assessment Specialist: However, they're very useful for quick checks and are actively maintained by the Nmap community.
Vulnerability Assessment Specialist: Think of NSE as a lightweight vulnerability scanner - good for initial assessment but not a replacement for tools like Nessus.
~ instructor_rapport += 5
- -> vuln_scan_hub
=== nessus_scanner ===
Vulnerability Assessment Specialist: Nessus by Tenable is one of the most popular commercial vulnerability scanners in the industry.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: It uses a client-server architecture with a web interface, and can scan for tens of thousands of vulnerabilities.
Vulnerability Assessment Specialist: Vulnerability tests are written in NASL (Nessus Attack Scripting Language), and subscribers receive regular updates to vulnerability signatures.
+ [How do I use Nessus?]
Vulnerability Assessment Specialist: Access Nessus through its web interface at https://localhost:8834
Vulnerability Assessment Specialist: Login with the credentials provided (typically nessusadmin)
Vulnerability Assessment Specialist: Click "New Scan" and choose a scan template - Basic Network Scan is a good starting point.
Vulnerability Assessment Specialist: Enter your target IP addresses and click "Launch"
Vulnerability Assessment Specialist: Nessus will systematically test the targets and present results categorized by severity: Critical, High, Medium, Low, Info.
~ instructor_rapport += 5
+ [What scan templates does Nessus offer?]
Vulnerability Assessment Specialist: Nessus offers various scan profiles for different purposes:
Vulnerability Assessment Specialist: Basic Network Scan - Good general-purpose scan for network services
Vulnerability Assessment Specialist: Advanced Scan - Allows detailed customization of what to check
Vulnerability Assessment Specialist: Web Application Tests - Focused on web vulnerabilities
Vulnerability Assessment Specialist: Compliance scans - Check systems against security policy standards
Vulnerability Assessment Specialist: Each template determines which vulnerability checks run and how aggressive the scanning is.
~ instructor_rapport += 5
+ [How do I interpret Nessus results?]
Vulnerability Assessment Specialist: Nessus presents results with detailed information for each finding:
Vulnerability Assessment Specialist: Severity rating (Critical to Info) helps prioritize remediation
Vulnerability Assessment Specialist: CVE identifiers link to official vulnerability databases
Vulnerability Assessment Specialist: Plugin descriptions explain what was found and why it's a problem
Vulnerability Assessment Specialist: Solution sections provide remediation guidance
Vulnerability Assessment Specialist: References link to additional information and exploit code
Vulnerability Assessment Specialist: You can export results as HTML, PDF, or XML for reports or import into Metasploit.
~ instructor_rapport += 5
+ [What's the difference between Basic and Advanced scans?]
Vulnerability Assessment Specialist: Basic scans use default settings optimized for speed and safety.
Vulnerability Assessment Specialist: Advanced scans let you customize:
Vulnerability Assessment Specialist: Which vulnerability checks to run
Vulnerability Assessment Specialist: Whether to perform "thorough tests" (slower but more comprehensive)
Vulnerability Assessment Specialist: Whether to show potential false alarms
Vulnerability Assessment Specialist: Advanced scans typically find more vulnerabilities but take longer and carry slightly higher risk of disruption.
~ instructor_rapport += 5
- -> vuln_scan_hub
=== nikto_scanner ===
Vulnerability Assessment Specialist: Nikto is a command-line web vulnerability scanner focused exclusively on web servers and applications.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: While general scanners like Nmap and Nessus check web servers, Nikto specializes in web-specific vulnerabilities.
Vulnerability Assessment Specialist: It scans for over 6,000 web security issues including dangerous CGI scripts, misconfigurations, and known vulnerable software.
+ [How do I use Nikto?]
Vulnerability Assessment Specialist: Nikto is straightforward to use:
Vulnerability Assessment Specialist: nikto -host TARGET_IP
Vulnerability Assessment Specialist: Nikto will automatically detect web servers on common ports and scan them.
Vulnerability Assessment Specialist: You can also specify a port: nikto -host TARGET_IP -port 8080
Vulnerability Assessment Specialist: Or scan SSL/TLS sites: nikto -host TARGET_IP -ssl
Vulnerability Assessment Specialist: The output shows each issue found with references to more information.
~ instructor_rapport += 5
+ [What kinds of issues does Nikto detect?]
Vulnerability Assessment Specialist: Nikto looks for web-specific vulnerabilities:
Vulnerability Assessment Specialist: Outdated server software with known exploits
Vulnerability Assessment Specialist: Dangerous default files and directories (admin panels, config files)
Vulnerability Assessment Specialist: Server misconfigurations (directory listings, verbose errors)
Vulnerability Assessment Specialist: Known vulnerable web applications and frameworks
Vulnerability Assessment Specialist: Interesting HTTP headers that might reveal information
~ instructor_rapport += 5
+ [How does Nikto compare to Nessus for web scanning?]
Vulnerability Assessment Specialist: Nikto and Nessus overlap but have different strengths:
Vulnerability Assessment Specialist: Nikto is specialized - it goes deeper on web-specific issues.
Vulnerability Assessment Specialist: Nessus is broader - it checks web servers along with everything else.
Vulnerability Assessment Specialist: Nikto is free and open source; Nessus commercial versions are quite expensive.
Vulnerability Assessment Specialist: For comprehensive web testing, use both! They often find different issues.
~ instructor_rapport += 5
- -> vuln_scan_hub
=== tool_limitations ===
Vulnerability Assessment Specialist: Understanding the limitations of automated tools is crucial for effective security assessment.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: No single tool finds everything. Different tools detect different vulnerabilities based on their databases and testing methods.
Vulnerability Assessment Specialist: All automated tools produce false positives and false negatives.
+ [What are false positives and false negatives?]
Vulnerability Assessment Specialist: False positives are vulnerabilities reported that don't actually exist.
Vulnerability Assessment Specialist: For example, a scanner might think software is vulnerable based on version number, but a patch was backported.
Vulnerability Assessment Specialist: False negatives are real vulnerabilities that scanners miss completely.
Vulnerability Assessment Specialist: This happens when vulnerabilities aren't in the scanner's database, or tests aren't configured to detect them.
Vulnerability Assessment Specialist: Penetration testing helps confirm scanner findings and find what was missed.
~ instructor_rapport += 5
+ [Why don't scanners detect all vulnerabilities?]
Vulnerability Assessment Specialist: Several factors limit scanner effectiveness:
Vulnerability Assessment Specialist: Signature-based detection only finds KNOWN vulnerabilities in their databases.
Vulnerability Assessment Specialist: Zero-day vulnerabilities (unknown to vendors) won't be detected.
Vulnerability Assessment Specialist: Configuration issues and logical flaws often can't be detected automatically.
Vulnerability Assessment Specialist: Scanners might not test certain services if they're on non-standard ports.
Vulnerability Assessment Specialist: Safe mode settings might skip tests that could confirm vulnerabilities.
~ instructor_rapport += 5
+ [How can different scanners miss different things?]
Vulnerability Assessment Specialist: Each scanner has different vulnerability databases and detection methods:
Vulnerability Assessment Specialist: Nmap NSE has a limited set of vulnerability scripts focused on network services.
Vulnerability Assessment Specialist: Nessus has an extensive database of checks but might not detect web-specific issues.
Vulnerability Assessment Specialist: Nikto specializes in web vulnerabilities but doesn't check other services.
Vulnerability Assessment Specialist: This is why security professionals run multiple scanners - each catches things others miss.
Vulnerability Assessment Specialist: Even then, manual testing is essential to find what all the scanners missed!
~ instructor_rapport += 5
- -> vuln_scan_hub
=== commands_reference ===
Vulnerability Assessment Specialist: Let me provide a comprehensive vulnerability scanning commands reference.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: **Nmap NSE Scanning:**
Vulnerability Assessment Specialist: Default script scan: nmap -sC TARGET
Vulnerability Assessment Specialist: Vulnerability scripts: nmap --script vuln -sV TARGET
Vulnerability Assessment Specialist: Specific ports: nmap --script vuln -sV -p 1-5000 TARGET
Vulnerability Assessment Specialist: Specific script: nmap --script distcc-cve2004-2687 TARGET
Vulnerability Assessment Specialist: List available scripts: ls /usr/share/nmap/scripts/
Vulnerability Assessment Specialist: View script code: cat /usr/share/nmap/scripts/SCRIPT_NAME.nse
+ [Show me Nessus workflow]
Vulnerability Assessment Specialist: **Nessus Scanning:**
Vulnerability Assessment Specialist: Access web interface: https://localhost:8834
Vulnerability Assessment Specialist: Login: nessusadmin / nessusadmin01
Vulnerability Assessment Specialist: **Workflow:**
Vulnerability Assessment Specialist: 1. Click "New Scan"
Vulnerability Assessment Specialist: 2. Select scan template (Basic Network Scan or Advanced Scan)
Vulnerability Assessment Specialist: 3. Enter scan name and target IP addresses
Vulnerability Assessment Specialist: 4. For Advanced scans, configure: Thorough tests, Show potential false alarms
Vulnerability Assessment Specialist: 5. Click "Save" then "Launch"
Vulnerability Assessment Specialist: 6. View results: Click scan name → "Vulnerabilities" tab
Vulnerability Assessment Specialist: 7. Export results: "Export" → choose format (HTML, PDF, CSV, XML)
~ instructor_rapport += 3
+ [Show me Nikto commands]
Vulnerability Assessment Specialist: **Nikto Web Scanning:**
Vulnerability Assessment Specialist: Basic scan: nikto -host TARGET_IP
Vulnerability Assessment Specialist: Specific port: nikto -host TARGET_IP -port 8080
Vulnerability Assessment Specialist: SSL/HTTPS: nikto -host TARGET_IP -ssl
Vulnerability Assessment Specialist: Multiple ports: nikto -host TARGET_IP -port 80,443,8080
Vulnerability Assessment Specialist: **Tips:**
Vulnerability Assessment Specialist: Output can be verbose - redirect to file: nikto -host TARGET > nikto_results.txt
Vulnerability Assessment Specialist: Check specific paths: nikto -host TARGET -root /admin/
~ instructor_rapport += 3
+ [Show me comparison workflow]
Vulnerability Assessment Specialist: **Comprehensive Assessment Workflow:**
Vulnerability Assessment Specialist: 1. Start with Nmap service detection: nmap -sV -p- TARGET
Vulnerability Assessment Specialist: 2. Run Nmap vuln scripts: nmap --script vuln -sV TARGET
Vulnerability Assessment Specialist: 3. Launch Nessus Basic scan for broad coverage
Vulnerability Assessment Specialist: 4. Launch Nessus Advanced scan with thorough tests
Vulnerability Assessment Specialist: 5. For web servers, run Nikto: nikto -host TARGET
Vulnerability Assessment Specialist: 6. Compare results - note what each tool found uniquely
Vulnerability Assessment Specialist: 7. Verify critical findings with manual testing or exploitation
~ instructor_rapport += 3
- -> vuln_scan_hub
=== challenge_tips ===
Vulnerability Assessment Specialist: Let me give you practical tips for the vulnerability assessment challenges.
~ instructor_rapport += 5
Vulnerability Assessment Specialist: **Running Scans:**
Vulnerability Assessment Specialist: Start Nmap vuln scans early - they take time to complete.
Vulnerability Assessment Specialist: While Nmap runs, start your Nessus scans in parallel.
Vulnerability Assessment Specialist: If Nessus is still initializing plugins, skip ahead to Nikto and come back.
+ [Tips for comparing results?]
Vulnerability Assessment Specialist: Document what each tool finds:
Vulnerability Assessment Specialist: Note which vulnerabilities Nmap NSE detects
Vulnerability Assessment Specialist: Count vulnerabilities by severity in Nessus (Critical, High, Medium, Low)
Vulnerability Assessment Specialist: Compare Basic vs Advanced Nessus scans - how many more does Advanced find?
Vulnerability Assessment Specialist: Check what Nikto finds that the others missed
Vulnerability Assessment Specialist: The lab has MULTIPLE exploitable vulnerabilities - see how many each tool detects.
~ instructor_rapport += 5
+ [Tips for exploiting found vulnerabilities?]
Vulnerability Assessment Specialist: The lab includes vulnerabilities you've seen before (like Distcc) and new ones.
Vulnerability Assessment Specialist: Try exploiting vulnerabilities detected by the scanners to confirm they're real.
Vulnerability Assessment Specialist: There's a NEW privilege escalation vulnerability this week - a different sudo vulnerability.
Vulnerability Assessment Specialist: This time you don't know the user's password, so the previous sudo exploit won't work!
Vulnerability Assessment Specialist: Look for CVE-2021-3156 (Baron Samedit) - affects sudo versions 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1
~ instructor_rapport += 5
+ [Tips for privilege escalation?]
Vulnerability Assessment Specialist: After exploiting a service, check the sudo version: sudo --version
Vulnerability Assessment Specialist: The Baron Samedit vulnerability (CVE-2021-3156) might be present.
Vulnerability Assessment Specialist: This exploit works differently - it doesn't require knowing a password!
Vulnerability Assessment Specialist: You may need to upgrade your shell to Meterpreter first to use the Metasploit exploit.
Vulnerability Assessment Specialist: Search Metasploit: search baron_samedit or search CVE-2021-3156
Vulnerability Assessment Specialist: Use: exploit/linux/local/sudo_baron_samedit
~ instructor_rapport += 5
+ [Troubleshooting tips?]
Vulnerability Assessment Specialist: If Nessus gives API access errors, clear your browser cache (Ctrl+Shift+Delete)
Vulnerability Assessment Specialist: If you can't access a web server, check Firefox proxy settings - disable the proxy or add exclusion for 10.*.*.*
Vulnerability Assessment Specialist: Some vulnerable services might be patched - try attacking all available services.
Vulnerability Assessment Specialist: Nessus scans can take 15-30 minutes - be patient!
Vulnerability Assessment Specialist: Compare results across all tools to see their different strengths and blind spots.
~ instructor_rapport += 5
- -> vuln_scan_hub
=== ready_for_practice ===
Vulnerability Assessment Specialist: Excellent! You're ready for comprehensive vulnerability assessment.
~ instructor_rapport += 10
~ vuln_scanning_mastery += 10
Vulnerability Assessment Specialist: You'll use multiple industry-standard tools to assess the same target and compare their effectiveness.
Vulnerability Assessment Specialist: This lab demonstrates an important lesson: no single tool catches everything. Layer your defenses and your assessments!
Vulnerability Assessment Specialist: Remember: vulnerability scanners are reconnaissance tools. Use them only on authorized targets.
+ [Any final advice?]
Vulnerability Assessment Specialist: Be systematic. Run all the tools, document findings, and compare results.
Vulnerability Assessment Specialist: Pay attention to what each tool finds that others miss - this teaches you their strengths and weaknesses.
Vulnerability Assessment Specialist: Don't just collect scan results - verify critical findings by actually exploiting them.
Vulnerability Assessment Specialist: The limitations of these tools are as important as their capabilities. Real attackers won't stop at what scanners find.
Vulnerability Assessment Specialist: Take notes on severity ratings, CVE numbers, and remediation advice - these make great report content.
Vulnerability Assessment Specialist: Good luck, Agent {player_name}. Time to see what automated tools can and can't detect!
~ instructor_rapport += 10
- -> vuln_scan_hub
-> END
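Review bot: the Nessus login is stated two different ways in this file: the nessus_scanner knot says "Login with the credentials provided (typically nessusadmin)" while the commands_reference knot hard-codes "Login: nessusadmin / nessusadmin01". Pick one; if the lab's fixed credentials are intended, give them in both knots (or pass them in the same way player_name is passed in, via EXTERNAL) so a learner who only follows the first path is not left guessing. Two accuracy points in the same hunk: the category list in the nmap_nse knot ("auth, broadcast, default, discovery, dos, exploit, fuzzer, intrusive, malware, safe, version, and vuln") omits brute and external, which are also NSE categories; and the tool_limitations line "Nessus has an extensive database of checks but might not detect web-specific issues" contradicts the Web Application Tests template introduced in the nessus_scanner knot. The more precise statement is that the Basic Network Scan template does not enable web application tests, which is why Nikto (or the Nessus web template) is still needed for those. Minor: the Nikto tip "redirect to file: nikto -host TARGET > nikto_results.txt" could instead use Nikto's own -output option, which keeps stderr progress separate from the findings.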