Exploring vulnerable services
Vulnerable services are the Achilles heel of a system if they are left unpatched: a known but unfixed vulnerability leaves a weakness in a company's systems that a malicious hacker can use to gain access. A vulnerability is a flaw in a system that becomes dangerous as soon as it is reachable as an attack vector. Vulnerabilities come in many forms, such as outdated operating systems and unpatched software, unnecessary services exposed on open ports, and weak or missing authentication that allows unauthorized access. Installing patches and updates promptly fixes the known ones and removes most of the major problems you will see; the rest, such as the misconfigured FTP service set up later in this section, has to be found and fixed by the administrator.
Discovering vulnerable services
Now that we know what a vulnerability is, let's look at the typical way a pentest discovers vulnerabilities:
- Ensure that you have a list of targets. Targets are categorized as hosts; in AWS, we can think of EC2 instances as hosts.
- Once you have a list of hosts, scan them and enumerate information from them: open ports, the services listening on them, and their versions. Scanning is done with various tools, which we will use more of in Chapter 9, Real-Life Pentesting with Metasploit and More!.
- Assign a risk rating to each vulnerability you found while scanning and enumerating. Risk is typically labeled as low, medium, high, or critical, with critical having the most impact.
- You may also find "low-hanging fruit" while scanning. Low-hanging fruit are easy-to-exploit vulnerabilities, such as default credentials or an anonymous login, that give you a foothold on a target quickly.
- Report discovered vulnerabilities promptly so that they can be properly patched. Typically, another team is assigned to fix these issues and apply patches to the systems.
This is the basis of how vulnerabilities are discovered in a pentesting engagement. Now let's look at how vulnerable services are created, from an administrator's point of view.
Creating vulnerable services
For this short example, we are going to install vsftpd and enable anonymous login on our CentOS 7 machine. Anonymous login is a feature of most FTP servers, and vsftpd turns it on unless the configuration file disables it. It allows anyone to connect to the FTP server using the following credentials:
- Username: anonymous (vsftpd also accepts ftp)
- Password: anything; by convention an email address, which vsftpd does not check
As you can already guess, allowing anyone such easy access to your server creates a huge security risk. We will learn how to set up the server as vulnerable, and then later will learn some security controls that we can put in place to lock down the FTP server:
- ssh into the CentOS 7 server that we set up. You will need to log in as the user ec2-user, and not root.
- Once logged into the server, run the following command to update your server:
$ sudo yum update
- Follow this by installing the vsftpd service:
$ sudo yum install vsftpd
If you're getting permission errors, run sudo su to switch over to the root user account. This will allow you to run all further commands as the root user.
- Installing the package does not start the service. Start it with sudo systemctl start vsftpd, then verify that it is running by typing sudo service vsftpd status (or sudo systemctl status vsftpd).
- Now that vsftpd is installed, we need to ensure that anonymous login is enabled. Open the configuration file, /etc/vsftpd/vsftpd.conf, in an editor with root privileges (for example, sudo vi /etc/vsftpd/vsftpd.conf) and set the anonymous login directive to:
anonymous_enable=YES
The CentOS 7 package ships with this line set to NO, so change the existing line rather than adding a second one. Mind the exact spelling, anonymous_enable: vsftpd refuses to start if the configuration file contains an option it does not recognize.
It will look like the following screenshot:
Restart the service so the change takes effect (sudo systemctl restart vsftpd), and make sure the security group attached to the instance allows inbound TCP port 21, or nothing outside the instance will reach the service. Now your server is set up with anonymous login. Later on in the book, in Chapter 3, Exploring Pentesting and AWS, we will discuss how to scan and connect to the service locally and remotely from other instances within our environment.
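The same procedure as a script, added here as an example that is not the book's own code. It assumes the CentOS 7 layout used above (the vsftpd package, /etc/vsftpd/vsftpd.conf, systemctl) and the vsftpd directive names anonymous_enable, anon_upload_enable and anon_mkdir_write_enable; the configuration it edits when run without arguments is a constructed sample, not a real CentOS file. Beside the weak setting it shows the hardened form and a small audit function that rates the result, which is the check you would run against the same file when assessing the host rather than building it.

```shell
#!/usr/bin/env bash
# Added example (not the book's code). Manages the anonymous-login directive in
# vsftpd.conf and audits the result. Assumes CentOS 7: the vsftpd package,
# /etc/vsftpd/vsftpd.conf and systemctl. "sudo ./vsftpd-anon.sh apply" does the
# real install on the instance; with no argument it only demonstrates the
# functions on a constructed temporary config.
set -u

VSFTPD_CONF="${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}"

# Set KEY=VALUE in FILE. The first existing line for KEY, commented out or not,
# is replaced in place; later duplicates are dropped so the file has a single
# unambiguous setting. If KEY is absent, it is appended.
set_vsftpd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[ \t]*#?[ \t]*" k "=") { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the effective value of KEY: the last active (uncommented) line wins,
# and DEFAULT is returned when the key is absent.
get_vsftpd_option() {
  local file="$1" key="$2" default="${3:-}" value
  value=$(grep -E "^[[:space:]]*${key}=" "$file" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
  printf '%s\n' "${value:-$default}"
}

# vsftpd's compiled-in default for anonymous_enable is YES, so a missing key
# still means anonymous login is on. Exit 0 if enabled, 1 if not.
vsftpd_anon_enabled() {
  [ "$(get_vsftpd_option "$1" anonymous_enable YES)" = "YES" ]
}

# The deliberately weak configuration the chapter sets up.
make_vulnerable() {
  set_vsftpd_option "$1" anonymous_enable YES
}

# The corresponding lockdown: no anonymous access, and no anonymous writes
# even if someone re-enables the login later.
make_hardened() {
  set_vsftpd_option "$1" anonymous_enable NO
  set_vsftpd_option "$1" anon_upload_enable NO
  set_vsftpd_option "$1" anon_mkdir_write_enable NO
}

# Audit a config and print one finding with a rating. The ratings are this
# example's own judgement (an assumption, not from the book): anonymous read
# access is medium, anonymous write access is high, anything else is info.
audit_vsftpd_conf() {
  local file="$1" rating="info" detail="anonymous FTP disabled"
  if vsftpd_anon_enabled "$file"; then
    rating="medium"; detail="anonymous FTP login enabled"
    if [ "$(get_vsftpd_option "$file" anon_upload_enable NO)" = "YES" ] ||
       [ "$(get_vsftpd_option "$file" anon_mkdir_write_enable NO)" = "YES" ]; then
      rating="high"; detail="anonymous FTP login enabled with write access"
    fi
  fi
  printf '%s: %s (%s)\n' "$rating" "$detail" "$file"
}

if [ "${1:-demo}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 apply" >&2; exit 1; }
  yum -y install vsftpd
  make_vulnerable "$VSFTPD_CONF"
  # The edit only takes effect once the service is (re)started.
  systemctl enable vsftpd
  systemctl restart vsftpd
  audit_vsftpd_conf "$VSFTPD_CONF"
else
  # Offline demonstration on a constructed sample config.
  demo=$(mktemp)
  printf '# constructed sample\nanonymous_enable=NO\nlocal_enable=YES\nlisten=YES\n' > "$demo"
  make_vulnerable "$demo"; audit_vsftpd_conf "$demo"
  make_hardened "$demo";   audit_vsftpd_conf "$demo"
  rm -f "$demo"
fi
```

The awk replacement keeps the directive at its original position in the file and rewrites a commented-out `#anonymous_enable=...` line too, which matters because a commented line is not "off": vsftpd falls back to its compiled-in default of YES, so the audit treats an absent key as enabled.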
We now have some understanding of what vulnerabilities are and how to reproduce them ourselves. It's important to understand the full scope of the technical work we will be doing throughout this book. In regard to vulnerabilities, please note that discovering vulnerabilities is not the same as attacking them. In a vulnerability assessment, you are assigned to discover, assess, and evaluate any vulnerabilities found. Pentesting takes this type of testing one step further by attacking and exploiting those vulnerabilities through manual and automated exploitation.
Let's move on to discussing what attacking vulnerabilities entails.