Why you need to know this
In 2021, a hacker scanned a major bank (legally: it was a commissioned pentest). In the nmap output he saw one line: port 10000, Webmin version 1.962.
He Googled "Webmin 1.962 vulnerabilities" and found a ready-made write-up: "this version has a vulnerability through which you can log in without a password". Within 3 minutes he had full access to the server. The whole pentest boiled down to one line from the scan.
In the previous lesson we learned how to run a scanner. Now you need to read its output like a detective: which clues are real, and which are red herrings.
Without this lesson, scanning is a waste of time. With it, reading scan output is your main skill for the first years of pentesting.
What is CVE
In a nutshell in 30 seconds
CVE = a catalog of all publicly known vulnerabilities in software.
Imagine that for every brand of lock there is a police file: "this brand of lock has a known weakness, it can be opened with a coin". It's the same for software: there is a huge public catalog of all known vulnerabilities.
Each vulnerability gets an identifier like CVE-2024-12345: the year followed by a sequence number. The catalog website is nvd.nist.gov.
Full name: Common Vulnerabilities and Exposures. You don't need to memorize it; it's enough to know "CVE = a known vulnerability with a public file".
How dangerous is a vulnerability: CVSS
Each vulnerability in the catalog has a severity score from 0 to 10, called CVSS. The higher the score, the worse the vulnerability.

| Score | Level | In a nutshell |
|---|---|---|
| 9.0-10.0 | Critical | "House with no door: anyone can walk in" |
| 7.0-8.9 | High | "Lock opens with a pick in 5 minutes" |
| 4.0-6.9 | Medium | "Complex lock, but it can be breached" |
| 0.1-3.9 | Low | "Theoretically possible, but few would bother" |

An attacker always looks at Critical and High first.
Path from scan to lead
In a nutshell in 30 seconds
5 steps:
1. nmap found a service and its version, for example `OpenSSH 7.4`.
2. Google "OpenSSH 7.4 CVE" to get the list of vulnerabilities.
3. Read the description and check the score (9.0 = very dangerous).
4. Look for a ready-made "exploitation tool" on Exploit-DB or GitHub.
5. Test on a training virtual machine (not on someone else's production server!).
4 "red flags" in nmap output
Let's say nmap showed this:

```
22/tcp   open  ssh     OpenSSH 7.4 (Ubuntu Linux)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
3306/tcp open  mysql   MySQL 5.5.40
8080/tcp open  http    Jenkins httpd 2.107
```
An experienced hacker immediately sees 4 problems:
Flag 1: old versions
MySQL 5.5 is from 2014. Apache 2.4.7 is from 2013. This is ancient; public vulnerabilities are guaranteed. Analogy: a house built in 1980 with its original wooden door.
Flag 2: database exposed to the outside
Port 3306 (MySQL) should not be open to the internet. The database should be visible only to its own server. If it's open, a hacker will simply try to log in as root without a password. Analogy: a warehouse open to passers-by from the street.
Flag 3: Jenkins on 8080
Jenkins is a tool developers use to build code. It holds secret keys, tokens, and access to production servers. It's often left open without a password, and RCE (remote code execution) vulnerabilities in it are common.
Flag 4: default passwords
Many services ship with the pair admin/admin, root/root, or root/123456. Owners forget to change them. Thousands of servers with such "passwords" are exposed on the internet right now.
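To make the two skills above concrete, here is an added Python example (not part of the original lesson) that does the "path from scan to lead" triage and the "red flags" check mechanically: it parses the four nmap lines from the lesson, maps a CVSS score to the lesson's four levels, and flags old versions, exposed databases and an exposed build server. It generalises flag 2 beyond MySQL to a few other database ports by nmap service name; the five-year "old" threshold and the `review_year` parameter are choices made for this example, and the release years come only from the lesson text (anything not listed is treated as unknown, not as old). Flag 4 (default passwords) cannot be judged from a banner, so the code only notes it.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the four service lines the lesson shows, as nmap -sV prints them.
NMAP_OUTPUT = """\
22/tcp   open  ssh     OpenSSH 7.4 (Ubuntu Linux)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
3306/tcp open  mysql   MySQL 5.5.40
8080/tcp open  http    Jenkins httpd 2.107
"""

# Release years stated in the lesson, keyed by (product, major.minor).
# Versions not listed here are "unknown", never "old": look them up in the vendor's release notes.
RELEASE_YEARS = {
    ("MySQL", "5.5"): 2014,
    ("Apache httpd", "2.4"): 2013,
}
OLD_AFTER_YEARS = 5  # threshold chosen for this example

# nmap service names for databases that should never be reachable from the internet (flag 2, generalised).
DATABASE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "mongodb", "redis"}
# Build servers that routinely hold credentials and deployment access (flag 3).
CI_PRODUCTS = ("Jenkins",)


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    name: str      # nmap service name, e.g. "http"
    product: str   # e.g. "Apache httpd"
    version: str   # e.g. "2.4.7"; empty when nmap printed no version


# "PORT/PROTO open SERVICE VERSION-BANNER"; header lines and closed ports do not match.
LINE_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<name>\S+)\s*(?P<banner>.*)$")
# Product name followed by a dotted version number, e.g. "Apache httpd 2.4.7".
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z][\w .-]*?)\s+(?P<version>\d+(?:\.\d+)+)")


def parse_nmap(text: str) -> list[Service]:
    """Turn nmap -sV service lines into Service records."""
    services = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        banner = m.group("banner").strip()
        vm = VERSION_RE.match(banner)
        product = vm.group("product").strip() if vm else banner
        version = vm.group("version") if vm else ""
        services.append(Service(int(m.group("port")), m.group("proto"), m.group("name"), product, version))
    return services


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the lesson's levels (CVSS v3 calls a score of 0.0 'None')."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def major_minor(version: str) -> str:
    return ".".join(version.split(".")[:2])


def red_flags(services: list[Service], review_year: int) -> list[tuple[int, str]]:
    """Return (port, reason) pairs for flags 1 to 3; flag 4 needs an authorised credential check, not a banner."""
    flags = []
    for s in services:
        year = RELEASE_YEARS.get((s.product, major_minor(s.version)))
        if year is not None and review_year - year >= OLD_AFTER_YEARS:
            flags.append((s.port, f"old version: {s.product} {s.version} dates from {year}"))
        if s.name in DATABASE_SERVICES:
            flags.append((s.port, f"database exposed: {s.name} should only be reachable by its own server"))
        if s.product.startswith(CI_PRODUCTS):
            flags.append((s.port, f"build server exposed: {s.product} usually holds secrets and deploy access"))
    return flags


if __name__ == "__main__":
    for port, reason in red_flags(parse_nmap(NMAP_OUTPUT), review_year=2024):
        print(f"{port:>5}  {reason}")
```

Run against the sample, the script reports ports 80 and 3306 as old versions, 3306 as an exposed database and 8080 as an exposed build server; port 22 gets nothing because the lesson gives no release year for OpenSSH 7.4, which is exactly the gap you fill by looking the version up in the CVE catalog.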
Where to go with the version

| Website | What's there | How to explain to mom |
|---|---|---|
| nvd.nist.gov | Official CVE catalog | "Police file on every vulnerability" |
| exploit-db.com | Database of ready-made "exploitation tools" | "Lock-picking tool shop with instructions" |