2.2 Passive and Active Reconnaissance, Vulnerabilities

Uploaded by womonoc807
Solution File

2. A
Part 1: Passive and Active Reconnaissance

1. Perform passive reconnaissance on fullstackacademy.com. This may include using https://whois.domaintools.com to get more information about the fullstackacademy.com domain. It can also include going to the official LinkedIn page of Fullstack Academy and viewing the profiles of Fullstack Academy employees.

STEP 1: Open your browser and go to https://whois.domaintools.com.

STEP 2: Enter the domain fullstackacademy.com, then select SEARCH. If prompted for validation, complete it, then select Go.

STEP 3: The results will now display on the screen.

STEP 4: Now, using LinkedIn, search the profiles of the Fullstack Academy employees.

STEP 5: Then click on "About".

STEP 6: Then click on "407 associated members" to see the members.
2. Use a search engine to find information on how Fullstack Academy email addresses are formatted.

STEP 1: Search in your preferred web browser for "How Fullstack Academy email addresses are formatted."

STEP 2: Click on the first link.

3. Navigate to the Fullstack Academy career page to view some job descriptions. What technologies are being used at Fullstack Academy?

STEP 1: Navigate to the page https://www.fullstackacademy.com/careers.

STEP 2: Now click on "VIEW OPEN ROLES". This leads to a list of open positions where you can view some job descriptions.

STEP 3: Open the web browser and go to https://builtwith.com/ to find out which technologies are running on fullstackacademy.com.

STEP 4: Enter the website name "fullstackacademy.com" and click on "Lookup".
4. Research vulnerabilities associated with the technologies being used at Fullstack Academy.

STEP 1: Take the technologies found through builtwith.com and search in the web browser for "technology name exploit".
Example: Search for "Hubspot exploit".
Part 2: Vulnerabilities

1. Start the Nessus scanner on your Kali system.

a. Open up the terminal.

b. Become the root user.

c. Type in "systemctl start nessusd.service".

d. Open the Firefox web browser and clear its cache.

e. Navigate to https://localhost:8834 and wait for the plugins to load. This may take a little while.

f. Log in to Nessus with the username "fstack" and the password "academy".

2. Log into the Windows system, open up a command prompt, and type in ipconfig to get the IP address of the Windows system, which should start with 172.

a. Open the Windows Command Prompt and use the command "ipconfig".

3. A physical penetration test of Fullstack Academy that was performed before yielded an admin credential with the username "Administrator" and the password "fstackacademy". Set up a credentialed scan for the Windows system and run the scan with these credentials.

a. In Nessus, click on "Create a new scan".

b. Then click on "Advanced Scan".

c. Then enter the IP address of the Windows machine.

d. Then click on "Credentials". Then click on "Windows".

e. Now enter the username and password.

f. Then click on Save.

g. Now click on the play icon to "Launch".

h. You will see that the scan has started.

i. After completion of the scan you will see the result appear.

j. Click on the "Windows_Scan" name. You will then see the vulnerabilities appear.
4. Reflect on the vulnerabilities found on the Windows system. Prioritize them by which ones should be addressed first. If there are multiple critical and high vulnerabilities, how would you address them?

After running a Nessus scan on a Windows system, you may encounter various vulnerabilities ranked from Critical and High to Medium and Low. In prioritizing remediation:

Critical Vulnerabilities: Address these first, as they represent immediate threats that could lead to severe data loss, unauthorized access, or system compromise. Examples include vulnerabilities that allow remote code execution, unauthenticated access, or privilege escalation. Within this group, order the work by the Common Vulnerability Scoring System (CVSS) score and the exploitability of each vulnerability.

High Vulnerabilities: Next, focus on High vulnerabilities, especially those affecting core functions, authentication, or encryption, as they often enable lateral movement or data exposure if exploited. Any High vulnerabilities with known exploits available in the wild should be prioritized over less severe vulnerabilities.

Multiple Critical and High Vulnerabilities: For systems with numerous Critical and High vulnerabilities, prioritize those:

a. With the highest CVSS scores.
b. That are actively exploited or have public exploits.
c. Impacting network-facing applications or services, especially those used for remote access (like RDP) and widely used protocols (like SMB).
d. Related to recently disclosed vulnerabilities, which are often targeted by threat actors.

Triage and Plan: It is essential to apply patches systematically. Start with vulnerabilities that could expose sensitive data, grant unauthorized access, or allow malware injection.
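The ranking rules above (CVSS first, then public exploit, then exposure on remote-access or SMB ports, then recency) can be applied mechanically to a Nessus CSV export. The following PowerShell is an added example, not part of the lab solution; the rows in $sample are constructed to look like a trimmed Nessus export (the real export has more columns, and "Exploit Available" is an optional report column), and $scanDate stands in for the day the scan was run.

```powershell
# Added example: rank constructed Nessus-style findings by the answer's criteria.
# Assumption: $sample imitates a cut-down Nessus CSV export; none of these rows are real scan output.
$sample = @'
"Plugin ID","CVSS v3.0 Base Score","Risk","Host","Protocol","Port","Name","Exploit Available","Plugin Publication Date"
"100001","9.8","Critical","172.16.0.10","tcp","445","SMB service remote code execution (constructed)","true","2024/05/01"
"100002","9.1","Critical","172.16.0.10","tcp","8080","Internal web app unauthenticated access (constructed)","false","2020/01/15"
"100003","7.5","High","172.16.0.10","tcp","3389","RDP information disclosure (constructed)","true","2024/03/10"
"100004","7.8","High","172.16.0.10","tcp","0","Local privilege escalation (constructed)","false","2019/06/20"
"100005","5.3","Medium","172.16.0.10","tcp","445","SMB signing not required (constructed)","false","2012/01/05"
'@

$scanDate          = [datetime]'2024-06-01'   # constructed reference date for the recency rule
$recentCutoff      = $scanDate.AddDays(-180)
$remoteAccessPorts = @('445', '3389', '135', '139', '5985', '5986')   # SMB, RDP, RPC, WinRM

$ranked = $sample | ConvertFrom-Csv | ForEach-Object {
    $cvss      = [double]$_.'CVSS v3.0 Base Score'
    $exploit   = $_.'Exploit Available' -eq 'true'
    $exposed   = $remoteAccessPorts -contains $_.Port
    $published = [datetime]::ParseExact($_.'Plugin Publication Date', 'yyyy/MM/dd', $null)
    $recent    = $published -gt $recentCutoff

    # CVSS is the base; each of the answer's tie-breakers adds a weighted bump so that an
    # exploited, network-facing High can outrank a local-only Critical with no public exploit.
    $priority = $cvss
    if ($exploit) { $priority += 2.0 }
    if ($exposed) { $priority += 1.0 }
    if ($recent)  { $priority += 0.5 }

    [pscustomobject]@{
        Priority = $priority
        Risk     = $_.Risk
        CVSS     = $cvss
        Exploit  = $exploit
        Exposed  = $exposed
        Recent   = $recent
        Port     = $_.Port
        Name     = $_.Name
    }
} | Sort-Object Priority -Descending

$ranked | Format-Table -AutoSize
```

The weights are a starting point, not a standard; adjust them to the environment, but keep the order of the criteria the answer gives.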

5. Come up with a plan for how to address these vulnerabilities.

Immediate Actions:

a. Patch Management: Review and apply patches for all Critical and High vulnerabilities, beginning with those that are remotely exploitable or publicly exposed.
b. Disable or Restrict Vulnerable Services: For vulnerabilities in non-essential services (e.g., SMBv1), disable these services to prevent exploitation.
c. Implement Network Segmentation: Limit the exposure of vulnerable services by isolating sensitive systems or network segments.

System Hardening:

a. Restrict User Privileges: Ensure users only have the necessary permissions. Limiting admin rights reduces the risk of privilege escalation.
b. Strengthen Authentication: Enable multi-factor authentication (MFA) for remote access and privileged accounts, and enforce complex password policies.
c. Enable Firewall Rules: Configure Windows Defender Firewall to block unwanted network traffic and limit the scope of attack.

Long-term Security Enhancements:

a. Regular Patch Cycles: Schedule regular patch updates, ensuring systems are up to date. Use Windows Update or a centralized patch management tool for consistency.
b. Periodic Vulnerability Scans: Conduct regular Nessus scans to monitor for new vulnerabilities and verify that applied patches remain effective.
c. Education and Training: Ensure IT staff are aware of secure configuration practices and respond promptly to new security alerts.

Monitoring and Incident Response:

a. Implement Continuous Monitoring: Use a SIEM tool to monitor for unusual activities or signs of exploitation, especially for unpatched vulnerabilities.
b. Incident Response Plan: Have a plan in place to respond to any detected exploitation attempts, including isolating affected systems and restoring backups if necessary.

By following this plan, you can address current vulnerabilities systematically while establishing processes to minimize future risks on Windows systems.
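The "Disable or Restrict Vulnerable Services", "Restrict User Privileges" and "Enable Firewall Rules" items above map directly onto built-in Windows cmdlets. The following is an added example, not part of the lab solution; it assumes an elevated PowerShell session on the scanned Windows host and uses 172.16.0.0/16 as a stand-in for the lab's management network, which is an assumption.

```powershell
# Added example: apply the plan's SMBv1, firewall and privilege items on the Windows host.
# Assumption: run as Administrator; $mgmtNetwork is a placeholder for the real management range.
$mgmtNetwork = '172.16.0.0/16'

# Immediate action b: disable SMBv1 on the server side and remove the optional feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# Hardening c: enable Windows Defender Firewall on every profile and default-deny inbound traffic.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Replace the built-in "Remote Desktop" rules (which allow RDP from any address)
# with a single rule scoped to the management network.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from management network only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtNetwork -Action Allow -Profile Any | Out-Null

# Hardening a: list local Administrators so unexpected members can be reviewed and removed.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# Verification before closing the Nessus findings: SMBv1 off, feature disabled, RDP rule scoped.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
Get-NetFirewallRule -DisplayName 'RDP from management network only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Re-run the credentialed Nessus scan afterwards, as the plan's "Periodic Vulnerability Scans" item says, to confirm the SMBv1 and RDP findings no longer appear.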
