Lec5 Vulnerability

The document discusses vulnerability scanning, highlighting the various types of vulnerabilities that can exist in networks, systems, and processes. It emphasizes the importance of both automated and manual scanning tools, detailing their capabilities, outputs, and the significance of accurate reporting. Additionally, it covers the Common Vulnerability Scoring System (CVSS) and the role of the National Vulnerability Database (NVD) in identifying and managing vulnerabilities.

5.1 VULNERABILITY SCANNING
 Vulnerability Scans
 Vulnerability Scanning Tools
 Scanner Output and Reports

Vulnerability
 A weakness that might be exploitable
 Can occur anywhere in the network:
   People
   Processes
   Technology
 You can have vulnerabilities that you are not aware of
 You can have known vulnerabilities that no one has yet created an exploit for
Vulnerability Types
 Misconfigurations
   Not applying secure settings or configuring per best practices
   No firewall, no anti-virus, etc.
   Leaving defaults in place (configurations, passwords, services)
 Buffer overflows
   Memory-safety weaknesses in code; systems stay exposed when known code weaknesses are not patched
 Unpatched systems
   Not applying security updates from the vendor
 Design flaws
   Software that had a hurried development process with insufficient built-in security
 OS flaws
   Vulnerabilities discovered in the operating system
 Application flaws
   Vulnerabilities discovered in an application, or in services that ship with an OS
 Open services
   Services that freely permit client connections with no authentication or security controls
 User-based vulnerabilities
   User susceptibility to social engineering, lack of training or awareness
 Process-based vulnerabilities
   Security gaps in a business process that might allow exploitation by an attacker
Vulnerability Scans
 You can scan for vulnerabilities and/or compliance
 Should include both physical and virtual systems (VMs, containers)
 Tools are typically automated and include host discovery and port scanning as part of the scan
   Host discovery: see what hosts are live
   Port scan and service enumeration: see what open ports, services, and versions exist on the hosts
 Passive scanning
   Observation
   Passive sniffing of traffic; nothing is sent to the target
 Active scanning
   Send probes and specially crafted requests to targets
   Some tools only "rattle the door knob" to see if the vulnerability exists
     See if the OS or service responds in a way that suggests it is susceptible to a specific attack
     Need not include actually launching the attack and compromising the device
     They do not attempt to actually exploit the vulnerability
   Some tools also attempt to exploit the vulnerability and provide proof
     Such as a stolen file, obtaining a shell (command prompt), etc.
     That is usually done in a penetration test
 Credentialed scans
   You provide the scanner with authentication credentials for the various systems it will scan
   The scanner logs into the systems to retrieve their configuration information and log data
   Uncredentialed scans are generally unable to detect many vulnerabilities on a device
     They infer configuration from externally visible responses (banners, version strings), which can be altered or incorrect
 Most tools refer to discovered vulnerabilities by CVE number
   They provide links to additional information and recommendations
 Most tools have reporting capabilities
   Some tools use standardized output that you can import into another tool for additional validation

Vulnerability Scanning Tools
 Host-based
   OS
   Services
   Apps
   Versions
   Patch levels
   Defaults and misconfigurations
 Network-based
   Protocols
   Ports
   ACLs / firewall rules / IDS/IPS
 Fuzzers
   Look for previously unknown vulnerabilities
 Cloud-based
   Comprehensive solutions
   Emulated attacks
   Can be automated
   Good for DevSecOps
   Often use AI for advanced analysis
 Common capabilities
   Follows an inference-based approach
   Assess vulnerabilities depending on the inventory of protocols in the environment
   Signature database regularly updated
   Supports different network/host types
   Inventories protocols
   Depth assessment
   Suggests proper remedies and workarounds
   Detects open ports
   Identifies services behind the ports
   Imitates outside attackers
   Checks for vulnerabilities
   Validates vulnerabilities
   Creates actionable, customizable reports
   Includes trends and categorizes by severity
Vulnerability Scanning Tools (examples)
 OpenVAS
 Tripwire IP360
 Nessus
 Nexpose
 Comodo HackerProof
 Vulnerability Manager Plus (ManageEngine)
 Nikto
 Retina
 ImmuniWeb
 SolarWinds
 Intruder
 Core Impact
 SecPod SanerNow
 Paessler
 CrowdStrike Falcon
 Kiuwan Code Security
 Acunetix
 Invicti
 Hakware Archangel
 Runecast Analyzer
 Astra Pentest
 Qualys
 Aqua

Limitations of Vulnerability Scanning
 Just a start
   Only one part of a larger penetration test
 Tools only look for known signatures
 Automated tools can produce a lot of false positives
 Automated tools focus on technology
   You will need a skilled pentester to also evaluate vulnerabilities in people and processes
 Requires a pen test to determine if the system can truly be compromised
 Can destabilize fragile systems / interfere with normal operations
 Likely to be incomplete if uncredentialed

Python
 A popular scripting language
 Can be installed on any platform, including Linux, Windows, macOS, iOS and Android
 You can write a script to:
   Perform customized vulnerability scanning
   Automate tasks
   Parse results
 Used in some commercial scanning tools
 GitHub has many Python hacking tools that you can download
 Python is only one example of a programming language that you can use to create your own hacking tools.
Python example: a simple TCP connect scanner (the slide's code, corrected so that it runs)

from socket import *
import time

startTime = time.time()

if __name__ == '__main__':
    target = input('Enter the host to be scanned: ')
    t_IP = gethostbyname(target)          # resolve the name once, scan the address
    print('Starting scan on host: ', t_IP)

    for i in range(50, 500):
        s = socket(AF_INET, SOCK_STREAM)
        s.settimeout(0.5)                  # do not hang on filtered (dropped) ports
        conn = s.connect_ex((t_IP, i))     # 0 means the TCP handshake completed
        if conn == 0:
            print('Port %d: OPEN' % (i,))
        s.close()

    print('Time taken:', time.time() - startTime)

SCAP (Security Content Automation Protocol)
 A multi-purpose framework of specifications supporting:
   Automated configuration
   Vulnerability and patch checking
   Technical control compliance
   Security measurement
 Used by the NVD
 SCAP is an industry standard
 SCAP scanners are typically used to test a system for compliance
Scenario: baseline images
 You are creating baseline system images
 The images will be used to remediate vulnerabilities found in different operating systems
 Before any of the images can be deployed, they must be scanned for malware and vulnerabilities
 You must ensure the configurations meet industry-standard benchmarks and that the baseline creation process can be repeated frequently
 Use an operating system SCAP plugin to check the OS against known good baselines

Scanner Output and Reports
 Usually includes:
   Dashboard with summaries
   Details for each device
   Output for both physical and virtual hosts
   Device names, types, IP addresses, MAC addresses
   Device OS version
   Open TCP and UDP ports
   Installed applications and services
   Discovered vulnerabilities, insecure default settings and misconfigurations
   Accounts with weak or default passwords
   Files and folders with weak permissions
   Technology- or device-specific issues
   Missing patches and hotfixes
   End-of-Life / End-of-Service software information
 Higher-end scanning tools will separate the report into:
   Executive summary
   Technical details
 May include CVE and CVSS references
 Should include recommendations to correct/mitigate discovered issues
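
The slide lists what a report contains and says higher-end tools split it into an executive summary and technical details. The script below is an added example, not code from the slides or from any scanner vendor: it takes a flat "one finding per row" CSV export (the kind most scanners can produce and that you would import into another tool), drops duplicate rows, buckets each finding by CVSS v3.x severity band, and builds the two report views. The CSV content, host names and titles are constructed for illustration; a real export would also carry CVE identifiers that you would join to NVD data.

```python
"""Added example: from a scanner's standardized export to an executive
summary and a per-host technical section.  The export below is constructed."""
import csv
import io
from collections import Counter, defaultdict

# Constructed export: one finding per row, as many scanners can emit.
# The duplicated web01/443 row mimics a plugin firing on two probes.
SAMPLE_EXPORT = """\
host,ip,port,protocol,cvss,title
web01,10.0.0.5,443,tcp,9.8,Remote code execution in web framework
web01,10.0.0.5,22,tcp,5.3,SSH weak MAC algorithms enabled
web01,10.0.0.5,443,tcp,9.8,Remote code execution in web framework
db01,10.0.0.9,5432,tcp,7.5,Database accepts connections without authentication
db01,10.0.0.9,5432,tcp,6.5,Information disclosure in database error messages
fs01,10.0.0.12,445,tcp,0.0,SMB service version detected
"""

def severity(score):
    """CVSS v3.x qualitative bands: None 0, Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def parse_export(text):
    """Parse the CSV, coerce types, tag each row with its severity band and
    drop exact duplicates (same host, port, protocol and title)."""
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"], row["port"], row["protocol"], row["title"])
        if key in seen:
            continue
        seen.add(key)
        row["port"] = int(row["port"])
        row["cvss"] = float(row["cvss"])
        row["severity"] = severity(row["cvss"])
        findings.append(row)
    return findings

def executive_summary(findings):
    """Counts by severity plus the hosts carrying anything High or Critical:
    the numbers management reads first."""
    by_sev = Counter(f["severity"] for f in findings)
    urgent = sorted({f["host"] for f in findings if f["severity"] in ("High", "Critical")})
    return {"findings": len(findings), "by_severity": dict(by_sev), "urgent_hosts": urgent}

def technical_details(findings):
    """Per-host findings, most severe first: what the remediation owner works from."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    for host in by_host:
        by_host[host].sort(key=lambda f: f["cvss"], reverse=True)
    return dict(by_host)

if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    print(executive_summary(findings))
    for host, items in technical_details(findings).items():
        print(host)
        for f in items:
            print(f"  {f['severity']:<8} {f['cvss']:>4} {f['protocol']}/{f['port']}  {f['title']}")
```

The de-duplication step matters more than it looks: scanners that report the same weakness once per probe inflate the executive counts, and the people reading that summary rarely see the raw rows.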
Scan Results
 True Positive
   The scanner detects a vulnerability
   The vulnerability actually exists on the scanned system
   The scan did its job!
 True Negative
   The scanner does not detect a vulnerability
   The vulnerability really does not exist on the scanned system
   This is our preferred result!
 False Positive
   The scanner detects a vulnerability
   But the vulnerability does not actually exist on the scanned system
   Too many of these can be annoying!
 False Negative
   The scanner does not detect a vulnerability
   But the vulnerability actually exists on the scanned system
   This is the worst result!

Typical Report Sections
 Executive Summary
   Major findings
   Scan information (tools used, scope)
   Target information
   Summary
 Vulnerability Classification
   Typically includes CVE references
 Threat Assessment
 Recommendations
 Results
   Target details
     Node
     OS
     Services / ports
     Date
   Modules used
   Outcomes
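
Two earlier points meet here: uncredentialed scans infer a system's state from externally visible data that can be altered or wrong, and every scanner verdict lands in one of the four result classes above. The script below is an added example, not from the slides or from any scanner: it runs an uncredentialed banner check and a credentialed installed-package check over a small constructed fleet and classifies each verdict against known ground truth. Everything in it is constructed: the hosts, the banners, the package version strings, the "fixed upstream in 7.5" rule and the "distribution backported the fix in package revision 3" rule stand in for a real advisory and do not describe one.

```python
"""Added example: uncredentialed (banner) vs credentialed (package) checks,
each verdict classified as TP/TN/FP/FN.  All data and rules are constructed."""
import re
from collections import Counter

FIXED_UPSTREAM = (7, 5)        # hypothetical: flaw fixed in upstream 7.5
BACKPORT_FIXED_REVISION = 3    # hypothetical: distro backported the fix in +deb9u3

def banner_check(banner):
    """Uncredentialed view.  The scanner sees only the service banner and
    flags 'vulnerable' when the advertised upstream version predates the fix.
    The banner can be stale (distro backports) or edited by the admin."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        return False                       # unknown software: no signature match
    advertised = (int(m.group(1)), int(m.group(2)))
    return advertised < FIXED_UPSTREAM

def credentialed_check(pkg_version):
    """Credentialed view.  The scanner logged in and read the installed
    package version (Debian style, e.g. '1:7.4p1-10+deb9u7'), so it can apply
    the distribution's backport rule instead of trusting the upstream number."""
    m = re.match(r"(?:\d+:)?(\d+)\.(\d+)p\d+-\d+(?:\+deb\d+u(\d+))?$", pkg_version)
    if not m:
        raise ValueError(f"unrecognised package version: {pkg_version}")
    upstream = (int(m.group(1)), int(m.group(2)))
    if upstream >= FIXED_UPSTREAM:
        return False
    revision = int(m.group(3)) if m.group(3) else 0
    return revision < BACKPORT_FIXED_REVISION

def classify(flagged, actually_vulnerable):
    """Map a scanner verdict against ground truth to TP/TN/FP/FN."""
    if flagged and actually_vulnerable:
        return "TP"
    if flagged and not actually_vulnerable:
        return "FP"
    if not flagged and actually_vulnerable:
        return "FN"
    return "TN"

# Constructed fleet: (host, banner seen on the wire, installed package, ground truth)
HOSTS = [
    ("web01",  "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7", "1:7.4p1-10+deb9u7", False),  # backported fix
    ("db01",   "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1", "1:7.4p1-10+deb9u1", True),   # really unpatched
    ("jump01", "SSH-2.0-OpenSSH_8.4p1 Debian-5",         "1:8.4p1-5",         False),  # newer upstream
    ("legacy", "SSH-2.0-OpenSSH_7.9",                    "1:7.4p1-10+deb9u1", True),   # admin edited the banner
]

def compare_scans(hosts=HOSTS):
    """Return {'uncredentialed': Counter, 'credentialed': Counter} of result classes."""
    results = {"uncredentialed": Counter(), "credentialed": Counter()}
    for host, banner, pkg, truth in hosts:
        results["uncredentialed"][classify(banner_check(banner), truth)] += 1
        results["credentialed"][classify(credentialed_check(pkg), truth)] += 1
    return results

if __name__ == "__main__":
    for mode, counts in compare_scans().items():
        print(f"{mode:<15} {dict(counts)}")
```

The banner check produces one false positive (web01 carries a backported fix the upstream version number does not show) and one false negative (legacy advertises a version it does not run), exactly the two failure modes the slides warn about; the credentialed check, reading the real installed version, gets all four right.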

5.2 VULNERABILITY ASSESSMENT
 Overview
 CVSS
 CVE
 Vulnerability Research

Overview
 A comprehensive assessment of a system's ability to withstand attack
 Includes the use of automated vulnerability scanning tools
 Part of the overall security audit
 Should also assess non-technical vulnerabilities (people, processes)
 Should produce an actionable report

CVSS (Common Vulnerability Scoring System)
 Open framework for communicating characteristics and impacts of IT vulnerabilities
 Uses three groups of metrics for measuring vulnerabilities (CVSS v3.x; CVSS v4.0 renames Temporal to Threat and adds Supplemental metrics):
   Base metrics - inherent qualities of a vulnerability that do not change over time or across environments
   Temporal metrics - features that change during the vulnerability's lifetime (exploit maturity, remediation availability)
   Environmental metrics - adjustments for a particular environment or implementation
 Scores run from 0.0 (none) to 10.0 (most severe); the Base score is the one usually quoted
 Base scores are recorded in the National Vulnerability Database

Attack Vector (AV)
 The Attack Vector metric is scored in one of four levels:
 Network (N)
   Vulnerabilities with this rating are remotely exploitable, from one or more hops away, up to and including remote exploitation over the Internet
 Adjacent (A)
   A vulnerability with this rating requires network adjacency for exploitation
   The attack must be launched from the same physical or logical network (e.g. the same broadcast domain or Bluetooth range)
   The attacker must have access to the local network that the system is connected to
 Local (L)
   Vulnerabilities with this rating are not exploitable over a network
   The attacker must access the system locally (keyboard/console) or through a remote login session (SSH, RDP)
   Or the attacker relies on social engineering or other techniques to trick an unsuspecting user into helping initiate the exploit (e.g. opening a malicious file)
 Physical (P)
   In this type of attack, the adversary must physically interact with the target system

Attack Complexity (AC)
 The Attack Complexity metric indicates conditions beyond the attacker's control that must exist in order to exploit the vulnerability
 Most commonly this refers to specific configurations of the target system, or to information the attacker must first gather or a race the attacker must win; user involvement is scored separately under User Interaction in CVSS v3.x
 Scored as either Low or High:
 Low (L)
   There are no specific pre-conditions required for exploitation
 High (H)
   There are conditions beyond the attacker's control for a successful attack
   The attacker must complete some number of preparatory steps in order to get access
   This might include gathering reconnaissance data, overcoming mitigations, or becoming a man-in-the-middle

Privileges Required (PR)
 This metric is exactly as it sounds, describing the level of privileges, or access, an attacker must have before a successful exploit
 Privileges Required falls under three ratings:
 None (N)
   There is no privilege or special access required to conduct the attack
 Low (L)
   The attacker requires basic, "user" level privileges to leverage the exploit
 High (H)
   Administrative or similar access privileges are required for a successful attack

For additional information on CVSS metrics see
[Link]

CVE (Common Vulnerabilities and Exposures)
 ID system to precisely identify a vulnerability (CVE-YYYY-NNNN, with four or more digits in the sequence number)
 [Link]
 Used by both malicious and ethical hackers

NVD (National Vulnerability Database)
 US government repository of standards-based vulnerability management data
 [Link]
 Uses Security Content Automation Protocol (SCAP)
   Suite of specifications for automatically exchanging security content between systems
   Enables automation of vulnerability management
 Enriches each CVE record with:
   CVSS scores
   Common Weakness Enumeration (CWE) - the type of weakness
   Common Platform Enumeration (CPE) - the affected products
 Does not perform the actual tests; it catalogs and scores vulnerabilities reported by others


Vulnerability Research
 Gather information about security trends, threats and attacks
 Discover system design faults and find weaknesses before an attack
 Learn how to recover from a network attack
 Classify vulnerabilities by:
   Priority
   Severity
   Scope
 Stay updated about new products, technologies, and exploits
 Check underground hacking web sites (Deep and Dark Web sites) for newly discovered vulnerabilities and exploits
 Check for news releases on security innovations and product improvements

Vulnerability Research Resources
 SANS ([Link])
 CISA ([Link])
 CVE Details ([Link])
 Security Focus ([Link])
 OWASP ([Link])
 Help Net Security ([Link])
 Microsoft Vulnerability Research (MSVR) ([Link])
 HackerStorm ([Link])
 Dark Reading ([Link])
 Computerworld ([Link])
 SecurityTracker ([Link])
 Trend Micro ([Link])
 Security Magazine ([Link])
 PenTest Magazine ([Link])
 SC Magazine ([Link])
 Exploit Database ([Link])
 Rapid7 ([Link])
 WindowsSecurity ([Link])
 D'Crypt ([Link])
 Sophos ([Link])
INTRO TO ETHICAL HACKING

5.3 VULNERABILITY ANALYSIS REVIEW
 You can perform vulnerability scans to identify weaknesses or lack of compliance
 Scanning can be passive or active
 Vulnerability scanning tools can focus on hosts, network devices, cloud services, or applications
 Credentialed scans typically provide more information than uncredentialed scans
 SCAP scans are used to test a system for compliance
 Scan results can return four different types of results:
   True positive - there really is a vulnerability
   True negative - there really is no vulnerability
   False positive - the scanner reports vulnerabilities that do not actually exist
   False negative - the scanner fails to report vulnerabilities that actually exist
 Vulnerability assessment should include both technical and non-technical targets (people, processes)
 A vulnerability assessment should produce an actionable report
 Common Vulnerability Scoring System (CVSS) ranks vulnerability severity on a scale of 0.0 to 10.0
 CVSS identifies four attack vectors: network, adjacent, local, physical
 The National Vulnerability Database is a central repository of vulnerability information
 Common Vulnerabilities and Exposures (CVE) is an identification system used to precisely identify a specific vulnerability
 CVEs are used by both malicious and ethical hackers
 Vulnerability research should be an ongoing process
 There are many sites and services dedicated to providing the latest vulnerability information