- Vulnerability research helps identify vulnerabilities which could compromise the system
- Scanning types
- Active scanning: interacting directly with the target network to discover vulnerabilities
- Passive scanning: discovering vulnerabilities without a direct interaction with the target network
- Misconfiguration
- Default installations
- Buffer overflows
- Unpatched servers
- Design flaws
- Operating system flaws
- Application flaws
- Open services
- Default passwords
- Active assessment: through network scanners
- Passive assessment: by sniffing the traffic
- External assessment: vulnerabilities & threats that are accessible outside of the organization
- Internal assessment: vulnerabilities & threats that are present internally
- Host-Based assessment: vulnerabilities & threats on a specific server by examining the configuration
- Network assessment: identifies potential attacks on the network
- Application assessment: examines the configuration of the web infrastructure
- Wireless network assessment: vulnerabilities & threats in the organization's wireless network
- Evaluation and control of the risks and vulnerabilities in the system
- Phases:
- Pre-assessment phase
- Creating baseline: Identifying critical assets and prioritizing them
- Assessment phase
- Vulnerability assessment: identifying known vulnerabilities
- Post-assessment phase
- Risk assessment: assessing the vulnerability and risk levels for the identified assets
- Remediation: mitigating and reducing the severity of the identified vulnerabilities
- Verification: ensuring that all phases have been successfully completed
- Monitoring: identifying new threats and vulnerabilities
- Product-based solutions: installed in the internal network
- Service-based solutions: offered by third parties
- Tree-based assessment: different strategies are selected for each machine
- Inference-based assessment
- Find the protocols to scan
- Scan the discovered protocols and their services
- Select the relevant vulnerabilities and begin executing the corresponding tests
- Identified vulnerabilities are stored in databases and given scores based on their severity and risk
- A free and open industry standard for assessing the severity of computer system security vulnerabilities
- Helps to assess and prioritize vulnerability management processes.
- Assigns severity scores to vulnerabilities
- The score is computed from metrics covering how easy a vulnerability is to exploit and the impact of exploiting it.
- Mitre.org
- List of common identifiers for publicly known cybersecurity vulnerabilities
- E.g. CVE-2020-0023: disclosure of user contacts over Bluetooth due to a missing permission check on Android.
- U.S. government repository of standards based vulnerability management data
- nvd.nist.gov
- Includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics
- Built on the CVE list: each NVD entry is keyed by its CVE ID
- Written after an assessment is performed
- Classified into security vulnerability report and security vulnerability summary.
- Details of what has been done and what has been discovered during the assessment
- Created to help organizations resolve security issues if they exist
- Typically contain information about the scan, target, and results.
- Also known as vulnerability scanners
- Vulnerability scanners work in three steps
- locate the live hosts in the network
- enumerate open ports and services
- test the found services for known vulnerabilities by analyzing responses.
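The third step above, matching service responses against a database of known-vulnerable versions, is what turns a port scan into a vulnerability scan. Below is an added example (not code from the original notes or from any scanner mentioned on this page) that runs that check over a constructed set of step-1/step-2 results: live hosts, open ports and the banners the services returned. The two CVE references in the rule set are real published identifiers; the OpenSSH "baseline" rule stands in for an organisation's own outdated-software policy and its 8.0 threshold is an assumption made for the example, as are the host addresses, banners and the names `Rule`, `parse_version` and `analyze`.

```python
import re
from typing import Callable, NamedTuple

# Constructed sample of what a scanner holds after step 1 (live hosts) and
# step 2 (open ports + service banners). Not real scan output.
SCAN_RESULTS = {
    "10.0.0.5": {
        22: "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
        80: "Apache/2.4.49 (Unix)",
    },
    "10.0.0.7": {
        21: "220 (vsFTPd 2.3.4)",
        22: "SSH-2.0-OpenSSH_9.3",
    },
}


class Rule(NamedTuple):
    name: str
    banner_re: re.Pattern          # group 1 must capture the version string
    is_vulnerable: Callable[[tuple], bool]
    reference: str


def parse_version(text: str) -> tuple:
    """Turn '2.4.49', '7.2p2' or '9.3' into a comparable (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


# Tiny constructed rule set standing in for a scanner's vulnerability database.
RULES = [
    Rule("Apache httpd 2.4.49 path traversal",
         re.compile(r"Apache/(\S+)"),
         lambda v: v == (2, 4, 49),
         "CVE-2021-41773"),
    Rule("vsftpd 2.3.4 backdoored release",
         re.compile(r"vsFTPd (\S+)", re.IGNORECASE),
         lambda v: v == (2, 3, 4),
         "CVE-2011-2523"),
    Rule("OpenSSH older than assumed local baseline 8.0",
         re.compile(r"OpenSSH_(\S+)"),
         lambda v: v < (8, 0, 0),
         "local policy (assumed threshold)"),
]


def analyze(scan_results: dict) -> list:
    """Step 3: test every banner against every rule; return findings as
    (host, port, rule name, reference) tuples."""
    findings = []
    for host, ports in scan_results.items():          # step 1: live hosts
        for port, banner in ports.items():            # step 2: open services
            for rule in RULES:                        # step 3: known-vuln checks
                m = rule.banner_re.search(banner)
                if m is None:
                    continue                          # rule is for another service
                if rule.is_vulnerable(parse_version(m.group(1))):
                    findings.append((host, port, rule.name, rule.reference))
    return findings


if __name__ == "__main__":
    for host, port, name, ref in analyze(SCAN_RESULTS):
        print(f"{host}:{port}\t{name}\t[{ref}]")
```

Banner-based checks are the cheapest form of step 3, and also the least reliable: distributions backport fixes without bumping the version string (so a flagged "OpenSSH_7.2p2" may already be patched), and banners can be edited or removed, which is why real scanners add version-independent probes and why findings from this kind of check need verification before they reach a report.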
- Tool types
- Host-based vulnerability assessment tools
- Depth assessment tools
- Application-layer vulnerability assessment tools
- Scope assessment tools
- Active/Passive tools
- Location/Data examined tools
- OpenVAS
- Open-source software framework of several services and tools offering vulnerability scanning and vulnerability management.
- Nmap Scripting Engine (NSE): scripts written in Lua
- You can scan multiple servers for multiple ports for multiple vulnerabilities.
- `-A`: enables OS detection, version detection, script scanning and traceroute.
- Read more about Nmap in Nmap | Scanning Tools
- See Detecting Shellshock using Nmap | Common vulnerabilities
- 📝 Proprietary port and vulnerability scanner
- Scans include • misconfigurations • default passwords (has Hydra built-in) • DoS vulnerabilities
- Can be used to perform compliance auditing, like internal and external PCI DSS audit scans.
- 📝 Proxy tool to scan web vulnerabilities
- Allows manual testers to intercept all requests and responses between the browser and the target application
- Lets the tester view, edit or drop individual messages to manipulate the server-side or client-side components of the application.
- Nikto is an open-source web server vulnerability scanner.
- Mainly checks for outdated server software, dangerous files/CGIs, etc.
- E.g. `nikto -host cloudarchitecture.io`
- 🤗 Many modern scanners, including Nessus and OpenVAS, use Nikto to gather information for their analysis.
- Identifies missing security updates and common security misconfigurations
- Assesses Windows and its software, e.g. • Internet Explorer • IIS web server • Microsoft SQL Server • Office macro settings
- It's deprecated