CEHv12-05 - Vulnerabilities

In

Vulnerability assessment concepts and resources

Vulnerability research helps identify vulnerabilities which could compromise the system.

  • Scanning types:

    • Active scanning: interacting directly with the target network to discover vulnerabilities.
    • Passive scanning: discovering vulnerabilities without a direct interaction with the target network.

  • Solution types:

    • Product-based solutions: installed in the internal network.
    • Service-based solutions: offered by third parties.
    • Tree-based assessment: different strategies are selected for each machine.
    • Inference-based assessment:
      1. Find the protocols to scan.
      2. Scan and find the found protocols and their services.
      3. Select the vulnerabilities and begins with executing relevant tests.

Vulnerability scoring systems

Vulnerabilities that are identified are stored into databases, scored according to their severity and risk:

  • CVSS - Common Vulnerability Scoring System: (how to rate them)

    • A free and open industry standard for assessing the severity of computer system security vulnerabilities.
    • Helps to assess and prioritize vulnerability management processes.
    • Assigns severity scores to vulnerabilities.
    • Score calculator depends on metrics that include ease and impact of exploit.

  • CVE - Common Vulnerabilities and Exposures: (identification for common vulnerabilities)

    • Mitre.org: eg. CVE-2020-0023.
    • List of common identifiers for publicly known cybersecurity vulnerabilities.

  • NVD - National Vulnerability Database: (database with CVEs)

    • U.S. government repository of standards based vulnerability management data.
    • nvd.nist.gov.
    • Includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Vulnerability management life-Cycle

Evaluation and control of the risks and vulnerabilities in the system.

  • Phases:
    • Pre-assessment phase: creating baseline: Identifying critical assets and prioritizing them.
    • Assessment phase: vulnerability assessment: identifying known vulnerabilities.
    • Post-assessment phase:
      • Risk assessment: assessing the vulnerability and risk levels for the identified assets.
      • Remediation: mitigating and reducing the severity of the identified vulnerabilities.
      • Verification: ensuring that all phases have been successfully completed.
      • Monitoring: identifying new threats and vulnerabilities.
1
2
3
4
5
# check connetions on ports
netstat -antup
# check open services
sudo nmap -T5 -n -Pn -p- 8.8.8.8
# some port may be overflowed, close them uf not needed

Vulnerability classification

  • Misconfiguration.
  • Default installations.
  • Buffer overflows.
  • Unpatched servers.
  • Design flaws.
  • Operating system flaws.
  • Application flaws.
  • Open services.
  • Default passwords.

Vulnerability assessment types

  • Active assessment: through network scanners.
  • Passive assessment: by sniffing the traffic.
  • External assessment: vulnerabilities & threats that are accessible outside of the organization.
  • Internal assessment: vulnerabilities & threats that are present internally.
  • Host-Based assessment: vulnerabilities & threats on a specific server by examining the configuration.
  • Network assessment: identifies potential attacks on the network.
  • Application assessment: examines the configuration of the web infrastructure.
  • Wireless network assessment: vulnerabilities & threats in the organization’s wireless network.

Vulnerability assessment models and tools

Also known as vulnerability scanners

  • Scanning solutions perform vulnerability penetration tests in three steps:

    1. locate the live hosts in the network.
    2. enumerate open ports and services.
    3. test the found services for known vulnerabilities by analyzing responses.

  • Tool types:

    • Host-based vulnerability assessment tools.
    • Depth assessment tools.
    • Application-layer vulnerability assessment tools.
    • Scope assessment tools.
    • Active/Passive tools.
    • Location/Data examined tools.

  • Tools

    • Openvas software framework of several services and tools offering vulnerability scanning and vulnerability management.
    • Nmap: you can scan multiple servers for multiple ports for multiple vulnerabilities: -A: enables OS detection, version detection, script scanning and traceroute.
    • Nessus: proprietary port and vulnerability scanner, which includes: misconfigurations, default passwords and DoS vulnerabilities. It can be used to perform compliance auditing, like internal and external PCI DSS audit scans.
    • Burp Suite: proxy tool to scan web vulnerabilities. It allows manual testers to intercept all requests and responses between the browser and the target application. It visualices, edit or drops individual messages to manipulate the server-side or client-side components of the application.
    • Nikto is an open source Nikto web server vulnerability scanner. Looks for outdated software, dangerous files/CGI etc.

Vulnerability assessment reports

  • Written after an assessment is performed.
  • Classified into security vulnerability report and security vulnerability summary.
  • Details of what has been done and what has been discovered during the assessment
  • Created to help organizations resolve security issues if they exist
  • Typically contain information about the scan, target, and results.