ECSA/LPT
Vulnerability Analysis
Penetration Testing Roadmap (cont'd)
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Penetration Testing Roadmap (cont'd)
Log Management Penetration Testing
File Integrity Checking Penetration Testing
Bluetooth and Handheld Device Penetration Testing
Telecommunication and Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Why Assess?
Before starting a penetration test, you must identify vulnerabilities in network systems using vulnerability scanners
Produce and analyze the vulnerability assessment report
Identify areas where penetration is possible
Locate hacking tools
Attempt to penetrate
Vulnerability Classification
• Misconfigurations
• Default installations
• Buffer overflows
• Unpatched servers
• Default passwords
• Open services
• Application flaws
• Operating system flaws
• Design flaws
What is Vulnerability Assessment?
Vulnerability assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault
A vulnerability assessment may be used to:
• Identify weaknesses that could be exploited
• Predict the effectiveness of additional security measures in protecting information resources from attack
Types of Vulnerability Assessment
An Active Assessment scans the network using any network scanner to find hosts, services, and vulnerabilities
A Passive Assessment is a technique that sniffs the network traffic to find out active systems, network services, applications, and vulnerabilities present
A Host-based Assessment is a sort of security check that carries out a configuration-level test through the command line
An Internal Assessment is a technique to scan the internal infrastructure to find out the exploits and vulnerabilities
Types of Vulnerability Assessment (cont'd)
An External Assessment assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world
An Application Assessment tests the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities
A Network Assessment determines the possible network security attacks that may occur on the organization's system
A Wireless Network Assessment determines and tracks all the wireless networks prevalent at the client's site
How to Conduct a Vulnerability Assessment
Use vulnerability assessment tools
Check for misconfigured web servers, mail servers, firewalls, etc.
Search the web for postings about the company's vulnerabilities:
• Example: A hacker would post something like "I could not believe the XSECURITY's website had serious SQL injection flaws! Oh my God!"
Search underground websites for more postings about the company's vulnerabilities
Hackers frequently exchange attack information with one another
How to Obtain a High Quality Vulnerability Assessment
Select the adviser carefully:
• Check if he/she has good experience with various applications and operating systems
• Check if he/she has a good understanding of the core protocols
• Check if he/she has an idea of the detection techniques
• Check if he/she has good communication skills and the ability to offer proper mitigation recommendations
Define the scope of the vulnerability assessment
Define the rules that will manage the assessment
Classify the vulnerabilities that need instant notification
Vulnerability Assessment Phases
Pre-Assessment Phase
Describes the scope of the assessment
Creates proper information protection procedures such as effective
planning, scheduling, coordination, and logistics
Identifies and ranks the critical assets
• Evaluates the threat environment
• Allows penetration testing
• Examines and evaluates physical security
• Performs a physical asset analysis
• Observes policies and procedures
• Conducts an impact analysis
• Performs a risk characterization
Post-Assessment Phase
The post-assessment phase involves:
• Prioritizing assessment recommendations
• Providing action plan development to implement the
Vulnerability Analysis Stages
Vulnerability analysis refers to identifying areas where vulnerability exists
Perform vulnerability analysis and list the areas that need testing and penetration
Vulnerability penetration capabilities can be broken down into three steps:
• Locating nodes
• Performing service discoveries on them
• Testing those services for known security holes
Comparing Approaches to Vulnerability Assessment
Product-based versus service-based assessment solutions
Product-based assessment:
• Installed in the organization's internal network
• Installed in the private (non-routable) or Internet-addressable portion of an organization's network
• If installed in the private network, in other words behind the firewall, it cannot always detect outside attacks
Service-based assessment:
• Offered by a third party, such as auditing firms or security consultant firms
• Some of the solutions are hosted inside the network and others are hosted outside the network
Comparing Approaches to Vulnerability Assessment (cont'd)
Tree-based versus inference-based assessment
Tree-based assessment:
• In a tree-based assessment, the administrator selects the tree appropriate for each machine
• For example, the administrator selects trees for servers running Windows, databases, and web services
• This approach relies on the administrator to provide the starting shot of intelligence and then to start scanning continuously without incorporating any information found at the time of scanning
Inference-based assessment:
• In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine
• After finding the protocols, the scanning process starts to detect which ports are attached to services such as an email server, web server, or database server
• After finding the services, it selects vulnerabilities on each machine and starts to execute only those relevant tests
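Added example (written for this page, not code from the ECSA/LPT slides): a small Python model of the two test-selection strategies above, which also walks the locate-nodes / discover-services / test-services breakdown from the Vulnerability Analysis Stages slide. The test catalogue, trees, host and port-to-protocol map are constructed sample data.

```python
# Constructed test catalogue: test id -> the protocol/service it applies to.
# Ids are illustrative check names, not identifiers from any real scanner.
TEST_CATALOGUE = {
    "smtp-open-relay": "smtp",
    "http-dir-listing": "http",
    "http-default-creds": "http",
    "mysql-empty-root-pw": "mysql",
    "ssh-weak-ciphers": "ssh",
}

# Tree-based: the administrator picks a tree per machine up front (web
# server, database server, ...) and every test in it runs, whether or not
# the matching service is actually listening.
TREES = {
    "web": ["http-dir-listing", "http-default-creds"],
    "database": ["mysql-empty-root-pw"],
    "mail": ["smtp-open-relay"],
}

def tree_based_tests(assigned_trees):
    """Tests to run when the administrator assigned these trees to a host."""
    tests = []
    for tree in assigned_trees:
        tests.extend(TREES[tree])
    return tests

def inference_based_tests(open_services):
    """Tests to run given the inventory the scan itself built: a
    port -> protocol map from service discovery on a located node.
    Only tests whose protocol was actually found are selected."""
    inventory = set(open_services.values())
    return [t for t, proto in TEST_CATALOGUE.items() if proto in inventory]

def tree_vs_inference(assigned_trees, open_services):
    """Where the approaches disagree: tests the tree runs needlessly
    (service absent) and tests it misses (service present, not in tree)."""
    tree = set(tree_based_tests(assigned_trees))
    inferred = set(inference_based_tests(open_services))
    return {"wasted": sorted(tree - inferred), "missed": sorted(inferred - tree)}

# Constructed host: the admin believes it is a web + database server, but
# discovery finds only SSH and HTTP (the database was never installed).
HOST = {"trees": ["web", "database"], "services": {22: "ssh", 80: "http"}}

if __name__ == "__main__":
    print("tree-based:     ", tree_based_tests(HOST["trees"]))
    print("inference-based:", inference_based_tests(HOST["services"]))
    print("difference:     ", tree_vs_inference(HOST["trees"], HOST["services"]))
```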
Characteristics of a Good Vulnerability Assessment Solution
Ensures correct outcomes by testing the network, network resources, ports, protocols, and operating systems
Uses a well-organized inference-based approach for testing
Scans automatically against a continuously updated database
Creates brief, actionable, customizable reports, including report of
vulnerabilities by severity level and trend analysis
Supports various networks
Gives tested remedies and workarounds to correct vulnerabilities
Vulnerability Assessment Considerations
What parts of the organization will be included?
How much (if not all) of the network will be reviewed?
How many people will be consulted?
How many people will be working on the project?
Vulnerability Assessment Reports
Vulnerability Report Model (diagram): Scanner node (Name, URL, Date); Target Information node (OS, Date); Vulnerability node (Summary, Information, Classification, Security, Results)
A typical vulnerability assessment can take as long as 12 weeks.
Penetration Attempts (flow)
Start -> Vulnerability assessment -> Analyze vulnerability assessment report -> Identify areas of vulnerability -> Locate hacking tools -> Penetration attempts
Types of Vulnerability Assessment Tools
Host-based vulnerability assessment tools:
• A host-based vulnerability assessment tool finds and identifies the OS running on a particular host computer and tests it for known deficiencies
• Searches for common applications and services
Application-layer vulnerability assessment tools:
• Application-layer vulnerability assessment tools are directed toward web servers or databases
Types of Vulnerability Assessment Tools (cont'd)
Scope assessment tools:
• They provide security to the IT system by testing for vulnerabilities in the applications and OS
Depth assessment tools:
• These tools find and identify previously unknown vulnerabilities in a system
• Such types of tools include "fuzzers"
Types of Vulnerability Assessment Tools (cont'd)
Active/passive tools:
• Active scanners perform vulnerability checks on the network, which consumes resources on the network
• Passive scanners, though, do not affect system resources considerably; they only observe system data and perform data processing on a separate analysis machine
Location/data examined tools:
• Network-based scanner
Choosing a Vulnerability Assessment Tool
Vulnerability assessment tools are used to test a host or application for vulnerabilities. While choosing these tools, they should satisfy the following requirements:
• Test from dozens to 30,000 different vulnerabilities, depending on the product
• Contain several hundred different attack signatures
• Match with your environment and expertise
• Have accurate network and application mapping and penetration tests
• Have a sufficient number of vulnerability scripts for the platforms you're scanning, updated frequently
• Generate reports
• Check different levels of penetration to prevent lockups
Choosing a Vulnerability Assessment Tool (cont'd)
Types of vulnerabilities being assessed
Testing the capability of scanning
Ability to provide accurate reports
Efficient and accurate scanning
Capability to perform smart search
Functionality for writing own tests
Test run scheduling
Vulnerability Assessment Tools
Decide what information you want to collect before starting
Decide the source location of the scan, based on the information you want to collect
Enable logging every time you scan, on every computer
Users should scan their systems frequently for vulnerabilities
Vulnerability Assessment Tools
Qualys Vulnerability Scanner
Cycorp CycSecure Scanner
eEye Retina Network Security Scanner
Foundstone Professional Scanner
GFI LANguard Network Security Scanner
ISS Internet Scanner
SAINT Vulnerability Scanner
Symantec NetRecon Scanner
Shadow Security Scanner
Open Source Nessus
Microsoft Baseline Security Analyzer (MBSA)
SPIKE Proxy
Foundstone’s ScanLine
Qualys Vulnerability Scanner: Screenshot
Cycorp CycSecure Scanner
Features:
• Automated network state detection
• Compound vulnerability analysis
• Identifying the most critical vulnerabilities to be corrected
• Reporting the actual sequences of actions that can compromise your network
• "What if" analysis
• Network state and compliance monitoring
• Non-invasive and continuous assessment
eEye Retina Network Security Scanner
The eEye Retina Network Security Scanner performs an audit scan for identified vulnerabilities and configuration-related problems.
Foundstone Professional Scanner
Comprehensive map of the entire network, including wireless access points and load balancers
Prices for Foundstone Professional TL start at $12,000/year
GFI LANguard Network Security Scanner
ISS Internet Scanner
The Internet Scanner performs distributed or event-driven probes of network services, operating systems, routers/switches, servers, firewalls, and application routers to identify potential risks
SAINT Vulnerability Scanner
SAINT screens every live system on a network for TCP and UDP services.
For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial-of-service, or gain sensitive information about the network.
Symantec NetRecon Scanner
Tests the entire network infrastructure for security vulnerabilities and provides recommendations on how to fix them
Displays scan progress with a real-time graphic view, revealing the root cause of vulnerabilities
Provides customizable management reports for a range of audiences
Scans multiple operating systems, including UNIX, Linux, Windows 2000, and NetWare.
Shadow Security Scanner
Shadow Security Scanner can audit more than 2,000 vulnerabilities in UNIX, Windows, Linux, routers, devices, etc.
The report can be delivered in XML, PDF, RTF and CHM (compiled HTML) formats
Shadow Database Scanner
Shadow Database Scanner scans for vulnerabilities in databases such as Oracle, IBM DB2, MiniSQL, MySQL, and Lotus Domino
Open source-based
Nessus is a remote security scanner for Linux, BSD,
Solaris, and other Unices
It is plug-in based, has a GTK interface, and
performs over 1200 remote security checks
It allows for reports to be generated in HTML, XML,
LaTeX, and ASCII text, and suggests solutions for
security problems
Microsoft Baseline Security Analyzer (MBSA)
MBSA is a tool designed for the IT professional which helps small- and medium-sized businesses to determine their security state in accordance with Microsoft security recommendations.
It detects common security misconfigurations and missing security updates on computers.
Microsoft Baseline Security Analyzer: Screenshot
SPIKE Proxy
SPIKE Proxy is a tool to find application-level vulnerabilities in web applications
Foundstone's ScanLine
ScanLine is a command-line port scanner for all Windows platforms
It performs traditional ICMP "pinging" optional additional ICMP
Foundstone's ScanLine: Screenshot
Cerberus Internet Scanner
Cerberus Internet Scanner (CIS) is a tool that scans a remote host for many known vulnerabilities, including XSS, web service checks, FTP, SMTP, POP3, NT, NetBIOS, and MS SQL checks.
Cerberus Internet Scanner: Screenshot
Other Vulnerability Tools
Record your activities
Collect the various reports generated by different vulnerability scanners
Vulnerability Assessment Reports
Security vulnerability report:
• This report gives information about:
• New vulnerabilities
• Open ports and detected services
• Suggestions for remediation
• Links to patches
Security vulnerability summary:
• This report is produced for every server after scanning, and provides details of:
• Current security flaws
• Resolved prior detected vulnerabilities
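Added example (written for this page, not code from the slides or any scanner vendor): Python that builds the security vulnerability summary described above for one server from two scans, with the open ports, counts by severity and trend that the Characteristics of a Good Vulnerability Assessment Solution slide asks a report to carry. The findings are constructed sample data and the vulnerability ids are placeholders.

```python
from collections import Counter

# Constructed findings for one server from two scans, as (vulnerability id,
# port, severity). Ids are placeholders, not real advisory identifiers.
PRIOR_SCAN = [
    ("VULN-A", 80, "high"),
    ("VULN-B", 25, "medium"),
    ("VULN-C", 22, "low"),
]
CURRENT_SCAN = [
    ("VULN-A", 80, "high"),    # still open
    ("VULN-C", 22, "low"),     # still open
    ("VULN-D", 443, "high"),   # new since the prior scan
]

def finding_key(finding):
    """Two findings are the same issue if id and port match; severity may be
    re-rated between scans, so it is not part of the identity."""
    return (finding[0], finding[1])

def summarize(prior, current):
    """Per-server summary: current flaws, new and resolved items, open ports,
    counts by severity, and the per-severity trend versus the prior scan."""
    prior_keys = {finding_key(f) for f in prior}
    current_keys = {finding_key(f) for f in current}
    prior_sev = Counter(f[2] for f in prior)
    current_sev = Counter(f[2] for f in current)
    severities = set(prior_sev) | set(current_sev)
    return {
        "current_flaws": sorted(current_keys),
        "new": sorted(current_keys - prior_keys),
        "resolved": sorted(prior_keys - current_keys),
        "open_ports": sorted({f[1] for f in current}),
        "by_severity": dict(current_sev),
        # positive delta means more findings of that level than last time;
        # an unchanged total can still hide churn at the high end
        "trend": {s: current_sev[s] - prior_sev[s] for s in severities},
    }

if __name__ == "__main__":
    for field, value in summarize(PRIOR_SCAN, CURRENT_SCAN).items():
        print(f"{field:14} {value}")
```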
Security Vulnerability Report
Security Vulnerability Summary
Automated Scanning Server Reports
Standard report:
• It provides complete analysis of vulnerabilities found
• It shows a summary of risks found in the scan using charts and graphs
• It also gives the technical information for each vulnerability detected, such as a short summary, impact, and solution
Automated Scanning Server Reports