Unit 3 Ethical Hacking

The document discusses the utilization of vulnerability scanners in cybersecurity, highlighting their roles in network security audits, application security testing, compliance verification, and continuous monitoring. It details various types of vulnerabilities, ethical hacking practices, and tools used in vulnerability analysis, including specific scanners like Nessus, OpenVAS, and Nexpose. Additionally, it covers the functions of CERT teams in managing cybersecurity incidents and the importance of identifying and mitigating vulnerabilities to protect systems and networks.

Unit 3

1. Utilization: Vulnerability scanners


Vulnerability scanners are tools used to identify, assess, and report security weaknesses
(vulnerabilities) in computer systems, networks, and software. Their utilization spans multiple
areas in cybersecurity, providing organizations with valuable insights to mitigate potential
risks. Here are some key aspects of their utilization:
 Network Security Audits: Vulnerability scanners are commonly used to audit
and analyze network security, identifying issues such as open ports, weak
passwords, misconfigured services, or outdated software that could expose the
network to attacks.
 Application Security Testing: They can scan web applications and software to
detect flaws such as SQL injection, cross-site scripting (XSS), or insecure
authentication mechanisms.
 Compliance Verification: Many industries have regulations and standards (like
PCI-DSS, HIPAA) requiring organizations to regularly scan their systems for
vulnerabilities. Vulnerability scanners help ensure compliance by identifying areas
that need remediation.
 Patch Management: Scanners can identify outdated software versions, missing
patches, or misconfigurations that leave systems exposed. This helps
organizations prioritize patching to mitigate critical vulnerabilities quickly.
 Cloud Security: For organizations using cloud infrastructures, vulnerability
scanners can assess cloud-based assets, services, and configurations for
potential security weaknesses, ensuring secure cloud environments.
 Penetration Testing Assistance: Vulnerability scanners are often used in the
initial phase of penetration testing, where they help in identifying targets and
gathering information on vulnerabilities that could be exploited by attackers.
 Continuous Monitoring: Automated vulnerability scanners can be set up for
continuous monitoring, alerting security teams whenever a new vulnerability is
detected in the environment.
 Examples of popular vulnerability scanners include Nessus, OpenVAS, Qualys,
and Acunetix.

2. Vulnerability in detail
A vulnerability in the context of cybersecurity refers to a flaw or weakness in a system,
network, application, or software that could be exploited by an attacker to compromise its
confidentiality, integrity, or availability. These weaknesses can arise due to various
reasons such as design flaws, improper configurations, coding errors, or the absence of
necessary security measures. Understanding vulnerabilities in detail helps in their
identification, mitigation, and prevention.
Types of Vulnerabilities:
 Software Vulnerabilities: These occur due to bugs, poor coding practices, or
misconfigurations in software. Common examples include:
a. Buffer Overflows: When more data is written to a buffer (temporary storage)
than it can handle, causing data corruption or enabling code execution.
b. SQL Injection: A web security vulnerability where an attacker manipulates a SQL
query to gain unauthorized access to the database.
c. Cross-Site Scripting (XSS): A vulnerability where an attacker injects malicious
scripts into web pages, executed by other users.
d. Insecure Deserialization: Occurs when untrusted data is used to reconstruct
objects, leading to code execution or attacks.
 Network Vulnerabilities: These are weaknesses in a network's design, configuration, or
hardware. Examples include:
a. Open Ports: Unprotected open ports on a network can be exploited by attackers
to access services or sensitive data.
b. Man-in-the-Middle Attacks (MITM): When an attacker intercepts and possibly
alters communication between two parties.
c. Unencrypted Communication: Lack of encryption can expose sensitive data
during transmission.
 Configuration Vulnerabilities: Misconfigured systems, networks, or applications that
allow unauthorized access. Examples include:
a. Default Credentials: Using default usernames and passwords (e.g., "admin" and
"password") leaves systems vulnerable to attacks.
b. Exposed APIs: Poorly secured APIs may leak data or allow unauthorized control.
 Human-Induced Vulnerabilities: Human errors, such as weak passwords,
failing to apply security patches, or improper system administration, often lead to
exploitable vulnerabilities.
3. Ethical hacking
Ethical hacking, also known as white-hat hacking or penetration testing, involves
legally probing systems, networks, or applications for security vulnerabilities. The goal of
ethical hacking is to discover and fix security flaws before malicious hackers (black-hat
hackers) can exploit them. Ethical hackers work with the permission of the system owner
and adhere to professional standards and legal regulations.
Types of Hackers:
 White-Hat Hackers (Ethical Hackers): These individuals use their skills to find and
fix security vulnerabilities with the system owner’s consent.
 Black-Hat Hackers (Malicious Hackers): These hackers exploit vulnerabilities for
illegal or unethical purposes, such as theft or disruption.
 Gray-Hat Hackers: These hackers fall between white and black hats. They may
explore systems without permission but do not intend to cause harm, and may later
inform the organization of their findings.
Common Tools Used in Ethical Hacking:
 Nmap: A powerful tool for network scanning and mapping open ports and services.
 Wireshark: A network protocol analyzer used for monitoring network traffic and
diagnosing issues.
 Metasploit: A popular penetration testing framework that provides various tools for
discovering vulnerabilities, developing exploits, and executing attacks.
 Burp Suite: A tool for web application security testing, commonly used for finding
vulnerabilities like SQL injection and XSS.
 Aircrack-ng: A suite of tools used for wireless network security auditing and cracking
Wi-Fi passwords.

4. Steps in vulnerability analysis


 Define Scope: Identify what to assess and set objectives.
 Information Gathering: Collect data about the target through passive (e.g.,
public info) and active (e.g., network scans) means.
 Vulnerability Scanning: Use automated tools to scan for known
weaknesses.
 Manual Verification: Review scan results to confirm vulnerabilities and
eliminate false positives.
 Risk Assessment: Determine the potential impact and likelihood of
exploitation, then prioritize vulnerabilities.
 Reporting: Document findings and recommend fixes.
 Remediation: Fix the vulnerabilities or apply temporary mitigation measures.
 Re-Scan: Verify the issues are resolved by re-scanning the system.
 Continuous Monitoring: Regularly check for new vulnerabilities and update
security measures.
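The manual-verification, risk-assessment and re-scan steps above carried out on constructed scan data, as an added example that is not part of the original notes. Findings are prioritised by impact times likelihood, false positives are dropped, and a baseline scan is compared with a re-scan to confirm what was remediated; the hosts, plugin names and scores are all constructed samples, not output of any real scanner.

```python
"""Added example: a small triage pipeline for the vulnerability-analysis steps.
All findings below are constructed sample data, not real scanner output."""
from dataclasses import dataclass

# Impact weights used during risk assessment (constructed scale)
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str          # asset the scanner reported on
    plugin: str        # scanner check that fired (constructed names)
    impact: str        # severity as reported by the scanner
    likelihood: float  # 0.0-1.0 chance of exploitation, set during risk assessment
    confirmed: bool    # result of manual verification (False = false positive)


def risk_score(f: Finding) -> float:
    """Impact weight times likelihood; higher means fix first."""
    return IMPACT[f.impact] * f.likelihood


def prioritise(findings):
    """Manual verification step: drop false positives, then rank by risk."""
    confirmed = [f for f in findings if f.confirmed]
    return sorted(confirmed, key=risk_score, reverse=True)


def rescan_diff(baseline, rescan):
    """Re-scan step: compare (host, plugin) pairs, ignoring false positives."""
    before = {(f.host, f.plugin) for f in baseline if f.confirmed}
    after = {(f.host, f.plugin) for f in rescan if f.confirmed}
    return {
        "resolved": sorted(before - after),    # fixed since the baseline
        "still_open": sorted(before & after),  # remediation did not work
        "new": sorted(after - before),         # introduced since the baseline
    }


# Constructed sample scans: baseline before remediation, re-scan afterwards
BASELINE = [
    Finding("10.0.0.5", "ssh-weak-cipher", "medium", 0.4, True),
    Finding("10.0.0.5", "ftp-anonymous-login", "high", 0.9, True),
    Finding("10.0.0.7", "http-outdated-server", "critical", 0.7, True),
    Finding("10.0.0.7", "ssl-self-signed", "low", 0.2, False),  # false positive
]
RESCAN = [
    Finding("10.0.0.5", "ssh-weak-cipher", "medium", 0.4, True),
    Finding("10.0.0.9", "default-credentials", "high", 0.8, True),
]

if __name__ == "__main__":
    for f in prioritise(BASELINE):
        print(f"{risk_score(f):.1f}  {f.host}  {f.plugin}")
    print(rescan_diff(BASELINE, RESCAN))
```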
5. CERT (Computer Emergency Response Team)
CERT is a group of cybersecurity experts responsible for responding to and managing
cybersecurity incidents, such as data breaches, cyberattacks, or malware infections. CERT
teams work to improve security by providing threat intelligence, incident response
coordination, and risk mitigation strategies to organizations, governments, and the general
public. They are vital in addressing potential cybersecurity threats and maintaining the
security posture of critical systems.
Role of CERT:
a. Incident Response: Detecting, analyzing, and responding to cyber incidents.
b. Vulnerability Management: Providing information on vulnerabilities and issuing
patches or advisories.
c. Threat Intelligence: Gathering and sharing information on potential cyber threats
with organizations and governments.
d. Training and Awareness: Educating stakeholders on best security practices and
how to handle cyber incidents.
e. Coordination: Coordinating responses to large-scale cyberattacks across
different organizations or countries.
Potential Threats to Resources:
a. Malware: Viruses, ransomware, and worms that can disrupt services, steal
sensitive information, or encrypt data for ransom.
b. Phishing Attacks: Cyberattacks that trick users into providing sensitive
information, such as credentials or financial data, often via email or malicious
websites.
c. Denial-of-Service (DoS/DDoS): Attacks that overload systems or networks,
making them unavailable to legitimate users, often targeting critical infrastructure.
d. Insider Threats: Employees or contractors who misuse their access privileges to
compromise systems or steal sensitive data.
e. Zero-Day Exploits: Attacks that take advantage of vulnerabilities before they are
publicly known or patched.
6. Vulnerability scanners
Vulnerability scanners are automated tools used to identify security weaknesses in
systems, networks, and applications. They scan for vulnerabilities, such as
misconfigurations, outdated software, open ports, and known security flaws, to help
organizations detect potential threats before they can be exploited by attackers.

7. Netbrute scanner
NetBrute Scanner is a network-based vulnerability scanning tool that specializes in
identifying security weaknesses by performing brute-force attacks on services like SSH,
FTP, Telnet, and others. It is designed to test the strength of credentials and identify
network misconfigurations that could expose sensitive resources to attackers.
Key Features of NetBrute Scanner:
1. Brute-Force Attack Testing: NetBrute Scanner performs brute-force attacks on
various services to test the strength of user passwords and authentication
mechanisms.
2. Protocol Scanning: It scans network protocols such as SSH, FTP, HTTP, Telnet,
and others to identify open ports and weak security configurations.
3. Password Guessing: It systematically attempts different combinations of
usernames and passwords (from a predefined list or dictionary) to gain
unauthorized access to systems.
4. Multithreading: Supports multiple simultaneous connections to speed up the
scanning and brute-force processes.

8. Difference in vulnerability scanning and penetration tests

9. Vulnerability scan: Nessus


Nessus is a popular vulnerability scanner developed by Tenable. It scans systems,
networks, and applications for security weaknesses, such as unpatched software,
misconfigurations, and open ports. Key features include:
 Comprehensive Scanning: Covers a wide range of devices, operating systems,
and applications.
 Plugin Library: Over 170,000 plugins to detect specific vulnerabilities.
 Detailed Reporting: Provides reports with severity levels and remediation
recommendations.
 Compliance Checking: Helps ensure adherence to standards like PCI DSS and
HIPAA.
 Customizable Scans: Users can tailor scans based on their needs.

Common Use Cases:


1. Vulnerability Management: Nessus is commonly used to regularly scan systems
for known vulnerabilities, providing IT teams with insights on what needs to be
patched or reconfigured.
2. Compliance Audits: It helps organizations check for compliance with industry-
specific regulations and security standards by ensuring that their systems meet
required security controls.
3. Network Security: Nessus can scan entire networks to identify exposed
services, weak credentials, and open ports that could be exploited by attackers.
4. Web Application Scanning: It detects common web app vulnerabilities like SQL
injection, cross-site scripting (XSS), and insecure session management.
Advantages of Nessus:
 Wide Coverage: Scans a broad range of platforms, devices, and applications.
 Detailed and Actionable Reports: Offers clear remediation steps based on industry-
standard scoring systems.
 Regular Updates: Continuously updated to detect the latest vulnerabilities and
threats.
 Highly Customizable: Supports tailored scans to meet specific organizational
needs.
Disadvantages:
 Limited Exploitation: Nessus is a vulnerability scanner, not a penetration testing
tool, meaning it identifies vulnerabilities but does not exploit them to show potential
impacts.
 Cost: While Nessus Essentials is free, its paid version, Nessus Professional, is
subscription-based and can be costly for small organizations.
 Requires Expertise: Interpreting scan results effectively requires a good
understanding of cybersecurity and network administration.

10. OpenVAS
OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability
scanner that is part of the Greenbone Vulnerability Management (GVM) framework. It is
widely used for detecting security vulnerabilities in systems and networks. OpenVAS is
known for its flexibility and powerful scanning capabilities, making it a popular choice
for security assessments.

Key Features of OpenVAS:

a. Open-Source: OpenVAS is free to use and modify, making it accessible to
individuals and organizations of all sizes.
b. Extensive Vulnerability Coverage: It uses a large library of vulnerability tests
(VTs) to detect misconfigurations, unpatched software, and exposed services.
c. Regular Updates: OpenVAS regularly updates its vulnerability feeds, ensuring
that it can detect the latest security threats and vulnerabilities.
d. Scalability: It can perform both small-scale scans and large-scale network
assessments, making it suitable for organizations with diverse infrastructure.
Use Cases of OpenVAS:

1. Vulnerability Management: OpenVAS helps organizations regularly scan systems to
identify vulnerabilities and address security gaps in their infrastructure.
2. Network Security Assessments: It is often used to scan internal and external
networks for vulnerabilities that could be exploited by attackers.
3. Compliance Audits: OpenVAS can be used to ensure compliance with security
standards and regulations by identifying issues related to configuration, patching, and
network security.
4. Penetration Testing Support: Security professionals use OpenVAS as part of a
penetration test to identify potential attack vectors before conducting manual testing.

Advantages of OpenVAS:

1. Free and Open-Source: OpenVAS is available at no cost, making it an attractive
option for organizations with limited budgets.
2. Comprehensive Vulnerability Database: It has an extensive and regularly updated
database of vulnerability tests, ensuring thorough coverage.
3. Customizable: OpenVAS allows users to tailor their scans based on specific needs,
making it flexible for different use cases.

Disadvantages of OpenVAS:

1. Complex Setup: Setting up and configuring OpenVAS can be more complex
compared to commercial tools, requiring technical expertise.
2. Performance: OpenVAS may take longer to complete scans compared to some
commercial vulnerability scanners, especially in large environments.
3. False Positives: Like many scanners, OpenVAS may produce false positives,
requiring manual verification to ensure the vulnerabilities are real.

11. Vulnerability scan: Nexpose


Key Features of Nexpose:
1. Real-Time Monitoring: Continuously monitors assets for new vulnerabilities and
threats.
2. Vulnerability Prioritization: Uses a Real Risk Score to prioritize vulnerabilities
based on risk.
3. Integration with Metasploit: Directly integrates with Metasploit for vulnerability
exploitation testing.
Use Cases of Nexpose:
1. Vulnerability Management: Identifies and prioritizes vulnerabilities across
networks and systems.
2. Compliance Auditing: Ensures systems meet standards like PCI DSS and HIPAA.
3. Penetration Testing Support: Aids penetration testing by discovering
vulnerabilities for further exploitation.
Advantages of Nexpose:
1. Comprehensive Coverage: Scans networks, apps, and cloud environments.
2. Risk-Based Approach: Prioritizes vulnerabilities based on exploitability and asset
importance.
3. Automation: Supports automated scans and workflows to reduce manual effort.
Disadvantages of Nexpose:
1. Cost: Being a commercial tool, it can be expensive for small organizations.
2. Resource-Intensive: Can consume significant resources during large scans.
3. Complex Setup: May require expertise for configuration and optimal use.

12. Vulnerability scan: Saint cloud


SAINT (now part of Fortra) is a cloud-based vulnerability management and penetration
testing tool that helps organizations identify and mitigate security risks across their IT
environments. It supports cloud-based as well as on-premises vulnerability scanning.
Key Features of SAINT Cloud:
1. Cloud-Based Vulnerability Scanning: Provides scalable, on-demand vulnerability
scanning directly from the cloud, reducing infrastructure overhead.
2. Penetration Testing Capabilities: In addition to vulnerability scanning, it includes
features for simulating attacks to test the exploitability of identified
vulnerabilities.
3. Compliance Reporting: Offers built-in compliance checks for standards like PCI
DSS, HIPAA, and SOX, making it easy to ensure regulatory compliance.
Use Cases of SAINT Cloud:
1. Cloud and Network Security: Scans cloud environments and on-prem networks to
identify vulnerabilities and misconfigurations.
2. Penetration Testing: Assists security teams in testing the real-world impact of
vulnerabilities through exploitation features.
3. Compliance Auditing: Ensures that systems are aligned with various regulatory
standards by scanning for compliance issues.
Advantages of SAINT Cloud:
1. Cloud-Based: No need for on-prem infrastructure, providing scalability and
flexibility.
2. All-in-One Solution: Combines vulnerability scanning and penetration testing in
one platform.
3. Detailed Reporting: Offers actionable reports tailored for both technical and non-
technical stakeholders.
Disadvantages of SAINT Cloud:
1. Cost: Being a cloud-based commercial tool, it may be costly for smaller
organizations.
2. Learning Curve: Some features, particularly the penetration testing tools, require
technical expertise to use effectively.
3. Resource-Intensive: Depending on the scope of the scan, it may take time and
resources to complete large-scale assessments.
13. Identification of specific vulnerabilities
 Configuration problems in FTP servers.
 Exploits pertaining to Apache web servers and Microsoft IIS.
 Potential security problems that can be managed with the same tools.
 Ways in which a hacker could gain easy access to the internal network.
 Information that a sophisticated attacker could read, and possible leaks.
 Detection of known CGI vulnerabilities, along with DNS, FTP and mail vulnerabilities.
 Detection of wireless devices.
14. Web application attack
A web application attack targets vulnerabilities in web applications to compromise
security, data integrity, or user privacy. These attacks exploit weaknesses in the
application’s code, configuration, or underlying infrastructure to gain unauthorized
access, steal sensitive information, or disrupt services.
1. Cross-Site Scripting (XSS):
o Description: XSS occurs when an attacker injects malicious scripts into web
pages viewed by users. This can lead to session hijacking, data theft, or
defacement.
o Example: An attacker inserts a JavaScript payload into a comment section,
which runs in the browsers of users viewing the page.
2. SQL Injection (SQLi):
o Description: SQL injection involves inserting malicious SQL queries into
input fields to manipulate the database, allowing attackers to view, modify, or
delete data.
o Example: An attacker enters '; DROP TABLE users; -- into a login form,
potentially deleting the users table from the database.
3. Injection Attacks:
o Description: This broader category includes any type of attack that injects
malicious data into an application, which is then executed by the server. This
can include command injection, XML injection, etc.
o Example: Command injection can occur when an attacker inserts shell
commands into an input field, executing them on the server.
4. Automated Threats:
o Description: Automated threats use scripts or bots to exploit vulnerabilities in
web applications at scale. These attacks can target multiple sites or exploit
known vulnerabilities.
o Example: Bots may continuously try to log in to a web application using
stolen credentials (brute force attacks).
5. File Path Traversal:
o Description: This attack allows attackers to access files and directories outside
the intended directory. It often exploits insufficient input validation.
o Example: An attacker may use ../ sequences to access sensitive files on the
server (like /etc/passwd).
6. Command Injection:
o Description: Command injection occurs when an application passes unsafe
user input to a system shell. Attackers can execute arbitrary commands on the
server.
o Example: An attacker sends input that appends a shell command to a
legitimate command executed by the server.
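The SQL injection, file path traversal and command injection attacks above handled from the defender's side, as an added example that is not part of the original notes: each function keeps user input as data so the page's payloads ('; DROP TABLE users; --, ../ sequences, appended shell commands) have no effect. The in-memory users table, the /srv/app/public root and the hostname pattern are constructed assumptions.

```python
"""Added example: hardened handling of SQL injection, path traversal and
command injection.  Database rows, document root and hostname rule are constructed."""
import posixpath
import re
import sqlite3


# --- SQL injection: parameterised query instead of string concatenation ---
def open_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return db


def find_user(db: sqlite3.Connection, name: str):
    # The ? placeholder binds `name` as a value; quotes and ';' in it stay literal.
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchone()


def table_exists(db: sqlite3.Connection, table: str) -> bool:
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


# --- Path traversal: confine every requested file to a fixed base directory ---
PUBLIC_ROOT = "/srv/app/public"  # constructed document root


def safe_path(requested: str) -> str:
    """Join, normalise, and refuse anything that escapes PUBLIC_ROOT."""
    candidate = posixpath.normpath(posixpath.join(PUBLIC_ROOT, requested.lstrip("/")))
    if posixpath.commonpath([PUBLIC_ROOT, candidate]) != PUBLIC_ROOT:
        raise ValueError(f"path escapes document root: {requested!r}")
    return candidate


# --- Command injection: allow-list the value and never hand it to a shell ---
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # constructed hostname rule


def ping_argv(host: str) -> list:
    """Build an argv list for subprocess.run(argv) with shell=False, so nothing parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]
```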
