CSA Vulnerability Scanning + Chpt6

Vulnerability scanning involves inspecting systems and networks to identify security vulnerabilities. It can be done as an authenticated scan by an authorized user or as an unauthenticated scan similar to how an attacker would do it. Tools like Nessus and OpenVAS are commonly used for vulnerability scanning. They detect vulnerabilities and output results that need to be interpreted using metrics like CVSS scores to prioritize remediation. False positives in scan results also need to be identified and exceptions documented. Continuous monitoring helps maintain visibility of security risks over time.

Uploaded by

RammyBrad
Vulnerability Scanning

CHAPTER 6

CYBERSECURITY ANALYSIS - UCC 1


Class Objectives
Vulnerability scanning is an inspection of the potential points of exploit on a computer or
network to identify security holes.
Continuous monitoring is a risk management approach to cybersecurity that maintains an
accurate picture of an agency's security risk posture, provides visibility into assets, and uses
automated data feeds to quantify risk, ensure the effectiveness of security controls, and
implement prioritized remedies.



Vulnerability Scanning
Vulnerability scanning is an inspection of the potential points of exploit on a
computer or network to identify security holes.
A vulnerability scan detects and classifies system weaknesses in computers,
networks and communications equipment and predicts the effectiveness of
countermeasures. A scan may be performed by an organization's IT department
or by a security service provider, possibly as a condition imposed by some authority.
An Approved Scanning Vendor (ASV), for example, is a service provider that is
certified and authorized by the Payment Card Industry (PCI) to scan payment
card networks. Vulnerability scans are also used by attackers looking for points
of entry.
Running a vulnerability scan can pose its own risks, as it is inherently intrusive on
the target machine's running code. As a result, the scan can cause issues such as
errors and reboots, reducing productivity.
Executing a Scan
There are two approaches to vulnerability scanning, authenticated
and unauthenticated scans.
In the unauthenticated method, the tester performs the scan as an
intruder would, without trusted access to the network. Such a scan
reveals vulnerabilities that can be accessed without logging into the
network.
In an authenticated scan, the tester logs in as a network user,
revealing the vulnerabilities that are accessible to a trusted user, or
an intruder that has gained access as a trusted user.



Nessus
Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities
and Exposures architecture for easy cross-linking between compliant security tools. Nessus
employs the Nessus Attack Scripting Language (NASL), a simple language that describes
individual threats and potential attacks.
Significant capabilities of Nessus include:
• Compatibility with computers and servers of all sizes.
• Detection of security holes in local or remote hosts.
• Detection of missing security updates and patches.
• Simulated attacks to pinpoint vulnerabilities.
• Execution of security tests in a contained environment.
• Scheduled security audits.
The Nessus server is currently available for Unix, Linux and FreeBSD. The client is available for
Unix- or Windows-based operating systems.



Nessus Architecture



This is the general settings page, which provides space for the name and description of the scan.
A scan created on this page can be run immediately or scheduled.
Targets can be specified as a single IPv4 or IPv6 address or as a range of IPv4 or IPv6 addresses.
Addresses can also be entered in CIDR or netmask notation to specify IPv4 subnets.
Nessus also uses various predetermined plugins, some of which are classified as dangerous. The analyst can
use the "safe check" feature to avoid launching dangerous attacks.



OpenVAS (Open Vulnerability Assessment System)

OpenVAS is a framework of several services and tools offering a
comprehensive and powerful vulnerability scanning and vulnerability
management solution. The actual security scanner is accompanied
by a regularly updated feed of Network Vulnerability Tests (NVTs),
over 50,000 in total.
All OpenVAS products are Free Software; the project descends from the last
free Nessus version prior to 2005. Most components are licensed
under the GNU General Public License (GNU GPL).



OpenVAS



OpenVAS - Features
OpenVAS Scanner
• Many target hosts are scanned concurrently
• OpenVAS Transfer Protocol (OTP)
• SSL support for OTP (always)
• WMI support (optional)

OpenVAS Manager
• OpenVAS Management Protocol (OMP)
• SQL database (SQLite) for configurations and scan results
• SSL support for OMP (always)
• Many concurrent scan tasks (many OpenVAS Scanners)
• Notes management for scan results
• False positive management for scan results
• Scheduled scans



Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers
for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of
over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration
items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed
web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Included in the Kali Linux distribution.


To conduct a scan against a web server, specify the target with the -host <ip address> option.
Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious
in log files or to an IPS/IDS.
Note: there is no need to be an expert on any of the vulnerability scanners identified here. All of them
operate in practically the same way.



Nikto - Features
• SSL support (Unix with OpenSSL, or maybe Windows with ActiveState's Perl/NetSSL)
• Full HTTP proxy support
• Checks for outdated server components
• Save reports in plain text, XML, HTML, NBE or CSV
• Template engine to easily customize reports
• Scan multiple ports on a server, or multiple servers via input file (including nmap output)
• Easily updated via command line
• Identifies installed software via headers, favicons and files
• Host authentication with Basic and NTLM
• Subdomain guessing



Reviewing and Interpreting Scan Results
Vulnerability name
Overall severity
Detailed description
Solution
References
Output
Port/hosts
Risk information



Report Generation
This is an important part of the incident response process, and it is also
critical for vulnerability management.
Ensure that the scanner you are using is able to generate a useful
report of some kind.
Common formats include PDF, HTML and CSV.
Reports can be generated automatically or manually.



Reviewing and Interpreting Nessus Scan Results



CVSS Access Vector
The Common Vulnerability Scoring System can be used to determine the criticality of vulnerabilities.



CVSS Access Complexity



CVSS Authentication



CVSS Confidentiality



CVSS Integrity



CVSS Authentication



CVSS Data



Interpreting CVSS Vectors



Exploitability Score



Impact Score



Impact Function
If the impact score is 0, the impact function is 0.

Otherwise, the impact function is 1.176.



Calculating Base Score



Categorizing Base Scores
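Added example, not part of the slides: a C implementation of the CVSS v2 base-score calculation the preceding slides walk through. Access vector, access complexity and authentication feed the exploitability sub-score; confidentiality, integrity and availability feed the impact sub-score; the impact function is 0 when nothing is impacted and 1.176 otherwise, so a vector with no impact scores 0.0. The metric weights are the CVSS v2 specification values, rounding to one decimal matches how NVD reports v2 scores, and the Low/Medium/High bands are NVD's v2 severity categories.

```c
#include <string.h>

/* CVSS v2 metrics in vector order: AV, AC, Au, C, I, A. 'keys' are the accepted
 * letters for each metric and 'w' the v2 specification weight in the same order. */
static const char *cvss2_names[6] = {"AV", "AC", "Au", "C", "I", "A"};
static const char *cvss2_keys[6]  = {"LAN", "HML", "MSN", "NPC", "NPC", "NPC"};
static const double cvss2_w[6][3] = {{0.395, 0.646, 1.0}, {0.35, 0.61, 0.71}, {0.45, 0.56, 0.704},
                                     {0.0, 0.275, 0.660}, {0.0, 0.275, 0.660}, {0.0, 0.275, 0.660}};

/* Parse "AV:N/AC:L/Au:N/C:C/I:C/A:C" into six weights.
 * Returns 0 on success, -1 on a malformed vector, unknown value or missing metric. */
int cvss2_parse(const char *vector, double out[6]) {
    char buf[64];
    if (strlen(vector) >= sizeof buf) return -1;
    strcpy(buf, vector);                          /* bounded by the check above */
    for (int k = 0; k < 6; k++) out[k] = -1.0;    /* -1 marks "not seen yet" */
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *val = strchr(tok, ':');
        if (!val || strlen(val) != 2) return -1;  /* expect exactly ":X" */
        *val++ = '\0';
        for (int k = 0; k < 6; k++) {
            const char *p = strcmp(tok, cvss2_names[k]) ? NULL : strchr(cvss2_keys[k], *val);
            if (p) out[k] = cvss2_w[k][p - cvss2_keys[k]];
        }
    }
    for (int k = 0; k < 6; k++) if (out[k] < 0) return -1;
    return 0;
}
/* v2 sub-scores: Impact from C/I/A, Exploitability from AV/AC/Au. */
double cvss2_impact(const double m[6]) {
    return 10.41 * (1.0 - (1.0 - m[3]) * (1.0 - m[4]) * (1.0 - m[5]));
}
double cvss2_exploitability(const double m[6]) { return 20.0 * m[0] * m[1] * m[2]; }

/* The slide's impact function: 0 when nothing is impacted, otherwise 1.176. */
double cvss2_f_impact(double impact) { return impact == 0.0 ? 0.0 : 1.176; }

/* Base score rounded half-up to one decimal, as NVD reports it; -1.0 if the vector is bad. */
double cvss2_base(const char *vector) {
    double m[6];
    if (cvss2_parse(vector, m) != 0) return -1.0;
    double imp = cvss2_impact(m);
    double raw = (0.6 * imp + 0.4 * cvss2_exploitability(m) - 1.5) * cvss2_f_impact(imp);
    return (double)(long)(raw * 10.0 + 0.5) / 10.0;   /* raw is never negative in v2 */
}

/* NVD severity bands for v2 base scores: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0. */
const char *cvss2_severity(double base) {
    return base >= 7.0 ? "High" : base >= 4.0 ? "Medium" : "Low";
}
```

For example, `cvss2_base("AV:N/AC:L/Au:N/C:C/I:C/A:C")` yields 10.0 (High) and the same impact reachable only locally, `AV:L/AC:L/Au:N/C:C/I:C/A:C`, yields 7.2.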



Validating Scan Results
False positives

Documented exceptions

Informational results

Reconciliation with other data



Identify False Positives

False positives with vulnerability scanners are frustrating because the effort
required to remediate a suspected issue might be resource intensive.
Identify Exceptions
Exceptions exist on your networks, no matter how you try to avoid them. The
software that monitors your network is sometimes generalist in nature, so it is up
to your organization to put in compensating controls to fix those problems.



Continuous Monitoring
Even though continuous monitoring has been a part of the information security lexicon for several
years now, many security professionals are still wondering how to get started: What technologies
typically make up continuous monitoring infrastructure? What steps should you take to successfully
implement these types of security controls organization-wide?
Before implementing a model with specific technologies, you and your team should set high-level goals
and plan to achieve the following objectives with your continuous monitoring approach:
Measurement of security posture
Identification of deviations from expected control state
Visibility into asset condition
Automation wherever possible for evaluation and data reporting
Determination of ongoing controls' effectiveness
Facilitation of prioritized remediation activity
Alerting and audit support



Trend Analysis



Missing Patches



Unsupported Software



Buffer Overflows
A buffer overflow occurs when an attacker manipulates a program into placing more data into an area of memory
than is allocated for that program's use.
It may result in overwriting the instructions for other processes.
A buffer overflow condition exists when a program attempts to put more data in a buffer than
it can hold or when a program attempts to put data in a memory area past a buffer. In this case,
a buffer is a sequential section of memory allocated to contain anything from a character string
to an array of integers. (OWASP)
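As an added illustration (not from the slides or from OWASP): the unbounded copy that produces the condition described above, next to a bounded version that rejects input the buffer cannot hold and reports that to the caller. The function and buffer names and the sample inputs are invented for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The condition the slide describes: strcpy() copies until it meets a NUL byte and
 * never looks at the destination size, so any input of NAME_LEN bytes or more writes
 * past 'name' into whatever the compiler placed next to it on the stack. Kept for
 * contrast only; it is never called here and must not be given untrusted input. */
void store_name_unsafe(const char *src) {
    char name[NAME_LEN];
    strcpy(name, src);                       /* no length check at all */
    printf("stored: %s\n", name);
}

/* Hardened form: the destination size travels with the pointer, the copy is bounded,
 * and the caller is told when the input did not fit instead of the overflow going
 * unnoticed. Returns 0 on success, -1 if src plus its NUL would not fit; nothing is
 * written to dst in the failure case. */
int store_name_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) return -1;   /* would overflow: reject */
    memcpy(dst, src, n + 1);                 /* n + 1 copies the terminating NUL */
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    /* constructed inputs: one that fits, one of 32 'A's that would overflow */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("%-34s -> %d\n", ok, store_name_bounded(name, sizeof name, ok));
    printf("%-34s -> %d\n", too_long, store_name_bounded(name, sizeof name, too_long));
    return 0;
}
```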



Typical Attack Scenario



Buffer Overflow



Privilege Escalation
Privilege escalation seeks to increase the level of access that an attacker has to a targeted system.

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight
in an operating system or software application to gain elevated access to resources that
are normally protected from an application or user.
Example: Dirty COW (dirty copy-on-write).

The Dirty COW vulnerability, which remained hidden for nine years,
allows attackers to gain root access to Android devices and Linux systems.



Arbitrary Code Execution



Outdated SSL/TLS Versions



Insecure Cipher Use



Certificate Errors



DNS Issues



Internal IP Disclosure



SQL Injection



Cross-Site Scripting (XSS)



End of Chapter 6 Review
Vulnerability scanning is an inspection of the potential points of exploit on a computer or
network to identify security holes.
Continuous monitoring is a risk management approach to cybersecurity that maintains an
accurate picture of an agency's security risk posture, provides visibility into assets, and uses
automated data feeds to quantify risk, ensure the effectiveness of security controls, and
implement prioritized remedies.
