CIS 75E 071415 Slides 1 - Security

Vulnerability Analysis
Chapter 8: Identifying and Analyzing Threats,
Vulnerabilities, and Exploits
Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Review an organization’s historical data to identify past incidents from threats.
Vulnerability Analysis
Vulnerability analysis, sometimes called vulnerability scanning, is the act of
determining which security holes and vulnerabilities may be applicable to
the target network.
In order to do this, we examine identified machines within the target
network to identify all open ports and the operating systems and
applications the hosts are running (including version number, patch level,
and service pack).
In addition, we compare this information with several Internet vulnerability
databases to ascertain what current vulnerabilities and exploits may be
applicable to the target network.
Host-Based Vulnerability Analysis Tools
Also called policy checkers, these tools tell the security administrator
whether the settings on a computer are consistent with the organization's
security policies.
These tools check:
actual password policy usage
systems services available
unused accounts
auditing logs
similar security-related functions.
Host-Based Vulnerability Analysis Tools
This category of tools helps lock down critical systems by reporting deviations
from the expected configuration.
They perform security checks such as password checking, policy verification,
and file share status.
They check the configuration of services such as HTTP, FTP, and NFS, looking for
incorrect trust relationships (for example, exports or shares open to more hosts
or users than the policy allows).
Host-Based Vulnerability Analysis Tools
These programs can locate sniffers and backdoor programs on your systems
They can detect risky user behavior, such as:
Weak passwords
Remote control applications
Modems (which may not be authorized)
Sharing of hard drive/file sharing
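The three host-based checks the slides list (password policy usage, available services, unused accounts) can be expressed as a small policy checker. The script below is an added example, not code from the slides or from any of the products named later; the policy values, the shadow-style rows, the last-login table and the list of listening services are all constructed inline so it runs offline (on a real host you would read /etc/shadow, lastlog and the output of `ss -ltnp` instead).

```python
"""Added example (not from the slides): a minimal host-based policy checker.
All input data is constructed inline so the script runs offline; on a real
host you would read /etc/shadow, lastlog and the service manager instead."""
from dataclasses import dataclass

# Constructed policy; the thresholds are assumptions for this example.
POLICY = {
    "max_password_age_days": 90,
    "max_days_since_login": 60,
    "allowed_services": {"sshd", "ntpd", "rsyslogd"},
}

# Constructed /etc/shadow-style rows: name:hash:lastchg:min:max:warn:...
# An empty hash field means no password is required to log in.
SHADOW = """\
root:$6$examplehash:16700:0:90:7:::
alice:$6$examplehash:16500:0:99999:7:::
svc_backup::16000:0:90:7:::
bob:$6$examplehash:16650:0:90:7:::
"""

# Constructed lastlog-style data: user -> days since last login (None = never).
LAST_LOGIN = {"root": 1, "alice": 3, "svc_backup": None, "bob": 200}

# Constructed set of listening services (what `ss -ltnp` would show).
RUNNING_SERVICES = {"sshd", "ntpd", "telnetd", "rsyslogd"}


@dataclass(frozen=True)
class Finding:
    check: str
    subject: str
    detail: str


def check_shadow(shadow_text, policy):
    """Flag passwordless accounts and password ageing weaker than policy."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, pw_hash, max_age = fields[0], fields[1], fields[4]
        if pw_hash == "":
            findings.append(Finding("empty-password", user,
                                    "account has no password set"))
        # 99999 is the conventional 'never expires' value.
        if max_age == "" or int(max_age) > policy["max_password_age_days"]:
            findings.append(Finding("password-aging", user,
                                    f"max age {max_age or 'unset'} exceeds policy"))
    return findings


def check_unused_accounts(last_login, policy):
    """Flag accounts that never logged in or exceeded the idle threshold."""
    findings = []
    for user, days in last_login.items():
        if days is None or days > policy["max_days_since_login"]:
            detail = "never logged in" if days is None else f"{days} days since login"
            findings.append(Finding("unused-account", user, detail))
    return findings


def check_services(running, policy):
    """Flag listening services that are not on the allowed list."""
    return [Finding("unauthorized-service", svc, "not in allowed list")
            for svc in sorted(running - policy["allowed_services"])]


def run_all(shadow_text=SHADOW, last_login=LAST_LOGIN,
            running=RUNNING_SERVICES, policy=POLICY):
    return (check_shadow(shadow_text, policy)
            + check_unused_accounts(last_login, policy)
            + check_services(running, policy))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

On the constructed data this reports five findings: a non-expiring password for alice, a passwordless service account that has never logged in, an idle account for bob, and an unauthorized telnetd listener.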
Nmap
Nmap
Nmap ("Network Mapper") is a free open source utility for network exploration or
security auditing. It was designed to rapidly scan large networks, although it
works fine against single hosts.
Nmap uses raw IP packets in novel ways to determine what hosts are available
on the network, what services (application name and version) those hosts are
offering, what operating systems (and OS versions) they are running, what type
of packet filters/firewalls are in use, and dozens of other characteristics.
Port scanning is used to determine what ports (or similar protocol abstraction) of
a host are listening for connections. These ports represent potential
communication channels.
Mapping their existence facilitates the exchange of information with the host,
and thus it is quite useful for anyone wishing to explore their networked
environment, including hackers.
Nmap
A typical Nmap scan uses only a few arguments: -A, which enables OS detection,
version detection, script scanning, and traceroute; -T4 for faster execution; and
then the target hostnames.
Nmap Features
Flexible: Supports dozens of advanced techniques for mapping out networks
filled with IP filters, firewalls, routers, and other obstacles.
This includes
many port scanning mechanisms (both TCP & UDP)
OS detection
version detection
ping sweeps
Powerful: Nmap has been used to scan huge networks of literally hundreds
of thousands of machines
Portable: Most operating systems are supported, including Linux, Microsoft
Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD,
Sun OS, Amiga, and more.
Port Scanning
• Learning remote OS versions can be an extremely valuable part of network
reconnaissance, since many security holes depend on the OS version.
• For instance, if you do a penetration test and find port 53 open, you could
check whether the host is running a vulnerable version of BIND.
• Nmap's most fundamental feature is port scanning.
Point Nmap at a remote machine, and it might tell you that ports 25/tcp, 80/tcp,
and 53/udp are open. Using its nmap-services database of more than 2,200
well-known services, Nmap would report that those ports probably correspond
to a mail server (SMTP), web server (HTTP), and name server (DNS)
respectively. The port-to-service mapping is only a guess; version detection
(-sV) sends probes to the service itself to confirm what is really listening.
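The vulnerability-analysis workflow from the start of the chapter (enumerate open ports and service versions, then compare them against a vulnerability database) can be scripted on top of Nmap's XML output (-oX). The script below is an added example, not code from the slides or the Nmap project. The scan XML, the product names (DemoFTP, ExampleHTTPd, DemoDNS) and the advisory table with its version ranges and IDs are constructed placeholders for this example and do not describe any real vulnerability.

```python
"""Added example (not from the slides or the Nmap project): parse Nmap XML
output for open ports with detected product/version, then match them against
a local advisory table. Scan XML, product names and advisory entries are
constructed for this example and are not real vulnerabilities."""
import re
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for one host (fictional products).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="DemoFTP" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="ExampleHTTPd" version="1.8.2"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered"/>
        <service name="https"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open"/>
        <service name="domain" product="DemoDNS" version="9.1.0"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed advisory table: (product, first affected, first fixed, id).
# Versions are compared as integer tuples; 'fixed' is exclusive.
ADVISORIES = [
    ("DemoFTP",      (2, 0, 0), (2, 3, 5), "EXAMPLE-ADV-0001"),
    ("ExampleHTTPd", (1, 8, 0), (1, 8, 2), "EXAMPLE-ADV-0002"),  # 1.8.2 is fixed
    ("DemoDNS",      (9, 0, 0), (9, 2, 0), "EXAMPLE-ADV-0003"),
]


def parse_version(text):
    """Turn '2.3.4' or '1.2.3p1' into (2, 3, 4) / (1, 2, 3).
    Only the leading digits of each dotted component are kept."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_open_services(xml_text):
    """Yield (addr, proto, port, product, version) for every open port."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to assess
            svc = port.find("service")
            yield (addr, port.get("protocol"), int(port.get("portid")),
                   svc.get("product"), svc.get("version"))


def match_advisories(services, advisories=ADVISORIES):
    """Return (addr, port/proto, product, version, advisory_id) hits."""
    hits = []
    for addr, proto, port, product, version in services:
        if not product or not version:
            continue  # nothing to compare against; needs manual follow-up
        v = parse_version(version)
        for adv_product, first, fixed, adv_id in advisories:
            if adv_product == product and first <= v < fixed:
                hits.append((addr, f"{port}/{proto}", product, version, adv_id))
    return hits


def scan_report(xml_text=NMAP_XML):
    return match_advisories(list(parse_open_services(xml_text)))


if __name__ == "__main__":
    for addr, port, product, version, adv in scan_report():
        print(f"{addr} {port} {product} {version}: {adv}")
```

Note the two ways a match is deliberately not reported: a filtered port has no service to assess, and a service without a detected version cannot be compared, so it is left for manual follow-up rather than silently counted as safe.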
Nmap in the News
US President George W. Bush visited the NSA headquarters at Fort Meade in
January 2006. Pictures were printed in the February 6, 2006 edition of
Newsweek and the January 27 Washington Post. A wall-sized status screen in the
background displays the latest versions of open source tools, including Nmap,
Snort, Ethereal, Kismet, and Metasploit.
http://www.insecure.org/nmap/images/wash-post-nsa.jpg
Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is a software tool released by
Microsoft to determine security state by assessing missing security updates
and less-secure security settings within Microsoft Windows, Windows
components such as Internet Explorer and the IIS web server, and products such
as Microsoft SQL Server and Microsoft Office (macro settings).
Security updates are determined by the current version of MBSA using the
Windows Update Agent present on Windows computers since Windows 2000
Service Pack 3.
The less-secure settings, often called Vulnerability Assessment (VA) checks,
are assessed based on a hard-coded set of registry and file checks.
MBSA 2.3 is the latest version of Microsoft’s free security and vulnerability
assessment scan tool for administrators, security auditors, and IT
professionals.
Microsoft Baseline Security Analyzer
In November 2013 MBSA 2.3 was released. This release adds support for
Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012
R2.
How To: Use the Microsoft Baseline Security Analyzer
https://msdn.microsoft.com/en-us/library/ff647642.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=7558
GFI LANguard™
GFI LANguard
GFI LANguard™ is the award-winning network and security scanner used by over
20,000 customers. GFI LANguard scans your network and ports to detect, assess
and correct security vulnerabilities with minimal administrative effort.
(Vendor text.)
As an administrator, you have to deal separately with problems related to
vulnerability issues, patch management and network auditing, at times using
multiple products. With GFI LANguard these three cornerstones of
vulnerability management are addressed in one package. It gives you a
complete picture of your network set-up and helps you to maintain a secure
network state faster and more effectively.
http://www.gfi.com/
GFI LANguard
Vulnerability Management
GFI LANguard performs network scans using vulnerability check databases
based on OVAL and SANS Top 20, providing over 15,000 vulnerability
assessments when your network, including any virtual environment, is
scanned.
GFI LANguard allows you to analyze the state of your network security and
take action before it is compromised.
The latest version detects machines that are vulnerable to infection by the
Conficker worm as well as identifying machines that have been infected.
GFI LANguard
Patch Management
When a network scan is complete, GFI LANguard’s Patch Management gives
you what you need to effectively deploy and manage patches on all machines
across different Microsoft operating systems and products in 38 languages.
Not only can you automatically download missing Microsoft security updates,
but you can also automatically deploy the missing Microsoft patches or service
packs throughout your network at the end of scheduled scans.
GFI LANguard
Network Auditing
GFI LANguard’s Network Auditing tells you all you need to know about your
network by retrieving hardware information on memory, processors, display
adapters, storage devices, motherboard details, printers, and ports in use.
Using baseline comparisons you can check whether any hardware was added
or removed since the last scan.
GFI LANguard will identify and report unauthorized software installations and
provide alerts or even automatically uninstall unauthorized applications.
OpenVAS
OpenVAS
OpenVAS is a vulnerability scanner that was forked from the last free
version of Nessus after Nessus went proprietary in 2005. It continues to
grow, with more than 23,000 tests as of November 2011. OpenVAS
plugins are written in the same NASL language used by Nessus.
http://sectools.org/tag/new/
OpenVAS (Open Vulnerability Assessment System, initially GNessUs) is a
framework of several services and tools offering a vulnerability scanning and
vulnerability management solution.
The actual security scanner is accompanied with a daily updated feed of
Network Vulnerability Tests (NVTs), over 20,000 in total (as of January
2011).
All OpenVAS products are Free Software. Most components are licensed
under the GPL.
The latest version is 4.0.0, released March 2011
Nessus®
Nessus
The Nessus® vulnerability scanner is the world-leader in active scanners,
featuring high-speed discovery, configuration auditing, asset profiling,
sensitive data discovery and vulnerability analysis of your security
posture. (Vendor quote)
Nessus scanners can be distributed throughout an entire enterprise,
inside DMZs and across physically separate networks.
Nessus is supported by a world renowned research team and has the
largest vulnerability knowledge base, making it suitable for even the most
complex environments.
Nessus
Nessus is one of the most popular and capable vulnerability scanners,
particularly for UNIX systems. It was initially free and open source, but
they closed the source code in 2005 and removed the free "Registered
Feed" version in 2008. It now costs $1,200 per year, which still beats
many of its competitors. A free “Home Feed” is also available, though it is
limited and only licensed for home network use.
Nessus is constantly updated, with more than 46,000 plugins. Key
features include remote and local (authenticated) security checks, a
client/server architecture with a web-based interface, and an embedded
scripting language for writing your own plugins or understanding the
existing ones. The open-source version of Nessus was forked by a group
of users who still develop it under the OpenVAS name.
http://sectools.org/tag/vuln-scanners/
Nessus
Nessus Licensing
Commercial organizations that use the Nessus vulnerability scanner must
purchase a ProfessionalFeed subscription to scan their network, obtain
support, updates to their database of vulnerability checks and compliance
auditing.
Each ProfessionalFeed costs $1,200 per year per Nessus scanner and
can be purchased from Tenable's ProfessionalFeed Partners or directly
from Tenable's E-commerce site.
Nessus Home Page: http://www.nessus.org/
Nessus
Tenable offers a hardened, web-based appliance for easy deployment and
operation of Nessus. The appliance is available to all ProfessionalFeed
subscribers as a VMware virtual image and also on a variety of hardware
appliances.
Run the demo below.
http://cgi.tenablesecurity.com/demos/NessusIntroduction/NessusIntroduction.html
Security Vulnerability Tool Survey
SecTools.Org: Top 125 Network Security Tools
For more than a decade, the Nmap Project has been cataloguing the network
security community's favorite tools. In 2011 this site became much more dynamic,
offering ratings, reviews, searching, sorting, and a new tool suggestion form. This
site allows open source and commercial tools on any platform, except those tools
that we maintain (such as the Nmap Security Scanner, Ncat network connector,
and Nping packet manipulator).
We're very impressed by the collective smarts of the security community and we
highly recommend reading the whole list and investigating any tools you are
unfamiliar with. Click any tool name for more details on that particular application,
including the chance to read (and write) reviews. Many site elements are
explained by tool tips if you hover your mouse over them. Enjoy!
http://sectools.org/vuln-scanners.html
http://sectools.org/
Show link to class
Web Application Vulnerability Scanners
Web Application Vulnerability Scanners
Web Application Vulnerability Scanners are tools designed to
automatically scan web applications for potential vulnerabilities.
These tools differ from general vulnerability assessment tools in that
they do not perform a broad range of checks on a myriad of software
and hardware.
Instead, they perform other checks, such as potential field
manipulation and cookie poisoning, which allows a more focused
assessment of web applications by exposing vulnerabilities of which
standard VA tools are unaware.
Web Application Vulnerability Scanners
Commercial tools
Acunetix WVS by Acunetix
AppScan DE by IBM/Watchfire, Inc.
Hailstorm by Cenzic
N-Stealth by N-Stalker
NTOSpider by NTObjectives
WebInspect by HP/SPI-Dynamics
WebKing by Parasoft
elanize's Security Scanner by Elanize KG
MileScan Web Security Auditor by MileSCAN Tech
Free/OpenSource Tools
Grabber by Romain Gaucher
Grendel-Scan by David Byrne and Eric Duprey
Nikto by Sullo
Pantera by Simon Roses Femerling (OWASP Project)
Paros by Chinotec
Spike Proxy by Immunity (Now as OWASP Pantera)
WebScarab by Rogan Dawes of Aspect Security (OWASP Project)
Wapiti by Nicolas Surribas
W3AF by Andres Riancho
Acunetix
Acunetix
Acunetix Web Vulnerability Scanner : Commercial Web Vulnerability Scanner
Acunetix WVS automatically checks your web applications for vulnerabilities
such as SQL Injection, cross site scripting, and weak password strength on
authentication pages. Acunetix WVS boasts a comfortable GUI and an ability
to create professional website security audit reports.
insecure.org evaluation: http://sectools.org/web-scanners.html
Home page: http://www.acunetix.com/
Acunetix
Automatically detects SQL injection, cross site scripting and other web
vulnerabilities
SQL injection is an attack technique that alters the SQL commands an
application sends to its database in order to gain access to the data. Cross
site scripting attacks allow an attacker to execute a malicious script in your
visitors' browsers. Acunetix Web Vulnerability Scanner can check whether your
web application is vulnerable to both of these attacks. (Vendor text; the
vendor's site has more information on SQL injection and cross site scripting.)
Other detected web vulnerabilities
CRLF injection attacks
Code execution attacks
Directory traversal attacks
File inclusion attacks
Authentication attacks
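What a web application scanner actually does for the SQL injection check described above (and for the "field manipulation" the earlier slide on web scanners mentions) is send crafted input and watch how the application responds. The script below is an added example, not code from the slides or from Acunetix: it builds a constructed login handler in two forms, one that concatenates user input into SQL and one that binds it as a parameter, then runs two scanner-style probes against each. The table contents, user names and probe strings are constructed; the database is an in-memory SQLite table so the script runs offline. XSS is not covered here.

```python
"""Added example (not from the slides or Acunetix): scanner-style SQL
injection probes run against a constructed login handler, shown in a
vulnerable form (string concatenation) and a hardened form (bound
parameters). Table contents are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, name, password):
    # String concatenation: attacker input becomes part of the SQL text.
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, name, password):
    # Parameterised query: input is bound as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Probes a scanner might send, as (name, password) pairs. A stray quote
# should provoke a syntax error from a vulnerable handler; the tautology
# in the password field should log in as a user whose password is unknown.
PROBES = {
    "syntax": ("nobody'", "x"),
    "tautology": ("nobody", "x' OR '1'='1"),
}


def probe(handler):
    """Return a dict of probe name -> observation for the given handler."""
    conn = make_db()
    results = {}
    for label, (name, password) in PROBES.items():
        try:
            ok = handler(conn, name, password)
            results[label] = "authenticated" if ok else "rejected"
        except sqlite3.Error:
            # A database error caused by our input is the classic
            # error-based injection signal.
            results[label] = "sql-error"
    return results


def is_injectable(handler):
    """A handler is flagged if either probe shows input reaching the parser."""
    obs = probe(handler)
    return obs["syntax"] == "sql-error" or obs["tautology"] == "authenticated"


if __name__ == "__main__":
    print("vulnerable:", probe(login_vulnerable), is_injectable(login_vulnerable))
    print("hardened:  ", probe(login_hardened), is_injectable(login_hardened))
```

The vulnerable handler shows both signals (an SQL error on the quote probe and a successful login on the tautology probe); the hardened handler simply rejects both, because the probe strings are compared as literal values. Real scanners add blind and time-based variants for applications that hide errors, but the decision logic is the same: a difference in behaviour attributable to the injected input.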
Acunetix
In-depth checking for SQL Injection, Cross Site Scripting (XSS) and other
vulnerabilities
Acunetix checks for the common web vulnerabilities, including SQL injection,
cross site scripting and others. SQL injection is an attack technique that
alters the SQL commands an application sends to its database in order to gain
access to the data. Cross site scripting attacks allow an attacker to execute a
malicious script in your visitors' browsers.
Detection of these vulnerabilities requires a sophisticated detection engine.
Paramount to web vulnerability scanning is not the number of attacks that a
scanner can detect, but the complexity and thoroughness with which the scanner
launches SQL injection, cross site scripting and other attacks. Acunetix has a
state of the art vulnerability detection engine which quickly finds
vulnerabilities with a low number of false positives. (Vendor text.)
Acunetix
Detects Google hacking vulnerabilities
Google hacking is the term used for an attacker trying to find exploitable
targets and sensitive data by entering queries in search engines. The Google
Hacking Database (GHDB) contains queries that identify sensitive data such as
portal logon pages, logs with network security information, and so on.
Acunetix launches all the Google hacking database queries against the crawled
content of your web site, to find any sensitive data or exploitable targets
before a "search engine hacker" does. The vendor describes the Google hacking
feature as a unique, industry-first feature.