Introduction to Vulnerability Scanning and Tools


One crucial phase in the penetration testing methodology is vulnerability scanning. This post goes through what it is and some of the tools you can use.


What is a Vulnerability Assessment?

Sounds fancy, doesn’t it? Hold your horses however! You won’t be seeing green text scrolling down your screen while you hack into the mainframe just yet.

So, what exactly is a vulnerability assessment? Well, it is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation.

In simpler terms, it means scanning the network for known security weaknesses and recognizing, measuring and classifying the vulnerabilities found in systems, networks and communication channels.

Additionally, it identifies, quantifies and ranks the vulnerabilities in a system that threats could exploit. It also assists security professionals in securing the network by identifying security loopholes before attackers can exploit them.

Many systems today can be exploited directly with little or no skill once a machine is discovered to have a known vulnerability.

A vulnerability assessment may be used to:

  • Identify weaknesses that could be exploited

  • Predict the effectiveness of additional security measures in protecting information resources from attack

  • Search network segments for IP-enabled devices and enumerate systems, operating systems and applications to identify vulnerabilities


How Does Vulnerability Scanning Work?

In short, scanners use a database of known vulnerabilities to check for weaknesses. The scanning platform or software checks the computer against the Common Vulnerabilities and Exposures (CVE) index and the security bulletins provided by the vendor.

Vulnerability scanners are capable of identifying a ton of information including:

  • The OS version running

  • IP and TCP/UDP ports listening

  • Apps installed

  • Accounts with weak credentials

  • Files and folders with weak permissions

  • Default services and apps that might have to be uninstalled

  • Errors in the security configuration of common apps

  • Computers exposed to known or reported vulnerabilities

  • Missing patches and hotfixes

  • Weak network configs and misconfigured/risky ports

Different scanners accomplish this through different means, and some work better than others. Some scanners look for signs such as registry entries in Windows to identify a specific patch or update, while others may attempt to exploit a vulnerability on the target device to confirm it.
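As an added illustration of the version-matching approach described above (this is not code from the post or from any of the tools listed), the following Python snippet matches constructed service banners against a constructed mini vulnerability index. The hosts, version ranges and identifiers are all placeholders, and the snippet also flags distribution-built services where banner-only matching is known to produce false positives that need human review.

```python
import re

# Constructed mini "CVE index" for the example: (product, first affected version,
# first fixed version, identifier). The identifiers are placeholders, not real CVEs.
VULN_DB = [
    ("openssh", (7, 4), (9, 3), "CVE-0000-0001 (placeholder)"),
    ("apache-httpd", (2, 4, 0), (2, 4, 58), "CVE-0000-0002 (placeholder)"),
]

# Constructed inventory, as a scanner's discovery phase would record it: host, port, banner.
INVENTORY = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"),
    ("10.0.0.7", 80, "Server: Apache/2.4.58 (Unix)"),
    ("10.0.0.9", 80, "Server: Apache/2.4.49 (Unix)"),
]

BANNER_PATTERNS = {
    "openssh": re.compile(r"OpenSSH_(\d+)\.(\d+)"),
    "apache-httpd": re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)"),
}

def parse_banner(banner):
    """Return (product, version tuple) from a service banner, or None if unrecognised."""
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            return product, tuple(int(x) for x in m.groups())
    return None

def match_vulns(product, version):
    """Version-based check: affected when first_affected <= version < first_fixed."""
    return [ident for p, first_affected, first_fixed, ident in VULN_DB
            if p == product and first_affected <= version < first_fixed]

def scan(inventory):
    """Return (host, port, identifier, needs_review) for every banner match."""
    findings = []
    for host, port, banner in inventory:
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unknown service: a false negative unless a signature is added
        product, version = parsed
        for ident in match_vulns(product, version):
            # Distribution builds (e.g. "Ubuntu-3ubuntu0.6") often backport fixes without
            # bumping the upstream version, so a banner-only match is a candidate for
            # human review rather than a confirmed vulnerability.
            needs_review = any(d in banner.lower() for d in ("ubuntu", "debian"))
            findings.append((host, port, ident, needs_review))
    return findings
```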

Some example tools are as follows:

  • Nessus

  • OpenVAS

  • Nexpose

  • GFI LAN Guard

  • Retina

  • Core Insight


Limitations of Vulnerability Assessments

The following are some limitations of a vulnerability assessment:

  • The software can only detect the vulnerabilities known to it at a given point in time

  • The software must be updated when new vulnerabilities are discovered

  • An assessment does NOT measure the strength of security controls

  • The scanner itself is not immune to software engineering flaws that might lead to it missing serious vulnerabilities

  • Human judgement is needed to analyze the data after scanning for false positives and false negatives


Vulnerability Scoring Systems and Databases

Vulnerabilities associated with network devices, servers and operating systems are well documented and are patched by vendors or the community.

There is a difference in the severity of various vulnerabilities. Some may present little opportunity for an attacker, whereas others allow for the complete takeover and control of a machine.

Scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities.

Vulnerability databases collect and maintain information about vulnerabilities present in systems, and scoring systems rate their severity. Some of these are:

  • Common Vulnerability Scoring System (CVSS)

  • Common Vulnerabilities and Exposures (CVE)

  • National Vulnerability Database (NVD)

  • Common Weakness Enumeration (CWE)

CVSS

The CVSS is an open standard used for assessing the severity of computer system security vulnerabilities. It is used to assign severity scores to vulnerabilities, allowing for prioritization of responses according to threats.

Scores are calculated by a formula from several metrics and range from 0 to 10, with 10 being the most severe.

CVSS has three main metric groups:

  • Base

  • Temporal

  • Environmental

The base metric group is the most important as it assesses the exploitability of the vulnerability and its impact. Each metric is scored from 1-10.

The CVSS score is calculated from a vector string, a block of text that records the value chosen for each metric in the group. The CVSS calculator ranks the vulnerability and gives the user the overall severity and risk related to it.

An example is:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

This vector is written for CVSS version 3.1 and covers the base metric group, looking at each variable within it. These are:

  • Access Vector (AV) – how an attacker would exploit the vulnerability, e.g. Network, Adjacent, Local or Physical

  • Access Complexity (AC) – how difficult it is to exploit the vulnerability, e.g. None, Low or High

  • Privileges Required (PR) – the level of access required to exploit the vulnerability, e.g. None, Low or High

  • User Interaction (UI) – whether user interaction is required for success, None or Required

  • Scope (S) – the ability for a vulnerability in one software component to impact resources in another, Changed or Unchanged

  • Confidentiality (C) – type of information disclosure that could occur should an attacker exploit the vulnerability. None, Low or High

  • Integrity (I) – type of information alteration that could occur should an attacker exploit the vulnerability. None, Low or High.

  • Availability (A) – type of disruption that could occur should an attacker exploit the vulnerability. None, Low or High.

CVE

CVE is a publicly available and free to use list of standardized identifiers for common software vulnerabilities and exposures. It ensures confidence among parties when discussing or sharing information about a unique software or firmware vulnerability.

CVE provides a baseline for tool evaluation and enables data exchange for automation. CVE IDs provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are the most effective and appropriate for their organization’s needs.

A CVE is one identifier for one vulnerability or exposure. There is one standardized description for each vulnerability or exposure. It is more of a dictionary than a database.

CVEs also allow a method for disparate databases and tools to speak the same language.

NVD

The NVD is a US government repository of standards-based vulnerability management data. It includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

NVD performs an analysis on CVEs that have been published to the CVE dictionary. They do NOT actively perform vulnerability testing. Instead, they rely on third parties to provide information.

CWE

CWE is a community-developed list of software and hardware weakness types. It includes almost 900 categories of weaknesses, so it is often employed as a baseline for weakness identification, mitigation and prevention.


Common Vulnerabilities

Typical examples of vulnerabilities can be classified based on the type of device being tested:

  • Endpoint vulnerabilities

  • Network vulnerabilities

  • Web application vulnerabilities

Brief explanations of some of them are as follows:

Buffer Overflows

Applications run their code within a limited amount of memory allocated to them. Buffer overflows occur when a program is manipulated into placing more data into an area of memory than was allocated for it.

This allows an attacker to access certain areas of memory where malicious code could be run. Buffer overflow vulnerabilities are responsible for many attacks.

Arbitrary Code Execution

This allows attackers to run malicious software in the target system. If allowed through a remote connection, it is extremely dangerous. An infamous example is the MS08-067 vulnerability which could allow remote code execution if an affected system received a specially crafted RPC request.

Injection Attacks

These occur when a malicious user can send commands via a web server to a backend system, bypassing security controls and fooling the backend into believing the request came from the server.

The most common example is SQL injection. Generally, it works by allowing a user to send malicious SQL queries to a database running on the backend. It is caused by missing or improper input validation controls.

Cross Site Scripting

This is a common web vulnerability that allows a user to insert malicious code that is executed by a visitor accessing the page.

The aim is to trick a visitor into accessing a legitimate web site and executing malicious code placed there by a third party.

Privilege Escalation

This is an attempt by an attacker to increase the level of access they have on a target system. It is a typical scenario in many attacks.

Often, attackers find themselves on a target machine with only user-level access. Increasing that level becomes a priority, as it would allow them to run malicious software on the system.

A popular privilege escalation vulnerability was discovered in 2016 and it was named DirtyCOW. This was present in Linux for 9 years and allowed for attackers to gain administrative rights easily.

Missing Patches

One of the main objectives of vulnerability scanning is to identify those devices in the network that have well-known vulnerabilities that can be fixed by software patches.

Unfortunately, while this should be a routine task, it is often neglected, frequently due to a lack of resources. The consequence is that organizations are often running unpatched servers and workstations and as such are easy targets for attackers.

In addition to that, many companies may still be running unsupported operating systems such as Windows XP. As such, they are at significant risk of attack.

Insecure Protocol Use

Using older protocols in a network presents a major security flaw. The original protocols of the TCP/IP suite were designed without security in mind and therefore allow access to plaintext data traversing a network.

Typical examples include HTTP, FTP and Telnet.

Zero-Day Vulnerabilities

A zero-day refers to a flaw in software that is unknown to the creator/vendor/developer. If identified by a hacker, the security hole can be exploited even before the vendor becomes aware of it.

In short, the defender has “zero-days” to prepare and try to mitigate the attack.


OWASP Top 10

The OWASP Top 10 is a list of the most common web application vulnerabilities by type. It was most recently updated in 2021.

Some of the top 10 in further detail:

Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.

Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Cross Site Scripting

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.

XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
