PART 1 Planning and Information Gathering
Chapter 4 Vulnerability Identification
EXAM OBJECTIVES
»» Understanding vulnerabilities in your targets
»» Performing vulnerability scans and analyzing results
»» Mapping vulnerabilities to exploits
»» Learning the types of weaknesses in specialized systems

After performing active and passive reconnaissance, the next step in phase two of the CompTIA PenTest+ penetration testing process is vulnerability identification. In this step, you scan targets for vulnerabilities. Once you understand the vulnerabilities that exist within your targets, you can focus on using them to exploit the systems, which is phase three of the penetration testing process. But let's not get ahead of ourselves. In this chapter, we look at the vulnerability discovery process to follow when performing a penetration test.

Vulnerability scanning is often described as a passive assessment because you are not trying to exploit the system; you are only looking to identify the weaknesses within it. Keep in mind that "passive" here is relative to exploitation: a vulnerability scanner sends thousands of probes to each target, shows up in the target's logs and in any intrusion detection system watching the network, and (as discussed later in this chapter) can disrupt fragile systems.

Understanding Vulnerabilities

A vulnerability is a weakness within a system that can be discovered and exploited in order to compromise the security of the system and potentially gain full access to it.

A number of vulnerability testing tools automate vulnerability assessment across multiple systems by performing a vulnerability scan. The purpose of the vulnerability scan in the penetration testing process is to report on these vulnerabilities and give recommendations on how to fix or remediate them. As a penetration tester, you perform vulnerability scans to identify vulnerabilities so that you can then focus on exploiting them to gain access to the systems.

Types of vulnerability scans

A number of considerations need to be made when performing a vulnerability scan, such as the type of credentials you should use and what type of scan you should perform. Several different types of scans can be performed, and each serves a different purpose.

When you perform a scan with a vulnerability scanning tool, you generally select the type of scan (also known as the scanning method) by choosing a scan template. Figure 4-1 shows the scan templates, and thus scan types, you can choose in the Nessus vulnerability scanner.

FIGURE 4-1: Choosing a vulnerability scan type in Nessus.

Following is a list of some of the common vulnerability scan types offered by scanning software:

»» Discovery scan: A discovery scan is used to discover systems on the network by performing a ping scan and then a port scan on those targets to find open ports. A discovery scan is not a full vulnerability scan that looks for vulnerabilities; it is used to find systems on the network and build the target list for the scans that follow.

»» Full scan: Considered an aggressive scan, a full scan performs many different tests to identify vulnerabilities in the system. For example, the scanner uses a large number of plug-ins to perform different types of vulnerability checks, such as checking for security issues with Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP) services, checking for SUSE Linux and Ubuntu security issues, and checking for web server and Windows vulnerabilities, to name a few.

»» Stealth scan: If the organization that hired you to perform the penetration test does not want to inform its security team of your presence, you may want to perform what is known as a stealth scan. With a stealth vulnerability scan, great effort is put into the scanning techniques to avoid detection by the security team. Some of the techniques used are randomizing the order in which the IP range and the port list are scanned rather than walking them sequentially, slowing the scan down so it does not stand out against normal traffic, and spreading the scan across multiple source IP addresses. Be realistic about what this buys you: a full vulnerability scan is inherently noisy, and these techniques reduce the chance of detection rather than eliminate it.

»» Compliance scan: If your organization is governed by regulations because of the industry it is in or its business practices, you may have to perform vulnerability scans on a regular basis to show compliance with those regulations. For example, any organization storing, processing, or transmitting credit card data must follow the Payment Card Industry Data Security Standard (PCI DSS) requirements for vulnerability scans. These requirements include the following:
   Both internal and external scans must be performed.
   External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV).
   Vulnerability scans must be run at least quarterly and after any significant change to the environment.
   If the scan finds vulnerabilities that the standard requires you to fix, they must be remediated and a new scan performed to validate that the remediation has removed the vulnerability.

The PenTest+ certification exam objectives make reference to a TCP connect scan as a vulnerability scan. You can perform a TCP connect scan with the nmap -sT command. (For more about TCP connect scans, see Chapter 3.) Note that many vulnerability scanners, such as Nessus, also allow you to do a TCP connect port scan on the target system to identify open ports and the service behind each of them.

Credentialed versus non-credentialed scans

When performing a vulnerability scan on the target systems, you should perform the scan multiple times: at least once as an anonymous user (a non-credentialed scan) and once as a user with administrative credentials (a credentialed scan).
The reason for this is that you want two different views of the system: what an unknown outsider would see if that person ran a vulnerability scan, and what an administrator would see.

When performing the vulnerability assessment as a non-credentialed user (someone not logged on to the system), you are going to see limited information, because retrieving the configuration of a system typically requires administrative access to it. As a non-credentialed user you will be able to see some of the vulnerabilities, such as open ports and perhaps missing patches that can be detected over the network, but you will not see information such as the configured password policy, group membership, and other configuration settings that a vulnerability scanner can retrieve when it is allowed to log on.

You could instead perform the vulnerability scan as a credentialed user, meaning the scanner logs on using a user account on the system, whether an administrative or a non-administrative account. If you perform the vulnerability assessment with an administrative account, you get as much information as possible about the configuration of the system, including vulnerabilities related to user accounts (having an account called "administrator"), group membership (having too many users in the administrators group), missing patches, and password policy configuration settings. The exact details depend on the vulnerability scanner you use. Treat the scan credentials themselves as a sensitive asset: they are usually administrative, they are stored in the scanner, and the scanner presents them to every host in the target list. Use a dedicated scanning account, scope it to the systems in the engagement, and disable or rotate it when the test is over.

For the PenTest+ certification exam, remember that an unauthenticated (non-credentialed) scan lets the pentester discover what an attacker without an account would see; however, it is also important to remember that an unauthenticated scan does not collect as much detail as a scan that logs on with a credentialed account that has administrative privileges.

Application scans

Not only are there vulnerability scanners for systems, there are also scanners for applications.
These application vulnerability scanners are designed to analyze an application and report security issues with it, either in its code or in how it behaves. Application scanning tools can be used to perform an audit on an application. There are two types of application audit tools:

»» Dynamic analysis: A dynamic analysis tool assesses vulnerabilities in an application by analyzing the behavior of the application while it is running. It is important to note that with dynamic analysis you are not reviewing the source code, but how the application responds to the input the tool sends it. Dynamic code analysis is typically performed in a black-box penetration test.

»» Static analysis: For a static analysis, you are given the source code of the application and you review the code, looking for vulnerabilities in the way the application is written. You can perform the code review manually or automate it with a static code analysis tool. Static analysis is typically performed in a white-box penetration test, and you do not run the application code.

For the PenTest+ certification exam, remember that dynamic analysis tools monitor the behavior of the software while it is running, while static analysis tools analyze the code of the application without running the software.

CONTAINER SECURITY AND VIRTUALIZATION

Many organizations today take advantage of virtualization technology, which enables an organization to share the hardware resources of a single system (such as RAM, CPU, and disk space) among virtual machines running on that system. Each virtual machine is an emulated computer that runs its own operating system and applications but uses the hardware of the real computer (known as the host system). The benefit of virtualization is that you are able to run separate systems on one physical system, making better use of resources without needing multiple physical computers.

A related technology is containers. A container is like a virtual machine except that it does not run its own operating system kernel: the container shares the host's kernel and hardware and packages only the application and the libraries it needs, giving it a much smaller footprint. The flip side is that a kernel vulnerability on the host affects every container running on it, and a vulnerability found in a container is usually really a vulnerability in the image it was built from, so it recurs in every container started from that image.

When performing a vulnerability scan of systems on a network, be aware that some systems may be running in virtual machines or containers. Depending on the configuration of the virtualization environment, you may not be able to communicate with some of the virtual machines and containers if they are not connected to the network you are scanning. Administrators may have the virtual machines configured to network with one another but not with the real network, which means your scan would not discover those virtual machines and their vulnerabilities. In this scenario, you may have to connect your own virtual machine to the private virtual network in order to do a vulnerability scan, or use a vulnerability scanner that can have an agent installed in the virtual machines to be scanned.

Vulnerability scan considerations

As a penetration tester, you must make a number of considerations when planning your vulnerability scan. In this section, you learn some of the most important ones and why they matter to the penetration tester.

Timing of the scans

When planning the scope of the penetration test, and specifically the vulnerability scan, it is important to pick the optimum time to perform the scan. A vulnerability scan puts stress on the network and the systems being tested, so run it at a time when users will not experience the negative effects. At the same time, make sure that the systems and devices that need to be tested are available on the network when you run the vulnerability scan; a scan window outside business hours is useless if the workstations you need to assess are powered off then.
Protocols used

When performing a vulnerability scan, you typically choose the types of vulnerabilities to check for, such as SMTP, SNMP, or web server vulnerabilities. It is important to understand the protocols and applications the organization uses so that you can enable the appropriate plug-ins to detect vulnerabilities in those protocols, and so that you do not spend scan time on checks for services the organization does not run.

Network topology

When performing a vulnerability scan, you should have a network topology diagram to help you understand where your target systems exist. As a penetration tester you typically perform your own discovery of targets as well. Many vulnerability scanners have host discovery features that can help locate devices on the network and build a network topology for you. Understanding the topology of the customer's network ensures that you do not scan network segments that are outside the scope of the penetration test. For example, the customer may want the main network scanned but not any of the remote networks or branch offices.

Bandwidth limitations

When scoping the vulnerability scan, determine whether there are any limitations on bandwidth, because the vulnerability scan generates a lot of network traffic. If there are bandwidth limitations, check whether there are specific times of day that have more bandwidth available for the scan, as you could impact business operations if you over-consume the network bandwidth of critical systems. Be especially careful with targets reached over WAN or VPN links, where the scanner's traffic competes with the business's own.

Query throttling

One of the techniques used to ensure that your vulnerability scan does not overload the systems and network is to throttle the queries sent by the vulnerability scanner. To "throttle the queries" means to reduce (or increase) the frequency of the requests coming from the scanner and how many hosts and ports it checks in parallel. This ensures that the systems are not overburdened with a large number of queries at once, but it also increases the time it takes to complete the vulnerability scan.

Fragile systems/non-traditional assets

When performing the penetration test, be aware of fragile systems and non-traditional systems connected to the network, such as Internet of Things (IoT) devices and other embedded equipment. A vulnerability scan can have a negative effect on a fragile system or IoT device, such as causing it to become unresponsive or even crash during the scan. It is common practice to create a test system from an image of the production system and perform trial runs on the test system to see how it responds.

It is common for companies to be running older, unsupported operating systems because the system runs a critical application that is not compatible with newer operating systems. Because these systems are most likely unpatched, they may be less stable when scanned. As a pentester, it is important to identify those systems before scanning them so that you can perform test scans on non-production copies, or agree with the customer to exclude them from automated scanning and assess them manually.

Performing a Vulnerability Scan

Now that you understand some of the different types of vulnerability scans and some of the considerations to make when performing one, let's take a look at how to perform a vulnerability scan.

We'll perform a vulnerability scan using Nessus (www.tenable.com/products/nessus), a vulnerability scanner from Tenable that you can use to scan systems and networks and identify vulnerabilities on the hosts on the network. Note that Nessus is a commercial product, not open source: Tenable closed its source in 2005, and the Nessus Essentials edition used in this chapter is free to use but not open source. If you need an open-source scanner, OpenVAS (which began as a fork of the last open-source Nessus release) is the usual choice; the Qualys Community Edition is another free, though likewise not open-source, alternative. Our focus will be on Nessus, however, as it is one of the more common vulnerability scanners and one you are expected to know for the PenTest+ certification exam.
Installing Nessus

The first step to using Nessus is to install it. Nessus offers two editions: Nessus Professional and Nessus Essentials. Nessus Professional is a paid commercial edition that enables you to scan an unlimited number of IP addresses, external or internal. Nessus Essentials is a free, non-commercial edition that enables you to scan up to 16 IP addresses.

For this walk-through, we download the Essentials edition. To download Nessus, follow these steps:

1. From Kali Linux, start Firefox (first button on the toolbar on the left) and navigate to https://www.tenable.com/products/nessus.
2. Under the Nessus Essentials category, click the Download button.
   You are prompted for registration information such as your name and email address. This is the email address Tenable sends the activation code to.
3. Fill in the form and click Register.
4. Click the Download button to download Nessus Essentials.
5. Locate the download link for the AMD64 version for Debian/Kali Linux, as shown in Figure 4-2, and click the link to download it.

FIGURE 4-2: Download the 64-bit Kali Linux edition.

6. In the pop-up menu that appears, choose Save File and then click OK.
   You can check the progress of the download by clicking the Downloads button in the top-right corner of the toolbar.
7. While the file is downloading, check your email for the activation code and record it; you need it in step 15.
8. After the file has been downloaded, launch a terminal window and type the following commands:
   cd Downloads
   ls -al
   You should see the Nessus package that was downloaded. Before installing it, compare the file's SHA-256 checksum with the one Tenable publishes beside the download link. You are about to install this package as root, so make sure it is the package Tenable built and not a corrupted or tampered copy.
9. To install Nessus Essentials, type the following command (where x.x.x is the version number of your specific download), as shown in Figure 4-3:
   dpkg -i Nessus-x.x.x-debianx_amd64.deb
   After the installation has completed, instructions appear at the bottom of the screen that tell you how to start the Nessus service (nessusd) and then to go to a browser and navigate to https://localhost:8834 to use Nessus. First, let's check whether Nessus is running.

FIGURE 4-3: Installing Nessus on Kali Linux.

10. Type the following command to confirm that Nessus is currently stopped (not running):
    service nessusd status
11. To start Nessus and then check its status, use the following commands, as shown in Figure 4-4:
    service nessusd start
    service nessusd status
12. Now that Nessus is running, switch to the web browser and go to https://127.0.0.1:8834 to use the web interface of Nessus. A fresh install uses a self-signed TLS certificate, so the browser warns you about the connection; that is expected here. The web interface then asks which edition of Nessus you would like to use.

FIGURE 4-4: Starting the Nessus daemon.

13. Select Nessus Essentials and then click Continue.
    You are then asked for your name and email information so that an activation code can be sent to you.
14. Enter your information and then click Email. If you already have an activation code, click the Skip button.
15. Enter the activation code for Nessus Essentials that was sent to your email address (see Figure 4-5).
    You then need to create an administrator account for Nessus that you will use to log on to it.
16. Enter the username and password you wish to use to log on and run Nessus. I set mine to the following:
    Username: administrator
    Password: Pa$$w0rd
    Choose a strong, unique password for this account in a real engagement: by default the Nessus web interface listens on TCP port 8834 on all of the scanner's interfaces, and anyone who logs on as this user can read every scan result and launch scans with any credentials you have stored in Nessus.
    Setup then downloads and compiles the plug-ins, which are used to scan for different types of vulnerabilities. This takes quite a bit of time, so do not close or reboot the system.
After the initialization phase, you see a Welcome to Nessus Essentials screen that asks you to enter the IP addresses of hosts to discover on the network.

17. We are not going to do a discovery scan at this time, so click the Close button.

FIGURE 4-5: Entering the activation code for Nessus.

Running Nessus

Now that you have Nessus installed and running, you are ready to perform vulnerability scans on hosts on the network. Remember that the Nessus Essentials edition is limited to 16 hosts, as it is intended for personal and educational use. If you don't have Nessus running, launch it now.

After Nessus starts, notice at the top of the Nessus main screen there are two tabs, Scans and Settings, as shown in Figure 4-6.

»» Scans: The Scans page lets you see your past vulnerability scans and run a new scan.
»» Settings: The Settings page lets you modify the configuration of Nessus, such as the number of hosts and ports that are scanned at the same time. This is where you modify settings to improve the performance of the scan or to throttle it.

FIGURE 4-6: The Nessus main screen.

Follow these steps to run a vulnerability scan on a system:

1. In the top-right corner of the screen, click the New Scan button.
   A list of scan templates appears, as shown in Figure 4-7. Each template represents a different type of scan that uses different plug-ins to perform the scan.

FIGURE 4-7: Choosing a scan template.

   Following are some common types of scans you can do with Nessus:
   Host discovery: The host discovery template is used to discover live systems on the network and open ports on those systems.
   Basic network scan: The basic network scan template performs a vulnerability scan on systems using default settings and pre-defined plug-ins that determine the types of checks the scan does.
   Advanced scan: The advanced scan template is similar to the basic network scan, but it lets you customize which plug-ins the scan uses (and therefore which vulnerabilities it checks for).
   Malware scan: The malware scan template scans remote Windows and Linux systems to see whether malware is present on them.
   Web application tests: The web application tests template is used to assess common vulnerabilities found in websites.
   Internal PCI network scan: This template is an example of a compliance template you can use if your organization must perform vulnerability scans to satisfy regulatory requirements. The Internal PCI Network Scan template is designed to perform vulnerability scans that meet the PCI DSS internal scanning requirement.

2. Choose Advanced Scan as the template.
3. In the New Scan page, fill in the name of the scan, description, and targets as follows:
   Name: First Scan
   Description: My first vulnerability scan
   Targets: IP address of the target system to scan
4. Click the Credentials tab at the top of the screen.
   The Credentials tab, shown in Figure 4-8, is where you add the usernames and passwords you would like Nessus to use to connect to remote systems (credentialed scans). It is important to run the scan without credentials to see what an attacker would see, and then run another scan with administrative credentials to retrieve as much detail about the system as possible. This gives you the two perspectives discussed earlier in this chapter.

FIGURE 4-8: Credentials can be supplied to perform a scan within a security context.

   For example, to add the credentials of an administrator account for Windows, you would click the link button that appears next to the Windows option. A screen then asks you for the username and password to use to connect to Windows systems. In this example, we are not going to supply credentials.
5. Click the Plugins tab at the top of the screen.
   A plug-in is a software component that checks for a certain type of vulnerability on a system; the Plugins tab groups them into families. For example, there are web server plug-ins that check for common vulnerabilities on web servers. The important point here is that if you know your target is a certain type of system, you can speed up the vulnerability scan by disabling plug-in families that cannot apply to the target. For example, if the target is a Windows system, there is no point in running plug-ins for Linux or Unix. To disable a plug-in family, you simply click its green Enabled button, and it toggles to Disabled. Note in Figure 4-9 that I have the AIX Local Security Checks plug-in disabled.

FIGURE 4-9: Plug-ins specify the types of checks to perform.

6. Once you have ensured the correct plug-ins are enabled or disabled, click the Save button.
   After the scan has been created, you should see it in the list of scans.
7. To run the scan, click the Launch button that appears to the right of the scan (it looks like a play icon).
   After launching the scan, you should see two green arrows moving in a circle to show that the scan is currently running. Wait until the scan completes.
8. Once the scan has completed, view the scan results by clicking the scan.
   We take a look at the scan results in "Analyzing Vulnerability Results" later in this chapter.

For the PenTest+ certification exam, remember that Nessus and OpenVAS are examples of vulnerability scanners that look for vulnerabilities on a system or network. Of the two, only OpenVAS is open source; Nessus is a commercial product with a free Essentials edition.

Using other vulnerability scanners

When you look at the scan templates available within Nessus, you may notice that there is a template to test for common vulnerabilities on a web server. When it comes to assessing the security of web servers, two additional tools can be used as well: Nikto and SQLmap.
Nikto

Nikto (https://tools.kali.org/information-gathering/nikto) is a web server vulnerability scanner that comes with Kali Linux. It is a command-line tool that can be used to assess the security of the websites that are in the scope of the penetration test: it checks for dangerous files and directories, outdated server software, and common server misconfigurations. To get the full list of Nikto's parameters, use the nikto -H command. To scan a site, use a command like the following:

nikto -h 192.168.67.134 -p 80 -o nikto_scan -F txt

In this example, Nikto performs a web vulnerability scan on the system with the IP address 192.168.67.134 on port 80 and stores the results in an output file called nikto_scan in plain-text format. Nikto makes no attempt to be quiet: it sends thousands of requests, each carrying a User-Agent string that names the tool, so expect it to appear in the web server's logs and in any IDS watching them.

SQLmap

Because most web applications connect to a database to display the data that exists in the database, it is important that you test your web applications against common SQL injection attacks. SQLmap (http://sqlmap.org) is another open-source penetration testing tool that you can use to perform SQL injection attacks. You learn more about SQL injection attacks in Chapter 7, but I want to mention this tool now, as it is a tool you can use to check for SQL injection vulnerabilities.

To use SQLmap, you first must identify a page in your web application that displays data based on a parameter in the URL, and note that URL. Then you can use the following command to retrieve the underlying database information of the website:

sqlmap -u "http://urlofpage/page.php?id=2" --dbs

Quote the URL: the ? and & characters in a query string are special to the shell, and zsh (the default shell in current Kali releases) refuses an unquoted URL as an unmatched pattern. After executing the SQLmap command with the --dbs parameter, you should see information about the underlying database, such as the type of database system and the database names, if the injection is successful.

After obtaining the database name, you can then try to retrieve the list of tables from the database with the following command:

sqlmap -u "http://urlofpage/page.php?id=2" -D databasename --tables

This gives you a list of the table names that exist in the database if the application is vulnerable to SQL injection. Once you have the list of table names, you can display information about those tables, such as the columns that exist in a table. To get a list of column names from a table, use the following command:

sqlmap -u "http://urlofpage/page.php?id=2" -D databasename -T tablename --columns

You could then retrieve data from a single column, or retrieve the data stored in the entire table, with the following command:

sqlmap -u "http://urlofpage/page.php?id=2" -D databasename -T tablename --dump

Keep in mind that --dump pulls real data out of the customer's database. Confirm that data extraction is permitted by the rules of engagement before you run it, and handle whatever comes back as the sensitive data it is.

Analyzing Vulnerability Results

Now that you have performed the vulnerability scan, it is time to look at the results generated by Nessus to see what vulnerabilities exist on the system you scanned. From the Nessus scanner URL (https://127.0.0.1:8834), go to My Scans and then click the link to your scan, which in our case is called First Scan. The details are displayed, as shown in Figure 4-10.

FIGURE 4-10: Viewing the vulnerability scan results.

The first thing you may notice is that the list of hosts that were scanned is displayed on the left side of the screen. When you look at the scanned host with the IP address 192.168.67.134, you can see a summary of the vulnerabilities in both the bar chart in the middle of the screen and the pie chart on the right side under Scan Details. If you want to look at the vulnerabilities that were found, you can either click the hyperlinked number in the bar chart that shows the count of vulnerabilities, or select the Vulnerabilities tab at the top, as shown in Figure 4-11.
FIGURE 4-11: Viewing the list of vulnerabilities for a host.

The severity of each vulnerability is based on a measurement known as the Common Vulnerability Scoring System (CVSS) base score. The CVSS base score ranges from 0 to 10, with 0 being a low-scoring vulnerability (not a serious problem) and 10 being a critical vulnerability (a serious problem). Nessus maps the CVSS version 2 base score to the following severity levels:

»» Info: An informational finding, such as an open port or a detected service version, with a CVSS base score of 0.0. It is not a vulnerability in itself, but it often provides the context for one.
»» Low: A low-rated vulnerability is of low priority and does not present a serious security issue. Low vulnerabilities have a CVSS base score ranging from 0.1 to 3.9.
»» Medium: A medium-rated vulnerability is of medium priority and could present a security issue. Medium vulnerabilities have a CVSS base score ranging from 4.0 to 6.9.
»» High: A high-rated vulnerability is of high priority and presents a serious security issue. High vulnerabilities have a CVSS base score ranging from 7.0 to 9.9.
»» Critical: A critical vulnerability is of the utmost priority and presents a very serious security issue that should be dealt with immediately. Critical vulnerabilities have a CVSS version 2 base score of 10.0.

Two caveats apply when you read these levels. First, the bands above are the CVSS version 2 mapping; the CVSS version 3 qualitative scale, which Nessus can also display, rates 9.0 to 10.0 as Critical and 7.0 to 8.9 as High. Second, the severity Nessus shows for a plug-in is set by the plug-in's author and can sit above the band its CVSS version 2 score falls in; MS17-010, discussed below, is reported as Critical although its CVSS version 2 base score is 9.3. When you write up findings, give the score and the vector alongside the label so the reader can see which scale produced it.

If you wish to see the details of a vulnerability, click it to go to a page that gives some background on the security issue. In Figure 4-12 notice that I am looking at the details of a critical vulnerability for security bulletin MS17-010.

FIGURE 4-12: Reading the details of a specific vulnerability.

Below the description section is a solution section that describes how to fix the issue. This is important information for a penetration tester, as you need to give remediation steps for the vulnerabilities that are found. In Figure 4-13 you can see that the fix is to patch the system.

FIGURE 4-13: Viewing the remediation steps to a vulnerability.

After reading the description of the security vulnerability, you can also find important information on the right side of the screen. Under the Plugin Details section, you can see the severity of the vulnerability and the type of the plug-in. In the example shown earlier in Figure 4-12, you can see that I have found a remote vulnerability, which means that a hacker can exploit this vulnerability from a remote system. Strictly speaking, a plug-in type of remote tells you how Nessus ran the check (over the network, without logging on, as opposed to a local check that needs credentials); whether an attacker can exploit the flaw from a remote network is stated by the access vector in the CVSS vector, AV:N in this case, which is covered later in this chapter.

Below the Plugin Details section is the Risk Information section. Here you see the risk factor (low, medium, high, or critical) and the CVSS base score of the vulnerability. Remember that this score runs from 0 to 10, and the higher the number, the more serious the vulnerability (more on the score in a bit).

Mapping vulnerabilities to exploits

Below the Risk Information section is an important section for the penetration tester: Vulnerability Information. In this section, shown in Figure 4-14, you can see whether exploits are available for the vulnerability. This information is important for the penetration tester, as you want to know whether you can exploit this vulnerability with ease.

FIGURE 4-14: Determining if exploits exist for a vulnerability.

Below the Vulnerability Information section is a section labeled "Exploitable With." This section tells penetration testers what tool they can use to exploit the vulnerability. In the example shown in Figure 4-15, notice that the vulnerability is exploitable with Metasploit, and specifically with MS17-010 EternalBlue. This is a keyword you can search for in Metasploit to find the exploit module to use to compromise the system through this vulnerability (which we do in Chapter 5).

FIGURE 4-15: Determining what exploit to use.

A list of links follows in the Reference Information section. You can click these links to learn more about each vulnerability.
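When a scan produces more than a handful of findings, clicking through each one in the web interface does not scale. Nessus can export a scan as a .nessus file (an XML format, available from the Export button on the scan's results page), and every field shown in the screens above is present in it: cvss_base_score, cvss_vector, risk_factor, plugin_type, exploit_available, exploited_by_metasploit, metasploit_name and solution. The script below is an added example, not code from this book or from Tenable. It parses a constructed sample export laid out in the .nessus v2 format (the MS17-010 finding is the one from this chapter; the other two findings and all pluginID values are made up for illustration), counts findings per Nessus severity, flags findings whose Nessus severity does not match the CVSS v2 band from the list above, and produces the list of exploitable findings, with the Metasploit module name where Nessus supplies one, sorted so the highest-scoring one is tried first in phase three.

```python
"""Offline triage of a Nessus .nessus (v2 XML) export.
Added example, not code from the book or from Tenable."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample export in the .nessus v2 layout. The MS17-010 finding
# is the one discussed in this chapter; the other two findings are made up
# for the example, and the pluginID values are placeholders, not real IDs.
SAMPLE_EXPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="First Scan">
  <ReportHost name="192.168.67.134">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="0"
               pluginName="MS17-010: Security Update for Microsoft Windows SMB Server">
    <risk_factor>Critical</risk_factor>
    <cvss_base_score>9.3</cvss_base_score>
    <cvss_vector>CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C</cvss_vector>
    <plugin_type>remote</plugin_type>
    <exploit_available>true</exploit_available>
    <exploited_by_metasploit>true</exploited_by_metasploit>
    <metasploit_name>MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption</metasploit_name>
    <solution>Apply the Microsoft security update for MS17-010.</solution>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="0"
               pluginName="Constructed medium-severity finding">
    <risk_factor>Medium</risk_factor>
    <cvss_base_score>5.0</cvss_base_score>
    <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N</cvss_vector>
    <plugin_type>remote</plugin_type>
    <exploit_available>false</exploit_available>
    <solution>Constructed remediation text.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="0"
               pluginName="Constructed informational finding">
    <risk_factor>None</risk_factor>
    <plugin_type>remote</plugin_type>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Nessus's severity bands for a CVSS v2 base score, highest floor first.
BANDS = (("Critical", 10.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1), ("Info", 0.0))


def band_from_score(score):
    """Map a CVSS v2 base score onto Info/Low/Medium/High/Critical."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"CVSS score out of range: {score}")


def parse_report(xml_text):
    """One dict per ReportItem, holding the fields the Nessus UI shows per finding."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            def field(tag, default=""):
                return (item.findtext(tag) or default).strip()
            score = field("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "plugin": item.get("pluginName"),
                "risk_factor": field("risk_factor", "None"),
                "cvss_base_score": float(score) if score else None,
                "cvss_vector": field("cvss_vector"),
                "plugin_type": field("plugin_type"),  # remote vs. local (credentialed) check
                "exploit_available": field("exploit_available") == "true",
                "metasploit_name": field("metasploit_name"),
                "solution": field("solution"),
            })
    return findings


def severity_counts(findings):
    """Findings per Nessus risk factor: the numbers behind the bar chart."""
    return Counter(f["risk_factor"] for f in findings)


def mismatched_bands(findings):
    """Findings whose Nessus risk factor differs from the band their CVSS v2
    score falls in, i.e. where the plug-in author set the severity by hand."""
    return [f for f in findings if f["cvss_base_score"] is not None
            and band_from_score(f["cvss_base_score"]) != f["risk_factor"]]


def exploitable(findings):
    """(host, port, plugin, Metasploit module) for each finding Nessus marks
    exploitable, highest CVSS score first: the list to carry into phase three."""
    hits = sorted((f for f in findings if f["exploit_available"]),
                  key=lambda f: f["cvss_base_score"] or 0.0, reverse=True)
    return [(f["host"], f["port"], f["plugin"],
             f["metasploit_name"] or "(no Metasploit module listed)") for f in hits]


if __name__ == "__main__":
    found = parse_report(SAMPLE_EXPORT)
    print("Findings by severity:", dict(severity_counts(found)))
    for f in mismatched_bands(found):
        print(f"Check: {f['plugin']!r} is {f['risk_factor']} in Nessus, but CVSS v2 "
              f"{f['cvss_base_score']} falls in the {band_from_score(f['cvss_base_score'])} band")
    for host, port, plugin, module in exploitable(found):
        print(f"Exploitable: {host} {port} {plugin} -> {module}")
```

Run against a real export, the mismatch report is the one to read first: a finding Nessus calls Critical while its score says High is not wrong, but it tells you the label came from the plug-in author rather than from the CVSS arithmetic, and that is worth a sentence in the report.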
At this point, I would make a note to try to exploit the system with the EternalBlue exploit and then I would go back to the vulnerabilities list in Nessus and look at the details of other vulnerabilities to see how those can be exploited.

For the PenTest+ certification exam, be prepared to know the process of leveraging information from a vulnerability scan to prepare for exploitation. Be familiar with how to find the exploit to use to leverage a vulnerability, as illustrated in the previous discussion.

Understanding the CVSS base score

The Common Vulnerability Scoring System (CVSS) is a standard vulnerability scoring system used by vulnerability scanners to identify the severity of the vulnerability. A CVSS base score can be a number from 0 to 10, with 0 being the least severe, and 10 being the most severe.

A number of metrics are used to calculate the CVSS base score of a vulnerability. Figure 4-16 displays an example of the CVSS base vectors that are used to calculate the base score. Notice that the CVSS base score vectors are divided into three parts: the version, the metrics used to calculate the exploitability of the vulnerability, and the metrics used to calculate the impact of the vulnerability.

FIGURE 4-16: CVSS base score metrics.

Let’s break down the CVSS base score vectors so that you are able to calculate the CVSS base score on your own.

Exploitability metrics

Three metrics are used to calculate the exploitability of the vulnerability: access vector (AV), attack complexity (AC), and authentication (Au).

ACCESS VECTOR (AV)

The AV metric is used to measure how the hacker executes the exploit. For example, does the hacker have to have physical access to the system, or is the vulnerability exploited from a remote network (which is more serious)? The values of the AV metric are listed in Table 4-1.
TABLE 4-1 Values of the Access Vector (AV) Metric
Value | Description | Score
Local (L) | The attacker must have physical access to the vulnerable system or a local account. | 0.395
Adjacent Network (A) | The attacker must be connected to the LAN in order to exploit the vulnerability. | 0.646
Network (N) | The attacker can exploit the vulnerability from a remote network and does not need to be on the same physical LAN. | 1.0

ATTACK COMPLEXITY (AC)

The AC metric is used to describe how easy or difficult it is to exploit the vulnerability. Table 4-2 lists the values of the AC metric.

TABLE 4-2 Values of the Attack Complexity (AC) Metric
Value | Description | Score
High (H) | Special conditions need to be met in order to exploit the vulnerability. For example, a race condition must exist within the application. | 0.35
Medium (M) | Some conditions need to be met in order to exploit the vulnerability. For example, the system may need a specific configuration that may be uncommon. | 0.61
Low (L) | Exploiting this vulnerability is not difficult as there are no special requirements for the exploit to work and the system is widely available. | 0.71

AUTHENTICATION (AU)

The Au metric is used to specify how many times the attacker would need to authenticate to the system to exploit the vulnerability. An exploit that does not require authentication would be very bad and would increase the CVSS score, while an exploit that requires the attacker to authenticate multiple times makes the exploit a little harder. Table 4-3 lists the values of the Au metric.

TABLE 4-3 Values of the Authentication (Au) Metric
Value | Description | Score
Multiple (M) | The attacker is required to authenticate two or more times when performing the exploit. | 0.45
Single (S) | The attacker is required to authenticate only once while exploiting the vulnerable system. | 0.56
None (N) | The attacker is not required to authenticate to the system in order to exploit the vulnerability. | 0.704
Impact metrics

Impact metrics are used to identify what the impact is of the exploit being performed on the confidentiality, integrity, and availability of systems and their data.

CONFIDENTIALITY (C)

The C metric is used to measure the impact on confidentiality of information if the vulnerability is exploited. Table 4-4 lists the values of the C metric.

TABLE 4-4 Values of the Confidentiality (C) Metric
Value | Description | Score
None (N) | Exploiting the vulnerability presents no impact to confidentiality. | 0.0
Partial (P) | Exploiting the vulnerability causes disclosure of some of the data on the system, but not all. | 0.275
Complete (C) | Exploiting the vulnerability causes total disclosure to all data on the system. | 0.660

INTEGRITY (I)

The I metric describes the impact on the integrity of the system if the vulnerability is exploited. Table 4-5 lists the values of the I metric.

TABLE 4-5 Values of the Integrity (I) Metric
Value | Description | Score
None (N) | Exploiting the vulnerability presents no impact on the integrity of the system. | 0.0
Partial (P) | Exploiting the vulnerability allows the attacker to modify some of the data on the system, but not all. | 0.275
Complete (C) | Exploiting the vulnerability allows the attacker to modify any data on the system. This is a total loss of integrity. | 0.660

AVAILABILITY (A)

The A metric identifies whether exploiting the vulnerability causes the system and its data to become unavailable. Table 4-6 lists the values of the A metric.

Now that you understand the metrics and their meaning, you can calculate the CVSS score with the formulas that follow. You first need to calculate the exploitability subscore, then calculate the impact subscore. Once those subscores are known, you can calculate the CVSS base score.
TABLE 4-6 Values of the Availability (A) Metric
Value | Description | Score
None (N) | Exploiting the vulnerability causes no impact on availability. | 0.0
Partial (P) | Exploiting the vulnerability causes loss in system functionality or reduced performance. | 0.275
Complete (C) | Exploiting the vulnerability causes total loss of the system. | 0.660

To calculate the exploitability subscore and the impact subscore use these formulas:

Exploitability = 20 * AV * AC * Au
Impact = 10.41 * (1-(1-C)*(1-I)*(1-A))

Once you have the impact calculated, you also need to calculate what is known as the f(Impact) value, as this value is used in the base score calculation. The f(Impact) will be 0 if Impact is 0, otherwise f(Impact) will equal 1.176.

f(Impact) = 0 if Impact = 0, 1.176 otherwise.

Once you know the value of Exploitability, Impact, and f(Impact), you can then calculate the CVSS base score with the following formula:

BaseScore = roundToOneDecimal(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))

You are not expected to remember the formulas to calculate the CVSS base score for the PenTest+ certification exam, but you do need to understand the format of the base score and identify the metrics: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C.

Prioritizing activities

Once you have a list of vulnerabilities, the challenge is to prioritize which vulnerabilities get the focus and need remediation first. There is no concrete answer to this, but there are some common considerations used to determine which vulnerabilities to remediate first.

Severity level

One of the first techniques you could use to determine which vulnerabilities get the highest priority is to base your activities on the CVSS base score. You could focus on remediation steps for critical vulnerabilities before looking to remediate high, medium, and low severity level vulnerabilities.
Vulnerability exposure

In addition to the severity level, you could look at the vulnerability exposure, meaning how exposed is this vulnerability? If the vulnerable system is a system only available to a small network segment and is not available to systems on the guest network or the Internet, then maybe this vulnerability is not a priority. Maybe instead you prioritize vulnerabilities that are exposed to systems that exist on the guest network or on the Internet, which would make it available to hackers outside your network.

This is just an example of how exposure can help you prioritize what vulnerabilities to deal with right away. You typically want to address vulnerabilities inside the network as well because there may be threat actors within the internal network you wish to protect against, such as disgruntled employees or guests on the network.

Criticality of the system

Another factor that could affect the priority of the vulnerability fix is the type of system on which the vulnerability exists, and if the vulnerability exposes sensitive information to untrusted sources. For example, if the vulnerability is found on a database server and it could allow access to sensitive company data stored in the databases, then maybe this vulnerability gets a higher priority over others. The key point to remember is that when assessing vulnerabilities, the systems should have a criticality level assigned to them.

Statement of work

One final consideration is to ensure that the statement of work (SOW) has specified under what circumstances the penetration testers should halt the penetration test and report a vulnerability to the security team of the company. Although the point of the penetration test is to find vulnerabilities on systems, there may be specific vulnerabilities that warrant an immediate remediation before continuing the penetration test.
As you learn in Chapter 2, this information should be specified in the SOW, and the penetration testing team made aware of the circumstances.

Considerations for analyzing scan results

When analyzing the results of your vulnerability scan, you should take a number of factors into consideration to better understand how the results affect your organization and its security posture.

Asset categorization

The first consideration is the asset categorization — how critical is the system that has vulnerabilities? If it is a critical system, you may want to prioritize remediation on that system over a non-critical system.

Systems could also be assigned categories such as internal or external. An internal system is inside the network and cannot be reached by a system on the Internet. An external system is typically a system that is located in the company demilitarized zone (DMZ) and is reachable from the Internet. It would make sense to have priority on remediation to external systems as an attacker on the Internet can reach that system. Other examples of categories that can be assigned to systems are Financial, Operational, or Production Control. Each category of system would have a priority level assigned to it, which you would take into consideration when analyzing the vulnerability results.

Adjudication

Another consideration is adjudication — making a decision on whether the vulnerability discovered is a false positive. Although false positives with vulnerability scanners do not happen often, it is possible. Be sure to review the results and validate the results.

Prioritization of vulnerabilities

Prioritization of vulnerabilities is one of the biggest considerations to make with the vulnerability scan results. You can use the criteria discussed in “Prioritizing activities” earlier in this chapter to put priority on remediation.
When it comes to prioritizing the vulnerability, however, a number of considerations must be made, such as what type of vulnerability it is and what system it applies to. Generally speaking, if the vulnerability exploits confidentiality, integrity, or availability (CIA; our three goals of security), then that vulnerability would typically take priority.

For example, if you had to prioritize vulnerabilities found in a web application where one vulnerability was an invalid certificate and the second vulnerability was a password found in the HTML source code, the invalid certificate would have the highest risk as it is a violation of confidentiality (the certificate is there to encrypt communication, but it is now invalid).

As another example, if a web application was found to be vulnerable to both SQL injection attacks and cross-site scripting attacks, the SQL injection would be the higher risk vulnerability because it could be responsible for allowing access to sensitive data in a database or even allowing the hacker to delete data (a violation of availability).

You can expect questions on the PenTest+ certification exam that ask you to determine the higher risk vulnerability. These are tricky questions, but remember to ask yourself which one violates confidentiality, integrity, or availability (CIA). The one that does should be the higher risk vulnerability.

Common themes

Vulnerability scanners look for two main issues. First, the vulnerability scanner is designed to identify vulnerabilities with the system and make observations about the configuration of the system. Second, the vulnerability scanner is designed to identify a lack of best practices being followed. For example, the vulnerability scanner may identify that you have too many administrative accounts, or that you do not have a password policy configured.
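The prioritization criteria from “Prioritizing activities” and the CIA rule above, combined into one remediation triage, as an added example that is not from the book. The Finding records are constructed sample data; the ranking of asset categories, the order in which the criteria are applied (severity, then exposure, then criticality, then CIA impact) and the SOW halt rule are assumptions, since the chapter names these considerations but does not fix an order or define the halt conditions.

```python
"""Remediation triage using the criteria from "Prioritizing activities" and
the CIA rule: severity level first, then exposure, then asset criticality,
with CIA-violating findings winning ties.

Added example, not from the book. The findings are constructed sample data,
and the category ranking, the criteria order and the SOW halt rule are
assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed ranking of the asset categories named in the chapter (higher = more critical).
CATEGORY_RANK = {"Production Control": 3, "Financial": 3, "Operational": 2, "General": 1}
# Internet-facing and guest-network systems are reachable by outsiders, so they rank higher.
EXPOSURE_RANK = {"internet": 3, "guest": 2, "internal": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float          # CVSS v2 base score reported by the scanner
    exposure: str        # "internet", "guest" or "internal"
    category: str        # asset category assigned during asset categorization
    cia_impact: bool     # True if exploitation violates confidentiality, integrity or availability


def severity_level(score: float) -> int:
    """Nessus bands from this chapter as a rank: 4 Critical, 3 High, 2 Medium, 1 Low."""
    return 4 if score >= 10.0 else 3 if score >= 7.0 else 2 if score >= 4.0 else 1


def priority_key(f: Finding) -> tuple:
    """Sort key; the larger the tuple, the sooner the finding is remediated."""
    return (severity_level(f.cvss),
            EXPOSURE_RANK.get(f.exposure, 0),
            CATEGORY_RANK.get(f.category, 0),
            f.cia_impact,
            f.cvss)


def prioritize(findings) -> list:
    return sorted(findings, key=priority_key, reverse=True)


def must_halt_and_report(f: Finding) -> bool:
    """Assumed SOW rule: stop testing and notify the security team for any
    Critical finding, or for a High-or-above CIA-violating finding on an
    Internet-facing system."""
    return (severity_level(f.cvss) == 4
            or (f.cia_impact and f.exposure == "internet" and severity_level(f.cvss) >= 3))


# Constructed sample findings (hosts, titles and scores are made up).
FINDINGS = [
    Finding("files01", "Everyone group has read access to share", 4.3, "internal", "General", False),
    # The chapter treats an invalid certificate as a confidentiality violation.
    Finding("web02", "TLS certificate expired", 5.0, "internet", "General", True),
    Finding("db01", "SQL injection in orders application", 7.5, "internet", "Financial", True),
    Finding("kiosk07", "Missing SMB security patch", 10.0, "internal", "Operational", True),
]


def remediation_order(findings=FINDINGS) -> list:
    """Hosts in the order their findings should be remediated."""
    return [f.host for f in prioritize(findings)]


def hosts_to_report(findings=FINDINGS) -> list:
    """Hosts whose findings trigger the SOW halt-and-report rule, in priority order."""
    return [f.host for f in prioritize(findings) if must_halt_and_report(f)]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        flag = "  <- halt and report per SOW" if must_halt_and_report(f) else ""
        print(f"{f.host:8} {f.cvss:4} {f.exposure:8} {f.category:18} {f.title}{flag}")
```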
Following are some common vulnerabilities, observations, and lack of best practices that are typically found when performing a vulnerability scan on unsecure systems:

»» Missing patches: One of the most common vulnerabilities reported is missing software patches. These could be operating system patches or patches for software running on the system.
»» Admin accounts: Many vulnerability scanners check to see how many administrative accounts exist on the system and report back if there are too many (typically more than two accounts).
»» Default configuration: Vulnerability scanners will report on default configuration settings that have not been modified that should be modified.
»» Default permissions: You may get notified that the permissions configured for folders are not following best practices. For example, if the default Windows permissions are left unchanged (such as giving everyone read access), you may receive a recommendation to change it.
»» Certificate issues: When scanning web applications, the vulnerability scanner will check the certificate used to encrypt communication and let you know if there are issues with the certificate.
»» Web application vulnerabilities: Vulnerability scanners will let you know if there are vulnerabilities with the web application such as whether it is vulnerable to a cross-site scripting (XSS) attack or a cross-site request forgery (XSRF) attack. (You learn about these attacks in Chapter 7.)

Attacks and Weaknesses in Specialized Systems

A vulnerability is a weakness in a product that can be leveraged by the penetration tester and the hacker to compromise systems. An important point to remember when performing a penetration test is that in addition to assessing the security of the computers and servers, a number of different devices and products need to be tested as well.
Mobile devices

Be sure to assess the security of mobile devices and ensure that organizations are following security best practices, such as autolocking devices, password-protecting devices, encrypting storage, and maintaining remote-wipe capabilities.

Attacks

There are a number of attacks against mobile devices, but here are three you are expected to know for the PenTest+ certification exam:

»» Reverse engineering: Reverse engineering of mobile applications allows you to understand a mobile application better. Dynamic analysis may not be possible due to encryption, but you can analyze the binary code using static analysis tools.
»» Sandbox analysis: Sandboxing is when applications being tested are run in an isolated environment that emulates the environment in which the application was designed to run.
»» Spamming: Spamming refers to the sending of unsolicited messages to people.

Vulnerabilities

There are a number of common vulnerabilities on mobile devices that you should check for:

»» Insecure storage: An insecure storage vulnerability is when the development team assumes application code will not have access to the data stored on the device. Ensure that strong encryption is used on the device and that the device has not been rooted.
»» Passcode vulnerabilities: Look for weak passwords being used to gain access to the device. Many users like to use simple passcodes such as 1111 or 1234 to gain access to their devices.
»» Certificate pinning: Certificate pinning refers to when you configure the application to only accept certificates for specific systems.
»» Using known vulnerable components: Applications should ensure that any third-party components that are referenced are secure. Dependency vulnerabilities exist when an application uses a vulnerable third-party component.
»» Patching fragmentation: Patching fragmentation refers to the practice of a company selectively choosing which patches to apply based on usage of a product. Patching fragmentation may leave the component vulnerable to an attack.
»» Execution of activities using root: Many people try to root their devices — a process that is also known as jailbreaking the device. If a device is rooted, the storage encryption may be vulnerable and hackers may be able to obtain access to sensitive data.
»» Overreach of permissions: Overreaching permissions refers to when an application requests more permissions than it needs to perform an activity on the device. Once the application has been approved for an activity, it has an access token to perform that action until you manually revoke the token.
»» Biometrics integrations: Look for weaknesses in the biometric functionality of a mobile device. Check the ability of the device to be able to reject a false fingerprint in order to prevent access to sensitive data.
»» Business logic vulnerabilities: There may be vulnerabilities in core business logic that is called upon by the mobile application. Be sure to understand any dependencies an application has and verify the code of these dependencies.

Tools

The following is a list of tools that can be used to test mobile devices and applications:

»» Burp Suite: Burp Suite is a GUI tool that enables a pentester to test the security of a web application. Burp Suite includes many features, such as acting as a web proxy that allows the product to act as a man-in-the-middle (MiTM) between the web browser and the web server (much the same way as OWASP ZAP). It is also a web application security scanner that can scan a website for vulnerabilities and report on those vulnerabilities.
Burp Suite can also perform a number of attacks to test how the web application holds up against common attacks such as SQL injection, cross-site scripting (XSS), and parameter manipulation.
»» Drozer: Drozer is a framework created by MWR Labs to assess the security of Android applications on an Android device.
»» Mobile Security Framework (MobSF): MobSF is a security framework for mobile devices that automates static analysis, dynamic analysis, and malware analysis.
»» Postman: Postman is an application that you can use to test RESTful APIs by enabling you to submit an HTTP request to the API and view the response.
»» Ettercap: Ettercap is a free tool that can aid in MiTM attacks and enable you to see all traffic sent between two systems.
»» Frida: Frida is an application testing tool that enables you to intercept data sent and received by applications and then inject code of your own to see how the application responds.
»» Objection: Objection is an exploration framework that works with Frida to explore areas of the mobile device.
»» Android SDK tools: Software development kits (SDKs) are development and debugging tools that enable deep review and analysis of an application. In this case, you could use Android SDKs for analysis of software that runs on an Android device.
»» ApkX: ApkX is a command-line tool used to decompile Android package files (.apk) written in Java.
»» APK Studio: APK Studio is a suite of tools used to decompile Android applications, edit the code, and then recompile the application.

Cloud technologies

Cloud resources are another potential source of weaknesses that can be exploited. It is common today for a company to host applications or virtualized servers in the cloud so that they can take advantage of the high availability and resiliency cloud technology offers.

Attacks

Cloud environments may be vulnerable to a number of common types of attacks.
Some are similar to attacks you would find with on-premises environments as well:

»» Credential harvesting: Credential harvesting occurs when an attacker obtains the logon credentials of a user, such as via a phishing attack. It is a common technique used by attackers to gain access to cloud resources.
»» Account takeover: Once the attacker knows the credentials of a user’s account, either from a phishing attack or spyware planted on the user’s system, the attacker can then take over the account. Once the attacker has control of the account, the attacker can then access data and services within the cloud.
»» Privilege escalation: Like with on-premises environments, once attackers log in to the cloud, they may then look to perform privilege escalation where they exploit the system in a way that gives them administrator-level privileges.
»» Metadata service attack: A metadata service attack occurs when attackers obtain information about the virtual machines (VMs) configured in the cloud. With this information the attacker can learn about the storage and network configuration of the VMs, which can aid in an attack.
»» Misconfigured cloud assets: Misconfiguration is a big reason why systems are exploited in on-premises environments and also with cloud resources. The following are common areas of misconfiguration with cloud technologies:
    »» Identity and access management (IAM): Identity and access management (IAM) is the term used for the set of policies and technologies that work together to control what resources a user can access. Misconfiguration of IAM could allow users access to resources they should not be allowed to access.
    »» Federation misconfigurations: Federation services allow for single sign-on functionality with other organizations that your environment trusts. For example, you may be hosting a cloud application and want to give a third-party company access to the application.
Using federation services you can link to the other company and give that company’s users access to the application (without you needing to build user accounts). In this scenario, users from the third-party company would log on with their normal credentials to access your cloud application. Misconfiguration of federation services could open your application or cloud environment up to unintended parties.
    »» Object storage: Applications may store their data as objects within a large repository. Failure to secure the repository could give unauthorized access to the data.
    »» Containerization technologies: Containers are a form of virtualization technology that enables a company to run applications within an isolated environment. Attacks against the containers could give access to the applications hosted in the container.
»» Resource exhaustion: Resource exhaustion attacks involve the attacker exploiting the environment in such a way that it causes the cloud service, VM, or application to crash, hang, or respond poorly.
»» Cloud malware injection attacks: A malware injection attack occurs when the attacker gains access to the cloud and inserts malware as a module or VM that intercepts requests from the user and then performs malicious actions such as manipulating or stealing the cloud user’s data.
»» Denial of service attacks: A denial of service (DoS) attack against a cloud resource can cause a cloud service, application, or VM to crash or perform poorly.
»» Side-channel attacks: A side-channel attack occurs when information is exported off a system or environment using a method other than the normal channel of communication. With cloud computing, the threat is that an attacker could run a VM that steals information from shared hardware resources such as the CPU cache of the hosting environment.
»» Direct-to-origin attacks: Many web applications today use content delivery networks (CDNs) in which the website is cached on CDN servers that are spread throughout the world. This allows for faster response when users visit the site because they receive pages from the CDN server that is closest to them. The CDN servers are usually protected by web application firewalls (WAFs) and filter out any malicious requests. A direct-to-origin attack, also known as a D2O attack, is when the attacker figures out the IP address of the real website that sits behind the CDN servers and sends the request to the origin server. Attackers do this because the origin server is not protected by the WAFs that are protecting the CDNs.

For the PenTest+ certification exam, know the different types of attacks against cloud resources that are mentioned in this section.

Tools

Because applications are typically hosted in the cloud, one of the biggest tools used to understand vulnerabilities of cloud resources is a software development kit (SDK). As mentioned earlier in this chapter, SDKs allow for deep review and analysis of an application.

Internet of things (IoT) devices

Internet of things (IoT) devices are devices that have technology built into them that helps the device connect to the Internet. These devices are often forgotten about as they are not typically computing devices such as laptops, desktops, or servers. IoT devices include devices such as home appliances that have technology integrated into them such as light fixtures, thermostats, and security cameras.

Because IoT devices run different communication protocols such as Bluetooth and Bluetooth Low Energy (BLE), the devices may be vulnerable to attacks caused by these protocols. BLE is a wireless communication protocol that is designed to consume less power than the original Bluetooth technology while still providing a similar range.
There are a number of BLE attacks that have come out such as the Bluetooth Low Energy Spoofing Attack (BLESA), which allows two devices that had previously been paired to skip authentication when reconnecting after falling out of range. This allows an attacker to bypass the connection verification and send spoofed data to the device.

Special considerations

The following are some special considerations to keep in mind with IoT devices:

»» Fragile environment: When testing IoT devices, the system may be fragile and could be affected by attack attempts, such as crashing the system.
»» Availability concerns: If an IoT device is attacked, it is possible that due to the fragile nature of the device, it could crash. A crashed device would not be available to other systems and applications.
»» Data corruption: Due to the fragile nature of some IoT systems, you may experience corruption of data, especially if power loss is involved in the security testing.
»» Data exfiltration: When exploiting IoT devices, look for ways to extract data off the device.

Vulnerabilities

IoT devices are prime targets for attackers because they typically have a number of vulnerabilities out of the box, including the following:

»» Insecure defaults: You may find that the IoT device has insecure default settings such as protocols running, default accounts, and default ports open.
»» Cleartext communication: IoT devices may be communicating with other network devices using an unencrypted channel.
»» Hard-coded configurations: The configuration of the device could be hard-coded into the device, meaning that it cannot be changed.
»» Outdated firmware/hardware: The firmware on the device could be out of date. Always look to update the firmware on IoT devices running within your business.
»» Data leakage: Due to some of the communication protocols and unsecure configuration of the IoT device, it could be leaking data to unauthorized individuals.
»» Use of insecure or outdated components: The IoT device itself may be following security best practices, but if it is using any third-party components, those components may not be following security best practices and as a result put the IoT device at risk.

Data storage system vulnerabilities

Networks today include data storage systems that are used to store data that is accessible to other systems and devices on the network. These storage systems may be on-premises or may exist in the cloud. A key point to remember about data storage systems is that if the devices are misconfigured, they could expose data to unauthorized individuals.

Some examples of vulnerabilities to watch for with data storage systems are:

»» Default/blank username/password: The device will most likely come with a default username and password, or a blank password. Be sure to review the configuration of the device and change as many of the default settings as you can to help secure the device. For example, it is recommended to change the username and password for the device as soon as possible.
»» Network exposure: The storage device will typically run multiple protocols so that it can be accessed and administered from across the network. Review the protocols that are running and disable any unneeded protocols.

Underlying software vulnerabilities

You learn about software attacks and vulnerabilities in Chapter 7, but the objectives list these few vulnerabilities. More detail is presented in Chapter 7 on software vulnerabilities, so be sure to check out that chapter. The following are some key reasons why software is vulnerable:

»» Lack of user input sanitization: Input sanitization should be performed on any data that is entered into an application. Input sanitization occurs when the developer blocks or escapes any potentially malicious characters in the data input in order to help prevent an attack against the system.
»» Error messages and debug handling: Software applications sometimes do not debug or handle errors properly. You want to ensure that you trap errors and show generic error messages. Detailed error messages displayed by the application may help the attacker understand more about the environment and how to exploit it.
»» Injection vulnerabilities: A common method to exploit a system is to perform an injection attack, where code is inserted as input that enables the attacker to control how the application executes. For example, attackers will use a single quote to manipulate SQL code. The single quote should be escaped (which means treat it as a single quote and not a special programming character).

Management interface vulnerabilities

Remote management interfaces are designed to allow administrators to remotely connect to devices from across the network and administer the device. Always check the protocols used by the remote management interface and research vulnerabilities against that interface and protocols. For example, the Intelligent Platform Management Interface (IPMI) is known to have a vulnerability with the authentication process where a remote attacker is able to obtain the password hashes and crack those passwords offline.

Vulnerabilities related to SCADA, IIoT, and ICS

Supervisory Control and Data Acquisition (SCADA) is a set of hardware and software components that are designed to control industrial processes. SCADA systems are known to have vulnerabilities related to lack of updates being applied to the systems. This includes hardware updates, operating system patches, and application patches.

Industrial Internet of Things (IIoT) devices are components such as sensors and other instrumentation used within industrial industries to collect data that are connected together in a network environment.
Like other IoT devices, these devices found in manufacturing environments may have vulnerabilities and are open to attack from across the network or Internet.

Industrial Control Systems (ICSs) are known to have weaknesses involving a lack of authentication and weak authentication protocols, older hardware, and unpatched operating systems that may be vulnerable to attacks. It should be noted that companies are often reluctant to patch IoT, SCADA, IIoT, and ICS equipment for fear of causing a production or operational outage.

Vulnerabilities related to virtual environments and containers

Virtualization platforms and containers are common platforms for hosting servers and applications today. With each of these technologies come some common vulnerabilities:

»» Virtual machine (VM) escape: VM escape is a common vulnerability with virtualization platforms in which an attacker can run code within the VM and attack the host system.

»» Hypervisor vulnerabilities: A weakness in the hypervisor of a host system could allow an attacker to attack each of the VMs running on the host system.

»» VM repository vulnerabilities: A VM repository is a storage location for resources used by the virtualization environment. Resources may include guest VMs, VM templates, ISO files, and shared virtual disks. Vulnerabilities that exist in the repository environment may expose these resources to the attacker.

»» Vulnerabilities related to containerized workloads: Another type of virtualized environment used to run applications is the container. Like a VM, a container allows an application to run in an isolated environment, but it shares the underlying operating system. A vulnerable container environment may allow an attacker to gain root-level access to the underlying host system.
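Before moving on to specialized systems, here is an added example (not from the book) of the injection weakness described under “Underlying software vulnerabilities” above. It builds a small in-memory SQLite table (constructed sample rows) and writes the same login lookup three ways: string concatenation, manual escaping of the single quote as the text describes, and a parameterized query; a self-check then shows which versions treat a quote-bearing input as data rather than as SQL.

```python
"""Single-quote handling in SQL: concatenation vs. escaping vs. parameters.

Added example, not from the book. All table contents are constructed.
"""
import sqlite3


def make_db():
    """Create an in-memory users table with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def lookup_concat(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, username, password):
    """Escapes the quote by doubling it, so SQL treats it as a literal character."""
    def esc(s):
        return s.replace("'", "''")
    sql = ("SELECT username FROM users WHERE username = '" + esc(username) +
           "' AND password = '" + esc(password) + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username, password):
    """Parameterized: the driver keeps data and code separate; no escaping needed."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def is_injectable(conn, lookup):
    """Self-check: does a quote-bearing password match without a valid credential?

    A correct implementation treats the whole string as data and matches nothing.
    """
    crafted = "x' OR 'a'='a"
    try:
        return len(lookup(conn, "alice", crafted)) > 0
    except sqlite3.OperationalError:
        return False   # the query broke instead of being manipulated


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_escaped, lookup_param):
        print(f"{fn.__name__:15s} injectable: {is_injectable(db, fn)}")
```

The concatenated version also fails on legitimate data containing a quote (a username such as o'brien raises a syntax error), while the parameterized version simply returns no match.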
Be sure to check for vulnerabilities associated with the following types of specialized systems as well:

»» Embedded systems: An embedded system is a small computer that is included in other equipment to control that equipment. Examples of equipment that use embedded systems are home appliances, medical equipment, and vehicles. The biggest weakness of an embedded system is that it is difficult to upgrade or patch the device, so there are typically many vulnerabilities. Another weakness of embedded systems is that the same types of devices generally have the same software and hardware. This makes it easy for a hacker to take advantage of attack replication (using the same attack method to get into all of the same types of devices).

»» POS systems: One of the big vulnerabilities with point-of-sale (POS) systems is the fact that many companies are still using the default manufacturer password on the system. Like many of the other specialized systems listed here, a POS system is typically running an older operating system and has not been patched, which makes it vulnerable to attack.

»» Biometrics: Biometrics refers to using the characteristics of an individual, such as a retina scan, voice recognition, or a fingerprint, to authenticate that person to a system. The biggest security concern about biometrics is the security of the system that holds the database of characteristics used to authenticate. That system may be vulnerable to attack, which makes the biometric system vulnerable.

»» Application containers: Application containers are mini virtual machines that have become a common technology to host applications. The biggest security issue with application containers is with the images used to load the software into the container. It is important that the image has been code reviewed and digitally signed by the creator to ensure the integrity of the image.
»» RTOS: A real-time operating system (RTOS) is responsible for capturing events as they occur in real time and communicating those events between the hardware of the system and the applications running on the system. A common weakness with an RTOS is that the messaging protocols used to communicate that an event occurred may lack security features such as validating the source of the message before sending it to the software or hardware. Another security concern with an RTOS is code injection attacks, in which the hacker injects a command into the system and it executes in real time, allowing the hacker to control the environment.

Lab Exercises

In these exercises, you install Nessus and perform a vulnerability scan on a Windows 7 and a Metasploitable2 VM. To complete these exercises, you will need a Kali Linux VM, a Windows 7 VM, and the Metasploitable2 VM. Remember that these exercises should be run on lab computers and not on production systems.

Exercise 4-1: Download and install Nessus

In this exercise, you download Nessus and install and configure Nessus Essentials.

1. From Kali Linux, start Firefox (first button on the toolbar on the left) and navigate to https://www.tenable.com/products/nessus.
2. Download and register the AMD64 Debian/Kali Linux edition.
3. After the file has been downloaded, launch a terminal window and type the following commands:

   cd Downloads
   ls -al

4. To install Nessus Essentials, type the following command (where x.x.x is the version number of your specific download):

   dpkg -i Nessus-x.x.x-debianx_amd64.deb

5. To start Nessus and then check the status, use the following commands:

   service nessusd start
   service nessusd status

6. Now that Nessus is running, switch to the web browser and type https://127.0.0.1:8834 to use the web interface of Nessus. The web interface will ask what edition of Nessus you would like to use.
7. Choose Nessus Essentials and click Continue.
8. Enter your information and then click the Email button (if you already have an activation code, you can choose Skip).
9. Enter the activation code for Nessus Essentials you received at your email address.
10. To create the Nessus user account, enter the following username and password:

   Username: administrator
   Password: Pa$$w0rd

11. Wait until the plug-ins download and compile (this will take a while).
12. At the Welcome to Nessus Essentials screen, click the Close button.
13. Leave the VM up for the next exercise.

Exercise 4-2: Perform a vulnerability scan

In this exercise, you perform a vulnerability scan of the Windows 7 VM.

1. If you are not already in the Nessus management tool, launch a browser, type https://127.0.0.1:8834, and log in with a username of “administrator” and a password of “Pa$$w0rd”.
2. Create a new Advanced Scan called Exer4-2 that scans the IP address of the Windows 7 system.
3. On the Plugins tab, disable all plug-ins (top-right corner) and then enable the following plug-in families:

   Backdoors
   Databases
   Brute force attacks
   Denial of Service
   DNS
   Settings
   Firewalls
   SMTP Problems
   FTP
   SMTP
   General
   Web Servers
   Misc.
   Windows
   Peer-to-Peer File Sharing
   Windows: Microsoft Bulletins
   RPC
   Windows: User Management
   Service Detection

4. Choose Save.
5. Launch the scan from the Scans list.
6. After the scan completes, review the results of the scan. How many critical vulnerabilities were found? Enter that number here: ________.
7. List the critical vulnerabilities:
   ________________________________________________________
   ________________________________________________________
   ________________________________________________________
   ________________________________________________________
8. Looking at each of the critical vulnerabilities, record how to exploit them:
   ________________________________________________________
   ________________________________________________________
   ________________________________________________________
   ________________________________________________________
9. Select the critical vulnerability for MS17-010 if it exists. What tool can be used to exploit this vulnerability? Write that tool here: _____________________________
10. To save a report of this vulnerability scan, choose the Report drop-down in the top-right corner and choose PDF.

Exercise 4-3: Perform a web application vulnerability scan with Nessus

In this exercise, you perform a web application vulnerability scan of the Metasploitable2 VM.

1. Log on to the Metasploitable2 VM with a username of “msfadmin” and a password of “msfadmin”.
2. Type ifconfig and record the IP address: _______________________________
3. Go to the Kali Linux VM and create a new scan based on the Web Application Vulnerabilities template.
4. Give the scan the name Exer4-3 and scan the IP address of the Metasploitable VM.
5. When the scan completes, review the vulnerabilities that were found.
6. Select the vulnerability Web Application Potentially Vulnerable to Clickjacking and read the description.
7. Scroll down under the description and notice a list of URLs that do not use clickjacking mitigation techniques. These are the URLs you would report.

Reviewing Key Concepts

This chapter highlights how to discover vulnerabilities within a system. Following is a quick review of some of the key points to remember from this chapter:

»» You can use a vulnerability scanner to discover vulnerabilities on a system.

»» Nessus and OpenVAS are examples of vulnerability scanners.

»» Plug-ins are used to discover specific types of vulnerabilities.

»» The type of vulnerability scan is determined by the template used when a vulnerability scan is created.
»» As a penetration tester, know how you would determine how to exploit a vulnerability. When you look at the details of the vulnerability, pay attention to the Exploitable With section in the bottom-right corner of the page.

»» Know that Nikto and SQLmap are also tools you can use to assess vulnerabilities on web servers.

Prep Test

1. You would like to perform a complete vulnerability scan of a Windows server. What tool would you use?
   (A) Nikto
   (B) Nessus
   (C) SQLmap
   (D) Nmap

2. You have performed a vulnerability scan of a Windows system, but do not see the level of detail you were expecting in the scan results. What should you do?
   (A) Perform a Web Application Vulnerability scan
   (B) Perform an anonymous scan
   (C) Perform a port scan
   (D) Perform a credentialed scan

3. You would like to assess the security of a web application running on an intranet server. What tool would you use to perform the vulnerability scan?
   (A) Nikto
   (B) Hydra
   (C) theHarvester
   (D) Nmap

4. You are performing a vulnerability assessment of a web application that is connected to a database. What tool would you use to assess vulnerabilities with the web application?
   (A) Nmap
   (B) Hydra
   (C) theHarvester
   (D) SQLmap

5. You are creating a report that identifies the priority for remediation of the vulnerabilities found on systems. What two conditions could be used to determine the priority of the vulnerability? (Choose two.)
   (A) The port number
   (B) Criticality of system
   (C) Windows over Linux
   (D) WAF score
   (E) CVSS base score

6. You have performed a vulnerability scan of a critical system. Which of the following reported vulnerabilities presents the highest risk to the system?
   (A) Password in HTML code
   (B) One administrator account
   (C) Certificate is invalid
   (D) Missing one week of patches

7. What type of analysis tool is used to monitor the behavior of the software while it is running?
   (A) Static analysis
   (B) Port analysis
   (C) SQL analysis
   (D) Dynamic analysis

8. You have performed a vulnerability scan of a system which has identified that the system is vulnerable to SQL injection attacks and XSS attacks. Which vulnerability presents the higher risk?
   (A) SQL injection
   (B) XSS

9. Looking at the following CVSS base vector, what metric has the largest impact if the vulnerability is exploited?

   CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

   (A) Availability
   (B) Access vector
   (C) Integrity
   (D) Confidentiality

10. Looking at the following CVSS base vector, what level of access does the attacker need to the system in order to exploit the vulnerability?

   CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N

   (A) Access to the LAN
   (B) Access from a remote network
   (C) No access
   (D) Local access to the system

Answers

1. B. Nessus is an example of a vulnerability scanner and can perform a complete scan of the system. See “Performing a Vulnerability Scan.”

2. D. When performing a scan of a Windows system, you should configure the administrator credentials on the scan so that the scanner can retrieve as much configuration information as possible. Review “Credentialed versus non-credentialed scans.”

3. A. Nikto is an example of a web application vulnerability scanner. It will check for common security issues with web applications such as misconfiguration or missing prevention techniques for known attacks against web servers. Check out “Using other vulnerability scanners.”

4. D. Because the web application is connected to a database, you should test for SQL injection vulnerabilities, which is what SQLmap does. Peruse “Using other vulnerability scanners.”

5. B, E. There are a number of conditions we use to prioritize the remediation of vulnerabilities, such as how critical the system or data affected by the vulnerability is, the CVSS base score (critical vulnerabilities get priority over medium or low, for example), and the exposure of the vulnerability (for example, a system connected to the Internet). Take a look at “Analyzing Vulnerability Results.”

6. C. Because the system is a critical system and appears to need encryption because a certificate was applied to the system, having an expired certificate would have a large impact on confidentiality; therefore, the certificate being invalid has the highest risk. See “Considerations for analyzing scan results.”

7. D. Dynamic analysis tools are used to monitor the behavior of software while the software is running. Review “Application scans.”

8. A. The SQL injection attack can be used to access sensitive information in a database (violation of confidentiality), it can be used to make unauthorized changes to the underlying data in the database (violation of integrity), or it could be used to delete data critical to the business (violation of availability), so it is considered the higher risk vulnerability. Check out “Considerations for analyzing scan results.”

9. C. Looking at the CVSS base vector, the last three elements, /C:N/I:C/A:N, show the impact on confidentiality, integrity, and availability (in that order). /C:N means confidentiality:none (no impact on confidentiality), /I:C means integrity:complete (impact on integrity to all data), and /A:N means availability:none (no impact on availability). Peruse “Understanding the CVSS base score.”

10. D. The AV:L at the beginning of the CVSS base vector indicates an access vector of local, meaning the attacker would need physical access to the system to exploit the vulnerability. Take a look at “Understanding the CVSS base score.”
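As an added example (not part of the book), the following code parses the CVSS v2 base vectors from questions 9 and 10 and answers them programmatically: it reports the access vector, the C/I/A metric with the largest impact, and the base score computed from the CVSS v2 equations. The optional CVSS2# prefix is accepted because that is how the vectors are written in the chapter.

```python
"""CVSS v2 base vector parsing and scoring (added example, not from the book)."""
import re

# Metric weights from the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # access vector: local, adjacent, network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # access complexity: high, medium, low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # authentication: multiple, single, none
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # impact: none, partial, complete

ACCESS_VECTOR_NAMES = {"L": "local", "A": "adjacent network", "N": "network"}
IMPACT_NAMES = {"C": "confidentiality", "I": "integrity", "A": "availability"}

# The "CVSS2#" prefix is optional so both report-style and bare vectors parse.
_VECTOR_RE = re.compile(
    r"^(?:CVSS2#)?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def parse_cvss2(vector):
    """Return the six base metrics as a dict; raise ValueError if malformed."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))


def access_vector(vector):
    """Question 10: the kind of access the attacker needs."""
    return ACCESS_VECTOR_NAMES[parse_cvss2(vector)["AV"]]


def largest_impact(vector):
    """Question 9: the C/I/A metric with the largest impact, or None if all are N."""
    m = parse_cvss2(vector)
    best = max(("C", "I", "A"), key=lambda k: CIA[m[k]])
    return IMPACT_NAMES[best] if CIA[m[best]] > 0 else None


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal place as the specification requires."""
    m = parse_cvss2(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    if impact == 0:
        return 0.0                     # f(Impact) = 0 when there is no impact
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


if __name__ == "__main__":
    for v in ("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N", "CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N"):
        print(v, "->", access_vector(v), largest_impact(v), base_score(v))
```

Changing AV:N to AV:L is the only difference between the two vectors, yet it drops the base score from 7.8 to 4.9, which is why the access vector matters so much when prioritizing remediation.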
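Returning to Exercise 4-3, the following is an added example (not the book's or Tenable's code) of the kind of check behind the clickjacking finding: a page counts as protected only when X-Frame-Options or a Content-Security-Policy frame-ancestors directive restricts who may frame it. The responses it runs over are constructed sample data so it works offline; the same functions can be fed headers from live responses.

```python
"""Clickjacking-mitigation check over HTTP response headers (added example)."""


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def clickjacking_protected(headers):
    """True when the headers restrict framing; header names are case-insensitive."""
    h = {name.lower(): value for name, value in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # frame-ancestors takes precedence over X-Frame-Options when present;
            # a wildcard source lets any site frame the page.
            return "*" not in sources
    xfo = h.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is deprecated and ignored by current browsers, so only these count.
    return xfo in ("DENY", "SAMEORIGIN")


def unprotected_urls(responses):
    """Given (url, headers) pairs, return the URLs you would report, in order."""
    return [url for url, headers in responses if not clickjacking_protected(headers)]


# Constructed sample responses (192.0.2.0/24 is a documentation address range).
SAMPLE_RESPONSES = [
    ("http://192.0.2.10/login.php", {"Content-Type": "text/html"}),
    ("http://192.0.2.10/admin/", {"X-Frame-Options": "SAMEORIGIN"}),
    ("http://192.0.2.10/help/", {"Content-Security-Policy": "frame-ancestors *"}),
    ("http://192.0.2.10/app/",
     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
    ("http://192.0.2.10/old/", {"X-Frame-Options": "ALLOW-FROM http://192.0.2.20"}),
]

if __name__ == "__main__":
    for url in unprotected_urls(SAMPLE_RESPONSES):
        print("no clickjacking mitigation:", url)
```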