Ethical Hacking 2024-2025 PDF
Abdelmalek Essaâdi University
2024
Youssef SBAYTRI
Summary
This document provides an introduction to ethical hacking, explaining what it is and why it's necessary. It also highlights the required technical and non-technical skills for ethical hackers, and compares and contrasts ethical hacking and penetration testing. The document also outlines various hacking methodologies such as CEH, Cyber Kill Chain, and MITRE ATT&CK.
Abdelmalek Essaadi University
Ethical Hacking
GCyB - II
Pr. Youssef SBAYTRI
2024-2025

Content
I- Introduction
II- Footprinting/Information gathering
III- Scanning and Enumeration
IV- Vulnerability Analysis
V- Systems Hacking
VI- Networks Hacking

I- Introduction

1. What is Hacking?
- The activity of getting into someone else's computer system without permission in order to find out information or do something illegal. [https://dictionary.cambridge.org/dictionary/english/hacking]
- The use of unconventional or illicit means to gain unauthorized access to a digital device, computer system or computer network. [https://www.ibm.com/topics/cyber-hacking]
- Unauthorized access to a system or network, often to exploit a system's data or manipulate its normal behavior. [https://www.cyber.gov.au/threats/types-threats/hacking]
- The act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data. [https://www.kaspersky.com/resource-center/definitions/what-is-hacking]

2. What is Ethical Hacking?
Ethical hacking refers to the use of hacking techniques for defensive or protective purposes. Ethical ("white hat") hackers use their skills to test the security of computer systems, networks, applications, etc.
The term "ethical hacking" is usually used interchangeably with "penetration testing"; however, they refer to two distinct activities that have different purposes and legal implications.
Penetration testing ("pentesting") is the practice of simulating a cyber attack on a computer system, network, or application to identify vulnerabilities. Pentesting is usually done by security professionals at the request of an organization and with its explicit permission.
Both penetration testing and ethical hacking are considered legal as long as they are done with the permission and knowledge of the system owner.

Key Differences Between Ethical Hacking and Penetration Testing
Scope of work
- Ethical hacking: less defined scope of work.
- Pentesting: well defined scope of work.
Attack vectors
- Ethical hacking: utilizes any attack vector to breach a system.
- Pentesting: the attack vectors are defined more specifically before testing.
Knowledge of the target
- Ethical hacking: has visibility into the organization's infrastructure.
- Pentesting: provided with limited/no information about the organization's infrastructure.
Compliance
- Ethical hacking: not a requirement for compliance frameworks.
- Pentesting: required for some compliance frameworks.
Required expertise
- Ethical hacking: an ethical hacker should have detailed knowledge of TTPs (Tactics, Techniques, and Procedures) and various tools to imitate the steps of a cybercriminal.
- Pentesting: a pentester needs to have sound knowledge of the dedicated domain or specific area for conducting the pentest.
Reporting
- Ethical hacking: no mandatory requirement to be an expert in report writing.
- Pentesting: comes with fool-proof report writing.

3. Why is Ethical Hacking necessary?
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
For that reason, organizations recruit ethical hackers to:
- Prevent hackers from gaining access to the organization's information systems.
- Identify and assess vulnerabilities in systems to evaluate their potential security risks.
- Provide adequate preventive measures in order to avoid security breaches.
- Assess and harden the organization's security posture.
- Enhance security awareness at all levels.

4. What are the required skills of an Ethical Hacker?
It is essential for an ethical hacker to acquire some technical and non-technical skills to become an expert ethical hacker and to use this knowledge in a lawful manner.
Technical Skills
- Profound familiarity with leading operating environments such as Windows, Linux, and macOS.
- In-depth knowledge of networking concepts, technologies, and related hardware and software.
- Knowledge of security areas and related issues.
Non-Technical Skills
- The ability to quickly learn and adapt to new technologies.
- A strong work ethic and good problem-solving and communication skills.
- Commitment to an organization's security policies.
- An awareness of local standards and laws.

5. Hacking Methodology
Learning hacking methodologies and frameworks helps ethical hackers understand the phases involved in hacking attempts along with the tactics, techniques, and procedures used by real hackers. This knowledge further helps them in strengthening the security infrastructure of their organization.
In this course, we will present various hacking methodologies such as:
- EC-Council CEH methodology.
- Cyber Kill Chain methodology.
- MITRE ATT&CK framework.

5-1. CEH Hacking Methodology
The CEH hacking methodology follows the same process as that of an attacker; the only differences are in its hacking goals and strategies. This methodology helps ethical hackers understand the various phases followed by real hackers in order to achieve their objectives.
Phases: Footprinting, Scanning, Enumeration, Vulnerability analysis, then System Hacking (Gaining Access, Escalating privileges, Maintaining Access, Clearing Logs).

5-1. CEH Hacking Methodology
- Footprinting/Reconnaissance: This phase involves an attacker collecting extensive information about the target before initiating an attack.
- Scanning and Enumeration: used to determine active hosts, open ports, and unnecessary services on designated
- Vulnerability Analysis: Attackers use vulnerability analysis to find and exploit security gaps in the target's network and systems.
- Gaining Access/Exploitation: Attackers use the information gathered in the previous phases, along with techniques such as password cracking and the exploitation of vulnerabilities, to gain access to the target system.
- Escalating Privileges: In this stage, the attacker endeavors to elevate their privileges to a higher level by exploiting known system vulnerabilities.
- Maintaining Access/Post-Exploitation: At this phase, the hacker has penetrated the system, positioning them to either upload or download files and establish mechanisms to facilitate subsequent access. Additionally, the compromised system may serve as a launchpad from which the hacker can conduct scans and exploit other systems.
- Clearing Logs: To evade detection, attackers often erase evidence of the security compromise by modifying or deleting system logs using specific log-wiping utilities, thereby obliterating all traces of their activity.

5-2. Cyber Kill Chain Methodology
The cyber kill chain is a framework developed by Lockheed Martin to secure cyberspace based on the concept of military kill chains. According to this methodology, cyberattacks might occur in seven different phases, from reconnaissance to the final accomplishment of the objective.
An understanding of the cyber kill chain methodology helps security professionals leverage security controls at different stages of an attack and helps them prevent the attack before it succeeds.
1. Gathering email addresses, personal information, etc.
2. Coupling an exploit with a backdoor into a deliverable payload.
3. Delivering the weaponized bundle to the victim via email, USB, etc.
4. Exploiting a vulnerability to execute code on the victim's system.
5. Installing malware on the asset.
6. Command channel for remote manipulation of the victim.
7. Performing actions to achieve the intended objectives.

5-3. MITRE ATT&CK Framework
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. MITRE ATT&CK comprises three collections of tactics and techniques, called Enterprise, Mobile, and ICS (Industrial Control Systems); each collection is represented in matrix form.
MITRE ATT&CK tactics and techniques for Enterprise, from https://attack.mitre.org/ (matrix figures not reproduced here).

6. Laws and Regulations
Laws are a system of rules and guidelines that are enforced by a particular country or community to govern behavior.
- Ethical hacking involves probing systems, which can sometimes resemble malicious activity. Without a proper understanding of the law, ethical hackers risk unintentionally breaking it.
- Many industries are governed by specific cybersecurity regulations, such as PCI-DSS, HIPAA, etc. Ethical hackers must be aware of these regulations to ensure that their tests meet industry standards and do not expose the organization to non-compliance risks.
- Compliance with laws and regulations enhances the credibility and reputation of ethical hackers and penetration testers, thereby rendering them more reliable to clients.

6. Laws and standards
This section provides an overview of the main laws and their associated penalties related to cybersecurity in the United States, the European Union, and Morocco.
United States
- Computer Fraud and Abuse Act. [https://www.justice.gov/jm/jm-9-48000-computer-fraud]
- California Consumer Privacy Act (CCPA). [https://oag.ca.gov/privacy/ccpa]
European Union
- Directive 2013/40 - Attacks against information systems. [https://eur-lex.europa.eu/eli/dir/2013/40/oj]
- General Data Protection Regulation (GDPR). [https://gdpr-info.eu/]
Morocco
- Law No. 07-03, Moroccan Cybercrime Law. [https://www.dgssi.gov.ma]
- Law No. 09-08, Morocco's law governing privacy and data protection. [https://www.dgssi.gov.ma] [https://www.cndp.ma/loi-09-08/]

6-1. Directive 2013/40/EU
The Directive aims to harmonize the criminal laws of the Member States concerning attacks on information systems by establishing uniform definitions of criminal offenses and corresponding sanctions. It seeks to enhance cooperation among national competent authorities, including police and specialized law enforcement, as well as relevant EU bodies such as Eurojust, Europol's European Cybercrime Centre, and the European Union Agency for Cybersecurity (ENISA).

6-1. Directive 2013/40/EU
Examples of criminal penalties under Directive 2013/40:
- Article 3: Member States shall take the necessary measures to ensure that, when committed intentionally, the access without right, to the whole or to any part of an information system, is punishable as a criminal offence where committed by infringing a security measure, at least for cases which are not minor.
- Article 4: Member States shall take the necessary measures to ensure that seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.
- Article 9.2: Member States shall take the necessary measures to ensure that the offences referred to in Articles 3 to 7 are punishable by a maximum term of imprisonment of at least two years, at least for cases which are not minor.

6-2. CFAA
The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking legislation. It prohibits unauthorized computer access.
Examples of criminal penalties under the CFAA (prison sentence):
- Obtaining National Security Information: first conviction up to 10 years; second conviction up to 20 years.
- Accessing a Computer to Defraud and Obtain Value: first conviction up to five years; second conviction up to 10 years.
- Accessing a Computer and Obtaining Information: first conviction up to one year; second conviction up to 10 years.
- Intentionally Damaging by Knowing Transmission: first conviction up to 10 years; second conviction up to 20 years.
- Trafficking in Passwords: first conviction up to one year; second conviction up to 10 years.
- Extortion Involving Computers: first conviction up to five years; second conviction up to 10 years.

6-3. Law No. 07-03
Law 07-03, the "Moroccan Cybercrime Law", aimed to address various aspects of cybercrime and establish legal frameworks for offenses related to information systems and data processing. The law introduced measures addressing unauthorized access, data interference, system sabotage, and other cyber-related activities. It established legal grounds for prosecuting cyber intrusions, hacking, identity theft, and other cyber offenses, with defined penalties for convicted individuals.

6-3. Law No. 07-03
Examples of criminal penalties under Law No. 07-03:
- Section 607-3: The act of fraudulently accessing "all or part of an automated data processing system" is punishable by one to three months of imprisonment and a fine of 2,000 to 10,000 dirhams, or only one of these two penalties.
- Section 607-5: The act of intentionally disrupting or falsifying the operation of an automated data processing system is punishable by one to three years of imprisonment and a fine of 10,000 to 20,000 dirhams, or only one of these two penalties.
- Section 607-6: The act of fraudulently introducing data into an automated data processing system, or fraudulently deteriorating, deleting, or modifying the data it contains, its processing mode, or its transmission, is punishable by one to three years of imprisonment and a fine of 10,000 to 200,000 dirhams, or only one of these two penalties.

II- Footprinting and Reconnaissance

1. Concepts
Footprinting constitutes the preparatory (first) phase, in which an ethical hacker gathers maximum information about the target organization's infrastructure, assets, and personnel. The gathered information is then used to identify the easiest way to break through the organization's security perimeter.
To obtain more relevant results, ethical hackers should gather more information about the target to increase the probability of a successful attack.

2. Footprinting types
Footprinting can be classified into two methodologies: passive and active.
- Passive Footprinting: the process of collecting information about the target without direct interaction. This form of footprinting is the least invasive, and it is the least likely to be detected by the target.
- Active Footprinting: gathering information about the target with direct interaction, such as detecting open ports, web pages, and services, and identifying exploitable weaknesses. These actions may show up in logs or monitoring systems, or affect the bandwidth utilization of the target.

3. Types of gathered information
Organization information:
- Employee details
- Telephone numbers
- Branch and location details
- Partners of the organization
- Publicly available email addresses
- News articles, press releases, and related documents
Network information:
- Domain & sub-domains
- Network blocks
- Network topology, trusted routers, and firewalls
- IP addresses of the systems
- Whois records
- DNS records
System information:
- OS
- Location of servers (Web, Database, DNS, Mail, etc.)
- Usernames and passwords

4. Footprinting techniques
Footprinting methods: through search engines, through web services, through social networking sites, through the website, through email, through Whois, through DNS, through the network, and through social engineering.

4-1. Footprinting through search engines
Search engines can be used to collect information about a target, such as technology platforms, employee details, login pages, and so on; this information helps the attacker in performing social engineering and other types of advanced system attacks.
Search engines offer advanced search operators, known as Advanced Google Hacking Techniques, that could be exploited to create complex queries for finding, filtering, and sorting specific information about the target. Advanced Google Hacking Techniques is the process of collecting information about the target without direct interaction.

4-1. Footprinting through search engines
Google has a powerful technique known as Google Dorking, which enables advanced searches on the platform by employing various operators.

4-1. Footprinting through search engines
Some types of sensitive information on public servers that can be extracted using advanced Google search operators include:
- Error messages revealing sensitive data
- Files containing passwords
- Sensitive directories
- Pages with login portals
- Pages disclosing network or vulnerability information, such as IDS or firewall logs or configuration files
- Security advisories and server vulnerabilities
- Software version information
- Web application source code
- Hidden web pages, such as those for intranet and VPN

4-1. Footprinting through search engines
Google Dorking query examples:
- Find text files containing email addresses with associated passwords: filetype:txt intext:@gmail.com intext:password
- Reveal log files containing usernames: allintext:username filetype:log
- Find potentially sensitive documents not intended for public distribution: "Not for Public Release" + "Confidential" ext:pdf | ext:doc
- Look for pages that contain the phrase "password" and have "index of" in the title: intitle:"index of" password
- Search for PHPInfo pages that may reveal sensitive information about the PHP configuration and version: ext:php intitle:phpinfo() "php version"
- Look for RSA private keys that may have been inadvertently exposed: intext:"BEGIN RSA PRIVATE KEY"

4-1. Footprinting through search engines
Google Hacking Database [https://www.exploit-db.com/google-hacking-database]
The Google Hacking Database is a repository of search queries that exploit specific Google search features to uncover publicly available but potentially exposed sensitive data. The GHDB was created to serve as a resource for security researchers to understand how various "Google Dorks" can find sensitive information, discover vulnerable systems, and provide data that can be used for cybersecurity diagnosis and testing.

4-2. Footprinting through web services
Web services such as social networks, people search services, financial services, and job portals provide valuable insights into a target's infrastructure details, physical location, personnel details, etc. Using the information collected from distinct web services, an attacker can develop a strategy to breach the target organization's network and launch sophisticated attacks.
This section aims to familiarize you with:
- Finding the target company's top-level domains, subdomains, and geographical location using searchdns.netcraft.com or Sublist3r.
- People search on social networking sites like LinkedIn, Facebook or Instagram, utilizing tools like instantusername.com or sherlock.
- People search on people search services and job portals like dice.com or indeed.com.
- Searches for connected devices using Shodan or Censys.

4-2. Footprinting through web services
Searching for sub-domains of microsoft.com utilizing Netcraft or Sublist3r.

4-2. Footprinting through web services
Searching for a username with instantusername.com or sherlock.

4-2. Footprinting through web services
Example of gathering important details about a target company from dice.com.

4-2. Footprinting through web services
Searching for devices using Shodan search queries.
Please refer to the accompanying PDF document for additional queries and examples.

4-3. Website footprinting
Website footprinting entails the analysis of a target organization's website to extract useful information. Examining the target website can reveal details such as:
- The specific software and its versions in use
- The operating system and its associated scripting platforms
- Subdirectories and their parameters
- Filenames, paths, database field names, or queries
- Employed technologies
- Contact information and CMS (Content Management System) specifics

4-3. Website footprinting
Attackers use tools like:
- Burp Suite, ZAP (Zaproxy), Wappalyzer, CentralOps, Website Informer, etc. to view HTTP header information.
- Web spider tools such as Web Data Extractor or SpiderFoot to collect specific information like employee names, email addresses, etc.
- Mirroring tools such as HTTrack or Cyotek WebCopy to download the entire structure of a website to a local directory. This technique has the following benefits:
  - Spend more time viewing and analyzing the website for vulnerabilities and loopholes.
  - Find valuable information from the mirrored copy without sending multiple requests to the web server.

4-4. Email footprinting
Email footprinting can be conducted by tracking email communications, during which hackers attempt to collect information from email headers and use email tracking tools. Attackers track emails to gather information about a target recipient, such as IP addresses, geolocation, and browser and OS details, to build a hacking strategy and perform social engineering and other attacks.
Email tracking tools, such as eMailTrackerPro and Mailtrack, allow an attacker to track an email and extract information such as sender identity, mail server, the sender's IP address, and location.

4-5. Whois and DNS footprinting
Whois footprinting helps in gathering domain information such as the owner of an organization, its registrar, registration details, its name servers, and contact information. Whois databases are maintained by Regional Internet Registries and contain personal information of domain owners:
- Domain name details
- Contact details of domain owners
- Domain name servers
- NetRange
- When a domain was created
- Expiry records
- Last updated record
Whois services such as whois.domaintools.com or whois-webform.markmonitor.com/whois can help perform Whois lookups.

4-5. Whois and DNS footprinting
Attackers perform DNS footprinting to gather information about DNS servers, DNS records, and the types of servers used by the target organization. This information helps attackers identify the hosts connected in the target network and further exploit the target organization.
DNS footprinting helps in determining the following records about the target DNS:
- A: Points to a host's IP address
- MX: Points to the domain's mail server
- NS: Points to the host's name server
- CNAME: Canonical name; allows aliases to a host
- SOA: Indicates authority for a domain
- SRV: Service records
- PTR: Maps an IP address to a hostname
- RP: Responsible person
- HINFO: Host information record; includes CPU type and OS
- TXT: Unstructured text records
Attackers use DNS interrogation tools such as securitytrails.com, DNSdumpster.com, or dnsrecon to perform DNS footprinting.

4-6. Footprinting through social engineering
Social engineering is a non-technical process in which an attacker misleads a person (an authorized user) into inadvertently providing confidential information. Although social engineering attacks may differ in techniques and goals, they all follow the same four-stage cycle.
The information obtained through social engineering may include:
- Credit card details
- Usernames and passwords
- Security products in use
- OS and software versions
- Network layout information
The confidential information will then be used for malicious purposes such as:
- Gaining unauthorized access to the system
- Industrial espionage
- Network intrusion
- Fraud

4-6. Footprinting through social engineering
Gathering information in social engineering can be performed in many ways, such as:
- Eavesdropping: Unauthorized listening to conversations or reading of messages; it is the interception of any form of communication, such as audio, video, or text.
- Shoulder surfing: Secretly observing the target to gather critical information such as passwords, personal identification numbers, account numbers, and credit card information.
- Dumpster Diving: Looking for treasure in someone else's trash. It involves the collection of phone bills, contact information, financial information, operations-related information, etc. from the target company's trash bins, printer trash bins, user desks (sticky notes), etc.
- Impersonation: Pretending to be a legitimate or authorized person and using the phone or another communication medium to mislead targets and trick them into revealing information.

4-6. Footprinting through social engineering
Example of a social engineering attack scenario using the impersonation technique:
- An attacker selects a target company and uses social media, the company's website or job portals to gather information about the IT support team and their methods of communication with employees.
- The attacker calls an employee claiming to be from the IT support team. The attacker states they are following up on reported system errors or security patches that need immediate attention.
- The attacker then asks the employee to provide remote access to their computer to "resolve" the issues.

5. OSINT Framework
We have previously discussed various footprinting tools, including TheHarvester, Shodan, Sherlock, dnsrecon, etc. Many additional tools exist that cannot all be enumerated. An excellent resource that encompasses the main tools utilized in information gathering is the OSINT Framework.
The OSINT Framework is an open source intelligence gathering framework focused on collecting information from free tools or resources. It includes a simple web interface that lists various tools arranged by category, shown as a tree structure on the web interface. [https://osintframework.com/]

6. Footprinting Countermeasures
Some of the footprinting countermeasures to prevent or offset information disclosure:
People
- Encourage employees to use pseudonyms when posting on blogs, groups, and forums.
- Regularly hold security awareness training to inform employees about various social engineering risks and tricks.
- Avoid sharing personal locations or travel plans on social media platforms.
- Make sure critical information, such as strategic plans, product data, or sales forecasts, is not visible on notice boards or office walls.
- Deactivate or remove accounts of ex-employees from the organization's systems.
- Ensure the details shared with Internet registrars are sanitized to mask the organization's direct contact information.
- Restrict employees' access to social media sites from the company's network.

6. Footprinting Countermeasures
Process
- Implement security policies, including information security and password guidelines, to control what information employees can disclose to third parties.
- Minimize the amount of information shared on the website or across the Internet.
- Do not share sensitive information in press releases, annual reports, or product catalogs.
- Use privacy services for the Whois lookup database to keep your contact details private and secure.
- Request archive.org to delete the website's historical data from their archive database.
- Store critical documents like business plans and proprietary documents offline to prevent unauthorized access.

6. Footprinting Countermeasures
Technology (Services, Software, Configurations)
- Configure web servers to avoid information leakage.
- Employ footprinting methods to identify and remove publicly exposed sensitive data.
- Block search engine caching and use anonymous registration services.
- Separate internal and external DNS, restricting zone transfers to authorized servers.
- Disable directory listings on web servers.
- Protect sensitive data through encryption and password security.
- Disable unnecessary protocols.
- Use a layered and defense-in-depth approach. [https://www.giac.org/paper/gsec/2233/overview-defense-in-depth-layer-tcp-ip-model/103817]
- Conceal IP addresses by deploying a VPN or using a secure proxy.
- Configure mail servers to reject messages from anonymous senders.

III- Scanning and Enumeration

Content
- Scanning Concepts
- Host discovery
- Port and service discovery
- OS discovery
- Evading techniques
- Network Enumeration

1. Concepts
Network scanning refers to a set of procedures used for identifying:
- Active machines in a network and the OS running on a target machine.
- The ports along with their respective services running on each device/system.
- IP addresses that can be accessed over the network.
Network scanning is one of the components of intelligence gathering which can be used by an attacker to create a profile of the target organization. In the scanning phase of an attack, the attacker tries to find various ways to penetrate a target system.

2. Objectives
- Discover the network's live hosts and the open ports of the live hosts. These ports are used to determine the optimal entry points into the system.
- Discover the OS and system architecture of the target. An attacker can formulate an attack strategy based on the OS's vulnerabilities.
- Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining access to the target system.
- Identify specific applications or versions of a particular service.

3. Scanning types
- Port scanning: Port scanning is the process of identifying open ports and services on a target system by sending a series of probing messages. This technique involves connecting to or querying TCP and UDP ports to determine whether services are active or in a listening state.
- Host scanning: Host scanning refers to the identification of active hosts and their corresponding IP addresses within a network. This method involves probing the network to discover operational devices, facilitating the mapping of active network components.
- Vulnerability scanning: Vulnerability scanning involves detecting the presence of known weaknesses in a system by identifying its exploitable vulnerabilities.

4. TCP communication flags
The TCP header includes several flags that control data transmission across a TCP connection. To manage connections between hosts, TCP utilizes six control flags: SYN, ACK, FIN, RST, PSH, and URG. Each flag is represented by a 1-bit field, resulting in a total of 6 bits for the flags section. A flag is activated when its value is set to '1'.

4. TCP communication flags
Example frame (hex dump):
00 40 07 03 04 2b 02 60 8c e8 02 91 08 00 45 00
00 2c 14 ee 00 00 3c 06 85 7a 93 d2 5e 63 93 d2
5e 5c 10 a4 09 e7 42 0c 56 01 00 00 00 00 60 02
40 00 c1 29 00 00 02 04 05 b4
Decoding:
- Destination MAC: 00 40 07 03 04 2b; Source MAC: 02 60 8c e8 02 91
- Protocol type: 08 00 (08 00 = IPv4; 86 dd = IPv6)
- Layer 4 protocol: 06 (06 = TCP; 0f = UDP)
- Source IP: 93 d2 5e 63 = 147.210.94.99 (93 = 1001 0011 = 128+16+3 = 147)
- Destination IP: 93 d2 5e 5c = 147.210.94.92
- Source port: 10 a4 = 4260
- Destination port: 09 e7 = 2535
- Sequence number: 42 0c 56 01
- Acknowledgement number: 00 00 00 00
- 60 02 = 0110 000000 000010 (header size: 0110; reserved: 000000; URG|ACK|PSH|RST|SYN|FIN: 000010), i.e. SYN = 1

4. TCP communication flags
- SYN: The synchronisation flag is used as the first step in establishing a three-way handshake between two hosts. Only the first packet from both the sender and the receiver should have this flag set.
- ACK: The acknowledgment flag is used to acknowledge the successful receipt of a packet.
- FIN: Used to end a connection; no further data exchange will happen.
- URG: Represents an urgent pointer. If it is set, the data is processed urgently.
- PSH: The push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received.
- RST: If it is set, it requests to reset (restart) the connection.
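As an added example (not code from the course), the following Python script performs the same decoding of the slide's hex dump programmatically: it walks the Ethernet, IPv4 and TCP headers, names the six flag bits, and labels the flag combination. It assumes an Ethernet II frame carrying IPv4 and TCP, which is what the dump contains; the function names are this example's own.

```python
"""Decode the Ethernet/IPv4/TCP frame from the slide and extract the TCP flags.

Added example (not code from the course). It walks the three headers with
struct, the same way the slide does by hand, and names the flag bits so a
captured packet can be labelled as SYN, SYN/ACK, RST, etc.
"""
import struct

# The hex dump shown on the slide: a TCP SYN from 147.210.94.99:4260 to 147.210.94.92:2535.
SLIDE_FRAME_HEX = (
    "00 40 07 03 04 2b 02 60 8c e8 02 91 08 00 45 00 "
    "00 2c 14 ee 00 00 3c 06 85 7a 93 d2 5e 63 93 d2 "
    "5e 5c 10 a4 09 e7 42 0c 56 01 00 00 00 00 60 02 "
    "40 00 c1 29 00 00 02 04 05 b4"
)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6  # IANA protocol number for TCP (UDP is 17, i.e. 0x11)

# The six flags from the slide, stored in the low bits of the 16-bit offset/flags word.
TCP_FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def decode_frame(hex_dump: str) -> dict:
    """Parse Ethernet -> IPv4 -> TCP headers and return the fields the slide decodes by hand."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 14 + 20 + 20:
        raise ValueError("frame too short to hold Ethernet, IPv4 and TCP headers")

    # Ethernet II: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")

    # IPv4: version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, addresses.
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (0x45 -> 20)
    if proto != IPPROTO_TCP:
        raise ValueError(f"not TCP (IP protocol {proto})")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])

    # TCP: ports, sequence/acknowledgement numbers, data offset + flags, window, checksum, urgent pointer.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _tcp_csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4  # 0x6 -> 24-byte header, so 4 bytes of options follow
    flags = [name for name, bit in TCP_FLAG_BITS.items() if off_flags & bit]

    return {
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "tcp_header_len": data_offset, "window": window,
        "flags": flags,
        "options": parse_tcp_options(tcp[20:data_offset]),
    }


def parse_tcp_options(opts: bytes) -> dict:
    """Parse TCP options; MSS (kind 2) is what the slide's frame carries (02 04 05 b4)."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # No-operation padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            out["mss"] = int.from_bytes(opts[i + 2:i + 4], "big")
        else:
            out[f"kind_{kind}"] = opts[i + 2:i + length].hex()
        i += length
    return out


def classify_flags(flags) -> str:
    """Label a flag combination; the contradictory ones are what scan detectors look for."""
    s = set(flags)
    if not s:
        return "NULL (no flags set; a normal stack never sends this)"
    if {"SYN", "FIN"} <= s:
        return "SYN+FIN (contradictory; crafted packet)"
    if {"FIN", "PSH", "URG"} <= s and "ACK" not in s:
        return "XMAS (FIN/PSH/URG without ACK; crafted packet)"
    if s == {"SYN"}:
        return "SYN (first step of the three-way handshake)"
    if s == {"SYN", "ACK"}:
        return "SYN/ACK (second step of the three-way handshake)"
    if "RST" in s:
        return "RST (connection refused or aborted)"
    return "established-connection segment"


if __name__ == "__main__":
    fields = decode_frame(SLIDE_FRAME_HEX)
    for key, value in fields.items():
        print(f"{key:>15}: {value}")
    print(classify_flags(fields["flags"]))
```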
5. Scanning tools In the domain of cybersecurity, effective network scanning is crucial for identifying vulnerabilities and ensuring the security of networks and systems. Numerous tools are available, each with unique features and capabilities. In this course, we will present three widely used network scanning tools: Metasploit Framework [https://www.metasploit.com/]. Nmap ("Network Mapper") [https://nmap.org/]. Zenmap [https://nmap.org/]. 59 5-1. Metasploit Metasploit is an open-source framework that offers a comprehensive infrastructure, resources, and tools for conducting penetration tests and extensive security audits. It encompasses features for scanning open ports, detecting live hosts, identifying operating systems, and enumerating services. Metasploit provides three distinct ways of scanning a network from the msfconsole prompt: (1) Running Nmap directly from Metasploit. Ex: nmap -sS 192.168.1.5 (2) Running Nmap through db_nmap, which runs the same scan but stores the results (hosts, ports, services) in the Metasploit database for easier reference and analysis, for example with the hosts and services commands. Ex: db_nmap -sS 192.168.1.0/24 (3) Using the auxiliary scanner modules, such as: TCP Port Scan: auxiliary/scanner/portscan/tcp Ping Sweep (Host Discovery): auxiliary/scanner/discovery/icmp_ping 60 IP Range Scan: auxiliary/scanner/discovery/iprange 5-1. Metasploit Using nmap and db_nmap in Metasploit (screenshot). 61 5-1. Metasploit Using the portscan auxiliary module in Metasploit (screenshot). 62 5-1. Metasploit Using the portscan auxiliary module in Metasploit (screenshot). 63 5-2. Zenmap Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform free and open source application which aims to make Nmap easy and more accessible for users who prefer a visual interface. To install Zenmap in Kali: sudo apt install zenmap Zenmap retains all the functionality of Nmap; the Nmap command line it builds is shown in its Command field, so it is also a convenient way to learn the options. Zenmap comes with several built-in profiles (a profile is a set of predefined scanning configurations or parameters used to perform network scans), but users can also create custom ones.
Profiles allow users to quickly execute different types of scans without needing to manually input a set of options or flags every time. 64 5-2. Zenmap Example of creating a new Zenmap profile. Profile name: IP fragment. Command: nmap -sS -p 80 -f Description: SYN scan targeting port 80, utilizing the -f option of Nmap to fragment the probe packets (into 8-byte IP fragments; -ff uses 16-byte fragments) during the scan. 65 5-2. Zenmap To display the description of a profile, select the profile and open it for editing; the description is then shown. 66 5.3. NMAP Nmap ("Network Mapper") is a security scanner for network exploration and hacking. Nmap includes many mechanisms for port scanning, OS detection, service detection (application name and version), ping sweeps, and so on. [https://nmap.org/] The following slides cover: Host discovery techniques; Port and service discovery techniques; Service version discovery techniques; Nmap scan time reduction techniques; OS discovery techniques; IDS and firewall evasion techniques. 67 6. Host discovery techniques Host discovery methods: TCP SYN Ping, TCP ACK Ping, IP Protocol Ping, UDP Ping, ICMP Ping, ARP Scan. 68 6-1. Host discovery techniques TCP SYN Ping: a host discovery technique that sends a TCP SYN to one or more ports (port 80 by default; other ports can be listed, e.g. -PS22,443) and treats any answer as proof that the host is up. Using Nmap, the attacker starts a three-way handshake by sending a TCP SYN to the target host. If the port is open, the target replies with SYN/ACK; if it is closed, it replies with RST. Either reply confirms that the host is active. When a SYN/ACK comes back, the attacker's operating system, which did not initiate the connection, immediately answers with an RST, so the connection is never completed. Exchange: empty TCP SYN packet -> SYN/ACK (or RST) packet: host is active -> RST. nmap -sn -PS TargetIP -sn : disable port scan (host discovery only). 69 6-1. Host discovery techniques TCP ACK Ping: In the TCP ACK ping technique, the attacker sends an empty TCP ACK packet to the target host directly (port 80 by default). Since there is no prior connection between the attacker and the target host, after receiving the ACK packet the target host responds with an RST, whether the port is open or closed. The reception of this RST packet at the attacker's end indicates that the host is active. Nmap sends both SYN and ACK probes in its default host discovery because a stateful firewall usually drops the unsolicited ACK but may pass the SYN, while a stateless filter that blocks SYN often lets the ACK through.
Exchange: empty TCP ACK packet -> RST packet: host is active. nmap -sn -PA TargetIP 70 6-1. Host discovery techniques UDP Ping: The attacker sends a UDP packet to the target host (port 40125 by default, chosen because it is unlikely to be in use; a service port such as 53 or 161 can be given with -PU53,161). If the port is closed, which is the common case, the target replies with an ICMP port unreachable message, which proves that the host is up; a UDP reply from a service on an open port proves the same. If the target host is offline or unreachable, either nothing comes back or a router returns a different ICMP error such as host/network unreachable or TTL exceeded. Exchange: UDP ping -> UDP response or ICMP port unreachable: host is active. nmap -sn -PU TargetIP 71 6-1. Host discovery techniques ICMP Ping: Nmap sends an ICMP "echo request" packet to the target IP addresses, expecting an "echo reply" in return from available hosts. Many firewalls block echo requests, so Nmap can also use ICMP timestamp requests (-PP) and address mask requests (-PM) for the same purpose. Exchange: ICMP echo request -> ICMP echo reply: host is active. nmap -sn -PE TargetIP 72 6-1. Host discovery techniques IP Protocol Ping: This technique sends packets with different IP protocol numbers in the IP header, hoping to get a response indicating that a host is online. By default Nmap sends ICMP (protocol 1), IGMP (2) and IP-in-IP (4) packets; other protocol numbers such as TCP (6) or UDP (17) can be listed after -PO. Any response to any probe, including an ICMP protocol unreachable error, indicates that the host is online. Exchange: ICMP, IGMP, IP-in-IP (or other) probes -> any response: host is active. nmap -sn -PO TargetIP 73 6-1. Host discovery techniques ARP Ping: In the ARP ping scan, ARP requests are sent for discovering all active devices in an IPv4 range on the local Ethernet segment. The attacker sends an ARP request probe for each target address; if an ARP reply comes back, the host is active. Nmap uses ARP automatically whenever the targets are on the same Ethernet segment, because ARP replies are faster and more reliable than IP-level probes and are not subject to the host firewall rules that drop ICMP or TCP probes; since ARP does not cross routers, the technique only works on the local subnet. Exchange: ARP request probe -> ARP response: host is active. nmap -sn -PR TargetIP 74 6-1.
Host discovery techniques Host discovery summary (scan type | command | request | response and meaning | advantages): TCP SYN Ping | nmap -sn -PS TargetIP | empty TCP SYN | SYN/ACK or RST: host is active; no response: host is inactive (or the probe was filtered) | Checks whether the host is up without establishing a connection. TCP ACK Ping | nmap -sn -PA TargetIP | empty TCP ACK | RST: host is active; no response: host is inactive | Raises the chance of getting past stateless firewalls that only block SYN packets. UDP Ping | nmap -sn -PU TargetIP | UDP datagram | UDP reply or ICMP port unreachable: host is active; other error or no response: host is inactive | Finds hosts behind firewalls that enforce strict TCP filtering. ICMP Ping | nmap -sn -PE TargetIP | ICMP echo request | ICMP echo reply: host is active; no response: host is inactive | Effective for detecting active devices and for checking whether ICMP passes through a firewall; Windows hosts often block echo requests by default, so it misses many Windows-based networks. IP Protocol Ping | nmap -sn -PO TargetIP | IP packets with different protocol numbers (ICMP, IGMP, IP-in-IP, ...) | any response: host is active; no response: host is inactive | Using several IP protocols increases the chance that one of them gets a reply. ARP Ping | nmap -sn -PR TargetIP | ARP request | ARP reply: host is active; no response: host is inactive | More efficient and precise than the other techniques on a local subnet; useful when a large local address space has to be swept. 75 7. Port and Service discovery techniques Port scanning techniques: full-open (TCP connect) scan, half-open (SYN) scan, inverse TCP flag scans (Xmas scan, FIN scan, NULL scan), TCP Maimon scan, UDP scan. 76 7.1. Port and Service discovery techniques Full-open/TCP connect scan completes a three-way handshake with the target host. In this scan, the attacker initiates the three-way handshake by sending a SYN packet, which the target answers with SYN/ACK if the port is open (or RST if it is closed). The attacker then completes the handshake by sending an ACK. Subsequently, the attacker sends an RST packet to terminate the connection.
This method is easy to detect and filter: the connection is fully established, so the target application sees it and can log it. On the other hand it needs no special privileges, because Nmap uses the operating system's connect() call instead of crafting raw packets, so it is the default TCP scan for non-root users. Exchange: SYN packet (port n) -> SYN/ACK packet -> ACK -> RST. nmap -sT -v TargetIP 77 7.1. Port and Service discovery techniques Half-open scan (stealth scan): The half-open scan resets the TCP connection before completing the three-way handshake. The attacker transmits a SYN packet to the target on the specified port. If the port is open, the server replies with SYN/ACK; if closed, the server responds with RST; if nothing comes back after retransmissions, or an ICMP unreachable error is received, the port is reported as filtered. The attacker then sends an RST to tear down the half-open connection before it is fully established, so the application never receives a connection and is less likely to log it. This scan needs raw socket privileges (root/sudo on Linux) and is Nmap's default when run as root. Exchange: SYN (port n) -> SYN/ACK packet (port is open) -> RST. nmap -sS -v TargetIP 78 7.1. Port and Service discovery techniques Inverse TCP flag scans: The attacker sends TCP probe packets with specific flags (FIN, URG, PSH) or with no flags set. According to RFC 793, a closed port must answer such a probe with an RST, while an open port must ignore it. An open port therefore produces no response (Nmap reports it as open|filtered, because a firewall dropping the probe looks the same), while a closed port returns an RST. If no flag is set, it is known as NULL scanning (nmap -sN). If only the FIN flag is set, it is known as FIN scanning (nmap -sF). If FIN, URG, and PSH are all set, it is known as Xmas scanning (nmap -sX). These scans can slip past stateless firewalls that only look for SYN packets, but they only work against RFC-compliant stacks: Microsoft Windows, many Cisco devices and several other systems send RST regardless of the port state, so every port appears closed. Exchange: probe packet (FIN/URG/PSH/NULL) -> no response (if port is open) / RST (if port is closed). 79 7.1. Port and Service discovery techniques Xmas scan: In a Xmas scan, the attacker sends a TCP segment with the FIN, URG, and PSH flags set (lit up like a Christmas tree). No response indicates an open (or filtered) port, while a closed port returns an RST. Exchange: FIN + URG + PSH -> no response (if port is open) / RST (if port is closed). nmap -sX -v TargetIP 80 7.1. Port and Service discovery techniques TCP Maimon scan: This technique, named after Uriel Maimon who described it, is similar to the NULL, FIN, and Xmas scans but uses a FIN/ACK probe. According to RFC 793 an RST should come back whether the port is open or closed, but many BSD-derived systems simply drop the probe if the port is open, so no response suggests an open port on such systems. Exchange: FIN/ACK probe -> no response (if port is open) / RST (if port is closed) / ICMP unreachable (if port is filtered). nmap -sM -v TargetIP 81
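The response rules above differ per probe type and per target stack, and it is easy to misread a silent port. The following Python example (added here; it is not from the slides and not Nmap's code) encodes the interpretation rules Nmap documents for each scan type and runs them against two toy target models: an RFC 793-compliant stack and a Windows-style stack that answers every inverse-flag probe with RST. A firewall wrapper shows why a SYN scan reports filtered while a FIN scan reports open|filtered for the same dropped probe. The port numbers and the two stack models are illustrative assumptions; no packets are sent.

```python
"""Port-state inference for TCP/UDP scan types, using the rules documented for Nmap.

Added example for the course notes; simulated responses only, no packets are sent.
"""
from enum import Enum


class Probe(Enum):
    CONNECT = "-sT"
    SYN = "-sS"
    NULL = "-sN"
    FIN = "-sF"
    XMAS = "-sX"
    MAIMON = "-sM"
    ACK = "-sA"
    UDP = "-sU"


class Reply(Enum):
    NONE = "no response after retransmissions"
    SYN_ACK = "TCP SYN/ACK"
    RST = "TCP RST"
    UDP_DATA = "UDP payload"
    ICMP_PORT_UNREACH = "ICMP type 3 code 3"
    ICMP_ADMIN_UNREACH = "ICMP type 3, code 1, 2, 9, 10 or 13"


INVERSE = {Probe.NULL, Probe.FIN, Probe.XMAS, Probe.MAIMON}


def classify(probe: Probe, reply: Reply) -> str:
    """Map one probe/reply pair to the port state Nmap would print."""
    if reply is Reply.ICMP_ADMIN_UNREACH:
        return "filtered"                      # a filter explicitly rejected the probe
    if probe in (Probe.SYN, Probe.CONNECT):
        table = {Reply.SYN_ACK: "open", Reply.RST: "closed", Reply.NONE: "filtered"}
    elif probe in INVERSE:
        # Silence is ambiguous: an open port ignores the probe, but so does a firewall.
        table = {Reply.RST: "closed", Reply.NONE: "open|filtered"}
    elif probe is Probe.ACK:
        table = {Reply.RST: "unfiltered", Reply.NONE: "filtered"}
    else:  # UDP
        table = {Reply.UDP_DATA: "open", Reply.ICMP_PORT_UNREACH: "closed",
                 Reply.NONE: "open|filtered"}
    return table.get(reply, "unexpected reply")


def rfc793_stack(open_ports):
    """Toy target that answers as RFC 793 prescribes (Maimon probe: BSD-style drop when open)."""
    def respond(probe: Probe, port: int) -> Reply:
        is_open = port in open_ports
        if probe is Probe.UDP:
            return Reply.UDP_DATA if is_open else Reply.ICMP_PORT_UNREACH
        if probe in (Probe.SYN, Probe.CONNECT):
            return Reply.SYN_ACK if is_open else Reply.RST
        if probe is Probe.ACK:
            return Reply.RST                   # unsolicited ACK: RST from open and closed ports alike
        return Reply.NONE if is_open else Reply.RST
    return respond


def windows_stack(open_ports):
    """Toy Windows-style target: RST to every inverse-flag probe, so those scans see only 'closed'."""
    base = rfc793_stack(open_ports)

    def respond(probe: Probe, port: int) -> Reply:
        return Reply.RST if probe in INVERSE else base(probe, port)
    return respond


def behind_firewall(respond, allowed_ports, reject=False):
    """Wrap a target with a filter that drops (or rejects with ICMP) probes to other ports."""
    def filtered(probe: Probe, port: int) -> Reply:
        if port in allowed_ports:
            return respond(probe, port)
        return Reply.ICMP_ADMIN_UNREACH if reject else Reply.NONE
    return filtered


def scan(probe: Probe, respond, ports) -> dict:
    """Run one scan type against a target model and return {port: state}."""
    return {port: classify(probe, respond(probe, port)) for port in ports}


if __name__ == "__main__":
    linux = rfc793_stack({22, 80})                        # assumed open ports
    win = windows_stack({22, 80})
    fw = behind_firewall(linux, allowed_ports={22})       # everything but SSH is dropped
    for name, target in (("rfc793", linux), ("windows", win), ("rfc793+fw", fw)):
        for probe in (Probe.SYN, Probe.FIN, Probe.ACK):
            print(f"{name:10} {probe.value}: {scan(probe, target, [22, 23, 80])}")
```

Against the firewalled target, a SYN scan distinguishes the open port 22 from the filtered port 80, while a FIN scan reports both as open|filtered; against the Windows model the FIN scan reports every port closed even though 22 and 80 are open, which is why Nmap's documentation warns that inverse-flag scans must be confirmed with a SYN scan.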
7.1. Port and Service discovery techniques UDP scan: UDP port scanning involves sending UDP datagrams to target ports and analyzing the responses to determine whether the ports are open, closed, or filtered. An ICMP "port unreachable" (type 3, code 3) means the port is closed; a UDP reply means it is open; other ICMP unreachable errors mean it is filtered; no response means the port may be open or filtered, because most UDP services only answer a correctly formatted request. For that reason Nmap sends protocol-specific payloads to well-known UDP ports (DNS, SNMP, NTP, ...) and an empty datagram to the others, and combining -sU with version detection (-sV) often turns open|filtered into open. UDP scans are slow, since many systems rate-limit ICMP error messages (the Linux kernel limits destination unreachable messages to about one per second), so scanning all 65535 UDP ports can take hours; limit the scan to the ports that matter. Exchange: UDP packet (port n) -> no response (port open or filtered) / UDP reply (port open) / ICMP port unreachable (port closed). nmap -sU -v TargetIP 82 7.1. Port and Service discovery techniques Service version detection helps attackers obtain information about the running services and their versions on a target system. Nmap connects to each open port, reads any banner, and sends a series of probes from its nmap-service-probes database, matching the replies against known signatures: nmap -sV TargetIP By obtaining accurate service version numbers, an attacker can determine which exploits the target system is vulnerable to. 83 7-2. OS discovery Host discovery techniques identify active devices in a network. To exploit the target, it is highly essential to identify the OS running on the target machine. Nmap can fingerprint the TCP/IP stack actively (nmap -O TargetIP), comparing the target's responses to a series of crafted probes against its nmap-os-db database, and attackers can also use various scripts in the Nmap Scripting Engine for performing OS discovery on the target machine. For example, in Nmap, smb-os-discovery is a built-in script that collects OS information from a Windows host through the SMB protocol: nmap -p 445 --script smb-os-discovery TargetIP 84 8. Evading techniques Though firewalls and IDSs can prevent malicious traffic (packets) from entering a network, attackers can manage to send the intended packets to the target by evading the IDS or firewall through the following techniques: Packet Fragmentation, Source Port Manipulation, IP Address Decoy, Idle Zombie Scan, MAC Address Spoofing, Randomizing Hosts and bad Checksums. 85 8-1. Packet Fragmentation Packet fragmentation refers to the splitting of a probe packet into several smaller IP fragments while sending it to a network, so that even the TCP header is spread over several fragments. When these fragments reach the target network, the IDS and firewalls in front of the host must queue all of them and reassemble the original packet before they can match it against their rules.
However, since reassembly costs CPU and memory, some IDS configurations skip it and inspect each fragment on its own, so a rule that needs the complete TCP header, or a signature split across two fragments, is never matched, and the fragments reach the host, which reassembles them normally. Modern IDS such as Snort and Suricata reassemble fragments by default, so this technique mainly helps against old or misconfigured devices. nmap -sS -f TargetIP 86 8-2. Source Port Manipulation Source port manipulation refers to replacing the scanner's actual (random) source port number with a common, trusted port number in order to evade an IDS or firewall. The security misconfiguration it exploits is blind trust in the source port number: it occurs when a firewall is configured to allow packets whose source port is a well-known service port such as DNS (53), FTP data (20) or HTTP (80), a common shortcut in stateless packet filters that wanted to let replies back in to internal clients. A stateful firewall that tracks connections is not fooled. Nmap uses the -g or --source-port option to perform source port manipulation. nmap -sS -g 80 TargetIP 87 8-2. Source Port Manipulation (screenshot) 88 8-3. IP Address Decoy The IP address decoy technique refers to generating or manually specifying the IP addresses of decoys in order to evade an IDS or firewall. To the target it appears that the decoys as well as the real host are scanning the network. This technique makes it difficult for the IDS or firewall to determine which IP address was actually scanning the network and which IP addresses were decoys. It only hides the attacker among the decoys: the probes still reach the target, and only the replies to the attacker's own address reveal the result to the attacker. Decoys should be hosts that are actually up, otherwise the target may be flooded with SYNs it cannot answer, and the attacker's ISP must not filter spoofed source addresses. Nmap has two forms of decoy scanning: nmap -D RND:10 TargetIP (ten random decoy addresses) and nmap -D IP1,IP2,ME,IP3 TargetIP (explicit decoys, with ME marking the position of the attacker's real address among them). 89 8-3. IP Address Decoy (screenshot) 90 8-4. Idle Zombie Scan The idle zombie scan is a scanning technique that allows an attacker to use an idle system (the zombie machine) to scan a target system without sending a single packet to the target from the attacker's own IP address. The scan works by exploiting the predictable IP identification (IP ID) field generation of some systems: the zombie must use a single global counter that increases by one for every packet it sends, and it must be truly idle, i.e. sending no other traffic during the scan. sudo nmap -sI ZombieHost TargetIP 91 8-4. Idle Zombie Scan Explanation of the idle scan when a port is open. Step 1: The attacker sends a SYN/ACK to the zombie. The zombie, not expecting it, responds with an RST, and that RST carries the zombie's current IP ID, X. Step 2: The attacker sends a forged SYN packet, with the zombie's address as source, to the target port. If the port is open, the target replies with a SYN/ACK to the zombie; since the zombie was not expecting this either, it responds with an RST, incrementing its IP ID to X+1. If the port is closed, the target sends an RST to the zombie, which the zombie ignores without sending anything, so its IP ID stays at X. If the port is filtered, nothing reaches the zombie and its IP ID also stays at X. Step 3: The attacker sends another SYN/ACK to the zombie. The zombie's RST now shows an IP ID increased by two from step 1 (X+2) if the port was open, and by only one (X+1) if it was closed or filtered; the idle scan therefore cannot distinguish closed from filtered ports. Nmap first checks that the zombie's IP ID really is incremental and idle before using it; modern Linux and Windows kernels randomize IP IDs or keep per-destination counters, so usable zombies are mostly older or embedded devices such as printers and routers. 92 8-4. Idle Zombie Scan Example of an idle scan (screenshot). Which port do you think is open, 138 or 139? The open one is the port whose probe moved the zombie's IP ID by two. 93 8-5. MAC Address Spoofing The MAC address spoofing technique involves replacing the attacker's MAC address with the MAC address of a legitimate device on the network, for example to bypass a switch port or wireless access list that filters by MAC. Attackers use the --spoof-mac Nmap option to set a specific MAC address for the packets to evade such filters. nmap -sS -p80 --spoof-mac trusted_MAC TargetIP The attacker can also generate a random MAC address, using --spoof-mac 0, and attach it to the packets in place of the original MAC address while performing host scanning (a vendor name such as Cisco or a 3-byte prefix is accepted as well, and the remaining bytes are randomized). nmap -sS -p80 --spoof-mac 0 TargetIP The MAC address is only visible on the local Ethernet segment, since every router rewrites it, so this option has no effect on a target across a router; and because the target's replies are addressed to the spoofed MAC, the attacker must be able to capture them on the segment. 94 8-6. Randomizing Hosts & bad Checksums The attacker scans the hosts in the target network in a random order to reach the intended target lying beyond the firewall without the sequential sweep pattern that monitoring tools look for. The option used by Nmap to scan with a random host order is --randomize-hosts. This option instructs Nmap to shuffle each group of up to 16384 hosts before scanning them; combined with slow timing options, it makes the scan less noticeable to network monitoring systems and firewalls. nmap --randomize-hosts TargetIP The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target to probe certain firewall rule sets. TCP/UDP checksums are used to ensure data integrity, and every real TCP/IP stack silently drops a packet whose checksum is wrong. Sending packets with incorrect checksums can therefore help attackers acquire information from improperly configured systems by checking for any response: if there is a response, it comes from an IDS or firewall that replied without verifying the checksum, which also tells the attacker that the device's answers can be told apart from the real host's. If there is no response or the packets are dropped, the packets were handled by a correctly behaving stack. This technique instructs Nmap to send packets with invalid TCP, UDP, or SCTP checksums to the target host. The option used by Nmap is --badsum. nmap --badsum TargetIP
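To make the IP ID arithmetic of the idle scan concrete, here is an added Python simulation (not from the slides and not Nmap's code). It models a zombie with a global incrementing IP ID counter, a target with open, closed and filtered ports, and an attacker that runs the three steps above for each port; it also implements the zombie suitability check and shows what happens when the zombie is not idle. Host names, port numbers, the amount of background traffic and the starting IP ID are made-up values.

```python
"""Idle (zombie) scan simulation: the zombie's IP ID counter reveals the target's port state.

Added example for the course notes; toy stacks only, no packets leave this process.
"""


class Host:
    """Toy TCP/IP stack with one global IP ID counter (the property an idle scan needs)."""

    def __init__(self, name, open_ports=(), filtered_ports=(), ipid_start=1000, extra_traffic=0):
        self.name = name
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)      # probes to these are silently dropped
        self.ipid = ipid_start
        self.extra_traffic = extra_traffic             # unrelated packets sent per network event

    def _next_ipid(self):
        self.ipid += 1                                 # every packet sent consumes one IP ID
        return self.ipid

    def receive(self, pkt, net):
        flags, src, dport = pkt["flags"], pkt["src"], pkt["dport"]
        if dport in self.filtered_ports:
            return                                     # firewall drop: no reply at all
        if flags == "SYN/ACK":
            # Unsolicited SYN/ACK: reply RST; the RST exposes the current IP ID.
            net.deliver({"flags": "RST", "src": self.name, "dst": src, "dport": 0,
                         "ipid": self._next_ipid()})
        elif flags == "SYN":
            reply = "SYN/ACK" if dport in self.open_ports else "RST"
            net.deliver({"flags": reply, "src": self.name, "dst": src, "dport": 0,
                         "ipid": self._next_ipid()})
        # An unexpected RST is dropped silently: nothing is sent, the IP ID does not move.


class Network:
    """Routes packets by destination name; packets addressed to 'attacker' are captured."""

    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}
        self.captured = []

    def deliver(self, pkt):
        for host in self.hosts.values():               # a busy zombie burns IP IDs in the background
            host.ipid += host.extra_traffic
        if pkt["dst"] == "attacker":
            self.captured.append(pkt)
        elif pkt["dst"] in self.hosts:
            self.hosts[pkt["dst"]].receive(pkt, self)


def probe_zombie_ipid(net, zombie):
    """Step 1 / step 3: send SYN/ACK to the zombie and read the IP ID of its RST."""
    net.captured.clear()
    net.deliver({"flags": "SYN/ACK", "src": "attacker", "dst": zombie, "dport": 80})
    return net.captured[-1]["ipid"]


def zombie_is_usable(net, zombie):
    """Nmap's preliminary check: two consecutive probes must differ by exactly one."""
    first = probe_zombie_ipid(net, zombie)
    second = probe_zombie_ipid(net, zombie)
    return second - first == 1


def idle_scan(net, zombie, target, ports):
    results = {}
    for port in ports:
        before = probe_zombie_ipid(net, zombie)
        # Step 2: spoofed SYN with the zombie's address as source, so the target answers the zombie.
        net.deliver({"flags": "SYN", "src": zombie, "dst": target, "dport": port})
        delta = probe_zombie_ipid(net, zombie) - before
        if delta == 2:
            results[port] = "open"                     # zombie answered the target's SYN/ACK with RST
        elif delta == 1:
            results[port] = "closed|filtered"          # zombie only answered our own probe
        else:
            results[port] = "unreliable"               # zombie is not idle or not incremental
    return results


if __name__ == "__main__":
    net = Network([Host("zombie"), Host("target", open_ports={139}, filtered_ports={445})])
    print("zombie usable:", zombie_is_usable(net, "zombie"))
    print(idle_scan(net, "zombie", "target", [138, 139, 445]))
    busy = Network([Host("busy", extra_traffic=3), Host("target", open_ports={139})])
    print("busy zombie usable:", zombie_is_usable(busy, "busy"))
    print(idle_scan(busy, "busy", "target", [138, 139]))
```

With the quiet zombie the scan reports 139 open and both 138 and 445 as closed|filtered, which answers the question on the slide; with the busy zombie every delta is larger than two and the results are meaningless, which is why Nmap refuses zombies whose IP ID does not advance by exactly one between its two test probes.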
95 8-7. Timing options The timing templates let the scanner control the speed and aggressiveness of a scan, which affects both the likelihood of detection by IDS/firewalls and the accuracy of the results: -T0 (Paranoid): sends one probe at a time and waits about five minutes between probes, to minimize the risk of detection; a full port scan takes days. -T1 (Sneaky): also serialized, with about 15 seconds between probes; still slow enough to stay under most IDS thresholds. -T2 (Polite): about 0.4 seconds between probes, to use less bandwidth and not disturb the target; roughly ten times slower than the default. -T3 (Normal): the default timing template, which runs probes in parallel and strikes a balance between speed and stealth. -T4 (Aggressive): assumes a fast and reliable network; lowers the timeouts and increases the number of probes sent per second. -T5 (Insane): the fastest template, sending probes at a very high rate and sacrificing accuracy (timeouts so short that replies from slow hosts are missed) for speed. 96 9. Summary of Nmap Scan Commands (screenshots on slides 97 to 99) 97 98 99 10. Enumeration Enumeration is the process of extracting more detailed information about a system or network. In this phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target. The attacker uses the information collected through enumeration to identify vulnerabilities in the system security, which help them exploit the target system. Enumeration targets: identify users and groups; identify active services and open ports; identify shares and directories (e.g. printers); discover misconfigurations and weaknesses (e.g. SMB null sessions). 100 10. Enumeration A list of commonly enumerated services and their associated port numbers is essential, as these ports are typically used in the commands to interact with or extract information from the services. Protocol | Port | Description FTP | 21 | File Transfer Protocol, used for transferring files. SSH | 22 | Secure Shell, used for secure remote administration and file transfer.
Telnet | 23 | Used for remote terminal sessions; unencrypted, so credentials travel in clear text. SMTP | 25 | Simple Mail Transfer Protocol, used for sending emails (the VRFY and EXPN commands can enumerate users). DNS | 53 | Domain Name System, used for resolving domain names to IP addresses (zone transfers use TCP 53). NetBIOS | 137-139 | Network Basic Input/Output System, used for LAN communication: UDP 137 name service, UDP 138 datagram service, TCP 139 session service. IMAP | 143 | Internet Message Access Protocol, used for email retrieval. SNMP | 161, 162 | Simple Network Management Protocol, used for network device management (161 agent queries, 162 traps). LDAP | 389 | Lightweight Directory Access Protocol, used for accessing and maintaining distributed directory information services over a network. SMB | 445 | Server Message Block, used for file sharing over the network. MSSQL | 1433 | Microsoft SQL Server protocol. NFS | 2049 | Network File System, used to mount file systems on a remote host over a network. RDP | 3389 | Remote Desktop Protocol, used for remote desktop access. 101 10. Enumeration Nmap and Metasploit are among the most commonly used tools for service enumeration. Nmap contains many Nmap Scripting Engine (NSE) scripts that can be used to enumerate distinct services. After identifying the services and their associated ports in the scanning phase, in the enumeration phase the attacker uses NSE scripts to extract more valuable information about those services. The syntax is: nmap -p <port> --script <script-name> <target> Example: nmap -p 22 --script=ssh2-enum-algos 10.0.1.17 Several scripts can be selected at once with a wildcard or a category, e.g. --script "smb-enum-*" or --script default, and --script-help <script-name> prints what a script does. 102 10. Enumeration Metasploit is one of the powerful tools used for enumeration. It provides many auxiliary modules specifically designed for this purpose, which are highly configurable and easy to use. These modules give the ability to retrieve service banners and perform user and credential enumeration. Metasploit includes modules for services like SNMP, NetBIOS, LDAP, NTP, SMB, MySQL and so on, which can enumerate user accounts and credentials associated with these services. 103 10-1.
NetBIOS Enumeration NetBIOS (Network Basic Input/Output System) is a system that allows different computers on a local area network to communicate with each other. A NetBIOS name is a unique 16-byte string used to identify network devices over TCP/IP: 15 characters are used for the device name, padded with spaces, and the 16th byte is reserved for the service or name record type, the suffix (for example <00> workstation, <20> file server service, <1B> domain master browser, <1C> domain controllers). NetBIOS over TCP/IP uses UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service); modern Windows file sharing runs SMB directly over TCP 445, but NetBIOS over TCP/IP is often still enabled. The nbtstat utility in Windows displays NetBIOS over TCP/IP protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache (nbtstat -A <IP> queries a remote host's name table, nbtstat -n lists the local names, nbtstat -c shows the cache). Attackers use NetBIOS enumeration to obtain: The list of computers that belong to a domain. The list of shares on the individual hosts in the network. Policies and passwords. 104 10-1. NetBIOS Enumeration From Kali Linux there are many tools that can be used to enumerate NetBIOS, such as: the Nmap nbstat.nse script (nmap -sU -p 137 --script nbstat TargetIP), which retrieves the target's NetBIOS names and MAC address; Nmap contains many other useful NSE scripts that can be used to discover and enumerate SMB services (smb-enum-shares, smb-enum-users, smb-os-discovery). nbtscan (nbtscan 192.168.1.0/24), which queries the NetBIOS name service of every host in a range for valid NetBIOS names. Enum4linux (enum4linux -a TargetIP), which focuses on extracting user and group information, password policies, and share information from Windows systems through the SMB protocol, including through null sessions where they are still allowed. 105 10-4. MySQL Enumeration Example of MySQL enumeration against Metasploitable3 (Windows Server 2008) using Nmap NSE scripts (screenshot). 106 10-4. MySQL Enumeration Example of MySQL enumeration against Metasploitable3 (Windows Server 2008) using the Metasploit framework (screenshot). 1- Identify the MySQL version. 107 10-4. MySQL Enumeration 2- Check potential login credentials for MySQL.
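The NBSTAT query that nbtstat -A, nbtscan and the nbstat NSE script send is simple enough to build by hand. The following added Python example (not from the slides or from any of those tools) encodes the wildcard name with the first-level encoding of RFC 1002, builds the 50-byte query, and parses a name table reply. The reply bytes it parses offline are constructed by the build_sample_response helper to mirror the real wire format, with made-up host names and MAC address; the query() function sends the same packet to a real host on UDP/137 and is the only part that touches the network.

```python
"""NetBIOS Name Service NBSTAT query/response (RFC 1002), as used by nbtstat -A and nbtscan.

Added example for the course notes; only the standard library is used.
"""
import socket
import struct

NBSTAT, CLASS_IN = 0x0021, 0x0001
WILDCARD = b"*" + b"\x00" * 15             # the NBSTAT "any name" query target
SUFFIX = {0x00: "Workstation", 0x03: "Messenger", 0x1B: "Domain Master Browser",
          0x1C: "Domain Controllers", 0x1D: "Master Browser", 0x1E: "Browser Elections",
          0x20: "File Server"}


def encode_name(raw16: bytes) -> bytes:
    """First-level encoding: each nibble of the 16-byte name becomes a letter 'A'..'P'."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes (15 chars + suffix)")
    letters = bytes(b for byte in raw16 for b in ((byte >> 4) + 0x41, (byte & 0x0F) + 0x41))
    return b"\x20" + letters + b"\x00"      # label length 32, the letters, root label


def decode_name(encoded: bytes) -> bytes:
    letters = encoded[1:33]
    return bytes(((letters[i] - 0x41) << 4) | (letters[i + 1] - 0x41) for i in range(0, 32, 2))


def build_nbstat_request(txid: int) -> bytes:
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)   # flags 0: standard query; 1 question
    return header + encode_name(WILDCARD) + struct.pack("!HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(data: bytes) -> dict:
    """Return the remote name table and the unit ID (MAC address) from an NBSTAT reply."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS answer")
    pos = 12
    while data[pos] != 0:                    # skip the RR name labels
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("answer is not an NBSTAT record")
    count, pos = data[pos], pos + 1
    names = []
    for _ in range(count):                   # 18 bytes per entry: 15 name, 1 suffix, 2 flags
        entry = data[pos:pos + 18]
        pos += 18
        name = entry[:15].rstrip(b" ").decode("ascii", "replace")
        suffix, nflags = entry[15], struct.unpack("!H", entry[16:18])[0]
        names.append((name, suffix, bool(nflags & 0x8000)))   # bit 15 = group name
    mac = ":".join("%02x" % b for b in data[pos:pos + 6])    # statistics start with the unit ID
    return {"txid": txid, "names": names, "mac": mac}


def build_sample_response(txid: int, entries, mac: str) -> bytes:
    """Constructed reply in the real wire format (for offline testing; not captured traffic)."""
    rdata = bytes([len(entries)])
    for name, suffix, group in entries:
        rdata += name.encode("ascii").ljust(15, b" ") + bytes([suffix])
        rdata += struct.pack("!H", 0x8400 if group else 0x0400)  # group bit + ACT bit
    rdata += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 40   # unit ID + zeroed statistics
    header = struct.pack("!6H", txid, 0x8400, 0, 1, 0, 0)        # response, authoritative
    rr = encode_name(WILDCARD) + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def query(ip: str, timeout: float = 2.0) -> dict:
    """Send the NBSTAT query to a real host (UDP/137) and parse its reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_nbstat_request(0x1234), (ip, 137))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_nbstat_response(data)


if __name__ == "__main__":
    sample = build_sample_response(0x1234, [("WIN-SRV", 0x00, False), ("WIN-SRV", 0x20, False),
                                            ("WORKGROUP", 0x00, True), ("WORKGROUP", 0x1E, True)],
                                   "00:0c:29:3a:4b:5c")
    table = parse_nbstat_response(sample)
    for name, suffix, group in table["names"]:
        kind = "GROUP" if group else "UNIQUE"
        print(f"{name:16}<{suffix:02X}>  {kind:6}  {SUFFIX.get(suffix, '?')}")
    print("MAC:", table["mac"])
```

The printed table is the same layout nbtstat -A shows: the <20> entry tells you the host runs the file server service (worth following up with the SMB scripts), the group entries give the workgroup or domain, and the unit ID is the host's MAC address, which is how nbtscan reports MACs across a routed network.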
108 11. Network Scanning Countermeasures Configure firewall and IDS rules to detect and block probes (for example, alert when one source contacts many ports or many hosts in a short time). Use a custom rule set to lock down the network and block unwanted ports at the firewall, with a default-deny policy for inbound traffic. Run port scanning tools against hosts on the network to determine whether the firewall properly detects port scanning activity and whether only the intended ports are exposed. Filter ICMP messages at the firewalls and routers, allowing only the types that are needed (for example "fragmentation needed" for path MTU discovery). Ensure that the routing and filtering mechanisms at the routers and firewalls, respectively, cannot be bypassed by a particular source port (never trust the source port; use a stateful firewall) or by source routing options (drop source-routed packets). Ensure that the router, IDS, and firewall firmware are updated to their latest releases/versions. Ensure that anti-scanning and anti-spoofing rules are properly configured, and that the IDS reassembles fragmented packets before inspecting them. Encrypt network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS, so that what an attacker can learn from the traffic around a scanned host is limited. Use multiple firewalls to provide multi-layered, defense-in-depth protection. Do not rely on IP-based authentication. Egress filtering: filter all outgoing packets with an invalid local IP address as the source address, so that your own hosts cannot be used to emit spoofed decoy or idle scan packets. 109 12. Enumeration Countermeasures Use firewalls and access control lists (ACLs) to limit access to services only to authorized users and systems. Remove or disable unnecessary services and ports to minimize the potential attack surface (for example, disable NetBIOS over TCP/IP and SMBv1 where they are not needed, and disable null sessions). Use strong, complex passwords and multi-factor authentication (MFA) to protect services from unauthorized access, and replace default SNMP community strings. Monitor network traffic for unusual patterns or unauthorized access attempts and block malicious activities. Keep services and software up to date with the latest security patches to mitigate known vulnerabilities. Perform security assessments and penetration testing to identify and address vulnerabilities related to service enumeration. Separate sensitive systems and services from general network traffic to reduce exposure and potential enumeration. 110 IV- Vulnerability Analysis 111 1. What is a vulnerability? A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat actor in various cyberattacks.
The most common types of vulnerabilities include: Hardware or software misconfiguration: default credentials, unnecessary ports/services opened, improper access controls. Insecure design of network and application: firewalls or IDS not implemented securely, insecure Wi-Fi access points. Outdated or unsupported software/hardware: software/hardware no longer supported with security updates. Human factor vulnerability: insider threats, ex-employees whose access was not revoked, end-user carelessness/errors. Process vulnerabilities: weaknesses created by specific process controls (weak password policy, an authentication process whose sessions can be hijacked, etc.). 112 2. Vulnerability classification (vulnerability type | description | example): Misconfiguration | Misconfiguration is the most common vulnerability and is mainly caused by human error. It allows attackers to break into a network and gain unauthorized access to systems. | Insecure protocols, open ports, weak encryption, unsecured root accounts. Application flaws | Vulnerabilities in applications that could be exploited by a hacker. | Buffer overflows, memory leaks, resource exhaustion, etc. Poor patch management | Unpatched software can make an application, server, or device vulnerable to various attacks. | Unpatched servers, unpatched firmware, unpatched OS. Design flaws | Logical flaws in the functionality of the system are exploited by attackers to bypass the detection mechanism and acquire access to a secure system. | Incorrect encryption and poor validation of data. Third-party risks | Third-party services can have access to privileged systems and applications, through which financial information, employee data, etc. can be compromised. | Vendor management, supply chain risks, data storage, etc. 113 2.
Vulnerability classification (continued; vulnerability type | description | example): Default installations/default configurations | Failing to change the default settings while deploying software or hardware allows the attacker to guess the settings to break into the system. | Many software applications and devices come with pre-set usernames and passwords (e.g., "admin" / "admin" or "root" / "toor"). Zero-day vulnerabilities | Vulnerabilities in hardware/software that are exploited by attackers before being acknowledged and patched by the vendor. | PrintNightmare: this vulnerability, disclosed in June 2021 and exploited before a complete patch was available, affects the Windows Print Spooler service, which manages the printing process on Windows systems. Legacy platform vulnerabilities | Security weaknesses found in outdated or obsolete software and hardware systems that are no longer actively maintained or supported by their developers. | The WannaCry ransomware attack in 2017. Exploiting the SMBv1 vulnerability known as EternalBlue (MS17-010) on unpatched Windows systems, including end-of-life versions such as Windows XP and Windows Server 2003 for which Microsoft had to issue emergency patches, the ransomware affected over 200,000 computers across 150 countries. 114 3. Vulnerability Research Vulnerability research refers to the process of gathering information to identify and analyze potential weaknesses in systems, networks and software. It involves analyzing code, protocols, services, and configurations to identify vulnerabilities and design flaws that could leave a system, network or software susceptible to exploitation, attacks, or misuse. To maintain an advantage over attackers, ethical hackers must keep up with the most recently identified vulnerabilities and exploits. This involves vulnerability research, which includes: Identifying system design flaws and weaknesses that could enable attackers to compromise a system. Staying informed about new products and technologies and reading news related to current exploits. Exploring hacking websites (deep and dark web) for newly discovered vulnerabilities and exploits. Reviewing newly released alerts and updates for security systems.
Information gathered during the footprinting and scanning phases enables ethical hackers to conduct extensive research to find vulnerabilities. 115 3. Vulnerability Research List of resources to conduct vulnerability research (vulnerability resource | official website): Microsoft Security Response Center (MSRC) | https://msrc.microsoft.com CISA Cybersecurity Alerts & Advisories | https://www.cisa.gov/news-events/cybersecurity-advisories The Hacker News | https://thehackernews.com/search/label/Vulnerability Packet Storm | https://packetstormsecurity.com Dark Reading | https://www.darkreading.com Security Magazine | https://www.securitymagazine.com Digital Defense | https://www.digitaldefense.com/vulnerability-research/ PenTest Magazine | https://pentestmag.com Help Net Security | https://www.helpnetsecurity.com 116 4. Vulnerability Scoring Systems and Databases Vulnerability scoring systems and databases are crucial tools for identifying, assessing, and managing cybersecurity vulnerabilities, ultimately improving an organization's overall security posture. Scoring systems rank information system vulnerabilities and provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about the vulnerabilities present in information systems. The common vulnerability scoring systems and databases are: Common Vulnerability Scoring System (CVSS) [https://www.first.org/cvss/], [https://nvd.nist.gov] Common Vulnerabilities and Exposures (CVE) [https://www.cve.org] National Vulnerability Database (NVD) [https://nvd.nist.gov] Common Weakness Enumeration (CWE) [https://cwe.mitre.org] 117 4-1. The Common Vulnerability Scoring System (CVSS) The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing IT vulnerabilities, providing a quantitative model for consistent measurement and understanding of vulnerability characteristics.
CVSS is widely used by industries, organizations, and governments for prioritizing remediation and evaluating vulnerability severity. By generating a numerical score that can be categorized as low, medium, high, or critical, CVSS helps organizations manage vulnerabilities effectively. CVSS version 3.x, the version used in the examples below (version 4.0, published in 2023, restructures the metric groups), defines three metric groups to measure vulnerabilities: Base metrics. Temporal metrics. Environmental metrics. 118 4-1. The Common Vulnerability Scoring System (CVSS) The Base metrics The base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics, the Exploitability metrics and the Impact metrics, plus the Scope metric, which records whether a successful exploit affects components beyond the vulnerable one. The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited: Attack Vector (network, adjacent, local, physical), Attack Complexity (low, high), Privileges Required (none, low, high) and User Interaction (none, required). The Impact metrics reflect the direct consequence of a successful exploit on Confidentiality, Integrity and Availability (each rated none, low or high). 119 4-1. The Common Vulnerability Scoring System (CVSS) The Temporal metrics Temporal metrics will almost certainly change over time; they are used to assess the following parameters: Exploit code maturity: measures how usable a vulnerability is in practice. The more accessible and reliable the exploit code, the higher the temporal score. Remediation level: refers to the options for fixing the vulnerability. It assesses whether there is an official patch, a temporary fix, or a workaround available. If effective remediation is available, the risk associated with the vulnerability is considered lower. Report confidence: this metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. 120 4-1. The Common Vulnerability Scoring System (CVSS) The Environmental metrics These metrics allow analysts to customize the CVSS score based on the importance of the affected IT asset to the organization, considering existing security controls and the Confidentiality, Integrity, and Availability requirements of the asset. 121
4-1. The Common Vulnerability Scoring System (CVSS) The score ranges from 0 to 10, with 10 being the most severe. A CVSS assessment is recorded as a vector string, a block of text that lists the value chosen for each metric, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network attack vector, low complexity, no privileges required, no user interaction, scope unchanged, high impact on confidentiality, integrity and availability); the numerical score is computed from those values with the equations in the specification, so the vector string lets anyone reproduce the score and see why it is what it is. The CVSS calculator ranks security vulnerabilities and provides the user with information on the overall severity and risks related to the vulnerability. Severity category | score range: None | 0.0 Low | 0.1-3.9 Medium | 4.0-6.9 High | 7.0-8.9 Critical | 9.0-10.0 122 4-1. The Common Vulnerability Scoring System (CVSS) Example of calculating the CVSS score of a specific CVE ID (CVE-2024-8646) with the NVD calculator. URL: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2024-8646&version=3.0 123 4-2. The Common Vulnerabilities and Exposures (CVE) CVE is a publicly available and free-to-use list of standardized identifiers for publicly known software vulnerabilities and exposures. CVE assigns one identifier, of the form CVE-YYYY-NNNNN (e.g. CVE-2024-8646 above), to each vulnerability in the catalog. Cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities. CVE is more like a reference guide than a storage database: each record holds an identifier, a short description and references, not scores or exploit details, which are provided by databases such as the NVD that build on the CVE IDs. 124 4-2. The Common Vulnerabilities and Exposures (CVE) To search the CVE List for a specific CVE Record, use a CVE ID. [https://cve.mitre.org/cve/search_cve_list.html] To search by keyword, enter a keyword or multiple keywords separated by spaces. 125 4-3. National Vulnerability Database (NVD) The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
The NVD performs an analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with the analysis of CVEs by aggregating data points from the description, the references supplied, and any supplemental data that is publicly available. The NVD does not actively perform vulnerability testing; it relies on vendors, third-party security researchers, and vulnerability coordinators to provide the information used to assign these attributes.

4-4. Common Weakness Enumeration (CWE)
The Common Weakness Enumeration (CWE) is a system for categorizing software and hardware vulnerabilities and weaknesses. It is sponsored by MITRE, with support from US-CERT and the U.S. Department of Homeland Security. CWE serves as a baseline for identifying, mitigating, and preventing weaknesses, and includes advanced search features for exploring weaknesses based on research, development, and architectural concepts.

5. Vulnerability Assessment
Vulnerability assessment is a systematic process of identifying and evaluating security vulnerabilities in computer systems, networks, and applications. It is a proactive approach to assessing the weaknesses and potential risks that may exist within an organization's technology infrastructure. The purpose of a vulnerability assessment is to discover vulnerabilities before they can be exploited by malicious actors. By identifying these weaknesses, organizations can take appropriate measures to mitigate or remediate them, thereby reducing the risk of unauthorized access, data breaches, or other security incidents.

5. Vulnerability Assessment
The vulnerability management life cycle is as follows:
Pre-Assessment Phase: Scope and asset identification
Vulnerability Assessment Phase: Vulnerability scan
Post-Assessment Phase: Risk assessment, Remediation, Verification, Monitoring
5-1. Pre-assessment phase
The pre-assessment phase is a preparatory phase which involves defining policies and standards, clarifying the scope of the assessment, designing appropriate information protection procedures, and identifying and prioritizing critical assets, in order to create a good baseline for vulnerability management and to define the risk based on the criticality and value of each system. The following are the steps involved in creating a baseline:
Identify and understand business processes
Identify the applications, data, and services that support the business processes and perform code reviews
Identify the approved software, drivers, and basic configuration of each system
Create an inventory of all assets, and prioritize or rank the critical assets
Understand the network architecture and map the network infrastructure
Identify the controls already in place
Understand policy implementation and practice standard compliance with business processes
Define the scope of the assessment
Create information protection procedures to support effective planning, scheduling, coordination, and logistics

5-2. Vulnerability assessment phase
The vulnerability assessment phase refers to identifying vulnerabilities in the organization's infrastructure, including the operating system, web applications, and web server. It helps identify the category and criticality of each vulnerability in an organization and minimizes the level of risk. The ultimate goal of vulnerability scanning is to scan, examine, evaluate, and report the vulnerabilities in the organization's information system. Vulnerability scans can also be performed against applicable compliance templates to assess the organization's infrastructure weaknesses against the respective compliance guidelines.
The following are the steps involved in the assessment phase:
Examine and evaluate the physical security
Check for misconfigurations and human errors
Run vulnerability scans using tools
Select the type of scan based on the organization or compliance requirements
Identify and prioritize vulnerabilities
Identify false positives and false negatives
Apply the business and technology context to scanner results
Perform OSINT information gathering to validate the vulnerabilities
Create a vulnerability scan report

5-2. Vulnerability assessment phase
Types of vulnerability assessment
Assessment type: Description
Active Assessment: Uses a network scanner to find hosts, services, and vulnerabilities
Passive Assessment: Sniffs network traffic to discover the active systems, network services, applications, etc. that are present
External Assessment: Assesses the network from a hacker's perspective to discover exploits and vulnerabilities that are accessible from the outside world
Internal Assessment: Scans the internal infrastructure to discover exploits and vulnerabilities
Host-based Assessment: Conducts a configuration-level check to identify system configurations, user directories, etc. in order to evaluate the possibility of compromise
Network-based Assessment: Determines possible network security attacks that may occur on the organization's systems
Application Assessment: Tests and analyzes all elements of the web infrastructure for any misconfiguration, outdated content, or known vulnerabilities
Database Assessment: Focuses on testing databases, such as MySQL, MSSQL, etc., for the presence of data exposure or injection-type vulnerabilities
Wireless Network Assessment: Determines the vulnerabilities in the organization's wireless networks
Distributed Assessment: Assesses the distributed organization assets, such as client and server applications, simultaneously through appropriate synchronization techniques
Credential Assessment: Assesses the network by obtaining the credentials of all machines present in the network
Non-Credential Assessment: Assesses the network without acquiring any credentials of the assets present in the enterprise network
Manual Assessment: Assesses the vulnerabilities, vulnerability ranking, vulnerability score, etc. manually
Automated Assessment: Employs various tools such as Nessus, Qualys, etc.

5-3. Post-assessment phase
Risk assessment
In the risk assessment phase, risks are identified, characterized, and c