Vulnerability Analysis

carolynm

Presentation Transcript


  1. Vulnerability Analysis Offensive Security

  2. Vulnerability Analysis
     • Finding the flaws an attacker would leverage
       • Host/service misconfiguration
       • Poorly designed applications
       • Human error?
     • Scoping
       • Breadth – giant corporate networks
       • Depth – tools
       • Tools may run for a very long time

  3. Three Types of Vulnerabilities
     • Common configuration errors
       • Directory listing enabled on a web server
     • Default configurations
       • Default password / no password
     • Well-known system/software flaws
       • MS08-067 (CVE-2008-4250): remote code execution in the Windows Server service, reached over SMB/RPC

  4. Rating Vulnerabilities
     • Often rated as one of the following…
       • Low
       • Medium
       • High
       • Critical
     • A set of base metrics (the CVSS v3 base metrics, described on the next slides) defines the rating; the base score runs from 0.0 to 10.0, with Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9 and Critical 9.0–10.0
     • Higher score == more critical

  5. Vulnerability Rating Metrics
     • Attack Vector
       • Network, Adjacent, Local, Physical
       • The more remote the attacker can be, the higher the score
     • Attack Complexity
       • Low – no special conditions are needed; the attacker can expect repeatable success
       • High – success depends on conditions beyond the attacker's control (e.g. winning a race or gathering target-specific knowledge first)
     • Privileges Required
       • None – the attacker is unauthenticated and needs no access to settings or files
       • Low – basic user privileges are required for the attack
       • High – significant, often administrative, privileges are required

  6. Vulnerability Rating Metrics
     • User Interaction
       • None – the system can be exploited without any user action
       • Required – successful exploitation needs a user to take some action (e.g. open a file or click a link)
     • Scope
       • Unchanged – exploitation only affects resources managed by the vulnerable component's own security authority
       • Changed – exploitation reaches beyond the vulnerable component (e.g. a VM escape reaching the hypervisor, or XSS where the web server is vulnerable but the victim's browser is what is impacted)
     • Confidentiality Impact
       • High – total loss of confidentiality (ex. all data is readable, or a password is exposed)
       • Low – some loss of confidentiality; the attacker does not control what is disclosed
       • None – no loss of confidentiality

  7. Vulnerability Rating Metrics
     • Integrity Impact
       • High – complete loss of integrity; the attacker can modify any file or data on the impacted component
       • Low – some data can be modified, but the attacker does not control what, or the consequence is limited
       • None – no loss of integrity
     • Availability Impact
       • High – total loss of availability; the attacker can fully deny access
       • Low – reduced performance or intermittent interruptions
       • None – no impact to availability

  8. Vulnerability Scanner
     • Automates the process of looking for vulnerabilities
     • Many include port scanners
     • Most vulnerability scanners include…
       • Vulnerability DB (the checks themselves)
       • User configuration tool
       • Scanning engine
       • Knowledge base of the current scan (what has been learned about each target so far)
       • Results repository

  9. Nmap NSE
     • NSE – the Nmap Scripting Engine: Lua scripts run against the hosts and ports Nmap discovers
     • -sV – service/version detection; many scripts decide whether to run based on the detected service
     • --script – select scripts by name, category or expression, e.g. --script vuln runs the vulnerability-check category
     • https://nmap.org/nsedoc/
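What -sV and --script actually hand you is a lot of per-host script output. The parser below is an added example, not from the slides or the Nmap project: it reads the XML Nmap writes with -oX and separates the verdicts of vulnerability scripts (the "State:" line printed by Nmap's vulns library) from merely informational script output. The embedded XML is a constructed sample in -oX format; the host 10.0.0.5, its ports and the script output are made up for illustration.

```python
"""Summarise NSE script results from Nmap XML (-oX) output.

Added example, not from the slides or the Nmap project. Typical run:
    nmap -sV --script vuln -oX scan.xml 10.0.0.5
Vulnerability scripts built on Nmap's vulns library print a "State:" line
(VULNERABLE, LIKELY VULNERABLE, NOT VULNERABLE, ...); other scripts are
informational and only report what they saw.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in -oX format: host, ports and script output are made up.
# Nmap encodes newlines inside the output attribute as &#xa;. Hostrule scripts
# (the smb-vuln-* family) appear under <hostscript>, portrule scripts under <port>.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX scan.xml 10.0.0.5" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="http" product="Apache httpd" version="2.4.49" method="probed" conf="10"/>
        <script id="http-enum" output="&#xa;  /icons/: Potentially interesting folder w/ directory listing&#xa;"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="netbios-ssn" method="table" conf="3"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="&#xa;  VULNERABLE:&#xa;  Microsoft Windows system vulnerable to remote code execution (MS08-067)&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-2008-4250&#xa;"/>
      <script id="smb-vuln-ms17-010" output="&#xa;  NOT VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: NOT VULNERABLE&#xa;    IDs:  CVE:CVE-2017-0143&#xa;"/>
    </hostscript>
  </host>
</nmaprun>
"""

# The verdict line written by the vulns library. Alternation order matters so
# that "NOT VULNERABLE" is never matched as a bare "VULNERABLE".
STATE_RE = re.compile(
    r"State:\s*(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE(?: \([^)]*\))?|UNKNOWN)"
)


def script_findings(script, host, port, service):
    """One finding per State: line, or a single INFO finding if there is none."""
    out = script.get("output", "")
    detail = " ".join(out.split())[:80]
    states = STATE_RE.findall(out) or ["INFO"]
    return [{"host": host, "port": port, "service": service,
             "script": script.get("id"), "state": s, "detail": detail}
            for s in states]


def summarize(xml_text):
    """Flatten every host-level and port-level script result into dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "?")
        for s in host.findall("hostscript/script"):
            findings.extend(script_findings(s, addr, None, None))
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # scripts only run against open ports; skip filtered/closed
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            for s in port.findall("script"):
                findings.extend(script_findings(s, addr, int(port.get("portid")), name))
    return findings


def vulnerable(findings):
    """Keep confirmed or likely positives; NOT VULNERABLE and INFO drop out."""
    return [f for f in findings
            if f["state"].startswith("VULNERABLE") or f["state"] == "LIKELY VULNERABLE"]


if __name__ == "__main__":
    for f in summarize(SAMPLE_XML):
        where = f"{f['host']}:{f['port']}" if f["port"] else f["host"]
        print(f"{f['state']:16s} {where:18s} {f['script']:20s} {f['detail']}")
```

Triage on the "State:" line rather than on the word VULNERABLE appearing anywhere in the output: with --script-args vulns.showall the negative results are printed too, and a naive substring match would report every one of them as a hit.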

  10. Nessus
     • First released in 1998; open source until Tenable closed the source with Nessus 3 in 2005
     • Client/server architecture
     • Can conduct testing from different network locations (scanners deployed where the targets are reachable)
     • Can scan multiple OSs

  11. Nessus Plugins
     • Each vulnerability check is a small program, aka a plugin
     • Each plugin conducts one check on a target system
     • Thousands of plugins available
       • They make up the Nessus Vulnerability Database
       • 110,198 at last check
     • Downloadable from https://www.tenable.com/plugins/index.php
     • http://static.tenable.com/documentation/Tenable_Products_Plugin_Families.pdf

  12. Nessus Is Not Free…kinda
     • Nessus Essentials – free, but limited to 16 IP addresses
     • Nessus Professional
       • $,$$$/year
       • But there's a 7 day free trial

  13. OpenVAS
     • Open source vulnerability scanner; began as a fork of Nessus when Nessus went closed source
     • The scanner component of Greenbone Networks' vulnerability management stack, which Greenbone also sells commercially
     • Similar to Nessus

  14. Setting up OpenVAS
     • The commands below are for the OpenVAS 9 packages (Kali 2019 and earlier); later releases renamed openvasmd to gvmd and openvas-setup/openvas-start to gvm-setup/gvm-start
     • openvas-setup initialises the databases, syncs the feed and creates the admin user itself, so the user creation and password change come after it, not before

```shell
apt install openvas
openvas-setup                                 # sets up the databases, syncs the NVT feed, creates user "admin" with a random password
openvasmd --create-user=admin --role=Admin    # only needed if setup did not create the user already
openvasmd --user=admin --new-password=admin   # replace "admin": a default password is exactly what slide 3 flags
openvas-start
```

  15. NVT Feed
     • NVT – Network Vulnerability Test, the OpenVAS equivalent of a Nessus plugin
     • Public feed (the Greenbone Community Feed) maintained by Greenbone for OpenVAS
     • Currently more than 50,000 NVTs
     • Extras -> Feed Status in the web UI shows the feed version and whether it is current
     • Keep these up to date; a stale feed silently misses every check added since the last sync

  16. Nikto
     • Web server vulnerability scanner
     • Checks for
       • Dangerous files/applications
       • Outdated versions of over 1250 servers
       • Version-specific problems
       • robots.txt
       • Interesting file names
     • Not quite dirbuster: it tests a fixed database of known paths rather than brute-forcing directory names from a wordlist
