Contents

CEH-Module5 - Vulnerability Analysis

Website Visitors:

What is Vulnerability

A vulnerability refers to a weakness in the design or implementation of a system that can be exploited to compromise the security of the system. It is frequently a security loophole that enables an attacker to enter the system by bypassing user authentication. There are generally two main causes for vulnerable systems in a network, software or hardware misconfiguration and poor programming practices. Attackers exploit these vulnerabilities to perform various types of attacks on organizational resources.

Cyber vulnerabilities can stem from coding errors, misconfigurations, outdated software, or flawed design, among other factors. When these vulnerabilities are exploited by attackers, it can lead to security breaches, data leaks, system compromise, or unauthorized access.

Vulnerability management involves identifying, assessing, prioritizing, and mitigating these weaknesses to reduce the risk of exploitation. This process typically includes regularly scanning systems for vulnerabilities, applying security patches and updates, implementing security best practices, and having proactive measures in place to address potential threats.

Examples of Vulnerabilities: HTTP, FTP, ICMP, SNMP, SMTP are insecure.

What is Vulnerability Research/Analysis

Vulnerability research or analysis involves the systematic examination of software, hardware, or systems to identify weaknesses, flaws, or vulnerabilities that could be exploited by attackers. This process aims to discover and understand potential security issues that could compromise the confidentiality, integrity, or availability of a system or data.

Researchers or analysts typically use various techniques, including code review, reverse engineering, fuzzing, penetration testing, and other methods to uncover vulnerabilities. Once identified, these vulnerabilities are documented, analyzed for their potential impact, and often reported to the respective vendors or developers responsible for the affected systems or software. The goal is to help fix these vulnerabilities before they can be exploited by malicious actors.

Once a vulnerability is discovered, researchers typically follow responsible disclosure practices. This involves notifying the affected parties (such as software developers or vendors) about the vulnerability, providing detailed information about the issue, and allowing them time to address and patch the vulnerability before making it public. This responsible approach aims to minimize the risk of exploitation while still ensuring that the issue is addressed and fixed.

Vulnerability research plays a crucial role in improving the overall security posture of software and systems by identifying and addressing weaknesses before they can be exploited by malicious actors.

Resources for Vulnerability Research

Packet Storm (packetstormsecurity.com)

Dark Reading | Security | Protect The Business

Trend Micro | Cybersecurity Solutions for Home

Security Magazine | The business magazine for security executives

Pentestmag

Microsoft Security Response Center

Vulnerability scoring and databases

NVD - National Vulnerability Database Home (nist.gov)

What is Vulnerability Assessment

Vulnerability assessment is a systematic process used to identify, quantify, and prioritize vulnerabilities within systems, networks, applications, or infrastructures. Its primary goal is to detect and categorize weaknesses that could potentially be exploited by attackers.

The assessment typically involves several steps:

  1. Identification: This phase involves identifying assets, such as hardware, software, configurations, and network components, to understand the scope of the assessment.

  2. Scanning and Discovery: Using specialized tools, automated scanners, or manual inspection, the system is scanned for known vulnerabilities. This involves checking for missing security patches, misconfigurations, weak passwords, or other issues that could be exploited.

  3. Analysis and Evaluation: Once vulnerabilities are identified, they’re analyzed to determine their severity and potential impact on the system or organization.

  4. Risk Prioritization: Vulnerabilities are prioritized based on factors such as their severity, potential impact, exploitability, and the value of the affected assets.

  5. Remediation Recommendations: Finally, a report is generated that outlines the identified vulnerabilities along with recommendations for remediation. This report guides organizations on how to address and mitigate the vulnerabilities to strengthen their security posture.

Vulnerability assessments are conducted regularly to proactively identify weaknesses and reduce the risk of security breaches. They are a fundamental part of an organization’s overall cybersecurity strategy, helping to prevent potential attacks and safeguard sensitive information.

Common Vulnerability Terminology

CWE: CWE typically stands for the Common Weakness Enumeration, a list of software and hardware weaknesses that can make systems vulnerable to security threats. These weaknesses are categorized and used by cybersecurity professionals to identify, mitigate, and prevent vulnerabilities in software and hardware.

CVE: CVE stands for Common Vulnerabilities and Exposures. It’s a publicly disclosed list of cybersecurity vulnerabilities found in software or hardware and it is maintained by MITRE.org. Each vulnerability is assigned a unique identifier (CVE ID) along with a detailed description of the issue. This standardized identification helps security professionals, vendors, and users to reference and discuss vulnerabilities across different platforms and tools. The CVE IDs are used in security advisories, patches, and discussions about specific vulnerabilities.

From NVD website CVE is defined as:

“A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).”

Difference between CWE and CVE

A breakdown of the difference between CWE (Common Weakness Enumeration) and CVE (Common Vulnerabilities and Exposures):

CWE (Common Weakness Enumeration):

  • Purpose: CWE is a community-developed list of common software and hardware weaknesses.
  • Focus: It categorizes and describes common types of weaknesses that can lead to security vulnerabilities in systems.
  • Usage: It’s used as a reference to identify, prevent, and mitigate weaknesses during software development, testing, and security analysis.
  • Example: Buffer overflow, SQL injection, use of insecure cryptography are some CWE examples.

CVE (Common Vulnerabilities and Exposures):

  • Purpose: CVE is a dictionary of publicly disclosed cybersecurity vulnerabilities.
  • Focus: It provides a standardized naming scheme to uniquely identify security vulnerabilities.
  • Usage: CVE IDs are used to reference and discuss vulnerabilities across different platforms, making it easier to share information about security issues.
  • Example: CVE-2022-12345 might refer to a specific vulnerability found in a software application.

In summary, CWE categorizes and describes weaknesses, while CVE provides unique identifiers for specific vulnerabilities. CWE focuses on types of vulnerabilities, while CVE assigns unique IDs to individual instances of vulnerabilities. Both CWE and CVE are essential tools used in cybersecurity to identify, discuss, and address security weaknesses and vulnerabilities in systems and software.

CVSS: The Common Vulnerability Scoring System (CVSS) is a standardized method used to assess and communicate the severity of security vulnerabilities. It provides a numerical score to represent the potential impact and exploitability of a vulnerability. The CVSS score consists of three metric groups:

  1. Base Score: This part evaluates the intrinsic qualities of a vulnerability, such as how it might impact confidentiality, integrity, and availability. It also considers factors like attack complexity and required privileges for exploitation.

  2. Temporal Score: It reflects the current state of a vulnerability by considering aspects like exploit availability, remediation level, and report confidence.

  3. Environmental Score: This part allows organizations to customize the score based on their specific environment and circumstances, considering factors like the importance of the affected asset and the mitigations in place.

CVSS scores range from 0.0 to 10.0, where a higher score indicates a more severe vulnerability. These scores assist organizations in prioritizing their response to vulnerabilities, focusing on those that pose the most significant risks to their systems and data.

CVSS Ratings:

Here’s a breakdown of the National Vulnerability Database (NVD) severity ratings for Common Vulnerability Scoring System (CVSS) versions 2.0 and 3.0:

CVSS 2.0 Severity Ratings (NVD Mapping)

CVSS Score Range Severity Rating
0.0 - 3.9 Low
4.0 - 6.9 Medium
7.0 - 10.0 High

CVSS 3.0 Severity Ratings (NVD Mapping)

CVSS Score Range Severity Rating
0.0 None
0.1 - 3.9 Low
4.0 - 6.9 Medium
7.0 - 8.9 High
9.0 - 10.0 Critical

These severity ratings are used by the NVD to categorize vulnerabilities based on their CVSS scores. They help organizations and users gauge the potential impact and prioritize their responses to vulnerabilities based on their severity.

National Vulnerability Database - NVD

The National Vulnerability Database (NVD) is a comprehensive repository of information on vulnerabilities found in software, firmware, hardware, and other aspects of information technology systems. It’s maintained by the National Institute of Standards and Technology (NIST), a part of the United States Department of Commerce.

The NVD serves as a central source for standardized vulnerability information and provides:

  1. Vulnerability Descriptions: Detailed descriptions of known vulnerabilities, including their nature, how they can be exploited, potential impacts, and possible solutions or workarounds.

  2. CVE Identifiers: Each vulnerability listed in the NVD is assigned a unique identifier called a CVE (Common Vulnerabilities and Exposures) number. This identification system helps in referencing and tracking vulnerabilities across various platforms and databases.

  3. Severity Ratings: Vulnerabilities are assessed using the Common Vulnerability Scoring System (CVSS), providing a standardized way to measure the severity of a security flaw.

  4. Affected Products: Information about the software, hardware, or systems affected by a particular vulnerability.

  5. Updates and Changes: Regular updates are made to the database as new vulnerabilities are discovered, and existing ones are patched or mitigated.

The NVD collects vulnerability information from various sources, including security researchers, vendors, and public disclosures. This information is standardized and made publicly available to help organizations and individuals in understanding, assessing, and mitigating security risks in their systems and software. It’s a valuable resource used by cybersecurity professionals, software developers, and organizations worldwide to stay informed about potential threats and take necessary actions to secure their IT infrastructure.

Vulnerability Management Life Cycle

The vulnerability management lifecycle involves a structured approach to managing vulnerabilities in a system or network. It typically comprises several stages:

  1. Identification: This phase involves discovering, recognizing, and cataloging vulnerabilities in systems, software, or networks. It can involve automated scanning tools, manual assessments, security advisories, or intelligence feeds.

  2. Prioritization: Once vulnerabilities are identified, they are ranked or prioritized based on their severity, potential impact, and exploitability. This step helps in focusing resources on addressing the most critical issues first.

  3. Assessment: In-depth evaluation of vulnerabilities to understand their characteristics, potential impact on the organization, and potential methods of exploitation. This phase may involve penetration testing, vulnerability exploitation simulations, or risk assessments.

  4. Remediation: Implementing solutions to mitigate or fix the vulnerabilities. This could involve applying patches, software updates, configuration changes, or deploying additional security controls to reduce the risk of exploitation.

  5. Verification: After applying fixes, it’s crucial to verify that the remediation efforts were successful and that the vulnerabilities are effectively mitigated without introducing new issues or disruptions.

  6. Monitoring and Review: Continuously monitoring systems for new vulnerabilities, reassessing previously identified vulnerabilities, and reviewing the effectiveness of the vulnerability management program. This step helps in adapting strategies to evolving threats and technologies.

The lifecycle is iterative, as new vulnerabilities constantly emerge, and the process needs to be repeated to ensure ongoing security.

Post Assessment Phase

The post-assessment phase of a vulnerability assessment is a crucial step that ensures the effective implementation of remediation efforts and ongoing monitoring. It involves reviewing the assessment report, prioritizing vulnerabilities, assigning remediation tasks, and tracking progress towards resolving identified weaknesses.

Key activities in the post-assessment phase:

  1. Review and Analysis:

    a. Thoroughly review the vulnerability assessment report, ensuring understanding of identified vulnerabilities, severity levels, and associated risks.

    b. Identify any potential false positives or anomalies in the scan results that require further investigation.

    c. Analyze the overall risk profile of the organization based on the identified vulnerabilities and their potential impact.

  2. Prioritization and Assignment:

    a. Prioritize vulnerabilities based on their severity level, potential impact, and criticality to the organization’s operations.

    b. Assign remediation tasks to specific teams or individuals responsible for addressing the identified vulnerabilities.

    c. Establish clear deadlines for completing remediation tasks to ensure timely and effective risk mitigation.

  3. Communication and Documentation:

    a. Communicate the vulnerability assessment findings and remediation plan to relevant stakeholders within the organization.

    b. Document the remediation plan in a clear and concise manner, including the identified vulnerabilities, assigned tasks, and deadlines.

    c. Update the asset inventory with any changes or additions discovered during the assessment process.

  4. Remediation and Implementation:

    a. Implement the assigned remediation tasks to address the identified vulnerabilities effectively.

    b. Verify the effectiveness of remediation measures to ensure the vulnerabilities have been resolved.

    c. Document the remediation process and outcomes for future reference.

  5. Continuous Monitoring and Reassessment:

    a. Continuously monitor the IT environment for new vulnerabilities and potential changes in risk profiles.

    b. Schedule regular vulnerability assessments to identify and address emerging vulnerabilities proactively.

    c. Review the remediation plan regularly to ensure it remains relevant and effective in addressing current threats.

Types of Vulnerability Assessments

Vulnerability assessments are a crucial aspect of cybersecurity, helping organizations identify and address weaknesses in their systems and networks before they can be exploited by attackers. Various types of vulnerability assessments are employed to target specific areas of an organization’s infrastructure. Here’s a comprehensive overview of the main types:

Assessment Type Description
Active Assessment Uses a network scanner to find hosts, services, and vulnerabilities
Passive Assessment Used to sniff the network traffic to discover present active systems, network services, applications, and vulnerabilities present
External Assessment Assesses the network from a hacker’s perspective to discover exploits and vulnerabilities that are accessible to the outside world
Internal Assessment Scans the internal infrastructure to discover exploits and vulnerabilities
Database Assessment Focuses on testing databases, such as MYSQL, MSSQL, ORACLE, POSTGRESQL, etc., for the presence of data exposure or injection type vulnerabilities
Wireless Network Assessment Determines the vulnerabilities in the organization’s wireless networks
Distributed Assessment Assesses the distributed organization assets, such as client and server applications, simultaneously through appropriate synchronization techniques
Credentialed Assessment Assesses the network by obtaining the credentials of all machines present in the network
Non-Credentialed Assessment Assesses the network without acquiring any credentials of the assets present in the enterprise network
Manual Assessment In this type of assessment, the ethical hacker manually assesses the vulnerabilities, vulnerability ranking, vulnerability score, etc.
Automated Assessment In this type of assessment, the ethical hacker employs various vulnerability assessment tools, such as Nessus, Qualys, GFI LanGuard, etc.
Network-based Assessment This method scans the entire network, including routers, switches, and firewalls, to identify vulnerabilities in network devices and protocols.
Host-based Assessment This approach focuses on individual computers, servers, and other endpoints within the network. It involves scanning each device’s operating system, applications, and software to identify vulnerabilities.
Application-based Assessment This type of assessment targets web applications and mobile apps to identify security flaws that could allow attackers to steal data, compromise user accounts, or disrupt application functionality.
API-based Assessment This method focuses on application programming interfaces (APIs), which are the interfaces that allow different applications to communicate with each other. It involves scanning APIs to identify vulnerabilities.
Wireless network Assessment This assessment targets wireless networks, including access points, routers, and client devices, to identify vulnerabilities that could allow attackers to intercept data, gain unauthorized access to the network, or disrupt network connectivity.
Database Assessment This type of assessment focuses on databases, which store critical organizational data. It involves scanning databases to identify vulnerabilities that could allow attackers to steal data, manipulate data, or disrupt database operations.
Physical security Assessment This assessment focuses on physical security measures, such as access control systems, security cameras, and physical barriers, to identify vulnerabilities that could allow unauthorized physical access to sensitive areas or assets.
Social engineering Assessment This assessment evaluates the organization’s susceptibility to social engineering attacks, which involve tricking employees into revealing sensitive information or taking actions that compromise security.
Supply chain Assessment This assessment focuses on the organization’s supply chain partners to identify vulnerabilities that could allow attackers to infiltrate the organization through third-party vendors or suppliers.
Configuration Assessment This assessment evaluates the configuration of systems, devices, and applications to ensure they are configured securely and in accordance with industry best practices. It identifies misconfigurations that could expose vulnerabilities.

The specific type of vulnerability assessment chosen depends on the organization’s risk profile, assets, and compliance requirements. Regular vulnerability assessments are essential for maintaining a strong cybersecurity posture and mitigating the risk of cyberattacks.

Vulnerability Assessment Report Components

A vulnerability assessment report is a crucial document that outlines the identified vulnerabilities in an organization’s IT infrastructure. It provides a detailed overview of the vulnerabilities, their potential impact, and recommended remediation steps. The report should be comprehensive and easy to understand, enabling stakeholders to make informed decisions about risk management and security posture.

Key Components of a Vulnerability Assessment Report:

  1. Executive Summary: This section provides a concise overview of the assessment, including the scope, methodology, and key findings. It should highlight the most critical vulnerabilities and their potential impact on the organization.

  2. Assessment Overview: This section details the scope of the assessment, including the systems, networks, and applications that were scanned. It should also outline the methodology used for scanning and vulnerability analysis.

  3. Vulnerability Findings: This section provides a detailed list of all identified vulnerabilities, including their vulnerability ID, severity level, description, potential impact, and recommended remediation steps. Each vulnerability should be clearly explained and categorized based on its severity.

  4. Remediation Plan: This section provides a comprehensive plan for remediating the identified vulnerabilities. It should include specific tasks, timelines, and responsible parties for each vulnerability.

  5. Risk Assessment: This section assesses the overall risk posed by the identified vulnerabilities. It should consider the severity of the vulnerabilities, their potential impact, and the likelihood of exploitation.

  6. Conclusion: This section summarizes the key findings of the report and provides recommendations for ongoing vulnerability management. It should emphasize the importance of continuous monitoring and regular vulnerability assessments.

  7. Appendices: This section includes any additional information that may be relevant to the assessment, such as detailed vulnerability descriptions, scan logs, or remediation scripts.

Additional Considerations:

  1. Clear and Concise Language: The report should be written in clear and concise language that is easy to understand for both technical and non-technical audiences. Avoid using overly technical jargon and provide explanations for complex concepts.

  2. Prioritization: Clearly prioritize the vulnerabilities based on their severity and potential impact. This will help stakeholders focus on the most critical risks first.

  3. Actionable Recommendations: Provide actionable recommendations for remediating the identified vulnerabilities. These recommendations should be specific, achievable, relevant, and time-bound (SMART).

  4. Regular Updates: The report should be reviewed and updated regularly to reflect changes in the IT environment and new vulnerabilities that may emerge.

  5. Executive Communication: Share the report with key executives and stakeholders to ensure that they are aware of the identified risks and the plans for remediation.

By incorporating these components and considerations, organizations can create comprehensive and informative vulnerability assessment reports that effectively communicate risk and guide security decision-making.

OpenVAS (Open Vulnerability Assessment System)

OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner used for discovering and managing vulnerabilities in systems and networks. To perform vulnerability analysis using OpenVAS:

Setting Up OpenVAS:

Installation:

  • Install OpenVAS on your system or use a pre-configured virtual appliance available through platforms like Kali Linux or others that come with OpenVAS pre-installed.

Initial Configuration:

  • Access the OpenVAS web interface using a browser by navigating to the URL where OpenVAS is running (usually on port 9392 or similar).
  • Follow the setup wizard to configure and initialize OpenVAS.

Performing Vulnerability Scans:

Create a Target:

  • Define the target to scan, which can be an IP range, specific IP addresses, or domain names.

Create a Scan Task:

  • Set up a scan task within OpenVAS, specifying the target(s) and the type of scan (e.g., full scan, fast scan, specific vulnerability checks).

Run the Scan:

  • Start the scan task and let OpenVAS analyze the specified targets for vulnerabilities.

Review Scan Results:

  • Once the scan is complete, review the results provided by OpenVAS. It will list the identified vulnerabilities along with their severity, description, and potential impact.

Prioritize and Mitigate:

  • Prioritize the vulnerabilities based on their severity ratings provided by OpenVAS. Focus on fixing critical and high-severity issues first.

Generate Reports:

  • OpenVAS usually offers report generation features. Create reports to document the vulnerabilities discovered, their severity, and suggested remediation steps.

Regular Scanning and Maintenance:

Schedule Regular Scans:

  • Set up regular scanning schedules to continuously monitor for new vulnerabilities or changes in the system’s security posture.

Address and Remediate Vulnerabilities:

  • Use the information provided by OpenVAS to patch, update, or mitigate the vulnerabilities found in your systems.

OpenVAS is a powerful tool, but it’s essential to interpret its results correctly and complement its findings with other security practices to ensure a robust and secure system or network.

Perform Vulnerability Scanning using Nessus

Nessus is an assessment solution for identifying vulnerabilities, configuration issues, and malware, which can be used to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies such as OSes, network devices, hypervisors, databases, tablets/phones, web servers, and critical infrastructure.

Setting Up Nessus:

Installation:

  • Download and install Nessus from the Tenable website or use a pre-configured virtual appliance.

Initial Configuration:

  • Access the Nessus web interface by navigating to the URL where Nessus is running (usually on port 8834).
  • Follow the setup wizard to configure and initialize Nessus, setting up administrative credentials and other necessary settings.

Performing Vulnerability Scans:

Create a new Policy:

  • Create a new policy and add the credentials set.

Create a New Scan:

  • In the Nessus web interface, navigate to the “Scans” tab and click on “New Scan.”
  • Configure the scan settings:
    • Targets: Define the targets to scan, such as IP addresses, ranges, or domains.
    • Scan Policy: Select a predefined scan policy or create a custom policy specifying the types of vulnerabilities to check.
    • Schedule: Set up a scan schedule if needed.

Start the Scan:

  • Once the scan settings are configured, start the scan task. Nessus will begin scanning the specified targets for vulnerabilities based on the chosen policy.

Review Scan Results:

  • After the scan completes, review the results in the Nessus interface. It will display identified vulnerabilities along with severity ratings, descriptions, and potential solutions.

Prioritize and Remediate:

  • Prioritize the vulnerabilities based on their severity ratings provided by Nessus. Focus on addressing critical and high-severity issues first.

Generate Reports:

  • Nessus typically offers reporting capabilities. Generate reports summarizing the vulnerabilities found, their severity, and recommended actions for mitigation.

Regular Scanning and Maintenance:

Scheduled Scans:

  • Set up recurring scans to continuously monitor for new vulnerabilities or changes in the system’s security posture.

Address Vulnerabilities:

  • Use the information provided by Nessus to apply patches, updates, or other mitigations for the vulnerabilities identified in your systems.

Nessus is a robust tool, but combining it with other security practices ensures a comprehensive approach to safeguarding your systems or networks.

OpenVAS and Nessus are two softwares for running vulnerability assessments.

Perform Web Servers and Applications Vulnerability Scanning using CGI Scanner Nikto

Nikto is an open-source web server scanner used for performing comprehensive security audits on web servers. It’s designed to detect potential vulnerabilities, misconfigurations, outdated software, and other security issues within web servers and web applications.

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options; it will also attempt to identify installed web servers and software.

nikto -h displays short help format and nikto -H shows full help format.

nikto -h https://www.google.com -Tuning x Here -h specifies the target and tuning value is set to x which means nikto will perform the scan with all tuning options enabled.

We can check for CGI directories using the -Cgidirs option. Use -Cgidirs all option in nikto command as shown below:

nikto -h https://www.google.com -Cgidirs all

We can also save the output to a file using -o fileName parameter. nikto -h https://www.google.com -o OutputFile -F txt

Your inbox needs more DevOps articles.

Subscribe to get our latest content by email.