Vulnerability Scanning

In this article I am going to discuss the basics of Vulnerability Scanning: the big picture, what the scanning objectives should be, and how to turn the findings into conclusions.

Firstly we need to understand Vulnerability Assessment and when to perform Vulnerability Scanning.

Vulnerability Assessment (VA) is the process of finding weaknesses in an environment: misconfigurations, design flaws and other security concerns that could allow the application to be exploited.

Vulnerability Scanning (VS) is one phase of the VA life-cycle.

What is a VA Life-Cycle?

  1. Creating a Baseline: This is the preparation phase, where the Penetration Tester (PT) gathers information about the network, the architecture, site operations and so on. The PT also needs to understand the security controls, policies and standards the organisation follows, because findings are later judged against them.
  2. Vulnerability Scanning (VS): In this stage the PT tests with scanning tools, probing each component in the architecture for misconfigurations, default settings, outdated software and similar issues. At the end of testing, the findings are reported with every detected vulnerability, its scope and its priority. More on VS after the life-cycle.
  3. Risk Assessment (RA): Once the VS report is generated it goes through an RA with the key stakeholders: assess the impact of each finding, build a roadmap for the high-impact issues, propose controls and agree the mitigations.
  4. Remediation: The mitigations agreed in the RA are implemented in this phase.
  5. Verification: Each proposed mitigation is now checked to confirm that it was actually implemented and that it closes the finding (a re-scan of the affected component is the usual check).
  6. Monitor: Once the mitigations are in place the environment is monitored, and the effectiveness of the controls is reported, so that regressions and new weaknesses are caught.

What does a PT look for in a VS?

  1. Banner Grabbing: Scan the system for unwanted open ports and the services behind them (for example port 21, FTP) and capture the service banners, which commonly disclose the product, its version and details of the OS (type, version and so on). The simplest way to start is an Nmap scan with version detection enabled.
  2. Admin services: From the Nmap results, check whether unnecessary administrative services are exposed, such as Telnet, FTP or SSH reachable from networks that have no business reaching them.
  3. Default configurations: Once you identify admin pages or consoles, try the vendor's default login credentials. More often than not the defaults have not been changed.
  4. HTTP methods: Check which HTTP methods the server accepts (an OPTIONS request normally returns them in the Allow header). Methods such as PUT and DELETE are potentially exploitable because they can create or remove content on the server.
  5. Sensitive data in code comments: Developers sometimes leave sensitive information in HTML or script comments, such as a username and password for a database, or details of the databases and servers in use. All of this helps an attacker footprint the target.
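As an added example (not code from the original article), the script below performs three of the checks listed above in Python against a web target: it reads the Server banner, asks the server which HTTP methods it allows with an OPTIONS request, and looks for credential-like strings inside HTML comments. To keep it runnable offline the target is a constructed local `http.server` that deliberately exhibits all three weaknesses; the version string, the Allow header and the leaked comment are made up for the demonstration. Only point `scan()` at a host you are authorised to test.

```python
"""Passive-style checks of the kind a vulnerability scanner runs against a
web target: server banner, allowed HTTP methods and secrets in HTML comments.

Added example, not from the original article. The target below is a
constructed, deliberately weak local server so the script runs offline.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed page: a developer left database credentials in a comment.
SAMPLE_HTML = b"""<html><head><title>Intranet</title></head>
<body>
<!-- TODO remove before go-live: db=orders host=10.0.0.12 user=app pwd=Summer2019! -->
<h1>Welcome</h1>
</body></html>"""

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
SECRET_RE = re.compile(r"(pass(word)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


class WeakHandler(BaseHTTPRequestHandler):
    """Constructed target: verbose banner, permissive methods, leaky comment."""
    server_version = "Apache/2.2.15"  # made-up old version string for the Server header
    sys_version = ""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(SAMPLE_HTML)))
        self.end_headers()
        self.wfile.write(SAMPLE_HTML)

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target():
    """Start the constructed target on an ephemeral port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), WeakHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def scan(host, port, path="/"):
    """Return findings for the target as a list of (check, detail) tuples."""
    findings = []
    conn = http.client.HTTPConnection(host, port, timeout=5)

    # 1. Banner grabbing: the Server header often leaks product and version.
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    server = resp.getheader("Server")
    if server and re.search(r"\d", server):
        findings.append(("banner", f"Server header discloses version: {server.strip()}"))

    # 2. HTTP methods: OPTIONS asks the server what it will accept.
    conn.request("OPTIONS", path)
    opt = conn.getresponse()
    opt.read()
    allow = opt.getheader("Allow") or ""
    risky = sorted(RISKY_METHODS & {m.strip().upper() for m in allow.split(",")})
    if risky:
        findings.append(("methods", f"Risky methods allowed: {', '.join(risky)}"))

    # 3. Sensitive data in code comments: credential-looking tokens inside <!-- -->.
    for comment in COMMENT_RE.findall(body):
        if SECRET_RE.search(comment):
            findings.append(("comment", comment.strip()))
    conn.close()
    return findings


if __name__ == "__main__":
    srv, port = start_target()
    for check, detail in scan("127.0.0.1", port):
        print(f"[{check}] {detail}")
    srv.shutdown()
```

Each check mirrors what a scanner like ZAP reports: the banner and comment checks need nothing more than the traffic a normal page load produces, while the OPTIONS probe is one extra, harmless request. Against a real target the same three findings would go into the VS report with a priority, ready for the risk assessment step.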

 

A word of caution: it is illegal to run VS tools against systems without the consent of their owner. Make sure you have written permission before you scan, because this is the step where you cross a legal boundary.

How to perform VS using Zed Attack Proxy (ZAP):

There are two major types of scan in ZAP: Active Scan and Passive Scan.

A Passive Scan only inspects the requests and responses that already pass through the proxy (while you browse or spider the site) and sends nothing extra to the target, so it cannot alter anything on the server but also finds only what is visible in normal traffic, such as missing security headers or information leaks in responses. An Active Scan sends crafted requests, such as XSS and SQL injection payloads, to the live system; it finds far more, but it generates attack traffic and must only be run against systems you are authorised to attack.

The open-source OWASP tool ZAP is quite handy for performing VS. OWASP also provides free, deliberately vulnerable applications so you can practise locally and learn more about VS; one useful example is the OWASP Juice Shop web application. It installs easily in a Docker container, and you can then point ZAP at it and spider, actively scan and otherwise attack it without touching anyone else's system.

Spidering the target: Using ZAP or Burp Suite, you can spider the website to enumerate its resources, URLs and links. The responses gathered while spidering are analysed passively, and the discovered URLs and parameters become the input for the Active Scan, which launches web application attacks against each of them.

Fuzzing: ZAP can fuzz a request: you mark a parameter and it substitutes payloads from a list, replaying the request once per payload so the responses for many different inputs can be compared. You may be surprised how much the response data reveals; differences in status code, length or error text between payloads often expose input handling, error pages and stack traces that normal browsing never shows, so keep an eye on them.

Forced Browsing: With this capability ZAP requests files and directories from a wordlist of common names (backup copies, administrative consoles, configuration files) whether or not anything on the site links to them. It is an extension of spidering: the spider only follows links, whereas forced browsing uncovers the unlinked resources, which is often where sensitive data sits.

Man-In-The-Middle (MITM) position: ZAP is also a good intercepting proxy, sitting between your browser and the server. Follow the instructions to install ZAP's root CA certificate in your browser's trust store and you can then monitor and tinker with the HTTPS traffic from your browser to the server. Intercept a request, modify the payload and observe how the server responds to input the client would never normally send.

A PT should also run a website mirroring tool such as wget to download the site's static content and search it offline for vulnerabilities, such as sensitive comments, exposed scripts and interesting paths.

Next Steps:

Try ZAP hands-on (for example in a VirtualBox VM running Kali Linux) to understand the basics of VS. At the end you will need to produce a VS report for senior management, which drives the next steps: planning the Risk Assessment and the mitigations described in the VA life-cycle above.

Once you have the basics sorted, a good site for challenging your VS skills is VulnHub; I recommend trying it.

#CyberSecurityForIntermediate #VulnerabilityScanning