Vulnerability Scanning


Vulnerability Scanning

Vulnerabilities are weaknesses or flaws present in the software or hardware of a system.


Difference:

Threat: Threats have the potential to steal or damage data, disrupt business, or create harm in general.

Vulnerability: Vulnerability refers to a weakness in your hardware, software, or procedures. It’s a gap through which a bad actor can gain access to your assets. In other words, threats exploit (take advantage of) vulnerabilities.

Risk: Cyber risk is the intersection of assets, threats, and vulnerabilities. It’s the potential for loss, damage, or destruction of an asset when a threat takes advantage of a vulnerability. Threats + Vulnerability = Risk
Vulnerability Scanning

· Vulnerability scanning is a security technique used to identify security weaknesses in a computer system.

· Vulnerability scanning can be used by individuals or network administrators for security purposes, or it can be used by hackers attempting to gain unauthorized access to computer systems.

· The result of a vulnerability scan is a list of all the systems found and identified on the network, highlighting any that have known vulnerabilities that may need attention.
Vulnerability scanning

• This is an integral component of a vulnerability management program, which has one overarching
goal – to protect the organization from breaches and the exposure of sensitive data.

• Traditional vulnerability assessment faces two big challenges – knowing what to scan and
knowing when to scan.

• Vulnerability scanning lets you take a proactive approach to close any gaps and maintain strong
security for your systems, data, employees, and customers.
Vulnerability Scanning

• Scanners use predefined tests to identify vulnerabilities (also called vulns for short).

• If the scanner lacks a test (or the test is inadequate), then it may produce a false negative, where a
vulnerability exists on a system but the scanner does not report it.

• A scanner might also lack a test because a vulnerability has not been publicly disclosed (commonly
called a zero-day vulnerability) or the scanner’s developers are unaware of it. Such vulnerabilities
represent a gap in knowledge between the attacker and the defender.

• If the scanner has a poorly written test, then it may produce a false positive, where a vulnerability does
not exist on a system but the scanner reports it as vulnerable. This produces undue worry about the
risk of a system and wastes time, as administrators must follow up to manually confirm or disconfirm the
vulnerability.
Vulnerability Scanning

For example, a network scan must first identify “live” hosts that respond to traffic,
then use network probes to determine the host’s operating system,
then enumerate services available on the host,
and then identify details about each service.
Open Port/Service Identification

• A port is basically a way to help systems identify, establish and transmit data from one side to the other.
• Ports are an integral part of the Internet's communication model. They are the channel through which applications
on the client computer can reach the software on the server.
• The design and operation of the Internet is based on the Internet Protocol Suite, commonly also called TCP/IP.
• Network services are referenced using two components - a host address and a port number.
• There are 65536 distinct and usable port numbers.
• Some examples of service ports are HTTP (port 80), FTP (port 21), SMTP (port 25) and Telnet (port 23).
• “Virtual ports” can be “open” (used) or “closed” (free).
• An open port refers to a TCP or UDP port number that is actively accepting packets. In other words, behind it is a
system that is receiving communication. A closed port, on the other hand, rejects or ignores packets.
• A port is “opened” when a server is listening on it for messages.
• Attackers can easily exploit weaknesses in the applications listening on a port.
Open Port/Service Identification

• A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of
finding an active port.

• The majority of uses of a port scan are not for attacks, but for simple probes to determine services available
on a remote machine.

• Services do not always run on default ports. If a port is open (used), the service can be listening on any number in the
1-65535 range.

• Once a service is listening on a certain port number, other services cannot be run on that same port.

• Relying purely on port numbers and services to identify vulnerabilities is unreliable and indeterminate.
Banner/Version Check

• A banner is simply the text that is displayed by a host that provides details such as the type and
version of software running on the system or server.
• This output reveals the software version number and other system information of the network
server, giving cyber criminals an advantage in cyber attacks.

Banner Grabbing (collecting banner information)

Banner grabbing is an enumeration technique, which is designed to determine the brand, version,
operating system, web server or other relevant information about a particular service or application
running on its open ports.
Banner/Version Check
• System administrators usually remove or change banners to make them less
verbose.
• An intruder/hacker can use banner grabbing in order to find network hosts that
are running versions of applications and operating systems with known exploits.
• This information may be used by an administrator to catalog the system, or by an
intruder to narrow down a list of applicable exploits.
• To prevent this, network administrators should restrict access to services on their
networks and shut down unused or unnecessary services running on network
hosts.
Banner/Version Check
Example: One could establish a connection to a target web server using Netcat and
then send an HTTP request. The response will typically contain information
about the service running on the host.
Some examples of service ports used for banner grabbing are
· Hyper Text Transfer Protocol (HTTP) – port 80
· File Transfer Protocol (FTP) – port 21
· Simple Mail Transfer Protocol (SMTP) – port 25

Tools commonly used to perform banner grabbing are Telnet, nmap, zmap and
Netcat.
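The port/service identification and banner grabbing described above, as an added example that is not part of the original slides: a small Python banner grabber that connects to a port, sends an HTTP request the way the Netcat example does, and parses the Server header out of the reply. The web server it talks to is a constructed stand-in on localhost (start_fake_server, FAKE_RESPONSE and HTTP_PROBE are all assumptions made for this example) so the code runs offline; point grab_banner at a host you administer to inventory what your own services disclose.

```python
import socket
import threading

# Request that makes an HTTP service reveal its banner. FTP, SMTP and SSH send
# a greeting as soon as you connect, so an empty probe is enough for them.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"

def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect to host:port, optionally send a probe, and return the first bytes
    the service replies with; None means the port is closed or stayed silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if probe:
                sock.sendall(probe)
            return sock.recv(1024)
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return None

def parse_http_banner(raw):
    """Pull the status line and the Server header out of an HTTP response."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    info = {"status": lines[0], "server": None}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            info["server"] = value.strip()
    return info

# Constructed stand-in for a web server so the example runs offline: it listens
# on an ephemeral localhost port and answers one request with a verbose Server
# header, the kind of banner an administrator would catalogue or trim.
FAKE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                 b"Content-Length: 0\r\n\r\n")

def start_fake_server(response=FAKE_RESPONSE):
    """Start the stand-in server in a thread and return the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)          # read the HEAD request
        conn.sendall(response)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run it as `parse_http_banner(grab_banner("127.0.0.1", start_fake_server(), HTTP_PROBE))`; the same two calls against a real host give the raw banner and the parsed version, and a None result is the scanner's signal that the port is closed.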
TRAFFIC PROBE

• A probe is a program or a device inserted at a key juncture in a network for the
purpose of monitoring or collecting data about network activity.

• Need for a traffic probe:

1. A traffic probe is needed to measure and collect data in large-scale networks.
2. To capture and process data in today’s high-speed networks.
3. To detect abnormal behavior and malicious network traffic.
4. To analyze traffic from embedded network devices.
VULNERABILITY PROBE

➢ Some security bugs can’t be identified without sending a payload that exploits a suspected
vulnerability. These types of probes are more accurate because they rely on direct observation
rather than inference from port numbers or service banners.

➢ But they also carry more risk of interrupting the service, because the test payload must
either trigger or take advantage of an error in the service’s code.
VULNERABILITY PROBE

• An easy-to-understand example of a vulnerability probe is an HTML injection check for a web
application.

• The essence of this type of injection attack is injecting HTML code through the vulnerable parts of the website.

• The malicious user sends HTML code through any vulnerable field with the purpose of changing the website’s
design or any information that is displayed to the user.

• The data sent during this type of injection attack can vary widely. It can be a few HTML tags that
simply display the sent information.

• It can also be a whole fake form or page. When this attack occurs, the browser usually interprets the malicious
user data as legitimate and displays it.
VULNERABILITY EXAMPLES

• Vulnerabilities are everywhere; some vulnerabilities are
• within the software
• within the networking protocols
• within configuration settings
• within hardware architecture
• or may arise through social engineering.
VULNERABILITY EXAMPLES
• OS command injection
· Command injection is an attack in which the goal is execution of arbitrary
commands on the host operating system via a vulnerable application.

· Command injection attacks are possible when an application passes unsafe user
supplied data (forms, cookies, HTTP headers etc.) to a system shell (command line
interface).

· In this attack, the attacker-supplied operating system commands are usually
executed with the privileges of the vulnerable application.
VULNERABILITY EXAMPLES
• HTML injection
· It is a type of injection issue that occurs when a user is able to control an input
point and is able to inject arbitrary HTML code into a vulnerable web page.

· This vulnerability can have many consequences, like disclosure of a user's session
cookies that could be used to mimic the victim, or, more generally, it can allow the
attacker to modify the page content seen by the victims.

· This injection allows the attacker to send a malicious HTML page to a victim. The
targeted browser will not be able to distinguish the trusted part from the malicious
parts and consequently will render all of it as trusted content on the victim’s system.
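The HTML injection check described in the vulnerability probe slides and the HTML injection weakness described here, as one added example that is not from the original slides: a page renderer that reflects user input unescaped beside its escaped form, and a probe that submits a harmless marker tag and reports whether it came back as live markup. TEMPLATE, PROBE_MARKER, render_vulnerable, render_safe and probe are all constructed for this example.

```python
import html

# Page template whose {name} slot is filled from user input (constructed).
TEMPLATE = "<html><body><p>Hello, {name}!</p></body></html>"

def render_vulnerable(name):
    """Copies the input straight into the page, so any tags the user sends
    become part of the document the victim's browser renders."""
    return TEMPLATE.format(name=name)

def render_safe(name):
    """Escapes <, >, & and quotes first, so the tags arrive as visible text
    and the browser never treats them as markup."""
    return TEMPLATE.format(name=html.escape(name, quote=True))

# Harmless marker the probe submits (constructed). It carries no script and
# changes nothing unless the application reflects it as live markup.
PROBE_MARKER = "<b>vscan-7f3a</b>"

def html_injection_reflected(page, marker=PROBE_MARKER):
    """Probe verdict: True when the marker comes back verbatim as markup,
    False when it is absent or was neutralised by escaping. A verbatim copy
    inside an HTML comment or <textarea> would still match, which is the kind
    of false positive the slides warn about, so keep the evidence for review."""
    return marker in page

def probe(render):
    """Run the check against a page-rendering function and return the verdict
    together with the evidence an administrator needs to confirm it by hand."""
    page = render(PROBE_MARKER)
    vulnerable = html_injection_reflected(page)
    if vulnerable:
        evidence = "reflected unescaped"
    elif html.escape(PROBE_MARKER, quote=True) in page:
        evidence = "reflected escaped"
    else:
        evidence = "not reflected"
    return {"vulnerable": vulnerable, "evidence": evidence}
```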
VULNERABILITY EXAMPLES
• SQL injection
· SQL injection is a code injection technique that might destroy your
database.

· SQL injection is the placement of malicious code in SQL statements, via web page
input.

· SQL injection usually occurs when you ask a user for input, like their
username/user id, and instead of a name/id, the user gives you an SQL statement
that you will unknowingly run on your database.
• Buffer overflow
· A buffer overflow occurs when a program attempts to write more data to a fixed
length block of memory, or buffer, than the buffer is allocated to hold.

· Since buffers are created to contain a defined amount of data, the extra data can
overwrite data values in memory addresses adjacent to the destination buffer unless
the program includes sufficient bounds checking to flag or discard data when too much
is sent to a memory buffer.

· Exploiting a buffer overflow allows an attacker to control or crash the process or to
modify its internal variables. Buffer overflow always ranks high in the Common
Weakness Enumeration (CWE).
• Bugs in the software
· A software bug is an error, flaw, failure or fault in a computer program or system
that causes it to produce an incorrect or unexpected result, or to behave in
unintended ways.

· Most bugs arise from mistakes and errors made in either a program's source code
or its design, or in components and operating systems used by such programs.
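The SQL injection scenario in the slides above (a user supplies an SQL statement where a username is expected), as an added example that is not part of the original slides: the vulnerable string-concatenated lookup beside the parameterised one, run against a constructed in-memory SQLite table so the difference in returned rows is visible offline. make_db, lookup_vulnerable, lookup_safe and compare are all constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """The slides' scenario: the username is pasted into the SQL text, so input
    that is itself SQL becomes part of the statement the database runs."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, username):
    """Parameterised query: the driver binds the input as a value, so it is
    never parsed as SQL no matter which characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()

def compare(username):
    """Run both lookups on the same input and report how many rows each returns.
    A row count that differs from the safe version, or a database error caused by
    a quote in otherwise ordinary input, is what a scanner's SQL injection test
    looks for. The vulnerable result is "error" when the statement fails to parse."""
    db = make_db()
    try:
        vulnerable = len(lookup_vulnerable(db, username))
    except sqlite3.Error:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "safe": len(lookup_safe(db, username))}
```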
