Vulnerability Scanning
Threats have the potential to steal or damage data, disrupt business, or create harm in general.
Vulnerability refers to a weakness in your hardware, software, or procedures. It’s a gap through which a bad actor can gain access to your assets. In other words, threats exploit (take advantage of) vulnerabilities.
Cyber risk is the intersection of assets, threats, and vulnerabilities. It’s the potential for loss, damage, or destruction of an asset when a threat takes advantage of a vulnerability.
Threats + Vulnerability = Risk
Vulnerability Scanning
· The result of a vulnerability scan is a list of all the systems found and identified on the network,
highlighting any that have known vulnerabilities that may need attention.
Vulnerability scanning
• This is an integral component of a vulnerability management program, which has one overarching
goal – to protect the organization from breaches and the exposure of sensitive data.
• Two big challenges related to traditional vulnerability assessment – knowing what to scan and
knowing when to scan.
• Vulnerability scanning lets you take a proactive approach to close any gaps and maintain strong
security for your systems, data, employees, and customers.
Vulnerability Scanning
• Scanners use predefined tests to identify vulnerabilities (also called vulns for short).
• If the scanner lacks a test (or the test is inadequate), then it may produce a false negative, where a
vulnerability exists on a system but the scanner does not report it.
• A scanner might also lack a test because a vulnerability has not been publicly disclosed (commonly
called a zero-day vulnerability) or the scanner’s developers are unaware of it. They represent a gap in
knowledge between the attacker and defender.
• If the scanner has a poorly written test, then it may produce a false positive, where a vulnerability does
not exist on a system but the scanner reports it as vulnerable. This produces undue worry about the
risk of a system and wastes time, as administrators must follow up to manually confirm or disconfirm the
vulnerability.
Vulnerability Scanning
For example, a network scan must first identify “live” hosts that respond to traffic,
then use network probes to determine the host’s operating system,
then enumerate services available on the host,
and then identify details about each service.
Open Port/Service Identification
• A port is basically a way to help systems identify, establish and transmit data from one side to the other.
• Ports are an integral part of the Internet's communication model. They are the channel through which applications
on the client computer can reach the software on the server.
• The design and operation of the Internet is based on the Internet Protocol Suite, commonly also called TCP/IP.
• Network services are referenced using two components - a host address and a port number.
• There are 65536 distinct and usable port numbers.
• Some examples of service ports used are HTTP (port 80), FTP (port 21), SMTP (port 25), telnet (port 23), etc.
• “Virtual ports” can be “open” (used) or “closed” (free).
• An open port refers to a TCP or UDP port number that is actively accepting packets. In other words, behind it is a
system that is receiving communication. A closed port, on the other hand, rejects or ignores packets.
• A port is “opened” when a server is listening on it for a message.
• Attackers can easily exploit weaknesses in the applications listening on a port.
Open Port/Service Identification
• A port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of
finding an active port.
• The majority of uses of a port scan are not for attacks, but for simple probes to determine services available
on a remote machine.
• Services do not always run on default ports. If a port is open (used), the service behind it can be listening on any number in the
1-65535 range.
• Once a service is bound to a certain port number, no other service can run on that same port.
• Relying purely on port numbers and assumed services to identify vulnerabilities is unreliable and indeterminate.
Banner/Version Check
• A banner is simply the text that is displayed by a host that provides details such as the type and
version of software running on the system or server.
• The banner displays the software version number and other system information of the network
server, giving cyber criminals an advantage in cyber attacks.
Banner grabbing is an enumeration technique, which is designed to determine the brand, version,
operating system, web server or other relevant information about a particular service or application
running on its open ports.
Banner/Version Check
• System administrators usually remove or change banners to make them less
verbose.
• An intruder/hacker can use banner grabbing in order to find network hosts that
are running versions of applications and operating systems with known exploits.
• This information may be used by an administrator to catalog the system, or by an
intruder to narrow down a list of applicable exploits.
• To prevent this, network administrators should restrict access to services on their
networks and shut down unused or unnecessary services running on network
hosts.
Banner/Version Check
Example: One could establish a connection to a target web server using Netcat and
then send an HTTP request. The response will typically contain information
about the service running on the host.
Some examples of service ports used for banner grabbing are
· Hyper Text Transfer Protocol (HTTP) – port 80
· File Transfer Protocol (FTP) – port 21
· Simple Mail Transfer Protocol (SMTP) – port 25
Tools commonly used to perform banner grabbing are Telnet, nmap, zmap and
Netcat.
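The scan pipeline described on the earlier slides (find live ports, probe each one, read the banner, then check the identified version) in one runnable piece. This is an added example, not code from the original slides: it starts a throwaway listener on the loopback interface that answers with a constructed `Server: ExampleHTTPd/1.2.3` banner, runs a plain TCP connect scan against it, grabs and parses the banner, and compares the version to a hypothetical vulnerable-version table. The product name, version numbers and the `KNOWN_VULNERABLE` table are all made up for the example.

```python
import re
import socket
import threading

# Constructed banner for the throwaway loopback listener. The product name
# "ExampleHTTPd" and the version table below are hypothetical, not a real advisory.
FAKE_BANNER = (b"HTTP/1.1 200 OK\r\n"
               b"Server: ExampleHTTPd/1.2.3\r\n"
               b"Content-Length: 0\r\n\r\n")

# Hypothetical scanner "test": product -> versions the test flags as vulnerable.
KNOWN_VULNERABLE = {"ExampleHTTPd": {"1.2.3", "1.2.4"}}

BANNER_RE = re.compile(r"^Server:\s*([A-Za-z0-9_-]+)/([0-9][0-9A-Za-z.]*)", re.M)


def start_fake_service(host="127.0.0.1"):
    """Listen on an OS-assigned loopback port and answer each connection with FAKE_BANNER.
    Returns (stop_event, listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)            # lets the accept loop notice the stop flag
    stop = threading.Event()
    port = srv.getsockname()[1]

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break              # listening socket was closed
            with conn:
                try:
                    conn.settimeout(1.0)
                    conn.recv(1024)            # read the probe; contents are ignored
                    conn.sendall(FAKE_BANNER)
                except OSError:
                    pass                       # client hung up early (bare connect scan)

    threading.Thread(target=serve, daemon=True).start()
    return stop, srv, port


def scan_ports(host, ports, timeout=0.3):
    """Stage 1/2: which ports complete a TCP handshake (a plain 'connect' scan)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Stage 3: send a minimal HTTP request and return whatever the service says about itself."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(4096).decode(errors="replace")
        except socket.timeout:
            return ""                          # silent service: nothing to parse


def parse_server_header(banner):
    """Stage 4: pull (product, version) out of a Server: header, or None if there is none."""
    m = BANNER_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def assess(product_version):
    """Compare the identified version against the vulnerable-version table.
    'unknown' means no version was recoverable: report that rather than guess."""
    if product_version is None:
        return "unknown"
    product, version = product_version
    return "vulnerable" if version in KNOWN_VULNERABLE.get(product, set()) else "not-flagged"


def scan_host(host, ports):
    """Whole pipeline: live ports -> banner -> product/version -> assessment, keyed by port."""
    report = {}
    for port in scan_ports(host, ports):
        pv = parse_server_header(grab_banner(host, port))
        report[port] = {"service": pv, "status": assess(pv)}
    return report


def demo():
    """Bring up the fake service, scan a small window around it, tear it down.
    Returns (report, fake_port)."""
    stop, srv, port = start_fake_service()
    try:
        return scan_host("127.0.0.1", [port - 1, port, port + 1]), port
    finally:
        stop.set()
        srv.close()


if __name__ == "__main__":
    report, port = demo()
    for p, r in sorted(report.items()):
        print(f"{p}/tcp  service={r['service']}  status={r['status']}")
```

Two things the example makes concrete: the check is driven by what the service says about itself, not by the port number, which is why the slide calls port-number-only identification unreliable; and a banner that an administrator has stripped yields `unknown`, not a clean bill of health, so the scanner reports the gap instead of silently producing a false negative.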
TRAFFIC PROBE
➢ Some security bugs can’t be identified without sending a payload that exploits a suspected
vulnerability. These types of probes are more accurate because they rely on direct observation
rather than inference from port numbers or service banners.
➢ But they also carry more risk of interrupting the service, because the test payload must be
trying to either produce or take advantage of an error in the service’s code.
VULNERABILITY PROBE
• The malicious user sends HTML code through any vulnerable field in order to change the website’s
design or any information that is displayed to the user.
• The data sent during this type of injection attack may vary widely. It can be a few HTML tags that
will just display the sent information.
• It can also be a whole fake form or page. When this attack occurs, the browser usually interprets malicious
user data as legitimate and displays it.
VULNERABILITY EXAMPLES
· Command injection attacks are possible when an application passes unsafe user
supplied data (forms, cookies, HTTP headers etc.) to a system shell (command line
interface).
· This vulnerability can have many consequences, like disclosure of a user's session
cookies that could be used to mimic the victim, or, more generally, it can allow the
attacker to modify the page content seen by the victims.
· This injection allows the attacker to send a malicious HTML page to a victim. The
targeted browser will not be able to distinguish the trusted part from the malicious
parts and consequently will execute all like a trusted part in the victim system.
VULNERABILITY EXAMPLES
• SQL injection
· SQL injection is a code injection technique that might destroy your
database.
· SQL injection is the placement of malicious code in SQL statements, via web page
input.
· SQL injection usually occurs when you ask a user for input, like their
username/user id, and instead of a name/id, the user gives you an SQL statement
that you will unknowingly run on your database.
• Buffer overflow
· A buffer overflow occurs when a program attempts to write more data to a fixed-length
block of memory, or buffer, than the buffer is allocated to hold.
· Since buffers are created to contain a defined amount of data, the extra data can
overwrite data values in memory addresses adjacent to the destination buffer unless
the program includes sufficient bounds checking to flag or discard data when too much
is sent to a memory buffer.
· Most bugs arise from mistakes and errors made in either a program's source code
or its design, or in components and operating systems used by such programs.
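The three injection examples above (HTML injection, command injection, SQL injection) share one root cause: untrusted input reaches an interpreter as part of its syntax rather than as data. The following added example, which is not code from the original slides, shows each one as a vulnerable function beside its hardened counterpart so the difference is visible in a test. It assumes nothing outside the Python standard library; the user table is constructed in memory, `echo` stands in for a real network tool so the command example runs offline, and all inputs and the "ExampleHTTPd"-style names are made up.

```python
import html
import re
import sqlite3
import subprocess

# ---- SQL injection: input spliced into SQL text vs. bound parameters ----------

def make_db():
    """Constructed in-memory user table (sample data, not from any real system)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """The pattern the slide describes: the user's text becomes part of the statement."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, password):
    """Same query with placeholders: the driver binds input as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


# ---- Command injection: shell string vs. argument list plus an allow-list ------

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")   # DNS-style names only


def lookup_vulnerable(host):
    """shell=True means metacharacters in `host` are interpreted by /bin/sh.
    `echo` stands in for a real network tool so the example runs offline."""
    return subprocess.run(f"echo resolving {host}", shell=True,
                          capture_output=True, text=True).stdout


def lookup_safe(host):
    """Validate against an allow-list, then pass argv as a list with no shell involved."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


# ---- HTML injection: raw interpolation vs. output encoding --------------------

def render_vulnerable(name):
    """User text is dropped straight into markup, so tags in it become part of the page."""
    return f"<p>Welcome, {name}</p>"


def render_safe(name):
    """html.escape turns < > & \" ' into entities, so the browser shows them as text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "bob' --"   # constructed input: closes the quote and comments out the password check
    print("vulnerable login:", login_vulnerable(db, probe, "wrong"))
    print("safe login:     ", login_safe(db, probe, "wrong"))
    print(lookup_vulnerable("example.test; echo INJECTED"), end="")
    print(render_safe("<b>x</b>"))
```

In each pair the fix is the same shape: keep the interpreter from seeing user input as code, by binding parameters, by avoiding the shell and validating against an allow-list, or by encoding output for the context it lands in. Scanners flag these classes by sending probe inputs and watching for the symptoms (a changed query result, an unexpected command output, a tag reflected unescaped), which is the "vulnerability probe" idea from the earlier slide.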