eCPPTv2 Notes
Vulnerability Assessment

5.1. Vulnerability Assessment

The vulnerability assessment phase is aimed at building a list of the vulnerabilities present on target systems. The penetration tester has to carry out a vulnerability assessment on each target found in the previous steps.

The next phase, exploitation, will walk through this list to exploit the systems; the bigger the list, the greater the chance of exploiting in-scope assets.

There are two ways to carry out a vulnerability assessment: manually or using automated tools.

Vulnerability assessment tools are scanners that send probes to the target systems in order to detect whether a host has some well known vulnerabilities.

Once the vulnerability scan is complete, the scanner will deliver a report that the pen-tester can use in the exploitation phase.

Although automated scanners are able to perform a significant number of probes, it is extremely important to configure them properly. One of the ways we do this is by leveraging the information collected in the previous steps.

If you do not configure them properly, the scanners will blindly perform all of their probes, including probes that do not even apply to the target or to the technologies the target runs.

This increases the chance of crashing services and also takes more time than necessary.

Most of the time, this phase is completed by using both automated scanners and manual inspection.

Automated tools can help carry out a penetration test, however, they cannot perform a penetration test on their own.

5.1.1. Vulnerability Scanners

A vulnerability assessment, in the same manner as a penetration test, can be carried out both locally and remotely.

Checking one or more systems for all the known vulnerabilities would be infeasible, so penetration testers can use a vulnerability scanner to help streamline the process.

Please take into consideration that this is a very loud process and therefore, if stealth is a necessity for a pen-test, vulnerability scanners are probably not the best idea.

Scanners use a database of known vulnerabilities to detect the vulnerabilities of a system.

Scanners perform their probes on:

  • Daemons listening on TCP and UDP ports

  • Configuration files of the OS, software suites, network devices, etc.

  • Windows registry entries

The purpose is to find vulnerabilities and misconfigurations.

The scanner's vendor keeps the tools and its database up to date with both new security checks and vulnerability signatures. The newer the database updates, the better and more relevant the scan results will be.

5.1.2. Nessus

Nessus is composed of two components: a client and a server. We will use the client to configure the scans, while the server actually performs the scanning process and reports the results back to the client.

The client component offers a web interface to interact and configure your scans.

The server component performs the scan by sending probes to systems and applications, collecting the responses and matching them against its vulnerability database.

You can run both components on the same machine, therefore making it both a simple and effective configuration for a home network or a lab environment.

Every vulnerability scanner roughly performs the same steps during a scan. The first step is determining if the target hosts are alive and subsequently, which ports are open on them. In order to do that, the vulnerability scanner performs a port scan to test for open ports on the system(s). The more accurate the port scan, the more useful the results of the scanner will be.

For every port found, the vulnerability scanner will send special probes to determine which application (name and version) is running on them.

For each detected service (also known as daemon), the scanner queries its database looking for known vulnerabilities.

When configuring the scanner, you can choose which vulnerabilities you want to check for. This highly depends upon the type of pen-test you are running, the scope of the engagement and the agreements with your particular client.

Example:
  You can configure a scanner to ignore the OS vulnerabilities and test only known web server vulnerabilities.

Then the scanner sends probes to verify whether the vulnerability actually exists. This phase is, however, highly prone to false positives, as some probes could be too mild to effectively identify a real vulnerability.
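As an added illustration (not part of these notes and not Nessus code), here is the matching and verification stage described above in miniature: services found by a port and service scan are matched against a small signature database, filtered by a scan policy such as "web servers only", and each match is marked as confirmed by a probe reply or as a version match only, which is where the false positives come from. All hosts, products, signature IDs, versions and replies are constructed placeholders.

```python
from collections import namedtuple
from typing import Callable, Dict, List, Set, Tuple

# One daemon found by the port/service scan; category ("web", "os", ...) is what the policy filters on.
Service = namedtuple("Service", "host port product version category")
# One database entry: versions below fixed_in match; marker (or None) is what a probe reply must contain.
Signature = namedtuple("Signature", "sig_id product fixed_in marker")
# verified=False means a version match only, i.e. a possible false positive.
Finding = namedtuple("Finding", "host port sig_id verified")

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))

def run_checks(services: List[Service], db: List[Signature], policy: Set[str],
               probe: Callable[[str, int], str]) -> List[Finding]:
    """Match in-policy services against the database, then confirm by probing."""
    out = []
    for svc in services:
        if svc.category not in policy:       # e.g. policy={"web"} skips OS checks
            continue
        for sig in db:
            if sig.product != svc.product or svc.version >= sig.fixed_in:
                continue
            # Active probe only where the database has one; otherwise report the version match as-is.
            reply = probe(svc.host, svc.port) if sig.marker else ""
            out.append(Finding(svc.host, svc.port, sig.sig_id, bool(sig.marker and sig.marker in reply)))
    return out

# Constructed sample data: placeholder products, IDs and versions, not real advisories.
SERVICES = [
    Service("10.0.0.5", 80, "example-httpd", parse_version("2.4.1"), "web"),
    Service("10.0.0.5", 22, "example-sshd", parse_version("7.9"), "os"),
    Service("10.0.0.7", 8080, "example-httpd", parse_version("2.4.1"), "web"),
]
DB = [
    Signature("SIG-WEB-0001", "example-httpd", parse_version("2.4.3"), "X-Debug: on"),
    Signature("SIG-OS-0001", "example-sshd", parse_version("8.0"), None),
]
# Stand-in for sending a request: canned replies (10.0.0.7 has the fix backported, banner unchanged).
REPLIES: Dict[Tuple[str, int], str] = {
    ("10.0.0.5", 80): "HTTP/1.1 200 OK\r\nX-Debug: on\r\n",
    ("10.0.0.7", 8080): "HTTP/1.1 200 OK\r\n",
}

def web_only_scan() -> List[Finding]:
    """Policy from the example above: ignore OS checks, test only web server signatures."""
    return run_checks(SERVICES, DB, {"web"}, lambda h, p: REPLIES.get((h, p), ""))
```

Running `web_only_scan()` reports both web hosts for SIG-WEB-0001, but only 10.0.0.5 as verified; the unverified 10.0.0.7 finding is exactly the kind of result that needs manual inspection before it goes into the exploitation list.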

There are a great many vulnerability scanners out there, such as [OpenVAS](http://www.openvas.org/), [Nexpose](http://www.rapid7.com/products/nexpose/index.jsp), or [GFI LAN Guard](http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard). Although they are all valid tools, in the next sections we will utilize [Nessus](http://www.tenable.com/products/nessus).

[Nessus](http://www.tenable.com/products/nessus) is a complex and powerful vulnerability assessment tool that lets you scan ports, find running services, and assess vulnerabilities on the remote server.

Last updated 4 years ago