Unit 3 - Notes

INT245

Unit 3: Vulnerability Scan

1. Introduction to Vulnerability Scanning

Vulnerability scanning is the automated process of identifying security flaws within a network, system, or application. Unlike penetration testing, which exploits vulnerabilities to prove a breach, scanning focuses on identification, classification, and prioritization of weaknesses.

Key Objectives

  • Identification: Detecting known security exposures (CVEs), missing patches, and misconfigurations.
  • Compliance: Ensuring systems adhere to regulatory standards (PCI-DSS, HIPAA, GDPR).
  • Risk Assessment: Quantifying the potential impact of identified risks using metrics like CVSS.

2. Types of Scans

Vulnerability scans vary based on the target, the level of access, and the intensity of the scan.

A. Credentialed vs. Non-Credentialed Scans

  1. Non-Credentialed (Unauthenticated) Scan:
    • Perspective: Mimics an external attacker with no internal access.
    • Scope: Scans for open ports, protocols, and services visible from the outside.
    • Limitation: Cannot see missing local patches or client-side software vulnerabilities. It tends to generate more false positives.
  2. Credentialed (Authenticated) Scan:
    • Perspective: Mimics a trusted insider or compromised account.
    • Scope: Logs into the system to check registry keys (Windows), package versions (Linux), file permissions, and configuration files.
    • Benefit: Provides the most accurate data with fewer false positives.

B. Intrusive vs. Non-Intrusive Scans

  1. Non-Intrusive (Safe):
    • Identifies vulnerabilities by checking version numbers and observing how the target responds to ordinary handshake requests, without sending exploit payloads.
    • Use Case: Production environments where stability is critical.
  2. Intrusive (Dangerous):
    • Attempts to exploit the vulnerability to verify its existence (similar to a mini-penetration test).
    • Risk: Can crash services, reboot servers, or corrupt databases.

C. Network vs. Agent-Based Scans

  1. Network-Based: A central scanner reaches out across the network to scan targets. Requires firewall rules to allow the scanner access.
  2. Agent-Based: A small software agent is installed on the target host. It scans locally and reports back to the server. Useful for laptops and roaming devices not always on the corporate network.

3. Scanning Tools

A penetration tester must be proficient with industry-standard automated tools.

A. General Purpose Vulnerability Scanners

  • Nessus (Tenable): The industry standard. Uses a proprietary database of plugins to detect vulnerabilities. Excellent for configuration auditing and patch verification.
  • OpenVAS (Greenbone): The most popular open-source alternative to Nessus.
  • Nexpose (Rapid7): Integrates tightly with Metasploit, allowing testers to validate scans by attempting automated exploitation.
  • Qualys: A cloud-based vulnerability management solution widely used in enterprise environments.

B. Web Application Scanners

  • OWASP ZAP (Zed Attack Proxy): Open-source tool for finding vulnerabilities in web apps. Operates as a "Man-in-the-Middle" proxy.
  • Burp Suite Professional: The gold standard for web app testing. Includes an automated scanner that checks for SQL Injection, XSS, and logic flaws.
  • Nikto: A command-line scanner that checks for dangerous files/CGIs, outdated server software, and version-specific problems.

C. Network Discovery & Enumeration

  • Nmap (Network Mapper): While primarily a port scanner, Nmap includes the NSE (Nmap Scripting Engine) which can detect vulnerabilities.
    • Example Command: nmap -sV --script=vuln <target_ip>

4. Scanning Logical Vulnerabilities

Logical vulnerabilities (or Business Logic Flaws) differ from technical vulnerabilities (like Buffer Overflows or SQL Injection). They occur when an application functions technically correctly but allows an attacker to manipulate the workflow in unintended ways.

Characteristics of Logical Vulnerabilities

  • Not detectable by signatures: Automated scanners often miss these because there is no specific "malformed packet" to detect.
  • Context-dependent: Requires understanding the business rules of the application.

Common Logical Vulnerabilities

  1. Insecure Direct Object References (IDOR): Changing a URL parameter (e.g., user_id=100 to user_id=101) to access another user's data.
  2. Privilege Escalation: A lower-privileged user accessing admin functions by guessing or directly requesting an admin URL (forced browsing, e.g., browsing directly to /admin/deleteUser).
  3. Race Conditions: Exploiting the time gap between checking a condition and executing an action (e.g., redeeming a single-use coupon code twice by submitting both requests simultaneously).
  4. Parameter Tampering: Modifying price fields in an e-commerce cart (client-side) before submission (e.g., rewriting a laptop's price field to a much lower value).
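The three flaws above can be read as three missing server-side checks. The following is an added example (not code from the course notes or from any product): a constructed toy order service in Python that shows a coupon redemption written as check-then-act, which two concurrent requests can redeem twice, beside a version that performs the check and the update under one lock, plus the ownership check and server-side pricing that close the IDOR and parameter-tampering cases. The shop data, the coupon code and the item prices are constructed for the example.

```python
import threading
import time

# Constructed server-side state for a hypothetical shop (not from the notes).
CATALOG = {"laptop": 1000, "mouse": 25}          # authoritative prices
ORDERS = {"order-1": {"owner": "alice", "items": ["laptop"]},
          "order-2": {"owner": "bob", "items": ["mouse"]}}
COUPONS = {"SAVE10": {"used": False, "discount": 10}}
_coupon_lock = threading.Lock()


def get_order(order_id, requesting_user):
    """IDOR defence: look the object up AND check that the caller owns it.
    Treating 'missing' and 'not yours' the same avoids leaking existence."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != requesting_user:
        return None
    return order


def checkout_total(order_id, requesting_user, client_prices):
    """Parameter-tampering defence: client_prices is deliberately ignored and
    the total is recomputed from the server-side catalog."""
    order = get_order(order_id, requesting_user)
    if order is None:
        raise PermissionError("order not found for this user")
    return sum(CATALOG[item] for item in order["items"])


def redeem_coupon_unsafe(code):
    """Check-then-act with a window in between: the classic race condition."""
    coupon = COUPONS[code]
    if coupon["used"]:
        return False
    time.sleep(0.2)                 # simulates the gap (e.g. a DB round trip)
    coupon["used"] = True
    return True


def redeem_coupon_safe(code):
    """Check and update under one lock. In a real service the equivalent is an
    atomic UPDATE ... WHERE used = 0 or a SELECT ... FOR UPDATE."""
    with _coupon_lock:
        coupon = COUPONS[code]
        if coupon["used"]:
            return False
        time.sleep(0.2)
        coupon["used"] = True
        return True


def simultaneous_redemptions(redeem_fn, code, attempts=2):
    """Fire `attempts` concurrent redemptions and return how many succeeded."""
    COUPONS[code]["used"] = False   # reset the coupon between runs
    results = []
    threads = [threading.Thread(target=lambda: results.append(redeem_fn(code)))
               for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("IDOR: bob reading order-1 ->", get_order("order-1", "bob"))
    print("Tampered price ignored, total =",
          checkout_total("order-1", "alice", {"laptop": 1}))
    print("Unsafe coupon redemptions:",
          simultaneous_redemptions(redeem_coupon_unsafe, "SAVE10"))
    print("Safe coupon redemptions:  ",
          simultaneous_redemptions(redeem_coupon_safe, "SAVE10"))
```

The unsafe path reports two successful redemptions of a single-use coupon; the locked path reports one. Note that none of the three checks can be found by a signature: the application works exactly as written, which is why this class of flaw needs a human reading the business rules.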

Scanning Strategy for Logical Flaws

Automation is limited here. The strategy involves:

  1. Spidering/Crawling: Mapping the entire application structure.
  2. Proxy Interception: Using tools like Burp Suite to pause traffic and modify parameters manually.
  3. State Analysis: Analyzing how the application handles session tokens and state transitions.

5. Analyzing Scanning Results

Once a scan is complete, the penetration tester must interpret the raw data.

A. Validation and Triage

  • False Positives: The scanner reports a vulnerability that does not exist.
    • Cause: The scanner relied on a version banner (e.g., Apache 2.2), but the system administrator backported security patches without changing the version number.
    • Action: Manual verification is required (checking configurations or attempting a benign exploit).
  • False Negatives: The scanner fails to report a vulnerability that does exist.
    • Cause: Firewall blocked the scan, or the scanner lacked credentials.
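Triage is easier to see against concrete scanner output. The following added example (not from the course notes, and not Nmap or Nessus code) parses a constructed fragment of Nmap XML output (the -oX format produced alongside nmap -sV) and gives each finding a verification status: confirmed when an NSE script reported it, "verify manually" when only a version banner matched, and "possible false positive" when the banner carries a distribution tag such as (Debian) that suggests backported patches. A host whose ports all came back filtered is flagged as a possible false negative rather than reported as clean. The version rules and their IDs are placeholders, not real advisories.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap -sV -oX style output (not a real scan). Host 1 runs a web
# server whose banner looks old but carries a distro tag; host 2 answered
# nothing because every port was filtered.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.22" extrainfo="(Debian)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/>
        <script id="constructed-ssh-check" output="VULNERABLE: weak configuration"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="1000"/>
    </ports>
  </host>
</nmaprun>"""

# Constructed version-based rules with placeholder IDs (not real advisories):
# product -> (first fixed version, finding id)
VERSION_RULES = {
    "Apache httpd": ("2.2.30", "PLACEHOLDER-APACHE-RULE"),
    "OpenSSH": ("6.0", "PLACEHOLDER-OPENSSH-RULE"),
}
BACKPORT_TAGS = re.compile(r"Debian|Ubuntu|Red Hat|CentOS|SUSE", re.I)


def version_tuple(v):
    """'2.2.22' -> (2, 2, 22) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def triage(xml_text):
    """Turn raw scanner output into findings that each carry a verification status."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = host.find("ports")
        if ports is None:
            continue
        open_ports = ports.findall("port")
        extra = ports.find("extraports")
        # No open ports and everything filtered: the scan may have been blocked,
        # so an empty result is a false-negative risk, not a clean bill of health.
        if not open_ports and extra is not None and extra.get("state") == "filtered":
            findings.append({"host": addr, "port": None, "id": "SCAN-BLOCKED",
                             "status": "possible false negative: all ports filtered; "
                                       "rescan from inside or with credentials"})
            continue
        for port in open_ports:
            svc = port.find("service")
            if svc is None:
                continue
            product, version = svc.get("product", ""), svc.get("version", "")
            rule = VERSION_RULES.get(product)
            if rule is None or not version:
                continue
            fixed_in, rule_id = rule
            if version_tuple(version) >= version_tuple(fixed_in):
                continue
            confirmed = any("VULNERABLE" in s.get("output", "")
                            for s in port.findall("script"))
            if confirmed:
                status = "confirmed by active check"
            elif BACKPORT_TAGS.search(svc.get("extrainfo", "")):
                status = "possible false positive: distro backport; verify manually"
            else:
                status = "version-based only; verify manually"
            findings.append({"host": addr, "port": int(port.get("portid")),
                             "id": rule_id, "status": status})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_XML):
        print(f)
```

The design point is that a banner match is evidence, not a verdict: the status field forces the analyst to record how each finding was validated before it reaches the report, and the blocked host appears in the output so that the gap in coverage is visible.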

B. Scoring and Prioritization (CVSS)

The Common Vulnerability Scoring System (CVSS) provides a numerical score (0.0 to 10.0) to reflect severity.

  1. Base Score: Intrinsic qualities of the vulnerability (constant over time).
    • Attack Vector (AV): Network vs. Local.
    • Attack Complexity (AC): High vs. Low.
    • Privileges Required (PR): None vs. Admin.
  2. Temporal Score: Changes over time.
    • Is exploit code available? Is a patch available?
  3. Environmental Score: Unique to the user's environment.
    • Is the server critical (Asset Value)? Is it exposed to the internet?

C. Reporting

Reports should be categorized into:

  • Executive Summary: High-level risk overview for management (Money/Brand impact).
  • Technical Report: Detailed findings, proof of concept (PoC), CVSS scores, and remediation steps for engineers.

6. Evading Detection and Covering Tracks

In a Red Team engagement or stealth penetration test, the goal is to scan without alerting the Blue Team (Defenders/IDS).

A. Evading Detection (Scanning Stealth)

  1. Timing and Speed:
    • Throttling: Slow down the scan speed to blend in with normal traffic.
    • Nmap Timing: nmap -T0 (Paranoid) or nmap -T1 (Sneaky).
  2. Fragmentation:
    • Splitting packets into smaller chunks to bypass signature-based detection systems that fail to reassemble packets before inspection.
    • Command: nmap -f <target>
  3. Decoys:
    • Sending packets from the real IP mixed with packets from spoofed IPs to confuse the firewall/IDS regarding the source of the attack.
    • Command: nmap -D RND:10 <target> (Uses 10 random decoys).
  4. Source Routing / Proxying:
    • Routing traffic through compromised hosts or Tor chains (proxychains) to hide the attacker's true IP.
  5. User-Agent Spoofing:
    • Web scanners identify themselves by default (e.g., "User-Agent: Nikto"). Changing this to a standard browser string (e.g., "Mozilla/5.0") can bypass basic WAF rules.

B. Covering Tracks (Post-Scan/Exploit)

If the tester gains access, they must remove evidence of their presence to maintain persistence or finalize the test cleanly.

  1. Log Manipulation:
    • Linux:
      • Clearing bash history: history -c or editing ~/.bash_history.
      • Modifying system logs: Cleaning entries in /var/log/auth.log or /var/log/syslog.
    • Windows:
      • wevtutil: A tool to clear specific event logs (Application, Security, System).
      • Command: wevtutil cl Security
  2. Timestomping:
    • Modifying the creation, access, and modification timestamps of malicious files to match legitimate system files, making them harder to find during forensic analysis.
  3. File Deletion:
    • Securely deleting tools uploaded during the test (using shred in Linux or sdelete in Windows) rather than standard delete commands, which leave magnetic remnants.
  4. Steganography:
    • Hiding communication or data exfiltration inside innocent-looking files (like images or audio) to evade Data Loss Prevention (DLP) systems.
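From the defender's side, most of the techniques above leave their own traces. The following added example (not from the course notes) shows two detections in Python: a rule over constructed Windows event records that fires on the events Windows writes when a log is cleared (Security event 1102 and System event 104, which follow a wevtutil cl), and two timestomping heuristics applied to files created in a temporary directory (a modification time far older than the inode change time, and a zeroed sub-second timestamp). The event records, file names and thresholds are constructed; the heuristics assume POSIX stat semantics and are indicators to review, not proof.

```python
import os
import tempfile
import time

# Constructed Windows event records in the flattened form a SIEM would index
# (not real logs from the course notes).
WINDOWS_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "SubjectUserName": "svc-backup"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "jdoe"},
    {"Channel": "System",   "EventID": 104,  "SubjectUserName": "jdoe"},
    {"Channel": "Security", "EventID": 4634, "SubjectUserName": "jdoe"},
]

# Clearing a log is itself logged: Security 1102 "The audit log was cleared"
# and System 104 "The <channel> log file was cleared" are written by Windows
# when a channel is cleared, including via wevtutil cl.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}


def detect_log_clearing(events):
    """Return one alert per record that shows an event log being cleared."""
    return [{"user": ev.get("SubjectUserName"), "event_id": ev["EventID"],
             "reason": "event log cleared"}
            for ev in events
            if (ev.get("Channel"), ev.get("EventID")) in LOG_CLEARED_EVENTS]


def timestamp_anomalies(path, max_gap_seconds=30 * 86400):
    """Timestomping heuristics for one file. Archive extraction and package
    installs also preserve old mtimes, so treat hits as leads, not verdicts."""
    st = os.stat(path)
    reasons = []
    # utime()/touch can set atime and mtime but not ctime, which the kernel
    # bumps to 'now' on that very change. An inode changed recently whose
    # content claims to be much older deserves a look.
    if st.st_ctime - st.st_mtime > max_gap_seconds:
        reasons.append("mtime far older than ctime")
    # Tools that write whole-second timestamps leave a zeroed sub-second part,
    # while the filesystem's own ctime keeps its nanosecond precision.
    if st.st_mtime_ns % 1_000_000_000 == 0 and st.st_ctime_ns % 1_000_000_000 != 0:
        reasons.append("mtime has zeroed sub-second precision")
    return reasons


def make_sample_files():
    """Create two constructed files in a temp dir: one untouched and one whose
    mtime is set back five years, as a timestomp would. Returns both paths."""
    d = tempfile.mkdtemp()
    normal = os.path.join(d, "normal.txt")
    stomped = os.path.join(d, "stomped.txt")
    for p in (normal, stomped):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    five_years_ago = int(time.time()) - 5 * 365 * 86400
    os.utime(stomped, (five_years_ago, five_years_ago))
    return normal, stomped


if __name__ == "__main__":
    for alert in detect_log_clearing(WINDOWS_EVENTS):
        print("ALERT", alert)
    normal, stomped = make_sample_files()
    print("normal.txt :", timestamp_anomalies(normal))
    print("stomped.txt:", timestamp_anomalies(stomped))
```

The log-clearing rule works because the clearing action cannot be removed from the record it creates without clearing again, which creates another record; forwarding logs to a separate collector as they are written makes local deletion moot. The timestamp checks rely on the one field an attacker with ordinary file permissions cannot set directly.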