Unit 3 - Subjective Questions
INT245 • Practice Questions with Detailed Answers
Differentiate between Credentialed and Non-Credentialed vulnerability scans. Discuss the advantages of each.
Credentialed Scans (Authenticated):
In this method, the scanner logs into the target system using valid credentials to check for vulnerabilities from the inside.
- Advantages:
- Higher Accuracy: Can detect missing patches, configuration issues, and client-side software vulnerabilities.
- Fewer False Positives: Better context allows the scanner to rule out superficial warnings.
- Resource Efficiency: Uses less network bandwidth compared to probing services externally.
Non-Credentialed Scans (Unauthenticated):
The scanner probes the target from the outside, simulating a black-box attack where the attacker has no prior access.
- Advantages:
- Real-world Perspective: Simulates an external attacker's view.
- Speed: Generally faster to set up as it doesn't require account management.
- Testing Perimeters: Excellent for testing firewalls, load balancers, and external service exposures.
Explain the concept of Logical Vulnerabilities (Business Logic Flaws). Why are they difficult for automated tools to detect?
Logical Vulnerabilities are flaws in the design and implementation of an application that allow an attacker to misuse the application's logic to achieve malicious goals. Unlike technical vulnerabilities (like SQLi or XSS), the code may function syntactically correctly, but the process is flawed.
Examples:
- Price Manipulation: Tampering with a hidden form field that carries the item price so that the purchase goes through at a far lower price than the one listed.
- Workflow Bypass: Skipping the payment step in a checkout process to reach the shipping confirmation.
Difficulty in Detection:
Automated tools rely on pattern matching and known signatures (e.g., sending a quote character to test for SQL errors). Logic flaws are unique to the specific business context of the application. A scanner does not understand that skipping 'Step 3' is illegal in a specific business workflow; only a human tester understanding the business rules can identify this.
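The two example flaws above can be shown side by side in code. The following is an added example, not part of the course notes: a checkout handler that trusts the client's hidden `price` and `step` fields, next to a hardened version that takes the price from a server-side catalog and enforces the step order. The catalog, the workflow steps and the tampered requests are all constructed for illustration.

```python
"""Vulnerable vs. hardened checkout handlers (added example; not from the course notes).

Both handlers process the same constructed request dictionaries. The catalog,
order states and prices are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Server-side catalog: the only place a price should come from (constructed data).
CATALOG = {"sku-1001": 499.00, "sku-2002": 19.99}

# The legitimate checkout workflow; each step may only follow the previous one.
WORKFLOW = ["cart", "payment", "shipping", "confirmed"]


@dataclass
class Order:
    sku: str
    state: str = "cart"
    charged: float = 0.0
    log: list = field(default_factory=list)


def vulnerable_checkout(order: Order, request: dict) -> Order:
    """Trusts client-supplied 'price' and 'step' fields: two logic flaws.

    The code is syntactically fine and never raises, which is exactly why a
    signature-based scanner has nothing to match on.
    """
    if request["step"] == "payment":
        order.charged = float(request["price"])   # price manipulation: the client decides the price
    order.state = request["step"]                   # workflow bypass: any step can be requested directly
    order.log.append(request["step"])
    return order


def hardened_checkout(order: Order, request: dict) -> Order:
    """Enforces a server-side price lookup and a strict step sequence."""
    requested = request["step"]
    if requested not in WORKFLOW:
        raise ValueError(f"unknown step {requested!r}")
    # The only step allowed is the one that follows the order's current state.
    expected = WORKFLOW[WORKFLOW.index(order.state) + 1] if order.state != WORKFLOW[-1] else None
    if requested != expected:
        raise PermissionError(f"step {requested!r} not allowed from state {order.state!r}")
    if requested == "payment":
        # Ignore whatever price the client sent; the catalog is authoritative.
        order.charged = CATALOG[order.sku]
    order.state = requested
    order.log.append(requested)
    return order


def run_tampered_session(handler) -> Order:
    """Drive a handler through a tampered session: a rewritten price, then a jump past shipping."""
    order = Order(sku="sku-1001")
    tampered = [
        {"step": "payment", "price": "1.00"},   # hidden form field rewritten on the client side
        {"step": "confirmed"},                   # skips the shipping step entirely
    ]
    for req in tampered:
        try:
            handler(order, req)
        except (PermissionError, ValueError) as exc:
            order.log.append(f"rejected: {exc}")
    return order


if __name__ == "__main__":
    print(run_tampered_session(vulnerable_checkout))
    print(run_tampered_session(hardened_checkout))
```

Running it shows the vulnerable handler charging 1.00 and reaching `confirmed`, while the hardened one charges the catalog price and refuses the out-of-order step. Neither behaviour produces an error message or a reflected payload, so a scanner has nothing to detect; only a tester who knows the intended workflow can spot the difference.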
Discuss the significance of False Positives and False Negatives when analyzing scanning results. How should a penetration tester handle them?
False Positive:
- Definition: The scanner reports a vulnerability that does not actually exist.
- Impact: Wastes time and resources during remediation.
- Handling: The tester must verify the finding manually (validation) to ensure it is real before including it in the final report.
False Negative:
- Definition: The scanner fails to detect a vulnerability that actually exists.
- Impact: Creates a false sense of security, leaving the system exposed to attacks.
- Handling: Relying solely on one tool causes this. Testers should use multiple tools, perform manual testing, and ensure scanning signatures are up to date.
Conclusion: A high-quality analysis involves filtering out false positives to maintain credibility and hunting for false negatives to ensure security.
Describe the Common Vulnerability Scoring System (CVSS) and its role in analyzing scanning results.
CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. It provides a standardized score from 0.0 to 10.0.
Key Metric Groups:
- Base Metrics: Represents the intrinsic qualities of a vulnerability (e.g., Attack Vector, Attack Complexity, Privileges Required).
- Temporal Metrics: Characteristics that change over time (e.g., Exploit Code Maturity, Remediation Level).
- Environmental Metrics: Characteristics unique to a specific user's environment.
Role in Analysis:
- Prioritization: Helps IT teams decide which vulnerabilities to patch first (e.g., Critical vs. Low).
- Risk Assessment: Provides a quantitative measure of risk.
- Standardization: Allows different tools and organizations to speak a common language regarding severity.
Explain the Nmap 'IDLE Scan' (Zombie Scan) technique used for evasion. How does it work?
The IDLE Scan (using the -sI flag in Nmap) is a stealth technique that allows an attacker to scan a target without sending packets from their own IP address, framing a 'zombie' host instead.
Mechanism:
- Identify Zombie: The attacker finds a machine with a predictable IP ID sequence and low traffic (idle).
- Probe Zombie: The attacker checks the zombie's current IP ID.
- Spoof Packet: The attacker sends a SYN packet to the target, spoofing the IP address of the zombie.
- Target Response:
- If the port is OPEN, the target sends a SYN/ACK to the zombie. The zombie, not expecting this, sends a RST and increments its IP ID.
- If the port is CLOSED, the target sends a RST to the zombie. The zombie ignores it, and the IP ID remains static.
- Check Zombie: The attacker probes the zombie again. If the IP ID has incremented by 2, the target port is open. If it incremented by 1, the port is closed.
Result: The target logs the zombie's IP, not the attacker's.
What are the primary techniques used for Covering Tracks after a penetration test or attack? List at least four methods.
Covering tracks is essential to maintain persistence or avoid legal/administrative consequences during a test (though in ethical hacking, this is simulated or used to test incident response).
Techniques:
- Log Manipulation: Modifying, deleting, or corrupting system logs (e.g., /var/log/auth.log, Event Viewer logs) to remove evidence of entry.
- File Timestamp Modification (Timestomp): Changing the 'Last Access' or 'Create' times of malicious files to match system files, making them blend in.
- Disabling Auditing: Turning off auditing services (like auditd in Linux) temporarily during the attack execution.
- Hiding Files/ADS: Using Alternate Data Streams (ADS) in NTFS to hide tools behind legitimate files, or using hidden directories (dot files) in Unix.
- Tunneling/Steganography: Exfiltrating data or hiding command and control traffic within legitimate protocols (DNS, ICMP) or images.
Compare Nmap and Nessus in terms of their primary function and usage in the scanning phase.
Nmap (Network Mapper):
- Primary Function: Network discovery and security auditing.
- Type: Port scanner.
- Usage: Used primarily to identify live hosts, open ports, operating systems, and service versions. It answers "What is running here?"
- Strengths: Speed, stealth options, scripting engine (NSE).
Nessus:
- Primary Function: Vulnerability assessment.
- Type: Vulnerability Scanner.
- Usage: Used to scan identified services against a massive database of known vulnerabilities (CVEs). It answers "Is what is running here vulnerable?"
- Strengths: Comprehensive reporting, compliance auditing, detailed remediation steps.
Relationship: Nmap is often used first to map the attack surface, followed by Nessus to deep-scan the identified surface.
Describe the Fragmentation scanning technique and explain how it assists in evading detection systems (IDS/Firewalls).
Fragmentation Scanning:
This technique involves splitting the TCP header of a probe packet into several smaller IP fragments.
How it works:
- In Nmap, the -f flag splits packets into 8-byte chunks.
- The TCP header is spread across multiple packets.
Evasion Mechanism:
- Packet Filtering Bypass: Stateless firewalls or simple packet filters often make decisions based on the header information (ports, flags) contained in the first packet. If the critical header information is pushed to the second fragment, the firewall might let the first one through (looks harmless) and subsequent ones through (assuming they are part of an established stream).
- IDS Assembly: An Intrusion Detection System (IDS) must reassemble the fragments to see the signature. If the IDS is overwhelmed or configured poorly, it may fail to reassemble and thus fail to detect the scan signature.
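The two evasion points above can be demonstrated without sending a single packet. The following is an added example, not from the course notes: a 20-byte TCP SYN header is built with `struct` and cut into 8-byte pieces (the size given above for `-f`); a header-only filter that looks at the first piece cannot see the flag byte, while an IDS that reassembles first can. Fragments are modelled as `(offset, more_fragments, payload)` tuples, which is a simplification standing in for the IPv4 fragment-offset and MF fields.

```python
"""Why a fragmented TCP probe defeats a header-only filter but not a reassembling IDS
(added example; not from the course notes).

A 20-byte TCP SYN header is built and split into 8-byte fragments. Fragments are
modelled as (offset, more_fragments, payload) tuples, an assumption that stands
in for the IPv4 fragment fields; nothing is sent on the network.
"""
import struct

TCP_SYN = 0x02


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Minimal TCP header: ports, seq, ack, data offset 5 (20 bytes), flags, window, csum, urg."""
    data_offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0x1000, 0, data_offset_flags, 1024, 0, 0)


def fragment(payload: bytes, size: int = 8):
    """Split a transport payload into (offset, more_fragments, chunk) fragments."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = off + size < len(payload)
        frags.append((off, more, chunk))
    return frags


def tcp_flags(header: bytes):
    """Return the TCP flag byte, or None if byte 13 is not present."""
    if len(header) < 14:
        return None
    return header[13]


def naive_filter_verdict(frags) -> str:
    """A stateless filter that inspects only the first fragment.

    The flags live at byte 13, which an 8-byte first fragment does not contain,
    so the filter cannot tell a SYN from anything else and lets it through."""
    first = next(f for f in frags if f[0] == 0)
    flags = tcp_flags(first[2])
    if flags is None:
        return "pass (flags not visible)"
    return "drop" if flags & TCP_SYN else "pass"


def reassemble(frags) -> bytes:
    """Reassemble fragments in offset order; raise if any piece is missing."""
    ordered = sorted(frags, key=lambda f: f[0])
    buf = bytearray()
    for off, _more, chunk in ordered:
        if off != len(buf):
            raise ValueError(f"gap before offset {off}: reassembly incomplete")
        buf += chunk
    if ordered[-1][1]:
        raise ValueError("last fragment still has more-fragments set")
    return bytes(buf)


def ids_verdict(frags) -> str:
    """An IDS that reassembles before matching sees the SYN flag and can alert."""
    try:
        header = reassemble(frags)
    except ValueError as exc:
        return f"undecided ({exc})"
    return "alert: SYN probe" if tcp_flags(header) & TCP_SYN else "pass"


if __name__ == "__main__":
    frags = fragment(build_tcp_header(40000, 22, TCP_SYN))
    print(len(frags), "fragments")
    print("stateless filter:", naive_filter_verdict(frags))
    print("reassembling IDS:", ids_verdict(frags))
    print("IDS with one fragment lost:", ids_verdict(frags[:-1]))
```

The last line of the demo is the "poorly configured or overwhelmed IDS" case: with one fragment missing the reassembler can only report that it could not decide, which is why production sensors bound the time and memory they spend on partial reassembly and many perimeter filters simply drop fragments too small to carry a full transport header.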
What are Decoys in the context of network scanning? How does the Nmap -D option function?
Decoys are a technique used to obscure the source of a scan by flooding the target with scan packets from multiple spoofed IP addresses alongside the attacker's real IP.
Nmap -D Option:
- Command: nmap -D RND:10 target_ip (uses 10 random decoys) or nmap -D decoy1,decoy2,ME target_ip.
- Function: Nmap sends scan packets appearing to come from the decoy IPs.
- Result: The target's Intrusion Detection System (IDS) or firewall logs show simultaneous scans from multiple IP addresses. The administrator sees a 'crowd' of scanners and cannot easily distinguish the real attacker's IP from the fake ones. This makes attribution and blocking difficult without blocking legitimate traffic.
Analyze the importance of Timing Templates in Nmap for evading detection. List the six timing templates.
Timing controls are crucial for evasion. Rapid scanning triggers IDS alerts and rate-limiting firewalls. Slow scanning blends in with background noise, making detection difficult.
Nmap Timing Templates (-T):
- Paranoid (-T0): Extremely slow. Sends one packet every 5 minutes. Used to bypass strict IDS.
- Sneaky (-T1): Sends packets every 15 seconds.
- Polite (-T2): Slows down to consume less bandwidth and avoid crashing targets.
- Normal (-T3): The default dynamic timing.
- Aggressive (-T4): Faster; assumes a reliable network. Commonly used in CTFs or internal tests.
- Insane (-T5): Very fast; waits only 0.3 seconds for response. Can lose accuracy.
For evasion, -T0 and -T1 are preferred. For efficiency, -T4 is standard.
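The claim that slow scanning "blends in" is really a statement about the detector's window size. The following added example (not from the course notes) runs a rate-based port-scan rule over constructed connection records: one source probes twenty ports in four seconds, another probes the same ports at one every 15 seconds (the interval given above for -T1). The record format, the thresholds and the IP addresses are assumptions.

```python
"""Rate-based port-scan detection and why timing templates matter
(added example; not from the course notes).

Connection records are constructed inline: one source hitting many ports in
seconds and another spreading the same probes out at one every 15 seconds.
Thresholds, addresses and the record format are assumptions.
"""
from collections import defaultdict, deque


def detect_scans(records, window_s: float, port_threshold: int):
    """Flag sources that touch more than `port_threshold` distinct destination
    ports within any `window_s`-second sliding window.

    records: iterable of (timestamp, src_ip, dst_ip, dst_port), sorted by time.
    Returns {src_ip: timestamp_of_first_alert}.
    """
    recent = defaultdict(deque)          # src -> deque of (ts, port) still inside the window
    alerts = {}
    for ts, src, _dst, port in records:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > port_threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def make_records(src: str, start: float, interval: float, ports):
    """Construct one probe per port, spaced `interval` seconds apart."""
    return [(start + i * interval, src, "10.0.0.5", p) for i, p in enumerate(ports)]


PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
         443, 445, 993, 995, 3306, 3389, 5900, 8080, 8443, 9000]

# Constructed traffic: a fast scanner, a slow one, and a benign client on 443.
FAST = make_records("198.51.100.10", 0.0, 0.2, PORTS)      # 20 ports in 4 s
SLOW = make_records("198.51.100.20", 0.0, 15.0, PORTS)     # 20 ports over 5 minutes
BENIGN = [(float(t), "198.51.100.30", "10.0.0.5", 443) for t in range(0, 300, 10)]
TRAFFIC = sorted(FAST + SLOW + BENIGN, key=lambda r: r[0])


def short_window_alerts():
    """A typical '10 ports in 60 s' rule: catches the burst, misses the trickle."""
    return detect_scans(TRAFFIC, window_s=60, port_threshold=10)


def long_window_alerts():
    """A one-hour aggregation catches the trickle too, at the cost of keeping
    more state per source and alerting later."""
    return detect_scans(TRAFFIC, window_s=3600, port_threshold=10)


if __name__ == "__main__":
    print("60 s window:", short_window_alerts())
    print("1 h window:", long_window_alerts())
```

With the 60-second rule only the fast source is flagged; the slow source never holds more than five ports in the window. Widening the window to an hour catches it as well, about 150 seconds in, which is the trade-off the notes describe from the attacker's side: the slower the scan, the longer the defender must retain per-source state to see it.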
Explain the functionality of Burp Suite in the context of scanning web applications. Focus on the 'Intruder' and 'Scanner' components.
Burp Suite is a leading tool for web application security testing.
1. Burp Scanner (Professional Version):
- Function: An automated vulnerability scanner that crawls the application and injects payloads to test for vulnerabilities like XSS, SQL Injection, and command injection.
- Analysis: It analyzes the HTTP responses to determine if an injection was successful based on error messages, time delays, or reflected input.
2. Burp Intruder:
- Function: A semi-automated fuzzing tool.
- Usage: It allows the tester to take a specific HTTP request, define payload positions (e.g., username field, cookie, URL parameter), and iterate through a list of payloads (wordlists).
- Scanning Context: It is used to brute-force login credentials, fuzz for logical vulnerabilities, and enumerate identifiers.
Distinguish between Intrusive and Non-Intrusive scans. Provide examples of when to use each.
Non-Intrusive Scans:
- Definition: These scans identify vulnerabilities without exploiting them or causing service disruption. They rely on version checking and configuration analysis.
- Example: Running Nmap with version detection (-sV) or a basic Nessus scan without 'dangerous plugins' enabled.
- Usage: Best for production environments where stability is critical.
Intrusive Scans:
- Definition: These scans attempt to exploit the vulnerability to verify its existence. They may crash the service or modify data.
- Example: Running Metasploit exploits, Denial of Service checks, or brute-force attacks.
- Usage: Used in staging environments or during specific penetration testing windows where the goal is to prove the impact of a vulnerability.
What is Steganography? How is it utilized in the 'Covering Tracks' phase of a penetration test?
Steganography is the art and science of hiding information (covert text, files, or code) within other non-secret text or data (like images, audio, or video files) so that the existence of the message is concealed.
Usage in Covering Tracks/Exfiltration:
- Hiding Tools: An attacker might hide a malicious script inside a seemingly harmless JPEG image on a web server. The IDS ignores the image, but the attacker extracts the script later.
- Data Exfiltration: Instead of sending sensitive data out in clear text (which DLP systems might catch), the attacker embeds the stolen data into audio files or images and downloads them. To the network monitor, it looks like a user downloading media files.
- Command and Control: Hiding commands in social media images or DNS packets to avoid detection.
Discuss the process of Triaging scanning results. What criteria are used to prioritize remediation?
Triaging is the process of sorting and prioritizing vulnerabilities found during a scan to determine the order of remediation.
Process:
- Validation: Weed out false positives.
- Contextualization: Determine if the vulnerability is actually exploitable in the specific environment (e.g., a vulnerability exists but is blocked by a firewall).
Prioritization Criteria:
- Severity (CVSS Score): High scores (9.0+) usually take precedence.
- Exploitability: Is there a public exploit available? Is it easy to automate?
- Asset Value: A vulnerability on a critical database is more urgent than one on a test server.
- Exposure: Is the system internet-facing or internal only?
- Business Impact: Will exploitation cause financial loss or reputational damage?
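The criteria above can be turned into a repeatable ordering. The following added example (not from the course notes) scores validated findings by CVSS severity scaled by asset value, exposure and public-exploit availability, and pushes anything that failed validation or contextualization to the bottom. The weights, hostnames and sample findings are assumptions chosen for illustration.

```python
"""Ranking validated findings by the triage criteria in the notes
(added example; not from the course notes).

Each finding carries a CVSS base score plus the context a scanner usually lacks:
whether it was validated, whether it is reachable in this environment, asset
value, exposure and public-exploit availability. Weights and samples are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    host: str
    cvss: float
    validated: bool          # manually confirmed, not a false positive
    reachable: bool          # not blocked by a firewall or segmentation here
    asset_value: str         # "critical" | "standard" | "test"
    internet_facing: bool
    public_exploit: bool


ASSET_WEIGHT = {"critical": 1.0, "standard": 0.6, "test": 0.2}


def priority(f: Finding) -> float:
    """Risk-style score: CVSS severity scaled by context. Returns 0 for findings
    that fail validation or contextualization, so they drop to the bottom."""
    if not f.validated or not f.reachable:
        return 0.0
    score = f.cvss * ASSET_WEIGHT[f.asset_value]
    if f.internet_facing:
        score *= 1.5
    if f.public_exploit:
        score *= 1.3
    return round(score, 2)


def triage(findings):
    """Return findings ordered for remediation, highest priority first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample: the highest raw CVSS score is not the top remediation item.
SAMPLE = [
    Finding("F1", "test-web-01", 9.8, True, True, "test", False, True),
    Finding("F2", "db-prod-01", 7.5, True, True, "critical", False, True),
    Finding("F3", "www-prod-01", 6.1, True, True, "critical", True, False),
    Finding("F4", "www-prod-01", 9.1, True, False, "critical", True, True),   # blocked by a firewall
    Finding("F5", "app-prod-02", 8.8, False, True, "critical", True, True),   # false positive
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):6.2f}  {f.id}  {f.host}  CVSS {f.cvss}")
```

In the sample the 9.8 on the test server ranks below a 7.5 on the production database and a 6.1 on an internet-facing web host, while the two findings that failed validation or contextualization score zero. The multipliers are deliberately simple; the point is that severity is one input to triage, not the whole of it.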
Explain the concept of IP Spoofing and Source Routing as evasion techniques.
IP Spoofing:
- Definition: Generating IP packets with a forged source IP address to conceal the identity of the sender.
- Evasion: It allows scanners to hide their location. However, in TCP scanning, the response goes to the spoofed IP, so the attacker cannot see the result (blind scanning), unless they control the spoofed host or use techniques like Idle Scanning.
Source Routing:
- Definition: A technique where the sender specifies the route (list of routers) a packet should take through the network, rather than letting routers decide.
- Evasion: An attacker might specify a path that bypasses specific firewalls or intrusion detection sensors. They might route traffic through a trusted internal router to trick a firewall into accepting the packet as 'internal' traffic.
- Note: Most modern routers block source-routed packets due to security risks.
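The note that routers drop source-routed packets describes a check that is simple to implement. The following added example (not from the course notes) parses the IPv4 options area and reports the Loose (type 131) and Strict (type 137) Source Route options defined in RFC 791, rejecting malformed option lists as well. The packets are constructed inline with `struct`; nothing is read from a live interface, and the addresses are placeholder values.

```python
"""Flagging source-routed IPv4 packets at the perimeter
(added example; not from the course notes).

Parses the IPv4 options field and reports Loose (131) or Strict (137) Source
Route options. Packets are constructed inline; nothing is captured live.
"""
import socket
import struct

LSRR, SSRR = 131, 137          # IPv4 option type values from RFC 791
EOOL, NOP = 0, 1


def ipv4_options(packet: bytes) -> bytes:
    """Return the raw options area of an IPv4 header (empty when IHL == 5)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("header length exceeds packet")
    return packet[20:header_len]


def parse_options(opts: bytes):
    """Walk the option list, yielding (type, data) pairs; stops at EOOL."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOOL:
            return
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route_verdict(packet: bytes) -> str:
    """'drop: <reason>' for source-routed or malformed packets, else 'accept'."""
    try:
        for kind, _data in parse_options(ipv4_options(packet)):
            if kind == LSRR:
                return "drop: loose source route option"
            if kind == SSRR:
                return "drop: strict source route option"
    except ValueError as exc:
        return f"drop: {exc}"
    return "accept"


def make_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build an IPv4 header (checksum left zero) with options padded to 4 bytes (constructed)."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + padded


def source_route_option(kind: int, *hops: str) -> bytes:
    """LSRR/SSRR option: type, length 3 + 4 per hop, pointer starting at 4, then the hops."""
    return bytes([kind, 3 + 4 * len(hops), 4]) + b"".join(socket.inet_aton(h) for h in hops)


# Constructed packets with placeholder addresses.
PLAIN = make_ipv4("203.0.113.7", "10.0.0.5")
LOOSE = make_ipv4("203.0.113.7", "10.0.0.5", source_route_option(LSRR, "192.0.2.1", "10.0.0.1"))
STRICT = make_ipv4("203.0.113.7", "10.0.0.5", source_route_option(SSRR, "10.0.0.1"))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("loose", LOOSE), ("strict", STRICT), ("truncated", LOOSE[:10])):
        print(f"{name:10} {source_route_verdict(pkt)}")
```

The rule is deliberately fail-closed: a packet whose option list cannot be parsed is dropped along with the source-routed ones, since a perimeter device that guesses about malformed headers is exactly what the evasion techniques above exploit.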
Describe OpenVAS (Open Vulnerability Assessment System) and its architecture.
OpenVAS is a full-featured, open-source vulnerability scanner and manager.
Architecture Components:
- OpenVAS Scanner: The core engine that executes the Network Vulnerability Tests (NVTs) against the target systems.
- Greenbone Security Assistant (GSA): The web-based graphical interface for managing scans and viewing reports.
- OpenVAS Manager: The central service that manages the scanner, schedules tasks, and stores results in a database (SQL).
- NVT Feed: The database of Network Vulnerability Tests (signatures) that is updated regularly to detect new threats.
Usage: It is widely used as a cost-effective alternative to Nessus for continuous vulnerability management.
What is the difference between Active and Passive scanning? Provide an example of a tool for each.
Active Scanning:
- Description: The scanner sends packets to the target system and analyzes the responses. It interacts directly with the target.
- Pros/Cons: Highly detailed and accurate, but noisy and easily detected.
- Tool: Nmap (sends probes), Nessus (sends exploits/checks).
Passive Scanning:
- Description: The scanner listens to network traffic (sniffing) without sending any packets. It infers vulnerabilities and OS versions based on the traffic it sees.
- Pros/Cons: Completely stealthy and undetectable by the target, but provides limited information (cannot find open ports that aren't transmitting).
- Tool: Wireshark (packet analysis), P0f (passive OS fingerprinting).
How can a penetration tester use Proxy Chains and Anonymizers to evade detection during scanning?
Proxy Chains:
- Concept: Chaining multiple proxy servers together. Traffic goes from Attacker -> Proxy A -> Proxy B -> Proxy C -> Target.
- Evasion: The target sees the connection coming from Proxy C. If Proxy C is investigated, it points to Proxy B. This makes tracing the attack back to the source extremely difficult and time-consuming. Tools like proxychains in Kali Linux automate this.
Anonymizers (e.g., Tor):
- Concept: Using networks like The Onion Router (Tor) to bounce traffic through a distributed network of volunteer relays.
- Evasion: The traffic is encrypted and layered. The exit node (the last hop) is the only IP visible to the target. This provides a high level of anonymity, though it can be slow for intensive scanning.
Explain the role of Metasploit in the context of vulnerability scanning. How does it differ from a dedicated scanner like Nessus?
While Metasploit is primarily an exploitation framework, it plays a vital role in the scanning phase.
Role in Scanning:
- Auxiliary Modules: Metasploit contains hundreds of 'auxiliary' modules designed for scanning, sniffing, and enumeration (e.g., auxiliary/scanner/smb/smb_version).
- Verification: Metasploit is often used to verify the results of a Nessus scan. If Nessus reports a vulnerability, the tester uses a Metasploit module to see if it is actually exploitable.
Difference from Nessus:
- Nessus: Broad coverage. Scans for thousands of vulnerabilities at once to generate a report. Focus is on discovery.
- Metasploit: Targeted depth. Scans for specific vulnerabilities to launch an attack. Focus is on exploitation.
In the context of 'Covering Tracks', what are Log Cleaning scripts? Why is simply deleting the log file (rm logfile) considered poor practice?
Log Cleaning Scripts:
These are automated scripts designed to selectively remove entries related to the attacker's activities (IP address, user account used) from system logs while leaving legitimate user traffic intact.
Why deleting the whole file is poor practice:
- Suspicion: An empty log file or a log file that suddenly disappears is a massive red flag to system administrators. It immediately indicates a breach.
- Service Errors: Deleting a file that a service is currently writing to can cause the service (like syslog) to crash or hang, alerting admins.
- Forensics: Simply unlinking (deleting) a file doesn't overwrite the data on the disk immediately. Forensic tools can often recover deleted files. Proper covering of tracks involves 'shredding' (overwriting) the data or selectively editing lines.
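Selective line removal is harder to notice than an empty file, but it is not invisible. The following added example (not from the course notes) shows one check a forensic reviewer can run: Linux audit records carry `msg=audit(<epoch>.<ms>:<serial>)`, where the serial increments per event and all records of one event share it, so deleting only the lines tied to one session leaves a hole in the sequence. The log excerpt is constructed, not a real capture.

```python
"""Spotting selective log editing from audit serial numbers
(added example; not from the course notes).

Linux audit records carry msg=audit(<epoch>.<ms>:<serial>); the serial
increments with each event and the records of one event share it. Removing only
the lines for one session leaves a hole in that sequence. The log excerpt below
is constructed, not a real capture.
"""
import re

AUDIT_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")

# Constructed audit.log excerpt: serials 1203 and 1204 have been removed.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.101:1201): pid=900 uid=0 auid=1000 ses=7 msg='op=login acct="alice" res=success'
type=SYSCALL msg=audit(1700000001.250:1202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 ses=7
type=EXECVE msg=audit(1700000001.250:1202): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000040.900:1205): arch=c000003e syscall=59 success=yes exit=0 auid=1000 ses=7
type=EXECVE msg=audit(1700000040.900:1205): argc=1 a0="whoami"
type=USER_LOGOUT msg=audit(1700000050.000:1206): pid=900 uid=0 auid=1000 ses=7 msg='op=logout acct="alice" res=success'
"""


def parse_serials(text: str):
    """Yield (line_no, timestamp, serial) for every audit record in the text."""
    for n, line in enumerate(text.splitlines(), start=1):
        m = AUDIT_RE.search(line)
        if m:
            yield n, float(m.group("ts")), int(m.group("serial"))


def find_gaps(text: str):
    """Return [(after_line, missing_from, missing_to)] for each hole in the serial sequence.
    Records sharing a serial (one event, several record types) are not gaps."""
    gaps = []
    prev_serial = prev_line = None
    for n, _ts, serial in parse_serials(text):
        if prev_serial is not None and serial > prev_serial + 1:
            gaps.append((prev_line, prev_serial + 1, serial - 1))
        if prev_serial is None or serial != prev_serial:
            prev_serial, prev_line = serial, n
    return gaps


def find_time_regressions(text: str):
    """Line numbers where the timestamp goes backwards: a sign of spliced or
    reordered lines rather than removed ones."""
    out, last_ts = [], None
    for n, ts, _serial in parse_serials(text):
        if last_ts is not None and ts < last_ts:
            out.append(n)
        last_ts = ts
    return out


if __name__ == "__main__":
    for after_line, lo, hi in find_gaps(SAMPLE_LOG):
        print(f"serials {lo}..{hi} missing after line {after_line}")
    print("time regressions at lines:", find_time_regressions(SAMPLE_LOG))
```

A gap is a lead, not proof: the audit daemon drops events under backlog pressure (and says so in its own records), and a log-rotation boundary also breaks the sequence. The durable answer is the one the notes point at from the other side: ship logs to a remote collector as they are written, so that editing the local file changes nothing the reviewer relies on.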