Vulnerability assessments are necessary for discovering potential vulnerabilities throughout the environment. There are many tools available that automate this process so that even an inexperienced security professional or administrator can effectively determine the security posture of their environment. Full exploitation of systems and services is not generally in scope for a normal vulnerability assessment engagement.
Systems are typically enumerated and evaluated for vulnerabilities, and testing can
often be done with or without authentication. Most vulnerability management and
scanning solutions provide actionable reports that detail mitigation strategies such as
applying missing patches, or correcting insecure system configurations.
Vulnerability identification allows you to do your homework. You will learn about what
vulnerabilities your target is susceptible to so you can make a more polished set of attacks.
Various operating systems tend to respond differently when sent particular
network probes because of the different networking implementations in use.
These unique responses serve as a fingerprint that the vulnerability scanner
uses to determine the operating system version and even its patch level. A
vulnerability scanner can also use a given set of user credentials to log into
the remote system and enumerate the software and services to determine
whether they are patched. With the results it obtains, the scanner presents a
report outlining any vulnerabilities detected on the system. That report can
be useful for both network administrators and penetration testers.
A vulnerability scanner can save you from having to probe systems manually to
determine their patch levels and vulnerabilities. Whether you use an automated
scanner or do it manually, scanning is one of the most important steps in the
penetration testing process; if done thoroughly, it will provide the best value
to your client.
Server-side attacks involve finding and exploiting vulnerabilities in services, ports,
and applications running on a server. For example, a web server has several attack
vectors: it is a server running an operating system and various pieces of software
to provide web functionality, and it has many open TCP ports. Each of these vectors
could harbor a vulnerability that an attacker could exploit to get into the system
and obtain valuable information. Many protocols on servers are handled through
readable, non-encrypted text.
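The credentialed check described earlier (log in, enumerate installed software, decide whether it is patched) together with the cleartext-protocol point in the paragraph above, as an added example that is not from the original text or from any scanner product. The installed versions, the patch baseline and the open-port list are constructed sample data, and the version comparison is a simplified stand-in for a real package manager's comparison rules (a labelled assumption in the code).

```python
"""Added example: a toy credentialed patch-level check plus a cleartext-service check,
producing the kind of actionable findings a vulnerability scanner reports.
All data below is constructed sample data, not real advisory or host information."""
import re
from dataclasses import dataclass

# Constructed patch baseline: package -> lowest version that carries the fixes we care about.
PATCH_BASELINE = {
    "openssh-server": "9.3p2",
    "apache2": "2.4.58",
    "vsftpd": "3.0.5",
}

# Constructed inventory, as a credentialed scan would collect it from the package manager.
INSTALLED = {
    "openssh-server": "9.3p1",
    "apache2": "2.4.58",
    "vsftpd": "3.0.3",
    "curl": "8.5.0",
}

# Constructed port-scan result: TCP port -> identified service.
OPEN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# Protocols that carry credentials and data as readable, non-encrypted text.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}


@dataclass
class Finding:
    title: str
    severity: str
    remediation: str


def version_key(version):
    """Turn '9.3p1' into ((0, 9), (0, 3), (1, 'p'), (0, 1)) so versions compare as tuples.
    Numbers are tagged 0 and letters 1 so an int is never compared with a str.
    Assumed simplification: pre-release suffixes such as 'rc1' sort after the bare
    version here, which a real package manager handles differently."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_outdated(installed, fixed):
    """True when the installed version is strictly below the fixed version."""
    return version_key(installed) < version_key(fixed)


def check_patch_level(installed, baseline):
    """Credentialed-style check: baseline packages that are installed but below the fixed version."""
    findings = []
    for pkg, fixed in baseline.items():
        have = installed.get(pkg)
        if have is None:
            continue  # not installed, so nothing to patch
        if is_outdated(have, fixed):
            findings.append(Finding(
                f"{pkg} {have} is below the fixed version {fixed}",
                "high",
                f"Upgrade {pkg} to {fixed} or later",
            ))
    return findings


def check_cleartext_services(open_ports):
    """Unauthenticated-style check: open ports whose protocol is readable on the wire."""
    findings = []
    for port, service in sorted(open_ports.items()):
        if service in CLEARTEXT_SERVICES:
            findings.append(Finding(
                f"Cleartext protocol {service} exposed on TCP/{port}",
                "medium",
                f"Disable {service} on TCP/{port} or move it behind TLS",
            ))
    return findings


def build_report(installed, baseline, open_ports):
    """Combine both checks into one list of findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = check_patch_level(installed, baseline) + check_cleartext_services(open_ports)
    return sorted(findings, key=lambda f: order[f.severity])


def format_report(findings):
    """Render findings as the mitigation-oriented text a scanner report would contain."""
    if not findings:
        return "No findings."
    return "\n".join(f"[{f.severity.upper():6}] {f.title}\n    fix: {f.remediation}" for f in findings)


if __name__ == "__main__":
    print(format_report(build_report(INSTALLED, PATCH_BASELINE, OPEN_PORTS)))
```

Running it prints two high findings (openssh-server and vsftpd below their fixed versions) and three medium findings (ftp, telnet and http open), each with a remediation line; apache2 is at the fixed version and curl is not in the baseline, so neither is reported.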
Let's take a look at some tools.
Nessus depends on vulnerability checks delivered as feeds in order to locate vulnerabilities on our chosen target. Nessus offers two feeds: Home and Professional.
Home Feed: The Home Feed is for noncommercial/personal usage. Using Nessus in
a professional environment for any reason requires the use of the Professional Feed.
Professional Feed: The Professional Feed is for commercial usage. It includes
support and additional features such as unlimited concurrent connections and so on.
If you are a consultant and are performing tests for a client, the Professional Feed is
the one for you.
OpenVAS, the Open Vulnerability Assessment System, is an excellent framework that can
be used to assess the vulnerabilities of our target. It is a fork of the Nessus project. Unlike
Nessus, OpenVAS offers its feeds completely free of charge.
Webshag is a multi-threaded, multi-platform tool used to audit web servers. It
bundles commonly useful functions for that purpose, such as port scanning, URL
scanning and file fuzzing. It can scan a web server over HTTP or HTTPS, through a
proxy, and using HTTP authentication (basic or digest). In addition, Webshag has
IDS evasion capabilities aimed at making correlation between its requests more
complicated. Webshag provides further capabilities such as retrieving the list of
domain names hosted on a target machine and fuzzing with dynamically generated
filenames. It can also fingerprint web pages in a way that is resistant to content
changes; this feature is designed as a false-positive removal algorithm for dealing
with "soft 404" server responses.
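The "soft 404" problem that Webshag's page fingerprinting addresses, as an added example that is not Webshag's own algorithm (the page does not describe it): a baseline is learned from the response to a random path that should not exist, volatile content (numbers, timestamps, hex request ids) is stripped, and candidate responses are compared to the baseline by word-shingle similarity. The HTML responses are constructed sample data and the 0.6 threshold is an assumption.

```python
"""Added example: recognising 'soft 404' responses (HTTP 200 for a path that does not
exist) by fingerprinting pages in a way that tolerates per-request content changes.
The HTML responses are constructed sample data; the 0.6 threshold is an assumption."""
import re
import secrets

TAG_RE = re.compile(r"<[^>]+>")
# Volatile content that changes between requests: hex request ids, digits (dates, times, counters).
VOLATILE_RE = re.compile(r"\b[0-9a-f]{8,}\b|\d+", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]{2,}")


def normalise(html):
    """Visible text -> list of lower-case words with volatile tokens removed."""
    text = TAG_RE.sub(" ", html)
    text = VOLATILE_RE.sub(" ", text)
    return WORD_RE.findall(text.lower())


def fingerprint(html, n=3):
    """Set of n-word shingles; a few inserted or changed words only disturb nearby shingles."""
    words = normalise(html)
    if len(words) < n:
        return frozenset([tuple(words)])
    return frozenset(tuple(words[i:i + n]) for i in range(len(words) - n + 1))


def similarity(a, b):
    """Jaccard similarity between two shingle sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def random_probe_path():
    """A path that should not exist, used to learn what this server's 'not found' page looks like."""
    return "/" + secrets.token_hex(8)


class Soft404Filter:
    def __init__(self, baseline_html, threshold=0.6):
        self.baseline = fingerprint(baseline_html)
        self.threshold = threshold  # assumed cut-off; tune per target

    def is_soft_404(self, status, html):
        """A real 404 is a 404; a 200 that looks like the baseline page is a soft 404."""
        if status == 404:
            return True
        return similarity(self.baseline, fingerprint(html)) >= self.threshold

    def keep_hits(self, results):
        """Drop soft-404 hits from (path, status, html) scan results; return the surviving paths."""
        return [path for path, status, html in results if not self.is_soft_404(status, html)]


# Constructed: response for the random probe path, with a request id and timestamp that vary.
BASELINE_HTML = """<html><head><title>Not Found</title></head><body>
<h1>Oops! Page not found</h1>
<p>The page you requested could not be found on this server.</p>
<p>Request id 4f3a9c2e1b7d, served 2024-05-01 12:04:55</p>
</body></html>"""

# Constructed: the same error page returned with status 200 for /admin, echoing the path.
SOFT_404_HTML = """<html><head><title>Not Found</title></head><body>
<h1>Oops! Page /admin not found</h1>
<p>The page you requested could not be found on this server.</p>
<p>Request id 91bb07de44c0, served 2024-05-01 12:05:02</p>
</body></html>"""

# Constructed: a genuinely different page.
LOGIN_HTML = """<html><head><title>Sign in</title></head><body>
<form action="/login" method="post"><label>Username</label><input name="user">
<label>Password</label><input type="password" name="pass"><button>Sign in</button></form>
<p>Forgot your password?</p></body></html>"""

# Constructed scan results: (path, HTTP status, body).
SCAN_RESULTS = [
    ("/admin", 200, SOFT_404_HTML),
    ("/login", 200, LOGIN_HTML),
    ("/backup", 404, "<html>gone</html>"),
]

if __name__ == "__main__":
    soft404 = Soft404Filter(BASELINE_HTML)
    print("probe path:", random_probe_path())
    print("real hits:", soft404.keep_hits(SCAN_RESULTS))
```

With the constructed data the /admin page shares 16 of 21 three-word shingles with the baseline (similarity about 0.76) despite a different request id, timestamp and the echoed path, so it is discarded, while the login page shares none and survives. Shingling rather than hashing the whole body is what makes the fingerprint tolerant of small content changes.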
Vega is a security testing tool used to crawl a website and analyze page content to
find links as well as form parameters. Vega offers details about vulnerabilities found in the central display window as well as a summary page. These details can be copied into a final deliverable.
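What a crawler such as Vega does with a fetched page, as an added example written here for illustration (not Vega's code): it resolves links, keeps those inside the scanned origin, and records form parameters and URL query parameters as the inputs a scanner would later analyze. The base URL example.test and the sample page are constructed.

```python
"""Added example: the page-content analysis step of a crawler such as Vega, written here
for illustration (not Vega's code). It resolves links, keeps those inside the scanned origin,
and records form parameters and URL query parameters as the inputs a scanner would analyze.
The base URL example.test and the sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlparse, urlunparse


class PageAnalyzer(HTMLParser):
    """Collects same-origin links and forms from one HTML document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.origin = urlparse(base_url).netloc
        self.links = []
        self.forms = []
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._add_link(a["href"])
        elif tag == "form":
            self._form = {
                "method": a.get("method", "get").upper(),
                "action": urljoin(self.base_url, a.get("action", "")),
                "params": [],
            }
        elif tag in ("input", "select", "textarea") and self._form is not None and a.get("name"):
            kind = a.get("type", "text") if tag == "input" else tag
            self._form["params"].append({"name": a["name"], "type": kind})

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def _add_link(self, href):
        url = urlparse(urljoin(self.base_url, href))
        # Crawl scope: http(s) links on the same host only; mailto:, javascript: and other hosts are skipped.
        if url.scheme not in ("http", "https") or url.netloc != self.origin:
            return
        self.links.append(urlunparse(url._replace(fragment="")))


def analyze(base_url, html):
    """Parse one page and return its in-scope links (deduplicated) and forms."""
    p = PageAnalyzer(base_url)
    p.feed(html)
    p.close()
    return {"links": sorted(set(p.links)), "forms": p.forms}


def input_points(result):
    """Every (method, url-without-query, parameter) a scanner would later exercise."""
    points = []
    for form in result["forms"]:
        for param in form["params"]:
            points.append((form["method"], form["action"], param["name"]))
    for link in result["links"]:
        url = urlparse(link)
        for name, _value in parse_qsl(url.query, keep_blank_values=True):
            points.append(("GET", urlunparse(url._replace(query="")), name))
    return points


BASE_URL = "https://example.test/"
SAMPLE_HTML = """<html><body>
<a href="/about">About</a>
<a href="https://example.test/products?id=7">Products</a>
<a href="https://other.example/x">External</a>
<a href="mailto:admin@example.test">Mail</a>
<a href="#top">Top</a>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
  <input type="hidden" name="csrf" value="t0k3n"><button>Go</button>
</form>
<form action="/search">
  <input name="q"><select name="cat"><option>1</option></select>
</form>
</body></html>"""

if __name__ == "__main__":
    result = analyze(BASE_URL, SAMPLE_HTML)
    for link in result["links"]:
        print("link:", link)
    for method, url, name in input_points(result):
        print(f"{method} {url} param={name}")
```

Hidden fields such as the constructed csrf token are recorded deliberately: the server still reads them, so they are parameters to analyze like any other. The external and mailto: links are dropped so the crawl stays within the target the engagement covers.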