1.4 Vulnerability Assessment

⚡ Prerequisites

  • Basic networking and cybersecurity concepts

📕 Learning Objectives

  • Describe and recognize vulnerabilities, exposure reports and National Vulnerability Database submissions

  • Describe vulnerability management and perform research

  • Perform network auditing

🔬 Training list - PentesterAcademy/INE Labs (subscription required)

Vulnerabilities

A vulnerability refers to a weakness, flaw, or gap in the system's security defenses that can potentially be exploited by malicious actors to compromise the confidentiality, integrity, or availability of the system's data or functionality. In other words, a vulnerability is a point of weakness that, if exploited, could lead to unauthorized access, data breaches, system malfunctions, or other undesirable outcomes.

Vulnerabilities can exist at various levels within an information system, including:

  • Software Vulnerabilities: These are weaknesses in software applications, operating systems, and other software components that can be exploited to gain unauthorized access or control over a system. Examples include buffer overflows, SQL injection, and cross-site scripting.

  • Hardware Vulnerabilities: Weaknesses in hardware components, such as microprocessors or network devices, that can be exploited to compromise system security. These vulnerabilities can sometimes be exploited through methods like side-channel attacks or physical tampering.

  • Configuration Vulnerabilities: Poorly configured systems can have security settings that are too permissive or leave unnecessary services running, increasing the attack surface and making it easier for attackers to gain access.

  • Human-Related Vulnerabilities: Human actions or behaviors, such as weak passwords, lack of security awareness, or social engineering, can create vulnerabilities that attackers exploit.

  • Network Vulnerabilities: Weaknesses in network protocols, firewalls, and other networking components that can be exploited to intercept or manipulate data as it traverses the network.

  • Physical Vulnerabilities: Weaknesses related to physical access to a system, such as unsecured server rooms or lack of proper access controls, which could allow unauthorized individuals to physically tamper with equipment.

Vulnerabilities are discovered through various means, including security research, penetration testing, and even accidental findings. Once identified, responsible organizations often work to develop and release patches or updates that fix these vulnerabilities, improving the system's security posture. Regular software updates, security audits, and best practices in system administration are crucial to minimizing the potential impact of vulnerabilities on information systems.

  • NVD (National Vulnerability Database) - a United States government repository of standards-based vulnerability management data, represented using SCAP (Security Content Automation Protocol) and maintained by NIST.

  • All vulnerabilities in the NVD have been assigned a CVE identifier.

🗒️ The CVE (Common Vulnerabilities and Exposures) program is a public glossary of vulnerabilities identified in specific code bases, software applications or open libraries, maintained by the MITRE Corporation. A unique CVE ID is assigned by MITRE or by CNAs (CVE Numbering Authorities), so that stakeholders, vendors and researchers can refer to the same vulnerability or exploit by one identifier.

The CVSS (Common Vulnerability Scoring System) is the method used to supply a qualitative measure of severity, consisting of three metric groups: Base, Temporal and Environmental.

Scope, impact and usefulness will come down to business needs, along with the risk management and cybersecurity recommendations.

Risk Management includes vulnerability management. By doing a VA (Vulnerability Assessment), the pentester is going to define, identify, classify and prioritize security deficiencies in computer systems, applications, and network infrastructures. Some procedures to find vulnerabilities are:

  • Scanning

  • Asset Identification and Research

  • Fuzz Testing (input handling/validation)

🗒️ Nessus is a network vulnerability scanning tool. It can be hosted locally and used for Vulnerability Assessment.

Case Studies

Heartbleed

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

nmap -sV --script ssl-enum-ciphers -p <SECURED_PORT> <TARGET>
# Enumerate the TLS versions and cipher suites offered on the secured port

  • Detect servers vulnerable to the OpenSSL Heartbleed bug with the nmap ssl-heartbleed script, or with the Metasploit enumeration module.

nmap -sV --script ssl-heartbleed -p 443 <TARGET>
# Other ports can be used too

  • exploit-db.com is useful too

    • always check the exploit behavior before using it

    • search for heartbleed

EternalBlue

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

Widely used in the WannaCry ransomware attack.

The EternalBlue exploit developed by the NSA was leaked to the public in 2017 by the Shadow Brokers hacker group.

nmap --script smb-vuln-ms17-010 -p 445 <TARGET>
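As an added example (not from the original notes or from nmap itself), the script below turns the XML that nmap writes with -oX for the ssl-heartbleed and smb-vuln-ms17-010 checks above into a list of hosts that actually need patching. It assumes the NSE vulns-library layout of one <table> per finding containing an <elem key="state">; the embedded XML is constructed sample input, and the CVE id used as the table key is one named in this section, not necessarily the id the real script reports.

```python
"""Triage nmap XML from NSE vulnerability scripts (added example, not from the original notes).
nmap -oX scan.xml --script smb-vuln-ms17-010 -p 445 <TARGET> writes one <script> element per
probe; the assumed NSE vulns-library layout is one <table> per finding with an <elem key="state">.
Only VULNERABLE findings are kept, so a large assessment scan becomes a concrete patch list."""
import xml.etree.ElementTree as ET

# Constructed sample (not real scanner output); the CVE id is one named in this section.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/>
  <script id="smb-vuln-ms17-010" output="VULNERABLE">
   <table key="CVE-2017-0144">
    <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
    <elem key="state">VULNERABLE</elem><elem key="risk_factor">HIGH</elem>
   </table></script></port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/>
  <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
   <table key="CVE-2017-0144"><elem key="state">NOT VULNERABLE</elem></table>
  </script></port></ports></host>
</nmaprun>"""

def vulnerable_findings(xml_text: str) -> list:
    """Return (address, port, script id, finding key, title) for every table in state VULNERABLE."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                for table in script.findall("table"):
                    state = table.findtext("elem[@key='state']", default="")
                    # Scripts also emit NOT VULNERABLE / LIKELY VULNERABLE; only the definite hit is kept.
                    if state.strip().upper() == "VULNERABLE":
                        title = table.findtext("elem[@key='title']", default="")
                        findings.append((addr, port.get("portid"), script.get("id"),
                                         table.get("key"), title))
    return findings

if __name__ == "__main__":
    for finding in vulnerable_findings(SAMPLE_XML):
        print(" | ".join(finding))
```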

🔬 Check the Lab 2 - Eternal Blue here

BlueKeep

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka Remote Desktop Services Remote Code Execution Vulnerability.

The vulnerability was made public by Microsoft in May 2019 and affected Windows XP, Windows Vista, Windows 7, Windows Server 2008 & R2.

It allows access to a chunk of kernel memory, allowing the attacker to remotely execute arbitrary code at the system level without authentication.

  • BlueKeep PoCs (proofs of concept) and exploits found online could be malicious in nature.

Log4J

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

  • nmap-log4shell - an NSE script for Apache Log4j RCE vulnerability discovery

nmap --script log4shell.nse --script-args log4shell.callback-server=<CALLBACK_SERVER_IP>:1389 -p 8080 <TARGET_HOST>

Search for exploits on exploit-db.com or with a command-line tool such as searchsploit.

searchsploit - a command-line search tool for Exploit-DB. A local copy of the Exploit Database can be used offline.
