Vulnerability Assessment: How to quickly assess networks

February 27, 2019 | Views: 3454


Network security assessment

Today we are going to talk about how to quickly run security scanning and assessment of large networks, which tools we need for it, and in which cases it may be required.

In which cases do we need to scan big networks

Some compliance regimes, such as PCI DSS or HIPAA, may require security scans of large networks and subnets, including testing of isolated environments and of network segmentation as a whole. This process can take a lot of time, but how much depends on your experience and your tool set.

The main goal of such activities is to identify live hosts, find open ports and available services, and check them for outdated versions, vulnerabilities, or services that communicate over unencrypted protocols. This matters because these compliance regimes treat such findings as critical and user data can be at risk; our main aim here is to reduce those risks.

Testing approach

Scans and tests of this kind are usually done under the so-called white box model: you have access to the internal network, or, in the case of an external assessment, the targets were specified by the customer, so there is no need for additional research or target discovery.

Tools

As this is mostly a network scanning project, we are going to use tools for network security analysis:

  • arp-scan
  • masscan
  • nmap
  • OpenVAS (optional)
  • Hydra
  • Dirb
  • Nikto

From this list you can see that we are going to use mostly free and open source software. arp-scan is required for a proper check of network segmentation and of the isolation of critical subnetworks, dirb and nikto will help us work through web applications, and network-level security issues we will identify with the help of nmap.

Recon

First we need to identify the live hosts in our network (internal or external):

$ nmap -sn -T5 192.168.0.0/24

To avoid wasting time on inactive hosts, we filter them out and work only with live hosts.

Scanning & Vulnerabilities finding

In the next step we identify open ports and grab banners; the output is written in grepable format:

$ nmap -sV -T4 -F 192.168.0.1 192.168.0.3 192.168.0.15 --script banner -oG /tmp/nmap-banners.txt

If we have a large number of live hosts, we can do the same with masscan:

$ masscan 192.168.0.0/24 -p0-5000 --banners -oG /tmp/masscan-banners.txt

Once we have the results of those scans, the next steps are the following:

  • Run the nmap vulnerability scripts against the discovered ports (nmap -sV -p <ports> <hosts> -T4 --script vuln)
  • Run Dirb against web apps (for example, dirb http://192.168.0.15) to find sensitive files and directories
  • Use Nikto for some simple web security checks (for example, nikto -host http://192.168.0.15)
  • Finally, check network isolation with arp-scan (segmentation can also be checked with nmap)
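The grepable banner file from the previous step is the input for the vuln-script scan, so here is an added helper (not part of the original post) that parses nmap -oG output, drops hosts that are down, builds one --script vuln command per live host with exactly its open ports, and flags services the write-up treats as critical because they speak cleartext. The sample scan output is constructed for the example, not from a real network.

```python
from collections import defaultdict

# Constructed sample of nmap -oG (grepable) output; fields are tab-separated.
SAMPLE_OG = """# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//nginx 1.14.2/\tIgnored State: closed (98)
Host: 192.168.0.3 ()\tStatus: Up
Host: 192.168.0.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet///, 443/open/tcp//ssl|https//Apache httpd 2.4.29/\tIgnored State: filtered (97)
Host: 192.168.0.15 ()\tStatus: Down
# Nmap done at (constructed sample)
"""

# Protocols that carry credentials or data unencrypted; a finding in a compliance scan.
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}


def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only.

    Down hosts and hosts without a Ports field are skipped, which is the
    'work only with live hosts' filtering done by hand in the post."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        if "Ports" not in fields:
            continue  # 'Status: Up/Down' line, no port data
        for entry in fields["Ports"].split(", "):
            # port/state/proto/owner/service/rpcinfo/version/
            p = entry.split("/")
            if p[1] == "open":
                hosts[host].append((int(p[0]), p[2], p[4], p[6]))
    return dict(hosts)


def vuln_scan_commands(hosts):
    """One 'nmap --script vuln' command per host, limited to its open ports."""
    return [f"nmap -sV -T4 --script vuln -p {','.join(str(p) for p, *_ in sorted(ports))} {host}"
            for host, ports in sorted(hosts.items())]


def cleartext_findings(hosts):
    """(host, port, service) triples where the service is a cleartext protocol.
    'ssl|https'-style names are not flagged because nmap saw TLS on them."""
    return [(h, p, s) for h, ports in sorted(hosts.items())
            for p, _, s, _ in sorted(ports) if s.split("|")[0] in CLEARTEXT]


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_OG)
    for cmd in vuln_scan_commands(found):
        print(cmd)
    for h, p, s in cleartext_findings(found):
        print(f"cleartext service: {h}:{p} ({s})")
```

Replace SAMPLE_OG with the contents of /tmp/nmap-banners.txt to use it on a real scan; masscan's -oG output uses the same Host/Ports layout but omits the version field, so the parser tolerates an empty version.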

If any services with authentication are discovered, we use hydra. Examples of such services are ssh, rdp, ftp, samba, telnet, databases and others. Hydra helps us run password brute-force checks against them. By the way, such checks can also be done with nmap; I can't say which of the two is faster, but both tools are effective and popular among penetration testers.

To check for reachable devices and segmentation from inside the network, we can use the following arp-scan command:

$ arp-scan --interface=eth0 --localnet

By switching the interface on your machine to each subnet in turn, you can check every segment; any host that answers ARP from a segment that is supposed to be isolated is a segmentation finding.

Automated Vulnerability Assessment Solutions

Finally, we can cover nearly the same checks (and in several cases even more) with solutions like OpenVAS or Nessus. Nessus is free only as the home edition, which cannot be used for commercial purposes, so our choice is OpenVAS.

OpenVAS is a fully automated vulnerability scanner that runs discovery scans, identifies open ports, and finds actual vulnerabilities and misconfiguration issues. The only thing to note is that it also needs its targets entered, and here you can do the same as we did at the beginning: first identify live hosts, add them to OpenVAS, and launch the vulnerability scan.

What we did here was vulnerability assessment, not penetration testing; please do not confuse the two approaches, as they differ both in goals and in execution techniques. Vulnerability assessment is mainly a white box activity with an already identified scope, whereas in penetration testing with a black box approach we may know only the company name or the company website URL, for example.
