Vulnerability assessment is one of the steps of penetration testing. It can be described as the procedure where the penetration tester scans the system for vulnerabilities in order to gain access to the system. A vulnerability can be a weakness point, a failure even a miss-configured file that a pentester or an attacker can exploit to obtain unauthorised access to the system. Vulnerability scanning can be accomplished automatically via vulnerability assessment tools such as OpenVas, Nessus etc.
“ Be able to discover the vulnerabilities of your system before an attacker does ”
Vulnerability Assessment Steps
Vulnerability Assessment Vs Penetration Testing
The difference between VA and PT is that during the penetration testing you aim to gain unauthorised access to the system but during the vulnerability assessment you should bypass this step and proceed to the report. This point should be cleared on the contract between you and management before the test.
Common Vulnerabilities and Exposures (CVE® | http://cve.mitre.org/)
CVE can be described as an “index” of known security vulnerabilities. Using CVE’s identifiers you can easily search for the details of a specific vulnerability in different security databases. When you find a vulnerability during scanning procedure you can fast access a CVE database to read information about the vulnerability and information about countermeasures.
How CVE works
There is a unique identifier number (CVE-2016-8858)
All known vulnerabilities are saved to such database with informations like brief description, solution, relevant references.
OpenVas (Open Vulnerability Assessment System)
OpenVas is an open source vulnerability scanning tool. In this example we will use OpenVas to scan a target machine for vulnerabilities. We will also use two virtual machines in an isolated virtual environment. Our host machine will be a kali linux vm and we are going to scan a virtual machine with metasploitable framework which is by default full of vulnerabilities.
STEP 1 / Starting OpenVas Services
To Start OpenVas Services we can find it in Applications in the section of Vulnerability Analysis
STEP 2 / Loading OpenVas Interface
To load OpenVas Interface you should open iceweasel and type https://127.0.0.1:9392. By default OpenVas run on port 9392. For credentials you can use U:admin P:letmein
STEP 3 / Creating New Target
To perform a new scan we have to create our target first. To do that you can go to Targets through the Configuration button in the menu bar To create your target click on the star button.
A new window will open. Fill the fields according to needs of the assessment. In this example we will use the IP of the target machine manually.
STEP 4 / Creating New Task
Immediately after the creation of our target we will proceed to the task section in order to create a new task for our new target. To create a new task we have to move on the task section from the menu bar as the images illustrate. To create new task we should click on the star button.
The next move is to fill the fields with the necessary details. On the “Scan Targets” we choose the target that we have created before. Furthermore, for the purposes of this example we will choose the default OpenVas Scanner.
STEP 5 / Start Scanning
We almost finished. Now we can start scanning our target (click on the play button) and wait until it finish.
STEP 6 / Study the Results and Export your Report
When the scan will be completed you are able to see the details of each vulnerability that has been found during the scanning procedure. As you can see in the image below in our report there are a lot of critical vulnerabilities. This is because we scanned a vm with metasploitable framework which is by default a vulnerable machine. At this point your employer needs to read your own report not the exported report of OpenVas. So, the best practise is to write your own report listing your findings including suggestions and advices.
Keep in mind that Intrusion Detection Systems (IDS) can detect such activities.