Vulnerability Assessment: Part 2


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
Now for our second session on vulnerability assessments, we're going to talk about the idea of mapping out the network. The reason we map the network is to figure out where our desirable servers are, the ones that make good targets, so we'll talk about that. Then we'll also talk about conducting assessments, not necessarily just of the network of systems, but specifically of applications.

One of the things that we do when we conduct vulnerability scans, as I mentioned in the last section, is we want to learn. I want to find out about the network. I want to find out where the desirable servers are. I want to find out what operating system those servers are running. I want to find out if they're patched. All that falls under the category of footprinting the network. There are lots of tools out there. We'll look at an NMAP readout in just a minute. But what I'm looking for, as we said before, is to determine what weaknesses exist. Now, just because we found an apparent weakness doesn't guarantee it can be exploited. But we start by seeing what's out there.

Now, when we think about network discovery, for which we would use a tool called NMAP, what I'm looking to do ideally is to figure out your IP addressing scheme and find out where certain services are being run. What servers run the Kerberos distribution center? What servers run DNS? Those are some of the servers that are most desirable in the network: your domain controllers, your KDC, DNS servers. These are the ones where a denial-of-service attack can render the network unusable. Then DNS, I can do so much more damage when I learn where your DNS server is.

Now once I find where these desirable servers are, by footprinting the network, I then want to fingerprint the system to find out what operating system it's running. We footprint the network, we fingerprint the operating system. The way I fingerprint to determine what operating system a machine is running is I will send different types of packets to that machine and see how it responds. Every operating system handles the TCP/IP suite a little bit differently. What is your system? How does it respond when there's a SYN packet sent to a port that isn't open? How do you respond to an ACK if there had been no SYN and SYN-ACK before? Basically, I'm testing how your system responds to unusual types of traffic, and how that system responds is going to give me a good indication, sometimes not just of the operating system, but all the way to the service pack level or even patch level.

Some common tools: SYN scanning, like I said, I'm going to send a SYN packet and see how that system responds, but also how it responds if I send a SYN packet to an unopened port or closed port. TCP connect scanning is where we're actually making that full connection. Then looking at the parameters of that connection might help me. Like I said, SYN scanning is when you get an ACK without a SYN and SYN-ACK first. I wanted to also mention Christmas scanning, or Christmas tree scanning. This is sending a packet with every flag set to one. Now, that would never happen in the real world because there are actually some contradictory fields here. But the packet is said to be lit up like a Christmas tree with all the flags set to one. I'm looking for what error response I get back from your computer, and that will let me know what your operating system is, or it will at least help me in the direction of figuring that out.

Now, this is NMAP, and you can get quite a bit of information from NMAP. Now I'll tell you, on the exam, it's not like they're going to ask you to look at an NMAP readout or make a diagnosis of the network. But what you can see is, in this case, they're looking at a particular host, 131.130.13.13, so you can see that in the NMAP window. You can see that you get to determine what type of commands or what type of packets are sent. We can do a ping sweep, which says we're going to ping 131.130.13.13, 13.14, 13.15, and just determine where hosts are on the network. You can see down below that we see what ports are running on that system. Again, you can find out right to the point where you know exactly what operating system, and you can see the second line from the bottom: operating system guess is Linux, and then the version number as well. That gives us a lot of good information.

Usually the vulnerability assessment is the first step of a pen tester's journey, and an attacker's as well. I'm going to get my list of information, figure out what vulnerabilities exist so that I can then increase the attack strategy and actually begin an active attack.

Now usually, when we talk about pen testing, let's assume we're talking about pen testing a system or the network. But certainly, we can pen test and assess vulnerabilities for web applications as well. Web applications are particularly vulnerable because they're accessed through the web and we don't have as many restrictions on who can access the service. The whole point of making these applications available across the web is so that we can have numerous users and have access be easy. It's really important that we need to test these applications and make sure that they're assessed before we do put these services and these apps out there.

Now, one of the biggest concerns when we're talking about applications, particularly database applications and forms where we allow user input, our biggest concern in that case is code injection. We're familiar with the phrase garbage in, garbage out. We want to make sure that our applications don't allow garbage to come in. What we scan is, we scan these fields to make sure there's proper input validation in place, making sure that people aren't entering information, or are not able to enter information, that might hurt the back-end database. When we're testing to make sure our applications conduct input validation, the term is called fuzzing. There's fuzzing software out there that will do that. Basically, scanning the application to determine: are there places where we don't have input validation or any other known flaws? Essentially, when we're scanning an application for vulnerabilities, you can think of that term as fuzzing.

In this section, we talked about mapping out the network to find our desirable servers and services, and then we also talked about application scanning, specifically looking for issues like a lack of input validation.