Vulnerability Assessment - Part 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Course
Time
8 hours 25 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:00
>> Now for our next section or
00:00
second session on vulnerability assessments,
00:00
we're going to talk about the idea
00:00
of mapping out the network.
00:00
The reason we map the network is to figure
00:00
out where our desirable servers are,
00:00
the ones that make good targets. We'll talk about that.
00:00
Then we'll also talk about conducting assessments,
00:00
not necessarily just of the network or of systems,
00:00
but specifically of applications.
00:00
One of the things that we do
00:00
when we conduct vulnerability scans,
00:00
as I mentioned in the last section, we want to learn.
00:00
I want to find out about the network.
00:00
I want to find out where the desirable servers are.
00:00
I want to find out what operating system
00:00
those servers are running.
00:00
I want to find out if they're patched.
00:00
All that falls under
00:00
the category of footprinting the network.
00:00
There are lots of tools out there.
00:00
We'll look at an InMap readout in just a minute.
00:00
But what I'm looking for,
00:00
as we said before,
00:00
is to determine what weaknesses exist.
00:00
Now, just because we found an apparent weakness doesn't
00:00
guarantee it can be
00:00
exploited but we start by seeing what's out there.
00:00
Now, when we think about
00:00
the network discovery which
00:00
we would use that tool called InMap for,
00:00
what I'm looking to do ideally
00:00
is to figure out your IP addressing scheme,
00:00
find out where certain services are being run,
00:00
what server is running the Kerberos distribution center,
00:00
what server is running DNS?
00:00
Those are some of the servers that are
00:00
most desirable in the network.
00:00
Your domain controllers, your KDC, DNS servers.
00:00
These are the ones that a denial of
00:00
service attack can render the network unusable.
00:00
Then DNS, I can do
00:00
so much more damage when
00:00
I learn where your DNS server is.
00:00
Now once I find where these desirable servers are,
00:00
by footprinting the network,
00:00
I then want to fingerprint the system
00:00
to find out what operating system it's running.
00:00
We footprint the network,
00:00
we fingerprint the operating system.
00:00
The way I fingerprint to determine
00:00
what operating system a machine is running
00:00
is I will send different types
00:00
of packets to that machine and see how it responds.
00:00
Every operating system handles
00:00
the TCPIP suite a little bit differently.
00:00
What is your system?
00:00
How does it respond when there's a SYN packet
00:00
sent to a port that isn't open?
00:00
How do you respond to an act if there had
00:00
been no SYN and SYN act before?
00:00
Basically, I'm testing how your system
00:00
responds to unusual types of traffic,
00:00
and how that system response
00:00
is going to give me a good indication,
00:00
sometimes not just of the operating system,
00:00
but all the way to
00:00
the service pack level or even patch level.
00:00
But some common tools SYN scanning, like I said,
00:00
I'm going send a SYN packet and
00:00
when that system how it responds,
00:00
but also how it responds if I send
00:00
a SYN packet to an unopened port or closed port.
00:00
TCP connect scanning is
00:00
where we're actually making that full connection.
00:00
Then looking at the parameters
00:00
of that connection might help me.
00:00
Like I said, ACK scanning is when you
00:00
get an arc without a SYN and SYN ACK first.
00:00
I wanted to also mention
00:00
Xmas scanning or Xmas tree scanning.
00:00
This is sending a packet with every flag set to one.
00:00
Now, that would never happen in the real world because
00:00
there are actually some contradictory fields here.
00:00
But the packet is said to be lit up like
00:00
a Christmas tree with all the flags set to one and
00:00
I'm looking for what error response I get
00:00
back from your computer and that'll let me
00:00
know what your operating system is or will at least to
00:00
help me in the direction of figuring that out.
00:00
Now, this is Nmap and you can get
00:00
quite a bit of information from Nmap.
00:00
Now I'll tell you on the exam,
00:00
it's not like they're going to ask you
00:00
to look at an Nmap readout,
00:00
make a diagnosis of the network.
00:00
But what you can see is, in this case,
00:00
they're looking at a particular host,
00:00
131 130 13 13.
00:00
You can see that in the map window.
00:00
You can see that you get to determine what type of
00:00
commands or what type of packets are sent.
00:00
We can do a ping sweep which says,
00:00
we're going to ping 131 130 13.13,
00:00
then 13.14 13.15 and
00:00
just determine where hosts are on the network.
00:00
You can see down below that we see
00:00
what ports are running on that system.
00:00
Again, you can find out right to the point
00:00
where exactly what operating system.
00:00
You can see the second line from the bottom,
00:00
operating system guest is Linux and
00:00
then the version number as well.
00:00
Nmap gives us a lot of good information.
00:00
Usually, the vulnerability assessment is
00:00
the first step of a ping tester's journey,
00:00
and an attacker as well.
00:00
I'm going to get my list of information,
00:00
figure out what vulnerabilities exist so that I can
00:00
then increase the attack strategy
00:00
and actually begin an active attack.
00:00
Now, usually, when we talk about ping testing,
00:00
let's assume we're talking about ping testing
00:00
a system or the network.
00:00
But certainly, we can ping test and
00:00
assess vulnerabilities for web applications as well.
00:00
Web applications are particularly
00:00
vulnerable because they are accessed through the web.
00:00
We don't have as many restrictions
00:00
on who can access the service.
00:00
The whole point of making these applications
00:00
available across the web is so
00:00
that we can have numerous users and have access be easy.
00:00
It's really important that we
00:00
need to test our applications
00:00
and make sure that they're assessed before we
00:00
do put these services in these apps out there.
00:00
Now, one of the biggest concerns
00:00
when we're talking about applications,
00:00
particularly database applications and
00:00
forms that we would allow users input,
00:00
is our biggest concern in that case is code injection.
00:00
We're familiar with the phrase garbage in, garbage out.
00:00
We want to make sure that our applications
00:00
don't allow garbage to come in.
00:00
What we scan is we scan these fields to make
00:00
sure there's proper input validation in place,
00:00
making sure that people entering information or not able
00:00
to enter information that
00:00
might hurt the back-end database.
00:00
When we're testing to make sure our applications
00:00
conduct input validation,
00:00
the term is called fuzzing.
00:00
There's fuzzing software out there that will do that.
00:00
Basically, scanning the application to determine,
00:00
are there places where we don't have
00:00
input validation or any other known flaws?
00:00
Essentially, when we're scanning
00:00
an application for vulnerability,
00:00
you can think of that term as fuzzing.
00:00
In this section, we talked about mapping out
00:00
the network to find our desirable servers and services.
00:00
Then we also talked about application scanning,
00:00
specifically looking for issues
00:00
like a lack of input validation.
Up Next