Vulnerability Assessments

Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
>> Vulnerability assessments. The learning objectives for this lesson are to define the different vulnerability assessment approaches, to explore various vulnerability analysis methods, and to evaluate different types of vulnerability analysis tools.

Let's get started. When we're talking about vulnerability analysis, what we're trying to do is find the bugs or holes, or vulnerabilities, before an attacker does, so this lesson is geared towards showing you the many different ways that we can do that. Sometimes it's going to deal with source code, sometimes it's going to deal with networks, but they're all trying to achieve the same goal, and that's finding a vulnerability before an attacker does. I also want to note that penetration testing is a subset of this, where we would engage either an internal team such as a red team or a third-party company to simulate an attack on our environment the way an attacker might do. Some of the areas of this lesson are specific to penetration testing, and when we get to those areas, I'll let you know that these are specific to a penetration test.

We're going to get started with static analysis. This is when we manually review source code looking for any errors or bugs, and we can also use software to help us automate this process, but the key is we're looking at the source code itself and not the application while it's in use. But a dynamic analysis is when the application is in use. We will be able to go through and see if there are any issues with the program or the system and collect data that way.

A side-channel analysis is when we inspect a system or the software while it's running, but we do this by analyzing the data that it produces. A good example of this would be to use a sniffer to capture network traffic from an application so that we can see what information that app is putting onto the network.

Reverse engineering is when we deconstruct software, but sometimes hardware, to see how it functions. When malware is being deconstructed to see what exploits are included with it, this is a good example of reverse engineering.

We can also do a wireless vulnerability scan. This is to help us look for any misconfigurations we might have, but we can also use it to find our signal coverage. Oftentimes people think that the wireless signal stops where the walls of the building stop, but that's not the case. We want to find out how far beyond the building our wireless signal emanates. But a wireless vulnerability scan can also help us to find any areas of our network that might be vulnerable to common attacks such as Reaver or KRACK.

We can also do a software composition analysis, and this is when we're inspecting the source code of an app, but we're looking for the open-source components that we might have included with it, and they themselves may have vulnerabilities. Oftentimes when you're coding, you might include third-party libraries. If those third-party libraries haven't been properly checked, they may have their own vulnerabilities, and then when we include those with our app, we're introducing those into our application.

Fuzzing is a black-box testing method that purposely injects malformed data into an application. The purpose of this is to see how the application is going to handle it. Is it going to reveal sensitive information? Is it going to cause the application to crash? We need to find these things out ahead of time, because fuzzing tools are very common for attackers to launch against web apps, and we need to do this ahead of time.

Pivoting is one of those items that's specific to a penetration test, and this is once an attacker has exploited one particular system on a network, they will use that to target others, but the goal is to move closer to their own goal inside that network. For example, maybe a workstation was compromised because of a phishing attack, but the end goal for this attacker is to get to the Active Directory. So they will pivot to another target that is closer in the network to that Active Directory server.

Post-exploitation and persistence are also examples of parts of a penetration test. Post-exploitation is when the attacker will use additional work to ensure that they are maintaining their access and also to get additional data or resources on the network, whereas persistence is ensuring that they are able to stay in the environment and remain undetected. Once an attacker gets in, they've exploited a particular vulnerability, and they're on a device. They want to ensure that they have another way into the network. In case that one vulnerability is ever patched, they want to make sure they have another way of getting in. That would be an example of persistence.

Let's talk about some vulnerability analysis tools. First, we have the protocol analyzer. This is used to capture network traffic for analysis. A common example of this is Wireshark or tcpdump. A network traffic analyzer is a little different from a protocol analyzer, but it's designed to analyze data captured by a sensor. A good example of this is Zeek.

A port scanner looks for services that are running on ports on a specific system. We want to see if port 80 is open, if port 443 is open, but we can also scan to see if other ports were left open that the administrator didn't intend to be left open. A good example of a port scanner is Nmap, and that's actually what's shown on the screen here.

HTTP interceptor: this will capture the HTTP or HTTPS traffic between hosts and the web server to inspect that data. What we're trying to do is, can we see any of that information that maybe normally shouldn't be seen, and are we able to use that to help us exploit the server? A good example of this software would be Burp Suite.

Next we have the SCAP scanner. This uses SCAP to compare a scanned device against SCAP baselines. What we're trying to do is we have our established SCAP baselines, and we want to see where our systems are in comparison to that. The DoD SCAP scanner is a good example of this.

A vulnerability scanner will scan devices for a database of known vulnerabilities, some misconfiguration issues, and numerous other issues. A good example of this is Nessus. I highly recommend you download Nessus and play with it, because it will really show you a lot of areas of your network that maybe you didn't think about that might need to be addressed.

Then we also have exploit frameworks, and these are a collection of tools that are designed for exploiting systems and software. They have a large number of exploits already built into them so that we can exploit vulnerabilities, and the two most common are Metasploit and PowerShell Empire, but these will both contain many ways to get into many different types of systems and different applications.

They also have password crackers. These are designed to help us crack passwords from a variety of sources, and you might have hashes that are collected from an Active Directory server, you might have a wireless password hash, but regardless, all of those need to be cracked at some point.

>> You can use several methods to do this, but the two most common would be a brute-force attack or a dictionary attack. You can also do a combination attack of the two. But a brute force will try every possible combination of whatever you've set it up to do. It could be all numbers, all letters, all uppercase letters, or however you set it up. This is very time-consuming, and for longer passwords this can become very difficult and almost impossible to do. That's why we have dictionary attacks as well. There are large dictionary files available online of the most common passwords that have been captured through breaches. This is typically the first method that is used. But again there's another method where you can even custom-tailor the dictionary to be specific to who you're targeting. If you have information about them, such as their parents' names, children's names, birthdays, that type of thing, you can feed that in and then generate a password list to make it more specific to a person. But good examples of password crackers are Hashcat and John the Ripper. We also use Mimikatz, which is not itself a password cracker, but it's a very good tool for being able to dump hashes from Windows machines so that we can feed those into Hashcat.

Dependency management is when we're evaluating the vulnerabilities in third-party libraries and components of software and hardware.

Now these items are specific to a penetration test. When you have a penetration test you have several components that are outlining what you can and can't do. We're going to start off with the scope of work. What is allowed, what time are you allowed to do it, and what is off-limits. Some devices on the network may be off-limits because if they were to crash in the penetration test it would do damage to the network, and a company can't allow that. You also want to be able to know what time of day you're allowed to work. Sometimes you may not want those attacks to take place during business hours, or you might not want them to take place outside of business hours.

Next we have the rules of engagement. This defines the manner in which all of the assessments will occur. It includes the type of testing that we're going to do. We also need the contact information of all parties involved, and how the penetration testers are going to handle any sensitive information that they might come across while performing their test. Then it also describes the report formats that are needed once the test is concluded, how these reports need to be put together so they can be given to management.

Invasive versus non-invasive is how far a test is allowed to go on systems. Sometimes you might want to show that a vulnerability is there, but you might not want to have the testers exploit it, because exploiting it could increase the risk that a device may crash or it may produce undesirable side effects. We want to make sure that we have all of that documented ahead of time, that everyone knows how far they're allowed to go.

Then lastly we have our assets. The company would ideally need to provide a list of the devices that they want the testers to perform a test on. But sometimes you also allow them to do a blind test where the testers are not given any information ahead of time, so that it more closely resembles what an attacker in the wild would do. They don't really know what the inside of your network looks like, so if you really want to make sure that it's as realistic as possible, oftentimes we do blind tests. But you want all of that defined upfront in the document, so that again, everyone is on the same page on this. Because the ramifications of doing something incorrectly, attacking the wrong system, taking a system down that is critical, are massive. We want to make sure that all of that is defined ahead of time and everyone knows what's going on. But this also serves as the typical get-out-of-jail-free card, where if you were caught doing something you have a way of saying, "Look, I'm supposed to be doing this, I'm allowed to do this," so that you don't end up in a federal penitentiary.

We also want to make sure that we have permissions and access. Are there any materials that we're going to need to provide to the testers so they can complete their assessments, such as ID badges? Are we going to make sure they have background checks ahead of time? All of that needs to be documented as well.

We also want to have our facility considerations taken into account. Are the assessments going to be done on site? Are we going to be doing any physical penetration testing? Which we'll go into in the next item. But if we're having people on site to do things, do they need to be escorted throughout the building? Are they going to be working from one particular office, or are we going to allow them more access to do things so that it more closely simulates what an actual attack would look like?

Next we have our physical security considerations. Are we assessing our physical security in this particular assessment? If so, we need to make sure we have that signed get-out-of-jail-free card. It's so important to have this ahead of time, because when you're physically breaking into a building, whether you're picking the lock on the back door, or you're trying to bypass cameras, or any number of things, those things look like what an actual burglar would be doing, and a lot of people may misinterpret it. Security guards may be calling the police. If you're going to be doing any physical security considerations, you want to make sure that that get-out-of-jail-free card is really front and center on this, because it's really important. It's equally important on the network side as well. But with physical security so many things could go wrong because people can see what's happening, whereas on a network assessment it's a lot harder for people to detect and see what's going on, as opposed to someone trying to pick the lock on a back door on a dark night.

Then afterwards we want to make sure we have a consideration in for our rescan for corrections. After the pen test has been performed, we want the site to be able to perform a remediation. After that remediation has been performed on their network, we will need to scan it again to show that those remediations actually solved the problems that we identified in that penetration test.

Let's summarize. We went over vulnerability analysis approaches, and we also discussed vulnerability analysis methods and analysis tools. Then we discussed vulnerability analysis dependencies.

Let's do some example questions. Question 1: which type of tool is used to capture HTTP or HTTPS traffic between hosts to inspect or modify it? An HTTP interceptor. Question 2: blank describes how an attacker uses a system that has already been compromised to access another within the same organization. Pivoting. Question 3: this type of analysis uses vulnerability scanning while a system is running. Dynamic analysis. Question 4: black-box testing method that purposely inputs malformed data. Fuzz testing. Hope this lesson was helpful for you, and I'll see you in the next one.