Penetration Testing with Kali Linux OffSec
|
|
Vulnerability
Scanning . 277 Vulnerability scanners come in many different forms, from individual scripts that identify a single vulnerability to complex commercial solutions that scan for a broad variety. Automated vulnerability scanners can be invaluable for penetration testers as they help quickly establish a baseline on the target network before performing a more thorough manual testing analysis to get adequate coverage. Common types of vulnerability scanners are web application and network vulnerability scanners. In this Module, we will analyze automated network vulnerability scanning. We’ll begin with the theory behind vulnerability scanning and then use Nessus 278 and Nmap 279 to perform different kinds of vulnerability scans. 7.1 Vulnerability Scanning Theory This Learning Unit covers the following Learning Objectives: • Gain a basic understanding of the Vulnerability Scanning process • Learn about the different types of Vulnerability Scans • Understand the considerations of a Vulnerability Scan In this Learning Unit, we’ll discuss the theory behind vulnerability scanning. Before inspecting our tools, we need to outline the basic workflow of a vulnerability scanner and understand how it finds vulnerabilities. We will also review the different types and considerations of a vulnerability scan. 7.1.1 How Vulnerability Scanners Work Every vulnerability scanner has its own customized workflow but the basic process behind vulnerability scanning is implementation independent. The basic process of an automated vulnerability scanner can be described as: 1. Host discovery 277 (Wikipedia, 2021), https://en.wikipedia.org/wiki/Vulnerability_scanner 278 (Tenable, 2022), https://www.tenable.com/products/nessus 279 (Nmap, 2022), https://nmap.org Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 164 2. Port scanning 3. Operating system, service, and version detection 4. Matching the results to a vulnerability database The Host Discovery 280 tells the scanner if the target is up and responding. The scanner then uses various techniques to identify all open ports on the system and detect all remotely accessible services with corresponding versions. In addition, operating system detection will be done in this step. Based on all gathered information, the vulnerability scanner will then query a vulnerability database to match the found data to vulnerabilities. Examples for vulnerability databases are the National Vulnerability Database 281 and the Common Vulnerabilities and Exposures (CVE) program. 282 Most commercial vulnerability scanners also have the functionality to verify found vulnerabilities by attempting to partially or fully exploit them. This can significantly reduce missed vulnerabilities but can impact the stability of the service or system. Vulnerabilities are identified by the CVE system. 283 While this allows us to identify and find verified vulnerabilities, the CVE identifier provides no information about the severity of a vulnerability. The Common Vulnerability Scoring System (CVSS) 284 is a framework for addressing characteristics and severity of vulnerabilities. Each CVE has a CVSS score assigned. The two major versions are CVSS v2 285 and CVSS v3. 286 Both versions use a range from 0 to 10 to rate vulnerabilities with different severity labels. The following figure from the Yüklə Dostları ilə paylaş:
|