Penetration Testing with Kali Linux OffSec


PEN-200

demilitarized zone (DMZ),[292] and public-facing services.
[288] NIST, 2022, https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
[289] CGISecurity.com, 2008, https://www.cgisecurity.com/questions/falsepositive.shtml
[290] Red Hat, 2020, https://access.redhat.com/security/updates/backporting
[291] CGISecurity.com, 2008, https://www.cgisecurity.com/questions/falsenegative.shtml
[292] Wikipedia, 2021, https://en.wikipedia.org/wiki/DMZ_(computing)


PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
The client’s intention is to get an overview of the security status of all systems that are accessible to an external attacker. In most cases, we get a list of IP addresses the client wants us to scan, but occasionally they want us to map all externally accessible systems and services ourselves. While a company should always know which of its systems are publicly accessible, this is not always the case. As a result, we will often find externally exposed sensitive systems and services that the company is not aware of.
On the other hand, there is the internal vulnerability scan, where we have direct access to either part of or the complete internal network of a client. When a client tasks us with this kind of vulnerability scan, we either get VPN[293] access or we perform the scan on-site. The intention is to get an overview of the security status of the internal network. It is important to analyze which vectors an attacker can use after breaching the perimeter.
The next two scan types we will examine are authenticated and unauthenticated vulnerability scans. When we perform a vulnerability scan on a system without providing credentials, it is called an unauthenticated vulnerability scan. Unauthenticated scans are made to find vulnerabilities in remotely accessible services on a target. They map the system’s open ports and the services behind them, and provide us with an attack surface by matching that information to vulnerability databases, as mentioned before.
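The following script shows what an unauthenticated scan actually has to work with: nothing but open ports and service banners, matched against a vulnerability table. It is an added example and not code from the PWK course. The nmap output is a constructed sample in nmap’s grepable (-oG) format, as written by `nmap -sV -oG scan.gnmap <targets>`, using documentation addresses; KNOWN_ISSUES is a tiny hand-made stand-in for a real vulnerability database (its one entry, the vsftpd 2.3.4 backdoor, is a real CVE).

```python
"""Unauthenticated view of a target: open ports and service banners,
matched against a vulnerability table.

Added example, not code from the PWK course. SAMPLE_GNMAP is a constructed
sample in nmap's grepable (-oG) output format; KNOWN_ISSUES is a hand-made
stand-in for a vulnerability database.
"""
import re
from dataclasses import dataclass

# Constructed sample: two hypothetical hosts, scanned with service detection.
# -oG port fields are port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/28\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4/, "
    "80/open/tcp//http//Apache httpd 2.4.52/, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//ssl|http//nginx 1.18.0/"
    "\tIgnored State: filtered (999)\n"
)


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


# One port entry: seven slash-separated fields, trailing slash included.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return the open ports (with banner-derived version strings) per host."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":  # filtered/closed ports are not attack surface
                found.append(OpenPort(host, int(port), proto, service, version))
    return found


def attack_surface(ports):
    """host -> sorted list of open ports, i.e. what an external attacker can reach."""
    surface = {}
    for p in ports:
        surface.setdefault(p.host, []).append(p.port)
    return {h: sorted(ps) for h, ps in surface.items()}


# Illustrative stand-in for a vulnerability database: (service, version pattern, issue).
KNOWN_ISSUES = [
    ("ftp", re.compile(r"^vsftpd 2\.3\.4\b"),
     "vsftpd 2.3.4 backdoored release (CVE-2011-2523)"),
]


def match_issues(ports):
    """Banner-based matching: a hint to verify, not proof (backported fixes keep old version strings)."""
    hits = []
    for p in ports:
        for service, pattern, issue in KNOWN_ISSUES:
            if p.service == service and pattern.search(p.version):
                hits.append((p.host, p.port, issue))
    return hits


if __name__ == "__main__":
    open_ports = parse_gnmap(SAMPLE_GNMAP)
    for host, plist in attack_surface(open_ports).items():
        print(f"{host}: open ports {plist}")
    for host, port, issue in match_issues(open_ports):
        print(f"{host}:{port} -> {issue}")
```

Note what is absent from this picture: the 3306/filtered entry and everything behind the open ports (patch level, local ACLs, configuration) are invisible, which is exactly the gap the authenticated scan fills.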
However, we get no information about local security flaws, such as missing patches, outdated software, or configuration vulnerabilities on the system itself. For example, in an unauthenticated vulnerability scan of a Windows target, we cannot determine whether the system is patched against the HiveNightmare[294] vulnerability, which allows an unprivileged user to read sensitive system files. This is where authenticated scans come into play.
Most scanners can be configured to run authenticated scans, in which the scanner logs in to the target with a set of valid credentials. In most instances, authenticated scans use a privileged user account to have the best visibility into the target system. The goal of authenticated vulnerability scans is to check for vulnerable packages, missing patches, or configuration vulnerabilities. We will perform both authenticated and unauthenticated scans in the next Learning Unit, but first, let’s discuss how to obtain accurate and conclusive results.
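As an added example of a check that only an authenticated session can make, the script below tests for the HiveNightmare condition (CVE-2021-36934) the way a credentialed scanner would: it looks at the ACL of the SAM hive with `icacls` and at existing shadow copies with `vssadmin`, the two conditions Microsoft’s advisory workaround addresses. This is not code from the PWK course; the command outputs embedded below are constructed to resemble a vulnerable and a patched host and were not recorded from a real system.

```python
"""Authenticated check for the HiveNightmare condition (CVE-2021-36934).

Added example, not code from the PWK course. It parses two local commands
that an unauthenticated scan can never run:
  icacls %windir%\\System32\\config\\SAM   (who may read the hive)
  vssadmin list shadows                    (is an unlocked copy available)
All sample outputs are constructed for illustration.
"""
import os
import re
import subprocess

# Constructed: icacls on a host with the over-permissive ACL.
SAMPLE_ICACLS_VULN = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed: the same command after access has been restricted.
SAMPLE_ICACLS_FIXED = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed (abridged): one shadow copy present / none present.
SAMPLE_VSS = r"""Contents of shadow copy set ID: {constructed-set-id}
   Contained 1 shadow copies at creation time: 7/20/2021 9:15:02 AM
      Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
"""
SAMPLE_VSS_NONE = "No items found that satisfy the query.\n"

# icacls rights that include reading the file contents.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}
# ACEs granted to principals every local user belongs to.
ACE_RE = re.compile(
    r"(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone):((?:\([^)]*\))+)"
)


def low_priv_read_aces(icacls_output):
    """(principal, flags) pairs that let a non-admin read the file."""
    hits = []
    for who, flags in ACE_RE.findall(icacls_output):
        rights = {r for flag in re.findall(r"\(([^)]*)\)", flags) for r in flag.split(",")}
        if rights & READ_RIGHTS:
            hits.append((who, flags))
    return hits


def shadow_copies(vssadmin_output):
    """Device paths of existing VSS shadow copies, where an unlocked hive copy can be read."""
    return re.findall(r"Shadow Copy Volume:\s*(\S+)", vssadmin_output)


def assess(icacls_output, vssadmin_output):
    aces = low_priv_read_aces(icacls_output)
    shadows = shadow_copies(vssadmin_output)
    return {
        "weak_acl": bool(aces),
        "aces": aces,
        "shadow_copies": shadows,
        # The live hive is locked by the OS, so the read only succeeds via a shadow copy.
        "readable_now": bool(aces) and bool(shadows),
    }


def collect_live():
    """Run both commands on the local Windows host (vssadmin needs an elevated shell)."""
    sam = os.path.expandvars(r"%windir%\System32\config\SAM")
    icacls = subprocess.run(["icacls", sam], capture_output=True, text=True).stdout
    vss = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout
    return assess(icacls, vss)


if __name__ == "__main__":
    print(assess(SAMPLE_ICACLS_VULN, SAMPLE_VSS))
```

A weak ACL without a shadow copy is still a finding (the next backup or restore point makes it exploitable), which is why the result separates `weak_acl` from `readable_now`; run `collect_live()` from an elevated session on the target to get the real values.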
7.1.3 Things to consider in a Vulnerability Scan
In this section, we will cover a few things we need to consider when planning and performing a vulnerability scan. In large engagements, we need to configure the vulnerability scanner carefully to get meaningful and relevant results.

The first consideration we’ll discuss is the scan duration. Depending on the scan type and the number of targets, the duration of an automated scan can vary greatly. External scans over the internet can be especially time consuming because of the number of hops and intermediate systems on the network route, so it’s important that we plan accordingly if we have a large list of IP addresses.
We also need to discuss target visibility. While it is easy to input an IP address and start the vulnerability scan, we often have to consider our targets more carefully. It’s important to determine whether our targets are accessible without the need for any VPNs or permissions in a firewall. In most cases, a client providing a list of IP addresses for an external scan isn’t a cause for concern. But if we are single-handedly determining the attack surface of a client’s publicly accessible infrastructure, we need to understand that firewalls and other access restriction mechanisms, which could make systems and services inaccessible, might be in place.

[293] Wikipedia, 2022, https://en.wikipedia.org/wiki/Virtual_private_network
[294] MSRC, 2021, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
For example, an international client has several systems in multiple countries and restricts access to each system to IP addresses from the country where it is located. From our location, we are only able to access the systems in our own country, while all others are inaccessible to us.
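The practical consequence of the geo-restriction example is a pre-flight check before any long scan: confirm from the scanning position which targets answer at all, and report the silent ones as not assessed rather than as clean. The script below is an added example, not code from the PWK course. The probe port list is an assumed default, and the probe function is injectable so the classification can be exercised offline against a constructed result table; on an engagement the real `tcp_probe` is used.

```python
"""Pre-flight visibility check for a scan target list.

Added example, not code from the PWK course. A host that a firewall or
geo-restriction silently drops yields no findings; it must be reported as
"not assessed", never as "clean". DEFAULT_PORTS is an assumed default.
"""
import socket

OPEN, REFUSED, NO_ANSWER = "open", "refused", "no-answer"

# Assumed default: ports that are commonly reachable on exposed hosts.
DEFAULT_PORTS = (22, 25, 80, 443, 445, 3389)


def tcp_probe(host, port, timeout=2.0):
    """One TCP connect. A refusal (RST) still proves the host is routable from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except OSError:  # timeout, host unreachable, name resolution failure
        return NO_ANSWER


def scripted_probe(table):
    """Offline stand-in for tcp_probe, answering from a constructed {(host, port): result} table."""
    return lambda host, port, timeout=2.0: table.get((host, port), NO_ANSWER)


def classify(host, ports, probe=tcp_probe):
    """'reachable' if any probed port answered (open or refused), else 'not assessed'."""
    results = [probe(host, p) for p in ports]
    return "reachable" if any(r in (OPEN, REFUSED) for r in results) else "not assessed"


def preflight(targets, ports=DEFAULT_PORTS, probe=tcp_probe):
    """Split the target list into hosts the scanner can see and hosts it cannot."""
    visible, blind = [], []
    for host in targets:
        (visible if classify(host, ports, probe) == "reachable" else blind).append(host)
    return visible, blind


if __name__ == "__main__":
    import sys
    visible, blind = preflight(sys.argv[1:])
    print("scan these:", visible)
    print("raise with the client (filtered or unroutable from here):", blind)
```

A host that shows up in the blind list is where the firewall or geo-restriction conversation with the client starts (an allow-listed scanner address, a VPN, or a scanning position inside the restricted region), and its absence of findings belongs in the report as a coverage gap.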
Let’s also consider target visibility in an internal engagement. We need to think about our positioning in the network to get meaningful results, especially when we want to scan systems from other subnets. Keep in mind that firewalls,
