2.3 Information gathering & Vulnerability scanning: Vulnerability scanning Flashcards
Vulnerability Scanning: what is it?
The process of assessing a computer, server, network, or application for known weaknesses. A scan produces:
● A list of system weaknesses found
● A report
● Recommendations (remediation steps, usually ranked by severity)
Vulnerability Lifecycle: what is a vulnerability?
Any weakness in a system that can be exploited by a threat actor to gain unauthorized access to a computer system
Vulnerability Lifecycle: what are the different attack surfaces, i.e. the things you can target for an attack (3)?
▪ Client
▪ Server
▪ Network device
Vulnerability Lifecycle: what are the phases of the Vulnerability Lifecycle (5), and what happens in each?
1/ Discover: identify the vulnerability and write a proof-of-concept exploit
2/ Coordinate: report the vulnerability to the vendor and have a CVE ID assigned
3/ Mitigate: publish the CVE and develop a patch
4/ Manage: deploy the patch and test the system
5/ Document: record the results and lessons learned
Vulnerability Lifecycle: what is an Unknown (Zero-Day) Vulnerability?
A vulnerability that has been discovered but not yet disclosed to the vendor (or publicly), so no patch exists; anyone exploiting it has "zero days" of defender head start
Vulnerability Scans: what is vulnerability scanning?
A specialized type of automated scan for hosts, systems, and networks to determine the vulnerabilities that exist on a given system
Vulnerability Scans: what are the vulnerability scanning tools (5)?
▪ OpenVAS
▪ Nessus
▪ QualysGuard
▪ Nexpose
▪ Nmap (with NSE scripts; primarily a port scanner)
Vulnerability Scans: what are the two vulnerability scanning types, and how do they differ?
▪ Credentialed Scan: the scanner logs in with an authorized user or administrator account, so it can read patch levels, installed software, and configuration files directly. This gives a far more complete result with fewer false positives; credentialed scans are usually performed by network defenders and cybersecurity analysts on systems they own
▪ Non-Credentialed Scan: conducted when the scanner has no valid user or admin login, so it can only probe what the host exposes over the network (open ports, banners, responses). This is the view an outside attacker gets, but it misses local-only issues and produces more false positives
Vulnerability Scans: what are the different scanning types (4)?
▪ Discovery Scan
▪ Full Scan
▪ Stealth Scan
▪ Compliance Scan
Vulnerability Scans: what is a discovery scan?
The least intrusive type of scan, used to find which hosts are alive; it can be as simple as a ping sweep (ICMP echo requests across the range)
Vulnerability Scans: what is a full scan?
Probes every port, fingerprints every service, and runs the complete set of vulnerability checks against each host. It is the most thorough and the noisiest option, so it is easily detected by network defenders and cybersecurity analysts
Vulnerability Scans: what is a stealth scan?
Sends a SYN packet to each port and classifies the port from the response (SYN/ACK = open, RST = closed, no response = filtered), then answers with RST instead of completing the three-way handshake. Because no connection is ever established, the application on the target does not log it; the SYN is still visible to firewalls and IDS, so "stealth" only means quieter at the application layer
Vulnerability Scans: how do you avoid detection when doing a stealth scan?
Evading Detection:
o Slow down the scan (longer delays between probes, e.g. Nmap's slower -T timing templates or --scan-delay)
o Break the work into smaller individual scans spread over time and across hosts, so no single burst stands out
o Mask the true source (decoy addresses, proxies or pivot hosts, spoofed source addresses)
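The classification a SYN scan performs (the card above: SYN/ACK means open, RST means closed, silence means filtered), as an added example that is not part of the original flashcards. The TCP headers are constructed in-process with struct and nothing is sent on the wire; port numbers and the scanner's source port are illustrative assumptions.

```python
"""SYN ("stealth") scan response classifier.

Added example, not part of the original flashcards. A SYN scan sends one SYN
per port and decides the port state from the reply, then sends RST instead of
the final ACK, so the target's application never sees a completed connection.
The packets below are built with struct and never leave this process; real
scanners (Nmap -sS) do the same classification on live replies.
"""
import struct

# TCP flag bits in the low byte of the 16-bit data-offset/flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

TCP_HDR = "!HHIIHHHH"   # src, dst, seq, ack, offset|flags, window, checksum, urgent


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Minimal 20-byte TCP header with no options; checksum left at zero."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words (20 bytes)
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Return the fields a scanner cares about from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x01FF, "window": window}


def classify_port(reply, probed_port):
    """Map the reply to a SYN probe (None = no reply) to open/closed/filtered.

    SYN/ACK  -> open     (scanner answers RST, so no full handshake is logged)
    RST      -> closed   (port reachable, nothing listening)
    no reply -> filtered (dropped by a firewall, or lost; Nmap retries first)
    """
    if reply is None:
        return "filtered"
    hdr = parse_tcp_header(reply)
    if hdr["src"] != probed_port:
        return "unrelated"            # not a reply to this probe
    flags = hdr["flags"]
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "unexpected"


def demo_scan():
    """Classify a constructed set of replies for three probed ports."""
    scanner_port = 40000              # assumed ephemeral source port
    replies = {   # constructed replies from the target, keyed by probed port
        22: build_tcp_header(22, scanner_port, SYN | ACK, seq=1000, ack=1),
        23: build_tcp_header(23, scanner_port, RST | ACK, ack=1),
        80: None,
    }
    return {port: classify_port(reply, port) for port, reply in replies.items()}


if __name__ == "__main__":
    for port, state in demo_scan().items():
        print(f"tcp/{port}: {state}")
```

A real scanner matches replies on the full 4-tuple and retransmits before calling a port filtered; the source-port check here is the minimum needed to show why an unrelated packet must not be counted.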
Vulnerability Scans: what is a compliance scan?
● Used to identify vulnerabilities that may affect compliance with regulations or policies
● Example: PCI-DSS scan
Vulnerability Scans: what does Nmap do?
▪ A great tool for mapping out the network, finding open ports, identifying running services, and getting the basic version of each service (-sV)
▪ Nmap Scripting Engine (NSE): runs Lua scripts against discovered services and can perform basic vulnerability checks (e.g. the "vuln" script category), so Nmap can double as a light vulnerability scanner
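What "mapping the network, open ports, services and versions" looks like once Nmap has written its results: an added example, not from the original flashcards or the Nmap project, that parses Nmap's XML output (-oX) into an inventory. SAMPLE_XML is a constructed, trimmed-down file in the real nmaprun/host/ports/port/state/service/script layout; the addresses come from the 192.0.2.0/24 documentation range and the product/version strings are illustrative only.

```python
"""Parse Nmap XML output (-oX) into an inventory of hosts, ports and services.

Added example, not from the original flashcards or the Nmap project. SAMPLE_XML
is a constructed, trimmed-down file in Nmap's real -oX layout (nmaprun > host >
ports > port > state/service/script); addresses are from the 192.0.2.0/24
documentation range and the version strings are illustrative only.
"""
import xml.etree.ElementTree as ET   # fine for your own scanner output;
                                     # use defusedxml for XML from untrusted sources
from collections import Counter

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/29" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
        <script id="http-server-header" output="Apache/2.4.6 (CentOS)"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return [{addr, ports: [{port, proto, state, reason, service, product,
    version, scripts}]}] for every host in the run, in document order."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                # NSE results are per-port <script> elements: id -> output
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        hosts.append({"addr": addr_el.get("addr") if addr_el is not None else "?",
                      "ports": ports})
    return hosts


def open_services(hosts):
    """(addr, port, service, 'product version') for every open port: the
    attack-surface inventory a tester starts from."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                banner = " ".join(x for x in (p["product"], p["version"]) if x)
                out.append((h["addr"], p["port"], p["service"], banner))
    return out


def state_counts(hosts):
    """How many ports ended up open/closed/filtered across the whole run."""
    return dict(Counter(p["state"] for h in hosts for p in h["ports"]))


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for addr, port, svc, banner in open_services(inventory):
        print(f"{addr}:{port} {svc} {banner}")
    print(state_counts(inventory))
```

The per-port "reason" attribute is the SYN-scan evidence from the stealth-scan card (syn-ack, reset, no-response), so the inventory keeps the proof for each state alongside the state itself.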
Vulnerability Scans: what does Nessus do, and what information does its scan give you?
Scans the target network and produces a report of the vulnerabilities, missing patches, and misconfigurations that exist on each host, with severity ratings and remediation advice
Vulnerability Scans: what is Nexpose?
A commercial vulnerability scanner made by Rapid7 (the same vendor as Metasploit; now also sold as InsightVM)
Vulnerability Scans: what is QualysGuard?
Another commercially available vulnerability scanner, from Qualys, delivered as a cloud service
Vulnerability Scans: what is OpenVAS?
An open-source vulnerability scanner, maintained by Greenbone; it forked from the last open-source release of Nessus
Vulnerability Scans: what does Nikto do?
An open-source web server scanner that runs comprehensive tests against web servers, looking for outdated server software, misconfigurations, dangerous files and directories, and known vulnerabilities in web servers and web applications
Vulnerability Scans: what should you consider while scanning, and why (6)?
o Time: not all scans take the same amount of time; duration grows with the number of hosts, ports, and checks, so plan the window accordingly
o Protocols: each protocol scanned (TCP, UDP, ICMP, ...) costs time and resources; UDP in particular is slow because closed ports often give no response
o Network Topology: where the scanner sits relative to the targets (firewalls, NAT, segments) determines what it can see; the location of the scan depends on your engagement goals and the type of asset you are scanning
o Bandwidth Limitations: scan traffic competes with production traffic, so a fast scan across a slow WAN link can saturate it
o Query Throttling: reduces the number of queries launched by the scanner at a given time, trading speed for a lighter, less disruptive footprint
o Fragile Systems: determine any fragile or non-traditional systems (ICS/SCADA, medical devices, old printers, embedded gear) that could be crashed by vulnerability scanning activities, and exclude or scan them gently
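Two of the considerations above turned into code: query throttling (a token bucket caps the probe rate and interleaves hosts) and fragile systems (excluded from scope before anything is scheduled). This is an added example, not from the original flashcards or any scanner's source; the target range is the 192.0.2.0/24 documentation block, the fragile address is invented, and no packets are sent. Real tools expose the same knobs (for example Nmap's --max-rate, --scan-delay and --exclude), but the pacing logic here is our own illustration.

```python
"""Throttled, scoped probe scheduler.

Added example, not from the original flashcards or any scanner's source. It
shows query throttling (token-bucket pacing) and fragile-system exclusion.
Targets are from the 192.0.2.0/24 documentation range and nothing is sent.
"""
import ipaddress


def expand_targets(cidr, fragile=()):
    """All usable host addresses in `cidr`, minus anything in the fragile list.
    Addresses are compared as ip_address objects, not strings."""
    fragile_set = {ipaddress.ip_address(a) for a in fragile}
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts() if h not in fragile_set]


def schedule_probes(hosts, ports, max_rate, burst=1):
    """Return [(send_at_seconds, host, port), ...] paced by a token bucket.

    The bucket starts with `burst` tokens and refills at `max_rate` tokens/s;
    each probe costs one token, so the steady state is max_rate probes/s.
    Probes are ordered port-major (one port across every host before the next
    port) so no single host receives a burst back-to-back.
    """
    if max_rate <= 0 or burst < 1:
        raise ValueError("max_rate must be > 0 and burst >= 1")
    tokens = float(burst)
    now = 0.0
    schedule = []
    for port in ports:
        for host in hosts:
            if tokens < 1.0:
                now += (1.0 - tokens) / max_rate   # wait until one token refills
                tokens = 1.0
            tokens -= 1.0
            schedule.append((now, host, port))
    return schedule


def estimated_duration(schedule, per_probe_timeout=1.0):
    """Wall-clock estimate: last send time plus the timeout on the final probe.
    Shows why 'time' varies with target count, port count and rate."""
    if not schedule:
        return 0.0
    return schedule[-1][0] + per_probe_timeout


if __name__ == "__main__":
    # constructed scope: a /29 with one fragile device excluded (assumed address)
    targets = expand_targets("192.0.2.0/29", fragile=["192.0.2.3"])
    plan = schedule_probes(targets, ports=[22, 80, 443], max_rate=2)
    for t, host, port in plan[:4]:
        print(f"t={t:5.2f}s  {host}:{port}")
    print(f"{len(plan)} probes, ~{estimated_duration(plan):.1f}s")
```

Splitting the plan into several smaller runs (the "break into individual scans" card) is just slicing the returned list and executing each slice in its own window; the pacing inside each slice stays the same.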