CEH13 Notes – Module 05: Vulnerability Analysis

Learning Objectives:

  • Summarize Vulnerability Assessment Concepts
  • Use Vulnerability Assessment Tools
  • Analyze Vulnerability Assessment Reports

Vulnerability Assessment Concepts

Any vulnerability present in a system can be hazardous and can cause severe damage to the organization. Ethical hackers therefore need to know the various types of vulnerabilities they may encounter, along with the vulnerability scanning techniques used to find them. This section provides an overview of vulnerability classification, vulnerability scoring systems, vulnerability databases, the vulnerability-management lifecycle, and types of vulnerability scanning.

Vulnerability Classification

Vulnerability Scoring Systems and Databases 

Due to the growing severity of cyber-attacks, vulnerability research has become critical as it helps to mitigate the chance of attacks. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers. Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in information systems. 
Following are some of the vulnerability scoring systems and databases:
▪ Common Vulnerability Scoring System (CVSS) Source: https://www.first.org
▪ Common Vulnerabilities and Exposures (CVE) Source: https://cve.mitre.org 
▪ National Vulnerability Database (NVD)  Source: https://nvd.nist.gov
▪ Common Weakness Enumeration (CWE) Source: https://cwe.mitre.org

Vulnerability-Management Life Cycle 

The vulnerability management life cycle is an important process that helps identify and remediate security weaknesses before they can be exploited. This includes defining the risk posture and policies for an organization, creating a complete asset list of systems, scanning and assessing the environment for vulnerabilities and exposures, and taking action to mitigate the vulnerabilities that are identified. The implementation of a vulnerability management lifecycle helps gain a strategic perspective regarding possible cybersecurity threats and renders insecure computing environments more resilient to attacks. Vulnerability management should be implemented in every organization as it evaluates and controls the risks and vulnerabilities in the system. The management process continuously examines the IT environments for vulnerabilities and risks associated with the system. Organizations should maintain a proper vulnerability management program to ensure overall information security. Vulnerability management provides the best results when it is implemented in a sequence of well-organized phases.
The phases involved in vulnerability management are:
▪ Pre-Assessment Phase
o Identify Assets and Create a Baseline
▪ Vulnerability Assessment Phase
o Vulnerability Scan
o Vulnerability Analysis
▪ Post-Assessment Phase
o Risk Assessment
o Remediation
o Verification
o Monitoring

Vulnerability Research 

Vulnerability research involves utilizing various online resources, tools, and platforms to identify, analyze, and share information about security vulnerabilities. 
An administrator needs vulnerability research:
▪ To gather information about security trends, newly discovered threats, attack surfaces, attack vectors and techniques
▪ To find weaknesses in the OS and applications and alert the network administrator before a network attack
▪ To understand information that helps prevent security problems
▪ To know how to recover from a network attack
▪ To prioritize and apply security patches and updates effectively, mitigating risks before they can be exploited
▪ To adhere to industry best practices for security, ensuring systems are not just compliant, but also secured according to the highest standards
▪ To perform accurate risk assessments, identifying and prioritizing the most critical threats to address
An ethical hacker needs to keep up with the most recently discovered vulnerabilities and exploits to stay one step ahead of attackers through vulnerability research, which includes:
▪ Discovering the system design faults and weaknesses that might allow attackers to compromise a system
▪ Staying updated about new products and technologies and reading news related to current exploits
▪ Checking underground hacking websites (Deep and Dark websites) for newly discovered vulnerabilities and exploits
▪ Checking newly released alerts regarding relevant innovations and product improvements for security systems
▪ Anticipating how a system might be attacked and taking steps to mitigate those risks
▪ Helping organizations develop robust defensive strategies that protect against specific threats
▪ Tailoring security solutions to the unique needs and risk profiles of the organizations
▪ Conducting thorough audits that identify compliance issues and security gaps
Security experts and vulnerability scanners classify vulnerabilities by:
▪ Severity level (low, medium, or high)
▪ Exploit range (local or remote)
Ethical hackers need to conduct intense research with the help of information acquired in the footprinting and scanning phases to find vulnerabilities.
Resources for Vulnerability Research
The following are some of the websites used to perform vulnerability research.
▪ Microsoft Security Response Center (MSRC) Source: https://msrc.microsoft.com
The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services, and it provides information as part of an ongoing effort to help security professionals manage security risks and keep organizational systems protected.
▪ Packet Storm (https://packetstormsecurity.com)
▪ Dark Reading (https://www.darkreading.com)
▪ Trend Micro (https://www.trendmicro.com)
▪ Security Magazine (https://www.securitymagazine.com)
▪ PenTest Magazine (https://pentestmag.com)
▪ SC Magazine (https://www.scmagazine.com)
▪ Exploit Database (https://www.exploit-db.com)
▪ Help Net Security (https://www.helpnetsecurity.com)
▪ HackerStorm (https://www.hackerstorm.co.uk)
▪ Computerworld (https://www.computerworld.com)
▪ D’Crypt (https://www.d-crypt.co

Vulnerability Scanning and Analysis 

Vulnerability scanning involves analyzing protocols, services, and configurations to discover vulnerabilities and design flaws that may expose an operating system and its applications to exploitation, attack, or misuse. Vulnerability analysis is the systematic process of identifying, evaluating, and prioritizing security weaknesses in systems, networks, applications, or protocols. Vulnerabilities are classified based on severity level (low, medium, or high) and exploit range (local or remote). The goal of this analysis is to understand the nature of these vulnerabilities, assess their potential impact, and develop strategies to mitigate or eliminate them. Additionally, vulnerability scanning and analysis assist security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanisms before attackers can exploit them. Typically, vulnerability-scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications to identify vulnerabilities arising from vendor negligence, system or network misconfigurations, or daily operations. Vulnerability-scanning software compares the scanned systems against the Common Vulnerabilities and Exposures (CVE) index and security bulletins provided by software vendors.
There are two approaches to network vulnerability scanning: 
▪ Active scanning: The attacker interacts directly with the target network to find vulnerabilities. Active scanning helps in simulating an attack on the target network to uncover vulnerabilities that can be exploited by the attacker. Example: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.
▪ Passive scanning: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network, monitoring activity to determine its vulnerabilities. This approach provides information about weaknesses but does not provide a path for directly combating attacks.
Example: An attacker guesses the operating system information, applications, and application/service versions by observing the TCP connection setup and teardown.
Attackers scan for vulnerabilities using tools such as Nessus, Qualys, GFI LanGuard, and OpenVAS.

Types of Vulnerability Scanning 

Given below are the different types of vulnerability scanning:

Vulnerability Assessment Tools

Vulnerability assessment solutions are important tools for information security management as they identify all potential security weaknesses before an attacker can exploit them. There are different approaches and solutions available to perform a vulnerability assessment. Selecting an appropriate assessment approach plays a major role in mitigating the threats that an organization faces.
This section outlines the various approaches, solutions, and tools used to perform a vulnerability assessment.
Comparing Approaches to Vulnerability Assessment
There are four types of vulnerability assessment solutions: product-based solutions, service-based solutions, tree-based assessment, and inference-based assessment.
▪ Product-Based Solutions
Product-based solutions are installed in the organization’s internal network. They are installed either on a private or non-routable space or in the Internet-addressable portion of an organization’s network. If they are installed on a private network (behind the firewall), they cannot always detect outside attacks.
▪ Service-Based Solutions
Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network, while others are hosted outside the network. A drawback of this solution is that attackers can perform network vulnerability scans from the Internet/external network.
▪ Tree-Based Assessment
In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. For example, the administrator selects a scanner for servers running Windows, databases, and web services but uses a different scanner for Linux servers. This approach relies on the administrator to provide a starting piece of intelligence, and then to start scanning continuously without incorporating any information found at the time of scanning.
▪ Inference-Based Assessment
In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
Types of Vulnerability Assessment Tools
There are six types of vulnerability assessment tools: host-based vulnerability assessment tools, application-layer vulnerability assessment tools, depth assessment tools, scope assessment tools, active and passive tools, and location and data-examination tools.
▪ Host-Based Vulnerability Assessment Tools
The host-based scanning tools are appropriate for servers that run various applications, such as the Web, critical files, databases, directories, and remote accesses. These host-based scanners can detect high levels of vulnerabilities and provide required information about the fixes (patches). A host-based vulnerability assessment tool identifies the OS running on a particular host computer and tests it for known deficiencies. It also searches for common applications and services.
▪ Depth Assessment Tools
Depth assessment tools are used to discover and identify previously unknown vulnerabilities in a system. Generally, tools such as fuzzers, which provide arbitrary input to a system’s interface, are used to identify vulnerabilities to an unstable depth. Many of these tools use a set of vulnerability signatures to test whether a product is resistant to a known vulnerability or not.
▪ Application-Layer Vulnerability Assessment Tools
Application-layer vulnerability assessment tools are designed to serve the needs of all kinds of operating system types and applications. Various resources pose a variety of security threats and are identified by the tools designed for that purpose. Observing system vulnerabilities through the Internet using an external router, firewall, or webserver is called an external vulnerability assessment. These vulnerabilities could be external DoS/DDoS threats, network data interception, or other issues. The analyst performs a vulnerability assessment and notes vulnerable resources. The network vulnerability information is updated regularly into the tools. Application-layer vulnerability assessment tools are directed towards web servers or databases.
▪ Scope Assessment Tools
Scope assessment tools provide an assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan. These tools generate a standard report based on the information found. Some assessment tools are designed to test a specific application or application type for vulnerability.
▪ Active and Passive Tools
Active scanners perform vulnerability checks on the network functions that consume resources on the network. The main advantage of the active scanner is that the system administrator or IT manager has good control of the timing and the parameters of vulnerability scans. This scanner cannot be used for critical operating systems because it uses system resources that affect the processing of other tasks.
▪ Location and Data Examination Tools
Listed below are some of the location and data examination tools:
o Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and give the report to the same machine after scanning.
o Agent-Based Scanner: Agent-based scanners reside on a single machine but can scan several machines on the same network.
o Proxy Scanner: Proxy scanners are the network-based scanners that can scan networks from any machine on the network.
o Cluster scanner: Cluster scanners are similar to proxy scanners, but they can simultaneously perform two or more scans on different machines in the network.
Network vulnerability scanners help to analyze and identify vulnerabilities in the target network or network resources by using vulnerability assessment and network auditing. These tools also assist in overcoming weaknesses in the network by suggesting various remediation techniques. The following are some of the most effective vulnerability assessment tools: 
▪ Nessus Essentials Source: https://www.tenable.com
Nessus Essentials is an assessment solution for identifying vulnerabilities, configuration issues, and malware, which can be used to penetrate networks. It also helps ethical hackers perform vulnerability, configuration, and compliance assessment. It supports various technologies such as OSes, network devices, hypervisors, databases, tablets/phones, web servers, and critical infrastructure.
Features:
o High-speed asset discovery
o Vulnerability assessment
o Malware and botnet detection
o Scanning and auditing virtualized and cloud platforms
▪ GFI LanGuard Source: https://www.gfi.com
GFI LanGuard scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices. This is done with minimal administrative effort. It scans the operating systems, virtual environments, and installed applications through vulnerability check databases. It enables analysis of the state of network security, identifies risks, and offers solutions before the system can be compromised.
Features:
o Patch management for operating systems and third-party applications
o Vulnerability assessment
o A Web reporting console
o Track latest vulnerabilities and missing updates
o Integration with security applications
o Network device vulnerability checks
o Network and software auditing
o Support for virtual environments
▪ OpenVAS Source: https://www.openvas.org
OpenVAS is a framework of several services and tools that offer a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Networks’ commercial vulnerability management solution, developments from which have been contributed to the open-source community since 2009. The actual security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.
Features:
o SSL support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
o Full HTTP proxy support
o Checks for outdated server components
o Saves reports in plain text, XML, HTML, NBE or CSV
o A template engine to easily customize reports
o Scans multiple ports on a server, or multiple servers via input file
o LibWhisker’s IDS encoding techniques
o Identifies installed software via headers, favicons, and files
o Host authentication with Basic and NTLM
o Subdomain guessing
o Apache and cgiwrap username enumeration
o Scan tuning to include or exclude entire classes of vulnerability checks
o Guesses credentials for authorization realms (including many default ID and password combinations)
▪ Qualys Vulnerability Management Source: https://www.qualys.com
Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches.
Features:
o Agent-based detection
Also works with the Qualys Cloud Agents, extending its network coverage to unscannable assets.
o Constant monitoring and alerts
When VM is paired with Continuous Monitoring (CM), InfoSec teams are proactively alerted about potential threats, so problems can be tackled before they turn into breaches.
o Comprehensive coverage and visibility
Continuously scans and identifies vulnerabilities for protecting IT assets on-premises, in the cloud, and at mobile endpoints. Its executive dashboard displays an overview of the security posture and gives access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
o VM for the perimeter-less world
As enterprises adopt cloud computing, mobility, and other disruptive technologies for digital transformation, Qualys VM offers next-generation vulnerability management for these hybrid IT environments whose traditional boundaries have been blurred.
o Discover forgotten devices and organize the host assets
Qualys can help quickly determine what is running in different parts of the network—from the perimeter and corporate network to virtualized machines and cloud services. It can also identify unexpected access points, web servers, and other devices that can expose the network to attack.
o Scan for vulnerabilities everywhere, accurately and efficiently
Scan systems anywhere from the same console, including the perimeter, the internal network, and cloud environments.
o Identify and prioritize risks
Qualys, using trend analysis, Zero-Day, and Patch impact predictions, can identify the highest business risks.
o Remediate vulnerabilities
Qualys’s ability to track vulnerability data across hosts and time produces interactive reports that provide a better understanding of the security of the network.
Listed below are some of the additional vulnerability assessment tools:
▪ InsightVM (https://www.rapid7.com)
▪ Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
▪ Nexpose (https://www.rapid7.com)
▪ Sniper (https://sn1persecurity.com)
▪ Tripwire IP360 (https://www.tripwire.com)
▪ SAINT Security Suite (https://www.carson-saint.com)
▪ BeSECURE (https://www.beyondsecurity.com)
▪ Core Impact Pro (https://www.coresecurity.com)
▪ Intruder (https://www.intruder.io)
▪ ManageEngine Vulnerability Manager Plus (https://www.manageengine.com)
▪ Astra Pentest (https://www.getastra.com)
▪ Skybox (https://www.skyboxsecurity.com)
▪ MaxPatrol TM (https://www.ptsecurity.com)

AI-Powered Vulnerability Assessment Tools

Traditional vulnerability scanning tools often struggle to keep up with rapidly evolving cyber threats because they rely on predefined rules and signatures, which makes their processes inefficient and error-prone. By contrast, AI-powered vulnerability assessments revolutionize security risk management by leveraging advanced technologies to automate and enhance vulnerability detection and remediation processes. AI-driven scanners can adapt to new threats, reduce false positives, provide more accurate and actionable insights, empower ethical hackers and security teams to address vulnerabilities proactively, and strengthen an organization's overall cybersecurity posture. Unlike signature-based tools, AI-powered vulnerability scanners can continuously learn from new data, including emerging threats and attack-technique patterns, which allows them to adapt and improve their detection capabilities over time. By leveraging machine-learning algorithms, these scanners can identify patterns, anomalies, and potential vulnerabilities more effectively than traditional tools. Furthermore, AI-powered scanners can adapt to the specific needs and requirements of an organization by tailoring their scanning strategies and detection methods to its unique environment. This flexibility allows for more accurate and targeted vulnerability assessments, thereby reducing the number of false positives and negatives.

AI-Powered Vulnerability Assessment Tool: Equixly Source: https://equixly.com
Equixly is an advanced AI-powered tool designed specifically for vulnerability assessment with a focus on securing APIs. It uses AI and ML to identify and eliminate blind spots, thereby ensuring robust protection against potential threats.
Key Features of Equixly for vulnerability management are as follows:
▪ AI-Driven Vulnerability Detection
Equixly uses machine-learning algorithms to scan and identify vulnerabilities within APIs, ensuring that no potential threats are overlooked.
▪ Automated Threat Analysis
This tool automates the process of analyzing threat data, enabling quicker identification and response to emerging security risks.
▪ Real-Time Security Monitoring
It provides continuous monitoring of API environments, and offers real-time updates and alerts regarding potential vulnerabilities.
▪ Adaptive Learning
Machine-learning models continuously learn from new data, improving the accuracy and efficiency of vulnerability detection over time.
AI-Powered Automated Vulnerability Scanner: SmartScanner Source: https://www.thesmartscanner.com
SmartScanner is an AI-powered automated vulnerability scanner designed to enhance website security. Advanced ML algorithms are used to monitor websites continuously for potential vulnerabilities and threats.
The key features of SmartScanner include: ▪ Supervised and Unsupervised ML: SmartScanner analyzes vast amounts of data using both supervised and unsupervised ML algorithms. This allows it to learn the patterns of benign and malicious activities, allowing it to distinguish between them.
▪ Baseline Establishment: AI models in SmartScanner establish baselines of normal behavior for each website it monitors. These baselines are then used to identify deviations that may indicate potential threats.
▪ Anomaly Detection: SmartScanner employs anomaly detection algorithms to flag activities that deviate from established baselines. This helps to identify and alert suspicious behaviors in real time.
▪ Real-time Analytics and Response: The AI-driven systems in SmartScanner provide real-time analytics of the websites it monitors. It can automatically respond by quickly mitigating the identified threats, thereby reducing the risk of successful attacks.
Additional AI-powered Vulnerability Assessment Tools
▪ CodeDefender Source: https://codedefender.ro
CodeDefender is an AI-powered vulnerability assessment tool that helps organizations automatically detect, prioritize, and fix security vulnerabilities in their code bases. It integrates existing security tools to provide a comprehensive vulnerability-management solution.
▪ Corgea Source: https://corgea.com
Corgea is an AI-powered platform that automatically generates and deploys security fixes for vulnerabilities detected in software code. It leverages machine-learning models to analyze vulnerability data and write secure code patches, thereby reducing the manual effort required by security teams.
▪ Fluxguard Source: https://fluxguard.com
Fluxguard employs AI algorithms to automatically scan and detect vulnerabilities across diverse IT infrastructures, including networks, applications, and systems. It utilizes ML to conduct a behavioral analysis of network traffic and system interactions and identifies anomalous behaviors that could indicate potential vulnerabilities or attacks.
▪ DryRun Security Source: https://www.dryrun.security
DryRun Security is a vulnerability assessment and penetration-testing platform that uses AI and automation to identify and validate security weaknesses in web applications and infrastructure.
▪ Pentest Copilot Source: https://copilot.bugbase.ai The Pentest Copilot is an AI-powered penetration-testing assistant that helps security teams conduct more efficient and effective vulnerability assessments. It automates various penetration-testing tasks, from reconnaissance to exploitation, and provides actionable insights for prioritizing and remediating identified vulnerabilities.
▪ Beagle Security Source: https://beaglesecurity.com
Beagle Security is a comprehensive web application security testing platform that combines automated scanning and manual penetration testing. It uses AI and ML to detect a wide range of vulnerabilities, including the top 10 OWASP risks, and provides detailed reports to help organizations improve their application security.
▪ Hackules Source: https://hackules.com
Hackules is an AI-powered vulnerability assessment and penetration-testing platform that helps organizations identify and mitigate security weaknesses in their web applications and infrastructures. It uses advanced techniques such as NLP and ML to provide accurate and actionable security insights.
▪ Coderbuds Source: https://coderbuds.com
CoderBuds is an AI-driven code security platform that helps developers and security teams detect, prioritize, and fix vulnerabilities in their codebases. Its AI algorithm integrates seamlessly with mainstream development tools, and CoderBuds conducts automated vulnerability scans, performs comprehensive risk assessments, and offers tailored remediation recommendations.

Vulnerability Assessment using AI 

Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly perform vulnerability scanning to identify the potential vulnerabilities on target. An attacker can use ChatGPT to perform this task by using an appropriate prompt such as:
Example #1: “Launch nikto to execute a scan against the URL www.certifiedhacker.com to identify potential vulnerabilities.”
The command scans the URL www.certifiedhacker.com for potential vulnerabilities using the Nikto web server scanner.
nikto -h www.certifiedhacker.com
▪ `nikto`: This command invokes Nikto, a web server scanner that performs comprehensive tests against web servers for potential vulnerabilities.
▪ `-h www.certifiedhacker.com`: This option specifies the target URL (www.certifiedhacker.com) to scan for vulnerabilities. Nikto will perform various checks and tests against the specified URL to identify potential security issues and vulnerabilities.
Example #2: “Perform vulnerability scan on target url http://testphp.vulnweb.com with nikto and save the results in output.txt.”
nikto -h http://testphp.vulnweb.com -o output.txt
▪ `nikto`: This command invokes Nikto.
▪ `-h http://testphp.vulnweb.com`: This option specifies the target URL (http://testphp.vulnweb.com) to scan for vulnerabilities.
▪ `-o output.txt`: This option specifies the file where the scan results will be saved. In this case, the results will be saved in a file named "output.txt".

Vulnerability Scan using Nmap with AI 

Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly perform vulnerability scanning using Nmap to identify the potential vulnerabilities on target. For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Perform a vulnerability scan on target url www.moviescope.com with nmap and save the results in output.txt”
nmap -sV --script=vuln www.moviescope.com -oN output.txt
▪ `nmap`: This command invokes Nmap.
▪ `-sV`: This option probes the open ports to determine service and version information, which the vulnerability scripts use to decide which checks apply.
▪ `--script=vuln`: This option selects the NSE scripts to run. vuln is a script category, so every script in the vuln category is executed against the target.
▪ `www.moviescope.com`: This is the target host on which the vulnerability scan will be performed.
▪ `-oN output.txt`: This option specifies the file where the scan results will be saved in Nmap's normal (human-readable) output format. In this case, the results will be saved in a file named "output.txt".
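To turn the output of such a scan into something a defender can triage rather than read by eye, the following added example (not part of these notes, and not an Nmap or EC-Council tool) parses Nmap's XML output. It assumes the scan was saved with -oX instead of -oN, because the XML format is stable and machine-readable where the normal text format is not. SAMPLE_XML is constructed for this example and follows the layout of real nmaprun output (host, ports, port, service and script elements); the script output text follows the State:/IDs:/Risk factor: layout produced by Nmap's vulns NSE library. The host, service names, script ids and the CVE id CVE-0000-0001 are placeholders, not real findings.

```python
"""Parse Nmap XML from `nmap -sV --script=vuln -oX scan.xml <target>` into triage rows (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed nmaprun document shaped like real -oX output.
# Host, services, script ids and the CVE id are placeholders, not real findings.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=vuln -oX scan.xml 192.0.2.10" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Example httpd" version="1.2.3" method="probed" conf="10"/>
<script id="http-example-traversal" output="&#xa;  VULNERABLE:&#xa;  Example httpd path traversal&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-0000-0001&#xa;    Risk factor: High&#xa;    Disclosure date: 2024-01-01"/>
</port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="https" product="Example httpd" version="1.2.3" method="probed" conf="10"/>
<script id="ssl-example-check" output="&#xa;  NOT VULNERABLE:&#xa;  Example TLS weakness&#xa;    State: NOT VULNERABLE"/>
</port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.6" method="probed" conf="10"/>
</port>
</ports></host></nmaprun>
"""

# The vulns library prints "State: <state>"; states other than NOT VULNERABLE are findings.
STATE_RE = re.compile(r"State:\s*(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE(?: \([^)]*\))?)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
RISK_RE = re.compile(r"Risk factor:\s*(\w+)")

def _service_label(port):
    """'http Example httpd 1.2.3' from the <service> element, or 'unknown' if -sV found nothing."""
    svc = port.find("service")
    if svc is None:
        return "unknown"
    return " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)

def _scripts_to_findings(scripts, where, ip, hostname):
    rows = []
    for script in scripts:
        output = script.get("output", "")
        state = STATE_RE.search(output)
        # Scripts that found nothing normally print no State: line at all; NOT VULNERABLE
        # results only appear when the vulns.showall script argument is set. Skip both.
        if state is None or state.group(1).startswith("NOT"):
            continue
        risk = RISK_RE.search(output)
        rows.append({
            "host": ip, "hostname": hostname, "where": where,
            "script": script.get("id"), "state": state.group(1),
            "risk": risk.group(1) if risk else "Unknown",
            "cves": sorted(set(CVE_RE.findall(output))),
        })
    return rows

def parse_vuln_scan(xml_text):
    """Return one row per (host, port, script) that reported a vulnerable state."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address")
        ip = addr.get("addr") if addr is not None else "?"
        name = host.find("hostnames/hostname")
        hostname = name.get("name") if name is not None else ""
        for port in host.iter("port"):
            where = f"{port.get('portid')}/{port.get('protocol')} {_service_label(port)}"
            findings.extend(_scripts_to_findings(port.findall("script"), where, ip, hostname))
        # Host-level scripts (no port) live under <hostscript>; treat them the same way.
        findings.extend(_scripts_to_findings(host.findall("hostscript/script"), "host", ip, hostname))
    return findings

def format_rows(rows):
    """One line per finding, ready for a ticket or the assessment report."""
    return [f"{r['host']} ({r['hostname']}) {r['where']}: {r['script']} -> {r['state']} "
            f"[{r['risk']}] {', '.join(r['cves']) or 'no CVE id'}" for r in rows]

if __name__ == "__main__":
    for line in format_rows(parse_vuln_scan(SAMPLE_XML)):
        print(line)
```

Because the parser only keys on the State: line and on CVE identifiers in the script text, it tolerates differences between individual vuln scripts; anything that ran but printed no State: line (the common case for a clean host) is silently dropped, which is what you want when feeding hundreds of hosts into a tracker.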

Vulnerability Assessment using Python Script with AI 

Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly create and run custom vulnerability scanning scripts and identify potential vulnerabilities on targets. By developing such custom scripts, attackers can efficiently execute a series of vulnerability scanning and associated commands to identify potential vulnerabilities on targets. Using this script, an attacker can run fast, but comprehensive, Nmap scans followed by vulnerability scanning using Nikto against multiple IP addresses. For example, An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Create a python script to run a fast but comprehensive Nmap scan on the IP addresses in scan1.txt and then execute vulnerability scanning using nikto against each IP address in scan1.txt”
The following Python script automates network scanning and vulnerability assessment tasks on the IP addresses listed in the scan1.txt file:
import subprocess

# Read the list of IP addresses from scan1.txt (one address per line; blank lines are ignored)
with open('scan1.txt', 'r') as file:
    ip_addresses = [line.strip() for line in file if line.strip()]

for ip in ip_addresses:
    # Run Nmap scan on each IP address: -T4 timing template, -A aggressive scan, -v verbose output
    subprocess.run(['nmap', '-T4', '-A', '-v', ip])
    # Run Nikto vulnerability scan on the same IP address once the Nmap scan has finished
    subprocess.run(['nikto', '-h', ip])
▪ The script first reads the list of IP addresses from the scan1.txt file.
▪ It then iterates through each IP address and executes an Nmap scan with the specified options (in this case, -T4 for the timing template, -A for an aggressive scan, and -v for verbose output) using the subprocess.run() function.
▪ After completing the Nmap scan, it proceeds to execute a Nikto vulnerability scan on the same IP address using the subprocess.run() function again.
▪ The results of both scans will be displayed in the console output.

Vulnerability Scan using Skipfish with AI 

Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly perform vulnerability scanning using Skipfish to identify potential vulnerabilities on a target.
For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Perform a vulnerability scan on target url http://testphp.vulnweb.com with Skipfish and display the output file index.html in Firefox.”
The following command automates vulnerability scanning on the target URL using Skipfish and displays the output file in Firefox:
skipfish -o /tmp/skipfish_output http://testphp.vulnweb.com && firefox /tmp/skipfish_output/index.html
▪ The script executes the skipfish command to perform a vulnerability scan on the target URL http://testphp.vulnweb.com.
▪ The -o /tmp/skipfish_output option specifies the output directory for storing the scan results.
▪ After completing the vulnerability scan, the script opens the output file index.html in Firefox using the firefox command.
This prompt automates vulnerability scanning on the target URL http://testphp.vulnweb.com using Skipfish and displays the output file in Firefox for further analysis.

Vulnerability Assessment Reports


In the vulnerability assessment process, once all the phases are completed, the security team will review the results and process the information to prepare the final report. In this phase, the security team will try to disclose any identified vulnerabilities, document any variations and findings, and include all these in the final report along with remediation steps to mitigate the identified risks.
A vulnerability assessment report is a comprehensive document that details the findings of a vulnerability assessment. This report includes information about identified security weaknesses, their potential impact, severity, and recommendations for remediation. The purpose of the report is to provide stakeholders with a clear understanding of the security posture of the assessed systems, applications, or networks and to guide them in taking corrective actions to mitigate risks. The report provides details of all the possible vulnerabilities with regard to the company’s security policies. The vulnerabilities are categorized based on severity into three levels: High, Medium, and Low risk. High-risk vulnerabilities are those that might allow unauthorized access to the network. These vulnerabilities must be rectified immediately before the network is compromised. The report describes different kinds of attacks that are possible given the organization’s set of operating systems, network components, and protocols. The vulnerability assessment report must include, but is not limited to, the following points:
▪ The vulnerability's name and its mapped CVE ID
▪ The date of discovery
▪ The score based on Common Vulnerabilities and Exposures (CVE) databases
▪ A detailed description of the vulnerability
▪ The impact of the vulnerability
▪ Details regarding the affected systems
▪ Details regarding the process needed to correct the vulnerability, including information on patches, configuration fixes, and ports to be blocked.
▪ A proof of concept (PoC) of the vulnerability for the system (if possible) 
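As an added example (not part of the module's material), the following Python sketch models the report checklist above: it checks that each finding carries the required fields, maps a CVSS base score to the High/Medium/Low levels (the thresholds are an assumption), and orders the findings for the report. The field names, sample findings and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Required report fields per the checklist; the field names are this example's own
REQUIRED = ("name", "cve_id", "discovered", "score", "description",
            "impact", "affected_systems", "remediation")

@dataclass
class Finding:
    name: str
    cve_id: str
    discovered: date
    score: float                # CVSS base score, 0.0 to 10.0
    description: str
    impact: str
    affected_systems: list
    remediation: str
    poc: str = ""               # proof of concept, optional

def severity(score):
    """Map a CVSS base score to High/Medium/Low; thresholds are assumed here."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def validate(finding):
    """Return the names of required fields that are missing or empty."""
    return [f for f in REQUIRED if getattr(finding, f, None) in (None, "", [])]

def build_report(findings):
    """Reject incomplete findings, then order them highest score first."""
    for f in findings:
        missing = validate(f)
        if missing:
            raise ValueError(f"{f.name}: missing {missing}")
    ranked = sorted(findings, key=lambda f: f.score, reverse=True)
    return [{"severity": severity(f.score), "cve_id": f.cve_id, "name": f.name,
             "systems": f.affected_systems, "remediation": f.remediation}
            for f in ranked]

# Constructed sample findings; the CVE ids are placeholders, not real entries
SAMPLE = [
    Finding("Outdated web server", "CVE-0000-0001", date(2024, 1, 10), 5.3,
            "Banner shows an end-of-life version", "Information disclosure",
            ["10.0.0.5"], "Upgrade to a supported release"),
    Finding("Remote code execution in app", "CVE-0000-0002", date(2024, 1, 11), 9.8,
            "Unauthenticated RCE via crafted request", "Full host compromise",
            ["10.0.0.7"], "Apply vendor patch; block port 8080 at the perimeter"),
]
```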

References

In this module, we have discussed:

▪ Various types of vulnerabilities, the CVSS vulnerability scoring system, and databases

▪ The vulnerability-management life cycle and vulnerability research

▪ Vulnerability scanning, vulnerability analysis, and various types of vulnerability scanning techniques

▪ Various vulnerability assessment solutions, along with their characteristics

▪ Various tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool

▪ We concluded with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning the network

• In the next module, we will discuss the methods attackers, as well as ethical hackers and pen testers, utilize to hack a system based on the information collected about a target of evaluation; for example, footprinting, scanning, enumeration, and vulnerability analysis phases

Copyright notice:
Author: cc
Link: https://www.techfm.club/p/212222.html
Source: TechFM
The article's copyright belongs to the author; do not reproduce without permission.
