Vulnerability Assessment
Last updated
Was this helpful?
Last updated
Was this helpful?
⚡ Prerequisites
Basic networks concepts and Cybersecurity
📕 Learning Objectives
Describe and recognize vulnerabilities, exposures reports and national vulnerability database submissions
Describe vulnerability management and perform research
Perform network auditing
🔬 Training list - PentesterAcademy/INE Labs
subscription required
🗒️ A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. When exploited, it results in a negative impact to confidentiality, integrity or availability.
Physical layer - e.g. people, physical controls, vaults, door locks, gates, fences, cameras, badge readers, etc. There can be vulnerabilities in those as well, exploited through social engineering techniques or hardware exploitation. for physical access.
Vulnerabilities on a computer comes from the operating system, systems and installed services, found by DevSec engineers, Security researchers, Pentesters, Software developers, Users.
- a United States government repository of standards based vulnerability management data represented using the SCAP (Security Content Automation Protocol), maintained by .
All vulnerabilities in the NVD have been assigned a CVE identifier.
🗒️ The program is a public glossary of vulnerabilities identified for specific code bases, software applications or open libraries, maintained by MITRE corporation. A unique CVE ID is primarily assigned by MITRE or by CNAs (CVE Numbering Authorities), allowing stakeholders, vendors and researchers to commonly identify unique or new exploits and vulnerabilities.
E.g. - high impact, critical vulnerabilities:
Description
Severity
References (Advisories, Solutions, Tools)
Weakness Enumeration
Known Affected Software Configurations
Scope, impact and usefulness will come down to business needs, along with the risk management and cybersecurity recommendations.
Risk Management includes vulnerability management. By doing a VA (Vulnerability Assessment), the pentester is going to define, identify, classify and prioritize security deficiencies in computer systems, applications, and network infrastructures. Some procedures to find vulnerabilities are:
Scanning
Asset Identification and Research
Fuzz Testing (input/handling validation)
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
❗ always check the exploit behavior before using it
search for heartbleed
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
The EternalBlue exploit developed by the NSA was leaked to public in 2017 (by Shadow Brokers hacker group).
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka Remote Desktop Services Remote Code Execution Vulnerability.
The vulnerability was made public by Microsoft in May 2019 and affected Windows XP, Windows Vista, Windows 7, Windows Server 2008 & R2.
It allows access to a chunk of kernel memory, allowing the attacker to remotely execute arbitary code at the system level without authentication.
BlueKeep PoC's (Proof of Concepts) and exploits could be malicious in nature.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Target IP:
10.2.28.13Fingerprint the application and exploit the found vulnerability
Research the vulnerability of BadBlue httpd 2.7 using various tools:
Google it
Stack-based buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string.
searchsploit- a command line search tool for Exploit-DB. A copy of Exploit Database can be used offline.
This module exploits a stack buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier.
🗒️ The is the method used to supply a qualitative measure of severity, consisting of three metric groups: Base, Temporal and Environmental.
are vulnerabilities exploits not yet found, used or reported by anyone, or discovered by attackers before the vendor's security team has become aware of it. e.g.:
🗒️ is a network vulnerability scanning tool. It can be hosted locally and used for Vulnerability Assessment.
Show accepted ciphersuites and compressors with script.
Detect OpenSSL Heartbleed bug vulnerable servers with script, or with Metasploit enumerate module.
is useful too
Widely used in the .
Specific script
🔬 Check the
🔬 Check the
- a NSE script for Apache Log4j RCE vulnerability discovery
🔬
Search for exploits from or using a command line tool such as searchsploit
Use Metasploit to exploit the target using the
❗ Before running an exploit, ALWAYS check its to understand what it is doing❗
Use commands to find the flag
