
Overview of vulnerability scanning: Open Port / Service Identification, Banner / Version Check, Traffic Probe, Vulnerability Probe, Vulnerability Examples, OpenVAS, Metasploit. Network Vulnerability Scanning: Netcat, Socat; understanding port and service tools: Datapipe, Fpipe, WinRelay; Network Reconnaissance: Nmap, THC-Amap and system tools. Network Sniffers and Injection tools: Tcpdump and Windump, Wireshark, Ettercap, Hping, Kismet.

Vulnerability Scanning – what is it? Vulnerability Scanning is the art of using one computer to look for weaknesses in the security of another computer, so that you can find and fix the weaknesses in your systems before someone else finds that there is a security weakness and decides to break in. It's a bit like a shopkeeper making sure all the doors and windows are closed and locked, the money is in the safe and the alarm is set, before closing up for the evening.
PROS
1. It allows early detection and handling of known security problems.
2. It can reveal a new device, or even a new system, that has been connected to the network without authorisation.
3. A vulnerability scanner helps to verify the inventory of all devices on the network.
CONS
1. Snapshot only: a scan reflects the network only at the moment it was run.
2. Human judgement is needed to interpret the results.

THE ARCHITECTURE OF VULNERABILITY SCANNERS
In general, a vulnerability scanner is made up of four main modules, namely, a Scan Engine, a Scan Database, a Report Module and a User Interface.

1. The Scan Engine executes security checks according to its installed plug-ins, identifying system
information and vulnerabilities. It can scan more than one host at a time and compares the results
against known vulnerabilities.

2. The Scan Database stores vulnerability information, scan results, and other data used by the scanner. The number of available plug-ins, and the updating frequency of plug-ins, will vary depending on the corresponding vendor. Each plug-in might contain not only the test case itself, but also a vulnerability description, a Common Vulnerabilities and Exposures (CVE) identifier, and even fix instructions for a detected vulnerability. Scanners with an "auto-update" feature can download and install the latest set of plug-ins to the database automatically.

3. The Report Module provides different levels of reports on the scan results, such as detailed technical reports with suggested remedies for system administrators, summary reports for security managers, and high-level graph and trend reports for executives.

4. The User Interface allows the administrator to operate the scanner. It may be either a Graphical User Interface (GUI), or just a command line interface.
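The four modules above, as an added illustration in Python (this is example code written for these notes, not the code of OpenVAS or any other scanner): a Scan Engine that runs plug-in functions over discovered services, an in-memory Scan Database holding both plug-in data and results, a Report Module with the three report levels described, and a command-line entry point standing in for the User Interface. Hosts, banners and the vulnerability records (VULN-0001, VULN-0002) are constructed for the example; a real plug-in feed would carry CVE identifiers instead.

```python
import re
from dataclasses import dataclass, field

# ---- Scan Database: plug-in data plus scan results ----
@dataclass
class VulnRecord:
    vuln_id: str      # constructed id; a real plug-in would carry a CVE here
    product: str      # product name as it appears in a banner
    fixed_in: tuple   # first version that is NOT affected (constructed)
    description: str
    fix: str
    severity: str     # "high" / "medium" / "low"

@dataclass
class Finding:
    host: str
    port: int
    vuln_id: str
    severity: str
    detail: str
    fix: str

@dataclass
class ScanDatabase:
    vulns: list = field(default_factory=list)    # the part an "auto-update" refreshes
    results: list = field(default_factory=list)

# ---- Plug-ins: each is a function (host, port, banner, db) -> [Finding] ----
def parse_version(banner):
    """'ExampleFTP 2.1.3' -> (2, 1, 3); None when no dotted version is present."""
    m = re.search(r"(\d+(?:\.\d+)+)", banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def version_plugin(host, port, banner, db):
    """Banner/version check: product named in the banner, version below the fix."""
    ver = parse_version(banner)
    return [Finding(host, port, r.vuln_id, r.severity, f"{banner!r}: {r.description}", r.fix)
            for r in db.vulns if r.product in banner and ver is not None and ver < r.fixed_in]

def cleartext_plugin(host, port, banner, db):
    """Check that needs no banner: well-known cleartext protocols by port."""
    name = {21: "ftp", 23: "telnet"}.get(port)
    if name is None:
        return []
    return [Finding(host, port, "CLEARTEXT-" + name.upper(), "medium",
                    f"{name} carries credentials in cleartext", "replace with an encrypted equivalent")]

# ---- Scan Engine: runs every plug-in against every discovered service ----
class ScanEngine:
    def __init__(self, db, plugins):
        self.db, self.plugins = db, plugins
    def scan(self, hosts):            # hosts: {host: {port: banner}}
        for host, services in hosts.items():
            for port, banner in services.items():
                for plugin in self.plugins:
                    self.db.results.extend(plugin(host, port, banner, self.db))
        return self.db.results

# ---- Report Module: three levels of detail for three audiences ----
class ReportModule:
    def __init__(self, db):
        self.db = db
    def technical(self):              # administrators: every finding plus remedy
        return [f"{f.host}:{f.port} [{f.severity}] {f.vuln_id} {f.detail}; fix: {f.fix}"
                for f in self.db.results]
    def summary(self):                # security managers: counts per severity
        counts = {}
        for f in self.db.results:
            counts[f.severity] = counts.get(f.severity, 0) + 1
        return counts
    def executive(self, hosts_scanned):   # executives: one line
        s = self.summary()
        return f"{hosts_scanned} hosts scanned, {sum(s.values())} findings ({s.get('high', 0)} high)"

# ---- Constructed sample data: a plug-in feed and "discovered" services ----
SAMPLE_VULNS = [
    VulnRecord("VULN-0001", "ExampleFTP", (2, 2, 0), "directory traversal before 2.2.0",
               "upgrade to 2.2.0", "high"),
    VulnRecord("VULN-0002", "ExampleHTTPd", (1, 5, 0), "information disclosure before 1.5.0",
               "upgrade to 1.5.0", "low"),
]
SAMPLE_HOSTS = {
    "10.0.0.5": {21: "ExampleFTP 2.1.3", 80: "ExampleHTTPd 1.6.2"},
    "10.0.0.6": {23: "login:", 80: "ExampleHTTPd 1.4.0"},
}

def run_scan(vulns=SAMPLE_VULNS, hosts=SAMPLE_HOSTS):
    db = ScanDatabase(vulns=list(vulns))
    ScanEngine(db, [version_plugin, cleartext_plugin]).scan(hosts)
    return ReportModule(db)

if __name__ == "__main__":            # command-line stand-in for the User Interface
    report = run_scan()
    print("\n".join(report.technical()))
    print(report.summary(), report.executive(len(SAMPLE_HOSTS)))
```

Two design points carry over to real scanners: plug-ins are kept separate from the engine so that updating the plug-in feed (the "auto-update") never requires changing the engine, and version comparison is done on parsed tuples rather than on strings, so that 2.10 correctly sorts after 2.9.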

TYPES OF VULNERABILITY SCANNER
Vulnerability scanners can be divided broadly into two groups: network-based scanners that run over the network, and host-based scanners that run on the target host itself.

A number of open-source, freeware or commercial vulnerability scanners are available for download or trial. The following are examples:
1. Network-based scanners
a. Port scanners
b. Network vulnerability scanners
c. Web server scanners
d. Web application vulnerability scanners
2. Host-based scanners
a. Host vulnerability scanners
b. Database scanners

OPEN PORT SERVICE IDENTIFICATION
When used in construction or engineering, the term "firewall" means what it seems to mean: a wall capable of withstanding fire. It evokes something impenetrable, like a sheet of steel or a brick wall. However, in computer networking the term "firewall" means something porous. Like the strainer a chef pours his soup stock through, a firewall stops all the bones (bad stuff), but lets all the broth (good stuff) through, at least in theory.

But how does a firewall know what's bad, and what's good? How can it tell whether a data packet contains an attack, or information you've
been eagerly awaiting? It can't. The firewall just follows a set of rules, often referred to as policy, that you define. You're the one who
categorizes types of network traffic as "good" or "bad."

Reading that, you might moan, "Argh! This box was supposed to solve my security problems! Now it's waiting for me to tell it what to do!
What do I do?" Nowadays, next generation firewalls (NGFW) allow you to make policies using many attributes, including ports and services,
users and groups, and even by defining granular access policies to specific network applications (using something referred to as application
control). However, the primary mechanism firewalls used to rely on for allowing or denying network traffic is ports and services. So, a good
first step in managing your firewall is to get a quick and dirty understanding of how ports work, and what a given port is used for. This
knowledge provides you a starting point for figuring out what Internet traffic to permit through the firewall, and what to deny.

Now that I know about ports, what should I do?

1. Look at your Firebox log entries, learn which fields indicate ports, and monitor your network traffic to see what hits your
system daily from the outside Internet. Compare anything unusual with a list of abused ports.
2. Learn how to manually allow and deny services and ports on your Firewall, and get used to adjusting them frequently.
3. Establish a regular time (at least twice a month) when you scan your network to find all open ports. Close anything you
can. If in doubt, block the port. The worst that can happen is an angry co-worker saying, "I can't listen to Internet radio!"
Fifty such complaints are more desirable than one successful virus or Trojan horse.
4. Once you get familiar with allowing and denying outside-in access to network ports, consider also egress filtering, which means controlling inside-out access from your network as well. Egress filtering further protects you from client-based network attacks.
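Steps 1 and 4 above in code, as an added example that is not part of the notes: it reads firewall log lines, counts inbound hits per destination port, flags inbound traffic on a watch list of commonly abused ports, and lists outbound connections that fall outside an egress policy. The log format, the watch list, the egress policy and the log lines are all constructed for the example (Firebox and other firewalls each have their own field layout, so the regular expression would need adjusting for a real log).

```python
import re
from collections import Counter

# Constructed log format (not a Firebox format):
#   <time> <allow|deny> dir=<in|out> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>allow|deny) dir=(?P<dir>in|out) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Constructed watch list of commonly abused ports; an organisation keeps its own.
WATCHLIST = {23: "telnet", 135: "msrpc", 445: "smb", 1433: "mssql", 3389: "rdp", 5900: "vnc"}

# Constructed egress policy: the only outbound destination ports expected from inside hosts.
ALLOWED_EGRESS = {53, 80, 443}

# Constructed log lines (documentation address ranges).
SAMPLE_LOG = """\
2024-01-10T08:00:01 deny dir=in src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=445
2024-01-10T08:00:02 deny dir=in src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=3389
2024-01-10T08:00:03 allow dir=in src=203.0.113.9 dst=198.51.100.2 proto=tcp dport=443
2024-01-10T08:00:04 allow dir=in src=203.0.113.10 dst=198.51.100.2 proto=tcp dport=23
2024-01-10T08:00:05 allow dir=out src=10.0.0.5 dst=203.0.113.50 proto=tcp dport=443
2024-01-10T08:00:06 allow dir=out src=10.0.0.8 dst=203.0.113.51 proto=tcp dport=6667
this line is malformed and must not crash the parser
"""

def parse(text):
    """Return (events, skipped): one dict per well-formed line; malformed lines are counted."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events, skipped

def inbound_port_counts(events):
    """How often each destination port was hit from outside: the daily picture."""
    return Counter(e["dport"] for e in events if e["dir"] == "in")

def flag_watchlist(events, watchlist=WATCHLIST):
    """Inbound hits on watch-listed ports; an 'allow' here is the one to act on first."""
    return [(e["src"], e["dport"], watchlist[e["dport"]], e["action"])
            for e in events if e["dir"] == "in" and e["dport"] in watchlist]

def egress_exceptions(events, allowed=ALLOWED_EGRESS):
    """Outbound connections to ports outside the allowed set: egress-filtering candidates."""
    return [(e["src"], e["dst"], e["dport"])
            for e in events if e["dir"] == "out" and e["dport"] not in allowed]

if __name__ == "__main__":
    events, skipped = parse(SAMPLE_LOG)
    print("inbound hits per port:", dict(inbound_port_counts(events)))
    for src, port, name, action in flag_watchlist(events):
        print(f"watchlist: {src} -> port {port} ({name}), action={action}")
    for src, dst, port in egress_exceptions(events):
        print(f"egress exception: {src} -> {dst}:{port}")
    print("malformed lines skipped:", skipped)
```

On the sample, the two denied hits on 445 and 3389 show the firewall doing its job, the allowed hit on port 23 is the rule to fix first, and the outbound connection to port 6667 is the kind of inside-out traffic that egress filtering is meant to catch. Malformed lines are counted rather than ignored silently, since a jump in that count usually means the log format changed and the rest of the analysis is no longer trustworthy.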
Ports are a foundational building block of the Internet, and thus, of Internet security. Have fun researching them. The more you learn, the
smarter your firewall configuration will become. With a little practice, you'll get it looking less like Swiss cheese, and more like the steel
barrier "firewall" implies.

VERSION CHECK (Nmap version detection options)
1) -sV (Version detection)
2) --allports (Don't exclude any ports from version detection)
3) --version-intensity <level> (Set version scan intensity, from 0 (light) to 9 (try all probes))
4) --version-all (Try every single probe)
5) --version-trace (Trace version scan activity)

TRAFFIC PROBE
1) High-Speed Traffic Processing
2) Network Traffic Measurement
3) Network Intrusion Detection
