MCC CIS270 - Lesson 5a

Lesson 5a - Vulnerability Management and Scanning

Key Takeaways - Lesson 5

  • Risk requires an asset, vulnerability, and threat
  • One way to reduce risk is to minimize vulnerabilities
  • Vulnerability management - process of identifying, prioritizing, and addressing vulnerabilities in our environment
  • Vulnerability scanner - performs automated scans for vulnerabilities 
    • Adjustable sensitivity allows us to tune result accuracy
    • Credentialed scans enable scanners to log in and check system locally (instead of only externally)
    • Placement matters - the location of the scanner impacts the information it can glean (a scanner outside a firewall only sees what the firewall lets through)
  • Common Vulnerability Scoring System (CVSS) computes approximate severity for vulnerabilities. Inputs are:
    • Attack Vector (AV) - where the attacker must be in relation to the targeted vulnerability (network, adjacent, local, physical)
    • Attack Complexity (AC) - intricacy of exploiting vulnerability
    • Privileges Required (PR) - privileges needed to carry out the exploit
    • User Interaction (UI) - whether exploitation requires user interaction
    • Confidentiality (C), Integrity (I), and Availability (A) - the "impact" metrics
  • Penetration testing - different from vulnerability scanning in that it uses the focused efforts of human attackers
    • Yields different, sometimes much richer information
    • Human creativity can unearth interesting weaknesses
    • Requires extra planning
      • Scope and rules of engagement (ROE)
      • Allowed and disallowed tactics
      • Duration
      • Off-limits systems
      • Approval from leadership
      • Waivers, etc.
  • NIST has a good publication on security testing and assessment (SP 800-115)

Commands Demonstrated

Find all the hosts on our network. We use nmap here because it's much faster than Nessus for host discovery. We then filter the output to just IP addresses, and will use those for the Nessus scans.
sudo nmap -n --top-ports 48 -T4 -PO 10.0.11.0/24 10.0.13.0/24 10.0.17.0/24 10.0.19.0/24 10.0.101.0/24 10.0.103.0/29 10.0.107.0/29 | tee nmap_output

### sudo - run as root (raw-packet scans such as SYN scan and -PO need it)
### nmap - the command itself
### -n - don't perform any DNS lookups (a reverse lookup for every address slows things down)
### --top-ports 48 - scan only the 48 most common ports (default is 1000, much slower)
### -T4 - scan aggressively (timing template on a scale of 0-5; 3 is the default)
### -PO - IP protocol ping for host discovery. Instead of the usual ICMP echo and TCP SYN/ACK probes it sends raw IP packets for ICMP (protocol 1), IGMP (2), and IP-in-IP (4) by default; a reply in that protocol, or an ICMP "protocol unreachable" error, marks the host as up. Helps identify hosts which may not respond to ordinary pings.
### 10.0.11.0/24 ... - We already know our network ranges, so we scan those
### | tee nmap_output - We pipe the output to tee. The tee command prints the output so we can see it, and also saves it to a file named nmap_output

cat nmap_output | grep -oE "10\.0\.[0-9]{1,3}\.[0-9]{1,3}$"

### cat nmap_output - simply outputs the contents of the file
### | grep - sends the output of cat as input to grep
### -oE - o means only print the matching part (by default grep prints the full line whenever there's a match); E enables extended regular expressions, so {1,3} works without backslashes
### "10\.0\.[0-9]{1,3}\.[0-9]{1,3}$"
###   - 10\.0\. matches "10.0." (the \. tells grep to treat the periods literally instead of as "any character")
###   - [0-9]{1,3}\. matches a digit repeated 1-3 times (0-999; it does not reject values above 255), followed by a period
###   - [0-9]{1,3}$ matches the same, except no period since it's the end of the IP address
###   - $ means "end of this line". Because we used -n there are no hostnames, so the only lines that end in an address are the "Nmap scan report for 10.0.x.y" lines; the anchor keeps latency and timing figures out of the list

Here's a quick recon demonstration. We slowly determine which hosts are up on the network, using decoys and evasion mechanisms. Then we scan those hosts (slowly) for more info.
sudo nmap -n -sn --data-length 32 -T2 --randomize-hosts -D"10.0.19.75,10.0.19.81" 10.0.101.0/27 10.0.19.0/27 10.0.103.0/29 | tee hosts_up
### - -n skips DNS resolution
### - -sn skips the port scan; host discovery only
### - --data-length 32 appends 32 random bytes to each probe packet
### - -T2 slows down the scan to reduce the chance of detection
### - --randomize-hosts randomizes the order in which IPs are scanned
### - -D"10.0.19.75,10.0.19.81" also sends each probe with these spoofed source addresses (decoys), so the real scanner is only one of several apparent sources. Decoy hosts should actually be up: the target's replies to a dead decoy go unanswered, which amounts to a small SYN flood, and a defender can simply pick out the one source that is live
### - 10.0.101.0/27 10.0.19.0/27 10.0.103.0/29 we restrict ranges to save time

cat hosts_up | grep -oE "10\.0\.[0-9]{1,3}\.[0-9]{1,3}$" > targets

### - cat outputs file contents
### - grep -oE "10\.0\.[0-9]{1,3}\.[0-9]{1,3}$" prints just the address at the end of each "Nmap scan report for" line, the same pattern we used above. A looser pattern such as "10.*$" would also match any line that merely contains "10", e.g. a latency figure like "(0.0010s latency)" or the elapsed-time summary, and those fragments would end up in the target list
### - > places the output (a list of IPs) in a file

sudo nmap -n -Pn -sSV -O --data-length 32 -T2 --randomize-hosts -D"10.0.19.75,10.0.19.81" -iL targets

### - -n skips DNS resolution
### - -Pn skips the ping/host-discovery stage and treats every target as up; the previous scan already established that, so there is no reason to probe twice
### - -sSV performs a SYN ("stealth", half-open) port scan (-sS) plus service version detection (-sV)
### - -O attempts OS detection (needs root, hence sudo)
### - --data-length 32 appends 32 random bytes to each probe packet
### - -T2 slows down the scan to reduce detection and congestion
### - --randomize-hosts randomizes the order in which IPs are scanned
### - -D"10.0.19.75,10.0.19.81" sends the SYN and OS-detection probes from these decoy addresses as well as our own. Version detection (-sV) cannot be decoyed: it completes real TCP connections to each open port, so those connections come from our true address
### - -iL targets reads in the file (targets) we made previously
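
Both filter steps above pull addresses out of nmap's normal output with grep, and the output of this final scan is what we would hand to Nessus or match against a vulnerability database. As an added example (written for these notes, not part of the lesson or of nmap), here is a small Python parser for that output that does both jobs: it extracts the hosts the way the anchored grep does, and it turns each host's open ports, versions and OS guess into a structure you can feed into vulnerability management. It also shows what the looser pattern "10.*$" would have matched. SAMPLE is constructed text in the layout of nmap's normal output; every address, port, version and timing in it is made up.

```python
"""Parse nmap normal output (what `tee` captured) into a per-host inventory.

Added example, not from the lesson. SAMPLE is constructed text in the layout
of nmap's normal output for a `-sSV -O` scan; every address, port, version
and timing in it is made up for illustration.
"""
import re

SAMPLE = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-10 09:00 UTC
Nmap scan report for 10.0.19.10
Host is up (0.0010s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS))
MAC Address: 00:0C:29:10:AB:CD (VMware)
OS details: Linux 3.2 - 4.9

Nmap scan report for 10.0.103.5
Host is up (0.0020s latency).
All 1000 scanned ports on 10.0.103.5 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details

Nmap done: 3 IP addresses (2 hosts up) scanned in 10.42 seconds
"""

# Only the "Nmap scan report for" line ends in a host address. With -n there is no
# hostname; the optional "name (" / ")" keeps this working when DNS is left on.
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
OS_RE = re.compile(r"^OS details: (.+)$")
LOOSE_RE = re.compile(r"10.*$")      # the unanchored pattern grep -o "10.*$"


def loose_matches(text: str) -> list:
    """What grep -o "10.*$" would print: every line fragment from its first '10'."""
    return [m.group(0) for m in (LOOSE_RE.search(l) for l in text.splitlines()) if m]


def hosts(text: str) -> list:
    """Addresses of reported hosts, in the order nmap printed them."""
    return [m.group(1) for m in (HOST_RE.match(l) for l in text.splitlines()) if m]


def inventory(text: str) -> dict:
    """{ip: {"ports": [(port, proto, service, version), ...], "os": str or None}},
    keeping only the ports nmap reported as open."""
    result, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {"ports": [], "os": None})
            continue
        if current is None:            # banner lines before the first host
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            if state == "open":
                current["ports"].append((int(port), proto, service, version.strip()))
            continue
        m = OS_RE.match(line)
        if m:
            current["os"] = m.group(1)
    return result


if __name__ == "__main__":
    print("hosts:", hosts(SAMPLE))
    print("loose pattern would also yield:",
          [x for x in loose_matches(SAMPLE) if x not in hosts(SAMPLE)])
    for ip, info in inventory(SAMPLE).items():
        print(ip, "os:", info["os"])
        for port, proto, service, version in info["ports"]:
            print(f"  {port}/{proto} {service} {version}")
```

On the sample, the anchored pattern yields the two hosts, while the loose pattern also returns fragments such as "10s latency)." and "10.42 seconds"; with -iL those would be fed to nmap as targets. For anything beyond a classroom run, nmap's XML output (-oX) is the better input for a parser, since the normal-output layout is meant for people and can change between versions.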