Vulnerabilities are weaknesses, and by reducing vulnerabilities, you can reduce risks. If you’re planning to take the SY0-501 version of the Security+ exam, you should understand many of the common tools used for vulnerability assessments.
For example, can you answer this question?
Q. A penetration tester is running several tests on a server within your organization’s DMZ. The tester wants to identify the operating system of the remote host. Which of the following tools or methods are MOST likely to provide this information?
A. Banner grabbing
B. Vulnerability scan
C. Password cracker
D. Protocol analyzer
Also, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
The overall goal of a vulnerability assessment is to assess the security posture of systems and networks. Assessments identify vulnerabilities, or weaknesses, within systems, networks, and organizations, and they are part of an overall risk management plan.
Vulnerability assessments can include information from a wide variety of sources. This includes reviewing security policies and logs, interviewing personnel, and testing systems. A vulnerability assessment typically includes the following high-level steps:
• Identify assets and capabilities.
• Prioritize assets based on value.
• Identify vulnerabilities and prioritize them.
• Recommend controls to mitigate serious vulnerabilities.
Many organizations perform vulnerability assessments internally. Organizations also hire external security professionals to complete external assessments.
Banner Grabbing
Banner grabbing is a technique used to gain information about remote systems, and many network scanners use it. It is often used to identify the operating system along with information about some applications. If successful, the server returns a Hypertext Markup Language (HTML) banner providing information on the server. The banner might look something like the following:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title></head><body>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 72.52.230.233 Port 80
</address>
</body></html>
Most of this is formatting. However, the information in the address section provides a lot of information on the web server. It shows this is a Unix server running the Apache web server software along with additional information. The command-line tool Netcat can be used for banner grabbing.
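The following is an added example, not code from the post: a small parser for an Apache-style error page like the one above that pulls out the operating system hint and every product/version token from the address section. A defender can run it against their own server's error page to see exactly what an unauthenticated client learns; the sample banner, host address and port below are constructed placeholders.

```python
import re

# Constructed sample banner modelled on the Apache error page shown above.
# The address 192.0.2.10 is a documentation placeholder, not a real host.
SAMPLE_BANNER = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title></head><body>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips
mod_bwlimited/1.4 Server at 192.0.2.10 Port 80</address>
</body></html>"""

ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/([\w.-]+)")   # e.g. Apache/2.2.25


def parse_banner(html):
    """Return (platform, {product: version}) from the <address> banner.
    platform is the parenthesised OS hint such as 'Unix', or None if absent."""
    m = ADDRESS_RE.search(html)
    if not m:
        return None, {}
    text = " ".join(m.group(1).split())          # collapse newlines and runs of spaces
    plat = re.search(r"\(([^)]+)\)", text)
    products = {name: ver for name, ver in PRODUCT_RE.findall(text)}
    return (plat.group(1) if plat else None), products


def disclosed_items(html):
    """List what an unauthenticated client learns: the OS hint plus every
    product/version pair. An empty list means the banner is already minimal,
    which is what Apache's 'ServerTokens Prod' setting produces."""
    plat, products = parse_banner(html)
    items = [f"os:{plat}"] if plat else []
    items += [f"{name}/{ver}" for name, ver in products.items()]
    return items


if __name__ == "__main__":
    for item in disclosed_items(SAMPLE_BANNER):
        print(item)
```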
Vulnerability Scanning
A key part of a vulnerability assessment is a vulnerability scan. Security administrators often use a vulnerability scanner to identify which systems are susceptible to attacks.
Unfortunately, vulnerability scanners aren’t perfect. Occasionally, they report a vulnerability when it doesn’t actually exist. In other words, the scan indicates a system has a known vulnerability, but the report is false. As an example, a vulnerability scan on a server might report that the server is missing patches related to a database application, but the server doesn’t have a database application installed.
This is similar to false positives in an intrusion detection system (IDS) where the IDS alerts on an event, but the event isn’t an actual intrusion. Similarly, an antivirus scanner can identify a useful application as malware, even though the application does not have any malicious code. False positives can result in higher administrative overhead because administrators have to investigate them.
Credentialed Versus Non-Credentialed
Vulnerability scanners can run as a credentialed scan using the credentials of an account, or as non-credentialed without any user credentials. Attackers typically do not have credentials of an internal account, so when they run scans against systems, they run non-credentialed scans.
Security administrators often run credentialed scans with the privileges of an administrator account. This allows the scan to check security issues at a much deeper level than a non-credentialed scan. Additionally, because the credentialed scan has easier access to internal workings of systems, it results in a lower impact on the tested systems, along with more accurate test results and fewer false positives.
It’s worth mentioning that attackers typically start without any credentials but use privilege escalation techniques to gain administrative access. This allows them to run a credentialed scan against a network if desired. Similarly, even though a credentialed scan is typically more accurate, administrators often run non-credentialed scans to see what an attacker without credentials would see.
Configuration Compliance Scanner
A configuration compliance scanner verifies that systems are configured correctly. These scanners often use a file that identifies the proper configuration for systems. When running the scan, the scanner verifies that systems have the same configuration defined in the configuration file. This is also known as configuration validation. Security administrators often configure these tools to use automation or scripting methods so that they automatically run on a set schedule.
As an example, Nessus, a vulnerability scanner developed by Tenable Network Security, uses plug-ins to perform configuration compliance scans. It currently has plug-ins that perform compliance checks against both Windows and Unix systems. Administrators can also create custom audit files to perform custom configuration compliance scans on Windows and Unix systems. AutoNessus is a free tool that can be used to automate Nessus scans.
Configuration compliance scans typically need to be run as credentialed scans. This helps ensure they can accurately read the configuration of systems during the scan.
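An added example (not the post's or Nessus's code) of the configuration validation described above: a baseline of expected settings, written in a hypothetical audit-file style, is compared against a host's settings as a credentialed scan would read them, and every deviation or missing setting is reported. The baseline rules and the sshd_config-style sample are constructed.

```python
# Constructed baseline in the spirit of a compliance audit file (hypothetical
# format): each rule names a setting, the check to apply and the expected value.
BASELINE = [
    {"key": "PermitRootLogin",        "op": "eq",  "expect": "no"},
    {"key": "PasswordAuthentication", "op": "eq",  "expect": "no"},
    {"key": "MaxAuthTries",           "op": "max", "expect": 4},
    {"key": "Protocol",               "op": "eq",  "expect": "2"},
]

# Constructed sample of a host's sshd_config-style settings, as a credentialed
# scan would read them (comments and blank lines included on purpose).
OBSERVED_CONFIG = """# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
MaxAuthTries 6

PasswordAuthentication no
"""


def parse_kv(text):
    """Parse 'Key value' lines, ignoring blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_compliance(baseline, observed):
    """Return a list of (key, actual, expected) findings; empty means compliant.
    A setting missing from the host is reported rather than assumed safe."""
    findings = []
    for rule in baseline:
        actual = observed.get(rule["key"])
        if actual is None:
            findings.append((rule["key"], "missing", rule["expect"]))
            continue
        if rule["op"] == "eq":
            ok = actual.lower() == str(rule["expect"]).lower()
        elif rule["op"] == "max":
            ok = actual.isdigit() and int(actual) <= rule["expect"]
        else:
            raise ValueError(f"unknown op {rule['op']}")
        if not ok:
            findings.append((rule["key"], actual, rule["expect"]))
    return findings


def scan(baseline=BASELINE, config_text=OBSERVED_CONFIG):
    return check_compliance(baseline, parse_kv(config_text))
```

Running `scan()` on the sample reports PermitRootLogin and MaxAuthTries as out of compliance and accepts the other two settings.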
Q. A penetration tester is running several tests on a server within your organization’s DMZ. The tester wants to identify the operating system of the remote host. Which of the following tools or methods are MOST likely to provide this information?
A. Banner grabbing
B. Vulnerability scan
C. Password cracker
D. Protocol analyzer
Answer is A. Banner grabbing is a technique used to gain information about a remote server and it will identify the operating system of the system in the demilitarized zone (DMZ).
A vulnerability scanner checks for vulnerabilities.
A password cracker attempts to discover passwords.
A protocol analyzer collects packets sent across a network and can be used to analyze the packets.
See Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on risk management tools.