Network Vulnerability Assessment - Sagar Rahalkar - E-Book

Description

The tech world has been taken over by digitization to a very large extent, and so it’s become extremely important for an organization to actively design security mechanisms for their network infrastructures. Analyzing vulnerabilities can be one of the best ways to secure your network infrastructure.
Network Vulnerability Assessment starts with network security assessment concepts, workflows, and architectures. Then, you will use open source tools to perform both active and passive network scanning. As you make your way through the chapters, you will use these scanning results to analyze and design a threat model for network security. In the concluding chapters, you will dig deeper into concepts such as IP network analysis, Microsoft Services, and mail services. You will also get to grips with various security best practices, which will help you build your network security mechanism.
By the end of this book, you will be in a position to build a security framework fit for an organization.

You can read this e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 182

Year of publication: 2018




Network Vulnerability Assessment
Identify security loopholes in your network's infrastructure
Sagar Rahalkar
BIRMINGHAM - MUMBAI

Network Vulnerability Assessment

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Gebin George
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Ronn Kurien
Technical Editor: Mohd Riyan Khan
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tom Scaria
Production Coordinator: Shantanu Zagade

First published: August 2018

Production reference: 1300818

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78862-725-2

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

Sagar Rahalkar is a seasoned information security professional with 12 years of experience in various verticals of IS. His domain expertise covers cybercrime investigations, forensics, AppSec, VA/PT, compliance, IT GRC, and more. He has a master's degree in computer science and several certifications, such as Cyber Crime Investigator, CEH, ECSA, ISO 27001 LA, IBM AppScan Certified, CISM, and PRINCE2. He has been associated with Indian law enforcement agencies for around 4 years, dealing with cybercrime investigations and related training. He has received several awards and appreciations from senior officials of the police and defense organizations in India. He has also been a reviewer and author for various books and online publications.

About the reviewer

Dattatray Bhat has 18+ years of rich experience in information security, cyber security, data privacy, governance, compliance, the ITIL framework, and infrastructure management. He is a keen strategist with expertise in developing information security and cyber security strategy in alignment with business strategy, translating security into business terms and ensuring that security is a business enabler for the organization. He has developed information security and cyber security frameworks and Security Operations Centers for large, complex organizations, and has expertise in building secure configuration documents for different platforms based on industry best practices.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Network Vulnerability Assessment

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

Disclaimer

Vulnerability Management Governance

Security basics

The CIA triad

Confidentiality

Integrity

Availability

Identification

Authentication

Authorization

Auditing

Accounting

Non-repudiation

Vulnerability

Threats

Exposure

Risk

Safeguards

Attack vectors

Understanding the need for security assessments

Types of security tests

Security testing

Vulnerability assessment versus penetration testing

Security assessment

Security audit

Business drivers for vulnerability management

Regulatory compliance

Satisfying customer demands

Response to some fraud/incident

Gaining a competitive edge

Safeguarding/protecting critical infrastructures

Calculating ROIs

Setting up the context

Bottom-up

Top-down

Policy versus procedure versus standard versus guideline

Vulnerability assessment policy template

Penetration testing standards

Penetration testing lifecycle

Industry standards

Open Web Application Security Project testing guide

Benefits of the framework

Penetration testing execution standard

Benefits of the framework

Summary

Exercises

Setting Up the Assessment Environment

Setting up a Kali virtual machine

Basics of Kali Linux

Environment configuration and setup

Web server

Secure Shell (SSH)

File Transfer Protocol (FTP)

Software management

List of tools to be used during assessment

Summary

Security Assessment Prerequisites

Target scoping and planning

Gathering requirements

Preparing a detailed checklist of test requirements

Suitable time frame and testing hours

Identifying stakeholders

Deciding upon the type of vulnerability assessment

Types of vulnerability assessment

Types of vulnerability assessment based on the location

External vulnerability assessment

Internal vulnerability assessment

Based on knowledge about environment/infrastructure

Black-box testing

White-box testing

Gray-box testing

Announced and unannounced testing

Automated testing

Authenticated and unauthenticated scans

Agentless and agent-based scans

Manual testing

Estimating the resources and deliverables

Preparing a test plan

Getting approval and signing NDAs

Confidentiality and nondisclosure agreements

Summary

Information Gathering

What is information gathering?

Importance of information gathering

Passive information gathering

Reverse IP lookup

Site report

Site archive and way-back

Site metadata

Looking for vulnerable systems using Shodan

Advanced information gathering using Maltego

theHarvester

Active information gathering

Active information gathering with SPARTA

Recon-ng

Dmitry

Summary

Enumeration and Vulnerability Assessment

What is enumeration?

Enumerating services

HTTP

FTP

SMTP

SMB

DNS

SSH

VNC

Using Nmap scripts

http-methods

smb-os-discovery

http-sitemap-generator

mysql-info

Vulnerability assessments using OpenVAS

Summary

Gaining Network Access

Gaining remote access

Direct access

Target behind router

Cracking passwords

Identifying hashes

Cracking Windows passwords

Password profiling

Password cracking with Hydra

Creating backdoors using Backdoor Factory

Exploiting remote services using Metasploit

Exploiting vsftpd

Exploiting Tomcat

Hacking embedded devices using RouterSploit

Social engineering using SET

Summary

Assessing Web Application Security

Importance of web application security testing

Application profiling

Common web application security testing tools

Authentication

Credentials over a secure channel

Authentication error messages

Password policy

Method for submitting credentials

OWASP mapping

Authorization

OWASP mapping

Session management

Cookie checks

Cross-Site Request Forgery

OWASP mapping

Input validation

OWASP mapping

Security misconfiguration

OWASP mapping

Business logic flaws

Testing for business logic flaws

Auditing and logging

OWASP mapping

Cryptography

OWASP mapping

Testing tools

OWASP ZAP

Burp Suite

Summary

Privilege Escalation

What is privilege escalation?

Horizontal versus vertical privilege escalation

Horizontal privilege escalation

Vertical privilege escalation

Privilege escalation on Windows

Privilege escalation on Linux

Summary

Maintaining Access and Clearing Tracks

Maintaining access

Clearing tracks and trails

Anti-forensics

Summary

Vulnerability Scoring

Requirements for vulnerability scoring

Vulnerability scoring using CVSS

Base metric group

Exploitability metrics

Attack vector

Attack complexity

Privileges required

User interaction

Scope

Impact metrics

Confidentiality impact

Integrity impact

Availability impact

Temporal metric group

Exploit code maturity

Remediation level

Report confidence

CVSS calculator

Summary

Threat Modeling

What is threat modeling?

Benefits of threat modeling

Threat modeling terminology

How to model threats?

Threat modeling techniques

STRIDE

DREAD

Threat modeling tools

Microsoft Threat Modeling Tool

SeaSponge

Summary

Patching and Security Hardening

Defining patching?

Patch enumeration

Windows patch enumeration

Linux patch enumeration

Security hardening and secure configuration reviews

Using CIS benchmarks

Summary

Vulnerability Reporting and Metrics

Importance of reporting

Type of reports

Executive reports

Detailed technical reports

Reporting tools

Dradis

KeepNote

Collaborative vulnerability management with Faraday v2.6

Metrics

Mean time to detect

Mean time to resolve

Scanner coverage

Scan frequency by asset group

Number of open critical/high vulnerabilities

Average risk by BU, asset group, and so on

Number of exceptions granted

Vulnerability reopen rate

Percentage of systems with no open high/critical vulnerability

Vulnerability ageing

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

The tech world has been taken over by digitization to a very large extent, and so it's become extremely important for an organization to actively design security mechanisms for their network infrastructures. Analyzing the vulnerabilities can be one of the best ways to secure your network infrastructure.

Network Vulnerability Assessment will initially start with network security assessment concepts, workflows, and architectures. Then, you will use open source tools to perform both active and passive network scanning. As you make your way through the chapters, you will use these scanning results to analyze and design a threat model for network security. In the concluding chapters, you will dig deeper into concepts such as IP network analysis, Microsoft services, and mail services. You will also get to grips with various security best practices, which help you build your network security mechanism.

By the end of this book, you will be in a position to build a security framework fit for an organization.

Who this book is for

This book is for security analysts, threat analysts, and any security professionals responsible for developing a network threat model for an organization. This book is also for any individual who is or wants to be part of a vulnerability management team and implement an end-to-end robust vulnerability management program.

What this book covers

Chapter 1, Vulnerability Management Governance, is about understanding the essentials of a vulnerability management program from a governance perspective. It introduces the reader to some absolutely basic security terminology and the essential prerequisites for initiating a security assessment.

Chapter 2, Setting Up the Assessment Environment, will introduce various methods and techniques for setting up a comprehensive vulnerability assessment and penetration testing environment.

Chapter 3, Security Assessment Prerequisites, is about knowing the prerequisites of a security assessment. We will learn what planning, scoping, and documentation are required to perform a successful security assessment.

Chapter 4, Information Gathering, is about learning various tools and techniques for gathering information about the target system. We will learn to apply various techniques and use multiple tools to effectively gather as much information as possible about the targets in scope. The information gathered in this stage will be used as input to the next stage.

Chapter 5, Enumeration and Vulnerability Assessment, is about exploring various tools and techniques for enumerating the targets in scope and performing a vulnerability assessment on them.

Chapter 6, Gaining Network Access, is about getting insights on how to gain access to a compromised system using various techniques and covert channels.

Chapter 7, Assessing Web Application Security, is about learning various aspects of web application security.

Chapter 8, Privilege Escalation, is about knowing various concepts related to privilege escalation. The reader will become familiar with various privilege escalation concepts, along with practical techniques for escalating privileges on compromised Windows and Linux systems.

Chapter 9, Maintaining Access and Clearing Tracks, is about maintaining access on the compromised system and cleaning up tracks using anti-forensic techniques. We will learn to make persistent backdoors on the compromised system and use Metasploit's anti-forensic abilities to clear the penetration trails.

Chapter 10, Vulnerability Scoring, is about understanding the importance of correct vulnerability scoring. We will understand the need for standard vulnerability scoring and gain hands-on knowledge of scoring vulnerabilities using CVSS.

Chapter 11, Threat Modeling, is about understanding and preparing threat models. We will understand the essential concepts of threat modeling and gain practical knowledge on using various tools for threat modeling.

Chapter 12, Patching and Security Hardening, is about understanding various aspects of patching and security hardening. We will understand the importance of patching along with practical techniques of enumerating patch levels on target systems and developing secure configuration guidelines for hardening the security of the infrastructure.

Chapter 13, Vulnerability Reporting and Metrics, is about exploring various metrics that can be built around the vulnerability management program. The reader will be able to understand the importance of, design, and implement metrics to measure the success of the organizational vulnerability management program.

To get the most out of this book

It is recommended to have a PC with 8 GB of RAM and a virtual system set up with Kali Linux installed on it. The Kali Linux image file for VMware/VirtualBox/Hyper-V can be downloaded from https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/NetworkVulnerabilityAssessment_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Netcraft and then writes the output to file output.txt."

Any command-line input or output is written as follows:

root@kali:~# theharvester -d demo.testfire.net -l 20 -b google -h output.html

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Logs can be viewed by opening the Logs application located at Applications | Usual Applications | Utilities | Logs."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.

Vulnerability Management Governance

Today's technology landscape is changing at an extremely fast pace. Almost every day, some new technology is introduced and gains popularity in no time. Although most organizations do adapt to rapidly changing technology, they often fail to realize how the use of new technology changes the organization's threat landscape. While the existing technology landscape of an organization might already be vulnerable, the induction of new technology could add further IT security risks to that landscape.

In order to effectively mitigate all the risks, it is important to implement a robust vulnerability management program across the organization. This chapter will introduce some of the essential governance concepts that will help lay a solid foundation for implementing the vulnerability management program. Key learning points in this chapter will be as follows:

Security basics

Understanding the need for security assessments

Listing the business drivers for vulnerability management

Calculating ROIs

Setting up the context

Developing and rolling out a vulnerability management policy and procedure

Penetration testing standards

Industry standards

Security basics

Security is a subjective matter, and designing security controls can often be challenging. One asset may demand more protection to keep its data confidential, while another may demand the utmost integrity. While designing security controls, it is equally important to strike a balance between the effectiveness of the control and its ease of use for the end user. This section introduces some essential security basics before moving on to more complex concepts later in the book.

The CIA triad

Confidentiality, integrity, and availability (often referred to as CIA) are the three critical tenets of information security. While many factors help determine the security posture of a system, confidentiality, integrity, and availability are the most prominent among them. From an information security perspective, any given asset can be classified based on the confidentiality, integrity, and availability values it carries. This section highlights the importance of each element of CIA, along with practical examples and common attacks against each of them.

Confidentiality

The dictionary defines confidentiality as the state of keeping or being kept secret or private. In the context of information security, confidentiality means keeping information secret or private from any unauthorized access, which is one of the primary needs of information security. The following are some examples of information that we often wish to keep confidential:

Passwords

PIN numbers

Credit card number, expiry date, and CVV

Business plans and blueprints

Financial information

Social security numbers

Health records

Common attacks on confidentiality include:

Packet sniffing: This involves the interception of network packets in order to gain unauthorized access to information flowing across the network.

Password attacks: This includes password guessing, cracking using brute force or dictionary attacks, and so on.

Port scanning and ping sweeps: Port scans and ping sweeps are used to identify live hosts in a given network and then perform some basic fingerprinting on the live hosts.

Dumpster diving: This involves searching and mining the dustbins of the target organization in an attempt to get hold of sensitive information.

Shoulder surfing: This is a simple act wherein a person standing behind you peeks over your shoulder to see what password you are typing.

Social engineering: Social engineering is the act of manipulating human behavior in order to extract sensitive information.

Phishing and pharming: This involves sending false and deceptive emails to a victim, spoofing the sender's identity, and tricking the victim into giving out sensitive information.

Wiretapping: This is similar to packet sniffing, though more related to the monitoring of telephone conversations.

Keylogging: This involves installing a secret program on the victim's system that records and sends back all the keys the victim types.

Integrity

Integrity in the context of information security refers to the quality of the information, meaning the information, once generated, should not be tampered with by any unauthorized entities. For example, if a person sends X amount of money to his friend using online banking, and his friend receives exactly X