Chapter 4


OpenVAS

A security tool for conducting port scanning, OS identification, and vulnerability assessments. A client computer (*nix or Windows) must connect to the server to perform the tests.

Prowler

A framework designed as a scalable and repeatable method of acquiring measurable data related to the security readiness of your organization's cloud infrastructure.

Nessus

A network-vulnerability scanner available from Tenable Network Security.

Pacu

An AWS exploitation framework released in 2018. Pacu is open source and has a modular architecture based on a common syntax and data structure that allows for simple expansion of its features.

Passive enumeration techniques are used to gain information about the target without interfacing with or interrogating the target directly.

Active enumeration techniques involve interfacing directly with the target system. Port scanning is one of the most widely used active scanning techniques and uses any number of tools and techniques directly against a target to discover open ports and available services.

Aircrack-ng

An open source tool for penetration testing many aspects of wireless networks. It's used primarily for its ability to audit the security of WLANs through attacks on WPA keys, replay attacks, deauthentication, and the creation of fake access points.

Arachni

Arachni is a Ruby-based, modular web app scanner with a special focus on speed. Unlike many other scanners, Arachni performs many of its scans in parallel, enabling the app to scale to large test jobs without sacrificing performance.

Burp Suite

Burp Suite is an integrated web application testing platform. Often used to map and analyze a web application's vulnerabilities, Burp offers seamless use of automated and manual functions when finding and exploiting vulnerabilities.

Arachni can perform audits for vulnerabilities including SQL injection, cross-site request forgery (CSRF), code injection, LDAP injection, path traversal, file inclusion, and XSS.

Despite being fairly performant, Arachni has few requirements to operate. It needs only a target URL to get started and can be initiated via a web interface or command line.

A fuzzer called American Fuzzy Lop (AFL) crashing a targeted application.

Fuzzers don't always generate random inputs from scratch. Purely random generation is known to be an inefficient way to fuzz systems. Instead, they often start with an input that is pretty close to normal and then make lots of small changes to see which ones seem more effective at exposing a flaw.

oclHashcat

Hashcat also supports the following attack modes:
• Brute-force attack
• Combinator attack
• Dictionary attack
• Hybrid attack
• Mask attack
• Rule-based attack

responder

In the Windows environment, the Link-Local Multicast Name Resolution (LLMNR) protocol or NetBIOS Name Service (NBT-NS) can be used to query local computers on a LAN if a host is unable to resolve a hostname using DNS.

Microsoft SDL Fuzzers

Microsoft has dropped support and no longer provides these applications for download.

Its real power, however, lies in its multitude of features for vulnerability identification, misconfiguration detection, default password exposure, and compliance determination. The standard installation includes the Nessus server, which will coordinate the vulnerability scan, generate reports, and facilitate the vulnerability management feature. It can reside on the same machine as the Nessus web client or can be located elsewhere on the network.

Nessus Credentials

Nessus compliance checks with the Tenable AWS Best Practice Audit options displayed.

Reaver

Reaver takes advantage of a vulnerability that exists in access points that use the Wi-Fi Protected Setup (WPS) feature.

Software assessment tools and techniques

Software vulnerabilities are part of the overall attack surface, and attackers waste no time discovering what flaws exist—in many cases using the techniques we'll describe shortly.

The main advantage of dynamic analysis is that it tends to be significantly faster and requires less expertise than alternatives. It can be particularly helpful for code that has been heavily obfuscated or is difficult to interpret.

The biggest disadvantage is that dynamic analysis doesn't reveal all that the software does, but simply all that it did during its execution in the sandbox.

Qualys

The company currently provides several cloud-based vulnerability assessment and management products through a Software as a Service (SaaS) model. For internal scans, a local virtual machine conducts the assessment and reports to the Qualys server. Figure 4-15 shows a QualysGuard dashboard with various options under the vulnerability management module.

Dynamic Analysis

This method doesn't really care about what the binary is, but rather what the binary does. Referred to as dynamic analysis, this method often requires a sandbox in which to execute the malware. This sandbox creates an environment that looks like a real operating system to the software and provides such things as access to a file system, network interface, memory, and anything else the software might need.

Wireless Assessment Tools

Tools used to detect the presence of wireless networks, identify the security type and configuration, and try to exploit any weaknesses in the security to gain unauthorized access to the network.

Reverse engineering is the detailed examination of a product to learn what it does and how it works. In this approach to understanding what software is doing, a highly skilled analyst will either disassemble or decompile the binary code to translate its 1s and 0s into either assembly language or whichever higher-level language it was created in.

When reverse engineering binary code, we can translate it into assembly language using a tool called a disassembler. This is the most common way of reversing a binary. In some cases, we can also go straight from machine language to a representation of source code using a decompiler.

Scout Suite

With support for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, the tool enables security teams to determine the security posture of their cloud assets. It works by managing the interactions with cloud assets via the platform API, gathering information to make determinations of potentially vulnerable configurations. The results can be easily prepared for manual inspection or follow-up orchestration because of its structured format.

OWASP Zed Attack Proxy (ZAP)

__ is an open-source web application security scanner.
▪ It is intended to be used by both those new to application security as well as professional penetration testers.
▪ The tool can be used during web application development by web developers or by experienced security experts during penetration tests to assess web applications for vulnerabilities.

Fuzzing

A technique used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected, or random data to the target program in order to trigger failures.

Web Application Scanners

Automated scanning tools that scan web applications, normally from the outside and from the perspective of a malicious user. Like other vulnerability scanners, they will scan only for vulnerabilities and malware for which plug-ins have been developed.

Nikto

A web server vulnerability scanner whose main strength is finding vulnerabilities such as SQL and command-injection susceptibilities, XSS, and improper server configuration. Although Nikto lacks a graphical interface, being a command-line-executed utility, it's able to perform thousands of tests very quickly and provides details on the nature of the weaknesses it finds.

Peach Fuzzer

A powerful fuzzing suite that's capable of testing a wide range of targets. Peach uses XML-based modules, called pits, to provide all the information needed to run the fuzz.

Cloud Infrastructure Assessment Tools

Several fantastic tools are now available to assess cloud host vulnerabilities caused by misconfigurations, access flaws, and custom deployments. Many of these tools automate monitoring against industry standards, compliance checklists, regulatory mandates, and best practices to prevent common issues such as data spillage and instance takeover.

nslookup

It enables us to resolve the IP address corresponding to a fully qualified domain name (FQDN) of a host. Depending on the situation, it is also possible to do the inverse (that is, resolve the FQDN corresponding to an IP address). It is possible to fully interrogate the target server and obtain other record data, such as Mail Exchange (MX) for e-mail or Canonical Name (CNAME).

Static Analysis

A technique meant to help identify software defects or security policy violations, carried out by examining the code without executing the program (hence the term static).

hping

A useful enumeration tool that enables users to craft custom packets to assist with the discovery of network flaws, or it can be used by attackers to facilitate targeted exploit delivery.

Prowler offers a fair amount of configuration to allow the tool programmatic access via the Amazon API. Additionally, the AWS CLI will have to be installed on the machine or instance running the tool. Prowler allows for the definition of custom checks, but by default it ships with the following best practice test configurations, or "groups":

• Identity and Access Management
• Logging
• Monitoring
• Networking
• CIS Level 1
• CIS Level 2
• Forensics
• GDPR
• HIPAA

The most common types of vulnerabilities that scanners look for are listed here:

• Outdated server components
• Misconfigured server
• Secure authentication of users
• Secure session management
• Information leaks
• Cross-site scripting (XSS) vulnerabilities
• Improper use of HTTPS
