Chapter 4
OpenVAS
A security tool for conducting port scanning, OS identification, and vulnerability assessments. A client computer (*nix or Windows) must connect to the server to perform the tests.
Prowler
framework designed as a scalable and repeatable method of acquiring measurable data related to the security readiness of your organization's cloud infrastructure
Nessus
A network-vulnerability scanner available from Tenable Network Security.
Pacu
An AWS exploitation framework released in 2018. Pacu is open source and has a modular architecture based on a common syntax and data structure to allow for simple expansion of its features.
Passive enumeration techniques are used to gain information about the target without interfacing with or interrogating the target directly
Active enumeration techniques involve interfacing directly with the target system. Port scanning is one of the most widely used active scanning techniques and uses any number of tools and techniques directly against a target to discover open ports and available services.
Aircrack-ng
An open source tool for penetration testing many aspects of wireless networks. It's used primarily for its ability to audit the security of WLANs through attacks on WPA keys, replay attacks, deauthentication, and the creation of fake access points.
Arachni
Arachni is a Ruby-based, modular web app scanner with a special focus on speed. Unlike many other scanners, Arachni performs many of its scans in parallel, enabling the app to scale to large test jobs without sacrificing performance.
Burp Suite
Burp Suite is an integrated web application testing platform. Often used to map and analyze a web application's vulnerabilities, Burp offers seamless use of automated and manual functions when finding and exploiting vulnerabilities.
Arachni can perform audits for vulnerabilities including SQL injection, cross-site request forgery (CSRF), code injection, LDAP injection, path traversal, file inclusion, and XSS.
Despite being fairly performant, Arachni has few requirements to operate. It needs only a target URL to get started and can be initiated via a web interface or command line.
fuzzer called American Fuzzy Lop (AFL) crashing a targeted application.
Fuzzers don't always generate random inputs from scratch. Purely random generation is known to be an inefficient way to fuzz systems. Instead, they often start with an input that is pretty close to normal and then make lots of small changes to see which ones seem more effective at exposing a flaw.
oclHashcat
Hashcat also supports the following attack modes:
• Brute-force attack
• Combinator attack
• Dictionary attack
• Hybrid attack
• Mask attack
• Rule-based attack
responder
In the Windows environment, the Link-Local Multicast Name Resolution (LLMNR) protocol or NetBIOS Name Service (NBT-NS) can be used to query local computers on a LAN if a host is unable to resolve a hostname using DNS.
Microsoft SDL Fuzzers
Microsoft has dropped support and no longer provides these applications for download.
Its real power, however, lies in its multitude of features for vulnerability identification, misconfiguration detection, default password exposure, and compliance determination. The standard installation includes the Nessus server, which will coordinate the vulnerability scan, generate reports, and facilitate the vulnerability management feature. It can reside on the same machine as the Nessus web client or can be located elsewhere on the network.
Nessus Credentials; Nessus compliance checks with the Tenable AWS Best Practice Audit options displayed.
Reaver
Reaver takes advantage of a vulnerability that exists in access points that use the Wi-Fi Protected Setup (WPS) feature.
Software assessment tools and techniques
Software vulnerabilities are part of the overall attack surface, and attackers waste no time discovering what flaws exist—in many cases using the techniques we'll describe shortly.
The main advantage of dynamic analysis is that it tends to be significantly faster and requires less expertise than the alternatives. It can be particularly helpful for code that has been heavily obfuscated or is difficult to interpret.
The biggest disadvantage is that dynamic analysis doesn't reveal all that the software does, but simply all that it did during its execution in the sandbox.
Qualys
The company currently provides several cloud-based vulnerability assessment and management products through a Software as a Service (SaaS) model. For internal scans, a local virtual machine conducts the assessment and reports to the Qualys server. Figure 4-15 shows a QualysGuard dashboard with various options under the vulnerability management module.
Dynamic Analysis
This method doesn't really care about what the binary is, but rather what the binary does. Referred to as dynamic analysis, this method often requires a sandbox in which to execute the malware. This sandbox creates an environment that looks like a real operating system to the software and provides such things as access to a file system, network interface, memory, and anything else the software might need.
Wireless Assessment Tools
Tools used to detect the presence of wireless networks, identify the security type and configuration, and try to exploit any weaknesses in the security to gain unauthorized access to the network
Reverse engineering is the detailed examination of a product to learn what it does and how it works. In this approach to understanding what software is doing, a highly skilled analyst will either disassemble or decompile the binary code to translate its 1s and 0s into either assembly language or whichever higher-level language it was created in.
When reverse engineering binary code, we can translate it into assembly language using a tool called a disassembler. This is the most common way of reversing a binary. In some cases, we can also go straight from machine language to a representation of source code using a decompiler.
Scout Suite
With support for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, the tool enables security teams to determine the security posture of their cloud assets. It works by managing the interactions with cloud assets via the platform API, gathering information to make determinations of potentially vulnerable configurations. The results can be easily prepared for manual inspection or follow-up orchestration because of their structured format.
OWASP Zed Attack Proxy (ZAP)
__ is an open-source web application security scanner.
▪ It is intended to be used by both those new to application security as well as professional penetration testers.
▪ The tool can be used during web application development by web developers or by experienced security experts during penetration tests to assess web applications for vulnerabilities.
Fuzzing
a technique used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected, or random data to the target program in order to trigger failures.
Web Application Scanners
are automated scanning tools that scan web applications, normally from the outside and from the perspective of a malicious user. Like other vulnerability scanners, they will scan only for vulnerabilities and malware for which plug-ins have been developed.
Nikto
is a web server vulnerability scanner whose main strength is finding vulnerabilities such as SQL and command-injection susceptibilities, XSS, and improper server configuration. Although Nikto lacks a graphical interface as a command-line-executed utility, it's able to perform thousands of tests very quickly and provides details on the nature of the weaknesses it finds.
Peach Fuzzer
powerful fuzzing suite that's capable of testing a wide range of targets. Peach uses XML-based modules, called pits, to provide all the information needed to run the fuzz.
Cloud Infrastructure Assessment Tools
several fantastic tools are now available to assess cloud host vulnerabilities caused by misconfigurations, access flaws, and custom deployments. Many of these tools automate monitoring against industry standards, compliance checklists, regulatory mandates, and best practices to prevent common issues such as data spillage and instance takeover.
nslookup
It enables us to resolve the IP address corresponding to a fully qualified domain name (FQDN) of a host. Depending on the situation, it is also possible to do the inverse (that is, resolve the FQDN of an IP address). It is also possible to fully interrogate the target server and obtain other record data, such as Mail Exchange (MX) for e-mail or Canonical Name (CNAME).
Static Analysis
technique meant to help identify software defects or security policy violations and is carried out by examining the code without executing the program (hence the term static).
hping
useful enumeration tool that enables users to craft custom packets to assist with the discovery of network flaws, or it can be used by attackers to facilitate targeted exploit delivery.
Prowler offers a fair amount of configuration to allow the tool programmatic access via the Amazon API. Additionally, the AWS CLI will have to be installed on the machine or instance running the tool. Prowler allows for the definition of custom checks, but by default it ships with the following best practice test configurations, or "groups":
• Identity and Access Management
• Logging
• Monitoring
• Networking
• CIS Level 1
• CIS Level 2
• Forensics
• GDPR
• HIPAA
The most common types of vulnerabilities that scanners look for are listed here:
• Outdated server components
• Misconfigured server
• Secure authentication of users
• Secure session management
• Information leaks
• Cross-site scripting (XSS) vulnerabilities
• Improper use of HTTPS