TestOut Ethical Hacker Pro - Chapter 7


Buffer overflows

A buffer is a temporary data storage area with a fixed, limited size. An overflow occurs when more data is written into the buffer than the program allocated for it. Input length checking should catch this before the write happens. When an overflow does occur, an attacker can cause data to spill into adjacent memory areas and use that to access database files or alter system files. System crashes or instability can also result.
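The adjacent-memory corruption described above, as an added example that is not part of the TestOut material: Python's ctypes lays out a C-style struct (a hypothetical 8-byte name buffer immediately followed by a privilege flag) and copies input into it once with and once without a length check. The struct, its field names, the login helpers and the payload are all constructed for the demonstration.

```python
import ctypes

NAME_SIZE = 8  # bytes reserved for the name buffer (constructed example layout)


class Session(ctypes.Structure):
    """C-style layout: an 8-byte name buffer immediately followed by a flag.

    Offsets: name at 0..7, is_admin at 8..11, sizeof == 12 on common ABIs.
    """
    _fields_ = [("name", ctypes.c_char * NAME_SIZE), ("is_admin", ctypes.c_uint32)]


def layout() -> tuple:
    """(offset of name, offset of is_admin, total size): shows the two are adjacent."""
    return (Session.name.offset, Session.is_admin.offset, ctypes.sizeof(Session))


def unchecked_copy(session: Session, data: bytes) -> None:
    """Copy like a C strcpy/memcpy whose length is driven by the input itself.

    Nothing stops len(data) from exceeding NAME_SIZE, so bytes 8..11 land in
    is_admin. Copying more than ctypes.sizeof(Session) bytes would write past
    the struct and corrupt the interpreter's heap: the crash case in the text.
    """
    ctypes.memmove(ctypes.addressof(session), data, len(data))


def checked_copy(session: Session, data: bytes) -> None:
    """Bounds-checked copy: refuse anything that does not fit the buffer."""
    if len(data) > NAME_SIZE:
        raise ValueError(f"name exceeds {NAME_SIZE} bytes")
    ctypes.memmove(ctypes.addressof(session), data, len(data))


def login_unchecked(name: bytes) -> str:
    """'admin' or 'user', decided only by whatever ended up in is_admin."""
    s = Session()  # ctypes zero-initialises: is_admin == 0
    unchecked_copy(s, name)
    return "admin" if s.is_admin else "user"


def login_checked(name: bytes) -> str:
    """Same decision with the bounds check; overlong input is rejected outright."""
    s = Session()
    try:
        checked_copy(s, name)
    except ValueError:
        return "rejected"
    return "admin" if s.is_admin else "user"


if __name__ == "__main__":
    # 8 bytes fill the buffer; the next 4 overwrite the flag with a non-zero value.
    payload = b"A" * NAME_SIZE + b"\x01\x01\x01\x01"
    print(layout())                                               # (0, 8, 12)
    print(login_unchecked(b"alice"), login_unchecked(payload))   # user admin
    print(login_checked(b"alice"), login_checked(payload))       # user rejected
```

The flag flips because the struct places it right after the buffer, which is the same adjacency a real overflow exploits against saved return addresses or heap metadata. The 12-byte payload stays exactly within the struct so the demonstration is deterministic; anything longer is undefined behaviour, which is precisely why the checked version rejects instead of truncating silently.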

Wireless network assessment

A hacker can access sensitive information even from outside a building by sniffing network packets that are transmitted wirelessly through radio waves. Generally, a hacker will obtain the SSID (the name assigned to the wireless network, which is normally broadcast in the clear) through sniffing and use it as the starting point for attacking the network's authentication and encryption without ever entering the building. These assessments analyze the network for patching errors, authentication and encryption problems, and unnecessary services.

Passive scanning

A passive scan tries to find vulnerabilities without directly interacting with the target network. The scan identifies vulnerabilities via information exposed by systems in their normal communications. You can set a scanner to scan constantly or at specific times.

Point in time

A scan can only obtain data for the time period when it runs. For example, some weaknesses may be exposed only when systems are operating at peak capacity, at certain times of day, or even at certain times of the year.

Service-based

A service-based solution entails hiring an outside professional, such as yourself, to provide the solution. This approach follows the vulnerability management life cycle. The professional conducts the testing and delivers the remediation advice from outside the network. The risk of this approach is that an assessment performed entirely from outside the network can miss weaknesses that are visible only from inside, leaving ways for a hacker to gain access to the system.

Monitoring

After you have verified your work, move on to the post-assessment phase, which is also known as the recommendation phase. At this point, recommend ongoing monitoring and routine penetration testing to be proactive in protecting the organization and its customers or clients.

Active scanning

An active scan transmits packets to the nodes within a network to determine exposed ports and services. It can also simulate an attack to test for vulnerabilities and pinpoint the weak points in the system. Note that the scan identifies weak points; fixing them is the remediation phase, not something the scan does on its own.

Application

Application-level scans allow the ethical hacker to scrutinize completed applications when the source code is not available. Every application should be examined for input controls and data processing.

A CVSS calculator determines the severity of a vulnerability from three metric groups:

Base - Denotes a vulnerability's intrinsic characteristics, which do not change over time or across environments. Temporal - Denotes the changeable attributes of a vulnerability, such as exploit availability and patch status. Environmental - Denotes how the vulnerability matters in a particular environment or implementation.

Common Attack Pattern Enumeration & Classification (CAPEC)

CAPEC is a dictionary of known patterns of cyber attack used by hackers. Its website is capec.mitre.org.

Cybersecurity & Infrastructure Security Agency (CISA)

CISA is a United States federal agency (part of the Department of Homeland Security) that publishes security alerts and advisories. Its website is cisa.gov.

Common Weakness Enumeration (CWE)

CWE is a community-developed list of common software security weaknesses. Its website is cwe.mitre.org.

Unpatched servers

Hackers gain access to data in a system through misconfigured or unpatched servers. Since servers are an integral part of an organization's infrastructure, this vulnerability creates a central route for access to sensitive data and operations. Fixing bugs, patching, and simply updating software can block an attack.

Security vulnerability report

Here, you will find information on all the scanned devices and servers including open and detected ports, new vulnerabilities, and suggestions for remediation with links to patches.

Active assessment

In an active assessment, specially crafted packets are sent to target nodes to determine the operating systems of the hosts, the services they run, and the vulnerabilities in the network. nmap is a useful tool for this assessment.

Inference-based

In an inference-based approach, you test and discover information as you go. You then adjust your scans according to the information you discover.

Nessus

Offers scanning of mobile devices and will let you know which devices are unauthorized or non-compliant. It also finds outdated versions of Apple iOS. Nessus highlights devices that have not connected for a period of time. It helps overcome the difficulty of identifying network vulnerabilities when mobile devices connect and disconnect between tests.

OpenVAS

OpenVAS is a vulnerability scanner that boasts more than 50,000 vulnerability tests with daily updates. It supports a range of high-level and low-level internet and industrial protocols, as well as unauthenticated and authenticated testing.

Default usernames and passwords

Default passwords should always be changed immediately after installation or setup, and passwords should always be kept secret.

Open services

Ports and services must be checked regularly to find insecure, open, or unnecessary ports, which can lead to attacks on connected nodes or devices, loss of private information, or even denial of service.
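An added example, not from TestOut or any of the tools named on this page, of the active probing an active assessment performs and that a regular open-services check relies on: a small TCP connect scanner with banner grabbing. So that it runs offline, the script starts its own throwaway listener on 127.0.0.1 and scans that; the banner text and the approved-port baseline are assumptions made for the demonstration. In a real assessment nmap does the probing and the baseline is the organization's documented service inventory.

```python
import socket
import threading
from typing import Dict, Iterable, List, Tuple


def start_banner_listener(banner: bytes) -> Tuple[socket.socket, int]:
    """Start a throwaway TCP service on 127.0.0.1 that greets each client with `banner`.

    Stands in for a real daemon so the scanner below has something to find.
    Returns the listening socket (close it to stop) and the port the kernel chose.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listening socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port() -> int:
    """Bind-and-release a port so the demo has one that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 1.0) -> Tuple[bool, bytes]:
    """Full TCP connect probe (the `nmap -sT` style), then read what the service volunteers.

    A refused or timed-out connection counts as not open. Many services announce
    product and version in their first bytes, which is exactly what an attacker
    matches against lists of known-vulnerable versions.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                return True, conn.recv(256)
            except socket.timeout:
                return True, b""   # open but silent: a client-speaks-first protocol
    except OSError:
        return False, b""


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, bytes]:
    """Return {port: banner} for every port that accepted a connection."""
    found: Dict[int, bytes] = {}
    for port in ports:
        is_open, banner = probe_port(host, port, timeout)
        if is_open:
            found[port] = banner
    return found


def audit_open_services(found: Dict[int, bytes], approved: Iterable[int]) -> List[int]:
    """Open ports that are not in the approved baseline: candidates for closure."""
    allowed = set(approved)
    return sorted(p for p in found if p not in allowed)


if __name__ == "__main__":
    srv, open_port = start_banner_listener(b"SSH-2.0-OpenSSH_8.2p1\r\n")
    results = scan_ports("127.0.0.1", [open_port, find_closed_port()])
    for port, banner in results.items():
        print(f"{port}/tcp open  {banner.strip().decode(errors='replace')}")
    print("unexpected:", audit_open_services(results, approved={22, 443}))
    srv.close()
```

The connect probe completes the full TCP handshake, so it shows up in the target's logs and connection tables; that is the difference between this and a half-open SYN scan, and it is why active assessment needs written authorization first. The audit step is the routine check the text asks for: the interesting output is not the open port list but the difference between that list and what is supposed to be open.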

Network Scanner

Provides an understanding of the use of a network. Network Scanner generates reports of security issues and vulnerabilities. These reports are autosaved and can be backed up to your web storage.

Retina CS for Mobile

Provides comprehensive vulnerability management for smartphones, mobile devices, and tablets. This program can scan, prioritize, and fix smartphone vulnerabilities. Then it analyzes and reports its findings from a centralized data warehouse.

Net Scan

Provides discovery through network and port scanning. Net Scan can find vulnerabilities, security flaws, and open ports in your network.

Qualys Vulnerability Management

Qualys Vulnerability Management is a cloud-based service that keeps all your data in a virtual private database. Qualys is easy to use and is capable of scanning large enterprises. Data is always encrypted during transit and at rest, so even though it is cloud-based, your data is secure; only their scanners reside in your network.

Remediation

Remediation refers to the steps that are taken regarding vulnerabilities, such as evaluating vulnerabilities, locating risks, and designing responses for the vulnerabilities. In this phase, you implement the controls and protections from your plan of action. Begin with the highest-impact and highest-likelihood security problems, then work through the lower-impact and lower-likelihood issues.

New vulnerabilities

Scans can only identify known vulnerabilities. This gives an attacker who uses a new attack an advantage, as scan checks are written only for vulnerabilities that have already been disclosed.

Common Vulnerabilities and Exposures (CVE)

The CVE is a list of standardized identifiers for known software vulnerabilities and exposures. It is free to use, and it is publicly available at cve.mitre.org.

National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) was originally created in 2000. It can be found at nvd.nist.gov.

Internal assessment

The ethical hacker can also be inside the network, testing the internal networks and systems.

Baseline creation

The lifecycle starts by defining the effectiveness of the current security policies and procedures. You should establish any risks that may be associated with the enforcement of current security procedures and what may have been overlooked. Try to see what the organization looks like from an outsider's perspective, as well as from an insider's point of view. No organization is immune to security gaps. Work with management to set goals with start dates and end dates. Determine which systems to begin with, set up testing standards, get approval in writing, and keep management informed as you go.

Scan information

The name of the scanning tool, its version, and the network ports that have been scanned.

Misconfigurations

The primary cause of misconfiguration is human error. Web servers, application platforms, databases, and networks are all at risk of unauthorized access. Areas to check include outdated software, unnecessary services, external systems that are incorrectly authenticated, security settings that have been disabled, and debug enabled on a running application.

Target information

The target system's name and address are listed.

Verification

The verification phase helps the security analyst verify whether all the previous phases have been effectively executed. In this phase, you retest the systems for verification.

Vulnerability assessment

The vulnerability phase refers to identifying vulnerabilities in the organization's infrastructure, including the operating system, web applications, and web server. This is the phase where penetration testing begins.

Host-based assessment

This assessment focuses on all types of user risks, including malicious users and untrained users as well as vendors and administrators. Host-based assessment can also test the vulnerability of databases, firewalls, files, and web servers, as well as flag configuration errors.

Security vulnerability summary

This report covers every device or server that was scanned. It provides information on current security flaws and categories of vulnerabilities including severity level. It also lists resolved vulnerabilities.

Common Vulnerability Scoring System (CVSS)

This scoring system provides a consistent way to organize and prioritize the vulnerabilities you look for and discover in your work as an ethical hacker. Because the scoring system is nationally and internationally recognized, using it lends credibility to your findings and to your plan of action for remediation.

Results

This section provides the complete scanning report. It contains the following sub-topics:

Target: each host's detailed information. Services: the network services, identified by name and port. Classification: the origin of the scan. Assessment: the scanner's assessment of each vulnerability.
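An added example, not from TestOut or the Nmap project, showing how the report sections described above (scan information, target information, services and results) map onto what a scanner actually emits. It parses a constructed sample in the shape of nmap's -oX XML output; the addresses, hostname, versions and timestamp in the sample are made up for the demonstration.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# Constructed sample in the shape nmap writes with -oX; not real scan output.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10" version="7.94" start="1700000000">
  <scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
    <os><osmatch name="Linux 5.4" accuracy="96"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> Dict[str, Any]:
    """Map nmap XML onto the report sections: scan information, targets, services.

    xml.etree is fine for output you generated yourself. For XML received from
    a third party (entity-expansion attacks) parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    info = root.find("scaninfo")
    report: Dict[str, Any] = {
        "scan_information": {
            "tool": root.get("scanner"),
            "version": root.get("version"),
            "command_line": root.get("args"),          # where the scan came from
            "protocol": info.get("protocol") if info is not None else None,
            "ports_scanned": info.get("services") if info is not None else None,
        },
        "targets": [],
    }
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue   # down hosts carry no service data worth reporting
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        target: Dict[str, Any] = {
            "name": name.get("name") if name is not None else None,
            "address": addr.get("addr") if addr is not None else None,
            "os_guess": osmatch.get("name") if osmatch is not None else None,
            "services": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            target["services"].append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        report["targets"].append(target)
    return report


def open_services(report: Dict[str, Any]) -> List[str]:
    """One 'addr port/proto name product version' line per open port, for the results section."""
    lines = []
    for t in report["targets"]:
        for s in t["services"]:
            if s["state"] != "open":
                continue
            ident = " ".join(x for x in (s["name"], s["product"], s["version"]) if x)
            lines.append(f"{t['address']} {s['port']}/{s['protocol']} {ident}")
    return lines


if __name__ == "__main__":
    rep = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("Scan information:", rep["scan_information"])
    for t in rep["targets"]:
        print("Target:", t["name"], t["address"], "OS guess:", t["os_guess"])
    print("\n".join(open_services(rep)))
```

Filtered ports are kept in the target record but left out of the results lines, since a filtered port is evidence of a firewall rule rather than of an exposed service; the product and version strings are what get matched against CVE and vendor advisories in the assessment sub-topic.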

Product-based

This solution involves an organization purchasing a product and administering it from inside the network. The product runs inside the firewall, so it is not directly reachable from the internet, although that placement alone does not protect the network from outside attack. An organization could implement this type of solution expecting it to address its vulnerability issues.

External assessment

This type of assessment looks for ways to access the network infrastructure through open firewall ports, routers, web servers, web pages, and public DNS servers. It is external because it works from the outside, over public networks and the internet.

Passive assessment

Using sniffer traces from a remote system, you can determine the operating system of the remote host as well as the hosts and services currently active on the network. Wireshark is a common tool for this type of information gathering and analysis.

Tree-based

With a tree-based assessment, you have a preset plan for testing and scanning based on some previous knowledge of the system. You then choose specific modes of testing for each operating system and machine.

SecurityMetrics Mobile

Detects vulnerabilities in mobile devices. It can help you protect customers' data, avoid unwanted app privileges, mobile malware, device theft, connectivity issues, and threats to device storage and unauthorized account access. You can expect a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions.

Design flaws

Every operating system or device has bugs or defects in its design. Hackers take advantage of design flaws such as broken authentication and access control, cross-site scripting, insufficient logging and monitoring, and incorrect or weak encryption.

Operating system flaws

Flaws in the OS can leave a system susceptible to malicious applications such as viruses, Trojan horses, and worms through scripts, undesirable software, or code. Firewalls, minimal software application usage, and regular system patches create protection from this form of attack.

Application flaws

Flaws in the validation and authorization of users present the greatest threat to security in transactional applications. This type of assessment evaluates deployment and communication between the server and client. It is imperative to develop tight security through user authorization and validation. Both open-source and commercial tools are recommended for this assessment.

Full Disclosure

Full Disclosure is a public security mailing list hosted by the Nmap project. Its website is seclists.org/fulldisclosure. This mailing list often shows the newest vulnerabilities before other sources.

Risk assessment

In this phase, you organize the results of your vulnerability testing according to risk level and then categorize by levels of sensitivity and access. You will need to create and present reports that clearly identify the problem areas, then produce a plan of action to address weaknesses, protect the information, and harden the systems.

Default settings

It is important to check default settings, especially for default SSIDs and admin passwords. If a company never changes the default admin passwords or the default SSID to combinations unique to the company, it is very simple for an attacker to gain access to the network.

JPCERT

JPCERT is Japan's CERT organization. It provides security alerts and Japanese Vulnerability Notes (JVN). The website is www.jpcert.or.jp/english/vh/project.html.

Nessus Professional

Nessus Professional is an assessment solution that resides on your network. This makes it more suitable for smaller organizations. It scans for known vulnerabilities, malware, and misconfigurations. Nessus also provides reporting and remediation, as well as ongoing monitoring.

Nikto

Nikto is a web server scanner. It tests for outdated versions of more than 1,250 servers. It also scans for more than 6,000 files and programs that can be exploited. It checks for version-specific problems on more than 270 servers. It is important to note that this tool is not stealthy: it creates a large footprint by leaving a high volume of entries in the web server's log files.

