Scan Results Verification - Paiet/Tech-Journal-for-Everything GitHub Wiki
Scan Results Verification
- Analyze reports from a vulnerability scan
  - Review and interpret scan results
    - Identify false positives
      - Why do we get false positives?
        - Insufficient access/permission to verify the vuln
        - Plug-in error/mistake
      - Why perform the scan if we have to verify the results or check for FPs?
        - The scan is meant to point you in the direction of possible issues
        - They get things right a lot
      - How do we verify?
        - If the scan says "Patch missing", check that the patch is missing
        - If the scan says "Possible SQLi", then throw some SQLi at the app
        - Don't be afraid to get expert help
          - DBAs
          - Devs
          - Net admins
          - etc.
      - DEMO: Use Metasploit to verify VSFTPD
        - Look at the OpenVAS scan for Metasploitable
        - Click on the vuln for the vsftpd backdoor
        - Follow the link to http://www.securityfocus.com/bid/48539
        - Check the "Exploit" tab
        - See that there is a Metasploit module
        - Fire up Metasploit
        - Search for vsftpd
        - Use the found module
        - Set RHOST to the Metasploitable IP
        - Run the exploit
        - whoami
    - Identify exceptions
      - Make a record of any exceptions and why they're exceptions
      - If possible, remove exceptions from scans
    - Prioritize response actions
      - Validate results and correlate other data points
- Compare to best practices or compliance
- Reconcile results
  - Cross-reference scan results with...
    - Logs
    - SIEM (Security Information and Event Management)
    - Configuration Management systems
- Review related logs and/or other data sources
  - App-specific logs
  - Any other monitoring systems
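The verification, exceptions and reconciliation steps above can be scripted once scan output has been parsed. The following is an added example, not code from this wiki or from any scanner: it takes "patch missing" style findings, cross-references each against a configuration-management inventory of installed package versions, applies a documented exceptions register, and flags findings the scanner could not see properly (uncredentialed scan) or that need a human check. All findings, inventory entries and exceptions are constructed sample data; the field names are assumptions, not any scanner's export format.

```python
"""Triage scanner findings against CMDB inventory and an exceptions register.

Added example with constructed data; not part of the original wiki page.
"""
import re
from typing import Optional

# Constructed findings, as they might look after parsing a scanner export.
# "observed" is the version the scanner inferred; "credentialed" records whether
# it could log in (an uncredentialed scan guesses from banners, a common FP cause).
SCAN_FINDINGS = [
    {"host": "10.0.0.5", "plugin": "openssh-outdated", "package": "openssh-server",
     "observed": "7.4p1", "fixed_in": "8.0p1", "credentialed": False},
    {"host": "10.0.0.5", "plugin": "apache-outdated", "package": "apache2",
     "observed": "2.4.29", "fixed_in": "2.4.41", "credentialed": True},
    {"host": "10.0.0.9", "plugin": "openssh-outdated", "package": "openssh-server",
     "observed": "7.4p1", "fixed_in": "8.0p1", "credentialed": True},
    {"host": "10.0.0.9", "plugin": "telnet-open", "package": None,
     "observed": None, "fixed_in": None, "credentialed": True},
]

# Constructed package inventory as a configuration-management system would report it.
CMDB_INVENTORY = {
    ("10.0.0.5", "openssh-server"): "8.2p1",   # backported/updated: scanner banner is stale
    ("10.0.0.5", "apache2"): "2.4.29",         # genuinely old
    ("10.0.0.9", "openssh-server"): "7.4p1",   # genuinely old
}

# Constructed exceptions register: accepted risks, each with the reason recorded.
EXCEPTIONS = {
    ("10.0.0.9", "telnet-open"): "lab console host on isolated VLAN; accepted by owner",
}


def version_key(version: str) -> tuple:
    """Turn '8.2p1' or '2.4.29' into a comparable tuple of integers."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def triage(finding: dict) -> tuple:
    """Return (status, reason) for one finding.

    Statuses: exception, false-positive, confirmed, verify-manually.
    """
    key = (finding["host"], finding["plugin"])
    if key in EXCEPTIONS:
        return "exception", EXCEPTIONS[key]

    package: Optional[str] = finding["package"]
    if package is None:
        return "verify-manually", "no package to compare; confirm the service by hand"

    installed = CMDB_INVENTORY.get((finding["host"], package))
    if installed is None:
        return "verify-manually", f"{package} on {finding['host']} not in CMDB"

    if version_key(installed) >= version_key(finding["fixed_in"]):
        reason = f"CMDB reports {installed}, at or above fixed version {finding['fixed_in']}"
        if not finding["credentialed"]:
            reason += "; uncredentialed scan guessed from banner, rescan with credentials"
        return "false-positive", reason

    return "confirmed", f"CMDB agrees {installed} < {finding['fixed_in']}"


def triage_all(findings: list) -> dict:
    """Map (host, plugin) -> status for a whole report, for prioritising response."""
    return {(f["host"], f["plugin"]): triage(f)[0] for f in findings}


if __name__ == "__main__":
    for f in SCAN_FINDINGS:
        status, reason = triage(f)
        print(f"{f['host']:10} {f['plugin']:18} {status:16} {reason}")
```

The scanner's own output is treated only as a pointer: the decision comes from a second data source (the CMDB), and anything that cannot be decided automatically is routed to a person rather than silently closed.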
- Determine trends
  - Types of trends
    - Overall trends in vulnerabilities
      - New vulns
      - Age of existing vulns
      - Remediation time of vulns
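The three trend types listed above (new vulns, age of open vulns, remediation time) all fall out of comparing successive scans. This added example, which is not from the wiki, takes a constructed history of dated scans, each reduced to the set of (host, plugin) findings still open, and computes per-scan new and fixed counts, the age of everything still open, and the mean time to remediation for findings that disappeared.

```python
"""Vulnerability trend metrics from a series of scan snapshots.

Added example with constructed data; not part of the original wiki page.
"""
from datetime import date
from typing import Optional

# Constructed scan history: (scan date, set of findings open at that scan).
SCAN_HISTORY = [
    (date(2024, 1, 1), {("10.0.0.5", "openssh-outdated"), ("10.0.0.5", "apache-outdated")}),
    (date(2024, 2, 1), {("10.0.0.5", "apache-outdated"), ("10.0.0.9", "openssh-outdated")}),
    (date(2024, 3, 1), {("10.0.0.9", "openssh-outdated"), ("10.0.0.9", "telnet-open")}),
]


def trends(history: list) -> dict:
    """Compute new/fixed counts per scan, open-finding ages and remediation times.

    A finding that disappears and later reappears is counted as new again,
    so its remediation clock restarts at the reappearance.
    """
    first_seen = {}      # (host, plugin) -> date first observed in the current run of scans
    closed = []          # (key, first_seen_date, closed_date) for findings that went away
    per_scan = []
    previous = set()

    for scan_date, open_set in sorted(history, key=lambda item: item[0]):
        new = open_set - previous
        fixed = previous - open_set
        for key in new:
            first_seen[key] = scan_date
        for key in fixed:
            closed.append((key, first_seen.pop(key), scan_date))
        per_scan.append({"date": scan_date, "open": len(open_set),
                         "new": len(new), "fixed": len(fixed)})
        previous = open_set

    as_of = per_scan[-1]["date"]
    open_age_days = {key: (as_of - seen).days for key, seen in first_seen.items()}
    remediation_days = [(done - seen).days for _, seen, done in closed]
    mean_remediation: Optional[float] = (
        sum(remediation_days) / len(remediation_days) if remediation_days else None
    )
    return {
        "per_scan": per_scan,
        "open_age_days": open_age_days,
        "mean_remediation_days": mean_remediation,
        "closed": closed,
    }


if __name__ == "__main__":
    report = trends(SCAN_HISTORY)
    for row in report["per_scan"]:
        print(f"{row['date']}: open={row['open']} new={row['new']} fixed={row['fixed']}")
    print("open ages (days):", report["open_age_days"])
    print("mean remediation (days):", report["mean_remediation_days"])
```

Excluding recorded exceptions from the input sets before calling this keeps accepted risks from inflating the "age of open vulns" figure, which is one reason the earlier notes suggest removing exceptions from the scans themselves.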