Security: Vulnerability Scanning & Pen Testing - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • Vulnerability scanning concepts

    • Vulnerability scanners give the ability to identify a variety of systems across the network.
    • Passively test security controls
      • Can be performed by a PVS (Passive Vulnerability Scanner)
      • A passive scan does not locate wireless SSIDs that have been hidden
      • An active scan emits probes to the APs to locate them
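To make the passive/active distinction concrete, here is an added example (not from the wiki) of what a passive scanner can and cannot learn: it infers hosts and listening ports purely from TCP handshake flags that a sensor happened to observe, never sending a probe of its own. The packet list is constructed sample data, and the flag strings are simplified summaries.

```python
"""Passive service discovery from traffic a sensor already sees.
Added example, not from the wiki; the packet list is constructed."""
from collections import defaultdict

# Constructed packet summaries: (src, sport, dst, dport, tcp_flags)
OBSERVED = [
    ("10.0.0.5", 51000, "10.0.0.20", 22, "S"),
    ("10.0.0.20", 22, "10.0.0.5", 51000, "SA"),
    ("10.0.0.5", 51001, "10.0.0.20", 80, "S"),
    ("10.0.0.20", 80, "10.0.0.5", 51001, "SA"),
    ("10.0.0.6", 40000, "10.0.0.20", 3389, "S"),
    ("10.0.0.20", 3389, "10.0.0.6", 40000, "RA"),
    ("10.0.0.6", 40001, "10.0.0.21", 443, "S"),
    ("10.0.0.21", 443, "10.0.0.6", 40001, "SA"),
]


def passive_inventory(packets):
    """Infer hosts and listening ports without sending a single probe.

    A SYN-ACK from (host, port) means a service is listening there; a
    RST-ACK in reply to a SYN means the port is closed. Anything nobody
    happened to connect to during the capture stays unknown: that is the
    blind spot of passive scanning that an active probe would fill.
    """
    hosts = set()
    open_ports = defaultdict(set)
    closed_ports = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        hosts.update((src, dst))
        if flags == "SA":
            open_ports[src].add(sport)
        elif flags == "RA":
            closed_ports[src].add(sport)
    return {
        "hosts": hosts,
        "open": dict(open_ports),
        "closed": dict(closed_ports),
    }


if __name__ == "__main__":
    inv = passive_inventory(OBSERVED)
    for host in sorted(inv["hosts"]):
        print(host, "open:", sorted(inv["open"].get(host, ())),
              "closed:", sorted(inv["closed"].get(host, ())))
```

Run against the sample, the inventory shows 10.0.0.20 listening on 22 and 80 with 3389 closed, and 10.0.0.21 on 443. Nothing is known about ports on 10.0.0.5 or 10.0.0.6, because nobody connected to them while the sensor was watching; that gap is exactly what an active scan trades stealth for.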
    • Identify vulnerability
      • Classify
        • Low Importance
        • Medium Importance
        • High Importance
      • Types
        • SMB Detection
        • DCE Enumeration Detection
        • OS Identification
        • Open Ports
        • Open Systems
    • Identify lack of security controls
      • Types (lack of)
        • Physical Controls
          • Locks
          • Fences
          • Man-traps
        • Access Controls
          • Data
          • Programs
          • Systems
          • Equipment
      • Potential Outcome
        • Intercepting Data
        • Accessing a remote host to steal or modify data
        • Impersonation of a user/employee/contractor
        • Inserting communications
        • Replaying communications
    • Identify common misconfigurations
      • Password Management
        • Weak passwords
        • Password reuse
        • Password Sharing
        • Shared Accounts
      • Unnecessary Services
      • Disabling Firewall
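The misconfigurations listed above are the kind a credentialed scan or configuration audit reports. As an added example (not from the wiki), the script below audits a constructed host inventory for each of them: a disabled host firewall, services outside an allow-list, passwords whose hash matches a known weak password, shared accounts (one credential known to several people), and password reuse across accounts. All host names, account names, hashes and the allow-list are hypothetical.

```python
"""Audit a host inventory for the misconfigurations listed above.
Added example, not from the wiki; hosts, accounts and hashes are constructed."""
import hashlib
from collections import defaultdict


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Hashes of a few well-known weak passwords (a real list would be far larger).
KNOWN_WEAK_HASHES = {sha256_hex(p) for p in ("password", "123456", "Welcome1")}

# Services that are expected on these hosts; anything else is unnecessary.
ALLOWED_SERVICES = {"sshd", "nginx", "postgres"}

# Constructed sample inventory; every host, account and value is hypothetical.
# "users" lists the people who know the account's password.
INVENTORY = {
    "web01": {
        "firewall_enabled": True,
        "services": ["sshd", "nginx", "telnetd"],
        "accounts": [
            {"name": "alice", "users": ["alice"],
             "password_hash": sha256_hex("c0rrect-h0rse-battery")},
            {"name": "deploy", "users": ["alice", "bob", "carol"],
             "password_hash": sha256_hex("Welcome1")},
        ],
    },
    "db01": {
        "firewall_enabled": False,
        "services": ["postgres", "sshd"],
        "accounts": [
            {"name": "bob", "users": ["bob"],
             "password_hash": sha256_hex("c0rrect-h0rse-battery")},
        ],
    },
}


def audit(inventory):
    """Return (host, finding, detail) tuples for each misconfiguration found."""
    findings = []
    owners_by_hash = defaultdict(set)
    for host, cfg in inventory.items():
        if not cfg["firewall_enabled"]:
            findings.append((host, "firewall-disabled", "host firewall is off"))
        for service in cfg["services"]:
            if service not in ALLOWED_SERVICES:
                findings.append((host, "unnecessary-service", service))
        for account in cfg["accounts"]:
            if account["password_hash"] in KNOWN_WEAK_HASHES:
                findings.append((host, "weak-password", account["name"]))
            if len(account["users"]) > 1:
                findings.append((host, "shared-account", account["name"]))
            owners_by_hash[account["password_hash"]].add(f"{host}:{account['name']}")
    # The same hash on two accounts means the same password is reused.
    for owners in owners_by_hash.values():
        if len(owners) > 1:
            findings.append(("*", "password-reuse", ",".join(sorted(owners))))
    return findings


if __name__ == "__main__":
    for host, kind, detail in audit(INVENTORY):
        print(f"{host:6} {kind:20} {detail}")
```

One caveat on the reuse check: comparing digests only works because the sample uses unsalted hashes. With properly salted password hashes, identical passwords produce different digests, so reuse has to be checked at the moment a password is set (when the plaintext is available) rather than by comparing stored hashes afterwards.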
    • Intrusive vs. non-intrusive
      • Intrusive
        • Remember that not all companies can afford downtime while a thorough vulnerability scan is performed
        • Intrusive scans could introduce the possibility of downtime
        • Destructive security auditing or intrusive scanning can yield more accurate results, as the intent is to use the exact same methods an attacker would use
        • Intrus
      • Non-intrusive
        • This technique usually employs simple scans, such as checking file systems or looking for missing updates
    • Credentialed vs. non-credentialed
      • Credentialed scans can give access to more information
      • Non-credentialed scans give limited information
    • False positive
      • False negative = Incorrectly identified
        • Malicious traffic identified as legitimate
      • False positive = Incorrectly identified
        • Legitimate traffic identified as malicious
        • An IDS/IPS learning process will start with a lot of false positives initially; over time they are reduced as tuning continues
      • True negative = Correctly identified
      • True positive = Correctly identified
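The four outcomes above are easiest to keep straight by counting them. This added example (not from the wiki) scores two versions of a detection rule against a handful of constructed, analyst-labelled web requests and reports the false-positive and false-negative rates; the "naive" and "tuned" rules and all sample events are hypothetical. It also illustrates the tuning point above: the first rule fires on ordinary input, and the tightened rule brings the false positives down.

```python
"""Score a detection rule against labelled traffic to count TP/FP/TN/FN.
Added example, not from the wiki; events and rules are constructed."""
from dataclasses import dataclass


@dataclass
class Event:
    src: str
    uri: str
    is_malicious: bool  # ground-truth label from the analyst (constructed)


# Constructed sample of web requests with hypothetical labels.
SAMPLE_EVENTS = [
    Event("10.0.0.5", "/index.html", False),
    Event("10.0.0.7", "/login?user=admin' OR '1'='1", True),
    Event("10.0.0.9", "/search?q=O'Reilly", False),
    Event("10.0.0.7", "/../../etc/passwd", True),
    Event("10.0.0.3", "/docs/select-your-plan", False),
    Event("10.0.0.8", "/cgi-bin/test.cgi?cmd=id", True),
]


def naive_rule(event):
    """First-draft rule: alert on any apostrophe, 'select' or '../'.
    Broad enough to catch attacks, but it also fires on ordinary input."""
    uri = event.uri.lower()
    return "'" in uri or "select" in uri or "../" in uri


def tuned_rule(event):
    """Rule after tuning on the false positives: require injection-shaped
    patterns instead of single characters or common English words."""
    uri = event.uri.lower()
    return "' or '" in uri or "../" in uri or "cmd=" in uri


def score(rule, events):
    """Count outcomes: alert+malicious=TP, alert+benign=FP,
    silent+malicious=FN, silent+benign=TN."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for event in events:
        if rule(event):
            counts["TP" if event.is_malicious else "FP"] += 1
        else:
            counts["FN" if event.is_malicious else "TN"] += 1
    return counts


def rates(counts):
    """False-positive rate = FP / all benign; false-negative rate = FN / all malicious."""
    benign = counts["FP"] + counts["TN"]
    malicious = counts["TP"] + counts["FN"]
    return {
        "fpr": counts["FP"] / benign if benign else 0.0,
        "fnr": counts["FN"] / malicious if malicious else 0.0,
    }


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("tuned", tuned_rule)):
        c = score(rule, SAMPLE_EVENTS)
        print(name, c, rates(c))
```

On this sample the naive rule scores TP=2, FP=2, TN=1, FN=1 (it flags "O'Reilly" and "select-your-plan" as malicious and misses the command-injection request), while the tuned rule scores TP=3, FP=0, TN=3, FN=0. Tightening a rule cuts false positives but can just as easily raise false negatives on traffic outside the sample it was tuned on, which is why the process is iterative rather than one-shot.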
  • Penetration testing concepts.

    • Active reconnaissance
      • This information gathering involves port scanning
      • This information gathering involves getting around or through the firewall by exploitation
      • In this type of information gathering, activities can be traced
    • Passive reconnaissance
      • This is information gathering using Open Source Intelligence (OSINT) or only using public resources
      • Used when information gathering activities have a requirement to not be detected
      • Can be difficult to perform as sometimes the only information that is available could be archives or outdated information
      • There is also semi-passive reconnaissance: information gathering that looks like regular network traffic and behaviour, such as querying public DNS records or inspecting metadata in published documents.
    • Pivot
      • Pivoting is the technique of using an instance (also referred to as a 'plant' or 'foothold') to "move" around inside a network; basically, using the first compromise to allow, and even aid, the compromise of other, otherwise inaccessible systems
    • Initial exploitation
      • The initial exploit tries to find a loophole in an application to grant access to the system the application is running on, through **escalation of privilege**
      • Access is gained through:

        • Command Line Interpreters (terminals, shells, Windows Command Prompt, PowerShell)
        • Rogue code execution
        • Physical Access
        • Command injection
        • Phishing
    • Persistence
      • A malicious party does not limit their attack to a two-week time period. Instead, they watch and wait, looking for an opening in which to strike.
    • Escalation of privilege
    • White box testing
      • Software testing method in which the internal structure/ design/ implementation of the item being tested is known to the tester.
    • Grey box testing
      • Software testing method in which the tester has limited knowledge of the internal details of the program. A grey box is a device, program or system whose workings are partially understood.
    • Black box testing
      • Software testing method in which the internal structure/ design/ implementation of the item being tested is not known to the tester.
    • Pen testing vs. vulnerability scanning
      • Vulnerability scanning seeks to identify and quantify vulnerabilities and provide mitigation techniques
      • Pentesting tries to simulate the actions an attacker can take against an organization in order to exploit the weaknesses that are found.