360° Vulnerability Assessment with Nessus and Wireshark: Identify, evaluate, treat, and report threats and vulnerabilities across your network (English Edition)
Ebook, 423 pages, 3 hours


About this ebook

Today, the world depends on services that run in IT environments. These services, essential to the functioning of the modern world, constantly suffer attacks and intrusions. This concern is well founded and must be a top priority for an IT security professional.

This book will help you explore different techniques to locate, understand, and fix vulnerabilities that may exist in an IT infrastructure environment. The book starts by sharing the findings of professionals who are looking to create a secure IT environment. It then focuses on the building blocks of vulnerability assessment, the tools, and the frameworks that will help you find and map IT vulnerabilities. Moving on, the book dives deep into network segregation and separation. It then shows you how to secure and harden your web servers using Apache and Nginx. Lastly, the book explains how to apply important hardening techniques to avoid operating system threats.

By the end of the book, you will learn how to improve the overall security through Vulnerability Management.
Language: English
Publisher: BPB Online LLP
Release date: Feb 23, 2023
ISBN: 9789355513397


    Book preview

    360° Vulnerability Assessment with Nessus and Wireshark - Raphael Hungaro Moretti

    CHAPTER 1

    Fundamentals of 360° Vulnerability Assessment

    Introduction

    Nowadays, everything is connected, and personal and corporate devices blend together more and more. If there was once a perimeter through which only known and approved devices were allowed into corporations, today that possibility almost no longer exists. In fact, corporate devices tend to have a higher level of protection and security than those aimed at the domestic market, and moreover, it is much more common for corporate devices to receive updates, including security updates, for much longer. This situation occurs not only because people use their private equipment in the company but also because companies themselves buy non-corporate products that connect to the network. We use meeting room televisions that have apps, home security cameras, network-controlled air conditioning and solar energy equipment, coffee machines, and even printers; in short, countless devices inside companies that run internal applications but have no corporate-level protection. We can also find smartwatches, cell phones, digital assistants, laptops, tablets, modems, home and business automation systems, and many other devices for personal use. Added to these facts, almost everything can now be done online: paying bills and taxes, shopping, watching TV, communicating with the whole world, and even using a digital assistant such as Google Assistant or Amazon Echo. Speaking of virtual assistants, many people simply keep their entire schedule on these devices and control their entire home or office through them. There are many challenges for the security analyst, and this book will help day by day with tools and methods that will organize and support the work.

    Structure

    In this chapter, we will discuss the following topics:

    The importance of a security environment

    The power of tools

    The Penetration Test Execution Standard

    Objectives

    This chapter introduces the importance of a security environment, showing the dangerous aspects of reality and the difficulty of designing security. It will present Wireshark and Nessus, powerful tools for any Information Technology Security Professional. We shall conclude the chapter with the basics of the Penetration Test Execution Standard (PTES), one of the most important testing and vulnerability analysis methods today.

    The importance of a security environment

    The other side of all the convenience that technology has brought is the fact that devices can present vulnerabilities in some way. There is no perfect device, and even if a device is very well built, there is still the issue of vulnerabilities in the infrastructure that connects to it.

    A great deal of personal, corporate, and sensitive information is entered and stored daily: in the office, for passports, for purchases, in communication software (e-mail and video calls), at the pharmacy, on social media, with telephone operators and providers, and with banks. Countless institutions have already had cyber incidents, and with data privacy legislation expanding, companies are obliged to report and admit their problems with information leakage, which is only part of the problem.

    It is almost impossible to go through a day's e-mail without some kind of phishing message (an e-mail that looks genuine but was prepared by cyber criminals) requesting information that was never officially solicited. It is very common to receive SMS and instant messages with malicious links or some kind of extortion attempt, and even calls from criminals trying to take advantage.

    It is important that all infrastructure, at each stage of the connection, whether physical, application, or service, is prepared to maintain control of all accesses: identifying connections and accesses, giving the correct permissions to the user, and keeping records of these accesses. This applies to the operator, the service provider, and the customer; to the company that developed the system, the hosting provider, and the security solutions; and, above all, to the owner of the service and/or application.

    On the one hand, operators work to improve access control, and websites with their databases increasingly adhere to anti-fraud systems; on the other hand, people are still not prepared enough to use technologies safely, and there is still much need for improvement in secure software development and appropriate security practices in enterprises.

    After improving your Web application defenses, it is time to improve your operating system’s defenses. Ideally, both sides (customer and supplier) follow an improvement process. However, the collaboration of the end customer is very complex, especially if it is a home user.

    Information security should be part of our daily lives, as if it were food. It is part of who we are and influences the way we live. In a company, this concern is even greater. The lives of many people depend on companies, whether they are employees, customers, suppliers, partners, and so on.

    A well-managed environment must operate with well-defined rules. When it comes to vulnerability assessment with the aim of defending a business, or even a person, the adoption of security frameworks will make the analyst's life much easier. Having a sequence of steps to carry out an analysis eliminates time wasted on tests and makes operations more effective. A security analyst hardly ever has enough time to produce extensive research; that is why following a framework and adapting it to the maturity level of the business will facilitate the organization and even the adoption of information security tools.

    A security environment also presupposes complete knowledge of the devices and of the environment in which they sit. This is essential to delimit a scope of action. It is not possible to keep monitoring the entire universe; it would be irrational from a time or financial cost point of view.

    It is important that the analyst understands the infrastructure components and their interrelationships, such as switches, routers, firewalls, IPS, the Wi-Fi network structure, proxies, infrastructure servers (such as DNS, web, database, and application servers), and so on. It is also important to keep in mind the use of port mirroring or a cable tap to conduct the analysis, as any evaluation that is made cannot interfere with the business and the routine of the companies.

    The analyst must understand many kinds of vulnerabilities and the threats that can exploit them. It is necessary to have knowledge about how malware such as ransomware and crypto lockers work, about zero-day attacks, and so on.

    The power of tools

    In this book, two great tools will be discussed: Wireshark and Nessus.

    Wireshark was developed by Gerald Combs in 1997 under the name Ethereal. In 2006 the project changed its name to Wireshark.

    Wireshark is a network analyzer. It can read packets from the network, decode them, and present them in an easy-to-understand format. It is a widely used tool for error analysis, for system administrators, and for network architecture; it is also used as a network intrusion detection system and for capturing specific and proprietary protocols. For Wi-Fi and IoT networks, Wireshark is a powerful tool capable of providing a large amount of information. Because of its extensive filtering capability, available already at capture time, Wireshark becomes a great ally of the security analyst. Figure 1.1 shows how Wireshark provides information for the security analyst, helping in troubleshooting and network analysis:

    Figure 1.1: Wireshark

    To this day, it is open source and is able to read, process, and analyze files captured by other tools. More information at: https://www.wireshark.org/

    Nessus is an industry-standard tool when it comes to vulnerability assessment. Project Nessus was started by Renaud Deraison in 1998 as a free remote security scanner. On October 5, 2005, Tenable Network Security, a company co-founded by Renaud Deraison, changed Nessus 3 to a proprietary (closed source) license. Figure 1.2 shows the Nessus vulnerability assessment tool with the available options, helping security analysts with Pentesting and vulnerability search.

    Figure 1.2: Nessus scanning options

    It currently has two versions: the Essentials edition, which is free and is limited to scanning 16 IPs, and the Professional edition, which is unlimited, can be used anywhere, has a configuration evaluator, and presents results in real time. Nessus evaluates each IP with a large number of tests on different types of devices. For more information: https://www.tenable.com/products/nessus.

    The Penetration Test Execution Standard

    The Penetration Testing Execution Standard (PTES) is a methodology developed by a team of information security professionals. The PTES forms a complete and up-to-date standard. In addition to guiding security professionals, it also provides information for companies on what to expect from a penetration test and guides them in defining the scope and negotiating projects. It covers what, when, and how.

    Microsoft itself recommends using this methodology at https://docs.microsoft.com/en-us/azure/architecture/framework/security/monitor-test

    The PTES consists of two main parts that complement each other. The pentest guidelines describe the main sections and steps of a penetration test, whereas the technical guidelines discuss the specific tools and techniques to use at each step. More can be found at http://www.pentest-standard.org/index.php/Main_Page

    The PTES describes penetration testing in seven main sections. They cover everything related to a penetration test: from the initial communication, through the intelligence gathering, threat modeling, vulnerability analysis, exploitation, and post-exploitation phases, to the communication of the final report. Throughout the test, the testers' technical security knowledge is always coupled with business understanding. Finally, for the report, the information representing all the processes described is formatted in a way that provides value to the customer.

    The following are the sections defined by the methodology as the basis for performing penetration tests:

    Pre-engagement interactions

    Intelligence gathering

    Threat modeling

    Vulnerability analysis

    Exploitation

    Post-exploitation

    Reporting

    Pre-engagement interactions

    During the pre-engagement phase, the security analyst, together with the client, must understand the risks, objectives, and expectations. From this, the best vulnerability analysis strategy is chosen, defining the test scope and costs. It is at this stage that the confidentiality terms, the Non-Disclosure Agreement (NDA), are signed between the parties.

    As a vulnerability analysis strategy, the white box (with all information on the infrastructure, services, databases, applications, and so on that are within the scope of the analysis), the black box (without any information, simulating an external attacker), or something in between can be chosen.

    Intelligence gathering

    The security analyst starts the process of gathering information about the targets within the scope of the document agreed in Phase 1, including employees, facilities, systems, and so on: everything that may be relevant and that can help identify vulnerabilities.

    A very important point is collection with the OSINT framework (open-source intelligence), which gathers a multitude of details from open sources of information. The security analyst must gather as much intelligence as possible about the organization and about potential targets for exploitation.

    Depending on the type of analysis agreed upon, the security analyst may need access to different levels of information about the organization; the level of information will be defined by the nature of the analysis, always with the aim of discovering vulnerabilities and entry points into the environment.

    The most common intelligence-gathering techniques include the following:

    Search engine queries

    Public records

    Domain name searches / WHOIS lookups

    Social engineering

    Internet footprint: e-mail addresses, usernames, and social networks

    Infrastructure scans: inventory, port scanning, reverse DNS, and packet sniffing

    Dumpster diving

    Tailgating

    Threat modeling

    In this step, the security analyst studies all the information collected in the reconnaissance phase. This identifies likely vulnerabilities of the target according to the value of the organization’s assets and the target’s business model.

    The most common areas to be mapped and identified are as follows:

    Business assets

    Organizational information

    Employee data

    Customer data

    Technical data

    Threats: identify and categorize internal and external threats

    Internal threats: employees, managers, administrators (system, network, and server), developers, engineers, technicians, contractors, general users, and remote support.

    External threats: business partners, competitors, contractors, suppliers, nation-states, organized crime, hacktivists, and script kiddies.

    Identification of vulnerabilities

    Vulnerability testing is the process of discovering flaws in systems and applications that could be taken advantage of by an attacker. In this stage, tests are carried out using automated tools in search of information about vulnerabilities and the best ways to exploit them.

    Two forms of analysis are used: active and passive. In active analysis, a vulnerability scanner such as Nessus is used, for example, to carry out discoveries and inventories. In passive analysis, a traffic analyzer is used, such as Wireshark.

    Once the vulnerabilities are identified, an analysis of security risks must be carried out through correlations, validations, manual tests, and research.

    Exploitation

    The exploitation stage is the moment when the security analyst gains access to a system or resources, passing through security controls or even bypassing the restrictions that were previously evaluated, remembering that the security analyst will only go as far as was determined by the guidelines agreed in the initial scope.

    Tests are performed using automated tools, such as Nessus, Wireshark, and Metasploit, in search of information about vulnerabilities and the best ways to exploit them.

    You should test for vulnerabilities found in your network, applications, and data. The objective is to know how far it is possible to enter the environment, identify high-value targets, and avoid detection.

    The biggest challenge of this phase is to identify the path of least resistance in the organization, without detection and with the greatest impact on the value of the organization.

    Post-exploitation

    The purpose of the post-exploitation phase is to determine the value of the compromised machine and retain control of the machine for later use.

    The value of the machine is determined by the sensitivity of the data stored on it and the usefulness of the machine in further compromising the network.

    In this phase, the identification and documentation of sensitive data is carried out; it should also document the methods used to obtain the accesses, identify configuration settings and relationships with other devices that can be used to gain additional access to new assets and, consequently, to the target machine later on. In cases where these methods differ from the agreed Rules of Engagement, the Rules of Engagement must be followed.

    The security analyst must be able to determine the value of the impact of compromised systems and any value associated with sensitive data captured from previously provided information by the company.

    Once the penetration testing recommendations are complete, the tester must clean the environment, remove any access he has gained to penetrate the environment, and prevent future unauthorized access to the system by any means necessary.

    Typical cleaning activities include the following:

    removing all executables, scripts, and temporary files from compromised systems;

    returning the settings and parameters to their values from before the tests;

    eliminating all backdoors and rootkits installed in the environment;

    removing any user accounts created to connect to the compromised system.

    Reports

    The report is often considered the most critical aspect of a vulnerability assessment. It is the presentation of the test results, with recommendations on the vulnerability assessment, conclusions of the results achieved, and, most importantly, for the customer, the direction to correct flaws and eliminate or reduce the risks of exploiting these vulnerabilities.

    The report should show exactly how the entry points were discovered in the intelligence gathering phase, including what was discovered through the OSINT framework, and in the threat modeling phase, together with the respective ways to fix the security issues found during the exploitation phase.

    Report structure

    The report is divided into two main sections to communicate the objectives, methods, and results of tests performed to various audiences. These sections are Executive Summary and Technical Report.

    The Executive Summary

    It is a report aimed at people related to the information security strategy, as well as members of the organization that may be impacted by identified/confirmed threats. Figure 1.3 provides more information about the assessment.

    Figure 1.3: Task roadmap example (Source: pentest-standard.org)

    The executive summary must contain most, if not all, of the following sections:

    Background: This part details the terms identified in the pre-engagement section related to the risk and objectives of the analysis. If there has been a change in objectives during the course of the assessment, all changes should be listed in this section of the report. Change requests should be included in the report’s appendix and linked in this section.

    Overall posture: This section should describe the operations in general, the systemic issues, the potential impact on the business, and the alignment with the goals established in the pre-engagement sessions.

    Risk profile: The report should also have a useful overall security risk score. It might be inspired by methods such as ITIL, FAIR, or DREAD and might look like the following figure:
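As an added example (not from the book or from pentest-standard.org), here is how a DREAD-based risk profile for this section can be computed: each confirmed finding gets the five DREAD ratings, the findings are ranked, and the overall score is derived for the executive summary. The band thresholds, the choice to let the worst finding set the overall posture, and the sample findings are assumptions made for this example.

```python
from dataclasses import dataclass

# Band thresholds are an assumption for this example; adapt them to the engagement.
BANDS = ((8.0, "Critical"), (6.0, "High"), (4.0, "Medium"), (0.0, "Low"))

@dataclass
class Finding:
    """One confirmed vulnerability with its five DREAD ratings, each 1 (low) to 10 (high)."""
    name: str
    damage: int            # D: how bad is the impact if exploited
    reproducibility: int   # R: how reliably can the exploit be repeated
    exploitability: int    # E: how little effort or skill is needed
    affected_users: int    # A: how many users or assets are affected
    discoverability: int   # D: how easy is the weakness to find

    def dread(self) -> float:
        """DREAD score: the plain average of the five ratings, after validating their range."""
        ratings = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 1 <= r <= 10 for r in ratings):
            raise ValueError(f"{self.name}: every DREAD rating must be between 1 and 10")
        return sum(ratings) / len(ratings)

def band(score: float) -> str:
    """Map a DREAD average onto the assumed reporting bands."""
    return next(label for threshold, label in BANDS if score >= threshold)

def risk_profile(findings):
    """Rank the findings and derive the overall score. The worst finding sets the
    posture (an assumption here), because a single entry point is enough for an attacker."""
    ranked = sorted(findings, key=lambda f: f.dread(), reverse=True)
    overall = ranked[0].dread() if ranked else 0.0
    counts = {label: 0 for _, label in BANDS}
    for f in ranked:
        counts[band(f.dread())] += 1
    return {
        "overall_score": round(overall, 1),
        "overall_band": band(overall) if ranked else "None",
        "counts": counts,
        "ranked": [(f.name, round(f.dread(), 1), band(f.dread())) for f in ranked],
    }

# Constructed findings for illustration, not from a real engagement.
SAMPLE_FINDINGS = [
    Finding("Telnet enabled on core switch management interface", 9, 10, 8, 6, 7),
    Finding("Verbose stack traces on intranet web server", 3, 10, 5, 4, 8),
    Finding("Missing HSTS header on customer portal", 2, 10, 3, 5, 6),
]

if __name__ == "__main__":
    profile = risk_profile(SAMPLE_FINDINGS)
    print(f"Overall risk: {profile['overall_score']} ({profile['overall_band']})")
    for name, score, label in profile["ranked"]:
        print(f"  {score:>4}  {label:<8}  {name}")
```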
