5. Vulnerability Analysis

The document discusses vulnerabilities, vulnerability research, and vulnerability analysis. It defines a vulnerability as a bug or flaw that exposes a system to hacking attacks. Vulnerability research involves identifying security flaws to help vendors create more secure products. Vulnerability analysis is the process of finding, classifying, and prioritizing vulnerabilities in systems to understand threats and risks. Common types of vulnerabilities include SQL injection, buffer overflows, weak passwords, and missing encryption. The document also lists vulnerability scanning tools like Nessus and describes how to perform vulnerability assessments.


Vulnerability

A bug, a flaw, or a state of being exposed that leads to a critical hacking
attack by an attacker is called a vulnerability.

Vulnerability Research
It is the process by which security flaws in technology are identified.
Vulnerability research does not always involve reverse engineering, code
analysis and similar techniques. Performing vulnerability research against
technology before release enables technology vendors to provide their customers
with higher-quality products and higher levels of trust and security.

List of vulnerability research websites

● securityfocus.com
● vulnerability-lab.com
● us-cert.gov
● packetstormsecurity.com
● nvd.nist.gov
● cvedetails.com

Vulnerability Analysis
Vulnerability analysis is the process of defining, identifying, classifying
and prioritizing vulnerabilities in computer systems, applications or network
infrastructure. This phase gives the organization the knowledge, awareness and
risk background needed to perform a security assessment, understand the threats
and react appropriately.
Attackers perform vulnerability analysis to identify security loopholes in
the target organization's network or communication infrastructure, and take
advantage of the identified vulnerabilities to exploit the target network
further.
A vulnerability scanner (software) compares details about the target attack
surface against a database of known security vulnerabilities in services and
ports, anomalies in packet construction, and potential paths to exploitable
programs or scripts.

www.hackerschool.in
Objectives
● Identify vulnerabilities ranging from critical design flaws to simple
misconfigurations.
● Document the vulnerabilities so that developers and network administrators
can easily identify and reproduce the findings.
● Create guidance to assist network administrators and developers with
remediating the identified vulnerabilities.

Types of vulnerability Assessments

● External Scans
● Internal Scans
● Environment Scans
● Host assessment
● Network assessment
● Database assessment

Common types of Vulnerabilities

● Missing data encryption
● SQL injection
● Buffer overflow
● Missing authentication for critical functions
● Missing authorization
● Unrestricted upload of dangerous file types
● Cross-site request forgery
● Download of code without integrity checks
● Weak passwords
● Path/Directory traversal

List of network vulnerability scanners

● Nessus
● GFI LanGuard - Scans for both hardware and software vulnerabilities.
● QualysGuard - Works on both LAN and WAN.
● SAINT
● Nexpose - Paid and free solution available from Offensive security.
● Core Impact - Scanner and exploit framework.
● OpenVAS

Types of Vulnerability Assessment Reports

● Technical Report - Includes a detailed description of the vulnerabilities
found on the target computer(s).
● Non-Technical Report - A brief report on the vulnerabilities found on the
target computer(s). This report includes graphs and charts that make the risk
easy to understand.

CVE (Common Vulnerabilities and Exposures)
CVE is a dictionary of standardized identifiers for publicly known software
vulnerabilities and exposures. CVE IDs (for example CVE-2018-1002100), which
are assigned by CVE Numbering Authorities from around the world, give
confidence when used to share information about a unique software or firmware
vulnerability, provide a baseline for tool evaluation, and enable data
exchange. CVE IDs act as a benchmark for evaluating security services.

CVSS (Common Vulnerability Scoring System)

CVSS is a published standard that provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities. Its
quantitative model ensures accurate measurement while enabling users to see
the underlying vulnerability characteristics that were used to generate the
scores. The National Vulnerability Database (NVD) provides CVSS scores for
almost all known vulnerabilities. A CVSS assessment consists of three metric
groups for measuring vulnerabilities:
1. Base Metrics: represent the inherent qualities of a vulnerability.
2. Temporal Metrics: represent the characteristics that keep changing
during the lifetime of a vulnerability.
3. Environmental Metrics: represent the characteristics of a vulnerability
that depend on a particular environment or implementation.

Each metric group yields a score from 1-10, ten being the most severe. A CVSS
score is calculated and generated from a vector string, a block of text that
records the value chosen for each metric in each group. A CVSS calculator
uses it to rank security vulnerabilities and provide the user with the
overall severity and risk related to the vulnerability.

INDEX
1. Performing vulnerability assessment using the Nessus Vulnerability Scanner
2. Performing vulnerability assessment using Nmap-vulners

THIS DOCUMENT INCLUDES ADDITIONAL PRACTICALS WHICH MAY OR MAY NOT BE COVERED
DURING CLASSROOM TRAINING. FOR MORE DETAILS, APPROACH THE LAB COORDINATORS.
Practical 1: Performing vulnerability assessment using the
Nessus Vulnerability Scanner.
Description: In this practical we will learn how to obtain a Nessus activation
key, and how to download, install and set up Nessus to perform a vulnerability
assessment on the target system. After performing the assessment, we will also
learn how to generate vulnerability assessment reports in different formats.

Part 1: Download and Install Nessus Vulnerability Scanner

Step 1: Perform a simple Google search to download the Nessus Vulnerability
Scanner, or open the following link:
● https://www.tenable.com/products/nessus/activation-code
● Choose Nessus Home edition and click on Register Now.

Step 2: We will be redirected to the registration page; complete the user
registration and click Register.
● Note: Provide a valid email address (the Nessus Activation Code is sent
to it).

Step 3: After registration, click on download.

Step 4: Select the Linux .deb package (32-bit or 64-bit, depending on your
machine). Click Agree to start the download.

Step 5: In a terminal, change to the Downloads directory and execute the
following command (as root, since it installs a system package).
● dpkg -i <package name>

Part 2: Nessus Configuration

Step 6: Execute the following command to start Nessus.
● /etc/init.d/nessusd start

Step 7: In a browser, open https://127.0.0.1:8834/

Step 8: The browser warns about the scanner's self-signed certificate; click
Advanced and then Add Exception to display the Nessus login screen. Provide a
username and password (remember these credentials to log in to Nessus in
future).

Step 9: Enter the Activation Code when prompted. The initialization process
starts and takes some time to complete.

Step 10: Once registration is done, we can log in to Nessus using the
credentials created earlier.

Step 11: To perform a vulnerability scan, click on New Scan on the top-right corner
of the Nessus interface.

Step 12: Select the type of scan that we intend to perform on the target
machine. In this case, let us choose Basic Network Scan.

Step 13: Provide the necessary details (the name of your scan and the IP
address of the target are mandatory) and save the profile.

Step 14: The scan name is now listed under the My Scans tab. Click on the
play button to start the scan.

Step 15: Click on the scan to view the identified vulnerabilities.

Step 16: Click on a vulnerability for detailed information regarding the risk.

● To document the results, click on the export button located at the
top-right corner.
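Once a scan has been exported in Nessus' own XML format (a .nessus file), the findings can be processed outside the web interface. The following Python script is an added example, not part of the handout or of Tenable's software: it parses the NessusClientData_v2 layout (ReportHost and ReportItem elements with severity, pluginID, pluginName, cvss_base_score and cve fields) and produces the two report shapes described earlier, a technical finding list and a non-technical per-host severity summary. The embedded report is constructed; the host addresses, plugin IDs and CVE number in it are placeholders.

```python
"""Turn an exported .nessus report into a technical finding list and a
non-technical severity summary. Added example, not part of the handout or of
Nessus itself."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the NessusClientData_v2 layout; the host addresses,
# plugin IDs and CVE number are placeholders, not real scan data.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="lab-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="100001" pluginName="SSH server supports weak algorithms">
    <risk_factor>Medium</risk_factor>
    <cvss_base_score>5.3</cvss_base_score>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="4"
               pluginID="100002" pluginName="Web application remote code execution">
    <risk_factor>Critical</risk_factor>
    <cvss_base_score>9.8</cvss_base_score>
    <cve>CVE-0000-0001</cve>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="100003" pluginName="Scan information">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="100004" pluginName="SMB signing not required">
    <risk_factor>High</risk_factor>
    <cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 = informational through 4 = critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return one dict per ReportItem, i.e. per finding on a host/port."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "title": item.get("pluginName"),
                "cvss": float(cvss) if cvss else None,
                "cves": [c.text for c in item.findall("cve")],
            })
    return findings


def technical_report(findings, min_severity=1):
    """Technical report: every finding at or above min_severity, most severe
    first, with host/port/plugin details so an administrator can reproduce it.
    Informational plugins (severity 0) are dropped by default."""
    actionable = [f for f in findings if f["severity"] >= min_severity]
    return sorted(actionable, key=lambda f: (-f["severity"], -(f["cvss"] or 0.0),
                                             f["host"], f["port"]))


def severity_summary(findings):
    """Non-technical report: per-host counts by severity label, the numbers a
    chart or pie graph would be drawn from."""
    summary = {}
    for f in findings:
        summary.setdefault(f["host"], Counter())[SEVERITY_NAMES[f["severity"]]] += 1
    return summary


def format_technical(findings):
    """Plain-text rendering of the technical report."""
    lines = []
    for f in technical_report(findings):
        cves = ", ".join(f["cves"]) or "-"
        lines.append("%-8s %-12s %5d/%-3s CVSS %-4s %s [%s]" % (
            SEVERITY_NAMES[f["severity"]], f["host"], f["port"], f["protocol"],
            f["cvss"] if f["cvss"] is not None else "n/a", f["title"], cves))
    return "\n".join(lines)


if __name__ == "__main__":
    data = parse_nessus(SAMPLE_NESSUS)
    print(format_technical(data))
    for host, counts in severity_summary(data).items():
        print(host, dict(counts))
```

Replace SAMPLE_NESSUS with the contents of a real export to use it on your own scans; sorting by the plugin's severity first and CVSS second keeps Nessus' own risk rating as the primary order while still separating findings that share a rating.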

Practical 2: Performing vulnerability assessment using
Nmap-vulners.
Description: In this practical we will learn how to clone the nmap-vulners and
vulscan scripts from GitHub and perform vulnerability scanning with the nmap
tool using those cloned scripts.
Prerequisites: the git tool must be installed to clone tools from GitHub.

Step 1: This is one type of vulnerability identification scanning with nmap
scripts. In this scanning we download vulnerability data from online sources
and add it to the nmap tool to identify vulnerabilities on the target system.
This will only give you possible vulnerability details based on the version of
the software that nmap identifies during the scan.
● Let's get into the practical: clone the vulnerability data and related nmap
scripts from GitHub to your attacker machine by executing the commands below.
● git clone https://github.com/scipag/vulscan.git
● git clone https://github.com/vulnersCom/nmap-vulners.git

Step 2: We can see two directories named vulscan and nmap-vulners created in
the current directory.

Step 3: Copy vulners.nse from the nmap-vulners directory, and the complete
vulscan directory, to /usr/share/nmap/scripts/. When performing a script scan,
nmap by default looks for scripts in that path, so moving the downloaded
scripts there keeps the scan commands simple. Execute the command below in a
terminal (as root, since the target directory is system-owned) to move the
files.
● mv nmap-vulners/vulners.nse vulscan/ /usr/share/nmap/scripts/

Step 4: To perform vulnerability scanning using the scripts, execute the
commands below (-sV is required, because both scripts match on the service
versions nmap detects).
● nmap -sV --script vulners <targetIP>
● nmap -sV --script vulscan <targetIP>

● These scans give vulnerability details, CVE details, reference links,
vulnerability severity ratings, etc.
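Because the vulners script matches on detected version strings only, each result is a candidate that still has to be verified on the host (a backported patch leaves the banner unchanged), and open ports with no version match are not "clean" but unassessed. The following Python script, an added example that is not part of the handout or of the vulners project, reads nmap XML output (the same scan run with -oX) and turns the script's structured results into a verification work list sorted by CVSS, marking entries the feed tags as exploits, plus the list of open ports the script could not assess. The embedded XML is constructed to mirror how vulners reports its findings (one table per matched CPE holding id, type, is_exploit and cvss elements, as the author of this example understands the script's output); the address, versions and identifiers in it are placeholders.

```python
"""Turn 'nmap -sV --script vulners -oX scan.xml <target>' output into a
verification work list. Added example; not part of the handout or vulners."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output. The address, versions and ids are
# placeholders; the <script> subtree mirrors vulners' structured output
# (one <table> per matched CPE holding id/type/is_exploit/cvss elements).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vulners -oX scan.xml 192.0.2.20">
 <host>
  <address addr="192.0.2.20" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22">
    <state state="open"/>
    <service name="ssh" product="OpenSSH" version="7.2p2"/>
    <script id="vulners" output="(omitted)">
     <table key="cpe:/a:openbsd:openssh:7.2p2">
      <table><elem key="id">CVE-0000-0001</elem><elem key="type">cve</elem><elem key="is_exploit">false</elem><elem key="cvss">7.5</elem></table>
      <table><elem key="id">CVE-0000-0002</elem><elem key="type">cve</elem><elem key="is_exploit">false</elem><elem key="cvss">5.3</elem></table>
      <table><elem key="id">EDB-ID:00000</elem><elem key="type">exploitdb</elem><elem key="is_exploit">true</elem><elem key="cvss">7.5</elem></table>
     </table>
    </script>
   </port>
   <port protocol="tcp" portid="80">
    <state state="open"/>
    <service name="http" product="Apache httpd" version="2.4.18"/>
    <script id="vulners" output="(omitted)">
     <table key="cpe:/a:apache:http_server:2.4.18">
      <table><elem key="id">CVE-0000-0003</elem><elem key="type">cve</elem><elem key="is_exploit">false</elem><elem key="cvss">9.8</elem></table>
     </table>
    </script>
   </port>
   <port protocol="tcp" portid="3306">
    <state state="open"/>
    <service name="mysql"/>
   </port>
  </ports>
 </host>
</nmaprun>
"""


def service_label(port):
    """Describe the service nmap fingerprinted on this port, or mark it as
    unidentified (no product/version means vulners had nothing to match on)."""
    svc = port.find("service")
    if svc is None or not svc.get("product"):
        return "unidentified"
    return " ".join(x for x in (svc.get("product"), svc.get("version")) if x)


def candidate_vulns(xml_text, min_cvss=0.0):
    """One record per vulners match at or above min_cvss, highest CVSS first.
    Every record is a hypothesis derived from a version string, to be
    confirmed against the host's real patch level."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != "vulners":
                    continue
                for cpe_table in script.findall("table"):
                    for entry in cpe_table.findall("table"):
                        fields = {e.get("key"): (e.text or "")
                                  for e in entry.findall("elem")}
                        cvss = float(fields.get("cvss") or 0.0)
                        if cvss < min_cvss:
                            continue
                        records.append({
                            "host": addr,
                            "port": int(port.get("portid")),
                            "service": service_label(port),
                            "cpe": cpe_table.get("key"),
                            "id": fields.get("id"),
                            "type": fields.get("type"),
                            "cvss": cvss,
                            "exploit": fields.get("is_exploit") == "true",
                        })
    records.sort(key=lambda r: (-r["cvss"], r["host"], r["port"], r["id"]))
    return records


def unassessed_ports(xml_text):
    """Open ports without any vulners result: the script could not evaluate
    them, so they need manual inspection rather than a 'no findings' label."""
    root = ET.fromstring(xml_text)
    out = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            if port.find("script[@id='vulners']") is None:
                out.append((addr, int(port.get("portid")), service_label(port)))
    return out


if __name__ == "__main__":
    for r in candidate_vulns(SAMPLE_NMAP_XML, min_cvss=7.0):
        flag = " EXPLOIT" if r["exploit"] else ""
        print("%4.1f %s:%d %-16s %s%s" % (r["cvss"], r["host"], r["port"],
                                           r["service"], r["id"], flag))
    for addr, portid, svc in unassessed_ports(SAMPLE_NMAP_XML):
        print("unassessed: %s:%d (%s)" % (addr, portid, svc))
```

Run the Step 4 vulners command with -oX scan.xml added and pass the file's contents to candidate_vulns; the min_cvss threshold and the exploit flag give a first ordering for the verification and remediation work, while unassessed_ports keeps the scope honest by listing services the version-based approach never looked at.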
