CS Unit-2 VJ

The document discusses vulnerability scanning, including defining IP addresses, MAC addresses, DNS, and types of vulnerability scanners. It covers topics like vulnerabilities, vulnerability classifications, false negatives, false positives, zero-day vulnerabilities, and common vulnerabilities.

Uploaded by baljitsingh.test

Cyber Security

MS.Vaishalee Joishar, Cyber Security Trainer


Computer Science & Engineering – Cyber Security
CHAPTER-2
Systems Vulnerability Scanning
Basic Fundamental Concepts
IP Address
• An Internet Protocol address (IP address) is a numerical label assigned to each
device (e.g., computer, printer) participating in a computer network that uses
the Internet Protocol for communication.
• An IP address serves two principal functions: host or network interface
identification and location addressing.
Two versions of IP address:
• IPv4 uses 32-bit addresses, written as four decimal numbers (octets) separated
by dots. Example: 192.168.1.1
• IPv6 uses 128-bit addresses, written as eight groups of four hexadecimal digits
separated by colons. Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
(the same address in compressed form: 2001:db8:85a3::8a2e:370:7334)
• IP addresses are usually written and displayed in these human-readable
notations; on the wire they are plain 32-bit or 128-bit binary values.


Cont…
MAC Address
• A media access control address (MAC address) is a unique identifier
assigned to a network interface for communications on the physical
network segment.
• MAC addresses are used as the network address for most IEEE 802 network
technologies, including Ethernet, Wi-Fi and Bluetooth.
• It is also known as the physical address or hardware address.
• A MAC address is 48 bits long, usually written as six groups of two hexadecimal
digits separated by colons (or hyphens). The first three groups identify the
manufacturer of the interface (the OUI), which is why scanners can name the
vendor of a card from its address alone.
• For example, consider a network adapter with the MAC address
01:0a:95:9d:58:36.
• A MAC address can be changed in software, so it identifies a device only as
long as nobody is spoofing it.
Cont…
DNS
• DNS stands for "Domain Name System".
• It converts human-readable website names into the computer-readable
numerical IP addresses that every connection actually uses.
For example:
• If you want to visit Google, you type www.google.com into your web browser's
address bar instead of an IP address. However, your computer does not know
where www.google.com is located until it asks DNS.
• Behind the scenes, the internet and other networks use numerical IP
addresses. The browser sends a DNS query for www.google.com and receives
one of Google's server addresses; which address is returned varies by location
and over time, and a lookup with nslookup or dig shows the current answer.
• Plain DNS answers are not authenticated, so a scanner that targets a host by
name should also record the IP address it actually tested.
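The lookup described above, shown at the wire level as an added example (this code is not part of the slides). It builds the DNS query a resolver sends for an A record and parses a constructed reply; the response bytes and the address 93.184.216.34 are made up for the example, and only IPv4 A records are handled. The transaction-ID check is the one thing a client can do to reject a reply that does not belong to its query.

```python
import ipaddress
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query for the A record of `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A (1), QCLASS=IN (1)


def _read_name(msg: bytes, offset: int) -> tuple:
    """Decode a domain name at `offset`, following compression pointers; return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, 14-bit offset into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section; reject replies whose ID does not match the query."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")  # e.g. 3 = NXDOMAIN
    offset = 12
    for _ in range(qdcount):           # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                    # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(str(ipaddress.IPv4Address(rdata)))
    return addresses


# Constructed reply (not a real capture): same ID as the query, flags 0x8180 (QR=1, RD=1, RA=1),
# the question echoed back, one A record whose name is a pointer (0xC00C) to the question name,
# TTL 300 seconds, address 93.184.216.34.
QUERY = build_query("www.example.com", txid=0x1234)
RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(parse_a_records(RESPONSE, 0x1234))
```

To run it against a real resolver, send QUERY with a UDP socket to port 53 of the resolver and pass the datagram you receive to parse_a_records with the same ID. A real stub resolver also randomizes the source port, because a 16-bit ID alone is a weak defence against spoofed replies.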
Overview of Vulnerability Scanning
Vulnerability
• A vulnerability is a weakness that allows an attacker to reduce a system's
security (its confidentiality, integrity or availability).
• Vulnerability scanning usually refers to the scanning of systems that are
connected to the Internet.
• It can also refer to system scanning or audits on internal networks that are
not connected to the Internet, in order to assess the threat of malicious
software and of weak configuration.
• It is possible to apply the basic security measures when installing and
managing networks and websites, but it is not possible to catch by hand all
the vulnerabilities that reside in them; scanning automates that search.
Cont...
Classification of Vulnerabilities by Source
Vulnerabilities originate from three sources:
• Vendor-originated: this includes software bugs, missing operating system
patches, vulnerable services, insecure default configurations, and web
application vulnerabilities.
• System administration-originated: this includes incorrect or unauthorized
system configuration changes, lack of password protection policies, and so on.
• User-originated: this includes sharing directories with unauthorized parties,
failure to run virus scanning software, and malicious activities, such as
deliberately introducing system backdoors.
Types Of Vulnerability Scanners
There are generally two types of vulnerability scanning tools:
1. Network-based scanning tool:
Network-based scanning tools send network traffic to various network hosts and
devices, with the goal of gathering information that will indicate whether those
systems have holes that can be exploited. They see only what is reachable over
the network: open ports, banners and the responses to probes.
Example: OpenVAS (vulnerability scanner), Nmap (port and service scanner, with
vulnerability-check scripts), Nikto (web server scanner). Wireshark is often used
alongside them to inspect the traffic, but it is a packet analyzer, not a scanner.
2. Host-based scanning tool:
Host-based scanning tools are run on each host, with local privileges, to scan for
a wide range of system problems, including unauthorized software, unauthorized
accounts, unprotected logins, weak passwords and inappropriate access
permissions. They find problems that are invisible from the network.
Example: OSSEC (host intrusion detection with file integrity and rootkit checks),
Lynis (host security audit)
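What a host-based check actually looks like, as an added example that is not from the slides or from any of the tools named above: a few account checks run over local copies of /etc/passwd and /etc/shadow. The two files below are constructed for the example (the hashes are placeholders, not real crypt output) and contain a second UID 0 account, an empty password and a reused password, the kind of findings the text lists.

```python
from dataclasses import dataclass

# Constructed sample account files (not taken from any real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$hashhashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
toor:$6$saltsalt$hashhashhashhash:19700:0:99999:7:::
alice:$6$saltsalt$adifferenthash:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""


@dataclass(frozen=True)
class Finding:
    account: str
    check: str
    detail: str


def audit_accounts(passwd: str, shadow: str) -> list:
    """Run account-hygiene checks of the kind a host-based scanner performs with local file access."""
    shadow_hash = {}
    for line in shadow.splitlines():
        if line and not line.startswith("#"):
            name, pw_hash = line.split(":")[:2]
            shadow_hash[name] = pw_hash

    findings = []
    uid0_accounts = []
    accounts_by_hash = {}
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw_field, uid, _gid, _gecos, _home, shell = line.split(":")[:7]
        interactive = not shell.endswith(("nologin", "/false"))
        if uid == "0":
            uid0_accounts.append(name)
        if pw_field != "x":
            findings.append(Finding(name, "hash-in-passwd",
                                    "password field is not 'x': hash or empty password in a world-readable file"))
        if name not in shadow_hash:
            findings.append(Finding(name, "no-shadow-entry", "account has no /etc/shadow line"))
            continue
        pw_hash = shadow_hash[name]
        if pw_hash == "" and interactive:
            findings.append(Finding(name, "empty-password", "login shell with an empty password field"))
        if pw_hash.startswith("$"):        # a real hash, not a '*' or '!' lock marker
            accounts_by_hash.setdefault(pw_hash, []).append(name)

    for name in uid0_accounts:
        if name != "root":
            findings.append(Finding(name, "extra-uid0", "additional account with UID 0 (possible backdoor)"))
    for names in accounts_by_hash.values():
        if len(names) > 1:                 # identical salt and hash means identical password
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append(Finding(name, "shared-hash", f"same password hash as {others}"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(PASSWD, SHADOW):
        print(f"{f.account:8} {f.check:16} {f.detail}")
```

On a real host the function would be fed the contents of /etc/passwd and /etc/shadow, which is exactly why this class of check needs root on the target and cannot be done by a network-based scanner.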
Cont…
• Vulnerability scanners provide automated security auditing and play an
important role in IT security.
• Vulnerability scanners can scan your network and websites for thousands of
different known security risks.
• A scanner produces a list of the vulnerabilities it found, usually with a
severity rating, and gives steps on how to remove or reduce them.
Cont…
Cloud-Based Vulnerability Scanners
• Used to find vulnerabilities within cloud-hosted systems such as web
applications, WordPress, and Joomla; the scanner itself runs as a service and
scans the target from the outside.
Host-Based Vulnerability Scanners
• Used to find vulnerabilities on a single host or system such as an individual
computer or a network device like a switch or core router.
Network-Based Vulnerability Scanners
• Used to find vulnerabilities in an internal network by scanning for open ports.
The tool identifies the service running on each open port and then determines
whether that service and version has known vulnerabilities.
Database-Based Vulnerability Scanners
• Used to find vulnerabilities in database management systems. Databases are
the backbone of any system storing sensitive information. Vulnerability
scanning is performed on database systems to prevent attacks like SQL
injection.
False Negative
• Vulnerability scanners use predefined tests to identify vulnerabilities (also
called vulns).
• If the scanner has no test, or an insufficient test, for a vulnerability, then it
does not report that the vulnerability exists on the system.
• This is known as a false negative. It is the more dangerous kind of error,
because a clean report creates a false sense of security.
False Positive
• If the scanner has a poorly written test, then it reports a vulnerability even
though it does not exist on the system. This is a false positive. A common
cause is judging by version number alone: a service whose banner shows an old
version may already carry a backported fix.
• False positives waste time, because administrators must follow up and
manually check whether the reported vulnerability is actually present.
Two free tools used later in this chapter for such manual checks are Netcat and
Socat. They are not vulnerability scanners themselves, but they let you talk to a
service directly and confirm what a scanner reported:
• Netcat
• Socat
Zero-day Vulnerability
• A zero-day vulnerability is a hole in software that is unknown to the vendor,
so no patch exists for it.
• This security hole is then exploited by attackers before the vendor becomes
aware and hurries to fix it; such an exploit is called a zero-day attack.
• Zero-day vulnerabilities are particularly dangerous because they represent a
gap in knowledge between the attacker and the defender.
• A vulnerability scanner can only detect a zero-day once a test for it has
been written, so scanning does not protect against zero-days; hardening,
least privilege and monitoring for exploitation do.
Common Vulnerabilities
SQL Injection (SQLi):
• Description: SQL injection is a code injection technique where an attacker
can insert malicious SQL statements into a query, potentially gaining
unauthorized access to a database.
• Prevention: Use parameterized queries or prepared statements, input
validation, and least privilege principles.
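The injection and its fix side by side, as an added example (not from the slides), using Python's built-in sqlite3 module against a constructed in-memory users table. The two payloads are constructed too: the first closes the quoted string and comments out the password check, the second turns the WHERE clause into a tautology. The same payloads are harmless against the parameterized version because the driver never lets them become SQL.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table. Passwords are stored in clear only to keep the
    injection visible; a real application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Attacker-controlled text is pasted into the statement, so quotes and comments change its logic."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized query: the driver sends values separately, so they can never become SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Constructed payloads: a comment-out and a tautology.
PAYLOADS = ["alice' --", "' OR 1=1 --"]

if __name__ == "__main__":
    conn = setup_db()
    for payload in PAYLOADS:
        print(repr(payload), "vulnerable:", login_vulnerable(conn, payload, "wrong"),
              "safe:", login_safe(conn, payload, "wrong"))
```

Least privilege completes the picture: even the vulnerable query can do less damage if the database account it runs under can only read the users table.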

Cross-Site Scripting (XSS):
• Description: XSS involves injecting malicious scripts into web pages that
are viewed by other users. It can lead to the theft of sensitive information
or session hijacking.
• Prevention: Input validation, output encoding appropriate to the context
where the data is inserted (HTML body, attribute, JavaScript, URL), and
secure coding practices such as a Content Security Policy.
Cont...
Cross-Site Request Forgery (CSRF):
• Description: CSRF is an attack where a malicious website causes a user's
web browser to perform an unwanted action on a trusted site where the
user is authenticated, because the browser attaches the user's cookies to
the forged request automatically.
• Prevention: Use anti-CSRF tokens, set the SameSite attribute on session
cookies, and never perform state-changing actions in response to GET requests.
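The token defence in working form, as an added example that is not from the slides. The token is bound to the session with an HMAC over a server secret, so a token the attacker obtains for their own session does not verify for the victim's; the request object, session ids and the SECRET_KEY loaded here are all constructed stand-ins for what a web framework would supply.

```python
import hashlib
import hmac
import secrets

# Server-side secret; a real deployment loads it from configuration (assumption for this example).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session with an HMAC, so a token from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)     # constant-time comparison


def session_cookie_header(session_id: str) -> str:
    """SameSite=Lax stops the browser attaching the cookie to cross-site POSTs in the first place."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def handle_transfer(request: dict) -> str:
    """State-changing endpoint. `request` is a constructed stand-in for a framework request:
    {"method": ..., "cookies": {...}, "form": {...}}."""
    if request.get("method") != "POST":
        return "405 Method Not Allowed"       # never change state on GET
    session_id = request.get("cookies", {}).get("session")
    token = request.get("form", {}).get("csrf_token", "")
    if not session_id or not verify_csrf_token(session_id, token):
        return "403 Forbidden"
    return "200 OK"


if __name__ == "__main__":
    victim = "sess-victim"
    # Legitimate form: the page embedded a token issued for the victim's own session.
    print(handle_transfer({"method": "POST", "cookies": {"session": victim},
                           "form": {"csrf_token": issue_csrf_token(victim)}}))
    # Cross-site form: the browser attaches the victim's cookie, but the attacker cannot read a token.
    print(handle_transfer({"method": "POST", "cookies": {"session": victim}, "form": {}}))
    # Attacker supplies a token from their own session: rejected, the HMAC is bound to the session.
    print(handle_transfer({"method": "POST", "cookies": {"session": victim},
                           "form": {"csrf_token": issue_csrf_token("sess-attacker")}}))
```

The token does not need to be single-use for CSRF purposes: the attacker's problem is that they cannot read it at all, since the same-origin policy keeps the victim's page content away from the attacker's site.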

Buffer Overflow:
• Description: Buffer overflow occurs when a program writes more data to a
block of memory, or buffer, than was allocated for it, overwriting adjacent
memory and potentially leading to code execution by an attacker.
• Prevention: Bounds checking, input validation, memory-safe languages or
library functions, and compiler and OS mitigations (stack canaries, ASLR,
non-executable stacks).
Cont...
Security Misconfigurations:
• Description: Improperly configured settings, permissions, or default
configurations (default credentials, directory listings, verbose error pages)
can expose sensitive information or provide unauthorized access.
• Prevention: Regularly audit configurations, follow security best practices,
and minimize unnecessary services.

Insecure Direct Object References (IDOR):
• Description: IDOR occurs when an application provides direct access to
objects based on user-supplied input (for example an id in the URL) without
checking that the caller is allowed to see that object, allowing unauthorized
access to data.
• Prevention: Implement proper access controls on every object lookup, validate
user input, and use indirect references rather than direct references.
Open Port/Service Identification
• Some services are very insecure. Telnet (port 23) is famous for its lack of
encryption, which leaks passwords to anyone on the path.
• Hence Secure Shell (SSH) became the accepted replacement and reduced the
presence of Telnet on the Internet.
• Services do not always run on their default ports, so a scanner cannot trust
the port number; it must rely on banners and "nudges" to produce a
response from a listening port.
• Services do not always announce themselves the same way. Telnet and SMTP
(port 25) return a text banner as soon as a connection is established, without
waiting for any incoming data.
• HTTP (port 80) does not respond to a connection until the service receives a
request that contains data.
• By watching whether a port speaks first or only after a request, a scanner can
distinguish whether an HTTP or an SMTP service is listening on a non-standard
port.
Banner/Version Check
• Some services declare information about themselves without receiving
any particular data from a client.
Banner Grabbing:
• Banner grabbing is a technique used to gain information about a computer
system on a network and the services running on its open ports.
• Administrators can use this to take inventory of the systems and services on
their network.
• Tools commonly used to perform banner grabbing are Telnet, nmap, zmap and
Netcat.
Example:
• SSH: the server sends its protocol and software version string (a line
beginning SSH-2.0-) as soon as a client connects, before any authentication.
• If you know the version of SSH and the target operating system, it is much
easier for someone to find a matching exploit and compromise the host.
• System administrators usually remove or change banners to make them
less informative, but this doesn't remove the vulnerability; only patching does.
Probe
• In computer security, a probe is an attempt to gain access to a computer and
its files through a known or probable weak point in the computer system.
• A probe is also an action taken or an object used for the purpose of learning
or collecting data about the state of the network.
• For example, an empty message can be sent simply to see whether the
destination actually exists. Ping is a common utility for sending such a probe.
Two types of probe:
• Traffic Probe
• Vulnerability Probe
Traffic Probe
• Some services declare information about themselves without receiving
any particular data from a client.
• Not all services do that. However, many of them will if you just ask.
• For example, a web service will not respond until it receives data from
the client.
• A valid HTTP request using the HEAD method returns the response headers
only, which typically include the web server software and version and
sometimes the installed server operating system, all of it useful to an
attacker planning to compromise the host.
• Traffic probes try to use valid requests, because valid protocol messages are
less likely to crash or interrupt a service.
• If a web server cannot handle a HEAD request without crashing, the chance of
compromising it increases, so such a buggy service must be fixed to lower the
chances of compromise.
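The banner grab with a nudge, covering both the banner/version check and the traffic probe above, as an added example that is not from the slides or from any of the tools named there. The scanner first reads whatever the service volunteers; if the port stays silent it sends a valid HTTP HEAD request and reads again, then classifies the service from the banner text rather than from the port number. The two "services" it is run against are constructed loopback listeners (start_fake_service) with made-up banners, so the example runs offline.

```python
import socket
import threading

HTTP_NUDGE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def grab_banner(host: str, port: int, timeout: float = 1.0, nudge: bytes = HTTP_NUDGE) -> dict:
    """Read whatever the service volunteers; if it stays silent, send a valid request and read again."""
    result = {"port": port, "banner": "", "nudged": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(1024)              # SSH, SMTP, FTP speak first
        except socket.timeout:
            data = b""
        if not data:                            # HTTP waits for the client
            sock.sendall(nudge)
            result["nudged"] = True
            try:
                data = sock.recv(1024)
            except socket.timeout:
                data = b""
    result["banner"] = data.decode("latin-1", "replace").strip()
    return result


def identify(banner: str) -> str:
    """Guess the protocol from the banner text, regardless of which port it was found on."""
    first_line = banner.splitlines()[0] if banner else ""
    if first_line.startswith("SSH-"):
        return "ssh"
    if first_line.startswith("220 "):
        return "smtp-or-ftp"
    if first_line.startswith("HTTP/"):
        for line in banner.splitlines():
            if line.lower().startswith("server:"):
                return "http (" + line.split(":", 1)[1].strip() + ")"
        return "http"
    return "unknown"


def start_fake_service(greeting: bytes, reply: bytes) -> int:
    """Constructed stand-in for a real listener, for offline use. A non-empty `greeting` is sent on
    connect (talkative service); otherwise the service waits for a request and answers with `reply`.
    Returns the ephemeral loopback port it listens on; it serves one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        with srv, conn:
            if greeting:
                conn.sendall(greeting)
            else:
                conn.recv(1024)
                conn.sendall(reply)

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed banners; the ports are deliberately not 22 and 80.
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n", b"")
    web_port = start_fake_service(b"", b"HTTP/1.0 200 OK\r\nServer: nginx/1.24.0\r\n\r\n")
    for port in (ssh_port, web_port):
        r = grab_banner("127.0.0.1", port)
        print(port, "nudged" if r["nudged"] else "volunteered", identify(r["banner"]))
```

The nudge is a complete, valid HEAD request on purpose: it is the traffic-probe principle from the text, and a server that falls over on it has told you something too.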
Vulnerability Probe
• Some security bugs cannot be identified without sending a payload that
exploits (takes advantage of) a suspected vulnerability.
• These types of probes are more accurate: they rely on direct observation, not
only on port numbers or service banners.
• But they also carry more risk of interrupting the service, because the test
payload must try either to produce or to take advantage of an error in the
service's code.
• An easy-to-understand example of a vulnerability probe is an HTML injection
check for a web application.
• A snippet of the page's HTML might look like <div id="search"><span
class="results">Results for 'zombies'...</span>, where the word zombies came
straight from the user's search request. The probe searches for a term that
contains HTML, such as <b>zombies</b>, and checks whether the tag comes back
unescaped in the page.
• An attacker who exploits an HTML injection vulnerability like this could steal
data from the user or damage the web site.
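The HTML injection probe just described, which is also the check behind the XSS entry in the common vulnerabilities list, as an added example (not from the slides). The two page renderers are constructed stand-ins for the search page in the snippet, one concatenating the term raw and one applying output encoding; the probe takes a render function in place of the HTTP round trip so it runs offline. It deliberately injects an inert unknown tag with a random marker rather than a script: direct observation of reflection is what the probe needs, not a working attack.

```python
import html
import secrets


def search_page_vulnerable(query: str) -> str:
    """Renders the snippet from the slide with the search term concatenated straight into the markup."""
    return f'<div id="search"><span class="results">Results for \'{query}\'...</span></div>'


def search_page_fixed(query: str) -> str:
    """Same page with output encoding: HTML metacharacters are escaped before insertion."""
    safe = html.escape(query, quote=True)
    return f'<div id="search"><span class="results">Results for \'{safe}\'...</span></div>'


def probe_html_injection(render) -> dict:
    """Vulnerability probe: submit a canary tag with HTML metacharacters and check how it comes back.

    `render` stands in for the HTTP round trip (request carrying the payload, response body).
    The canary is an unknown tag, which browsers ignore, rather than <script>.
    """
    marker = secrets.token_hex(4)          # random, so a match cannot be a coincidence
    payload = f"<zz{marker}>"
    body = render(payload)
    return {
        "payload": payload,
        "reflected_raw": payload in body,                     # metacharacters survived: injectable
        "reflected_encoded": html.escape(payload) in body,   # came back as &lt;zz...&gt;: encoded
        "vulnerable": payload in body,
    }


if __name__ == "__main__":
    for name, page in [("vulnerable", search_page_vulnerable), ("fixed", search_page_fixed)]:
        print(name, probe_html_injection(page))
```

A scanner's XSS check is this probe repeated for each parameter and each injection context (body, attribute, script), with the encoding expected in that context; the fixed renderer here covers the HTML body context only.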
Cont…
• The hacker can take advantage of a vulnerability to compromise the system or
network.
• The outcome may be to crash the software, causing a denial of service; to
retrieve data, like pulling usernames and passwords from a database; or to
completely compromise the operating system by gaining root or
administrator access.
• Exploits take many shapes. An exploit can be binary shellcode or a clever bit
of text appended to a URL parameter.
• Discovering a vulnerability typically just means uncovering a software fault.
• Developing an exploit means taking advantage of that software fault to give
the attacker an advantage against the system.
TCP/IP Ports and Sockets
• On a TCP/IP network every device must have an IP address.
• The IP address identifies the device, e.g. a computer.
• However an IP address alone is not sufficient for running network
applications, as a computer can run multiple applications and/or services.
• Just as the IP address identifies the computer, the network port
identifies the application or service running on the computer.
• The diagram on the slide (not reproduced here) shows a computer-to-computer
connection and identifies the IP addresses and ports.
Cont…
• A socket is the combination of IP address + port.
• A connection between two computers is identified by a pair of sockets: the
client's IP address and port and the server's IP address and port.
Port Number Ranges and Well Known Ports
• A port number uses 16 bits and so can have a value from 0 to 65535 decimal.
Port numbers are divided into ranges as follows:
Cont…
• Port numbers 0-1023: well-known ports.
These are allocated to server services by the Internet Assigned Numbers
Authority (IANA). E.g. web servers normally use port 80 and SMTP servers use
port 25. On Unix-like systems, binding to these ports requires root privileges.
• Ports 1024-49151: registered ports.
These can be registered for services with the IANA and should be treated as
semi-reserved. User-written programs should not use these ports.
• Ports 49152-65535: dynamic ports.
These are used by client programs and you are free to use them in client
programs. When a web browser connects to a web server, the browser will
allocate itself a port in this range. Also known as ephemeral ports.
Port    Assignment
20      File Transfer Protocol (FTP) data transfer
21      File Transfer Protocol (FTP) command control
22      Secure Shell (SSH) secure login
23      Telnet remote login service, unencrypted text messages
25      Simple Mail Transfer Protocol (SMTP) e-mail routing
53      Domain Name System (DNS) service
67, 68  Dynamic Host Configuration Protocol (DHCP)
80      Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110     Post Office Protocol (POP3)
119     Network News Transfer Protocol (NNTP)
123     Network Time Protocol (NTP)
143     Internet Message Access Protocol (IMAP) management of digital mail
161     Simple Network Management Protocol (SNMP)
194     Internet Relay Chat (IRC)
443     HTTP Secure (HTTPS) HTTP over TLS/SSL
Port Scanning
Port scanner:
• Software designed to probe a server or host for open ports.
• Used by administrators to verify the security policy.
• Used by attackers to identify the services running on a host.
Port scan:
• A process that sends client requests to a range of ports on a server to find
the active ones.
Open port:
• The host completes the handshake (for TCP, it answers the SYN with SYN/ACK),
indicating the port is active.
Closed port:
• The host replies (for TCP, with an RST) that the connection is refused; the
host is reachable but nothing is listening.
Filtered:
• There was no reply from the host, usually because a firewall dropped the
probe; the scanner cannot tell whether a service is there.
• A vulnerability can be in the service behind an open port or in the operating
system of the running host.
Vulnerability Scanning vs. Penetration Testing
Network Vulnerability Scanning - Netcat
• Netcat performs one function with broad application to hacking and
network debugging: it reads and writes data over TCP and UDP connections.
• Netcat enables you to redirect shell commands across a network.
• Netcat interacts directly with a TCP or UDP service.
• You can inspect the raw data sent by a service, manually interact with the
service, or redirect network connections to and from stdin and stdout.
• You can connect to text-based protocols like SMTP and HTTP, UDP services
like DNS, and even binary protocols.
• Netcat is often called the "Swiss Army knife" of hacking.
Uses of Netcat
Hackers have come up with hundreds of ways to use Netcat.
Some of the uses of Netcat are given here:
• Obtain remote access to a shell (a listener that hands its stdin and stdout to a shell)
• Perform basic port scanning
• Identify more information about open ports (banner grabbing)
• Communicate with UDP services
• Choose the source address of a connection (often described as IP spoofing)
• Hijack a service
• Create proxies and relays
• Bypass port filters
Socat
• Socat is a Netcat-like tool with extensive configuration options.
• It supports several protocols and transports, from OpenSSL to proxies to IPv4
and IPv6.
• Socat uses word-based directives on the command line.
• Socat is part of the BSD ports collection and available as a package for most
Linux distributions.
Socat's command line follows a simple format, as follows:
• $ socat options address1 address2
• The options resemble common "dash letter" flags such as -d, -h, and -v.
• Each of the two addresses specifies one end of the relay. A basic address
specification consists of a keyword (the address type) followed by its
parameters, separated by colons, and optional behaviour options, separated
by commas.
