VULNERABILITY ASSESSMENT AND PENETRATION TESTING

Hiral Patel
@gisacouncil
Vulnerability
In very simple words, a vulnerability is a weakness in a system that can compromise the
confidentiality, integrity or availability of that system.
It can exist for various reasons, such as programming errors, design flaws,
misconfigurations, outdated software, weak passwords, or inadequate security controls.
Attackers actively seek out vulnerabilities to gain unauthorized access, steal sensitive
information, disrupt services, or carry out other malicious activities.
Types of Vulnerability

Software Vulnerabilities
Present in software applications, operating systems, or libraries; they result from
programming mistakes, poor coding practices, or inadequate security testing.
Examples: buffer overflows, SQL injection, cross-site scripting (XSS), or insecure
deserialization.

Configuration Vulnerabilities
Improper configuration or setup of systems, applications, or network devices.
Examples: default or weak passwords, unnecessary services enabled, lack of access
controls, or misconfigured permissions.

Network Vulnerabilities
Weaknesses in network infrastructure, protocols, or configurations that can be
exploited to gain unauthorized access or disrupt network services.
Examples: open ports, weak encryption protocols, misconfigured firewalls, or
unpatched network devices.

Human-Induced Vulnerabilities
Because of a lack of awareness, people fail to follow security best practices.
Examples: clicking on malicious links or attachments, falling for phishing scams,
sharing confidential information on social media.
Vulnerability metrics
Vulnerability metrics are standardized measures used to assess and quantify the
characteristics of security vulnerabilities in software, systems, or networks. These
metrics help security professionals and organizations better understand the severity,
impact, and risk associated with each vulnerability.

NVD
NVD stands for the National Vulnerability Database. It is a U.S. government-funded
repository that serves as a comprehensive catalog of information about software
vulnerabilities. NVD is maintained by the National Institute of Standards and Technology
(NIST) Computer Security Division and is sponsored by CISA. The database collects and
disseminates information on known vulnerabilities (catalogued by their CVE identifiers)
in various software products, including their descriptions, severity scores, affected
product versions, and references to vendor advisories and fixes.
CVSS
The Common Vulnerability Scoring System (CVSS) is an open set of standards used to
assess a vulnerability and assign a severity on a scale of 0 to 10. The NVD provides
CVSS "base scores", which represent the innate characteristics of each vulnerability
(the temporal and environmental metrics, which adjust the score for a particular
organization, are not part of the base score). The severity ratings as per the
CVSS v3.1 specification are:

Severity    Base Score
None        0
Low         0.1 - 3.9
Medium      4.0 - 6.9
High        7.0 - 8.9
Critical    9.0 - 10.0
WHAT IS PENETRATION TESTING?
In simple words, actually exploiting the weaknesses found during a vulnerability
assessment is called penetration testing. A typical engagement moves through the
following steps.

Step 1 - Information Gathering / Reconnaissance
The more you know about your target, the better the chances that you find the right
vulnerabilities and exploits to work for you.

Step 2 - Enumeration
Allows us to know exactly which services are running on the target system (including
types and versions), and other information such as users, shares, and DNS entries.
Enumeration prepares a clearer blueprint of the target we are trying to penetrate.

Step 3 - Gaining Access
Gaining access to the target system involves exploiting one or many of the
vulnerabilities found during the earlier stages, and possibly bypassing the security
controls deployed on the target system (such as antivirus, firewall, IDS, and IPS).

Step 4 - Privilege Escalation
Quite often, exploiting a vulnerability on the target gives only limited access to the
system. However, we want complete root/administrator level access to the target in
order to get the most out of the exercise. This can be achieved using various
techniques to escalate the privileges of the existing user.

Step 5 - Maintaining Access
So far, it has taken a lot of effort to gain root/administrator level access to the
target system. Now, what if the administrator of the target system restarts it? All our
hard work would be in vain. To avoid this, we make provision for persistent access to
the target system so that a restart won't affect our access.

Step 6 - Covering Tracks
It is quite possible that our activities have triggered an alarm on the target's security
systems. The incident response team may already be in action, tracing all the evidence
that may lead back to us. Based on the agreed penetration testing contract terms, we
need to remove all the tools, exploits, and backdoors that we uploaded to the target
during the compromise.
TYPES OF PENETRATION TESTING
WHITE BOX TESTING
MEANING
The internal workings of the target system are fully known to the testers. This includes
access to network configurations, architecture diagrams, source code, and other
comprehensive data.

ADVANTAGE
Permits a comprehensive and in-depth analysis of the system. Testers are able to identify
particular weaknesses that an outsider would not reach.

DISADVANTAGE
It might not accurately simulate real-world situations where adversaries lack this degree
of in-depth knowledge.
BLACK BOX TESTING
MEANING
The target system is unknown to the testers beforehand. They have the same amount of
information going into the assessment as an outside attacker would.

ADVANTAGE
Mimics a realistic attack scenario and offers a novel viewpoint on possible weaknesses

DISADVANTAGE
Lack of knowledge about internal systems may prevent all vulnerabilities from being
found.
GRAY BOX TESTING
MEANING
Gray box testing is a type of penetration testing that combines elements of both black box
and white box testing. In gray box testing, the testing team has partial knowledge of the
target system.

ADVANTAGE
Strikes a balance between detailed knowledge and a realistic attack scenario. Can be
efficient in targeting critical areas.

DISADVANTAGE
Still may not be as comprehensive as white box testing.
BLIND TESTING
MEANING
A blind pen-test approach mimics the methods used by actual cybercriminals. This is accomplished
by giving the tester very little information prior to the test procedure. For example, before they
begin work, they might only be given the name of the company or the URL of the website.

ADVANTAGE
Tests the organization's ability to detect and respond to a real-world attack

DISADVANTAGE
May not uncover all vulnerabilities due to limited initial knowledge
DOUBLE BLIND TESTING
MEANING
The details of the penetration test are unknown to the testers and the organization's security team.
This is kept confidential until the test begins.

ADVANTAGE
Provides a highly realistic assessment, as neither party has any knowledge of the test
details. Simulates a real-world attack scenario with no bias.

DISADVANTAGE
Requires careful planning and coordination between the testing team and the
organization.
INTERNAL PENETRATION TESTING
MEANING
Internal penetration testing focuses on assessing the security of an organization's internal
network, systems, applications, and assets. It looks for flaws and vulnerabilities in the scenario
where an attacker has already gained access to the internal network. It evaluates the security of
internal servers, workstations, databases, applications, and more by simulating the actions of an
insider attacker, such as an employee, a contractor, or anyone with authorized access.

ADVANTAGE
Simulates a real-world attack scenario where an insider or an attacker with some level of
internal access attempts to exploit vulnerabilities.

DISADVANTAGE
Focuses primarily on the internal network, which means it may not uncover vulnerabilities
in external-facing systems or cloud-based services.
EXTERNAL PENETRATION TESTING
MEANING
Focused on evaluating the security of an organization's external-facing systems, networks, and
applications. Unlike internal penetration testing, which assumes an attacker has already gained
some level of access to the internal network, external penetration testing simulates an attack from
an external source, such as the Internet.

ADVANTAGE
Simulates real-world attack scenarios, providing a comprehensive assessment of an
organization's external security posture.

DISADVANTAGE
Focuses primarily on the external network, which means it may not uncover vulnerabilities
in internal systems.
DIFFERENCE BETWEEN VA (VULNERABILITY ASSESSMENT) AND PT (PENETRATION TESTING)
In layman's words, suppose a thief intends to rob a house. To proceed with his plan, he decides to
do a preliminary survey. During this survey, he notices that there is a window at the back of the
house which is often open and easy to break. This step of identifying the vulnerable window is
similar to vulnerability assessment.

After a few days, the thief decides to put his plan into action. He enters the house through the
back window that he discovered earlier during his preliminary survey (reconnaissance). This step,
where he actively exploits the vulnerability he found, is analogous to penetration testing.
Objective
VA: The goal is to identify and prioritize security vulnerabilities in systems, networks, or
applications. It aims to create a comprehensive list of weaknesses, misconfigurations, and
potential entry points for attackers.
PT: The goal is to actively simulate real-world cyberattacks on a target system to test the
effectiveness of the security controls and measures in place. It also includes assessing the
organization's ability to detect and respond to attacks.

Methodology
VA: An automated or semi-automated process that scans and examines the target system for
known vulnerabilities and common misconfigurations. It uses various security scanning tools
and does not attempt to exploit the identified vulnerabilities.
PT: A manual and active process in which ethical hackers (pen testers) attempt to exploit the
vulnerabilities found during the vulnerability assessment. It may use both automated tools and
manual techniques to simulate real-world attack scenarios.

Scope
VA: Covers a broader scope, focusing on identifying as many vulnerabilities as possible within
the target systems.
PT: Focuses on specific, high-priority vulnerabilities, simulating real-world attack scenarios
that could cause significant damage if exploited.

Outcome
VA: A comprehensive report listing all identified vulnerabilities, their severity levels, and
recommendations for remediation. It does not involve exploitation or attempting to gain
unauthorized access.
PT: A detailed report of the vulnerabilities successfully exploited, the methods used, and the
potential impact on the organization's security. It also includes recommendations for
remediation and for improving the overall security posture.

Tools Used
VA: Nessus, Nmap, OpenVAS, Nikto, Netsparker, Burp Suite, etc.
PT: Metasploit Framework, Nmap, Wireshark, Burp Suite, Aircrack-ng, SQLmap, Hydra, etc.
Purpose of Conducting VAPT at Regular Intervals
To warn business owners about the potential security loopholes and vulnerabilities
present in their network and internet-facing assets such as web applications, mobile
applications, APIs, databases, endpoint devices, network devices, servers, etc.
It helps to identify and prioritize security vulnerabilities, misconfigurations, and
weaknesses in systems, networks, and applications.
VA assists organizations in meeting regulatory requirements and security standards
by identifying and addressing vulnerabilities that could lead to data breaches or
non-compliance.
By conducting vulnerability assessments regularly, organizations can take proactive
measures to fix weaknesses before they are exploited by malicious actors; a single
assessment only describes the state of the environment on the day it was run.
PT assesses the effectiveness of security controls, policies, and incident response
mechanisms. It helps to validate whether the security measures in place are
adequately protecting the organization's assets.
Thank You
I hope it was useful.
Follow me on LinkedIn for more educational content.