Vulnerability Identification & Analysis
Once you have collected information about your target, you’ll want to start thinking about how to use that information in your attack strategy. This is called vulnerability analysis and we’ll see that there are many resources to help you discover how to compromise a system.
Vulnerability testing is the process of discovering flaws in systems and applications which can be leveraged by an attacker. These flaws can range anywhere from host and service misconfiguration, or insecure application design. Although the process used to look for flaws varies and is highly dependent on the component being tested, some key principals apply to the process.
Nmap or Network Mapper is a free and open-source tool that allows for network discovery and security auditing. Nmap can be used either offensively, to probe and examine a target network, or defensively to help network administrators better understand their network structure and detect potential security risks. It can be installed on any operating system. Nmap can also be used to identify vulnerabilities by using the Nmap Scripting Engine (NSE). In Kali Linux, the directory for the NSE scripts can be found at /usr/share/nmap/scripts.
Before you use any specific scripts, you can and should use the -sC switch to have Nmap run some basic scripts on a target. This switch will run Nmap’s default “safe” scripts. Here is an example:
# nmap -v -T4 -sC -sV -p- 10.0.6.216 --open
To run a specific script from the /scripts directory, it’s important to try and specify the correct port/service for that script. Here’s an example:
# nmap -v -T4 -p 21 --script ftp-vsftpd-backdoor 10.0.6.216
Nikto is an open-source web scanner that performs over 6700 checks of outdated and potentially dangerous versions of servers. It is quick and easy to use and can potentially net you some results very quickly. You can use the -help command to see all the available options, but here is the quickest way to perform a web application vulnerability scan using Nikto:
# nikto -h 10.0.6.216
OpenVAS is one of the more popular vulnerability scanning tools. It is free and easily configurable in Kali Linux. Here are the commands to get OpenVAS up and running:
# apt-get update
# apt-get dist-upgrade
# apt-get install openvas
Give it some time to start, after a view minutes you should be able to log in at the following location: https://127.0.0.1:9392.
Often you may forget to take note of the password for the admin account. If this happens you can try the following to create a new admin password.
# openvasmd --user=admin --new-password=letmein
Nessus is the go-to tool for enterprise vulnerability scans. Nessus is free (Nessus Home) for the first 16 IP addresses. However, you will need to fill out a short form (First Name, Last Name, and Email Address) to receive a free license. If you want more features, you can purchase a one-year Nessus Pro license for $2,390. There is also a trial option to try the Pro version for 7 days.