Vulnerability Identification & Analysis

Once you have collected information about your target, you’ll want to start thinking about how to use that information in your attack strategy. This is called vulnerability analysis and we’ll see that there are many resources to help you discover how to compromise a system.

Vulnerability testing is the process of discovering flaws in systems and applications which can be leveraged by an attacker. These flaws can range anywhere from host and service misconfiguration, or insecure application design. Although the process used to look for flaws varies and is highly dependent on the component being tested, some key principles apply to the process.

Nmap

Nmap or Network Mapper is a free and open-source tool that allows for network discovery and security auditing. Nmap can be used either offensively to probe and examine a target network, or defensively to help network administrators better understand their network structure and detect potential security risks. It can be installed on any operating system. Nmap can also be used to identify vulnerabilities by using the Nmap Scripting Engine (NSE). In Kali Linux, the directory for the NSE scripts can be found at /usr/share/nmap/scripts.

Before you use any specific scripts, you can and should use the -sC switch to have Nmap run some basic scripts on a target. This switch will run Nmap’s default “safe” scripts. Here is an example:

# nmap -v -T4 -sC -sV -p- 10.0.6.216 --open

To run a specific script from the /scripts directory, it’s important to try and specify the correct port/service for that script. Here’s an example:

# nmap -v -T4 -p 21 --script ftp-vsftpd-backdoor 10.0.6.216

Reference(s):

• Nmap.org
• Nmap Scripting Engine (NSE)

Nikto

Nikto is an open-source web scanner that performs over 6700 checks of outdated and potentially dangerous versions of servers. It is quick and easy to use and can potentially net you some results very quickly. You can use the -Help command to see all the available options, but here is the quickest way to perform a web application vulnerability scan using Nikto:

# nikto -h 10.0.6.216

Reference(s):

• CIRT.net
• Kali Tools – Nikto

OpenVAS

OpenVAS is one of the more popular vulnerability scanning tools. It is free and easily configurable in Kali Linux. Here are the commands to get OpenVAS up and running:

# apt-get update

# apt-get dist-upgrade

# apt-get install openvas

# openvas-setup

# openvas-start

Give it some time to start, after a few minutes you should be able to log in at the following location: https://127.0.0.1:9392.

Often you may forget to take note of the password for the admin account. If this happens you can try the following to create a new admin password.

# openvasmd --user=admin --new-password=letmein

Reference(s):

• OpenVAS.org
• Offensive Security – OpenVAS 8.0 Vulnerability Scanning

Nessus

Nessus is the go-to tool for enterprise vulnerability scans. Nessus is free (Nessus Home) for the first 16 IP addresses. However, you will need to fill out a short form (First Name, Last Name, and Email Address) to receive a free license. If you want more features, you can purchase a one-year Nessus Pro license for $2,990. There is also a trial option to try the Pro version for 7 days.

Reference(s):

• Nessus Essentials (Free)
• Nessus Pro ($2,990)