03 - Performing Security Assessments
Outline
3.1- Assess Organizational Security with Network Reconnaissance Tools
3.2- Explain Security Concerns with General Vulnerability Types
3.3- Summarize Vulnerability Scanning Techniques
3.4- Explain Penetration Testing Concepts
Labs
Lab 1: Exploring the Lab Environment
Lab 2: Scanning and Identifying Network Nodes
Lab 3: Intercepting and Interpreting Network Traffic with Packet Sniffing Tools
Lab 4: Analyzing the Results of a Credentialed Vulnerability Scan
Security+ (SY0-601) 2
IPCONFIG, PING, AND ARP
• The process of mapping out the attack surface is referred to as network reconnaissance and discovery.
• Reconnaissance techniques are used by threat actors, but they can also be used by security professionals to test their own security systems, as part of a security assessment and ongoing monitoring.
• Topology discovery (or "footprinting") means scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network.
• Topology discovery can also be used to build an asset database and to identify non-authorized hosts (rogue system detection) or network configuration errors.
IPCONFIG, PING, AND ARP (cont.)
• Basic topology discovery tasks can be accomplished using the command line tools built into Windows and Linux.
• The following tools report the IP configuration and test connectivity on the local network segment or subnet:
ipconfig—show the configuration assigned to network interface(s) in Windows.
ifconfig—show the configuration assigned to network interface(s) in Linux.
ping—probe a host on a particular IP address or host name using Internet Control Message Protocol (ICMP). You can use ping with a simple script to perform a sweep of all the IP addresses in a subnet.
arp—display the local machine's Address Resolution Protocol (ARP) cache. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently.
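As an added example (not code from the course), the following Python script shows the rogue system detection use of the ARP cache: it parses constructed arp -a output in both the Linux and Windows formats and flags any MAC address that is absent from a hypothetical asset inventory.

```python
import re

# Constructed sample "arp -a" output (not captured from a real host). The first
# four lines use the Linux format, the rest the Windows format.
ARP_OUTPUT = """\
? (10.1.0.1) at 00:0c:29:3e:1a:9b [ether] on eth0
? (10.1.0.50) at 00:50:56:a1:22:33 [ether] on eth0
? (10.1.0.77) at 08:00:27:aa:bb:cc [ether] on eth0
? (10.1.0.200) at <incomplete> on eth0
Interface: 10.1.0.100 --- 0x4
  Internet Address      Physical Address      Type
  10.1.0.1              00-0c-29-3e-1a-9b     dynamic
  10.1.0.99             00-11-22-33-44-55     dynamic
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# Hypothetical asset inventory (MAC -> description). A host that answers ARP on
# the segment but is not listed here is a candidate rogue system.
ASSET_DB = {
    "00:0c:29:3e:1a:9b": "gateway router",
    "00:50:56:a1:22:33": "file server",
}

LINUX_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})", re.I)
WINDOWS_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+dynamic", re.I)


def parse_arp(text):
    """Return (ip, mac) pairs with MACs normalised to lower-case colon form.
    Incomplete Linux entries and Windows static entries (multicast/broadcast)
    carry no learned MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINUX_RE.search(line) or WINDOWS_RE.search(line)
        if match:
            entries.append((match.group(1), match.group(2).lower().replace("-", ":")))
    return entries


def find_rogues(entries, asset_db):
    """List the (ip, mac) pairs from the ARP cache whose MAC is unknown to the inventory."""
    return [(ip, mac) for ip, mac in entries if mac not in asset_db]


if __name__ == "__main__":
    for ip, mac in find_rogues(parse_arp(ARP_OUTPUT), ASSET_DB):
        print(f"unknown host {ip} ({mac})")
```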
IPCONFIG, PING, AND ARP (cont.)
• For more information about commands, including syntax usage, look up the command in an online resource for Windows (docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands) or Linux (linux.die.net/man).
• In Linux, commands such as ifconfig, arp, route, and traceroute are deprecated and the utilities have not been updated for some years. The iproute2 suite of tools supplies replacements for these commands (digitalocean.com/community/tutorials/how-to-use-iproute2-tools-to-manage-network-configuration-on-a-linux-vps).
ROUTE AND TRACEROUTE
• The following tools can be used to test the routing configuration and connectivity with remote hosts and networks:
route—view and configure the host's local routing table. Most end systems use a default route to forward all traffic for remote networks via a gateway router.
tracert—uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. tracert is the Windows version of the tool.
traceroute—performs route discovery from a Linux host. traceroute uses UDP probes rather than ICMP by default.
pathping—provides statistics for latency and packet loss along a route over a longer measuring period. pathping is a Windows tool; the equivalent on Linux is mtr.
IP SCANNERS AND NMAP
• Scanning a network using tools such as ping is time consuming and non-stealthy, and does not return detailed results.
• Most topology discovery is performed using a dedicated IP scanner tool.
• An IP scanner performs host discovery and identifies how the hosts are connected together in an internetwork.
• The Nmap Security Scanner (nmap.org) is one of the most popular open-source IP scanners.
• Nmap can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection.
SERVICE DISCOVERY AND NMAP
• Having identified active IP hosts on the network and gained an idea of the network topology, the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services.
• This process is described as service discovery.
• Service discovery can also be used defensively, to probe potential rogue systems and identify the presence of unauthorized network service ports.
SERVICE DISCOVERY AND NMAP (cont.)
• When Nmap completes a host discovery scan, it will report on the state of each port scanned for each IP address in the scope.
• At this point, you can run additional service discovery scans against one or more of the active IP addresses.
• Some of the principal options for service discovery scans are:
TCP SYN (-sS)—this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.
UDP scans (-sU)—scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
Port range (-p)—by default, Nmap scans 1000 commonly used ports, as listed in its configuration file. Use the -p argument to specify a port range.
OTHER RECONNAISSANCE AND DISCOVERY TOOLS
• There are hundreds of tools relevant to security assessments, network reconnaissance, vulnerability scanning, and penetration testing.
• Security distributions specialize in bundling these tools:
For Linux—KALI (kali.org) and ParrotOS (parrotlinux.org).
For Windows—see fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html.
OTHER RECONNAISSANCE AND DISCOVERY TOOLS (cont.)
• theHarvester
theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular domain or company name (github.com/laramies/theHarvester). It works by scanning multiple public data sources to gather emails, names, subdomains, IPs, URLs, and other relevant data.
• dnsenum
While you can use tools such as dig and whois to query name records and hosting details and to check that external DNS services are not leaking too much information, a tool such as dnsenum packages a number of tests into a single query (github.com/fwaeytens/dnsenum). As well as hosting information and name records, dnsenum can try to work out the IP address ranges that are in use.
OTHER RECONNAISSANCE AND DISCOVERY TOOLS (cont.)
• scanless
Port scanning is difficult to conceal from detection systems, unless it is performed slowly and results are gathered over an extended period. Another option is to disguise the source of probes. To that end, scanless is a tool that uses third-party sites (github.com/vesche/scanless). This sort of tool is also useful in a defensive sense, by scanning for ports and services that are open but shouldn't be.
• curl
curl is a command line client for performing data transfers over many types of protocol. This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.
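As an added example (not code from the course), this Python detector covers two points above: the half-open TCP SYN scan described under Nmap, and the observation that port scanning is hard to conceal unless it is slow. It runs over constructed connection log lines, flags a source that sends bare SYNs to many ports on one host within a short window, and shows that the same probes spread over hours fall below the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from a real device). Each line is
# "timestamp source destination:port tcp-flags"; "S" is a bare SYN, "A" an ACK.
LOG_LINES = """\
2024-03-01T09:00:00 10.1.0.77 10.1.0.50:21 S
2024-03-01T09:00:00 10.1.0.77 10.1.0.50:22 S
2024-03-01T09:00:00 10.1.0.77 10.1.0.50:23 S
2024-03-01T09:00:01 10.1.0.77 10.1.0.50:25 S
2024-03-01T09:00:01 10.1.0.77 10.1.0.50:80 S
2024-03-01T09:00:01 10.1.0.77 10.1.0.50:443 S
2024-03-01T09:00:02 10.1.0.77 10.1.0.50:445 S
2024-03-01T09:00:02 10.1.0.77 10.1.0.50:3389 S
2024-03-01T09:00:05 10.1.0.20 10.1.0.50:443 S
2024-03-01T09:00:05 10.1.0.20 10.1.0.50:443 A
2024-03-01T09:10:00 10.1.0.99 10.1.0.50:21 S
2024-03-01T09:40:00 10.1.0.99 10.1.0.50:22 S
2024-03-01T10:10:00 10.1.0.99 10.1.0.50:23 S
2024-03-01T10:40:00 10.1.0.99 10.1.0.50:25 S
2024-03-01T11:10:00 10.1.0.99 10.1.0.50:80 S
""".splitlines()


def parse_line(line):
    ts, src, dst, flags = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dport), flags


def detect_syn_scans(lines, window_seconds=60, threshold=5):
    """Flag sources that send bare SYNs to at least `threshold` distinct ports on
    one destination within `window_seconds`. Returns {source: (destination, ports)}."""
    window = timedelta(seconds=window_seconds)
    syns = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        ts, src, dst_ip, dport, flags = parse_line(line)
        if flags == "S":  # half-open probe: SYN sent, handshake never completed
            syns[(src, dst_ip)].append((ts, dport))
    alerts = {}
    for (src, dst_ip), events in syns.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[src] = (dst_ip, sorted(ports))
                break
    return alerts


if __name__ == "__main__":
    for src, (dst_ip, ports) in detect_syn_scans(LOG_LINES).items():
        print(f"possible SYN scan from {src} against {dst_ip}: ports {ports}")
```

With the default 60-second window only 10.1.0.77 is reported; the slow probes from 10.1.0.99 are only caught when the window is widened to several hours.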
OTHER RECONNAISSANCE AND DISCOVERY TOOLS (cont.)
• Nessus
The list of services and version information that a host is running can be cross-checked against lists of known software vulnerabilities. This type of scanning is usually performed using automated tools. Nessus, produced by Tenable Network Security (tenable.com/products/nessus/nessus-professional), is one of the best-known commercial vulnerability scanners. It is available in on-premises (Nessus Manager) and cloud (Tenable Cloud) versions, as well as a Nessus Professional version, designed for smaller networks. The product is free to use for home users but paid for on a subscription basis for enterprises. Having previously been an open-source program, Nessus also supplies the source code for many other scanners.
Lab
PACKET CAPTURE AND TCPDUMP
• Packet and protocol analysis depends on a sniffer tool to capture and decode the frames of data.
• Network traffic can be captured from a host or from a network segment.
• Using a host means that only traffic directed at that host is captured.
• Capturing from a network segment can be performed by a switched port analyzer (SPAN) port (or mirror port).
• This means that a network switch is configured to copy frames passing over designated source ports to a destination port, which the packet sniffer is connected to.
PACKET CAPTURE AND TCPDUMP (cont.)
• Sniffing can also be performed over a network cable segment by using a test access port (TAP).
• This means that a device is inserted in the cabling to copy frames passing over it.
• Typically, sniffers are placed inside a firewall or close to a server of particular importance.
• The idea is usually to identify malicious traffic that has managed to get past the firewall.
• A single sniffer can generate an exceptionally large amount of data, so you cannot just put multiple sensors everywhere in the network without provisioning the resources to manage them properly.
• Depending on network size and resources, one or just a few sensors will be deployed to monitor key assets or network paths.
PACKET CAPTURE AND TCPDUMP (cont.)
• tcpdump is a command line packet capture utility for Linux (linux.die.net/man/8/tcpdump). The basic syntax of the command is tcpdump -i eth0, where eth0 is the interface to listen on. The utility will then display captured packets until halted manually (Ctrl+C). Frames can be saved to a .pcap file using the -w option. Alternatively, you can open a pcap file using the -r option.
PACKET CAPTURE AND TCPDUMP (cont.)
• tcpdump is often used with some sort of filter expression to reduce the number of frames that are captured:
Type—filter by host, net, port, or portrange.
Direction—filter by source (src) or destination (dst) parameters (host, network, or port).
Protocol—filter by a named protocol rather than port number (for example, arp, icmp, ip, ip6, tcp, udp, and so on).
Logical operators—and (&&), or (||), not (!).
For example:
tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"
PACKET ANALYSIS AND WIRESHARK
• A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to perform traffic analysis.
• You can either analyze a live capture or open a saved capture (.pcap) file.
• Protocol analyzers can decode a captured frame to reveal its contents in a readable format.
• You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data.
PACKET ANALYSIS AND WIRESHARK (cont.)
• Wireshark (wireshark.org) is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems.
• Having chosen the interface to listen on, the output is displayed in a three-pane view:
The packet list pane shows a scrolling summary of frames.
The packet details pane shows expandable fields in the frame currently selected from the packet list.
The packet bytes pane shows the raw data from the frame in hex and ASCII.
• Wireshark is capable of parsing (interpreting) the headers and payloads of hundreds of network protocols.
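As an added illustration of what a protocol analyzer does when it decodes a saved .pcap file (this is not code from the course or from Wireshark), the following Python reader walks the classic pcap layout (24-byte global header, 16-byte record headers, link type 1 = Ethernet), decodes the Ethernet, IPv4 and TCP headers of each frame, and prints a tcpdump-style summary line. The two-frame capture is constructed in the script itself.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, tcp_flags):
    """Construct one Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = bytes.fromhex("005056a12233" "000c293e1a9b" "0800")  # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in the classic pcap format: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

TCP_FLAGS = [(0x02, "S"), (0x10, "A"), (0x04, "R"), (0x01, "F")]

def decode_pcap(data):
    """Return a tcpdump-style summary line for every frame in a pcap byte string."""
    magic, = struct.unpack_from("<I", data)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    pos, lines = 24, []
    while pos < len(data):
        ts, _, incl_len, _ = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != 0x0800:
            lines.append(f"{ts} non-IPv4 frame (ethertype 0x{ethertype:04x})")
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if proto != 6:
            lines.append(f"{ts} {src} > {dst}: ip proto {proto}")
            continue
        sport, dport, _, _, _, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
        flag_str = "".join(name for bit, name in TCP_FLAGS if flags & bit) or "."
        lines.append(f"{ts} {src}.{sport} > {dst}.{dport}: tcp [{flag_str}]")
    return lines

# Constructed two-frame capture: a client SYN to port 80 and the server's SYN/ACK.
SAMPLE_PCAP = build_pcap([
    build_frame("10.1.0.100", "10.1.0.50", 40000, 80, 0x02),
    build_frame("10.1.0.50", "10.1.0.100", 80, 40000, 0x12),
])
```

Writing SAMPLE_PCAP to a file with open("sample.pcap", "wb").write(SAMPLE_PCAP) gives a capture that tcpdump -r or Wireshark will open, so the script's summary lines can be compared with the tools' own decoding.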
PACKET INJECTION AND REPLAY (cont.)
• hping is an open-source spoofing tool that provides a penetration tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs. hping can perform the following types of test:
Host/port detection and firewall testing—like Nmap, hping can be used to probe IP addresses and TCP/UDP ports for responses.
Traceroute—if ICMP is blocked on a local network, hping offers alternative ways of mapping out network routes. hping can use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces.
Denial of service (DoS)—hping can be used to perform flood-based DoS attacks from randomized source IPs. This can be used in a test environment to determine how well a firewall, IDS, or load balancer responds to such attacks.
NETCAT (cont.)
• Used the other way around, Netcat can be used to receive files.
• For example, on the target system the attacker runs the following:
• On the handler (IP 10.1.0.192), the attacker receives the file using the following command:
Lab
Lab 3: Intercepting and Interpreting Network Traffic with Packet Sniffing Tools
ZERO-DAY AND LEGACY PLATFORM VULNERABILITIES
• A zero-day is a vulnerability that is exploited before the developer knows about it or can release a patch.
• A legacy platform is one that is no longer supported with security patches by its developer or vendor.
• This could be a PC/laptop/smartphone, networking appliance, peripheral device, Internet of Things device, operating system, database/programming environment, or software application.
• By definition, legacy platforms are unpatchable.
• Such systems are highly likely to be vulnerable to exploits and must be protected by security controls other than patching, such as isolating them to networks that an attacker cannot physically connect to.
Score   Description
0.1+    Low
4.0+    Medium
7.0+    High
9.0+    Critical