Monday, 22 February 2016

Vulnerability assessment

Now that we have information on open ports, services, service version, and operating system of our target host/network, we will look for its potential vulnerabilities (weaknesses) in order to get one step closer into compromising our target.
The Nessus vulnerability scanner will be the prime focus, as it is one of the oldest and best vulnerability scanners on the market. We will also see its integration with Metasploit and how Nessus can be used from within Metasploit to perform vulnerability assessment more effectively.
We will also take a look at nmap's scripting engine, which is a built-in feature of nmap and can also be used for scanning for different kinds of vulnerabilities. It is not as powerful as Nessus, as it includes far fewer plug-ins, but it can still be used to detect vulnerable hosts on a target network.

WHAT ARE VULNERABILITY SCANNERS AND HOW DO THEY WORK?

Vulnerability scanners scan computers, networks, or applications looking for potential weaknesses that could be used by attackers to compromise the target.
The way a vulnerability scanner works is that it probes the system by sending specific data to the target host/network, and based on its analysis of the response (fingerprint) received from the target, it can determine many things such as the following:
Open ports
Services
Operating System
Vulnerabilities

PROS AND CONS OF A VULNERABILITY SCANNER

The main advantage of any vulnerability scanner is task automation; it can automate many tasks such as reconnaissance, port scanning, service, and version detection. This can make your work faster and more effective than doing everything manually.
On the other hand, there are some disadvantages of using a vulnerability scanner. One of the main disadvantages is that the vulnerability scanners are very loud by nature and can be easily detected since we are sending lots of traffic over the network. So if you want to stay undetected/anonymous during the pentest, then this is not the best choice in my opinion.
The other problem with a vulnerability scanner is that it can produce lots of false positives, meaning that it reports vulnerabilities in the target that may not exist in reality. It can also produce false negatives, meaning that the scanner misses, or does not report, vulnerabilities that actually exist.

VULNERABILITY ASSESSMENT WITH NMAP

One of the most powerful features in nmap is the nmap scripting engine, which can be used for automating many tasks. The nmap scripting engine contains many scripts for performing tasks such as OS fingerprinting, DNS enumeration, and SNMP enumeration. They can also be used for vulnerability scanning purposes. The scripts are written in the Lua language, which is very well documented. Learning it will help you write your own scripts or modify existing ones.
The nmap scripts are located in the /usr/local/share/nmap/scripts directory in BackTrack. Just navigate to the directory and you will see tons of useful scripts that can be used for target enumeration as well as for scanning for vulnerabilities.

UPDATING THE DATABASE

The scripts are frequently updated, so it’s very good practice to frequently update your nmap scripting engine database. You can use the following command to update the scripting engine:
nmap --script-updatedb

SCANNING MS08_067_NETAPI

MS08_067_netapi is one of the most commonly found vulnerabilities in Windows XP or Windows 2003, and it's one of the first vulnerabilities you should look for.
The nmap scripting engine has a script named “smb-check-vulns”, which will automatically test the specified targets against this vulnerability and report if a certain target is vulnerable to it.
Command:
nmap --script=smb-check-vulns <target IP>
The output shows that the target host is vulnerable to the MS08_067_netapi exploit.
Alternatively, we can use --script=vuln to execute all the scripts in the vulnerability-scanning category, which can report additional vulnerabilities. At the same time, we need to keep in mind that this type of scan can be very loud and easily detected.
Command:
nmap --script=vuln <target IP>
The output shows that the target machine is vulnerable to the MS08_067 exploit.
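Reading the scanner's report by eye does not scale past a handful of hosts. As an added example (not code from the original post), this Python script parses nmap's normal text output for the per-host smb-check-vulns results and lists the hosts the scanner flags as VULNERABLE to MS08-067; the sample report embedded below is constructed, and because of the false positives discussed above, any host it lists still needs manual confirmation before it is treated as exploitable.

```python
import re

# Constructed sample of nmap normal (-oN) output for two hosts, laid out the
# way the smb-check-vulns host script reports its checks. Addresses and
# states are made up for this example.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|_  SMBv2 DoS: NOT RUN

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|_  SMBv2 DoS: NOT RUN
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Finding lines look like "|   <check>: <state>"; the last one starts with "|_".
# The "| smb-check-vulns:" header has nothing after the colon, so it does not match.
FINDING_RE = re.compile(r"^\|[_ ]\s+(.+?):\s+(.+?)\s*$")


def parse_findings(text):
    """Return {host: {check: state}} for every script finding in the report."""
    findings, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            findings[host] = {}
            continue
        m = FINDING_RE.match(line)
        if host is not None and m:
            findings[host][m.group(1)] = m.group(2)
    return findings


def vulnerable_hosts(findings, check="MS08-067"):
    """Hosts whose state for `check` is VULNERABLE (not 'NOT VULNERABLE')."""
    return sorted(h for h, checks in findings.items()
                  if checks.get(check, "").upper().startswith("VULNERABLE"))
```

Newer nmap releases removed smb-check-vulns in favour of separate smb-vuln-* scripts (for example smb-vuln-ms08-067), whose output layout differs, so the finding pattern has to be adjusted for them.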
