Join Mike Chapple for an in-depth discussion in this video Scanning for vulnerabilities, part of CompTIA Security+ Exam Prep (SY0-401): Threats and Vulnerabilities.
- View Offline
- Testing systems for security issues is one of the most important tasks performed by security professionals, but it can be a little tedious. Security analysts must test for vulnerabilities, because if they don't, hackers will. You're much better off if you discover an issue and correct it than if an attacker discovers it and exploits it. Fortunately, vulnerability assessment tools automate the process of vulnerability scanning. There are three major categories of these tools: port scanners, which simply probe a system for open network ports; vulnerability scanners, which check those ports for known vulnerabilities; and application scanners that probe deep into web applications to detect flaws.
Port scanners are the equivalent of rattling all the doorknobs on a server, looking for unlocked doors. They check all of the possible 65, 535 network ports on a server, to see which ones might be open. The most popular port scanning tool is a program called Nmap. Let's give it a try. I'm going to go ahead and run Nmap from the Linux command line. I already have an ssh connection open to a Linux server, and I'm going to go ahead and execute the scan. The target of the scan is going to be a Windows server that I control.
To start the scan, I type nmap, and then the IP address of the server that I am scanning. Once I hit enter, the Nmap scan begins to run. Once it completes, it shows me the ports that are open on the machine. As I look at these scan results, I see that two ports are open on the server. Port 80, for web connections, this is a web server. If you watched my earlier video on system hardening, you might remember me enabling the World Wide Web publishing service on a Windows server.
We're scanning that same server here, so this makes sense. And then port 3389 is the Remote Desktop Protocol. That's a service used to manage Windows systems remotely. So as long as the only ports open on the server are those that I expect, I can move on. If I do see ports corresponding to unexpected services, I'd probably want to go ahead and investigate those further, possibly disabling the services that have those ports open. Vulnerability scanners go much deeper. Instead of simply checking to see what ports are open, they dig into the details of what services are using those ports.
They also have a database of all known vulnerability exploits and test the server to see if it contains vulnerabilities. The reports from vulnerability scanners provide important information for system remediation. In the hands of an attacker, however, that remediation information can be a roadmap for exploitation. One popular vulnerability scanning tool is a web-based tool called Nessus. I have that running on one of my servers. Let's try scanning the same Windows server that we Nmapped using Nessus. Here I am at the main screen of Nessus.
I'm going to go ahead and click New Scan. I'm going to choose a Basic Network Scan, I'm going to give it a name, we'll call it My Server Scan, and then I need to type in the IP address of the server that I am going to scan. I'm going to go ahead now, and click Save, and my scan has now begun. You can see it's scheduled as an on-demand scan. I could use Nessus, if I wanted to, to set up recurring scans at different times of the day or week. And these green arrows indicate that the scan is actually running.
Now Nessus scans often take a long time to finish, so instead of waiting for this scan to finish, I'm going to go look at an earlier version of a scan against the same server. When I click on that scan, it shows me the vulnerabilities that it's identified. There's a nice summary here, color coded, showing me that there are twenty-four informational vulnerabilities on this server, one low-priority vulnerability, and six medium priority vulnerabilities. There were not any critical or high vulnerabilities found on this server. When I click on this line, it brings me into the detailed vulnerability listings for this server.
You can see in the report that there are a number of issues with encryption on this server. I should probably check those out and remediate those issues, for example, if I click inside this first one, it provides me with a detailed description of the vulnerability, and then also offers a solution with advice on how I can actually remediate the problem. If we return to the list of vulnerabilities and scroll down, you'll see that there is quite a bit of other information about possible issues with this server. I'm going to go ahead and click inside the HTTP Server Type and Version report here.
Notice it's only an informational report. There's nothing that actually needs to be corrected. When I look inside, I see the actual output from the vulnerability scan. It shows me that the Nessus vulnerability scanner went in and grabbed the HTTP header, the banner from the server, which actually reported that it is running Microsoft Internet Information Server version 8.5. This could be useful information to an attacker if that particular version of the web server had a known vulnerability. There's all sorts of detailed evidence gathered within a vulnerability scan to help you diagnose when an issue occurs.
For example, I mentioned earlier that the Remote Desktop Protocol is running on this server. If I double click on this RDP Screenshot item, you'll see that it actually captured a screenshot of the RDP connection. Tools like Nmap and Nessus provide system administrators with important insight into the current security status of their servers. Organizations with robust security programs use these tools regularly, and repeat scans until they obtain satisfactory passing results.
NOTE: We are now a CompTIA Content Publishing Partner. Our training prepares members to pass CompTIA certification exams and become qualified IT professionals. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.
- Comparing viruses, worms, and Trojans
- Understanding backdoors and logic bombs
- Defending against denial of service and password attacks
- Preventing insider threats
- Detecting social engineering attacks
- Preventing wireless eavesdropping
- Understanding cross-site scripting
- Preventing SQL injection
- Deterring attacks
- Securing your network
- Scanning for and assessing threats