CS CH 2

Cyber Security

Mr Gazy Abbas, Cyber Security Trainer

VAISHALEE JOISHAR 1
UNIT-2

Systems Vulnerability Scanning


VULNERABILITY

• Vulnerabilities are weaknesses or flaws present in the software or hardware of a system.

Vulnerability Scanning:

• Vulnerability scanning is a security technique used to identify security weaknesses in a computer system.

• Vulnerability scanning can be used by individuals or network administrators for security purposes, or it can be used by hackers attempting to gain unauthorized access to computer systems.
CLASSIFICATIONS OF VULNERABILITY

• Vulnerabilities originate from three sources:

• Vendor-originated: This includes software bugs, missing operating system patches, vulnerable services, insecure default configurations, and web application vulnerabilities.

• System administration-originated: This includes incorrect or unauthorized system configuration changes, lack of password protection policies, and so on.

• User-originated: This includes sharing directories with unauthorized parties, failure to run virus scanning software, and malicious activities, such as deliberately introducing system backdoors.
What Are the Vulnerability Scanning Methods?

There are two independent methods for conducting vulnerability scans: internal and external vulnerability scanning.

An internal scan is carried out from within your network infrastructure. It takes into consideration the other hosts that are on the same network to spot internal weaknesses. It detects issues such as malware that has found its way into your systems.

An external scan, on the other hand, is executed from outside your network and checks for known vulnerabilities in the network's exposed components. Here, the targets are IT components such as open ports and web applications that are exposed to the Internet.

Vulnerability scanning is also categorized by whether the scanner has credentials: authenticated and unauthenticated scans. Using both ensures there are no lapses in vulnerability detection.

Unauthenticated Scan

❑ In an unauthenticated scan, the IT specialist approaches the system as an intruder would, without credentials or authorized access to the network. This method shows the vulnerabilities that can be reached without signing into the network.

Authenticated Scan

❑ An authenticated scan entails the analyst logging into the network system as a trusted user and revealing the security loopholes that can only be reached by someone who is authorized.

❑ Here, the tester gains access as a genuine user and can uncover many loopholes that unauthenticated scans fail to see.

Examples of Vulnerability Scanners

❑ Host-Based Scanner

❑ Network and Wireless Scanner

❑ Application Scanner

❑ Database Scanner

Host-Based Scanner

❑ Host-based scanning is carried out on web servers, workstations, or other network hosts used by individuals and organizations. It identifies vulnerabilities and, at the same time, gives more visibility into configuration settings and the system's patch history.

❑ A host-based vulnerability scanner also offers insights into the harm that can be done to a system once an attacker gains access to it.

Network and Wireless Scanner

❑ The worldwide connectivity of networks increases the risk of data exploitation. For this reason, a network-based vulnerability scanner is used to identify possible threats targeted at the network and wireless systems.

❑ Network and wireless scanning also identifies weaknesses in the system, as well as unauthorized access to remote servers and connections made over unsecured networks.
Application Scanner

❑ Web applications are one of the chief gateways through which cybercriminals exploit users. An application scanner searches for security vulnerabilities in web apps. It scans for software loopholes and misconfigured settings in the web application or network.

Database Scanner

❑ Databases facilitate the storage, retrieval, modification, and removal of data, as well as several data-processing operations.

❑ Losing your data can result in damages. Database scanners diagnose vulnerable areas such as missing patches and weak passwords to prevent harmful attacks.

How Does Vulnerability Scanning Work?

❑ Identify the Vulnerabilities

❑ Examine the Threats

❑ Fix the Weaknesses

❑ Generate Reports Based on Your Findings

Identify the Vulnerabilities

❑ Identifying the vulnerabilities involves detecting the weaknesses in a specific area of your network. It could be your web applications, hosts, or servers. Focus on that angle to get a clear view of what the problem is.

Examine the Threats

❑ You need to examine the threats to understand what they are and how they function.

❑ What degree of damage do they pose? And what are the best ways to resolve them?

Fix the Weaknesses

❑ Having examined the threats and understood what they are all about, you are well enough informed to know the appropriate cybersecurity measures to implement.

❑ The most effective cybersecurity measures are specific to a particular cyber threat, instead of being generalized.

Generate Reports Based on Your Findings

❑ This is the final phase. It involves an interpretation of the analysis to help you identify opportunities that will improve your cybersecurity infrastructure.

❑ With vulnerability scanning, you are taking a proactive approach, instead of a reactive one, to identify threats to your network system and nip them in the bud before they become problematic.

BENEFITS OF VULNERABILITY SCANNERS

• Allows early detection and handling of known security problems.

• A new device or even a new system may be connected to the network without authorization. A vulnerability scanner can help identify rogue machines, which might endanger overall system and network security.

• By employing ongoing security assessments using vulnerability scanners, it is easy to identify security vulnerabilities that may be present in the network.

OPEN PORT / SERVICE IDENTIFICATION
• Ports are an integral part of the Internet's communication model. They are the channel through which applications on the client computer reach the software on the server.
• The design and operation of the Internet is based on the Internet Protocol Suite, commonly called TCP/IP.
• Network services are referenced using two components: a host address and a port number.
• There are 65536 distinct port numbers (0 through 65535).
• Some examples of service ports are HTTP (port 80), FTP (port 21), and SMTP (port 25).

Vulnerability scanning vs. penetration testing
• Vulnerability scanning is very often confused with penetration testing, but there are some major differences between the two.

• A vulnerability scan is an automated, high-level test that looks for potential security vulnerabilities, while a penetration test is an exhaustive examination that includes a live person actually digging into your network's complexities to exploit the weaknesses in your systems.

• A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify the root cause of the vulnerability that allows access to secure systems or stored sensitive data. The pen tester also looks for business logic vulnerabilities that might be missed by an automated scanner.

• Vulnerability scans can be initiated manually or on an automated basis and will complete in as little as several minutes to as long as several hours.

Common vulnerabilities
• SQL Injection (SQLi):
  • Description: SQL injection is a code injection technique where an attacker can insert malicious SQL statements into a query, potentially gaining unauthorized access to a database.
  • Prevention: Use parameterized queries or prepared statements, input validation, and least-privilege principles.

• Cross-Site Scripting (XSS):
  • Description: XSS involves injecting malicious scripts into web pages that are viewed by other users. It can lead to the theft of sensitive information or session hijacking.
  • Prevention: Input validation, output encoding, and implementing secure coding practices.

• Cross-Site Request Forgery (CSRF):
  • Description: CSRF is an attack where a malicious website causes a user's web browser to perform an unwanted action on a trusted site where the user is authenticated.
  • Prevention: Use anti-CSRF tokens, implement the SameSite attribute for cookies, and ensure proper authentication.

• Buffer Overflow:
  • Description: A buffer overflow occurs when a program writes more data to a block of memory, or buffer, than was allocated for it, leading to potential code execution by an attacker.
  • Prevention: Bounds checking, input validation, and using secure coding practices.

• Security Misconfigurations:
  • Description: Improperly configured settings, permissions, or default configurations can expose sensitive information or provide unauthorized access.
  • Prevention: Regularly audit configurations, follow security best practices, and minimize unnecessary services.

• Zero-Day Vulnerabilities:
  • Description: Zero-day vulnerabilities are newly discovered and unpatched vulnerabilities that can be exploited before the software vendor releases a fix.
  • Prevention: Keep software and systems updated, employ intrusion detection systems, and follow responsible disclosure practices.

• Weak Authentication and Password Management:
  • Description: Weak passwords, unencrypted storage, or insecure authentication mechanisms can lead to unauthorized access.
  • Prevention: Enforce strong password policies, use multi-factor authentication, and store passwords securely (e.g., hashing and salting).

• Insecure Direct Object References (IDOR):
  • Description: IDOR occurs when an application provides direct access to objects based on user-supplied input, allowing unauthorized access to data.
  • Prevention: Implement proper access controls, validate user input, and use indirect references rather than direct references.

• File Inclusion Vulnerabilities:
  • Description: Improper handling of user-supplied input in file paths can lead to the inclusion of unauthorized files, potentially exposing sensitive information.
  • Prevention: Validate and sanitize user input, use whitelists for allowed file inclusions, and avoid using user input in file paths.

• Security Bypass and Elevation of Privilege:
  • Description: Flaws that allow an attacker to bypass security controls or elevate their privileges to gain unauthorized access.
  • Prevention: Implement strong access controls, follow the principle of least privilege, and conduct regular security assessments.

WHAT IS A BANNER?

A "banner" in the context of networking usually refers to a piece of information or text that is displayed when connecting to a network service or server. It is a response sent by the server when a connection is established, and it often contains information about the server or service, such as its type, version, or additional details.

BANNER GRABBING
• Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports.

• "Banner grabbing" is the process of collecting information from banners. It is a technique used by network administrators, security professionals, or attackers to gather information about a target system.

• The collected information can include details about the operating system, software versions, and other configuration details.

Outline of BANNER GRABBING
Connection Establishment: An attempt is made to establish a connection with a target server or service.

Banner Retrieval: After the connection is established, the initial response or banner sent by the server is captured. This banner often contains information about the server software, its version, and sometimes additional details.

Information Analysis: The captured banner is then analyzed to gather intelligence about the target system. This information can be useful for identifying potential vulnerabilities or misconfigurations.

Tools and Techniques: Various tools and techniques can be used for banner grabbing, including manual methods using telnet or netcat, as well as automated tools designed for this purpose.
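The three steps of the outline above, worked through in Python as an added example (not code from the slides): a throwaway listener on 127.0.0.1 stands in for the remote service and sends a constructed banner, the client grabs it, and a small parser turns it into product and version fields an asset inventory can compare. The banner strings and the regular expressions are my own assumptions about common greeting formats.

```python
import re
import socket
import threading

# Constructed sample banners, modelled on the greeting lines SSH, SMTP and FTP
# servers send as soon as a TCP connection is established.
SAMPLE_BANNERS = {
    "ssh":  b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    "ftp":  b"220 (vsFTPd 3.0.5)\r\n",
}


def serve_banner(banner):
    """Throwaway listener on 127.0.0.1 that sends `banner` to the first client
    and closes; it stands in for the remote service. Returns (thread, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t, port


def grab_banner(host, port, timeout=3.0):
    """Steps 1 and 2 of the outline: connect, then read whatever the service
    volunteers before we send anything. Returns '' on failure or silence."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(1024)
    except OSError:  # refused, unreachable or timed out (socket.timeout is an OSError)
        return ""
    return data.decode("ascii", errors="replace").strip()


# Step 3: turn the raw banner into fields an asset inventory can compare.
# The patterns are assumptions about common greeting formats, not a standard.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (?P<product>\w+)")),
    ("ftp", re.compile(r"^220 \((?P<product>[A-Za-z]+) (?P<version>[\d.]+)\)")),
]


def analyze_banner(banner):
    """Extract service, product and version; an unrecognised banner is still
    recorded so the inventory shows that something is listening."""
    for service, pat in BANNER_PATTERNS:
        m = pat.match(banner)
        if m:
            d = m.groupdict()
            return {"service": service, "product": d.get("product"),
                    "version": d.get("version"), "raw": banner}
    return {"service": "unknown", "product": None, "version": None, "raw": banner}


def demo(kind="ssh"):
    """End-to-end run of all three steps against the local stand-in service."""
    thread, port = serve_banner(SAMPLE_BANNERS[kind])
    result = analyze_banner(grab_banner("127.0.0.1", port))
    thread.join(timeout=3)
    return result

if __name__ == "__main__":
    for k in SAMPLE_BANNERS:
        print(demo(k))
```

Running the module prints one parsed record per sample banner; the same analyze_banner step applies to a banner captured with netcat or telnet.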

TRAFFIC PROBE

• A probe is an action taken or an object used for the purpose of learning something about a network. In a security context, a probe is an attempt to gain access to a computer and its files through a known or probable weak point in the computer system.

• A traffic probe, in the context of networking and cybersecurity, refers to a method or tool used to gather information about network traffic, systems, or devices. The purpose of a traffic probe is typically to analyze, monitor, or assess the characteristics of network communication. This can include examining packet data, identifying devices on a network, or understanding patterns of communication.
NEED FOR TRAFFIC PROBE
A traffic probe is needed to measure and collect data in large-scale networks.

To capture and process data in today's high-speed networks.

To detect abnormal behavior and malicious network traffic.

Traffic probes can be used for various purposes, including network performance monitoring, troubleshooting, and security analysis. They help identify unusual or malicious patterns that may indicate a security incident, such as a denial-of-service (DoS) attack or unauthorized access attempts.
EXAMPLES
Packet Sniffing:
Description: Packet sniffing involves capturing and analyzing network packets as they travel over a network. This can provide insights into the types of traffic, the source and destination of packets, and the protocols being used.
Example: Wireshark is a widely used packet sniffer. It allows users to capture, analyze, and inspect the data traveling back and forth on a network. With Wireshark, you can view packet details, protocol information, and even reconstruct higher-layer protocols.

Port Scanning:
Description: Port scanning is a method of probing a computer system or network to discover open ports and services. It involves sending connection requests to a range of ports on a target system to determine which ports are open and what services are running.
Example: Nmap (Network Mapper) is a popular port scanning tool. It allows users to discover hosts, services, and open ports on a computer network. For example, running nmap -p 1-1000 target_IP would scan the first 1000 ports on the specified target IP address.

VULNERABILITY PROBE
• Definition: Vulnerability probes are tools or processes that actively seek out and exploit weaknesses (vulnerabilities) in a system, network, or application. These vulnerabilities could be security flaws, misconfigurations, or other issues that could be exploited by attackers.

• Purpose: The primary purpose of vulnerability probes is to identify potential weaknesses before malicious actors can exploit them. By proactively scanning for vulnerabilities, organizations can prioritize and address security issues to reduce the risk of unauthorized access or data breaches.

• Examples: Vulnerability scanners such as Nessus, OpenVAS, or Qualys.

Tools Used for System Vulnerability Scanning
NESSUS: Tenable Nessus Scanner is a vulnerability scanner developed by Tenable to perform vulnerability assessment and penetration testing, using the Common Vulnerabilities and Exposures (CVE) framework to name the issues it reports.

Features of Nessus
Remote Scanning: Nessus can perform remote scans on devices and systems across a network, identifying vulnerabilities without requiring direct access to each device.

Plugin Architecture: It utilizes a plugin architecture, where a wide range of vulnerability checks, known as plugins, are regularly updated to keep pace with the evolving threat landscape.

Scalability: Nessus is scalable, allowing it to be used in various environments, from small businesses to large enterprises, to ensure the security of diverse network infrastructures.

Vulnerability Assessment: Nessus conducts vulnerability assessments by actively scanning and analyzing networked systems to pinpoint security weaknesses that could be exploited by attackers.

Reporting: Generates detailed reports that provide a clear overview of identified vulnerabilities, their severity levels, and recommendations for remediation.

Uses of Nessus
Security Professionals: Use the Nessus security scanner to perform various security scans and vulnerability assessments, and receive a detailed report about them, with remediation advice included.
IT Administrators: They perform scans on a daily basis to find any kind of weakness in the system. IT administrators use Nessus to monitor and maintain their systems, applications and networks.
System and Security Administrators: Using Nessus they can identify misconfigurations, vulnerabilities and outdated software that may pose a threat to the organization. It enables them to take proactive steps to patch the loopholes (vulnerabilities) and strengthen the infrastructure's security.
Software Developers: Software developers use Nessus during the testing phase of a piece of software; it helps them learn about weaknesses before the software is deployed.

NetCat
• Netcat is a Unix utility which reads and writes data across network connections using the TCP or UDP protocol.
• Netcat's ability to execute various tasks from a single command-line interface makes it an indispensable tool in networking and security contexts.
• Its adaptability makes it suitable for tasks ranging from penetration testing to network troubleshooting.
• It enables data transfer between computers over a network, making it a versatile tool for various networking tasks like port scanning, banner grabbing, file transfer, and chatting.

Uses of NetCat
Port Scanning: Netcat is used to check for open ports on a remote system.
nc -zv example.com 1-100
The -z option makes Netcat operate in scanning mode (connect, report the result, and close without sending any data), and -v provides verbose output. This command checks for open ports on example.com in the range from 1 to 100.

Banner Grabbing: Netcat is used to retrieve service banners to identify running services.
nc -v example.com 80
The -v option provides verbose output. Without -z, Netcat keeps the connection open and prints whatever the service sends on connect, which is its banner; a service such as HTTP that waits for the client to speak first only replies once a request line has been typed in.

File Transfer: To transfer files between systems.

nc -l -p 1234 > received_file    # On the receiving end
nc -w 3 remote_host 1234 < local_file    # On the sending end

The first command sets up Netcat to listen (-l) on port 1234 and redirects the incoming data to a file. The second command connects to the remote host on port 1234 and sends the contents of local_file.

Chat Server/Client: To establish a simple chat server and client.

nc -l -p 1234    # Server
nc remote_host 1234    # Client

The first command sets up a listening server on port 1234, and the second command connects to that server. Anything typed on one end will be sent to the other.

Network Reconnaissance – Nmap

Network reconnaissance, often referred to as "network discovery" or "network scanning," is a crucial phase in the process of information gathering for cybersecurity purposes.

Nmap (Network Mapper) is a widely used tool for network reconnaissance that helps security professionals and system administrators discover hosts, services, and open ports on a computer network. Nmap provides a wealth of information that can be used to assess the security posture of a network and identify potential vulnerabilities.

How Nmap is used for network reconnaissance
Host Discovery: Used to identify live hosts on a network.
Nmap uses various methods to determine which hosts are active, including ICMP echo requests (ping), TCP handshakes, and others.
e.g., nmap -sn 192.168.1.0/24

Port Scanning: To identify open ports on live hosts.
Nmap supports different types of port scans, such as TCP connect scans, SYN scans, and UDP scans. It attempts to connect to ports to determine their status.
e.g., nmap -p 1-100 192.168.1.1

Service Version Detection: To determine the version of services running on open ports.
Nmap sends specific probes to open ports and analyzes the responses to identify the version and type of services.
e.g., nmap -sV 192.168.1.1

OS Fingerprinting: To determine the operating system of the target hosts.
Nmap sends a series of probes and analyzes the responses to make an educated guess about the operating system.
e.g., nmap -O 192.168.1.1

Apart from the uses mentioned above, Nmap is used to perform various other network reconnaissance tasks, such as:

Scripting Engine: Nmap has a scripting engine (NSE) that allows users to run custom scripts to extract more information about hosts, services, and potential vulnerabilities.

Output Formats: Nmap can output results in formats like XML, JSON, and plain text, making it versatile for different use cases.

Aggressive Scanning: Nmap allows users to combine different scan types and options to perform aggressive scanning and gather maximum information.

Nmap Scripting Engine (NSE): NSE provides a framework for writing and running scripts that can perform various tasks, such as vulnerability detection, brute-force attacks, and more.
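As an added example (not from the slides), the following Python parses the XML that nmap -sV -oX writes and compares the open ports it finds against a hypothetical per-host allowlist of expected services, so that a rogue or forgotten listener shows up as a finding rather than being lost in the scan output. The XML sample, the addresses and versions in it, and the EXPECTED allowlist are all constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's XML output (nmap -sV -oX scan.xml ...), trimmed
# to the elements this parser uses; addresses and versions are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical allowlist: the services an administrator expects each host to
# expose. Any other open port is a finding (rogue or forgotten service).
EXPECTED = {"192.168.1.1": {22, 80}}


def parse_nmap_xml(xml_text):
    """Map each live host's IPv4 address to its open ports and service info."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # host discovery reported it down; nothing to list
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when -sV learned nothing
            attrs = svc.attrib if svc is not None else {}
            open_ports.append({"port": int(port.get("portid")),
                               "service": attrs.get("name"),
                               "product": attrs.get("product"),
                               "version": attrs.get("version")})
        hosts[addr] = open_ports
    return hosts


def unexpected_services(hosts, expected=EXPECTED):
    """Return (host, port, service) for every open port not on the allowlist."""
    findings = []
    for addr, ports in hosts.items():
        allowed = expected.get(addr, set())
        for p in ports:
            if p["port"] not in allowed:
                findings.append((addr, p["port"], p["service"]))
    return findings

if __name__ == "__main__":
    for finding in unexpected_services(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print("unexpected open service:", finding)
```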

Network Sniffers and Injection tools
Network Sniffers: Network sniffers, also known as packet analyzers or network protocol analyzers, are used to capture and analyze data packets transmitted over a network. They allow users to inspect and interpret the traffic between devices on a network.
Sniffers intercept and log the data packets passing through a network. This can include information such as source and destination IP addresses, port numbers, protocol types, and the actual data being transmitted.
e.g., Wireshark, tcpdump.

Injection Tools: Injection tools are used to inject or manipulate data within a network. They can be employed for various purposes, including security testing, debugging, and sometimes for malicious activities if misused.
Injection tools can alter the normal flow of data in a network by injecting additional packets or modifying existing ones. This can be useful for testing the resilience of network applications to various types of attacks.
e.g., Burp Suite, Scapy.

WireShark
Wireshark is an open-source network protocol analyzer that allows users to capture and analyze the traffic on a computer network. It provides detailed information about the protocols being used and the data being transmitted, and facilitates in-depth packet inspection.

Wireshark is a powerful, open-source network protocol analyzer. Its primary purpose is to capture and analyze network traffic, providing detailed insights into the communication between devices on a network.

Applications
Network Troubleshooting: Identifying and resolving connectivity issues by analyzing packet exchanges.

Security Analysis: Detecting and investigating security incidents by monitoring network traffic for suspicious activities.

Protocol Development: Assisting developers in debugging and analyzing custom or proprietary network protocols.

Performance Monitoring: Optimizing network performance by analyzing traffic patterns and identifying bottlenecks.

VoIP Troubleshooting: Diagnosing problems in Voice over IP (VoIP) environments, such as call quality issues.

Features
Real-time Packet Capture: Capturing live network traffic as it flows through the network interfaces.

Protocol Analysis: Dissecting and decoding a wide range of network protocols for detailed inspection.

Powerful Filters: Filter packets based on various criteria, such as IP addresses, protocols, or keywords.

Packet Inspection: Providing the ability to inspect the content of each packet, including headers and data payload.

VoIP Support: Specialized features for analyzing and troubleshooting Voice over IP traffic.

Cross-Platform Compatibility: Available for Windows, macOS, and Linux, making it a versatile tool for different operating systems.

Example Commands

Capture Packets on a Specific Interface: sudo wireshark -i eth0

Save Captured Packets to a File: sudo tcpdump -i eth0 -w captured_packets.pcap

Read a Captured File in Wireshark: wireshark -r captured_packets.pcap

Display Packet Details in the Command Line: tshark -r captured_packets.pcap -V

Capture Packets with a Filter and Save to a File: sudo tcpdump -i eth0 'host 192.168.1.1' -w filtered_packets.pcap
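To show what the tcpdump 'host' filter above operates on, this added Python example (not from the slides) builds a small capture in the classic libpcap file format that tcpdump -w produces, reads it back record by record, decodes the Ethernet, IPv4 and TCP headers, and applies the equivalent of 'host 192.168.1.1'. The three frames are constructed, with IP and TCP checksums left at zero since nothing here validates them.

```python
import struct
from ipaddress import IPv4Address

# libpcap global header: magic number, version 2.4, timezone, sigfigs, snaplen, linktype
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def build_packet(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame with no payload (20-byte IP and
    TCP headers; checksums are zero because nothing here checks them)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def write_pcap(packets):
    """Serialize frames into the file layout tcpdump -w writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Yield (ts_sec, src, dst, sport, dport) for each IPv4/TCP record."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"  # byte order of the writer
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # truncated or not IPv4
        ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes
        proto = frame[23]
        src, dst = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
        if proto != 6:
            continue  # not TCP
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield ts_sec, str(src), str(dst), sport, dport


def host_filter(records, host):
    """Equivalent of tcpdump's 'host 192.168.1.1': either endpoint matches."""
    return [r for r in records if host in (r[1], r[2])]


# Constructed capture: three frames, only two of which involve 192.168.1.1.
SAMPLE_PCAP = write_pcap([
    build_packet("192.168.1.1", "10.0.0.5", 51000, 443),
    build_packet("10.0.0.7", "10.0.0.8", 40000, 22),
    build_packet("10.0.0.5", "192.168.1.1", 443, 51000),
])


def demo():
    return host_filter(read_pcap(SAMPLE_PCAP), "192.168.1.1")

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Writing SAMPLE_PCAP to a file gives a capture that wireshark -r and tshark -r open as-is.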

www.paruluniversity.ac.in
