What is a Vulnerability?
A vulnerability is a security hole in a piece of software or hardware that provides a potential vector for attacking a system. To compromise a system, then, the first step is to find a vulnerability in it. In simple words, a vulnerability is a weakness in the software that allows an attacker to gain control.
Payload: The code an exploit delivers once the vulnerability has been triggered; it is what actually lets the attacker control the exploited system (a reverse shell, for example).
Vulnerability assessments are necessary for discovering potential vulnerabilities throughout the environment. Many tools automate this process, so that even an inexperienced security professional or administrator can determine the security posture of their environment with reasonable accuracy. Full exploitation of systems and services is generally out of scope for a normal vulnerability assessment engagement.
Systems are typically enumerated and evaluated for vulnerabilities, and testing can often be done with or without authentication. Most vulnerability management and scanning solutions provide actionable reports that detail mitigation strategies such as applying missing patches or correcting insecure system configurations.
Vulnerability identification lets you do your homework: you learn which vulnerabilities your target is susceptible to, so you can plan a more targeted set of attacks.
Different operating systems respond differently to particular network probes because of the different TCP/IP stack implementations they use. These unique responses serve as a fingerprint that the vulnerability scanner uses to guess the operating system and version; remote fingerprinting is an educated guess, though, and it rarely tells you the patch level on its own. A vulnerability scanner can also use a given set of user credentials to log into the remote system and enumerate the installed software and services to determine whether they are patched, which is far more accurate than judging from the outside. With the results it obtains, the scanner presents a report outlining any vulnerabilities detected on the system. That report is useful for both network administrators and penetration testers. A vulnerability scanner saves you from having to probe systems manually to determine their patch levels and vulnerabilities. Whether you use an automated scanner or do it manually, scanning is one of the most important steps in the penetration testing process; if done thoroughly, it provides the best value to your client.
Server-side attacks are about finding and exploiting vulnerabilities in the services, ports, and applications running on a server. A web server, for example, has several attack vectors: it runs an operating system, it runs various pieces of software to provide web functionality, and it has a number of open TCP ports. Each of these vectors could harbor a vulnerability that an attacker can exploit to get into the system and obtain valuable information. Many server protocols also speak in readable, unencrypted text, so the first thing a service says on connect often reveals the software and version behind the port. Let's take a look at some tools.
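As an added example (not part of the original post), here is the unauthenticated side of the same enumeration in Python: a TCP connect scan to find open ports, followed by a banner grab that reads the plaintext greeting a service sends. So that it runs offline, the snippet starts its own constructed stand-in service on a loopback port that answers with an SSH-style identification line; the host, port and banner are assumptions for the demonstration, not a real target.

```python
import socket
import threading

# Constructed stand-in for a real network service so the example runs offline:
# it answers every connection with an SSH-style identification line, which is
# the kind of readable, unencrypted greeting many server protocols start with.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on a random loopback port and send `banner` to every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:      # client already left (a plain port probe)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: a port counts as open if the handshake completes."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def grab_banner(host, port, probe=b"", timeout=2.0):
    """Connect, optionally send a protocol probe (an HTTP HEAD request, for
    services that only talk after the client does), and return the first
    thing the service says, decoded as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("latin-1", errors="replace").strip()


def parse_ssh_banner(banner):
    """Split 'SSH-<protoversion>-<softwareversion> [comment]' (RFC 4253 §4.2)
    into its parts; return None if the text is not an SSH identification."""
    if not banner.startswith("SSH-"):
        return None
    head, _, comment = banner.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3:
        return None
    return {"protocol": parts[1], "software": parts[2], "comment": comment}


if __name__ == "__main__":
    listener, port = start_fake_service()
    # Against a real host you would pass a range of ports here.
    for p in scan_ports("127.0.0.1", [port]):
        banner = grab_banner("127.0.0.1", p)
        print(p, repr(banner), parse_ssh_banner(banner))
    listener.close()
```

The software string a banner gives away (here `OpenSSH_8.2p1` with an `Ubuntu-4ubuntu0.5` comment) is what an uncredentialed scanner feeds into its version checks, which is also why a hardened server keeps such banners as terse as the protocol allows.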
Nessus depends on vulnerability checks delivered as plugin feeds in order to locate vulnerabilities on our chosen target. At the time of writing Nessus comes in two flavors of feed: Home and Professional (Tenable has since renamed these; the free non-commercial edition is now called Nessus Essentials).
Home Feed: The Home Feed is for noncommercial/personal usage. Using Nessus in a professional environment for any reason requires the Professional Feed.
Professional Feed: The Professional Feed is for commercial usage. It includes support and additional features such as unlimited concurrent connections. If you are a consultant performing tests for a client, the Professional Feed is the one for you.
OpenVAS, the Open Vulnerability Assessment System, is an excellent framework that can be used to assess the vulnerabilities of our target. It is a fork of the Nessus project. Unlike Nessus, OpenVAS offers its feeds completely free of charge.
Webshag is a multi-threaded, multi-platform tool used to audit web servers. It bundles the functions commonly needed for that job, such as port scanning, URL scanning and file fuzzing. It can scan a web server over HTTP or HTTPS, through a proxy, and using HTTP authentication (basic or digest). In addition, Webshag has IDS evasion capabilities aimed at making correlation between its requests harder. Webshag also provides some less common capabilities, such as retrieving the list of domain names hosted on a target machine and fuzzing with dynamically generated file names. It can fingerprint web pages in a way that is resistant to content changes; this feature is designed as a false-positive removal algorithm for dealing with "soft 404" server responses, where a server returns a 200 status and an error page for paths that do not exist.
Vega is a security testing tool used to crawl a website and analyze page content to find links as well as form parameters. Vega offers details about the vulnerabilities it finds in the central display window as well as on a summary page. These details can be copied into a final deliverable.
There are a few more powerful scanning tools. OWASP ZAP can also be used for passive scanning; I would suggest ZAP because it integrates with the Selenium API. Just wait for it, fellas, I'm going to post about it soon.