InfoSecLabs
  • Information Security Labs
  • Cryptography
    • Introduction to OpenSSL/LibreSSL
    • Symmetric cryptography
    • Asymmetric cryptography
    • Hashes and Message Authentication Codes
    • Elliptic Curve Cryptography
    • Diffie-Hellman (DH)
    • Digital Signatures
    • Digital Certificates
    • S/MIME
    • OCSP - Online Certificate Status Protocol
    • SSL/TLS
  • Passwords
    • Understanding and attacking password-based systems
    • THC-Hydra
    • John the Ripper
    • Hashcat
  • Vulnerability Testing
    • Introduction to vulnerability testing
    • Reconnaissance and Footprinting
      • OSINT
      • Maltego
      • Recon-ng
      • theHarvester
      • dmitry
    • Scanning and Enumeration
      • Nmap
      • Hping3
    • Vulnerability Identification and Analysis
      • OpenVAS
        • OpenVAS Architecture
        • Installing OpenVAS on Kali Linux
        • Starting and Stopping OpenVAS
        • Navigating through OpenVAS
        • Scanning a target
      • Nessus
  • Vulnerability Exploitation
    • About the Metasploit Framework
    • Basics of Metasploit Framework
    • Exploitation with Metasploit Framework
      • vsftp Backdoor Vulnerability [CVE-2011-2523]
      • UnrealIRCd backdoor [CVE-2010-2075]
      • distCC RCE [CVE-2004-2687]
      • Java RMI Server Insecure Default Configuration RCE Vulnerability
      • VNC Brute Force Login
      • MySQL / MariaDB Default Credentials (MySQL Protocol)
      • SAMBA (Samba “username map script” Command Execution)
      • Tomcat (Apache Tomcat Manager Application Deployer Authenticated Code Execution)
      • Apache (CGI Argument Injection)
      • Windows Eternalblue [CVE-2017-143,144,145,146,148]
    • Create payload to exploit users
  • Application Security
    • DVWA - Damn Vulnerable Web Application
      • Introduction
      • Setup
      • Web Apps Vulnerability Testing
        • Brute-Force
        • Command Injection
        • File inclusion
        • File upload
        • SQL Injection
        • SQL Injection (Blind)
        • XSS (Reflected)
        • XSS (Stored)
  • Social Engineering
Powered by GitBook
On this page
  • Table of Contents
  • Setup
  • How an attacker acts
  • Methodologies for vulnerabilities identification
  • Important references to consider
  1. Vulnerability Testing

Introduction to vulnerability testing

PreviousVulnerability TestingNextReconnaissance and Footprinting

Last updated 2 years ago

Table of Contents

  • Setup

  • How an attacker acts

  • Methodologies for vulnerabilities identification

  • Important references to consider

Setup

Throughout this lab you will need to use the following material:

  • a web browser

  • the Kali Linux virtual machine

  • some vulnerable virtual machines - in this case, we are going to use the Metasploitable 2 and Windows 7 virtual machines.

How an attacker acts

An attacker conducts several activities from selecting target/objective until the compromise of such target. One of the frameworks that helps understand what happens during an attack is provided by the Cyber Kill Chain. This was developed by Lockheed Martin and represents a model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.

The seven steps of the framework enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. The seven steps are:

  1. Reconnaissance: research, identification and selection of possible targets;

  2. Weaponization: pairing remote access malware with exploit into a deliverable payload. Creating some malicious file that can be used to exploit a vulnerability and compromise a victim;

  3. Delivery: the transmission of the weapon created on the previous step to the target. How the weapon is delivered to the target;

  4. Exploitation: once delivered the weapon code is triggered and the vulnerable systems or applications are exploited;

  5. Installation: the weapon may install a backdoor on the target system, allowing persistent access to an attacker;

  6. Command & Control: outside server communication with the weapons previously delivered allowing an attacker to remotely control and command the compromised targets;

  7. Actions on Objective: the attacker will work to achieve the objective of the intrusion, and possibly escalate the intrusion to other systems.

Another important referential is the MITRE ATT&CK framework. According to MITRE, this framework is globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

The framework identifies a set of adversary tactics that we should be aware and a group of techniques to implement those tactics:

  • Reconnaissance

  • Resource Development

  • Initial Access

  • Execution

  • Persistence

  • Privilege Escalation

  • Defense Evasion

  • Credential Access

  • Discovery

  • Lateral Movement

  • Collection

  • Command and Control

  • Exfiltration

  • Impact.

Methodologies for vulnerabilities identification

Most of the times it is important to use the proper methodology to conduct the analysis and identification of vulnerabilities. There are plenty of choices to consider, and one of the most relevant one is the Penetration Execution Standard (PTES) that defines a set of stages for conducting vulnerabilities assessment.

PTES identifies the following stages:

  • Pre-engagement interactions

  • Intelligence gathering

  • Threat modelling

  • Vulnerability analysis

  • Exploitation

  • Post Exploitation

  • Reporting

This can be represented generically in the following image:

In this lab we are only going to address the Reconnaissance (Pre-engagement interactions) and Vulnerability Analysis phases. Exploitation and Post-Exploitation will be addressed in the following lab.

Important references to consider

There are some important references to consider that are important in this field. Consider looking of information about the following:

  • SCAP - Security Content Automation Protocol, NIST leaded initiative to standardize vulnerability management between the different vulnerability identification and management software;

  • Languages:

    • OVAL - Open Vulnerability and Assessment Language: is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.

  • Identification schemes:

    • CPE - Common Platform Enumeration: a structured naming scheme for information technology systems, software, and packages.

    • CWE - Common Weakness Enumeration: community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

    • CVE - Common Vulnerabilities and Exposures: provides a reference-method for publicly known information-security vulnerabilities and exposures. Another place to visit is the CVE Details site.

  • Metrics

    • CVSS - Common Vulnerability Scoring System: is a free and open industry standard for assessing the severity of computer system security vulnerabilities. You may also use this calculator to understand how this metric calculation works.

intrusion kill chain