Introduction to vulnerability testing
Last updated
Throughout this lab you will need to use the following material:
a web browser
the Kali Linux virtual machine
some vulnerable virtual machines - in this case, we are going to use the Metasploitable 2 and Windows 7 virtual machines.
An attacker carries out several activities, from selecting a target or objective to compromising it. One framework that helps to understand what happens during an attack is the Cyber Kill Chain. It was developed by Lockheed Martin and is a model for identifying and preventing cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.
The seven steps of the framework enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. The seven steps are:
Reconnaissance: research, identification and selection of possible targets;
Weaponization: pairing remote access malware with an exploit into a deliverable payload, i.e. creating a malicious file that can be used to exploit a vulnerability and compromise a victim;
Delivery: the transmission of the weapon created in the previous step to the target, i.e. how the weapon reaches the target;
Exploitation: once delivered, the weapon's code is triggered and the vulnerable systems or applications are exploited;
Installation: the weapon may install a backdoor on the target system, allowing persistent access to an attacker;
Command & Control: an outside server communicates with the weapons previously delivered, allowing an attacker to remotely command and control the compromised targets;
Actions on Objective: the attacker will work to achieve the objective of the intrusion, and possibly escalate the intrusion to other systems.
Another important reference is the MITRE ATT&CK framework. According to MITRE, this framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
The framework identifies a set of adversary tactics that we should be aware of, and a group of techniques used to implement each of those tactics:
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Most of the time it is important to use a proper methodology to conduct the analysis and identification of vulnerabilities. There are plenty of choices to consider, and one of the most relevant is the Penetration Testing Execution Standard (PTES), which defines a set of stages for conducting a vulnerability assessment.
PTES identifies the following stages:
Pre-engagement interactions
Intelligence gathering
Threat modelling
Vulnerability analysis
Exploitation
Post Exploitation
Reporting
This can be represented generically in the following image:
In this lab we are only going to address the Reconnaissance (Pre-engagement interactions) and Vulnerability Analysis phases. Exploitation and Post-Exploitation will be addressed in the next lab.
There are some important references to consider in this field. Consider looking for information about the following:
SCAP - Security Content Automation Protocol: a NIST-led initiative to standardize vulnerability management across the different vulnerability identification and management tools;
Languages:
OVAL - Open Vulnerability and Assessment Language: an international information-security community standard that promotes open and publicly available security content, and standardizes the transfer of this information across the entire spectrum of security tools and services.
Identification schemes:
CPE - Common Platform Enumeration: a structured naming scheme for information technology systems, software, and packages.
CWE - Common Weakness Enumeration: a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts.
CVE - Common Vulnerabilities and Exposures: provides a reference method for publicly known information-security vulnerabilities and exposures. Another place to visit is the CVE Details site.
Metrics:
CVSS - Common Vulnerability Scoring System: a free and open industry standard for assessing the severity of computer system security vulnerabilities. You may also use this calculator to understand how the metric calculation works.