1
00:00:00,390 --> 00:00:05,100
So there we've scanned the network and discovered all the system ports and services.

2
00:00:05,100 --> 00:00:08,820
But now it's time to scan for vulnerabilities.

3
00:00:09,870 --> 00:00:16,940
A vulnerability scan is one of the most important parts of a penetration test or ethical hacking. Vulnerability

4
00:00:16,950 --> 00:00:24,510
scanning is an inspection of the potential points of compromise on a computer network to identify

5
00:00:24,510 --> 00:00:32,340
security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks and

6
00:00:32,340 --> 00:00:37,160
network devices and predicts the effectiveness of countermeasures.

7
00:00:37,500 --> 00:00:40,290
So let's think about that term, vulnerability, first.

8
00:00:40,310 --> 00:00:46,770
I want to show you two vulnerability definitions from two important documents.

9
00:00:46,770 --> 00:00:54,630
The first document, ISO 27005, is the name of the prime 27000-series standard covering information

10
00:00:54,630 --> 00:01:02,210
security risk management. The standard provides guidelines for information security risk management (ISRM)

11
00:01:02,260 --> 00:01:08,410
in an organization, specifically supporting the requirements of an information security management system

12
00:01:08,710 --> 00:01:12,150
defined by ISO 27001.

13
00:01:12,160 --> 00:01:20,570
So according to ISO 27005, a vulnerability is a weakness of an asset or group of assets that

14
00:01:20,570 --> 00:01:23,850
can be exploited by one or more threats.

15
00:01:25,700 --> 00:01:32,780
The second document is published by NIST. That's the National Institute of Standards and Technology. NIST

16
00:01:33,020 --> 00:01:41,520
is a measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce.

17
00:01:41,540 --> 00:01:46,160
Its mission is to promote innovation and industrial competitiveness.
18
00:01:46,420 --> 00:01:52,670
NIST has very good guides about cybersecurity. So, if you are cyber security personnel, you should definitely

19
00:01:52,670 --> 00:01:54,150
keep your eyes on this.

20
00:01:54,500 --> 00:02:02,420
So according to NIST, a vulnerability is a flaw or weakness in a system's security procedures, design, implementation

21
00:02:02,510 --> 00:02:10,940
or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result

22
00:02:11,210 --> 00:02:16,170
in a security breach or a violation of the system's security policy.

23
00:02:17,010 --> 00:02:23,350
Let's see the basic vulnerability detection methods. By looking at an application's banner information,

24
00:02:24,100 --> 00:02:27,680
or by obtaining version information of the application,

25
00:02:27,700 --> 00:02:31,660
it is possible to know about potential weaknesses in that application.

26
00:02:33,050 --> 00:02:39,050
The weaknesses found in certain versions of applications are detected over time, and this information

27
00:02:39,050 --> 00:02:44,880
is collected in vulnerability databases. By looking at these databases,

28
00:02:44,910 --> 00:02:49,390
you may have information about whether there is a weakness in that application.

29
00:02:50,650 --> 00:02:56,380
Now, protocols used by the application in communication with the client may have vulnerabilities.

30
00:02:56,380 --> 00:02:59,050
In this case the application can be exploited.

31
00:02:59,060 --> 00:03:03,460
A weak encryption algorithm in communication is an example.

32
00:03:03,650 --> 00:03:10,710
Vulnerability scanners send different types of packets over the network. A scanner examines the behavior

33
00:03:10,710 --> 00:03:16,470
of the servers in response to these packets and checks whether these behaviors are similar to the behaviors

34
00:03:16,560 --> 00:03:23,590
of vulnerable services. Wrong configurations may cause vulnerabilities and weaknesses.
35
00:03:23,590 --> 00:03:28,570
For example, if you configure your web application's authentication mechanism to allow three-character

36
00:03:28,580 --> 00:03:33,220
passwords, it can very easily be cracked by attackers.

37
00:03:33,260 --> 00:03:40,070
A vulnerability scanner is a software program designed to assess computers, computer systems, networks

38
00:03:40,070 --> 00:03:43,190
or applications for known weaknesses.

39
00:03:43,190 --> 00:03:49,330
In plain words, these scanners are used to discover the weak points or poorly constructed parts. It's

40
00:03:49,460 --> 00:03:56,120
utilized for the identification and detection of vulnerabilities relating to misconfigured assets or

41
00:03:56,120 --> 00:04:03,500
flawed software that resides on a network-based asset, such as a firewall, router, web server, application

42
00:04:03,500 --> 00:04:04,760
server, etc.

43
00:04:06,700 --> 00:04:09,660
There are a lot of vulnerability scanners.

44
00:04:09,850 --> 00:04:15,390
Some of them are listed in the slide. We have seen Nmap in previous lectures

45
00:04:15,390 --> 00:04:21,510
as a network scanner, and we also learnt that with the help of the Nmap Scripting Engine (NSE) it's possible

46
00:04:21,510 --> 00:04:29,590
to use Nmap as a simple vulnerability scanner. Nessus is one of the most popular and capable vulnerability

47
00:04:29,590 --> 00:04:38,060
scanners. We'll see it in detail in the next lecture. Microsoft Baseline Security Analyzer provides a

48
00:04:38,060 --> 00:04:44,410
streamlined method to identify missing security updates and common security misconfigurations.

49
00:04:44,780 --> 00:04:50,780
It's only for Microsoft systems, and we have to say that it's not an overall vulnerability scanner at

50
00:04:50,780 --> 00:04:51,380
all.

51
00:04:51,500 --> 00:04:57,080
But no matter what, if you have Windows systems in your network, it would be better if you use Microsoft

52
00:04:57,080 --> 00:05:00,690
Baseline Security Analyzer.
Nexpose

53
00:05:00,700 --> 00:05:07,870
is a commercial tool developed by Rapid7, which are the producers of the Metasploit Framework.

54
00:05:08,960 --> 00:05:15,240
It is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including

55
00:05:15,240 --> 00:05:23,980
discovery, detection, verification, risk classification, impact analysis, reporting and mitigation.

56
00:05:24,000 --> 00:05:32,540
It integrates with Metasploit for vulnerability exploitation. OpenVAS is an open source vulnerability

57
00:05:32,540 --> 00:05:36,350
scanner that was forked from the last free version of Nessus

58
00:05:36,500 --> 00:05:45,670
after that tool went proprietary in 2005. SAINT is a commercial vulnerability assessment tool. Like Nessus,

59
00:05:45,680 --> 00:05:52,680
it used to be free and open source but is now a commercial product. Unlike Nexpose and QualysGuard,

60
00:05:53,090 --> 00:05:55,860
SAINT runs on Linux and Mac OS X.

61
00:05:55,980 --> 00:06:05,480
In fact, SAINT is one of the few scanner vendors that don't support (run on) Windows at all. GFI LanGuard

62
00:06:06,530 --> 00:06:12,950
is a network security and vulnerability scanner designed to help with patch management, network and software

63
00:06:13,040 --> 00:06:16,330
audits and vulnerability assessments.

64
00:06:16,340 --> 00:06:20,240
The price is based on the number of IP addresses you wish to scan.

65
00:06:20,240 --> 00:06:29,970
A free trial version for up to 5 IP addresses is available. QualysGuard is a popular cloud-based SaaS (software as a service)

66
00:06:29,970 --> 00:06:36,840
vulnerability management offering. Its web-based UI offers network discovery and mapping, asset

67
00:06:36,840 --> 00:06:43,160
prioritisation, vulnerability assessment reporting and remediation tracking according to business risk.
68
00:06:44,270 --> 00:06:51,170
Secunia PSI (Personal Software Inspector) is a free security tool designed to detect vulnerable and

69
00:06:51,170 --> 00:06:58,260
outdated programs and plugins that expose your PC to attacks. Attacks exploiting vulnerable programs

70
00:06:58,260 --> 00:07:02,630
and plugins are rarely blocked by traditional anti-virus programs.

71
00:07:02,850 --> 00:07:10,320
So Secunia PSI checks only the machine it is running on, while its commercial sibling, Secunia CSI (Corporate

72
00:07:10,320 --> 00:07:11,720
Software Inspector),

73
00:07:11,780 --> 00:07:20,700
I know what you TV fans are thinking, anyway, that one scans multiple machines on a network. So a vulnerability

74
00:07:20,700 --> 00:07:26,520
database is a platform aimed at collecting, maintaining and disseminating information about discovered

75
00:07:26,520 --> 00:07:30,480
vulnerabilities targeting real computer systems.

76
00:07:30,540 --> 00:07:36,480
The database will customarily describe the identified vulnerability, assess the potential impact

77
00:07:36,480 --> 00:07:41,580
on computer systems and the workaround required to stop a hacker.

78
00:07:41,730 --> 00:07:52,210
Now here are the most known vulnerability databases. The Open Sourced Vulnerability Database (OSVDB) was an

79
00:07:52,210 --> 00:07:58,770
independent and open source database where the goal of the project was to provide accurate, detailed, current

80
00:07:59,250 --> 00:08:03,750
and unbiased technical information on security vulnerabilities.

81
00:08:03,810 --> 00:08:09,580
The project promoted greater and more open collaboration between companies and individuals.

82
00:08:09,630 --> 00:08:16,800
The project was started in August 2002 at the Black Hat and DEF CON conferences by several industry notables.

83
00:08:17,310 --> 00:08:19,680
On the 5th of April 2016

84
00:08:19,680 --> 00:08:24,630
the database was shut down, although the blog will continue.
85
00:08:24,750 --> 00:08:30,840
The National Vulnerability Database is the US government repository of standards-based vulnerability

86
00:08:30,840 --> 00:08:39,159
management data represented using the Security Content Automation Protocol (SCAP). This data enables automation

87
00:08:39,159 --> 00:08:47,720
of vulnerability management as well as security measurement and compliance. NVD includes databases of security

88
00:08:47,720 --> 00:08:57,810
checklists, security-related software flaws, misconfigurations, product names, and impact metrics. CVEdetails.com

89
00:08:57,820 --> 00:09:07,460
is a free CVE security vulnerability database/information source. You can view vulnerability details, exploits,

90
00:09:07,460 --> 00:09:15,530
references, Metasploit modules, a full list of vulnerable products, CVSS score reports and vulnerability

91
00:09:15,530 --> 00:09:21,480
trends over time. CVE, Common Vulnerabilities and Exposures,

92
00:09:21,820 --> 00:09:27,760
is a system that provides a reference method for publicly known information security vulnerabilities

93
00:09:27,760 --> 00:09:28,950
and exposures.