Study Guide: CompTIA CySA+ Cybersecurity Analyst Certification: Threat and Vulnerability Management - Analyzing The Output From Common Vulnerability Assessment Tools
Source: https://www.fatskills.com/comptia-cysa-cybersecurity-analyst-certification/chapter/comptia-cysa-cybersecurity-analyst-certification-threat-and-vulnerability-management-analyzing-the-output-from-common-vulnerability-assessment-tools

By Fatskills Exam Guides Team


Objective 1.4: Given a scenario, analyze the output from common vulnerability assessment tools

Vulnerability Assessment Tools
To discover the weaknesses in our systems, we have a wide variety of vulnerability assessment tools at our disposal. Finding vulnerabilities in systems isn’t a process strictly confined to using technical tools, however. During a full vulnerability assessment, we should use a variety of methods that will expose weaknesses in all aspects of the system. Analysts should be reviewing system documentation, such as log files, architectural diagrams, and so forth, to determine how the system is designed and constructed, and to confirm that it has been built and performs securely. Assessors should also be interviewing and asking questions of systems personnel, such as system administrators and security technicians. And finally, another method for determining vulnerabilities is to observe the system in operation. Watching someone perform a security function on the system, to confirm that it works as it should, is a viable method for determining if a system has any weaknesses. However, the focus of this objective is the technical tools we use to determine technical configuration vulnerabilities in the system. There are so many technical tools available for us to use, and we will classify them, as the exam does, according to their function and use. Keep in mind that these are not necessarily all the tools available to you, but these are key tools you will need to have some familiarity with for the exam. Also, there’s no way we could cover every function of every tool, and the exam will not specifically ask you for that either, but it’s a good idea to study them, understand them, and even install and use them in a lab environment to prepare for the test.

Exam tip: You will not be expected to know the details of every single tool, but you should be familiar with their basic use and know a scenario in which you might employ them.

Application Tools
Application tools can be broken up into web application scanners and more generic software code tools. These are classified according to the type of application or service that is provided, such as web-based applications and client/server applications. Obviously, in today’s world, you’re going to see a mix that can’t easily be defined by a distinct boundary. However, web application tools focus more on vulnerabilities associated with web-based infrastructures, and the software application tools we’re going to discuss focus more on the application code itself.

Web Application Scanners
Our first category of application vulnerability assessment tools is web application scanners. These give us insight into technical vulnerabilities, such as configuration issues, in web-based applications and the underlying servers that host them. Web application scanners can give us detailed information on weaknesses that might lead to web-based attacks, including cross-site scripting, cross-site request forgery, buffer overflow attacks, and several others.

OWASP Zed Attack Proxy (ZAP)
The Open Web Application Security Project (OWASP) operates as a non-profit focused on software security. It has developed several open-source software projects, including its most popular one, the Zed Attack Proxy (ZAP). ZAP, like some of the other web application vulnerability scanners discussed below, falls into the category of intercepting proxies: placed between the browser and the web application, they allow the analyst to send and receive highly customizable traffic and analyze it to determine vulnerabilities in the web application itself. As with other web application vulnerability scanners, ZAP will scan a web application and determine whether it has common vulnerabilities, such as cross-site scripting, injection vulnerabilities, input validation issues, and so on. It can also determine whether the web application server has insecure files and directories, insecure permissions, and other configuration problems.

The figure below shows ZAP in action, identifying serious vulnerabilities within the target web application.


FIGURE: Zed Attack Proxy in action

Burp Suite
Burp Suite is another highly popular web application vulnerability scanner whose free community edition comes with popular Linux-based penetration testing distributions, such as Kali Linux. It allows the user to construct highly customizable and complex scan options. Burp has several modes, including a proxy mode that allows a user to inspect every request and response sent to and from a web application server. Burp also allows the analyst to customize traffic sent to the web application to elicit specific responses and take advantage of any discovered vulnerabilities. Burp has an intruder mode, which can execute customizable attacks against the server. Burp’s interface can be daunting at first, as it is complex and requires a significant level of web application and penetration testing knowledge. The paid professional version offers a significant number of additional features.

Nikto
Nikto is an older web application vulnerability testing tool and is usually seen as a command-line tool. Like ZAP and Burp Suite, it is also included with the penetration testing Linux distribution, Kali Linux. While lacking the finesse and complexity of some of its more modern, GUI-based brethren, Nikto is lightweight and very quick with simple scans that can determine several key vulnerabilities in a web application.

The figure below shows sample output from a Nikto scan.

FIGURE: Nikto scan output

Arachni
Arachni is a web application security scanner framework that can operate across multiple platforms, including Windows, macOS, and Linux. It is Ruby-based and is used to evaluate the security of web-based applications. Its intuitive multiuser, multiscan interface can use preconfigured scan profiles. Arachni is free, open-source software whose source code is publicly available for inspection. It is highly customizable, allowing the user to develop custom checks, plug-ins, reporters, and other configuration items. One of its many positive features is that it is easy to install, with no required dependencies, such as databases, system services, or other libraries. The user simply downloads and extracts the package on a supported OS, adds an IP address to scan, and can immediately begin scanning the target web application server.
Its report formats are standardized, like those of most other vulnerability scanners, in that it can produce reports in HTML, XML, CSV, PDF, and other common formats.

Note: Many of these web vulnerability application tools can perform the same functions, so it becomes a matter of preference as to which tool you might use in a given scenario. As a matter of thoroughness, many analysts use multiple tools at once to verify that a vulnerability is real and not a false positive. If more than one tool reports the same vulnerability, you can be more assured that it is a valid finding.

Software Assessment Tools and Techniques
Software provides many different threat vectors and avenues of attack for malicious entities. This is particularly true with software in a web-based application since it may be directly exposed to the Internet. Web servers and their underlying applications and databases are constantly attacked, so cybersecurity analysts must be vigilant in staying on top of any vulnerabilities found in these systems. Cybersecurity analysts can use several methods to detect vulnerabilities, including static and dynamic analysis, reverse engineering, and fuzzing. These methods should be used by an experienced cybersecurity analyst who has a background in software application programming. All these methods should be used in different ways to determine the whole vulnerability picture for a web server and application.

Static Analysis
One of the many ways of finding vulnerabilities in software is to get down into the weeds and look at its underlying code. There are different ways to perform what we call code reviews, and one of them is static analysis. Static analysis is when we use an automated method, usually a specific type of vulnerability or security tool, to analyze the application’s code without executing it. These tools typically look for a wide variety of known software or security flaws, such as embedded passwords. They can also be configured to look for more unusual issues, depending upon the specific application they are examining. Manual code review can also be performed on software applications, but typically a manual review involves a human being looking for specific flaws that an automated tool may not catch. Both are preferred methods of reviewing code and looking for vulnerabilities.

Dynamic Analysis
While static analysis and manual code review are excellent in looking for specific flaws that are typically known to cybersecurity analysts, they’re not always good at predicting how a piece of software will behave once it is running. That’s what dynamic analysis can do. Dynamic analysis is characterized by actually executing the binaries of the application in a controlled environment, typically a sandbox, so we can see how the application behaves. We can use this type of analysis to record and analyze software actions to determine if it’s behaving in a way that would violate security policies.

Exam tip: Remember that static analysis involves reviewing code through automated or manual means without executing the code. Dynamic analysis means that you actually execute the code and run the software program in a controlled environment such as a sandbox.

Reverse Engineering
While we should use both static and dynamic analysis to help discover vulnerabilities such as security flaws and unstable behavior in applications, this is typically only useful if we have the source code available to us, such as in the case of in-house application development. Sometimes, however, we may acquire a piece of software that is suspected to be malware or otherwise could cause harm or damage to our systems. In this case, it is useful to reverse engineer the software. While we can reverse engineer both hardware and software, in the case of applications, what we are doing is breaking the program down into its component parts. This means disassembling the executables into lower-level representations, such as assembly or even machine language. This allows us to see how the program is constructed, what its executables are capable of, and their characteristics. This can help us determine whether a piece of application code is, in fact, malicious.

Fuzzing
Fuzzing is a unique way of determining vulnerabilities in an application. Both security analysts and hackers use fuzzing to elicit results from an application by sending it unusual or malformed data requests, typically through user interfaces such as web forms, for example. If the application has not been designed properly from a security perspective, it may react unusually or unexpectedly to non-standard input. In some cases, it could allow memory contents to be overwritten, causing the system to be unstable, force the system to give up data that an attacker should not be able to access, or even result in an attacker escaping outside the confines of the application into the underlying operating system, where they could conceivably run arbitrary code at their discretion.
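An added illustration of the technique (not code from the original guide): a minimal mutation fuzzer run against a constructed packet parser. The wire format, the parsers and the seed packet are all hypothetical; the naive parser trusts its length field and crashes on malformed input, while the hardened version only ever rejects it with a controlled error.

```python
import random

# Constructed wire format used only for this example:
#   TYPE(1) | LEN(1) | PAYLOAD(LEN) | CHECKSUM(1), CHECKSUM = sum(PAYLOAD) mod 256
SEED_PACKET = bytes([0x01, 0x04, 0x41, 0x42, 0x43, 0x44, (0x41 + 0x42 + 0x43 + 0x44) % 256])


def parse_packet(data: bytes) -> dict:
    """Naive parser that trusts the LEN field. A LEN larger than the real payload, or a
    truncated packet, makes the checksum read run off the end (IndexError) instead of
    being rejected cleanly: the class of unexpected behaviour fuzzing is meant to surface."""
    ptype = data[0]
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]          # reads past the buffer when LEN lies
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return {"type": ptype, "payload": payload}


def parse_packet_hardened(data: bytes) -> dict:
    """Same format, but every field is validated before it is used, so the only
    failure mode on malformed input is a controlled ValueError."""
    if len(data) < 3:
        raise ValueError("packet too short")
    ptype, length = data[0], data[1]
    if len(data) != 3 + length:          # also rejects trailing junk the naive parser ignores
        raise ValueError("LEN does not match packet size")
    payload = data[2:2 + length]
    if sum(payload) % 256 != data[2 + length]:
        raise ValueError("bad checksum")
    return {"type": ptype, "payload": payload}


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """One random mutation of the seed: overwrite a byte, truncate, or append junk."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        del buf[rng.randrange(len(buf) + 1):]
    else:
        buf.extend(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(buf)


def fuzz(target, seed=SEED_PACKET, iterations=500, rng_seed=1):
    """Feed mutated inputs to `target`. ValueError is the parser's documented rejection
    path; any other exception is recorded as a crash, keyed by exception type, together
    with the first input that triggered it (the reproducer an analyst would file)."""
    rng = random.Random(rng_seed)        # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng, seed)
        try:
            target(data)
        except ValueError:
            continue                     # graceful rejection, not a finding
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, data)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_packet), ("hardened", parse_packet_hardened)):
        found = fuzz(parser)
        print(f"{name}: {len(found)} crash class(es)")
        for exc_name, sample in found.items():
            print(f"  {exc_name} on input {sample.hex()}")
```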

Infrastructure Tools
Included in our analyst’s toolbox are vulnerability scanners for networks and hosts. These don’t focus on application code, but rather on how network hosts connect and how secure configurations and protocols transport data over the network. First, we’ll discuss network enumeration tools, which provide us with a wealth of information about the network and can give us insight into potential vulnerabilities involving ports, protocols, and services. Then, we’ll look at more specific vulnerability scanners that can get into the operating system and application level to tell us what system patches and configuration changes may be needed.

Network Enumeration
When we discuss enumerating the network, what we’re talking about is discovering information about what operating systems may be on the network, ports that these operating systems have open, protocols they use, and services they provide to the network. Network enumeration can tell us if any non-secure elements could be exploited for vulnerabilities. It can also generate a useful map that tells us what type of hosts are on the network and how network traffic might flow between them.

Active vs. Passive Enumeration
Two types of network vulnerability scans you will see are active and passive scans. An active scan attempts a connection with the network host during the scanning process and is generally considered better in terms of the accuracy and volume of information it generates. A passive scan does not attempt a connection with a host. However, a passive scan does not generally yield as much or as accurate information as an active scan. An active scan is considered “noisy” in that the connection attempts are easily detected and recorded by intrusion detection systems and audit mechanisms. This isn’t necessarily important if you’re a system administrator performing an authorized scan on your network, but for a malicious actor, an active scan is generally avoided unless they believe there is little chance of detection by the target network. A passive scan may not be detected, depending on the type of scan you use and the types of intrusion detection systems present.

Exam tip: Keep in mind that an active scan attempts to make a connection to a host, which can be easily detected by either a network- or host-based intrusion detection system. A passive scan does not attempt a connection, but it does try to elicit a response from the host that may look like routine traffic to an IDS. A passive scan is meant to be stealthy and reduce the risk of the attacker getting caught.
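As an added example (not part of the original guide), the following Python script shows the kind of audit trail an active scan leaves: it reads constructed firewall connection records in a hypothetical format and flags any source that touches many distinct ports on one host within a short window. A passive scan, which makes no connections, leaves no such records to alert on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed connection-attempt records in a hypothetical firewall log format (not real data).
# 10.0.0.77 probes twelve ports on 10.0.0.20 in under a minute; 10.0.0.15 is ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.15 dst=10.0.0.20 dport=443 proto=tcp
2024-05-01T10:00:05 src=10.0.0.77 dst=10.0.0.20 dport=21 proto=tcp
2024-05-01T10:00:06 src=10.0.0.77 dst=10.0.0.20 dport=22 proto=tcp
2024-05-01T10:00:07 src=10.0.0.77 dst=10.0.0.20 dport=23 proto=tcp
2024-05-01T10:00:08 src=10.0.0.77 dst=10.0.0.20 dport=25 proto=tcp
2024-05-01T10:00:09 src=10.0.0.77 dst=10.0.0.20 dport=53 proto=tcp
2024-05-01T10:00:10 src=10.0.0.77 dst=10.0.0.20 dport=80 proto=tcp
2024-05-01T10:00:11 src=10.0.0.77 dst=10.0.0.20 dport=110 proto=tcp
2024-05-01T10:00:12 src=10.0.0.77 dst=10.0.0.20 dport=135 proto=tcp
2024-05-01T10:00:13 src=10.0.0.77 dst=10.0.0.20 dport=139 proto=tcp
2024-05-01T10:00:14 src=10.0.0.77 dst=10.0.0.20 dport=143 proto=tcp
2024-05-01T10:00:15 src=10.0.0.77 dst=10.0.0.20 dport=443 proto=tcp
2024-05-01T10:00:16 src=10.0.0.77 dst=10.0.0.20 dport=445 proto=tcp
2024-05-01T10:02:30 src=10.0.0.15 dst=10.0.0.20 dport=443 proto=tcp
2024-05-01T10:04:10 src=10.0.0.15 dst=10.0.0.20 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def detect_port_scans(events, min_ports=10, window_seconds=60):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct ports within any
    `window_seconds` sliding window. Returns {(src, dst): peak distinct-port count}."""
    recent = defaultdict(deque)          # (src, dst) -> (ts, dport) events still inside the window
    alerts = {}
    for ts, src, dst, dport in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                  # age out attempts older than the window
        distinct = len({p for _, p in q})
        if distinct >= min_ports:
            alerts[key] = max(distinct, alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible active scan: {src} -> {dst}, {n} distinct ports within 60s")
```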

Nmap
Nmap (for Network Mapper) is a tried-and-true tool that network administrators have been using for decades to scan their networks to discover what hosts are present and what services they are running. Nmap is extremely useful in that it can be configured to use a wide variety of specialized scanning techniques, including the use of various protocols to elicit information from network hosts. For example, Nmap can attempt a full TCP connection to a host, or it can use Internet Control Message Protocol (ICMP) packets to get a response. Nmap essentially sends specially crafted network traffic to a host, and depending on the port or protocol used, it can get a predictable response from the host that will tell you if a TCP or UDP port is open or closed, which protocol is being used, if a particular service is running, and which operating system is in use.
Nmap is widely used as a command-line tool, making it highly customizable and extremely easy to script, but there have also been several GUI front-end programs developed for Nmap, such as Zenmap and NmapFE, that provide an easy-to-use interface.

The figures below show the results of a network scan in Zenmap and the output of the Nmap command-line interface.

FIGURE: The results of a network scan using Zenmap

FIGURE: Output of the Nmap command

Nmap can scan a particular host or even an entire logical network segment if given the proper network address and subnet mask. Nmap can also output to a wide variety of formats, including the ubiquitous CSV format. 
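Since the objective is analyzing tool output, here is an added example (not from the original guide) that parses Nmap's XML output format (-oX) with Python, lists the open ports and service versions for each live host, and flags open cleartext services. The scan data is constructed; the addresses, versions and the cleartext service list are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) output for two hosts; all values are made up for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.20-21" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="96"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.21" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="12.4"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""

# Services that carry credentials or data in cleartext (assumed list for this example).
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap", "rlogin", "rsh", "tftp", "snmp"}


def _product(svc):
    """'product version' string from a <service> element, or '' when Nmap had no match."""
    if svc is None:
        return ""
    return " ".join(x for x in (svc.get("product"), svc.get("version")) if x)


def parse_nmap_xml(xml_text):
    """Return {ip: {"os": guess, "ports": [...]}} for hosts that are up, keeping only open
    ports. Scan output from sources you do not control should go through defusedxml instead."""
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    hosts = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue                                   # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        os_match = host.find("os/osmatch")
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "",
                "product": _product(svc),
            })
        hosts[addr] = {"os": os_match.get("name") if os_match is not None else "unknown",
                       "ports": ports}
    return hosts


def cleartext_findings(hosts):
    """(ip, port, service) triples for open cleartext services: the first items an analyst
    pulls out of an enumeration scan for remediation."""
    return [(ip, p["port"], p["service"]) for ip, h in hosts.items()
            for p in h["ports"] if p["service"] in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    result = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, h in result.items():
        print(f"{ip} ({h['os']})")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product']}".rstrip())
    for ip, port, svc in cleartext_findings(result):
        print(f"FINDING: cleartext service {svc} open on {ip}:{port}")
```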

TABLE: Nmap Command-Line Switches for Various Scanning Techniques


hping
hping has also been used for many years, and although it can also be used for simple port and service scanning, its value lies in the fact that it can manipulate packets to spoof IP addresses, use customized flags, and insert arbitrary data payloads in a packet. Hping3 (the current version of the tool) is the tool of choice to send specifically crafted packets to a host to not only elicit a response that can send useful information back to the attacker but also to initiate an attack. Although more often than not used by attackers, hping can be used by cybersecurity analysts to determine how the network host will react to certain traffic sent to them, thereby revealing potential vulnerabilities that should be mitigated.

responder
responder, developed by Trustwave SpiderLabs, is a tool used in different Linux penetration testing distributions, such as Kali Linux. It is used to poison name resolution services in Windows operating systems. If a Windows host is unable to resolve a name to an IP address using DNS, two protocols can be used to send name resolution requests out to the local network: the Link-Local Multicast Name Resolution (LLMNR) protocol and NetBIOS Name Service (NBT-NS). responder can be used to gain credentials and password hashes from systems by responding to these requests when they occur. Like hping and other attack tools, responder can be used to discover previously unknown vulnerabilities on hosts.

Network Vulnerability Scanners
Network vulnerability scanners are probably the most useful tools you can have in your cybersecurity analyst’s toolbox. These tools scan a wide variety of network hosts and report back patching and misconfiguration issues for both operating systems and some applications. Remember that server-based scanners send specific traffic to an entire network segment, without the need for any specialized software installed on the hosts. Agent-based scanners rely on a small piece of software installed on each host that scans the host periodically and simply reports the results to a centralized scanner. The advantage of an agent-based scanner is that it does not generate as much network traffic, thus saving bandwidth and reporting scan results more efficiently.
Another aspect of network vulnerability scanners you need to be aware of is the question of whether to run credentialed or non-credentialed scans. Remember that credentialed scans are more accurate but require some level of privileges on the host, so it’s necessary to configure the scan with those privileges. Non-credentialed scans do not return as much detailed information about network hosts but have the advantage of reporting results back as a potential attacker might see them. Typically, credentialed scans are more useful and most often used.

Nessus
Nessus is one of the more widely used network vulnerability scanners, originally starting as an open-source product and then gaining enough popularity to become an enterprise-level, scalable commercial product from Tenable. Nessus is available as both cloud-based and server-based solutions. Nessus is highly configurable and allows you to use a wide range of plug-ins (scanning signatures based on vulnerability or operating system). It can scan a wide variety of operating systems and applications, including all flavors of Windows, macOS, and most Linux distributions. It can also scan some embedded OS devices. It can produce vulnerability results on a variety of popular applications as well, including Microsoft Office, Java, Adobe products, and so on. You can create preconfigured scans, target lists, and several other options when configuring a scan. You can also exclude certain checks in the scan that might be considered “dangerous,” meaning that they may cause a device to shut down, hang, or reboot.
Nessus reports provide information on missing patches and updates, configuration issues, and so on. It can break those down into OS, network segment, vulnerability severity, and many other categories. Nessus can output its results in a variety of report formats, including its native Nessus (XML) format, PDF reports, and CSV format.
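As an added example, not from the original guide, the script below reads a constructed export in Nessus’s native .nessus XML format, summarizes findings per host by severity, and orders the High and Critical items for remediation. The hosts, plugin IDs and finding text are made up for the example; the element and attribute names follow the .nessus v2 layout.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed .nessus (v2 XML) export. Plugin IDs and texts are invented for the example.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Constructed sample scan">
<ReportHost name="10.0.0.20">
<HostProperties>
<tag name="host-ip">10.0.0.20</tag>
<tag name="operating-system">Linux Kernel 5.15 on Ubuntu 22.04</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900001" pluginName="Constructed scan information" pluginFamily="Settings">
<risk_factor>None</risk_factor>
</ReportItem>
<ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4" pluginID="900002" pluginName="Constructed FTP server outdated version" pluginFamily="FTP">
<risk_factor>Critical</risk_factor>
<cvss3_base_score>9.8</cvss3_base_score>
<solution>Upgrade the FTP server to a supported release or disable the service.</solution>
</ReportItem>
<ReportItem port="23" svc_name="telnet" protocol="tcp" severity="2" pluginID="900003" pluginName="Constructed Telnet cleartext authentication" pluginFamily="Misc.">
<risk_factor>Medium</risk_factor>
<cvss3_base_score>5.9</cvss3_base_score>
<solution>Disable Telnet and use SSH instead.</solution>
</ReportItem>
</ReportHost>
<ReportHost name="10.0.0.22">
<HostProperties><tag name="operating-system">Windows Server 2019</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900004" pluginName="Constructed SMB missing security update" pluginFamily="Windows">
<risk_factor>High</risk_factor>
<cvss3_base_score>8.1</cvss3_base_score>
<solution>Apply the vendor security update.</solution>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

# Nessus severity codes as they appear in the severity attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict with its host, OS, port, severity and solution."""
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    findings = []
    for rh in root.iter("ReportHost"):
        host = rh.get("name")
        os_tag = rh.find("HostProperties/tag[@name='operating-system']")
        for item in rh.findall("ReportItem"):
            cvss = item.findtext("cvss3_base_score")
            findings.append({
                "host": host,
                "os": os_tag.text if os_tag is not None else "unknown",
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
                "cvss3": float(cvss) if cvss else None,
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def severity_summary(findings):
    """Per-host counts by severity name: the first view an analyst takes of a report."""
    summary = {}
    for f in findings:
        summary.setdefault(f["host"], Counter())[SEVERITY_NAMES[f["severity"]]] += 1
    return summary


def prioritized(findings, min_severity=3):
    """High and Critical items ordered by severity, then CVSS, so remediation starts at the top."""
    hits = [f for f in findings if f["severity"] >= min_severity]
    return sorted(hits, key=lambda f: (f["severity"], f["cvss3"] or 0.0), reverse=True)


if __name__ == "__main__":
    items = parse_nessus(SAMPLE_NESSUS)
    for host, counts in severity_summary(items).items():
        print(host, dict(counts))
    for f in prioritized(items):
        print(f"{SEVERITY_NAMES[f['severity']]:8} {f['host']}:{f['port']} {f['plugin']} -> {f['solution']}")
```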

An example of a critical vulnerability in a Nessus report is shown below.

FIGURE: A critical Adobe vulnerability detailed in a Nessus report

OpenVAS
OpenVAS is a widely used open-source network vulnerability scanner, a fork of the earlier Nessus open-source code. It has been maintained since 2009 by Greenbone Networks, which has included the open-source vulnerability scanner into its commercial Greenbone Security Manager products. You can also use the community open-source version on the Kali Linux penetration testing tool distribution, although it is more limited in both function and signatures. OpenVAS uses Network Vulnerability Tests, or NVTs (similar in concept to Nessus plug-ins or vulnerability signatures), to scan for over 50,000 potential vulnerabilities and configuration issues. Like Nessus, it also has a web-based interface and can be configured as a client/server setup.

The figure below shows the results of an OpenVAS vulnerability scan.

FIGURE: Results of an OpenVAS scan

Note: Most reputable network vulnerability scanners perform the same functions, so which one you use is a matter of choice, based on quality of vulnerability feeds, economic model, and standards set by the organization. However, sometimes it’s a good idea to run more than one scanner so you can verify their results with each other. A finding from one scanner confirmed by a different scanner can give you confidence that the finding is not a false positive.

Qualys
Qualys has been a leading vulnerability scanner for years and can compete head-to-head with Nessus. It is frequently used to conduct scans satisfying compliance requirements, such as PCI DSS requirements. Qualys is usually seen as a collection of cloud applications, using a subscription-based model to perform targeted scans on your network periodically. In addition to its vulnerability scanners, Qualys consolidates its cloud vulnerability scanning application with its inventory application, as well as vulnerability management, detection, and response applications.


Note: Depending on the size and complexity of the network segment you are scanning, vulnerability scanners can sometimes take long periods of time without showing any results, due to “hanging” on a particular host. One good way to make sure that the vulnerability scanner is still doing its job is to run a network sniffer, such as Wireshark, in the background so that you can see active traffic passing between the scanner and the hosts. If you see that there is no active traffic for long periods, it may indicate a problem with the scan. This can usually be resolved by restarting the scanner; in rare cases, you may need to reconfigure the scan.

Wireless Assessment
Traditional wired networks have the advantage that every node is physically connected. Wireless networks, on the other hand, are connected only by radio waves, which presents some challenges for vulnerability assessments. A variety of tools, both hardware and software, are used to assess wireless vulnerabilities. To assess vulnerabilities over wireless media, specialized wireless network cards may be required that can intercept traffic not addressed to the host itself. This is often called placing the card into monitor or promiscuous mode. Not every wireless network card can be placed in those modes of operation, and Windows, in particular, does not natively include wireless drivers that support them. Usually, you would have to purchase third-party drivers along with specialized wireless network cards to use those capture modes on Windows operating systems. Linux distributions can usually place wireless cards into either of those modes, provided the card’s chipset supports it.
As with traditional wired network vulnerability assessment tools, a wide variety of wireless tools are available. Obviously, we can’t cover every available tool in this book, but the three specific tools mentioned on the CySA+ objectives—Aircrack-ng, Reaver, and oclHashcat—will be discussed in the next few paragraphs.

Aircrack-ng
Aircrack-ng is an open-source suite of wireless assessment tools typically found on Linux distributions, although it has also been ported to Windows operating systems. Aircrack-ng can be used to monitor wireless networks, intercept traffic, disrupt wireless communication between hosts, and even crack wireless keys, such as those used in WEP and both WPA2 and WPA3. Aircrack-ng consists of several separate tools, each with a specific purpose.

The table below lists some of the more commonly used tools found in the Aircrack-ng suite, as well as some of their more useful functions.

TABLE: Aircrack-ng Tools and Their Functions


Reaver
Reaver is a wireless vulnerability assessment tool that has a specific purpose. Reaver is used to launch attacks against wireless access points that use the Wi-Fi Protected Setup (WPS) feature. When this feature/protocol was included in wireless access points, it was designed as a way for users to connect to a wireless access point without having to remember the wireless access key or any configuration information. WPS unfortunately has a major flaw in how it validates the WPS password, or PIN, required for connection. Reaver takes advantage of the fact that the PIN is divided into two halves, and each half is validated by the access point separately. This has the effect of drastically limiting the key space, which allows Reaver to quickly crack each portion of the PIN. It’s worth noting that Reaver must use a wireless interface that has already been put into monitor mode. Reaver is typically used as a command-line tool and is included with the penetration testing distribution Kali Linux. The tool is straightforward to use; you simply include the -i and -b switches, which specify the interface and the MAC address of the wireless access point, respectively, as indicated in the following example:
#reaver -i wlan0mon -b 00:90:4C:C1:BC:21
The best way to prevent this type of attack is to simply disable WPS on the access point.

oclHashcat
oclHashcat (sometimes referred to simply as Hashcat, from its previous versions) is a modern password-cracking tool that takes advantage of the high-end graphics processors found on newer computers. Because these high-end graphics cards (typically used by gamers or others who require high-performance video graphics) have their own dedicated processing cores and memory, they can perform complex mathematical operations quickly and separately from the computer’s primary CPU. This can speed up password-cracking operations by several orders of magnitude compared with a typical computer, which must share its CPU with the operating system and other applications.
oclHashcat supports a wide variety of password-hashing algorithms, including MD4, MD5, and the Secure Hash Algorithm (SHA) family. It also supports the network security protocols that use many of these hashing algorithms, including Kerberos, NTLM, TACACS+, DNSSEC, and others. Additionally, it can crack passwords specific to particular applications, including those created in 7-Zip and VeraCrypt.
Hashcat can use a variety of common password attack methods, including brute force attacks, dictionary attacks, hybrid attacks, and many others. It comes standard with Kali Linux as well, although you can download versions of it for Windows and macOS.

Cloud Infrastructure Assessment
While cloud solutions are becoming more common in day-to-day business, managing a cloud infrastructure can be more complex than it seems at first. One of the key issues for cybersecurity analysts is the issue of monitoring parts of their infrastructure that are either connected to the cloud or actually a part of the cloud and hosted by another organization. There are challenges to securing a cloud infrastructure, and those include assessing risk and scanning for vulnerabilities within the infrastructure. This is an issue that must be addressed in the contract your organization may have with the cloud service provider. There are likely security responsibilities that are shared between your organization and the provider. Vulnerability scanning may be one of those shared responsibilities, in that your provider may have a responsibility and exclusive power over scanning off-premises parts of the infrastructure. This is something that needs to be determined in the contract negotiations with the provider.
Having said that, there are several tools available to security analysts to assess the security of cloud infrastructure services that an organization may employ. The three key ones you’ll need to know for the exam are Scout Suite, Prowler, and Pacu, which we will discuss next.

Scout Suite
Scout Suite is an open-source security auditing tool developed by the NCC Group. It uses application programming interfaces (APIs) exposed by cloud service providers. Scout Suite can gather configuration data and show potential attack surfaces for cloud infrastructures.
Scout Suite can support a variety of cloud providers, including Amazon Web Services, Microsoft Azure, Google Cloud Platform, Alibaba Cloud, and Oracle Cloud Infrastructure. Scout Suite is a series of Python scripts, and its rules for each type of cloud service are created and stored in a customized JSON file. Its results can be viewed and imported into a wide variety of formats. Scout Suite should be used only when you have appropriate contracts and/or service agreements that allow you to use it in your provider’s cloud environment.

Prowler
Prowler is a cloud security tool specifically developed for analyzing best security practices of Amazon Web Services (AWS) cloud infrastructures. Prowler uses the Center for Internet Security (CIS) AWS Foundations Benchmark and other security checks that focus on privacy, particularly the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) privacy requirements. It is a command-line tool and can currently run over 140 separate checks against the organization’s AWS implementation. It is also useful for auditing best security practices, forensics, and system hardening. As with many other assessment tools, it can output its reports in a multitude of formats, including comma-separated values (CSV). It runs primarily on Linux and macOS.

Pacu
Pacu is a cloud security tool that goes one step further and is an effective penetration testing tool for AWS cloud services. Pacu is written in Python and provides many automated attack scripts. It consists of over 35 Python modules that enable a plethora of penetration testing tasks, including infrastructure reconnaissance, persistence, privilege escalation, system enumeration, sensitive data exfiltration, and even manipulation of logs. Like Prowler, Pacu is supported on Linux and macOS.


Caution: Before you use any cloud-based security tools, make sure you are within your right to do so, as specified in your service agreement with your cloud service provider. Failure to do so may result in legal issues between your organization and the cloud service provider, since you may be considered an attacker and not as an analyst performing a legitimate, authorized security test.

Review
Objective 1.4: Given a scenario, analyze the output from common vulnerability assessment tools

In this module, we reviewed several vulnerability assessment tools, including application and infrastructure tools. Popular application tools, specifically web application scanners, include OWASP ZAP, Burp Suite, Nikto, and Arachni. Each of these tools searches out and identifies common web application vulnerabilities, which include cross-site scripting, input validation issues, and injection weaknesses. We also looked at software assessment tools and techniques, including static analysis, dynamic analysis, reverse engineering, and fuzzing. Static analysis involves analyzing the code using either automated or manual techniques. Dynamic analysis requires us to run the code in a protected environment, such as a sandbox, to determine how it executes. Reverse engineering allows us to disassemble unknown binaries to determine their characteristics and function. Finally, fuzzing allows us to send a wide variety of unorthodox input into an application to determine how it will react, thus identifying any unusual behaviors or unexpected vulnerabilities.
The infrastructure tools we examined include those designed to enumerate networks, scan for vulnerabilities, assess wireless networks, and audit cloud infrastructures. We discussed network enumeration techniques using both active and passive enumeration, as well as tools we would use to perform enumeration, including the ubiquitous Nmap. We also discussed specialized attack tools, including hping and responder. You also learned about network vulnerability scanners, including the ever-popular Nessus, OpenVAS, and Qualys. Aircrack-ng is a suite of tools used to intercept and disrupt wireless network traffic. Reaver is used to defeat the WPS protections on an access point, and oclHashcat is used to crack passwords that can be intercepted from wireless or wired networks as well as applications. Finally, we discussed the issues involved with auditing cloud infrastructures, and we reviewed three critical tools that can be used to assess an organization’s cloud presence: Scout Suite, Prowler, and Pacu.