Finding weaknesses
• Identify vulnerabilities
• From port-based service scans, using the version information (slow)
• By searching published vulnerability databases (large volume of data)
• With a vulnerability scanner, which implements vulnerability management
Dimensions defined by vulnerability management
• Information gathering
• Scans discover network IPs, operating systems, services, configurations and vulnerabilities
• Capability needed: define the scope and objectives of the scan
• Information management
• Format, filter, group and prioritize the information
• Capability needed: group assets, assign owners, track every reported vulnerability
• Information output
• Show audiences at different levels an adequate amount of information
• Capability needed: generate reports, export data, integrate with a SIEM
Vulnerability scanning types
• Active scanning
• Authenticated
• Unauthenticated
• Passive scanning
• Packet capture on a mirror port
• Other input sources
• Agent-based scanning
• Limited platform support
Basic concepts of vulnerabilities
• CVSS (Common Vulnerability Scoring System)
• Common Vulnerability Scoring System, the industry standard
• A common grading scheme that describes the severity of security vulnerabilities
• Version 3 released June 10, 2015
• Base metrics: the intrinsic, constant weights of the weakness, which do not change over time
• Temporal metrics: weights that depend on time-related factors
• Environmental metrics: weights for the requirements and difficulty of exploiting the weakness in the deployment environment
• CVSS is part of the Security Content Automation Protocol (SCAP)
• CVSS scores and CVEs are normally released together by the National Vulnerability Database (NVD), which keeps the data updated
• Score range: 0 - 10
• Different agencies define high and low threat levels from the CVSS score
• CVSS reflects the vulnerability's risk; the threat level (severity) expresses the risk impact of the vulnerability on the business
• The CVSS score is an industry standard, but the threat level is not
• Vulnerability references
• CVE (Common Vulnerabilities and Exposures)
• A dictionary of published information security vulnerabilities; a unified vulnerability numbering standard
• Maintained by MITRE (a non-profit organization)
• Most scanner check items correspond to a CVE number
• Provides a uniform standard for exchanging information between different vendors
• CVE publication process
• Identify the vulnerability
• A CNA is responsible for assigning the CVE ID
• Published to the CVE list, e.g. CVE-2008-4250
• MITRE is responsible for editing and maintaining the content
• Many vendors maintain their own vulnerability references
• MS
• MSKB
• Other vulnerability references
• CERT TA08-297A
• BID 31874
• IAVM 2008-A-0081
• OVAL OVAL6093
• OVAL (Open Vulnerability and Assessment Language)
• A machine-readable language for describing vulnerability detection methods
• Describes the technical details of vulnerability detection so that automated testing tools can import them and carry out the detection work
• OVAL is expressed in XML and has strict syntax and logic
• CCE
• Describes software configuration defects in a standardized format
• In information security risk assessment, detecting configuration defects is an important part; CCE lets configuration defects be presented in a standard way, making configuration defect assessment quantifiable and actionable
• CPE (the Common Product Enumeration)
• Structured naming and classification scheme for information technology products and systems
• CWE (the Common Weakness Enumeration)
• A dictionary of common vulnerability types; describes the characteristics of the different types (access control, information disclosure, denial of service)
• Security Content Automation Protocol (SCAP)
• SCAP is a framework that collects various security standards
• Six elements: CVE, OVAL, CCE, CPE, CVSS, XCCDF
• Its purpose is to provide a standard method for presenting and operating on security data
• Maintained by NIST
• SCAP mainly solves three problems
• Carrying high-level policies and regulations (such as FISMA and the ISO 27000 series) down to implementation at the lowest layer
• Standardizing the various elements involved in information security (such as unified vulnerability naming and severity measurement)
• Automating the verification of complex system configurations
• SCAP is currently the more mature set of information security evaluation standards in the United States; its ideas of standardization and automation have had a profound impact on the information security industry.
• NVD (National Vulnerability Database)
• The US government's standard vulnerability management data
• Based entirely on the SCAP framework
• Automated vulnerability management, security measurement, compliance requirements
• Contains the following databases
• Security checklists
• Software security vulnerabilities
• Configuration errors
• Product names
• Impact measurement
• https://nvd.nist.gov/
• Periodic vulnerability scanning and tracking
• Prioritize high-risk vulnerabilities
• Scanning considerations
• The three elements of vulnerability management
• Accuracy
• Time
• Resources
NMAP
• nmap scan scripts
• 400+
• Categories
• cat /usr/share/nmap/scripts/script.db
• grep vuln /usr/share/nmap/scripts/script.db | cut -d "\"" -f 2
• cat /usr/share/nmap/scripts/smb-check-vulns.nse
• smb-check-vulns.nse
• nmap -sU -sS --script=smb-check-vulns.nse --script-args=unsafe=1 -p U:137,T:139,445 1.1.1.1
• MS08-067
• smb-vuln-ms10-061.nse
• One of the four vulnerabilities exploited by the Stuxnet worm
• Print Spooler improper permissions: a print request can create a file in a file system directory and execute arbitrary code
• Uses the LANMAN API to enumerate shared printers
• Remote shared printer name
• smb-enum-shares enumerates shares
• Authentication parameters (passed via --script-args): smbuser, smbpassword
• nmap -p445 --script=smb-enum-shares.nse --script-args=smbuser=admin,smbpassword=pass 1.1.1.1
• Windows XP, Server 2003 SP2, Vista, Server 2008, Windows 7
• Factors affecting the scan results
Confirming scan results
• Target system version
• Whether the patch is installed
• Whether the system has already been compromised
• Sometimes it is hard to say what the exact scan result means
• Vulnerabilities should be assessed comprehensively
OpenVAS
• OpenVAS
• A fork of the Nessus project
• Vulnerability management of target systems
• Free and open source
• Installed by default on Kali, but must be configured and started
• OpenVAS Manager
• Controls the scanner and the other components; the central component
• Controls the central database, storing user configuration and scan results
• Clients communicate with it using the OMP protocol, which is stateless and XML-based
• Centralized sorting and filtering so that all clients show consistent results
• OpenVAS Scanner
• Executes the actual Network Vulnerability Tests (NVTs)
• NVTs are updated daily via the feed
• Controlled by the Manager
• OSP Scanner
• Centrally manages multiple scanners
• A set of scanners is managed by the Manager as a single object
• Greenbone Security Assistant (GSA)
• Provides the web service
• OpenVAS CLI
• omp command-line tool, enabling batch control of the Manager
• Changes quickly
• Nearly all the information you find about it is out of date to some degree
• Installation
• Create certificates
• Synchronize the vulnerability database
• Create a client certificate
• Rebuild the database
• Back up the database
• Start the services and load plug-ins
• Create an administrator account
• Create regular user accounts
• Configure the service listening ports
• Verify the installation
• Initial setup
• openvas-setup
• Check the installation result
• openvas-check-setup
• View the current accounts
• openvasmd --list-users
• Change an account password
• openvasmd --user=admin --new-password=Passw0rd
• Upgrade
• openvas-feed-update
• Not a trick, just experience
• vi /usr/bin/openvas-start
• Starting OpenVAS services
• Starting OpenVAS Manager: openvasmd
• Starting OpenVAS Scanner: openvassd
• Starting Greenbone Security Assistant: gsad
• Scan configuration
• Scan Windows
• Scan Linux
• Scan network equipment
• Scan target
• Windows
• Linux
• Router
• Scan task
• Progress
• Report
NESSUS
• Home
• Free
• Professional
• Paid, unlimited concurrent connections
• Download
• http://www.tenable.com/products/nessus/select-your-operating-system
• Installation
• dpkg -i
• Installation path: /opt/nessus
• Start the service
• /etc/init.d/nessusd start
• Management address
• https://127.0.0.1:8834
• Register an activation code
• http://www.tenable.com/products/nessus-home
• Manage accounts
• Update plug-ins
• Basic configuration (Settings)
• Upgrade
• Accounts
• SMTP
• Proxy
• Policies
• Scans
• Scan the local machine
• Scan Windows
• Scan Linux
• Scan network devices
• Scan web servers
• Reports
• Scheduling
NeXpose
• Rapid7
• NeXpose
• A complete implementation of vulnerability management
Scan result analysis
• False positive
• A reported vulnerability that does not actually exist
• False negative
• An existing vulnerability that the scan missed