A good vulnerability scan can give you the information you need to make your network resilient to attacks. In this video, you’ll learn how vulnerability scans work and see the results of a vulnerability scan on my network.
<< Previous: Single Point of FailureNext: Penetration Testing >>
As networking and security professionals, we often use vulnerability scans to try to find those systems that might be weak links in our security posture. But remember, a vulnerability scan can be interpreted by others as an offensive attack on computer systems. So it’s important that you always have explicit permission to perform a vulnerability scan. We are identifying new vulnerabilities in operating systems and applications every day.
The National Institute of Standards and Technologies here in the United States has a comprehensive list that it maintains called the National Vulnerability Database and you can find that at nvd.nist.gov. These vulnerabilities can be associated with applications, can be associated with operating systems, with device drivers, or any other executable that might run in an operating system. There are many different kinds of vulnerabilities and no matter what operating system you’re looking at, you will find many different examples of vulnerabilities.
There’s a lot of different kinds of vulnerability scanners out there. You might be someone who just needs a general operating system scanner. Maybe you’re in charge of the security on a web server so you want a vulnerability scanner that really focuses on the web server side. Or maybe your focus is on database servers. Some of the more popular scanners you might see are Nessus, Nikto, Nmap, the SATAN, SAINT, and SARA line of vulnerability scanners.
No matter which scanner you’re using though, you’re always going to find something interesting about the operating system or the software that’s running on your systems. Before you run a vulnerability scan, generally the first thing you do is update the database of the vulnerability scanner. We are obviously seeing new vulnerabilities all the time, so if you’re going to go through the process of scanning a device, it would be good to use the latest information available. Then we scan the device.
Generally the vulnerability scanner is not logging into the device although some scanners allow us to provide some credentials to get a little bit further into the operating system. But generally this is something that’s trying to determine what software is running on this device, and it’s trying to do it as passively as possible. It’s going to look at version numbers of applications. If it does have access to the operating system, it might look at the executable itself and examine the timestamps or even the executable binary itself. The scanner then compares the list of software versions that it has identified with what’s in its database.
And if it happens to find any matches in the database for those specific applications or operating system versions, it will identify these known vulnerabilities. These vulnerability scanners also do a very good job at finding misconfigurations. If you’ve accidentally enabled certain access or not disabled certain guest access, the vulnerability scanner can generally tell you that you’ve made that mistake. The vulnerability scanner then provides you with a report that shows you what’s been scanned, if there were any matches to what it has in its vulnerability database.
It might even put these vulnerabilities in different categories of low, medium, and high. An important thing to remember is not everything the vulnerability scans will be really applicable to what you’re running on that server. Maybe a certain version of a piece of software has a vulnerability, but only if you’re using certain capabilities of that software which you may or may not be doing. The scanner also does not generally try to exploit the vulnerability.
It’s simply identifying a version of software and telling you that the potential is there, that if somebody wanted to take advantage of that vulnerability, they could then attempt an exploit against it. If you wanted to see what would happen if you really did try to exploit that vulnerability, you’ll want to run something like a penetration test which we’ll talk about in another video. Here’s a good example of a vulnerability scanning report. I put my vulnerability scanner which I was running– this is Nessus– and I told it to scan everything on my 192.168.1 network.
And it found a number of devices and it showed me for all of these devices what it was able to find. Port numbers that were open, the protocols that normally run over those port numbers and the services, and then gives me a total number of vulnerabilities that it identified and then it categorized them as high, medium, low, and tells me if any of those ports were open. As I mentioned before, these scanners are never going to be 100% accurate. All they’re doing is comparing a version number with what it has in the database.
The vulnerability scanner generally doesn’t have the context of how you’re using that particular application or that particular part of the operating system, so all it can really do is give you an idea of what it thinks might be a problem with that particular application or that section of the operating system. You also have the challenge that many networks are filtering this kind of traffic. So if you’re coming from the outside of the network through a firewall, you may find that your vulnerability scans are not going to be as accurate as you’d like.
There’s also challenges in keeping up with all of the changes in our operating systems and applications. That’s why we always recommend that you upgrade the vulnerability scanner database before performing any scans to an operating system or an application. And you’re always going to find something that you weren’t expecting to see. Sometimes it’s a misconfiguration that you completely forgot about or maybe an application itself has a vulnerability that you were not informed of and you need to patch that to be able to close a hole with that particular server.
So let’s go back to our report and try to understand more about what we were seeing with this particular vulnerability. If we look at the list, you can see that a number of services were running on this 192.168.1 device. Of all of those services and vulnerabilities that were identified, only one of them turned out to be high. And it was on port 445 running TCP and running the CIFS service.
Well, that’s the Windows file sharing service, so if I drill down into that vulnerability, I get more detail about what this scanner has found. And it says that the Microsoft Windows SMB shares are providing unprivileged access which means that anyone can access these particular shares without any type of username and password. That’s really a misconfiguration on my side because if I look at the output that it was able to find, it was able to list through everything that was on my particular storage device.
So this is a good example of how vulnerability scans can be used not just to find vulnerable versions of software that might be running on your system, but to find examples of where you may have misconfigurations that are allowing more access than you really intended.