Vulnerability scans can provide you with a wealth of information about your network security. In this video, you’ll learn about different scan types, how to identify vulnerabilities, and how to interpret scan results.
Vulnerability scanning is something that is generally a passive test. We’re not connecting to a device and trying to log into that device or take advantage of a vulnerability that might be on that device. Instead, we’re doing everything from the outside. A good example of this might be something like a port scan, where we’re not logging into the device, we’re simply sending one message to the device to see if we can get one single response back.
There’s no authentication. We’re not using any particular application. We’re just looking to see what’s accessible on that machine. This, of course, will help us understand what devices might be on our network. And if we’re communicating across a distance, we may be able to tell if there’s any security devices between us and the destination station. This is often a test that we think about running from the outside so we can tell what ports might be shown to the public world over the internet.
But if you run these tests on the inside, you can also get a very interesting perspective of what devices are on your network and how open they might be to everybody who’s on the inside of your network. These vulnerability scans allow us to gather a lot of information. And as you’re running it, there will be a lot of details in the logs.
The important part is to store as much as you can. And later on, you’ll be able to go through all of the information to try to understand exactly what you saw during the scan. The scanning software and hardware that we use on today’s network is extremely powerful. It uses a lot of different techniques to be able to see what’s happening on a system. Generally, with a vulnerability scan, we’re performing non-intrusive scans.
We’re simply gathering information. We aren’t actively trying to log in or exploit a vulnerability. There are also scanners that can perform intrusive scans, where you ask it to log into an operating system by giving it a username and password just to see what it’s able to do. Or you tell it to try to take advantage of a known vulnerability to see if that particular device might be susceptible.
Usually, these scanners can be configured not to use any type of credential. Just assume we are a stranger from the outside with no special access to a system, just to see how far we can get with these types of scans. The credentialed scans might give you a little more detail, because you’re actively logging onto a computer. And then from the inside of that computer, you’re examining, for instance, how many patches have been installed on that particular operating system.
It’s all of these different options that give you a lot of control when you begin doing vulnerability scans. Let’s run a vulnerability scan on my network and see what we can find. I’m using a product called Nessus Home, which is a free tool that you can use for doing home type scans. I’m going to perform a new scan. And I’m just going to tell it this is a test scan.
No description, and the targets on my network I’m going to tell it to use the entire range of the network that I have running, which is 10.1.10.1 through 10.1.10.254. That looks good. Let’s launch it.
And at this point, behind the scenes, the scan is taking place. We can drill down on it to see what it is able to find during the scanning session. What information and devices are now appearing on my network? And then are there any vulnerabilities associated with the devices on my network?
And you can see it’s actively going through the network, actively scanning for different port numbers, and identifying not just the IP addresses of those devices, but just how many vulnerabilities may exist on those devices themselves. Now that this scan has been running for a while, we can see all of the different IP addresses that are on my internal network.
And most of the vulnerabilities that have been identified are these blue informational vulnerabilities. But you can see a number of devices have low, medium, or even high vulnerabilities associated with them. If we drill down into a device, we can, for instance, see a number of these that have been identified. And we can drill down on those. Let’s do one that says, the SSL certificate cannot be trusted.
It explains what this vulnerability happens to be and how we should be concerned about how the configuration of this device is set up, especially as it relates to the SSL certificates on this device. So by simply clicking a button and giving an IP address range, we’re able to gather a lot of information on where possible problems might be with the security of our network.
As you can see, the scanner is looking for a lot of information. But it can only find the things that it knows about. And a scanner generally has a database of signatures that it knows to look for in these different devices and operating systems. Generally, these scanners will have an update process so that you can have the latest signatures in your vulnerability scanner.
Almost all of these vulnerabilities can be listed and categorized online. The National Institute of Standards and Technology has a great database at nvd.nist.gov. And if you go to Microsoft’s website, they always keep a list of all of the Microsoft Security bulletins, along with a lot of technical details that can give you some history and some insight into the severities of these vulnerabilities.
Sometimes the scanner will give you a very generic response, saying that there may be a particular kind of vulnerability. So it’s still up to you to do the final checks to make sure that what the scanner is telling you is really accurate for that computer. The scanner is at least going to give you a heads up and let you know that a problem may exist.
But ultimately, it’s up to you to really make the final determination. The results of the vulnerability scan can give you a lot of work to do. You may have a notice that there is a lack of security controls. Maybe they were supposed to be filtering to a device. And yet you’re still able to access certain port numbers on that machine.
That means that your firewall may not be configured properly. Or maybe there’s no antivirus or anti-malware running on that device. Maybe it’s something like a simple misconfiguration. Maybe somebody meant to configure a share, but they didn’t assign the right permissions to that share. Now you have access to those through the scanner.
Or maybe somebody enabled guest access. And normally guest access should be turned off. And of course, the scanner may find some true vulnerabilities with an application or an operating system. Especially if you haven’t patched lately, you’ll find a lot of the new vulnerabilities, and these scanners will give you a notice that it’s time to update your system.
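The missing-control check described above (a port that was supposed to be filtered but is still reachable), as an added example that is not part of the original video: it compares the open ports a scan reported against an intended exposure policy. The policy table, the `audit` and `allowed_ports` names, and the host and port values are constructed for illustration, using the 10.1.10.x range from the walkthrough.

```python
from ipaddress import ip_address, ip_network

# Constructed sample scan output: (host, open TCP port) pairs.
OBSERVED = [
    ("10.1.10.1", 443),
    ("10.1.10.20", 22),
    ("10.1.10.20", 445),
    ("10.1.10.35", 3389),
    ("10.1.10.35", 443),
    ("10.1.10.77", 80),
]

# Hypothetical intended policy: ports each host or subnet may expose.
POLICY = {
    "10.1.10.1/32": {443},
    "10.1.10.20/32": {22},
    "10.1.10.32/28": {443},
}


def allowed_ports(host, policy):
    """Return the permitted port set for host, or None if no entry covers it.

    When several entries match, the most specific (longest prefix) wins.
    """
    addr = ip_address(host)
    matches = [(ip_network(net), ports) for net, ports in policy.items()
               if addr in ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(observed, policy):
    """List (host, port, reason) for every observed port the policy forbids."""
    findings = []
    ordered = sorted(observed, key=lambda r: (ip_address(r[0]), r[1]))
    for host, port in ordered:
        ports = allowed_ports(host, policy)
        if ports is None:
            findings.append((host, port, "unknown host"))
        elif port not in ports:
            findings.append((host, port, "port not permitted"))
    return findings


if __name__ == "__main__":
    for host, port, reason in audit(OBSERVED, POLICY):
        print(f"{host}:{port} -> {reason}")
```

Each finding is a lead to check on the device itself: the open port may point to a firewall rule that was never applied, or to a policy table that is out of date.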
If you are going through the results of your vulnerability scan and you notice some of the information is not quite correct, you may have run into a false positive. A false positive is when you have a scanner identify a vulnerability. But in reality, that device truly is not vulnerable to that particular issue.
A false positive is something that absolutely does not exist on this computer. That’s a little different than a vulnerability that has a low severity. A low severity might be something like an open port number. Well, obviously, every open port number may not necessarily be a big problem. But it’s still an open port number. It still exists. It’s just at a lower priority or a lower severity than perhaps something like a buffer overflow in an operating system.
So don’t confuse a low severity type of problem with an actual false positive. The reverse of this is a false negative. That’s when a device does have a vulnerability but you ran your virus scan and you ran your vulnerability scan and nothing was identified as being a vulnerability. This is almost worse than a false positive.
A false positive, at least we can look at the machine and determine that that was incorrect. But a false negative is something that we’ll never know is there because we’ve scanned and got no results from it. The goal with both false positives and false negatives is to make sure that you update to the latest signatures. These scanners can only scan for what they know about. And the signature update is a critical part for ensuring we’re able to see as much as possible on those devices.
And ultimately, you may need to talk to the manufacturer of your vulnerability scanner and let them know what you’re seeing. They may not have seen the type of environment you’re running. And they’d be able to create a signature that’s able to solve either the false positive or the false negative issue in your environment. And at the same time, you’re probably going to be helping everybody else who has a similar configuration on their network.