CHAPTER 4
Vulnerability Scanning and Penetration Testing
In this chapter, you will
• Explain penetration testing concepts
• Explain vulnerability scanning concepts
This chapter explores the employment of vulnerability scanning and penetration testing to determine security control effectiveness. These techniques can provide significant insight into the actual effectiveness of a system security solution against actual threats.
Certification Objectives This chapter covers CompTIA Security+ exam objective 1.4, Explain penetration testing concepts, and exam objective 1.5, Explain vulnerability scanning concepts.
Penetration Testing Concepts
A penetration test (or pen test) simulates an attack from a malicious outsider probing your network and systems for a way in (often any way in). Pen tests are often the most aggressive form of security testing and can take on many forms, depending on what is considered “in” or “out” of scope. For example, some pen tests simply seek to find a way into the network—any way in. This can range from an attack across network links, to social engineering, to having a tester physically break into the building. Other pen tests are limited—only attacks across network links are allowed, with no physical attacks.
Regardless of the scope and allowed methods, the goal of a pen test is the same: to determine if an attacker can bypass your security and access your systems. Unlike a vulnerability assessment, which typically just catalogs vulnerabilities, a pen test attempts to exploit vulnerabilities to see how much access that vulnerability allows. Pen tests are very useful in that they
• Can show relationships between a series of “low-risk” items that can be sequentially exploited to gain access (making them a “high-risk” item in the aggregate).
• Can be used to test the training of employees, the effectiveness of your security measures, and the ability of your staff to detect and respond to potential attackers.
• Can often identify and test vulnerabilities that are difficult or even impossible to detect with traditional scanning tools.
EXAM TIP Penetration tests are focused efforts to determine the effectiveness of the security controls used to protect a system.
An effective pen test offers several critical elements. First, it focuses on the most commonly employed threat vectors seen in the current threat environment. Using zero days that no one else has discovered does not help an organization understand its security defenses against the existing threat environment. It is important to mimic real-world attackers if that is what the organization wants to test its defenses against. The second critical element is to focus on the objectives of real-world attackers, such as getting to and stealing intellectual property. Bypassing defenses but not obtaining the attacker’s objectives, again, does not provide a full exercise of security capabilities.
Active Reconnaissance
Reconnaissance is the first step of performing a pen test. The objective of reconnaissance is to obtain an understanding of the system and its components that attackers may want to attack. Pen testers can employ multiple methods to achieve this objective, and in most cases, multiple methods will be employed to ensure good coverage of the systems and the potential vulnerabilities that may be present. There are two classifications for reconnaissance activities, active and passive. Active reconnaissance testing involves tools that actually interact with the network and systems in a manner that their use can be observed. Active reconnaissance can provide a lot of useful information, but you should be aware as a pen tester that its use may alert defenders to the impending attack.
Passive Reconnaissance
Passive reconnaissance is the use of tools that do not provide information to the network or systems under investigation. Using information obtained via Google or other third-party search engines such as Shodan is a prime example. This allows the gathering of information without the actual sending of packets to a system where they could be observed. If a company announces the upgrade or adoption of a particular software package via a PR release, for example, this information can be used to determine potential threat measures to employ.
Passive vs. Active Tools
Tools can be classified as active or passive. Active tools interact with a target system in a fashion where their use can be detected. Scanning a network with Nmap (Network Mapper) is an active act that can be detected. In the case of Nmap, the tool may not be specifically detectable, but its use, the sending of packets, can be detected. When you need to map out your network or look for open services on one or more hosts, a port scanner is probably the most efficient tool for the job. Figure 4-1 shows a screenshot of Zenmap, a cross-platform version of the very popular Nmap port scanner available from Insecure.org.
Figure 4-1 Zenmap—a port scanner based on Nmap
Passive tools are those that do not interact with the system in a manner that would permit detection, as in sending packets or altering traffic. An example of a passive tool is Tripwire, which can detect changes to a file based on hash values. Another passive example is the OS mapping by analyzing TCP/IP traces with a tool such as Wireshark. Passive sensors can use existing traffic to provide data for analysis.
EXAM TIP Passive tools receive traffic only and do nothing to the traffic flow that would permit others to know they are interacting with the network. Active tools modify or send traffic and are thus discoverable by their traffic patterns.
Pivot
Pivoting is a key method used by a pen tester or attacker to move across a network. The first step is the attacker obtaining a presence on a machine, call it Machine A. The attacker then remotely through this machine examines the network again, using Machine A’s IP address. This enables an attacker to see sections of networks that were not observable from their previous position. Performing a pivot is not easy, as the attacker not only must establish access to Machine A, but also must move their tools to Machine A, and control those tools remotely from another machine, all while not being detected. This activity, also referred to as traversing a network, is one place where defenders can observe the attacker’s activity. When an attacker traverses the network, network security monitoring tools will detect the activity as unusual with respect to both the account being utilized and the actual traversing activity.
Initial Exploitation
A key element of a penetration test is the actual exploitation of a vulnerability. Exploiting the vulnerabilities encountered serves two purposes. First, it demonstrates the level of risk that is actually present. Second, it demonstrates the viability of the mechanism of the attack vector. During a pen test, the exploitation activity stops short of destructive activity. The initial exploitation is intended to demonstrate only that a vulnerability is present and exploitable, not that the objective of the pen test is achievable. In many cases, multiple methods, including pivoting (network traversal) and escalation of privilege to perform activities at administrator privilege, are used to achieve the final desired effect.
One key element to remember is that all activities on a system occur using an account, and pen testing is no different. Attackers will attempt to compromise an ordinary or standard user account in their initial exploitation, and then use that account and their tools to perform more attacks to gain access to other systems and accounts.
Persistence
Persistence is one of the key elements of a whole class of attacks referred to as advanced persistent threats (APTs). As covered in Chapter 3, APTs place two elements at the forefront of all activity: invisibility from defenders and persistence. APT actors tend to be very patient and use techniques that make it very difficult to remove them once they have gained a foothold. Persistence can be achieved via a wide range of mechanisms, from agents that beacon back out, to malicious accounts, to vulnerabilities introduced to enable reinfection. Each of these has advantages and disadvantages, but when used together in multiple places, closing all the doors opened by an attacker becomes very difficult.
Escalation of Privilege
Escalation of privilege is the movement from a lower-level account to an account that enables root-level activity. Typically, the attacker uses a normal user account to exploit a vulnerability on a process that is operating at root, enabling the attacker to assume the privileges of the exploited process—at root level. Once this level of privilege is achieved, the attacker takes additional steps to ensure persistent access back to the privileged level. With root access, things like log changes and other changes are possible, expanding the ability of the attacker to achieve their objective and to remove information, particularly logs that could lead to detection of the attack.
Black Box
Black box testing is a software-testing technique that consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Black box techniques test the functionality of the software, usually from an external or user perspective. Testers using black box techniques typically have no knowledge of the internal workings of the software they are testing. They treat the entire software package as a “black box”—they put input in and look at the output. They have no visibility into how the data is processed inside the application, only the output that comes back to them. Test cases for black box testing are typically constructed around intended functionality (what the software is supposed to do) and focus on providing both valid and invalid inputs.
Black box software testing techniques are very useful for examining any web-based application. Web-based applications are typically subjected to a barrage of valid, invalid, malformed, and malicious input from the moment they are exposed to public traffic. By performing black box testing before an application is released, developers can potentially find and correct errors in the development or testing stages.
Black box testing can also be applied to networks or systems. Pen tests and vulnerability assessments are often performed from a purely external perspective, where the testers have no inside knowledge of the network or systems they are examining.
White Box
White box testing is almost the polar opposite of black box testing. Sometimes called clear box testing, white box techniques test the internal structures and processing within an application for bugs, vulnerabilities, and so on. A white box tester will have detailed knowledge of the application they are examining—they’ll develop test cases designed to exercise each path, decision tree, input field, and processing routine of the application.
White box testing is often used to test paths within an application (if X, then go do this; if Y, then go do that), data flows, decision trees, and so on. Sometimes the term “white box testing” is applied to network assessments where the tester will have detailed knowledge of the network, including but not limited to IP addresses, network routes, valid user credentials, and so on. In those cases, the tester is typically referred to as a “white hat.”
Gray Box
So what happens when you mix a bit of black box testing and a bit of white box testing? You get gray box testing. In a gray box test, the testers typically have some knowledge of the software, network, or systems they are testing. For this reason, gray box testing can be very efficient and effective because testers can often quickly eliminate entire testing paths, test cases, and toolsets and can rule out things that simply won’t work and are not worth trying.
EXAM TIP The key difference between black box, gray box, and white box testing is the perspective and knowledge of the tester. Black box testers have no knowledge of the inner workings and perform their tests from an external perspective. White box testers have detailed knowledge of the inner workings and perform their tests from an internal perspective. Gray box testers have partial knowledge.
Pen Testing vs. Vulnerability Scanning
Vulnerability scanning is the scanning of a system for vulnerabilities, whether they are exploitable or not. Penetration testing is the examination of a system for vulnerabilities that can be exploited. The key is exploitation. There may be vulnerabilities in a system, in fact, one of the early steps in penetration testing is the examination for vulnerabilities, but the differentiation comes in the follow-on steps—the examination of the system in terms of exploitability.
Vulnerability Scanning Concepts
One very valuable method that can help administrators secure their systems is vulnerability scanning. Vulnerability scanning is the process of examining your systems and network devices for holes, weaknesses, and issues and finding them before a potential attacker does. Specialized tools called vulnerability scanners are designed to help administrators discover and address vulnerabilities. But there is much more to vulnerability scanning than simply running tools and examining the results—administrators must be able to analyze any discovered vulnerabilities and determine their severity, how to address them if needed, and whether any business processes will be affected by potential fixes. Vulnerability scanning can also help administrators identify common misconfigurations in account setup, patch level, applications, and operating systems. Most organizations look at vulnerability scanning as an ongoing process, as it is not enough to scan systems once and assume they will be secure from that point on.
Passively Test Security Controls
When an automated vulnerability scanner is used to examine a system for vulnerabilities, one of the side effects is the passive testing of the security controls. This is referred to as passive testing because the target of the vulnerability scanner is the system, not the controls. If the security controls are effective, then the vulnerability scan may not properly identify the vulnerability. If the security control prevents a vulnerability from being attacked, then it may not be exploitable.
Identify Vulnerability
Vulnerabilities are known entities; otherwise, the scanners would not have the ability to scan for them. When a scanner finds a vulnerability present in a system, it makes a log of the fact. In the end, an enumeration of the vulnerabilities that were discovered is part of the vulnerability analysis report.
Identify Lack of Security Controls
If a vulnerability is exposed to the vulnerability scanner, then a security control is needed to prevent the vulnerability from being exploited. As vulnerabilities are discovered, the specific environment of each vulnerability is documented. As the security vulnerabilities are all known in advance, the system should have controls in place to protect against exploitation. Part of the function of the vulnerability scan is to learn where controls are missing or are ineffective.
Identify Common Misconfigurations
One source of failure with respect to vulnerabilities is in the misconfiguration of a system. Common misconfigurations include access control failures and failure to protect configuration parameters. Vulnerability scanners can be programmed to test for these specific conditions and report on them.
Intrusive vs. Non-intrusive
Vulnerability scanners need a method of detecting whether or not a vulnerability is present and exploitable. One method is to perform a test that changes the system state, an intrusive test. The other method is to perform a test in a manner that does not directly interact with the specific vulnerability. This non-intrusive method can be significantly less accurate in the actual determination of a vulnerability. If a vulnerability scan is going to involve a lot of checks, the non-intrusive method can be advantageous, as the servers may not have to be rebooted all the time.
Credentialed vs. Non-credentialed
A vulnerability scanner can be programmed with the credentials of a system, giving it the same access as an authorized user. This is assumed to be easier than running the same tests without credentials, widely considered to be a more real-world attempt. It is important to run both, for if an attacker is able to compromise an account, they may well have insider credentials. Credentialed scans will be more accurate in determining whether the vulnerabilities exist, as they are not encumbered by access controls. Non-credentialed scans demonstrate what the system may be vulnerable to against an outside attacker without access to a user account.
EXAM TIP Understanding how to recognize credentialed vs. non-credentialed scans is testable on the exam. Little scenario details can make the difference between correct and incorrect—watch for the details.
False Positive
Tools are not perfect. Sometimes they will erroneously report things as an issue when they really are not a problem—and other times they won’t report an issue at all. A false positive is an incorrect finding—something that is incorrectly reported as a vulnerability. The scanner tells you there is a problem when in reality nothing is wrong. A false negative is when the scanner fails to report a vulnerability that actually does exist—the scanner simply missed the problem or didn’t report it as a problem.
EXAM TIP False positive and false negative are terms used in several contexts. Understanding the difference is important to get exam questions correct. For a given question, one needs to have an understanding of the expected answer for a test. If they get a positive result as an answer, but if in reality this result is wrong, that is a false positive. If a woman takes a pregnancy test and it returns a positive result, but the woman in fact is not pregnant, that is a false positive.
Chapter Review
In this chapter, you learned about penetration testing and vulnerability scanning. Under the topic of penetration testing, you explored the concepts of active and passive reconnaissance, the pivot operation, and the initial exploitation, followed by escalation of privilege and persistence. Black box, white box, and gray box testing were also covered. The vulnerability scanning coverage introduced you to passive scanning, followed by the identification of vulnerabilities, lack of security controls, and common misconfigurations. It examined intrusive versus non-intrusive scans, credentialed versus non-credentialed scans, and finished with false positives.
Questions
To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.
1. You’ve been asked to perform an assessment of a new software application. Your client wants you to perform the assessment without providing you any information about how the software was developed or how data is processed by the application. This is an example of what type of testing?
A. White box testing
B. Passive testing
C. Black box testing
D. Active testing
2. While examining log files on a compromised Linux system, you notice an unprivileged user account was compromised, followed by several processes crashing and restarting, and finally the shadow file was accessed and modified. Which of the following techniques might the attacker have used?
A. Active scanning
B. Escalation of privilege
C. Passive scanning
D. Credentialed attack
3. While running a vulnerability scanner against a Windows 2016 server, the tool reports the server may be affected by an offset2lib patch vulnerability. You find this odd because the offset2lib patch vulnerability only applies to Linux-based systems. Your vulnerability scanner has most likely reported which of the following?
A. System misconfiguration
B. Overflow finding
C. Actual negative
D. False positive
4. While responding to a security incident, your team examines network traffic logs. You see incoming connections to a web server in the DMZ. Several hours later in the same traffic logs you see connections from the web server to other systems in the DMZ as well as internal systems. This is an example of what type of technique?
A. Buffer overflow
B. SQL injection
C. Passive injection
D. Pivoting
5. You’ve been asked to examine network traffic for evidence of compromise. You have 1TB of tcpdump logs to review. Which of the following tools would you use to examine these logs?
A. Nmap
B. Zenmap
C. Wireshark
D. Nessus
6. A colleague calls you to ask for assistance. He is having trouble keeping an attacker out of his network. He tells you no matter what he tries, he can’t seem to keep the attacker out of his network and he has no idea how the attacker keeps getting in. This is an example of what kind of attack?
A. Gray box attack
B. Whack-a-mole attack
C. Advanced persistent threat
D. Privilege escalation
7. Your network traffic logs show a large spike in traffic to your DNS server. Looking at the logs, you see a large number of TCP connection attempts from a single IP address. The destination port of the TCP connections seems to increment by one with each new connection attempt. This is most likely an example of what activity?
A. Active reconnaissance
B. Passive reconnaissance
C. Buffer overflow
D. Initial exploitation
8. You’ve been asked to examine a custom web application your company is developing. You will have access to design documents, data structure descriptions, data flow diagrams, and any other details about the application you think would be useful. This is an example of what type of testing?
A. Active testing
B. White box testing
C. Gray box testing
D. Active testing
9. You are attempting to perform an external vulnerability assessment for a client, but your source IP addresses keep getting blocked every time you attempt to run a vulnerability scan. The client confirms this is “as expected” behavior. You aren’t able to scan for vulnerabilities, but you have been able to do which of the following?
A. Identify vulnerability controls
B. Identify common misconfigurations
C. Passively test security controls
D. All of the above
10. What is the main difference between a credentialed and non-credentialed vulnerability scan?
A. A credentialed scan is performed by a certified professional.
B. A credentialed scan is performed with a valid userid/password.
C. A non-credentialed scan uses passive techniques.
D. A non-credentialed scan will identify more vulnerabilities.
11. While validating a vulnerability, your colleague changes the password of the administrator account on the Windows Server she is examining (as proof of success). This is an example of what type of testing?
A. Intrusive testing
B. Credentialed testing
C. Passive testing
D. Security control testing
12. A colleague shows you a scanning report indicating your web server is not vulnerable to the Heartbleed bug. You know this isn’t true as you’ve personally verified that web server is vulnerable. You believe the scanner used to examine your web server is reporting which of the following?
A. Common misconfiguration
B. False positive
C. False negative
D. SSL mismatch
13. Which of the following would be an example of initial exploitation?
A. Scanning a network using Nmap
B. Using a SQL injection attack to successfully bypass a login prompt
C. Using cracked credentials to delete customer data
D. Installing a backdoor to provide future access if needed
14. Which of the following is a passive tool?
A. Tripwire
B. Nmap
C. Zenmap
D. Nessus
15. What is the primary difference between penetration tests and vulnerability scans?
A. Penetration tests use active tools.
B. Vulnerability scans are performed from internal and external perspectives.
C. Penetration tests exploit discovered vulnerabilities.
D. Vulnerability scans never use credentials.
Answers
1. C. Black box testing is performed with no knowledge of the internal workings of the software being tested. The application is treated as a “black box”—the tester cannot see what’s inside the box.
2. B. Escalation of privilege is the movement to an account that enables root-level activity. Typically, the attacker uses a normal user account to exploit a vulnerability on a process that is operating at root, enabling the attacker to assume the privileges of the exploited process—at root level. With root-level access, the attacker was able to access and modify the shadow file.
3. D. A false positive is the erroneous reporting of an issue when none really exists. In this case the scanner incorrectly identified the presence of a Linux-specific vulnerability on a Windows system.
4. D. This is an example of pivoting. Pivoting occurs when an attacker gains access to a system and then uses that system to scan/attack other systems on the same network.
5. C. Wireshark is a network protocol analyzer used for capturing and examining network traffic. Nmap and Zenmap are port scanners. Nessus is a vulnerability scanner.
6. C. This is most likely persistence efforts from an advanced persistent threat (APT). APTs typically try to avoid detection and employ methods that provide them with continued access to compromised systems.
7. A. This is most likely an example of active reconnaissance. This particular traffic would be indicative of a TCP port scanning attempt where the attacker is probing the system for any open TCP ports.
8. B. This is an example of white box testing. In white box testing, the tester has access to detailed knowledge of the things they are examining, whether it’s an application, host, or network.
9. C. If your source IP addresses are blocked every time you attempt a vulnerability scan, you’ve successfully done a passive test of the client’s security controls. Your goal was to test for vulnerabilities, but the side effect of your testing validated the client’s security controls were working as intended.
10. B. A credentialed scan is performed with a valid set of user credentials. Credentialed scans are performed with “valid user” access and have the potential to identify vulnerabilities inside an application or environment.
11. A. This is an example of intrusive testing. Intrusive testing to validate a vulnerability involves exploiting the vulnerability and then making changes to the tested item to prove the vulnerability is present and exploitable. In this case, changing the administrator password proves your colleague could exploit the vulnerability she found.
12. C. A false negative is when the scanner fails to report a vulnerability that actually does exist—the scanner simply missed the problem or didn’t report it as a problem.
13. B. Using a SQL injection attack to successfully bypass a login prompt is an example of initial exploitation. The vulnerability was identified and exploited, but no further action was taken. This proves the existence of the vulnerability and demonstrates the risk associated with the vulnerability.
14. A. Tripwire is the only passive tool listed. Tripwire detects changes to files based on hash values. Nmap and Zenmap are active tools that generate and send packets to systems being examined. Nessus is a vulnerability scanning tool.
15. C. Penetration testing is the examination of a system for vulnerabilities that can be exploited. The key is exploitation. There may be vulnerabilities in a system, in fact, one of the early steps in penetration testing is the examination for vulnerabilities, but the differentiation comes in the follow-on steps—the examination of the system in terms of exploitability. Discovered vulnerabilities are exploited during penetration testing.