Venom Academy/Ethical Hacking/Vulnerability Assessment
Now that you have learnt a lot, you can find open ports, services and operating systems. Now you will learn how to look for potential vulnerabilities, this will get us one step closer into compromising our target or victim. There are a number of softwares called vulnerability scanners that do the job of identifying vulnerabilities in a target. Some examples are OpenVAS and Nessus.
Advantages and Disadvantages of Vulnerability scanners
editOne good and excellent thing about vulnerability scanners is that they can automate tasks. You can perform a wide range of tasks just on the scanner, tasks like Reconnaissance, port scanning and more. One bad thing about them is that they leave too many traces behind. They work by leaving a large amount of traffic behind and this is quite lousy for a penetration tester.
Lab exercise
editScanning using Nmap
editmap contains scripts that we can use to our advantage in vulnerability scanning. Even though is contains so many other scripts but in this chapter we will set our focus only on vulnerability scanning. All nmap scripts are written in the Lua programming language and they are stored in this location:
/usr/local/share/nmap/scripts
Nmaps scripts are frequently updated, so you need to keep them up-to-date using the command shown below
nmap --script-updatedb
Now let's perform an example with a vulnerability scanner on nmap, let's scan for the ms08-067-netapi vulnerability, if you don't know what it is, it's just a vulnerability found in windows XP. Nmap has a script called smb-check-vulns which can automatically check for this vulnerability and report the results back. The command syntax is shown below:
nmap --script=smb-check-vulns <target host>
The script output then reports back as vulnerable. But what if we want to test all known vulnerabilities. The full vulnerability scan command syntax is shown below
nmap --script=vuln <target host>
So let's use the script above in an example and let's see the output. Here is the scan and it's output shown below:
root@venom [$]~ nmap --script=vuln 192.168.15.211 Host script results: | smb-check-vulns: |_ms08-067: vulnerable
The example above shows that our target is vulnerable to the ms08-067 exploit