Chapter 3

Objective 3.1

Container Scans

  • Purpose: Assess security of containerized applications and environments.
  • Techniques:
    • Sidecar Scans: Utilize a sidecar container to monitor and analyze the security of a main container.
      • Example: A sidecar container running a security tool to check for vulnerabilities in a main application container.

Application Scans

  • Purpose: Identify vulnerabilities in applications at different stages of development and deployment.
  • Techniques:
    • Dynamic Application Security Testing (DAST): Test running applications for vulnerabilities by simulating attacks.
      • Example: Using tools like OWASP ZAP to perform DAST on a web application.
    • Interactive Application Security Testing (IAST): Combine elements of DAST and SAST by monitoring the application from within during runtime.
      • Example: Using tools like Contrast Security to identify vulnerabilities as the application runs.
    • Software Composition Analysis (SCA): Analyze third-party and open-source components for known vulnerabilities.
      • Example: Using tools like Snyk or Black Duck to scan dependencies for vulnerabilities.
    • Static Application Security Testing (SAST): Analyze source code for vulnerabilities without executing the code.
      • Example: Using tools like SonarQube or Checkmarx for static code analysis.
      • Subtypes:
        • Infrastructure as Code (IaC): Analyze infrastructure configuration files (e.g., Terraform, CloudFormation) for security issues.
        • Source Code Analysis: Directly examine the application’s source code to find vulnerabilities.
    • Mobile Scan: Assess mobile applications for security vulnerabilities.
      • Example: Using tools like MobSF to scan Android or iOS applications.

Network Scans

  • Purpose: Identify vulnerabilities in network devices, services, and configurations.
  • Techniques:
    • TCP/UDP Scan: Scan for open TCP and UDP ports to identify services running on the network.
      • Example: Using Nmap to perform TCP/UDP scans on a target network.
        • Command: nmap -sS -sU target_ip
    • Stealth Scans: Use techniques to avoid detection by network security systems while scanning.
      • Example: Using Nmap’s SYN scan (also known as half-open scan), which sends a SYN but never completes the TCP handshake, so many services never log a connection.
        • Command: nmap -sS target_ip

Host-Based Scans

  • Purpose: Identify vulnerabilities on individual hosts (e.g., servers, workstations).
  • Techniques:
    • Agent-based: Install an agent on the host to gather detailed information.
      • Example: Using Nessus agents to perform deep scans on hosts.
    • Agentless: Use network protocols (e.g., SMB, SSH) to gather information without installing software.
      • Example: Using OpenVAS to perform remote scans on hosts.

Authenticated vs. Unauthenticated Scans

  • Authenticated Scans:
    • Purpose: Perform scans with credentials to get deeper insights into vulnerabilities.
    • Benefits: Access to detailed information such as configuration files, installed software, and patches.
    • Example: Running a credentialed Nessus scan to check for missing patches.
  • Unauthenticated Scans:
    • Purpose: Perform scans without credentials, simulating an external attacker.
    • Benefits: Identify vulnerabilities exposed to unauthenticated users.
    • Example: Using Nmap for a network scan without credentials.

Secrets Scanning

  • Purpose: Identify sensitive information such as API keys, passwords, and tokens in source code and configuration files.
  • Techniques:
    • Automated Tools: Use tools specifically designed to find secrets.
      • Example: Using GitGuardian to scan repositories for exposed secrets.
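An added example (not from the original notes or from any tool named here) of how automated secrets scanners find candidates, including the high-entropy approach the TruffleHog entry under Tools mentions: a known-prefix pattern for one key type plus a Shannon-entropy check on long tokens. The sample config text, the AKIA value and the entropy threshold are constructed for illustration.

```python
import math
import re

# Constructed sample config contents (no real credentials): a weak but
# low-entropy password, a prefixed key ID, and a random-looking token.
SAMPLE_CONFIG = """\
db_host = db.internal.example
db_password = password123
AWS_ACCESS_KEY_ID = AKIAEXAMPLEKEY123456
api_token = 9f3Kq7LzX2wPv8RtN4bYc6Hd1JmS5gTu0VaWeZ
log_level = info
"""

# Token-like strings: long runs of base64/URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
# Known-prefix pattern: AWS access key IDs are 'AKIA' plus 16 uppercase/digits.
PATTERNS = {"aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}")}


def shannon_entropy(s):
    """Bits per character; random tokens score far above English-like text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text, entropy_threshold=3.5):
    """Return findings per line: prefix matches first, then high-entropy tokens."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": lineno, "kind": name, "match": m.group()})
        for m in TOKEN_RE.finditer(line):
            tok = m.group()
            if any(f["line"] == lineno and f["match"] == tok for f in findings):
                continue  # already reported by a known-prefix pattern
            ent = shannon_entropy(tok)
            if ent >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy",
                                 "match": tok, "entropy": round(ent, 2)})
    return findings
```

A short, low-entropy value such as password123 is not reported by this check, which is why real scanners also carry wordlists and per-service patterns.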

Wireless Scans

  • Purpose: Assess security of wireless networks.
  • Techniques:
    • SSID Scanning: Identify and list the SSIDs of nearby wireless networks.
      • Example: Using tools like Kismet to scan for SSIDs.
    • Channel Scanning: Identify which channels wireless networks are operating on.
      • Example: Using tools like WiFi Analyzer to scan channels.
    • Signal Strength Scanning: Measure the signal strength of wireless networks to determine proximity and potential interference.
      • Example: Using tools like NetSpot to map signal strength.

Industrial Control Systems (ICS) Vulnerability Assessment

  • Purpose: Identify vulnerabilities in ICS environments, which are critical for industrial operations.
  • Techniques:
    • Manual Assessment: Perform a hands-on review of ICS components and configurations.
      • Example: Conducting a physical and logical assessment of PLCs, SCADA systems, and network configurations.
    • Port Mirroring: Use port mirroring on network switches to capture and analyze ICS traffic without interrupting operations.
      • Example: Setting up port mirroring on a switch to capture ICS traffic for analysis using Wireshark.

Tools

  • Nikto
    • Purpose: Web server scanner.
    • Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6,700 potentially dangerous files or programs, checks for outdated versions of over 1,250 servers, and version-specific problems on over 270 servers.
    • Nikto is widely used by penetration testers, security researchers, and IT professionals to identify vulnerabilities and misconfigurations in web servers.
    • Usage: Identify potential issues in web servers, such as outdated software, misconfigurations, and vulnerabilities.
    • Example: Scanning a web server for common vulnerabilities.
      • Command: nikto -h http://targetwebsite.com
  • Greenbone/OpenVAS
    • Purpose: Vulnerability scanning and management.
    • Greenbone Vulnerability Manager (GVM), often referred to as OpenVAS (Open Vulnerability Assessment System), is an open-source framework for vulnerability scanning and management.
    • OpenVAS is part of the GVM suite and provides comprehensive vulnerability scanning capabilities.
    • It helps organizations identify security issues, misconfigurations, and vulnerabilities in their networks and systems.
    • Usage: Perform comprehensive vulnerability assessments across networks and systems.
    • Example: Using OpenVAS to scan a network for vulnerabilities.
      • Command: openvas-start to start the service, then configure and run scans through the web interface.
  • TruffleHog
    • Purpose: Secrets detection tool.
    • Usage: Scan repositories for high-entropy strings and secrets such as API keys and passwords.
    • Example: Scanning a Git repository for secrets.
      • Command: trufflehog git https://github.com/target/repo
  • BloodHound
    • Purpose: Active Directory (AD) mapping and exploitation tool.
    • Usage: Identify and analyze AD relationships and permissions that could be exploited.
    • Example: Using BloodHound to map AD relationships and identify attack paths.
      • Command: Invoke-BloodHound -CollectionMethod All in PowerShell to collect data, then analyze with the BloodHound interface.
  • Tenable Nessus
    • Purpose: Comprehensive vulnerability scanner.
    • Tenable Nessus is a widely-used commercial vulnerability scanner designed to assess networks, systems, and applications for security vulnerabilities.
    • Developed by Tenable, Nessus offers robust scanning capabilities, ease of use, and comprehensive reporting.
    • It’s popular among security professionals for identifying, prioritizing, and remediating vulnerabilities in IT environments.
    • Usage: Identify vulnerabilities, misconfigurations, and compliance issues across various systems.
    • Example: Running a vulnerability scan on a network.
      • Command: Configure and start scans through the Nessus web interface.
  • PowerSploit
    • Purpose: Post-exploitation framework for PowerShell.
    • PowerSploit is a collection of PowerShell scripts designed for offensive security and post-exploitation purposes.
    • It is widely used by penetration testers and red teamers to perform various tasks such as reconnaissance, exploitation, persistence, and data exfiltration.
    • PowerSploit leverages the capabilities of PowerShell to interact with the Windows operating system and perform complex tasks.
    • Usage: Perform various post-exploitation tasks such as privilege escalation, credential dumping, and persistence.
    • Example: Using PowerSploit to execute a PowerShell script for dumping credentials.
      • Command: Import-Module PowerSploit; Invoke-Mimikatz
  • Grype
    • Purpose: Vulnerability scanner for container images and filesystems.
    • Grype is an open-source vulnerability scanner for container images and filesystems.
    • Developed by Anchore, it is designed to identify vulnerabilities in container images, making it an essential tool for DevOps and security teams to ensure the security of their containerized applications.
    • Usage: Identify known vulnerabilities in container images.
    • Example: Scanning a Docker image for vulnerabilities.
      • Command: grype docker:targetimage
  • Trivy
    • Purpose: Vulnerability scanner for containers, Kubernetes, and other artifacts.
    • Trivy is a comprehensive and easy-to-use open-source vulnerability scanner for container images, filesystems, and repositories.
    • Developed by Aqua Security, Trivy is known for its speed, accuracy, and simplicity.
    • It supports scanning for OS packages and application dependencies, making it a versatile tool for DevSecOps workflows.
    • Usage: Detect vulnerabilities, misconfigurations, and secrets.
    • Example: Scanning a container image for vulnerabilities.
      • Command: trivy image targetimage
  • Kube-hunter
    • Purpose: Kubernetes security tool.
    • Kube-hunter is an open-source tool designed to perform security assessments on Kubernetes clusters.
    • Developed by Aqua Security, it is used to identify security vulnerabilities and misconfigurations in Kubernetes environments.
    • Kube-hunter is particularly useful for penetration testers, security professionals, and Kubernetes administrators looking to enhance the security of their clusters.
    • Usage: Identify and exploit vulnerabilities in Kubernetes clusters.
    • Example: Running a scan to find vulnerabilities in a Kubernetes cluster.
      • Command: kube-hunter --remote targetclusterip

Objective 3.2

Validating Scan, Reconnaissance, and Enumeration Results

  • False Positives
    • Definition: Incorrectly identifying a non-vulnerability as a vulnerability.
    • Example: A scanner flags an outdated software version based on its banner, but the fix was backported and the host is actually patched and secure.
    • Validation: Manually verify the flagged issue to confirm if it’s a real vulnerability.
  • False Negatives
    • Definition: Failing to identify an actual vulnerability.
    • Example: A scanner misses a known SQL injection vulnerability due to misconfiguration.
    • Validation: Cross-check results with other tools or manual testing to ensure comprehensive coverage.
  • True Positives
    • Definition: Correctly identifying a real vulnerability.
    • Example: A scanner detects an open port that is genuinely exposed and vulnerable.
    • Validation: Verify the vulnerability through manual testing or exploitation.
  • Scan Completeness
    • Definition: Ensuring the scan has covered all intended targets and aspects.
    • Example: Verifying all network segments, hosts, and services were scanned.
    • Validation: Review scan logs and reports to ensure no areas were missed.
  • Troubleshooting Scan Configurations
    • Definition: Adjusting scan settings to ensure accurate and complete results.
    • Example: Modifying timeout settings or authentication credentials to ensure thorough scanning.
    • Validation: Perform test scans after configuration changes to verify improved accuracy and completeness.

Public Exploit Selection

  • Purpose: Choosing appropriate publicly available exploits to validate vulnerabilities.
  • Sources: Exploit databases such as Exploit-DB, Metasploit, and GitHub repositories.
  • Example: Selecting a Metasploit module to exploit a detected vulnerability.
    • Command: msfconsole, then search and use the relevant module, e.g., use exploit/windows/smb/ms17_010_eternalblue

Using Scripting to Validate Results

  • Purpose: Automating the validation of scan, reconnaissance, and enumeration results.
  • Scripting Languages: Python, Bash, PowerShell.
  • Examples:
    • Scripts for cross-checking open ports, vulnerable software versions, and open SMB shares.
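An added example (not from the original notes) of the scripted cross-checking described here and of the false positive / false negative validation in the section above: it parses constructed Nmap XML output, compares the open ports against a constructed second scanner's result set, and flags service versions below an assumed internal minimum-version baseline. The hosts, versions, second-scanner findings and baseline are all constructed.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML output (not a real scan): two hosts, three open ports.
NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port></ports></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port></ports></host>
</nmaprun>"""

# Constructed (ip, port) findings from a second scanner, e.g. an OpenVAS export.
SECOND_SCANNER = {("10.0.0.5", 22), ("10.0.0.5", 445), ("10.0.0.5", 3389)}
# Constructed internal minimum-version baseline (a policy value, not an advisory).
MIN_VERSIONS = {"OpenSSH": "8.0"}


def parse_nmap(xml_text):
    """Return {(ip, port): (product, version)} for every open port in the XML."""
    found = {}
    for host in ET.fromstring(xml_text).findall("host"):
        ip = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found[(ip, int(port.get("portid")))] = (attrs.get("product"), attrs.get("version"))
    return found


def cross_check(nmap_results, other_results):
    """Agreement between two tools; disagreements go to manual verification."""
    nmap_keys = set(nmap_results)
    return {
        "confirmed": sorted(nmap_keys & other_results),   # true positive candidates
        "nmap_only": sorted(nmap_keys - other_results),   # possible Nmap false positives
        "other_only": sorted(other_results - nmap_keys),  # possible Nmap false negatives
    }


def version_tuple(v):
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def below_baseline(results, min_versions):
    """Flag services whose reported version is older than the approved minimum."""
    flagged = []
    for key, (product, version) in results.items():
        if product in min_versions and version and (
                version_tuple(version) < version_tuple(min_versions[product])):
            flagged.append((key, product, version))
    return sorted(flagged)
```

Items in nmap_only and other_only are exactly the ones that need the manual validation step from the previous section before they go in a report.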

Objective 3.3

  • Tailgating
    • Definition: Unauthorized entry by following an authorized person.
    • Prevention: Turnstiles, employee training, security guards.
  • Site Surveys
    • Definition: Assessments of physical security measures.
    • Purpose: Identifying vulnerabilities, recommending improvements, ensuring compliance.
  • USB Drops
    • Definition: Malicious USB devices left in conspicuous places.
    • Purpose: Deliver malware, gain access to data/systems.
    • Prevention: Employee education, strict USB policies, disabling USB ports.
  • Badge Cloning
    • Definition: Duplicating access badges.
    • Purpose: Bypassing access controls.
    • Prevention: Secure badge technologies, multi-factor authentication, regular audits.
  • Lock Picking
    • Definition: Manually opening locks without a key.
    • Purpose: Unauthorized access.
    • Prevention: High-security locks, additional security layers, monitoring.