LPTv4 module 17 vulnerability analysis


ECSA/LPT
EC-Council
Module XVII: Vulnerability Analysis
Penetration Testing Roadmap
(Roadmap diagram, in order)
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont’d
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont’d)
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Blue Tooth and Hand held Device Penetration Testing
Telecommunication And Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
Why Assess?
Before starting a penetration test, you must identify vulnerabilities against network systems using a vulnerability scanner.
Produce and analyze the vulnerability assessment report.
Identify areas where penetration is possible.
Locate hacking tools.
Attempt to penetrate.
Vulnerability Classification
Misconfigurations
Default installations
Buffer Overflows
Unpatched servers
Default passwords
Open services
Application flaws
Operating systems flaws
Design flaws
What is Vulnerability Assessment?
Vulnerability assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
A vulnerability assessment may be used to:
• Identify weaknesses that could be exploited.
• Predict the effectiveness of additional security measures in protecting information resources from attack.
Types of Vulnerability Assessment
An Active Assessment scans the network using any network scanner to find hosts, services, and vulnerabilities.
A Passive Assessment is a technique that sniffs the network traffic to find out active systems, network services, applications, and vulnerabilities present.
A Host-based Assessment is a sort of security check that carries out a configuration level test through command line.
An Internal Assessment is a technique to scan the internal infrastructure to find out the exploits and vulnerabilities.
Types of Vulnerability Assessment (cont’d)
An External Assessment assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world.
Application Assessments test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.
Network Assessments determine the possible network security attacks that may occur on the organization's system.
Wireless Network Assessments determine and track all the wireless networks prevalent at the client’s site.
How to Conduct a Vulnerability Assessment
Use vulnerability assessment tools.
Check for misconfigured web servers, mail servers, firewalls, etc.
Search the web for postings about the company’s vulnerabilities:
• Example: A hacker would post something like “I could not believe the XSECURITY’s website had serious SQL injection flaws! Oh my God!”
Search underground websites for more postings about the company’s vulnerabilities.
Hackers frequently exchange attack information with one another.
How to Obtain a High Quality Vulnerability Assessment
Select the adviser carefully:
• Check if he/she has good experience with various applications and operating systems
• Check if he/she has a good understanding of the core protocols
• Check if he/she has an idea of the detection techniques
• Check if he/she has good communication skills and has the ability to offer proper mitigation recommendations
Define the scope of the vulnerability assessment
Define the rules that will manage the assessment
Classify the vulnerabilities that need instant notification
Vulnerability Assessment Phases
(Diagram) Pre-Assessment Phase → Assessment Phase → Post-Assessment Phase; labels shown in the diagram: Term of References; Findings and Recommendation.
Pre-Assessment Phase
Describes the scope of the assessment
Creates proper information protection procedures such as effective planning, scheduling, coordination, and logistics
Identifies and ranks the critical assets
Assessment Phase
The assessment phase contains the following elements:
• Examines the network architecture
• Evaluates the threat environment
• Allows penetration testing
• Examines and evaluates physical security
• Performs a physical asset analysis
• Observes policies and procedures
• Conducts an impact analysis
• Performs a risk characterization
Post-Assessment Phase
The post-assessment phase involves:
• Prioritizing assessment recommendations.
• Providing action plan development to implement the proposed recommendation.
• Capturing lessons that are learned to improve the complete process in the future.
• Conducting training.
Vulnerability Analysis Stages
Vulnerability analysis refers to identifying areas where vulnerability exists.
Perform vulnerability analysis and list the areas that need testing and penetration.
Vulnerability penetration capabilities can be broken down into three steps:
• Locating nodes
• Performing service discoveries on them
• Testing those services for known security holes
Comparing Approaches to Vulnerability Assessment
Product-based versus service-based assessment solutions
Product-based solutions:
• They are installed in the organization’s internal network
• They are installed in private or non-routable, or Internet addressable portion of an organization’s network
• If it is installed in the private network, or in other words behind the firewall, it cannot always detect outside attacks
Service-based solutions:
• They are offered by third party, such as auditing firms or security consultant firms
• Some of the solutions are hosted inside the network and others are hosted outside the network
Comparing Approaches to Vulnerability Assessment (cont’d)
Tree-based versus inference-based assessment
Tree-based assessment:
• In a tree-based assessment, the administrator selects the tree appropriate for each machine.
• For example, the administrator selects trees for a server running Windows, databases, and web services.
• This approach relies on the administrator to provide a starting shot of intelligence and then to start scanning continuously without incorporating any information found at the time of scanning.
Inference-based assessment:
• In an inference-based assessment, scanning starts by building an inventory of protocols found on the machine.
• After finding a protocol, the scanning process starts to detect which ports are attached to the service, such as an email server, web, or database server.
• After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
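As an added illustration of the tree-based versus inference-based distinction above (example code, not part of the EC-Council module): the check catalogue, tree definitions, check names and service banners are all constructed, and the banner-to-service mapping is a deliberately simple substring match. It shows why the tree-based run exercises checks for services that are not listening and misses one that is.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str      # hypothetical check identifier, not a real scanner plugin
    service: str   # service the check is relevant to


# Constructed check catalogue, grouped by the service each check exercises.
CATALOGUE = [
    Check("smb-signing-disabled", "smb"),
    Check("http-default-content", "http"),
    Check("http-outdated-server", "http"),
    Check("mssql-blank-sa", "mssql"),
    Check("mysql-anon-login", "mysql"),
    Check("ssh-weak-kex", "ssh"),
]

# Constructed "trees": the administrator picks these per machine up front.
TREES = {
    "windows": {"smb", "http", "mssql"},
    "databases": {"mssql", "mysql"},
    "web": {"http"},
}

# Constructed banners observed on one host during scanning, keyed by port.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_4.3",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3",
    3306: "5.0.45-community MySQL Community Server",
}


def tree_based(selected_trees):
    """Tree-based: run every check in the chosen trees, listening or not."""
    services = set().union(*(TREES[t] for t in selected_trees))
    return [c.name for c in CATALOGUE if c.service in services]


def infer_service(banner):
    """Map an observed banner to a service name; None if nothing is recognised."""
    b = banner.lower()
    for marker, service in (("ssh-", "ssh"), ("http/", "http"),
                            ("mysql", "mysql"), ("microsoft sql", "mssql")):
        if marker in b:
            return service
    return None


def inference_based(banners):
    """Inference-based: build the inventory from banners, then run only relevant checks."""
    inventory = {infer_service(b) for b in banners.values()} - {None}
    return [c.name for c in CATALOGUE if c.service in inventory]
```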
Characteristics of a Good Vulnerability Assessment Solution
Ensures correct outcomes by testing network, network resources, ports, protocols, and operating systems
Uses well-organized inference-based approach for testing
Automatic scan against continuously updated database
Creates brief, actionable, customizable reports, including report of vulnerabilities by severity level and trend analysis
Supports various networks
Gives tested remedies and workarounds to correct vulnerabilities
Vulnerability Assessment Considerations
What parts of the organization will be included?
How much (if not all) of the network will be reviewed?
How many people will be consulted?
How many people will be working on the project?
Vulnerability Assessment Reports
The report consists of a description of the vulnerabilities.
Information available in the reports is used to fix security flaws.
Vulnerability Report Model
(Diagram) Vulnerability Report (ScanAlert) with the sections Scan Information, Target Information, and Results. Labels appearing in the diagram: Tool (name, version), Scanner, Node, OS, Date, Name, URL, Site, Summary, Services, Assessment, Security Risk, Vulnerability, Classification.
Timeline
A typical vulnerability assessment can take as long as 12 weeks.
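An added example, not part of the module, that assembles a report with the three sections sketched in the model above and adds the two report features named under the characteristics of a good solution: a count of vulnerabilities by severity level and a trend comparison between two assessments of the same target. The assignment of fields to sections, the field names, and all findings, dates and hosts are constructed assumptions.

```python
from collections import Counter

# Severity levels in report order (assumed; the module does not fix a scale).
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def build_report(scan_info, target_info, findings):
    """Assemble the three sections; results are ordered by severity, then name."""
    results = sorted(findings, key=lambda f: (SEVERITY_ORDER[f["risk"]], f["name"]))
    return {"scan_information": scan_info,
            "target_information": target_info,
            "results": results}


def severity_summary(report):
    """Number of findings per severity level, highest first (zero levels included)."""
    counts = Counter(f["risk"] for f in report["results"])
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def trend(previous, current):
    """Compare two reports on the same target by vulnerability name."""
    prev = {f["name"] for f in previous["results"]}
    curr = {f["name"] for f in current["results"]}
    return {"new": sorted(curr - prev),
            "fixed": sorted(prev - curr),
            "persisting": sorted(prev & curr)}


# Constructed scan and target details (placeholders, not real systems).
SCAN_INFO = {"tool": "example-scanner", "version": "1.0", "scanner": "scan-host-1"}
TARGET_INFO = {"node": "10.0.0.5", "os": "Windows Server 2003",
               "url": "http://www.example.com", "services": ["http", "smb"]}

# Constructed findings from two assessments of the same target, one week apart.
FINDINGS_WEEK1 = [
    {"name": "SQL injection in login form", "classification": "application flaw",
     "risk": "high", "summary": "Login form passes input unfiltered to the database"},
    {"name": "Default SMB share exposed", "classification": "misconfiguration",
     "risk": "medium", "summary": "Administrative share readable by all domain users"},
    {"name": "Server banner disclosure", "classification": "misconfiguration",
     "risk": "low", "summary": "Web server reveals its exact version"},
]
FINDINGS_WEEK2 = [
    {"name": "Default SMB share exposed", "classification": "misconfiguration",
     "risk": "medium", "summary": "Administrative share readable by all domain users"},
    {"name": "Default administrator password", "classification": "default password",
     "risk": "high", "summary": "Vendor default credentials accepted on management console"},
]

WEEK1 = build_report(dict(SCAN_INFO, date="2009-01-05"), TARGET_INFO, FINDINGS_WEEK1)
WEEK2 = build_report(dict(SCAN_INFO, date="2009-01-12"), TARGET_INFO, FINDINGS_WEEK2)
```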
Penetration Attempts
(Diagram) Start → Vulnerability assessment → Analyze Vulnerability Assessment Report → Identify areas of vulnerability assessment → Locate hacking tools → Penetration Attempts
Types of Vulnerability Assessment Tools
Host-based vulnerability assessment tools:
• A host-based vulnerability assessment tool finds and identifies the OS running on a particular host computer and tests it for known deficiencies
• Searches for common applications and services
Application-layer vulnerability assessment tools:
• Application-layer vulnerability assessment tools are directed toward web servers or databases
Types of Vulnerability Assessment Tools (cont’d)
Scope assessment tools:
• They provide security to the IT system by testing for vulnerabilities in the applications and OS
Depth assessment tools:
• These tools find and identify previously unknown vulnerabilities in a system
• Such types of tools include ‘fuzzers’