Vulnerability scanning is the process of identifying and analyzing critical security weaknesses in the target environment; it is sometimes called vulnerability assessment. It is one of the main tasks of a testing programme, and with its help you can analyze every element of IT infrastructure security management.
Vulnerabilities are scanned after we have detected, collected and listed information about the target system's infrastructure. The information obtained by scanning the system for vulnerabilities can lead to compromise of the target system and violation of its integrity and confidentiality.
In this chapter, we will discuss two common types of vulnerabilities and present different standards for their classification. We will also consider some well-known vulnerability assessment tools provided by the Kali Linux operating system. The following topics are presented:
- Concepts of two common types of vulnerabilities: local and remote.
- Vulnerability classification, indicating an industry standard that can be used to systematize any vulnerability and distribute it according to specific attributes.
- Getting acquainted with several tools for finding and analyzing vulnerabilities present in the target environment. The tools presented are grouped by their main security assessment function and include Nessus, Cisco, SMB, SNMP and web application analysis tools.
Note that regardless of whether we are testing an external or internal network, manual and automated vulnerability assessment procedures should be used equally. If we rely only on automated scanning, we can get many false positives and false negatives. The theoretical preparation of the penetration tester, and how well the tester knows the tools with which the test will be performed, are also very important. The auditor constantly needs to improve his knowledge and skills.
One more very important point: automated vulnerability assessment is not the final answer. There are situations in which automated tools cannot detect logical errors, hidden vulnerabilities, unpublished software vulnerabilities and human factors affecting security. Therefore, it is recommended to use a comprehensive approach involving both automated and manual methods of vulnerability assessment. This increases the success rate of penetration tests and provides the most objective information for remediation.
A laptop or desktop computer with at least 6 GB of RAM, a quad-core processor and 500 GB of disk space. As the operating system we use Kali Linux 2018.2 or 2018.3 (as a virtual machine, or installed on a hard disk, SD card or USB stick).
There are three main categories of vulnerabilities, each of which can in turn be divided into local and remote ones: vulnerabilities introduced during software design, software implementation errors, and vulnerabilities that arise during the operation (exploitation) of the system.
- Design (development) vulnerabilities – caused by shortcomings in the software specification.
- Implementation (installation) vulnerabilities – technical security bugs found in the system's code.
- Operational (application) vulnerabilities – arising from incorrect configuration and deployment of the system in the target environment.
Across these three classes there are two general types of vulnerability, local and remote, which can appear in any of the categories described.
If an attacker who already has access to a system gains further access by executing a piece of code on it, this is called a local vulnerability. By taking advantage of such a vulnerability, the attacker can raise his access rights and gain unrestricted access to the computer.
Consider an example where an attacker, Bob, has local access to a system running Windows Server 2008 (32-bit x86 platform). His access was restricted by the administrator when the security policy was implemented, and as a result Bob was unable to use a specific application. Eventually, Bob discovered that with the help of a malicious piece of code he could gain access to the computer at the system or kernel level. Taking advantage of a well-known vulnerability (e.g. CVE-2013-0232, GP Trap Handler nt!KiTrap0D), he raised his access rights, which allowed him to perform all administrative tasks and gain unrestricted access to the application. This clearly shows how an attacker takes advantage of a vulnerability to gain unauthorized access to a system.
A remote vulnerability is a state in which an attacker has no access yet but can obtain it by running malicious code over the network. This type of vulnerability allows an attacker to access a computer remotely, without any physical or local barriers.
For example, Bob and Alice are connected to the Internet from different devices. They have different IP addresses and live in different places. Let's assume that Alice's computer runs Windows XP and contains secret biotech information, and that Bob knows the IP address of Alice's machine and which operating system is installed on it. Bob is looking for a way to access Alice's computer remotely. He eventually learns that the MS08-067 vulnerability in the Windows Server service can easily be exploited remotely on a computer running Windows XP. He then launches an exploit against Alice's computer and gains full access to the machine.
As the number of available technologies has grown in recent years, various attempts have been made to introduce a convenient classification covering all possible vulnerabilities. However, not all common coding errors that can affect system security can be classified, because a single vulnerability may belong to several categories or classes. In addition, each system platform has its own vulnerability database, its own extension mechanisms and, as a result, complex interactions with the external environment.
In the following table we present the taxonomy standards (classification and systematization schemes) that will help you identify the most common security failures. Note: almost all of these standards are already implemented in a number of security assessment tools, which allow you to study software security problems in real time.
The main function of each of these security standards (taxonomies) is to systematize vulnerability categories and classes that security professionals and software developers can use to identify specific bugs. Please note: no such security standard can be considered accurate and complete.
Automatic vulnerability scanning
Penetration testers are very cautious about automated vulnerability scanning and sometimes dismiss it as cheating. However, when time is short, automated vulnerability scanners can gather a great deal of information about the target network.
Tenable's Nessus was developed two decades ago and remains a very popular vulnerability assessment tool. Nessus is sold as an annual subscription; however, the good people at Tenable have released the seventh version of Nessus Professional and offer a trial version to anyone who wants to get acquainted with it.
Before installing it you need to know which version of Kali Linux is installed on your computer; this will help you download the version of Nessus that will work seamlessly with your operating system. To find out, type uname -a at the command line of your terminal (Fig. 6.1).
Installation of the Nessus vulnerability scanner
To install Nessus in Kali Linux, open your browser and go to
The trial version comes with all the features of the full version, except that it is restricted to 16 IP addresses.
To get the trial version, you will need to register with Tenable. You will receive a confirmation code via email. Once you have received the confirmation code email you can download the desired version of Nessus in Kali Linux (Fig. 6.2).
Once the download is complete, open a new terminal and go to the download directory by typing cd Downloads at the command line. Next, list the contents of the directory by typing ls. This verifies that the file has actually been downloaded and saved to the target folder, and lets you copy the name of the installation file to paste into the next command. Then, to install Nessus, type dpkg -i Nessus-7.1.3-debian6_amd64.deb as shown in Fig. 6.3.
If a newer version of Nessus is available, substitute the name and version of the file you actually downloaded when running dpkg -i.
Start the Nessus service without leaving the Downloads directory by typing service nessusd start. If prompted, enter your Kali Linux password (Fig. 6.4).
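The download-check-install sequence above can be wrapped in a small script that refuses to hand a package built for a different architecture to dpkg -i, which is a common reason a freshly downloaded .deb fails to install. This is an added example, not code from the book or from Tenable; it assumes the package file follows the Nessus-<version>-<distro>_<arch>.deb naming seen above, and the function names (machine_to_deb_arch, pkg_arch, pkg_matches_machine, install_nessus) are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the book): verify that a downloaded Nessus .deb
# matches this machine's architecture before running dpkg -i on it.
# Assumes package names of the form <name>-<version>-<distro>_<arch>.deb,
# e.g. Nessus-7.1.3-debian6_amd64.deb as used in the text.

# Map `uname -m` output to the Debian architecture name used in package
# file names.
machine_to_deb_arch() {
    case "$1" in
        x86_64)  echo amd64 ;;
        i?86)    echo i386 ;;
        aarch64) echo arm64 ;;
        armv7l)  echo armhf ;;
        *)       echo "$1" ;;
    esac
}

# Extract the architecture suffix (the part after the last underscore)
# from a .deb file name or path.
pkg_arch() {
    name=$(basename "$1" .deb)
    echo "${name##*_}"
}

# Return 0 when the package architecture matches the given machine type.
pkg_matches_machine() {
    [ "$(pkg_arch "$1")" = "$(machine_to_deb_arch "$2")" ]
}

# Install the package and start the service, but only after the file
# exists and the architecture check passes (needs root).
install_nessus() {
    pkg="$1"
    if [ ! -f "$pkg" ]; then
        echo "no such file: $pkg" >&2
        return 1
    fi
    if ! pkg_matches_machine "$pkg" "$(uname -m)"; then
        echo "architecture mismatch: package is $(pkg_arch "$pkg"), machine is $(uname -m)" >&2
        return 1
    fi
    dpkg -i "$pkg" && service nessusd start
}

# Usage: sh install_nessus.sh ~/Downloads/Nessus-7.1.3-debian6_amd64.deb
if [ $# -eq 1 ]; then
    install_nessus "$1"
fi
```

Running the script with no argument only defines the functions, so it can also be sourced into an interactive shell to check a file name before installing by hand.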
To work with Nessus, open your browser, type https://localhost:8834 and press Enter. When the certificate warning banner appears, click the Advanced button, then click Add Exception, and finally click Confirm Security Exception (Fig. 6.5).
Perform the following steps to continue:
1. First create an account by specifying a username and password, then click Continue.
2. Leave the default setting (Home, Professional or Manager), enter the Activation Code received by email into the input field and click Continue.
If all goes well, Nessus will start initializing, download and compile the necessary plugins (Fig. 6.6).
Depending on the speed of your Internet connection, this procedure may take some time. While the installation is underway you can go to www.packtpub.com and see more books from Packt Publishing on Kali Linux and on penetration testing.
After all the updates are complete, the Nessus interface will load. Click the New Scan button in the upper right corner to see all available scan types (Fig. 6.7).
A large number of scan templates are available here; several of them are available only with a paid subscription. Besides host discovery and advanced scanning, Nessus offers specialized vulnerability scans, including the following:
- Cloud infrastructure scanning.
- Shellshock detection, local and remote.
- Internal PCI network scan.
- Linux and Windows malware scanning.
- Meltdown and Spectre detection.
- WannaCry detection.
- Ransomware detection.
- Web application vulnerability scanning.
To demonstrate the detection of vulnerabilities we will use the vulnerable Linux web server. In chapter 2 we explained how to configure Metasploitable 2, Metasploitable 3, a very vulnerable Linux system and BadStore.
In the scanner window click on the Advanced Scan template and in the BASIC (Basic) section fill in the input fields. In the Targets field, specify the IP address of the target machine or the range of IP addresses of the target machines to be scanned using the Advanced Scan template (Fig. 6.9).
Since there are several different settings available, explore other sections of the left column. Each of these sections lets you customize your scanning to suit your specific needs.
- DISCOVERY. Nessus uses a number of different methods to detect currently active hosts. Here you can set the parameters used to detect them.
- ASSESSMENT. Here you can specify the type and depth of the scan.
- REPORTING. Detailed information about the vulnerability testing is important when preparing the penetration test report. This section lets you set the report parameters.
- ADVANCED. Advanced settings allow you to change not only the number of hosts scanned at once but also other timing settings.
After configuring the scan, you can choose Save or Launch. The scan will then appear in the My Scans list.
Click the Play icon located to the right of the scan name to start the scan. If you click the scan name while the scan is running, you will see general information about the target machine being scanned and the vulnerabilities found so far (Fig. 6.10).
If you click on the target computer being scanned, you will see a more detailed list of detected vulnerabilities. Vulnerabilities are color coded:
- red – critical level;
- orange – high;
- yellow – medium;
- green – low;
- blue – informational.
As you can see from Fig. 6.11, a total of 70 vulnerabilities were detected during the scan, of which six are critical and 17 are high severity. This means that the machine is very vulnerable.
If you click on the colored severity categories, the detected vulnerabilities are listed in order from the most severe (critical) to the least severe (informational) (Fig. 6.12).
The information obtained includes not only the vulnerabilities but also the available exploits, which allows testers to plan and execute further attacks against these vulnerabilities (Fig. 6.13).
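The severity counts shown on the scan page can also be recovered from an exported report, which is useful when tracking a host across several scans or putting counts into the final report. The script below is an added example, not code from the book or from Tenable. The CSV column order it assumes (Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name) is an assumption about the export layout, the sample rows are constructed, and the awk field splitting only works when no field contains a comma; the function names (sample_export, count_by_risk, hosts_with_critical, count_severity) are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the book): summarise a Nessus CSV export by
# severity and list hosts with critical findings. The column positions are
# an assumption about the export layout; adjust them if yours differs.

RISK_COL=4
HOST_COL=5

# Constructed sample in the assumed layout (no commas inside fields).
sample_export() {
    cat <<'EOF'
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
10001,,0.0,None,192.168.56.101,tcp,22,SSH Server Detection
10002,,10.0,Critical,192.168.56.101,tcp,21,FTP Backdoor Detection
10003,,7.5,High,192.168.56.101,tcp,80,Outdated Web Server
10004,,5.0,Medium,192.168.56.101,tcp,25,SMTP Relay Check
10005,,10.0,Critical,192.168.56.102,tcp,445,SMB Remote Code Execution
10006,,2.6,Low,192.168.56.102,tcp,23,Telnet Cleartext Login
EOF
}

# Print "<Risk> <count>" lines for one export file, most severe first,
# skipping severities that do not occur.
count_by_risk() {
    awk -F',' -v col="$RISK_COL" 'NR > 1 { n[$col]++ }
        END {
            split("Critical High Medium Low None", order, " ")
            for (i = 1; i <= 5; i++)
                if (order[i] in n) print order[i], n[order[i]]
        }' "$1"
}

# Print each host that carries at least one Critical finding, once.
hosts_with_critical() {
    awk -F',' -v rc="$RISK_COL" -v hc="$HOST_COL" \
        'NR > 1 && $rc == "Critical" && !seen[$hc]++ { print $hc }' "$1"
}

# Count findings of one severity (prints 0 when there are none).
count_severity() {
    awk -F',' -v rc="$RISK_COL" -v sev="$2" \
        'NR > 1 && $rc == sev { c++ } END { print c + 0 }' "$1"
}

# Usage: sh nessus_triage.sh exported-scan.csv
if [ $# -eq 1 ]; then
    count_by_risk "$1"
    echo "hosts with critical findings:"
    hosts_with_critical "$1"
fi
```

For an export whose Name or Synopsis fields contain commas, replace the awk splitting with a real CSV parser; the counting logic stays the same.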
Nessus is a powerful tool with a lot of functionality that can be used in penetration testing. It provides a lot of information. Unfortunately, in this section we won’t be able to cover all the functionality of the program, but we recommend you to spend some time on your own exploring the available features. Please note that Tenable also offers the home version for free. If you want to test external IP addresses or use Nessus for a client, you will have to use the paid version.
Open Vulnerability Assessment System (OpenVAS) is a framework consisting of several services and utilities. OpenVAS is an open source scanner. It is easy to install and has a user-friendly interface that allows active monitoring (with active network actions). According to http://www.openvas.org/about.html, OpenVAS draws on a collection of over 50,000 network vulnerability tests (NVTs) when scanning. OpenVAS is the basis of the Greenbone Security Manager line of professional appliances.
To install OpenVAS, open the terminal and type the command apt-get install openvas (Fig. 6.14).
When the OpenVAS installation is complete, type the command openvas-setup on the terminal command line to start the configuration. The configuration process will take some time, depending on the network load and the speed of the Internet connection (Fig. 6.15).
At the end of the installation and configuration process, OpenVAS will generate the password that will be required when running OpenVAS (Fig. 6.16).
To run the OpenVAS service, enter the openvas-start command. Next, start your browser and type in
To use OpenVAS again later, open a terminal and type the command openvas-start; there is no need to run the setup again.
You will need to add a security exception again after entering the previous URL. To do this click the Advanced button, then the Add Exception button and then the Confirm Security Exception button (Fig. 6.17).
When prompted, log in with the admin username and the password generated during the installation process. Make sure the login and password are stored securely, as you will need to log in repeatedly when working with OpenVAS (Fig. 6.18).
To start a scan, click on the shortcut in the Scans tab and then on the Tasks line. An information window will open, where you will need to select the Tasks Wizard. It is presented as a purple icon located in the upper left corner of the screen (Fig. 6.19).
Click on the Advanced Task Wizard line in the menu that opens. In the fields that appear, enter the corresponding information (Fig. 6.20). Note: the Scan Config field offers several types of scan, including Discovery, Full and fast, Full and fast ultimate, and Full and very deep ultimate (the most thorough and time-consuming option).
The Start time option allows the penetration tester to schedule a scan. This is a very useful feature. Scanning can disrupt the network, so it is better to do it when the network is not very busy, i.e. outside working hours or on weekends.
Once all the fields are filled in, scroll down the page and click Create. The scan will start, and a summary of the scan and its status will appear on the screen (Fig. 6.21).
To view more information about a task, click on the task name in the Name field (Fig. 6.22).
When the scan is complete, press the Done button. This will generate a report with a list of detected vulnerabilities and a threat assessment for each of them (Fig. 6.23).
Clicking on any of the listed vulnerabilities will display additional information such as Summary, Impact, Solution, Affected Software/OS, etc. (Fig. 6.24).
Linux Vulnerability Scan with Lynis
Developed by Cisofy (www.cisofy.com), Lynis is a security auditing tool run from the Kali Linux command line. It is free, but an enterprise version is also available. Lynis is used for automated security assessment and vulnerability scanning on various Linux distributions, macOS and Unix operating systems.
Unlike other applications of this type, Lynis is geared towards the HIPAA, PCI DSS, SOX and GLBA compliance frameworks, which allows enterprises subject to different standards to check the security of their systems.
Lynis can be downloaded and installed by yourself. Installing it directly on the system being audited saves network traffic compared to auditing it from a remote computer.
To run Lynis in Kali, select the menu command Applications > Vulnerability Analysis > Lynis. To run it from the command line, type lynis in the terminal. It will display the installed version of Lynis (in this case 2.6.2) and initialize the program. You will also see a list of all command parameters (Fig. 6.25).
If you have forgotten the right command, type lynis show commands (Fig. 6.26).
Lynis is a fully automated security audit tool with a minimal set of commands. To audit your Kali Linux machine, just type lynis audit system. The time the audit takes depends on the characteristics of the Kali Linux machine being checked; usually it lasts from 15 to 30 minutes. The result of the audit is shown in Fig. 6.27.
The audit results include information on:
- Debian version;
- boot and services;
- memory and processor;
- users, groups and authentication;
- file system;
- USB devices;
- networks and firewalls;
- ports and printers;
- kernel hardening.
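After lynis audit system finishes, the warnings and suggestions it lists on screen are also written in machine-readable form, which is what you want when auditing more than one host or tracking a host over time. The script below is an added example, not part of the book or of Lynis; it assumes the report is at /var/log/lynis-report.dat and that it contains warning[]=, suggestion[]= and hardening_index= lines of the shape shown in its constructed sample, so compare those against a real report before relying on it. The function names (sample_report, count_kind, list_kind, hardening_index, check_hardening) are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the book): summarise the actionable items in a
# Lynis report file. Assumed line shapes, taken from the report format:
#   warning[]=TEST-ID|text|details|solution|
#   suggestion[]=TEST-ID|text|details|solution|
#   hardening_index=N

REPORT=${REPORT:-/var/log/lynis-report.dat}

# Constructed sample report (not real audit output).
sample_report() {
    cat <<'EOF'
lynis_version=2.6.2
os_name=Linux
hardening_index=64
warning[]=BOOT-5122|No password set on GRUB boot loader|-|-|
warning[]=FIRE-4512|iptables module loaded but no rules active|-|-|
suggestion[]=KRNL-5820|Consider disabling core dumps in /etc/security/limits.conf|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration (PermitRootLogin)|-|-|
suggestion[]=PKGS-7392|Install available security updates|-|-|
EOF
}

# Number of entries of one kind ("warning" or "suggestion"); prints 0 if none.
count_kind() {
    grep -c "^$2\[\]=" "$1" || true
}

# List entries of one kind as "TEST-ID: text", one per line.
list_kind() {
    awk -F'|' -v kind="$2" 'index($0, kind "[]=") == 1 {
        split($1, a, "="); print a[2] ": " $2 }' "$1"
}

# The 0-100 hardening index Lynis assigns to the host.
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# Succeed only if the index reaches a threshold, so the audit can gate a
# build or be polled by monitoring.
check_hardening() {
    idx=$(hardening_index "$1")
    [ -n "$idx" ] && [ "$idx" -ge "$2" ]
}

# Usage: REPORT=/var/log/lynis-report.dat sh lynis_summary.sh
if [ -r "$REPORT" ]; then
    echo "hardening index: $(hardening_index "$REPORT")"
    echo "warnings: $(count_kind "$REPORT" warning)"
    list_kind "$REPORT" warning
    echo "suggestions: $(count_kind "$REPORT" suggestion)"
    list_kind "$REPORT" suggestion
fi
```

Warnings are the items to fix first; suggestions are hardening improvements, and the hardening index gives a single number to compare between audits.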
In this chapter we discussed how to identify and analyze critical security vulnerabilities using several Kali Linux tools. We have also considered three main vulnerability classes: design, implementation and exploitation and examined how they can be allocated to two general types of vulnerabilities: local and remote. We then discussed several taxonomies of vulnerabilities that could be used in security checks and classified them by similarity of templates.
Then, we introduced you to several tools that can be used to automatically scan the system and identify existing vulnerabilities. These are tools such as Nessus, OpenVAS, Lynis and SPARTA.
In the next chapter we will discuss the art of deception and talk about how human weaknesses can be exploited to achieve your goal. In many cases this step can be avoided, but when we lack the information needed to work against the target infrastructure, such methods can be very useful.