Welcome to Hacking 101: Vulnerability Assessments! This will be our first entry in a new “Hacking 101” series, giving you the knowledge needed to better protect yourself in today’s cyberthreat landscape.
In our last article, we covered the basics of penetration testing. To illustrate how part of the process works, I wrote a very simple, high-level guide on how to conduct your very own vulnerability assessment. We’ll make this short and easy, so you can make educated decisions on how to tackle IT security or when to engage with specialized security professionals (like us!). Have fun, and don’t try this on your competitors’ websites!
Some disclaimers: We won’t make this a full penetration test how-to. Like the previous article hinted, penetration tests require a lot of time and effort, and this can’t be a substitute to one. Basically, vulnerability assessments only point you in the right direction in terms of where weaknesses lie. They don’t tell you if the reported vulnerabilities actually exist, how to exploit them, or how to fix them. Penetration tests – and only penetration tests – give you all the information you need to fully address security weaknesses. As a matter of personal and professional ethics, I also have to inform you that this guide won’t help you with HIPAA or NIST compliance; you’ll need to do a lot more to get to that level.
The Tools You’ll Need
Although myriad security tools exist, we’ll keep things simple by only using two tools, Nmap and the free version of Nessus.
Nmap is a free and open source networking tool. While IT administrators use Nmap for myriad reasons, such as IT asset inventory or system uptime monitoring, we as security professionals care about one specific feature of Nmap. Namely, we use the tool to check what ports and applications exist on each target system. If we find open ports, Nmap can tell us what services run on each port, what OS and application versions the system uses, and even what security tools protect the system! I’ve heard Nmap called the “Swiss army knife of security tools”, and I love using it. Software security is critical in the digital world. Securing your applications is fundamental, because if your application goes down, leaks data, or behaves maliciously, the consequences can be devastating. Check out this guide to application security testing from Parasoft to learn more.
Protip: Nmap works through the command line only. If you’d prefer, download Zenmap, which wraps Nmap in a (comparatively) easy-to-use graphical user interface.
Nessus is an automated vulnerability scanner. When pointed to a target, it scans the target, lists any weaknesses it finds, and lists those weaknesses in several easy-to-read report formats. Nessus costs a lot of money – almost $2,200 annually! Thankfully, the makers of Nessus offer a seven-day free trial. I don’t know about you, but I’d rather not pay thousands of dollars to use this. Let’s sign up for the trial, input the trial key, and be on our way.
Protip: Use a “throwaway” email to register. Otherwise, Tenable will bombard you with trial reminders and marketing emails.
Note: I use both these tools on Linux. You don’t have to; just know that what you see may differ from my screenshots.
Step 1: Scanning your Target with Nmap
If you want, you can start learning more about Nmap by typing “nmap –help” in a terminal. That will show you all the ways we can configure Nmap. We only care about a few specific options right now:
- -p [ports]: This flag specifies the ports that Nmap will scan. We specify 1-65535 to scan all possible ports.
- -sV: This flag means Nmap will try to find the application and version number associated with each port. We call this “fingerprinting”.
- -O: This flag will ask Nmap to find what version of operating system our target uses.
In practice, we use a lot more of these flags. Pick a few and play around with them, see what happens!
In our example, I pointed Nmap to a lab environment I use for pentesting, called “dvwa“. You can also use an IP address or URL if needed. I used the listed flags, and here’s what we see:
We find that Nmap can connect to five ports (21, 22, 80, 443, and 3306). Right below the port details, we see that our target runs Linux (“Running” and “OS details”) in a VMWare virtual machine (“MAC Address”).
From here, we can narrow our attack surface significantly. We have fingerprinted each service on each port, so we can now run Nessus and see if any of thoseservices have exploitable weaknesses!
Step 2: Configuring and Running Nessus
When you’ve downloaded, installed, and activated Nessus, you’ll see a screen similar to the below:
Click on “Create a New Scan”.
Click on “Basic Network Scan”. Under “Settings” > “Basic” > “General”, name this scan under “Name” and input your target information under “Targets” (remember, mine is “dvwa”).
Go to “Settings” > “Discovery”, and change “Scan Type” to “Custom”.
Go to “Settings” > “Discovery” > “Port Scanning”. Check the box entitled “Consider unscanned ports as closed”. Specify the port numbers found in our Nmap scan in “Port scan range” (mine were 21, 22, 80, 443, and 3306).
Click the “Save” button at the bottom of the page. You’ll get redirected to the “My Scans” page.
Check the box next to your newly-created scan. Click the “More” menu option, then click “Launch”.
Confirm on the second prompt (if you get one). You’ll know you’re running the scan successfully by the appearance of a green refresh icon next to the “Last Modified” date.
When the green icon turns into a grey checkbox, like above, Nessus has finished scanning. Click on your scan. On the next screen, check the checkbox next to it, then move to the “Export” menu and click “PDF”.
Click “Export” again if needed. Download and open your PDF. You successfully completed your vulnerabiliity assessment!
In this blog post, I walked you through a very simple vulnerability assessment. Using Nmap, we scanned all ports of a single target machine and fingerprinted each active service. We passed those results to Nessus, which then executed a simple vulnerability scan. We finally downloaded and reviewed Nessus’s findings report, which we can then use in further testing and remediation activities.
Although we left a lot out, we still received an actionable listing of potential weaknesses in our system. If you, your IT staff, or your preferred IT security partner conduct comprehensive vulnerability assessments at regular intervals, you’ll make great progress in securing your practice’s IT assets against ransomware and cybercriminals.