What Are Vulnerabilities
Imagine you are living in a small, lovely house. One day, you notice that your roof has many small holes. If not treated, these small holes can cause significant problems. During rain, water can come through these leaks and damage your furniture. Dust particles and insects can enter the house through these tiny holes. These small holes are a weakness in your home that can lead to significant problems in the future if not addressed in time. These weaknesses are known as Vulnerabilities. You start repairing the roof to fix this problem and keep your home safe. This process of fixing the vulnerabilities is known as Patching.
Digital devices also have vulnerabilities inside their software or hardware. These are weaknesses in software programs or hardware that an attacker can leverage to compromise the digital device. These vulnerabilities may sound trivial to you, like the small holes in the roof of a house that can be repaired at any time. However, vulnerabilities in digital devices can lead to massive damage if not noticed in time. Hackers are always searching for these weaknesses, as exploiting them is how they make their way into your systems or networks. The tricky thing about digital device vulnerabilities is that you cannot notice them as easily as the holes in a roof; you have to dedicate effort to hunting them down. After the vulnerabilities have been hunted down, the process of patching starts, where fixes are applied to remediate them.
This room is about learning how to hunt these vulnerabilities in digital devices. We will study some of the available tools to automate this hunting and leverage one of the tools to demonstrate how it’s done practically.
Learning Objectives
- Vulnerability scanning and its types.
- Tools used for vulnerability scanning.
- OpenVAS vulnerability scanner demonstration.
- Practical exercise.
Answer the questions
What is the process of fixing the vulnerabilities called?
Answer: Patching
Vulnerability Scanning
Vulnerability scanning is the inspection of digital systems to find weaknesses. Organizations carry critical information in their digital infrastructure. They must regularly scan their systems and networks for vulnerabilities, as attackers can leverage these vulnerabilities to compromise their digital infrastructure, resulting in a considerable loss. Vulnerability scanning is also an important compliance requirement of many regulatory bodies. Some security standards advise performing vulnerability scanning quarterly, while some advise performing it once a year.
We saw how important it is to regularly conduct vulnerability scans across your digital landscape; however, manually looking for these weaknesses can be very tedious and can miss some major ones. The bigger the network, the slower manual vulnerability scanning becomes. This is no longer an issue, as efficient vulnerability scanners that perform automated vulnerability scanning are available on the market. Automated vulnerability scanning has made life much easier. You only need to install the tool and give it the IP address of a host or the address range of a network; it will start checking for vulnerabilities and give you an easy-to-read report with the details of the vulnerabilities found.
After identifying vulnerabilities, organizations fix them by making changes to a software program or system. These changes are referred to as Patches.
Vulnerability scans can be categorized in many ways; however, the major categories of these scans are explained below:
Authenticated vs. Unauthenticated Scans
Authenticated scans require the subject host's credentials and are more detailed than unauthenticated scans. These scans are helpful for discovering the threat surface within the host. In contrast, unauthenticated scans are conducted without providing any credentials for the subject host. These scans help identify the threat surface as seen from outside the host.
| Authenticated Scans | Unauthenticated Scans |
|---|---|
| The credentials of the subject host must be provided to the vulnerability scanner. | The vulnerability scanner does not require the host’s credentials; it only needs the IP address. |
| Identifies the vulnerabilities that can be exploited by the attackers having access to the host. | Identifies the vulnerabilities that can be exploited by an external attacker having no access to the subject host. |
| It provides a deeper visibility into the target system by scanning its configuration and installed applications. | It is less resource-intensive and straightforward to set up. |
| For example, scanning an internal database by providing its credentials to the vulnerability scanner. | For example, scanning a public-facing website for vulnerabilities that any user can exploit. |
Internal vs. External Scans
Internal scans are conducted from inside the network, while external scans are conducted from outside the network. Let's see a few of their differences below.
| Internal Scans | External Scans |
|---|---|
| Conducted from inside the network. | Conducted from outside the network. |
| It focuses on the vulnerabilities that can be exploited inside the network. | It focuses on the vulnerabilities that can be exploited from outside the network. |
| Identifies vulnerabilities that would be exposed to the attackers once they get inside the network. | Identifies the vulnerabilities exposed to the attacker from outside the network. |
The choice between vulnerability scan types depends on several factors. Authenticated scans are often used for internal vulnerability scanning, while unauthenticated scans are mostly used for external vulnerability scanning.
Answer the questions
Which type of vulnerability scans require the credentials of the target host?
Answer: Authenticated
Which type of vulnerability scan focuses on identifying the vulnerabilities that can be exploited from outside the network?
Answer: External
Tools for Vulnerability Scanning
There are many tools available for performing automated vulnerability scanning, each offering unique features. Let’s discuss some of the widely used vulnerability scanners.
Nessus
Nessus was developed as an open-source project in 1998. It was later acquired by Tenable in 2005 and became proprietary software. It has extensive vulnerability scanning options and is widely used by large enterprises. It is available in both free and paid versions. The free version offers a limited number of scan features. In contrast, its commercial version offers advanced scanning features, unlimited scans, and professional support. Nessus needs to be deployed and managed on-premises.
Qualys
Qualys was developed in 1999 as a subscription-based vulnerability management solution. Along with continuous vulnerability scanning, it provides compliance checks and asset management. It automatically alerts on the vulnerabilities found during continuous monitoring. The best thing about Qualys is that it is a cloud-based platform, which means there is no extra cost or effort to keep it up and running on our physical hardware and manage it.
Nexpose
Nexpose was developed by Rapid7 in 2005 as a subscription-based vulnerability management solution. It continuously discovers new assets in the network and performs vulnerability scans on them. It gives vulnerability risk scores depending on the asset value and the vulnerability’s impact. It also provides compliance checks against various standards. Nexpose offers both on-premises and hybrid (cloud and on-premises) deployment modes.
OpenVAS (Open Vulnerability Assessment System)
OpenVAS is an open-source vulnerability assessment solution developed by Greenbone Security. It offers basic features with known vulnerabilities scanned through its database. It is less extensive than commercial tools; however, it gives you the flavor of a complete vulnerability scanner. It is beneficial for small organizations and individual systems. The next section will explore this tool in more detail by performing vulnerability scanning.
Almost all vulnerability scanners offer reporting capabilities. They generate a detailed report after every vulnerability scan. These reports contain a list of the vulnerabilities discovered, their risk scores, and detailed descriptions. Some vulnerability scanners offer advanced reporting capabilities that provide remediation methods for all the discovered vulnerabilities and allow you to export these vulnerability assessment reports in different formats.
Each of the tools mentioned above has its strengths. When choosing a suitable vulnerability scanner for your digital assets, you must consider the scope, resources, depth of analysis, and other factors.
Answer the questions
Is Nessus currently an open-source vulnerability scanner? (Yea/Nay)
Answer: Nay
Which company developed the Nexpose vulnerability scanner?
Answer: Rapid7
What is the name of the open-source vulnerability scanner developed by Greenbone Security?
Answer: OpenVAS
CVE & CVSS
Imagine yourself as the person sitting on the help desk of an IT complaint office managing many clients. You deal with hundreds of complaints daily regarding IT outages or several other problems requiring support from your company. Let’s see how CVE and CVSS help you track all these inquiries and complaints.
CVE
CVE stands for Common Vulnerabilities and Exposures. Consider CVE a unique number for each of your inquiries and complaints. If there is any update to any issue, you can easily follow up on that using the unique CVE number. Coming out of the help desk example scenario, this CVE number is a unique number given to vulnerabilities. This was developed by the MITRE Corporation. Whenever a new vulnerability is discovered in any software application, it is given a unique CVE number as a reference and published online in a CVE database. This publication aims to make people aware of these vulnerabilities so they can apply protective measures to remediate them. You can find the details of any previously discovered vulnerability in the CVE database. An example of a CVE number given to a vulnerability can be seen in the picture below:
CVE-2024-9374
- CVE prefix: Every CVE number has the prefix “CVE” in the beginning.
- Year: The second part of every CVE number contains the year it was discovered (e.g., 2024).
- Arbitrary Digits: The last part of the CVE number contains four or more arbitrary digits (e.g., 9374).
CVSS
CVSS stands for Common Vulnerability Scoring System. If we return to the help desk example again, you would always need to prioritize the complaints. The most efficient way to prioritize the complaints is by their severity level. What if all your complaints are registered with a score ranging from 0 to 10, where a higher score indicates a more severe complaint? This would resolve the problem of prioritizing critical complaints. This is called a CVSS score. In the computing world, just as each vulnerability has a CVE number that uniquely identifies it, each has a CVSS score that tells you its severity. The CVSS score is calculated by considering multiple factors, including its impact, ease of exploitability, etc. The severity as per the CVSS scores can be seen in the table below:
| CVSS Score Range | Severity Levels |
|---|---|
| 0.0-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10 | Critical |
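As an added example (not part of the original room), here is a small Python triage helper that validates CVE identifiers against the format described above, maps CVSS scores to the severity bands in the table, and orders scanner findings so the most severe are handled first. The sample findings are constructed; only CVE-2024-9374 and the 5.3 score come from this page.

```python
import re

# CVE identifier format described above: the literal prefix "CVE-",
# a four-digit year, then four or more digits (the sequence number).
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Lower bound of each severity band from the CVSS table above, ascending.
# A score takes the label of the highest bound it reaches, so a value such
# as 3.95 cannot fall into a gap between 3.9 and 4.0.
SEVERITY_BOUNDS = ((0.0, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical"))

def parse_cve_id(cve_id: str):
    """Return (year, sequence) for a well-formed CVE ID, or None if malformed."""
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if match is None:
        return None
    return int(match.group("year")), match.group("seq")

def cvss_severity(score: float) -> str:
    """Map a CVSS score (0.0-10.0) to the severity label used on this page."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    label = SEVERITY_BOUNDS[0][1]
    for lower, name in SEVERITY_BOUNDS:
        if score >= lower:
            label = name
    return label

def triage(findings):
    """findings: iterable of (cve_id, cvss_score). Rejects malformed CVE IDs and
    orders the rest most severe first. Returns (ordered, rejected_ids)."""
    valid, rejected = [], []
    for cve_id, score in findings:
        if parse_cve_id(cve_id) is None:
            rejected.append(cve_id)
        else:
            valid.append((cvss_severity(score), score, cve_id.strip().upper()))
    valid.sort(key=lambda item: item[1], reverse=True)
    return valid, rejected

# Constructed sample scanner output; apart from CVE-2024-9374 and the 5.3
# score, which are the page's own values, the identifiers and scores are made up.
SAMPLE_FINDINGS = [
    ("CVE-2024-9374", 5.3),
    ("cve-2021-12345", 10.0),  # lower-case prefix is normalised
    ("CVE-2019-0042", 2.1),
    ("CVE-24-9374", 7.5),  # malformed: two-digit year, so it is rejected
]

if __name__ == "__main__":
    ordered, rejected = triage(SAMPLE_FINDINGS)
    for severity, score, cve_id in ordered:
        print(f"{severity:8} {score:4} {cve_id}")
    print("rejected:", rejected)
```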
Answer the questions
CVE stands for?
Answer: Common Vulnerabilities and Exposures
Which organization developed CVE?
Answer: MITRE Corporation
What would be the severity level of the vulnerability with a score of 5.3?
Answer: Medium
OpenVAS
As discussed in Task #3, OpenVAS is a complete open-source vulnerability scanner. In this task, we will see how to conduct a vulnerability scan using the OpenVAS scanner.
Installation
We will be installing OpenVAS on an Ubuntu machine. Installing OpenVAS directly can be very tedious, as it has many dependencies. We will use Docker to install OpenVAS. Docker is a platform that helps you create and distribute packages of different applications. These packages are known as containers. A container of an application has all of its dependencies already installed inside it, so we do not need to spend more time installing the application’s dependencies. For your ease, we have already installed the OpenVAS tool on the machine given for the practical exercise in the next task. However, just for your information, the installation steps are mentioned below:
sudo apt install docker.io
After installing Docker on our machine, we can proceed to install OpenVAS within a Docker container. For simplicity, we will use the Docker image provided by Immauss, as it fits everything within a single image. This is enough for our lab work. We will run the following command to install the OpenVAS container with all the dependencies installed:
sudo docker run -d -p 443:443 --name openvas immauss/openvas
Accessing OpenVAS
Once you have completed the installation process mentioned above, you can access the OpenVAS web interface by opening any of your browsers and typing the following in the URL:
https://127.0.0.1
This will take you to the login page of OpenVAS. Once you enter the correct login credentials, the following dashboard will open. This dashboard provides a comprehensive overview of all your vulnerability scans:
Performing a Vulnerability Scan
Now, we are going to perform a vulnerability scan on a machine. The first step is to create a task inside the OpenVAS dashboard. We will fill out the details for this task and execute it to run the vulnerability scan.
Click the “Tasks” option available inside the “Scans” option displayed on the dashboard:
You will reach the page where all the running tasks are displayed. We would not see any task on this page because we have not yet performed any scans. To create a task, click the star icon and then the “New Task” option.
Enter the name of the task, and click the “Scan Targets” option.
Enter the name of the target machine and its IP address, and click “Create”.
You will have multiple scan options available. Each scan option has its scope of scanning; you can study the details of each scan type and choose accordingly, and then click on the “Create” button.
The task is created and will be displayed to you on the Tasks dashboard. To initiate the scan, click the play button in the “Actions” option of the task.
It will take a few minutes to complete the scan. After the scan is completed, you will see its status marked as “Done”. The visualizations inside the Tasks dashboard will display some numbers indicating the severity of vulnerabilities found. To check the details of the scan, you have to click on the task name.
To see the details of all the vulnerabilities discovered during the scan, you can click on the number indicating the count of vulnerabilities found in the subject host.
Now, we have a list of all the vulnerabilities found in this machine and their severity. We can also click on any of them to see more details.
Like other vulnerability scanners, OpenVAS allows us to export these results as reports. You can fetch the reports in any format from the Tasks dashboard.
Answer the questions
What is the IP address of the machine scanned in this task?
Answer: 10.10.154.44
How many vulnerabilities were discovered on this host?
Answer: 13
Practical Exercise
Scenario: A reputable firm conducted a vulnerability scan on a server (10.82.143.171) on its network that stores critical information. This activity was intended to enhance the organization’s security posture. The security team conducted the activity using the OpenVAS vulnerability scanner, and the vulnerability scan report was placed on the desktop. You are an information security engineer working for that firm. You are tasked with reviewing this report. You can simply open the report placed on the desktop or perform the vulnerability scan again to answer the questions below. OpenVAS is pre-installed on the host to which you are given access.
Note: Performing the vulnerability scan may take some time. This is why we have already placed the scan report on the desktop so you can analyze and answer the questions.
You can start the Virtual Machine by pressing the Start Machine button below. The machine will start in Split-Screen view. In case the VM is not visible, use the blue Show Split View button at the top of the page.
Once the machine has started, if you prefer to perform the vulnerability scan yourself rather than analyzing the scan report, you must start the docker container of OpenVAS to access it. You can do so by executing the following command with root privileges:
Start Docker
root@tryhackme$ docker start openvas
Once the container has started, you can access OpenVAS by typing the following URL inside the browser:
https://127.0.0.1/login/login.html
The default login credentials of the tool are mentioned below:
Username: admin
Password: admin
Note: Please be aware that the scanning process can be slow.
Answer the questions
What is the score of the single high-severity vulnerability found in the scan?
Security Issues for Host 127.0.0.1
9390/tcp
High (CVSS: 10.0)
NVT: OpenVAS / Greenbone Vulnerability Manager Default Credentials (OID: 1.3.6.1.4.1.25623.1.0.108554)
Product detection result: cpe:/a:openvas:openvas_manager:7.0 by OpenVAS / Greenbone Vulnerability Manager Detection (OID: 1.3.6.1.4.1.25623.1.0.103825)
Summary
The remote OpenVAS / Greenbone Vulnerability Manager is installed/configured in a way that it has account(s) with default passwords enabled.
Vulnerability Detection Result
It was possible to login using the following credentials (username:password:role):
admin:admin:Admin
Impact
This issue may be exploited by a remote attacker to gain access to sensitive information or modify system configuration.
Solution
Solution type: Workaround
Change the password of the mentioned account(s).
Vulnerability Insight
It was possible to login with default credentials: admin/admin, sadmin/changeme, observer/observer or admin/openvas.
Vulnerability Detection Method
Try to login with default credentials via the OMP/GMP protocol.
Details: OpenVAS / Greenbone Vulnerability Manager Default Credentials (OID: 1.3.6.1.4.1.25623.1.0.108554)
Version used: $Revision: 13944 $
Product Detection Result
Product: cpe:/a:openvas:openvas_manager:7.0
Method: OpenVAS / Greenbone Vulnerability Manager Detection (OID: 1.3.6.1.4.1.25623.1.0.103825)
Answer: 10
What is the solution suggested by OpenVAS for this vulnerability?
Answer: Change the password of the mentioned account