In this lesson I'll talk about vulnerability scanning. Vulnerability scanning is a proactive security technique that helps you find vulnerabilities and risks in your systems. It can also help you find vulnerabilities in services and applications. It helps identify information about a system or a service, such as open ports, patch levels and many more things, but usually it's going to find vulnerabilities. We use vulnerability scanning to supplement what we can't do on our own. We can't look at every system all the time and determine whether the system is vulnerable or at risk, so we have to have some kind of security posture, really a security process, to identify the systems that have vulnerabilities on them so that we can remediate them in a timely manner. This is usually automated, because we can't just go around with file integrity checking software like AIDE, for example, and make sure all of the binaries on our operating systems are good to go and don't have any vulnerabilities in them. We need to do this on a regular schedule. There are two types of vulnerability scans out there: credentialed scans and uncredentialed scans. Credentialed scans log into the systems and can escalate privileges if needed. They look at the patch levels, open ports, versions of software, what software is running and the processes that are running. They can even identify malware if necessary. Uncredentialed scans are just the opposite: they can't actually log into a system because they don't have credentials. You do uncredentialed scans when you don't have the information for the system, that is, when you don't have a username and password for it. This is going to create a lot more traffic and a lot more noise, because we're not looking at the patch level of the system. Let's talk real quick about several different kinds of scanners.
System scanners: Nessus is excellent. It's a great tool; I've been using Nessus for probably about seven years. I've used Qualys a couple of times, and it's also a great tool. Microsoft Baseline Security Analyzer is actually a deprecated tool, but you can still use it. And Nmap: Nmap will help identify information about systems, and if you use the Nmap Scripting Engine, it's going to allow you to dig even deeper into those systems. There are also application scanners out there. Application scanners fall into service scanning and web application scanning, because the world runs on the Internet these days. A lot of web application scanners have come up in the past few years. Burp Suite is a great tool for looking at web applications and modifying and controlling web applications. AppScan from IBM is a great tool for real applications because it can look at the code itself. Netsparker is a great web application tool. Nikto I'll show you here in a second. Qualys can also do it, Nessus can also do it. w3af is also a great tool, a free tool from OWASP that allows us to scan web applications for vulnerabilities, and then sqlmap as well: sqlmap will scan your applications, or your servers, for SQL injection vulnerabilities. Online scanning: US-CERT, where you can sign up for the government to scan your systems. Dorkbot is housed out of the University of Texas. Shodan will also scan your servers, while it scans the entire world. And then ShadowServer is a great organization if you want to sign up and scan your own systems, or have them scan your systems and send you a copy of the report each day. Using only one scanner is a really bad idea; scanners are designed for specific tasks. Now, why did I have Nessus and Qualys on two different lists? One was operating systems and the other one was web applications. They can do web application scanning, but that is not their primary purpose.
And I'm going to show you in a second the difference between using one that is designed for scanning web applications versus one that is only looking at operating systems. When do we want to scan? Well, we should scan frequently on a set schedule. We scan our internal servers, our server subnets, twice a month, and any time new vulnerabilities come out such as Heartbleed, Shellshock, WannaCry and EternalBlue. These have been the latest ones to come out. WannaCry and EternalBlue are extremely dangerous vulnerabilities, and our systems can be attacked very easily if we don't patch them. Let's look at two different types of scans. We're going to scan the exact same system with two different kinds of scanners. The first scanner is Nessus, which I'll explain in a later video; Nessus is great at operating systems. So here is a server, 128.198.49.195. This is running a vulnerable version of Mutillidae, which is an OWASP test application framework. Notice that I only see medium vulnerabilities. I see SSL certificates; there are problems with those because they're self-signed. I can see HTTP TRACE methods. I can see service detection. Let's drill in here. I can see a couple of different ports are open: 22, 80, 443 and another 443 which is running a different protocol. However, what I want to show you is how they're not all created equal. Let's move over to our Linux system and scan with Nikto. Nikto is a web application vulnerability scanner, and it takes very few inputs. Here's the host again, 128.198.49.195. The root directory is going to be mutillidae. The output I'm going to call test.html, because I want it in HTML format, and then the format is HTML. I press run here, and immediately I start getting information back from the server. So let that run for a minute.
The scan is complete, and it took about two minutes to scan the entire web application. Let's look at the results real quick. Open test.html in Firefox. Now notice how many vulnerabilities this picked up. Look at how many vulnerabilities it found. Let's pick on a couple here. Okay, it looks like we were able to get to the /etc/passwd file because it's not secured. A PHP "new Crocket" add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. That's really dangerous if we were just to use Nessus and not a real web application vulnerability scanner, because it contributes to false negatives, where we think that the system is okay when in reality it is not.
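The point of running both scanners is that each one misses things the other catches. As an added example that is not part of the lecture, here is a small Python script that merges findings from two reports for the same host and lists the ones only a single scanner reported, which is exactly where trusting one tool would produce a false negative. The two record sets are constructed, loosely modelled on the Nessus and Nikto results described above; the field layout and the host address are assumptions of this example, not the real output format of either tool.

```python
"""Merge findings from two scanner reports and show single-scanner gaps.

Added example, not from the lecture. Input records are constructed and
the Finding layout is an assumption, not a Nessus or Nikto export format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str
    host: str
    port: int
    path: str       # URL path for web findings, "" for host-level findings
    title: str
    severity: str   # one of: info, low, medium, high, critical


SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data (not real scanner output). 192.0.2.10 is a
# documentation address standing in for the scanned host.
NESSUS = [
    Finding("nessus", "192.0.2.10", 443, "", "Self-signed SSL certificate", "medium"),
    Finding("nessus", "192.0.2.10", 80, "", "HTTP TRACE method enabled", "medium"),
    Finding("nessus", "192.0.2.10", 22, "", "SSH service detected", "info"),
]
NIKTO = [
    Finding("nikto", "192.0.2.10", 80, "/", "HTTP TRACE method enabled", "medium"),
    Finding("nikto", "192.0.2.10", 80, "/mutillidae/index.php",
            "Directory traversal exposes /etc/passwd", "high"),
    Finding("nikto", "192.0.2.10", 80, "/mutillidae/", "Directory indexing enabled", "low"),
]


def normalize(title: str) -> str:
    """Fold case and whitespace so the same issue matches across tools."""
    return " ".join(title.lower().split())


def merge(*reports):
    """Group findings by (host, port, normalized title) across all reports."""
    merged = defaultdict(list)
    for report in reports:
        for f in report:
            merged[(f.host, f.port, normalize(f.title))].append(f)
    return merged


def single_scanner_findings(merged):
    """Keep only issues that exactly one scanner reported."""
    return {k: v for k, v in merged.items() if len({f.scanner for f in v}) == 1}


def highest_severity(findings) -> str:
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def coverage_report(*reports):
    """Lines describing single-scanner findings, most severe first."""
    only_one = single_scanner_findings(merge(*reports))
    ordered = sorted(only_one.items(),
                     key=lambda kv: -SEVERITY_RANK[highest_severity(kv[1])])
    lines = []
    for (host, port, title), fs in ordered:
        lines.append(f"{highest_severity(fs):8} {host}:{port} {title} (only {fs[0].scanner})")
    return lines


if __name__ == "__main__":
    for line in coverage_report(NESSUS, NIKTO):
        print(line)
```

The merge key deliberately ignores the URL path, since a host-level scanner reports the TRACE issue without one while a web scanner attaches it to a path; the first line of the report is the high-severity traversal finding that only the web application scanner produced.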