Lesson 3 Vulnerability Assessment
55 minutes
Vulnerability Assessment
Vulnerability assessment is the systematic process of identifying, classifying, and prioritizing security vulnerabilities in systems, networks, and applications. It's a critical component of any security program.
Vulnerability Assessment vs Penetration Testing
Vulnerability Assessment
- Identifies vulnerabilities
- Automated scanning
- Broad coverage
- Less intrusive
- Compliance focused
- Regular/scheduled
Penetration Testing
- Exploits vulnerabilities
- Manual testing
- Focused scope
- More intrusive
- Risk assessment focused
- Point-in-time
Vulnerability Assessment Process
1. Scope Definition
Define targets and objectives
2. Discovery
Identify assets and services
3. Scanning
Automated vulnerability detection
4. Analysis
Validate and classify findings
5. Prioritization
Risk-based ranking
6. Reporting
Document findings and recommendations
Vulnerability Classification Systems
CVSS (Common Vulnerability Scoring System)
CVSS provides a standardized method for rating vulnerabilities based on their characteristics:
| CVSS Score | Severity | Color Code | Description |
|---|---|---|---|
| 9.0 - 10.0 | Critical | Red | Immediate action required |
| 7.0 - 8.9 | High | Orange | Fix within 30 days |
| 4.0 - 6.9 | Medium | Yellow | Fix within 90 days |
| 0.1 - 3.9 | Low | Green | Fix when convenient |
Common Vulnerability Categories
Network Vulnerabilities
- Unencrypted services
- Default credentials
- Unnecessary open ports
- Weak protocols (Telnet, FTP)
- Missing security patches
Web Application Vulnerabilities
- SQL Injection
- Cross-Site Scripting (XSS)
- Broken Authentication
- Security Misconfiguration
- Insecure Direct Object References
Vulnerability Scanning Tools
OpenVAS
Open-source vulnerability scanner with comprehensive vulnerability database
FreeNessus
Commercial vulnerability scanner with extensive plugin library
CommercialNikto
Web vulnerability scanner for identifying common web server issues
FreePython Script: Simple Vulnerability Scanner
#!/usr/bin/env python3
import requests
import socket
import ssl
import subprocess
from urllib.parse import urljoin, urlparse
import sys
class VulnerabilityScanner:
def __init__(self, target):
self.target = target
self.vulnerabilities = []
def check_ssl_configuration(self, host, port=443):
"""
Check SSL/TLS configuration
"""
try:
context = ssl.create_default_context()
with socket.create_connection((host, port), timeout=5) as sock:
with context.wrap_socket(sock, server_hostname=host) as ssock:
cert = ssock.getpeercert()
cipher = ssock.cipher()
# Check for weak ciphers
weak_ciphers = ['RC4', 'DES', 'MD5', 'NULL']
if any(weak in cipher[0] for weak in weak_ciphers):
self.vulnerabilities.append({
'type': 'SSL/TLS',
'severity': 'Medium',
'description': f'Weak cipher detected: {cipher[0]}'
})
# Check certificate validity
if cert:
print(f"SSL Certificate valid for: {cert.get('subject', 'Unknown')}")
except Exception as e:
self.vulnerabilities.append({
'type': 'SSL/TLS',
'severity': 'High',
'description': f'SSL/TLS connection failed: {str(e)}'
})
def check_web_vulnerabilities(self, url):
"""
Basic web vulnerability checks
"""
try:
# Check for common web vulnerabilities
response = requests.get(url, timeout=10)
headers = response.headers
# Check security headers
security_headers = {
'X-Frame-Options': 'Clickjacking protection missing',
'X-Content-Type-Options': 'MIME type sniffing protection missing',
'X-XSS-Protection': 'XSS protection header missing',
'Strict-Transport-Security': 'HSTS header missing',
'Content-Security-Policy': 'CSP header missing'
}
for header, description in security_headers.items():
if header not in headers:
self.vulnerabilities.append({
'type': 'Web Security',
'severity': 'Medium',
'description': description
})
# Check for server information disclosure
if 'Server' in headers:
server_info = headers['Server']
if any(tech in server_info.lower() for tech in ['apache', 'nginx', 'iis']):
self.vulnerabilities.append({
'type': 'Information Disclosure',
'severity': 'Low',
'description': f'Server information disclosed: {server_info}'
})
# Check for directory listing
dir_test_url = urljoin(url, '/admin/')
dir_response = requests.get(dir_test_url, timeout=5)
if 'Index of' in dir_response.text:
self.vulnerabilities.append({
'type': 'Directory Listing',
'severity': 'Medium',
'description': 'Directory listing enabled on /admin/'
})
except requests.RequestException as e:
print(f"Web vulnerability check failed: {e}")
def check_open_ports(self, host, ports=None):
"""
Check for unnecessary open ports
"""
if ports is None:
ports = [21, 22, 23, 25, 53, 80, 110, 143, 443, 993, 995, 3389, 5432, 3306]
dangerous_ports = {
21: 'FTP - Unencrypted file transfer',
23: 'Telnet - Unencrypted remote access',
25: 'SMTP - Mail server (check for relay)',
3389: 'RDP - Remote desktop (brute force target)'
}
open_ports = []
for port in ports:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
result = sock.connect_ex((host, port))
if result == 0:
open_ports.append(port)
if port in dangerous_ports:
self.vulnerabilities.append({
'type': 'Network Security',
'severity': 'High' if port in [21, 23] else 'Medium',
'description': f'Port {port} open: {dangerous_ports[port]}'
})
sock.close()
except Exception:
pass
return open_ports
def run_scan(self):
"""
Run comprehensive vulnerability scan
"""
print(f"Starting vulnerability scan on {self.target}")
print("=" * 50)
# Parse target
if self.target.startswith('http'):
parsed = urlparse(self.target)
host = parsed.hostname
url = self.target
else:
host = self.target
url = f"http://{self.target}"
# Check open ports
print("Checking for open ports...")
open_ports = self.check_open_ports(host)
print(f"Open ports found: {open_ports}")
# Check SSL if HTTPS is available
if 443 in open_ports:
print("Checking SSL/TLS configuration...")
self.check_ssl_configuration(host)
# Check web vulnerabilities if HTTP/HTTPS is available
if 80 in open_ports or 443 in open_ports:
print("Checking web vulnerabilities...")
self.check_web_vulnerabilities(url)
# Generate report
self.generate_report()
def generate_report(self):
"""
Generate vulnerability report
"""
print("\n" + "=" * 50)
print("VULNERABILITY SCAN REPORT")
print("=" * 50)
if not self.vulnerabilities:
print("No vulnerabilities detected.")
return
# Group by severity
severity_order = ['High', 'Medium', 'Low']
for severity in severity_order:
vuln_list = [v for v in self.vulnerabilities if v['severity'] == severity]
if vuln_list:
print(f"\n{severity.upper()} SEVERITY ({len(vuln_list)} findings):")
print("-" * 30)
for i, vuln in enumerate(vuln_list, 1):
print(f"{i}. Type: {vuln['type']}")
print(f" Description: {vuln['description']}")
print()
print(f"Total vulnerabilities found: {len(self.vulnerabilities)}")
def main():
if len(sys.argv) != 2:
print("Usage: python3 vuln_scanner.py ")
print("Example: python3 vuln_scanner.py example.com")
sys.exit(1)
target = sys.argv[1]
scanner = VulnerabilityScanner(target)
scanner.run_scan()
if __name__ == "__main__":
main()
Best Practices for Vulnerability Assessment
Pre-Assessment
- Define clear scope and objectives
- Obtain proper authorization
- Schedule scans during maintenance windows
- Notify relevant stakeholders
- Prepare rollback procedures
Post-Assessment
- Validate findings to reduce false positives
- Prioritize based on business risk
- Provide clear remediation guidance
- Track remediation progress
- Schedule follow-up scans
Exercise
Vulnerability Assessment Lab
Objective: Perform a vulnerability assessment on a test system.
- Set up a vulnerable application (like DVWA or WebGoat) in a VM
- Run the Python vulnerability scanner script against it
- Use an automated scanner like OpenVAS or Nikto
- Compare the results from different tools
- Create a brief vulnerability report with:
- Executive summary
- Vulnerability findings by severity
- Remediation recommendations
- Risk assessment
Use only systems you own or have explicit permission to test.
Common False Positives
Be Aware of False Positives
- Version-based detection: Scanners may flag software as vulnerable based on version numbers alone
- Context-specific vulnerabilities: Some vulnerabilities may not be exploitable in specific environments
- Compensating controls: Additional security measures may mitigate reported vulnerabilities
- Custom applications: Generic scanners may not understand custom business logic
Lesson 3 of 10