Performing vulnerability assessments is a crucial activity in identifying and addressing security weaknesses within systems, applications, and networks. Various scanning techniques are employed during vulnerability assessments to uncover potential vulnerabilities that could be exploited by attackers. The following is an overview of the most common scanning methods:
1. Vulnerability Scans
- Purpose: Automatically probe systems, applications, and networks to identify known vulnerabilities, misconfigurations, and other weaknesses that may be exploited.
- Functionality: Vulnerability scanners compare the findings against a database of known vulnerabilities and provide reports that can guide remediation efforts.
2. Network Discovery Scanning
- Purpose: Scans a range of IP addresses to discover systems and identify open ports that could be entry points for attackers.
- Techniques:
  - Ping Sweeps: Send ICMP Echo Request packets to a range of IP addresses and listen for responses to identify active systems.
  - Port Scanning: Identifies open ports on discovered systems to determine which services are running and potentially vulnerable.
3. TCP SYN Scanning (Half-Open Scanning)
- Purpose: A stealthy method to determine if a port is open without completing the TCP handshake.
- Method:
  - Sends a packet with the SYN flag set to initiate a connection.
  - If the target responds with a SYN-ACK, the port is open. The scanner does not send the final ACK of the handshake, so the connection is never fully established and the listening service never records a full connection log entry.
- Use Case: Useful for scanning when stealth is desired, as it minimizes the chance of detection.
4. TCP Connect Scanning
- Purpose: Establishes a full TCP connection to check if a port is open.
- Method:
  - Initiates a full three-way handshake with the target system, opening a complete connection on the specified port.
- Use Case: Used when the scanning user does not have sufficient privileges to perform half-open scans. This scan is more likely to be logged by the target system.
5. TCP ACK Scanning
- Purpose: Determines whether ports are filtered or unfiltered by a firewall.
- Method:
  - Sends packets with only the ACK flag set, which makes the packet look like part of an ongoing connection.
  - The response indicates whether the port is filtered or unfiltered: an RST reply means the packet reached the host (unfiltered), while no reply or an ICMP unreachable message means a firewall dropped it (filtered). This scan does not tell whether an unfiltered port is open or closed.
- Use Case: Used to map out firewall rules and determine the presence of stateful inspection.
6. Xmas Scanning
- Purpose: A stealthy scan method used to identify open ports by sending unusual packets.
- Method:
  - Sends a packet with the FIN, PSH, and URG flags set, an unusual combination whose response (or lack of one) can reveal port state on some systems.
- Use Case: Called "Xmas" scanning because the packet is "lit up" like a Christmas tree. It is used to detect open or closed ports in a way that might bypass some firewalls or packet filters.
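The SYN, ACK, and Xmas scans above are each defined by a distinctive TCP flag combination, which is also how a defender spots them. The following is an added example, not part of the original notes, that classifies packet records by those flag combinations and reports sources that sweep many distinct ports; the record format and the sample traffic are constructed for the example.

```python
# Added example: classify TCP probes by the flag combinations described above
# and report sources that sweep many distinct ports (a port-scan heuristic).
from collections import defaultdict
from typing import Optional

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> Optional[str]:
    """Map a TCP flag byte to the scan type it resembles, or None."""
    if flags == FIN | PSH | URG:
        return "xmas"   # FIN+PSH+URG and nothing else: Xmas probe
    if flags == SYN:
        return "syn"    # bare SYN: first packet of a half-open or connect scan
    if flags == ACK:
        return "ack"    # bare ACK: firewall-mapping probe (also seen in normal flows)
    return None         # SYN-ACK, PSH-ACK data, FIN-ACK teardown, etc.


def detect_port_sweeps(records, threshold=5):
    """records: iterable of (src_ip, dst_ip, dst_port, flags) tuples.
    Returns {(src_ip, scan_type): n} for sources whose probes of one type
    touched at least `threshold` distinct (dst_ip, dst_port) pairs. Bare ACKs
    and single SYNs occur in legitimate traffic, so only sweeps are reported."""
    targets = defaultdict(set)
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind:
            targets[(src, kind)].add((dst, dport))
    return {key: len(t) for key, t in targets.items() if len(t) >= threshold}


# Constructed sample traffic (not a real capture): 10.0.0.5 half-open scans
# six ports, 10.0.0.9 Xmas-probes five ports, 10.0.0.7 is an ordinary client
# completing one full handshake and sending data.
SAMPLE = (
    [("10.0.0.5", "192.0.2.10", p, SYN) for p in (21, 22, 25, 80, 443, 8080)]
    + [("10.0.0.9", "192.0.2.10", p, FIN | PSH | URG) for p in (22, 23, 80, 110, 143)]
    + [("10.0.0.7", "192.0.2.10", 443, SYN),
       ("192.0.2.10", "10.0.0.7", 443, SYN | ACK),
       ("10.0.0.7", "192.0.2.10", 443, ACK),
       ("10.0.0.7", "192.0.2.10", 443, PSH | ACK)]
)

if __name__ == "__main__":
    for (src, kind), n in detect_port_sweeps(SAMPLE).items():
        print(f"{src}: {kind} probes against {n} distinct ports")
```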
7. Passive Scanning
- Purpose: Monitors network traffic to identify rogue devices or unauthorized activities without actively probing the network.
- Method:
  - Listens for wireless signals or monitors network traffic passively to detect unauthorized devices or suspicious activities.
- Use Case: Effective for detecting rogue devices and unauthorized connections without alerting potential attackers.
8. Bluetooth Scans
- Purpose: Detects and assesses the security of Bluetooth-enabled devices.
- Types:
  - Active Scanning: Tests the strength of PINs, security modes, and other configurations by interacting with the Bluetooth devices.
  - Passive Scanning: Observes active connections and device broadcasts without direct interaction.
- Challenges: Time-consuming due to the large number of personal devices that may be present.
9. Authenticated Scans
- Purpose: Perform more thorough scans by using credentials to access system configuration files and settings.
- Method:
  - Uses a read-only account to gain access to system configurations, allowing the scanner to assess vulnerabilities that are not visible to unauthenticated scans.
- Use Case: Provides a more accurate view of the system’s security posture by revealing vulnerabilities that require authentication to detect.
Summary
- Vulnerability Scans: Automatically identify weaknesses across systems and networks.
- Network Discovery Scanning: Discovers systems and open ports, using techniques like TCP SYN, TCP Connect, and Xmas scanning.
- Passive Scanning: Monitors network activity to detect rogue devices and unauthorized activities without active probing.
- Bluetooth Scans: Assess the security of Bluetooth-enabled devices, both actively and passively.
- Authenticated Scans: Utilize credentials to perform more thorough assessments, accessing configuration files that might not be visible in unauthenticated scans.
These scanning techniques provide comprehensive coverage of potential vulnerabilities, helping security teams identify and mitigate risks before they can be exploited by attackers.