Posted on Leave a comment

Vulnerability scoring for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you studied what is a vulnerability and different types of vulnerability scanning. In this blogpost, you will learn how is vulnerability scoring given and how are vulnerabilities scored.

What is vulnerability scoring?

Every time a vulnerability is identified or detected, its severity is needs to be estimated to understand the impact of this vulnerability after it is exploited. Based on this severity, a score is given to it.

How is this score given?

To give this scoring, an open framework named Common Vulnerability Scoring System (CVSS) is used. CVSS provides a numerical representation (ranging from 0 to 10) to the security vulnerability.

CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST), which is a USA based nonprofit organization. Members of this organization come from all around the globe. Cybersecurity professionals of any organization use CVSS scores for vulnerability management and remediating them.

How CVSS scoring works?

A CVSS score is assigned to a vulnerability by considering three metrics. They are:

A. Base
B. Temporal and
C. Environmental.

A. CVSS Base Metrics

The base metrics of CVSS represent the characteristics of the vulnerability itself. These characteristics never change with time or any protection put in place by any organization to prevent its exploitation. CVSS base metrics comprise of three sub score elements. They are, 1) Exploitability 2) Scope and 3) Impact.

1. Exploitability

The sub-score exploitability is made up of four sub-components.

i). Attack Vector:

The score of attack vector is based on the level of access that is required to exploit the vulnerability. If the vulnerability can be exploited remotely, the score is higher and if local access is required to exploit the vulnerability, the score is lower. For example, ms08-67 has higher score than malicious USB attack.

ii). Attack Complexity:

This score depends on the additional work that has to be put by attacker to exploit the vulnerability. For example, exploiting EternalBlue does not need any additional work by attacker whereas to performing a Man-In middle attack requires additional work from the attacker. Usually, the additional work the attacker puts depends on factors which are out of control of the attacker.

iii). Privileges required:

This score depends on the privileges required to exploit the particular vulnerability. If the exploitation doesn’t need any credentials or privileges, its score is high and if he needs privileges or authentication, the score is low. For example, Spring4shell vulnerability has higher score then Dirtypipe vulnerability

iv). User Interaction:

This score depends on the level of user interaction needed to exploit the vulnerability. If the attacker can exploit a vulnerability without user interaction, the score is high whereas if attacker needs user interaction the score is low. For example, Heartbleed has higher score than ms14-100, Follina or Macro attack.

2. Scope

The second base metric of CVSS is “Scope” which relates to the reach of the vulnerability. In simple words, when a vulnerability in a component is exploited, does it affect other components? If exploitation of vulnerability in one component affects the operating system or a database, the CVSS score is higher and in the opposite case, it is lower. For example, SQL injection has higher score than Cross Site scripting.

3. Impact

Impact is the actual affect that occurs when a vulnerability is exploited. The sub metric “Impact” has three sub-components. They are: Confidentiality, Integrity and Availability.

i). Confidentiality:

This score depends on the amount of data the attacker gains access to after exploiting the vulnerability. The score is higher if all the data on the exploited system is accessed by attacker and lower if little to no data is accessed.

ii). Integrity:

This score depends on the ability of attacker to make changes on the system by exploiting a particular vulnerability. If the attacker can completely alter the exploited system, this score is high and if he can make few or no changes at all, this score is low.

iii). Availability:

This score depends on the availability of the system to authorized users after being exploited. If a system is not accessible to authorized users after exploitation, the score is high.

B. CVSS Temporal Metrics

The meaning of English word “Temporal” is temporary or constantly changing. Similarly, the CVSS temporal metrics of a vulnerability constantly change.

When a vulnerability is just disclosed, the chances of some one exploiting it are there but a little low. When a Proof-Of-Concept (POC) exploit is released, the chances increase, sometimes exponentially, As the POC exploit is further improved, the chances increase more. As patches and fixes are released, the exploitation attempts fall. As you can see the exploitation of a vulnerability constantly changing with time. CVSS Temporal metrics have three sub-components. They are, Exploit code maturity, Remediation level and Report Confidence.

1. Exploit code maturity

As the code of the exploit of the vulnerability becomes more stable and widely available, this score will increase.

2. Remediation Level

This score is more when the vulnerability is discovered, but as fixes and patches are applied this score keeps decreasing. If the vulnerability is fixed completely, this score decreases further.

3. Report confidence

This sub metric measures the level of validation that demonstrates that a vulnerability is valid and can be exploited by attackers.

C. CVSS Environmental Metrics

Environmental metrics of CVSS are used to allow an organization to modify the base CVSS score based on security Requirements and modification of Base metrics.

1. Security requirements

Security Requirements are used to characterize the asset in which a vulnerability is reported. For example, a vulnerability affecting the database server gets higher score that a vulnerability in a software being used on one of the workstations by an employee of the organization.

2. Modified Base Metrics

An organization or company changes the values of the Base CVSS metrics after putting some fixes, mitigations or patches. For example, we have discussed some vulnerabilities above which can be exploited remotely. If the system having that vulnerability is disconnected from the internet, the score can be decreased.

That’s how vulnerability scoring is assigned to vulnerabilities.

Posted on

Vulnerability scanning for beginners

Hello aspiring Ethical Hackers. In this blogpost, you will learn about vulnerability scanning. Before you learn what a vulnerability scan is, you need to know what a vulnerability is? A vulnerability is a weakness, flaw, error or a misconfiguration in a software or network that allows hackers to gain unauthorized access to the organization by exploiting it.

What is vulnerability scanning?

Now that you have understood what is a vulnerability, let’s see what is scanning. Vulnerability scanning is the process of identifying the security vulnerabilities in a software or a network of the organization. Vulnerability scanning is usually performed to protect the organization from hackers although it is also performed by hackers to gain access to the organization.

Types of vulnerability scans

Vulnerability scanning can be categorized into different types. They are,

  1. External Vulnerability Scan
  2. Internal vulnerability scan
  3. Environmental scans
  4. Intrusive Scans
  5. Non-Intrusive scan.
  6. Credentialed scan
  7. Non-credentialed scan

1. External vulnerability scan:

In an external vulnerability scan, the external facing resources of an organization are scanned. These include, websites, systems, ports and services.

2. Internal vulnerability scan:

In this type of scan, the vulnerability scan is performed on the internal network of the organization or on resources to which the users or employees of the organization have access to. This scan is performed to get information about the vulnerabilities which employees or malware which gained access to the network can exploit.

3. Environmental scan:

Environmental vulnerability scans are performed based on the target environment. For example, target environment can be cloud based, IOT, mobile devise, websites etc.

Vulnerability scans can also be classified as either Intrusive or Non-Intrusive.

4. Non- Intrusive scan:

In a non-intrusive vulnerability scan, vulnerabilities are just identified and reported.

5. Intrusive scan:

In an intrusive vulnerability scan, vulnerability is not just identified but also exploited.

Apart from these categorizations, vulnerability scan is also classified as credentialed scans and non-credentialed scans.

6. Credentialed scan:

Also known as authenticated scan, this vulnerability scan in performed using a set of credentials. This type of scan gives the trusted users view of the organization.

7. Non-credentialed scan:

Also known as non-authenticated scan, this vulnerability scan gives the external user’s view of the network or revenue of organization.

Uses of vulnerability scans

Vulnerability scanning can help cyber security personnel of the organization to get an idea about the vulnerabilities in the organization beforehand and to prevent them from being exploited by attackers. As hackers also perform vulnerability scans, vulnerability scanning gives an idea to the organization as to what hackers can see.

How are vulnerability scans performed?

Vulnerability scans can be performed manually or using tools (vulnerability scanner). See how to perform vulnerability scanning with Nikto and Nessus.

Vulnerability scan vs Vulnerability assessment

In vulnerability scanning, vulnerabilities are scanned and reported whereas in vulnerability assessment, apart from identifying vulnerabilities the impact of the vulnerabilities when exploited is also assessed. Learn more about vulnerability assessment.

Posted on

LDAP enumeration for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you learnt what is enumeration, why it is important in pen testing and what are the various types of enumeration. In this blogpost, you will learn about LDAP enumeration.

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is a protocol that enables users to locate data about the organization, users and other resources like files and devices in a network. LDAP is also used as a central server for authentication. LDAP runs on port 389. Learn how LDAP works.

What information does LDAP enumeration reveal?

By enumerating LDAP, attackers can gather important information like valid usernames, addresses and other data about organization that can help as the hack progresses.

How to perform LDAP enumeration?

There are many tools that can be used to enumerate LDAP. For this article, let’s see how to perform it using a Nmap script. The script we use is “ldap and not brute”.

Posted on

SNMP enumeration for beginners

Hello aspiring Ethical Hackers. In our previous blogpost, you learnt what is enumeration, why it is important and various types of enumeration. In this blogpost, you will learn about SNMP enumeration.

What is SNMP?

SNMP stands for Simple Network Management Protocol. It is a protocol that is used to monitor devices in the network. These devices include routers, switches, bridges, computers and printers etc. This protocol really helpful for organizations with thousands of devices in is network. Learn more about how SNMP works. SNMP contains 3 main components. They are SNMP manager, SNMP agent and Management Information Base (MIB). SNMP runs on UDP ports 161,162.

What information does SNMP enumeration reveal?

SNMP enumeration can reveal information about all the devices on the target network and user accounts on the target system with SNMP server running. Apart from this, SNMP enumeration reveals information about hosts, routers, network information, network interfaces, active TCP and UDP ports on the target system, services running on the network and network shares etc.

How to perform SNMP enumeration?

Simple Network Management Protocol (SNMP) consists of a manager and an agent. Agents are embedded on each and every network device and the manager is installed on a separate computer. SNMP consists of two passwords that are used to access and configure the SNMP agents from the management station. They are, Read community string, Read/write community string.

  1. Read community string: By default Public, it allows attackers to view device/system configuration.
  2. Read/write: It is private by default and allows remote editing of configuration.

Tools use these default community strings to extract information about the target. There are many tools that can be used to perform SNMP enumeration. Let’s see one of them.

1. snmp-check

SNMP-check is a tool that is installed by default in Kali Linux. Here’s how we can enumerate the default community string of “public” of SNMP.

Here are the user accounts on the target system.

Here the network information is revealed.

We can see that the target is a Dual-homed system.

Here are the active TCP and UDP ports.

It also reveals other system information about the target.

You can see that SNMP enumeration reveals a lot of information about the target system and network which can prove very helpful as the hack progresses.

Posted on

NetBIOS enumeration for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you learnt what is Enumeration, what are its uses, why it is used and types of enumeration. In this blogpost, you will learn about NetBIOS enumeration.

What is NetBIOS service?

NetBIOS stands for Network Basic Input/Output System. It is used to allow applications and programs on separate computers to communicate with each other and establish sessions. This can be used to access shared resources.

NetBIOS can be used to provide three distinct services. They are NetBIOS Name Service, (NetBIOS-NS), NetBIOS Datagram distribution services (NetBIOS-DGM) and NetBIOS Session service (NetBIOS-SSN). These services run on ports 137,138 and 139 respectively.

What information does NetBIOS enumeration reveal?

It can provide information such as list of computers belonging to a particular domain, list of shares on target systems and sometimes even policies and passwords etc.

How to perform NetBIOS enumeration?

There are many tools that can be used to perform NetBIOS enumeration. Let’s see some of them.

1. nmblookup

The nmblookup command in Linux allows users to query NetBIOS names and maps them to IP addresses in a network using NetBIOS over TCP/IP queries.


2. NBTscan

NBTscan is a program that is used to scan IP networks for NetBIOS name information. It works by sending a NetBIOS status query to target system and lists received information in human readable form.