Info Security Memo
Info Security Notes

New Advanced Features from Unimus - Network Automation Config Backup Change Mgmt Tool

6/15/2025


CyberArk P-Cloud (CyberArk Privilege Cloud) Identity Deployment

6/12/2025


This post summarizes the steps to deploy your P-Cloud.


Other posts:
  • CyberArk P-Cloud (CyberArk Privilege Cloud) Introduction and Basic Knowledge

Privilege Cloud Interface

Once you have subscribed to P-Cloud, you will receive an activation email to activate your account.
Your account name will look like cludadminjnetsec@cyberark.cloud.1234
Your email address will be used as the MFA factor to authenticate your access to your P-Cloud environment.
P-Cloud URL: https://<company name>.cyberark.cloud

After logging in, it will look like this:


Connector Server 



1 CyberArk Identity Connector Service

Creates a secure WebSocket tunnel between the Identity tenant and the on-premises LDAPS system

LDAPS, RADIUS

2 CyberArk Password Manager

All password management and rotation capabilities

3 CyberArk Privileged Session Manager


4 CyberArk Privilege Cloud Secure tunnel Service

SIEM and HTML5 Gateway integration

5 Install Identity Connector



6 From Connector Management, generate script to install Connector Management Agent


Once you have successfully run the script, you will be able to deploy CPM and PSM to the connector servers through the Connector Management agent.


7 Applying the hardening GPO

Local security policies are configured during installation.

One unified domain GPO (for CPM and PSM) must be applied at domain level. 



8 Enabling MFA

a. Authentication Profile

b. MFA policy





The Vault and Its Clients




Pre-implementation

 1 Server Sizing

  • Separate CPM and PSM if needed
    • PSM and CPM will have different size requirements 
      • PSM (1-10, 11-50, 51-100) sessions
      • CPM (<1000, 1000-20000,20000-100000, 100000+ ) managed passwords



2 Minimum Server requirements
  • 8 Cores, 8GB RAM
  • Windows Server 2016 or 2019
  • Domain Joined (for full PSM features)
  • All connector servers need to be deployed into an OU that has GPO inheritance disabled


3 Design Considerations for Architecture
  • Components: PSM, CPM, Identity Connector (2 for resilience), Secure Tunnel (2)
  • PSM best practice for HA
  • CPM Active/DR best practice
  • AAM - separate VM
  • PSM for Unix - separate



4  LDAP Requirements
  • Domain joined
  • LDAPS
  • Read permissions on the Deleted Objects container
    • Domain admin
    • Delegate read permissions to a service account
    • https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/CoreServices/Connector/Add-AD.htm?tocpath=Setup%7CAdd%20Users%7CAdd%20users%20from%20an%20external%20directory%20service%7C_____1#Userandpermissionrequirements

5  RDS
  • RDS license server
  • RDS CAL on your connector server
    • Windows 2019 Per-User CAL if the Connector Server OS is 2019
    • Per-device CAL
  • RDS should not be installed prior to the implementation

6  Firewall


7  Verify Prerequisites
  • Troubleshooting flag
  • Script to validate required network traffic and local settings: https://cyberark-customers.force.com/s/article/Privilege-Cloud-How-to-run-the-PSMCheck
  • Privilege Cloud Checklist: https://cyberark-customers.force.com/s/article/Privilege-Cloud-Remote-Access-PreImplementation-Checklist
  • Remote Access for Privilege Cloud: https://cyberark-customers.force.com/s/article/Privilege-Cloud-PreImplementation-Checklist


Identity Connector Installation

 CyberArk Identity Connector


  • installeruser
    • Reset the password; the new password will expire after 24 hours
    • No MFA



Connector Management


Install Connector to a new Connector server

To deploy a new connector, you first generate the installation script and then run it on the connector host machine.

To perform the following steps, your user must be assigned to the System Administrator role in Identity Administration.

  1. Sign in to the CyberArk Identity Security Platform Shared Services using the link provided in the CyberArk email.

  2. Click the service picker, and select Connector Management.

  3. On the Connectors page, click Add a connector.

  4. In the Add connector wizard, on the Define installation details tab, define the following details for the Management Agent on the host machine:



  1. Click Next.

  2. In the Copy installation script tab, review the connector settings you defined:

Click Copy script to later copy it to the connector host machine.

The script is available for 5 minutes.

Optionally:

  • Click Renew to renew the script availability for an additional 5 minutes

  • Click Preview to view the script format

Click Close.

https://docs.cyberark.com/ConnectorManagement/Latest/en/Content/Setup/CM_AddConnector.htm?tocpath=Setup%7C_____2#Addaconnector1

Upgrade CPM and Other Components

As of Jan 2024, PSM still cannot be upgraded from the Connector Management page.


Connector shows components details



Upgrade Components page

You will need your [email protected] credential to proceed. Reset the installeruser password first, since it expires 24 hours after it is reset.



CyberArk Related Services on Connector Server

1. CPM Scanner
2. Identity Connector
3. Management Agent
4. CPM
5. Cloud Secure Tunnel
6. PSM


  • Upgrade CyberArk PAM Components (Connector Manager, Secure Tunnel, CPM & PSM) for Privilege Cloud (CPM Failover)


External IDP Configuration (ADFS)

ADFS Windows Server Configuration:

AD FS Management Certifications:

1. Service Communications
2. Token-decryption
3. Token-signing


Access Control Policies

Relying Party Trusts

CyberArk_Priv_Cloud Configuration:








CyberArk Identity Administration:

Settings - Users - External Identity Providers









Configure Identity Services


Using "CyberArk Service Users - No MFA" as an example:

Create Users



Create / Modify Role - Add Members





Create Policies


Choose the Authentication Policy you will use for CyberArk Identity

Authentication Profile: Configured as only Password.

To look into all authentication profiles, you can check the page at Settings - Authentication:




For most users, the policy that applies is the Default Policy, as shown below:

The Default Policy under Core Services - Policies uses the Default Other Login Profile, which uses 2FA for authentication.





CyberArk Useful Links


  • Main CyberArk Site
  • CyberArk Support Portal
  • CyberArk Secure File Exchange (SFE) Support Vault
  • UNOFFICIAL CyberArk REST API v9.8 Live Documentation (Postman)
  • CyberArk REST API on GitHub.io
  • RegEx101 - for configuring AllowedSafes++
  • CyberArk Official YouTube





Via https://blog.51sec.org/2023/06/cyberark-p-cloud-cyberark-privilege.html

Latest Unimus Installation with Free MS SQL DB and New Features Introduction

6/6/2025


[Free VPS] Create a Free Tier Windows/Linux Azure VPS VM

6/5/2025

The Azure free tier provides the following free services for 12 months, on top of the $200 credit for your first month:
  • 750 hours B1S VM Windows Virtual machines
  • 750 hours B1S VM Linux Virtual machines
  • 64GB x 2 Storage - 2 P6 SSDs
  • 5 GB File Storage
  • 250 GB SQL DB
  • 15 GB Bandwidth (Data Transfer)
  • etc 

Basically, you can run two virtual machines (one Windows, one Linux) free for a year. If you have a student subscription, this free tier remains valid even after one year, once your subscription is renewed: your two free VMs will stay on the free tier. There are quite a few tricks that might drop you into Microsoft Azure's trap and cause a charge. Read this post thoroughly and you will avoid that kind of charge trap.

Other free Azure resources to apply for:
  • Student benefits - $100 / year
  • Developer program - a free Microsoft 365 E5 developer subscription, auto-renewed with qualifying development activities
  • Visual Studio subscriber benefit - a Microsoft 365 E5 developer subscription that renews automatically for the lifetime of the subscription.


[Notes] On Sep 30 2025, Basic SKU public IPs will be retired.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance

Get Azure for Free
1. Free Account
   1.1 $200 for the first 30 days
   1.2 12 months of free services
   1.3 Always-free services (55+)
2. Student Account
   2.1 $100 / year
   2.2 Free account's free services
   2.3 Always-free services
3. Developer Account
   3.1 Credit / year (based on Visual Studio subscription)
   3.2 Free account's free services
   3.3 Always-free services
4. Temporary Azure Sandbox subscription

Create a basic SKU public IP 

[Note] Updated on May 15, 2025
Microsoft is retiring the Basic SKU and no longer allows you to create one (the CLI command below still works). Here is a way to create one for your VM using a Cloud Shell bash command:

az network public-ip create \
       --resource-group free-wi \
       --name pip-basic-free-win1 \
       --location westus2 \
       --sku Basic \
       --allocation-method Dynamic


jon [ ~ ]$ az network public-ip create --resource-group free-wi --name pip-basic-free-win1 --location westus2 --sku Basic --allocation-method Dynamic
It's recommended to create with `--sku standard`. Please be aware that Basic option will be removed in the future.
{
  "publicIp": {
    "etag": "W/\"63bff67a-386a-4925-ba95-63ac0e1e2b33\"",
    "id": "/subscriptions/688fe555-a9ee-4f82-897f-3a91356b2536/resourceGroups/free-wi/providers/Microsoft.Network/publicIPAddresses/pip-basic-free-win1",
    "idleTimeoutInMinutes": 4,
    "ipTags": [],
    "location": "westus2",
    "name": "pip-basic-free-win1",
    "provisioningState": "Succeeded",
    "publicIPAddressVersion": "IPv4",
    "publicIPAllocationMethod": "Dynamic",
    "resourceGroup": "free-wi",
    "resourceGuid": "c30057c8-4760-43d1-aa98-136d07fe51a3",
    "sku": {
      "name": "Basic",
      "tier": "Regional"
    },
    "type": "Microsoft.Network/publicIPAddresses"
  }
}
jon [ ~ ]$

You will need to associate this Basic SKU dynamic public IP with your VM manually.



Free Account Virtual Machine

The easiest way to create a free account virtual machine is from the Microsoft Azure Marketplace:




For Windows Machines

I wanted to test a free tier Windows VM to see if it is really free, and found that if I use a VM with the following options, the free tier does not apply to this VM's storage option. By default, it gives you 128 GB of storage and there is no option to change your disk to a P6 SSD.


You will need to choose 60GB (P6) to be eligible for the free account. If you choose wrong, even a smaller size, you will get some kind of storage charge.

The daily charge comes from storage, since this VM size uses the S10 disk type. The daily charge will be around $0.25. It was not that much, but I really wanted to find out how we can enjoy the free tier services as much as we can.



After some research, I found that it is because of the image selected for this VM. If I use one of the predefined Windows 2012 images, it comes with a 128GB S10 disk.

To avoid that, I have to choose a [smalldisk] image, such as [smalldisk] Windows Server 2012 Datacenter or [smalldisk] Windows Server 2012 R2 Datacenter, as shown in the following screenshot:

Note: Small Disk image will only give you 30GB OS disk from wizard. But you can resize it to 64GB P6 level. 

After that, in the Disks window, you will have disk options available to choose a free-account-eligible P6 disk.


[Updated on April 2022] The method is still working, but the interface is different. 

If you want everything to be fully covered by the Azure free quota, there are mainly three pitfalls:
  • Availability option: you must choose no infrastructure redundancy; otherwise you cannot use a Basic SKU dynamic IP, and the dynamic IP quota Microsoft gives you goes unused.
  • Windows image: it must be marked smalldisk; otherwise the OS disk is larger than the P6 SSD and cannot be shrunk back.
  • Instance and disk type: the instance must be B1s, and the disk must be a Premium SSD (P6 64GB), not a standard SSD or HDD.

Here are some screenshots when you are trying to find out "Small Disk" image from Marketplace's Windows Server image:


Again, the small disk image will give you only a 30G P4 disk for your VPS VM.


You will have to stop the VM and go to the disk page to resize it from P4 32GB to P6 64GB for free tier usage.





For Linux Machines

It should be very straightforward. The only thing you need to pay attention to is the disk size. You will need to choose the 64GB P6 free-account-eligible disk (64GB Premium SSD, locally-redundant storage). By default, it will give you a 30GB disk.



If you missed that, you can still change it after you stop the Linux VM.
1) After you have created your Linux VM with the right size (B1S), you will need to stop it before you can resize the disk.

2) After the Linux VM has stopped, choose Disks from the right column.

3) After finding your Linux disk, choose Configuration. You will find the option to choose your disk type and size. Change the size from 30 to 64. After entering 64, you will find that both the IOPS and throughput limits change to better values.

4) After making the disk size change, go back to the virtual machine page to start your Linux VM.


Public IP Address - Create New & Choose Dynamic One

Microsoft Azure will charge you if you are using a static Public IP address. 

[Updated on April 2022]
By default, Microsoft Azure will allocate you a static public IP address.

If you would like a dynamic public IP, you will have to go through the Create IP option to get a Basic SKU dynamic IP.


If you missed this step, you will have to stop your VM, disassociate and delete the static public IP, then create a new dynamic one and re-associate it with your VM.
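The three pitfalls from the Windows section and the stop/resize and dynamic-IP steps above, collected into one script as an added example (not code from the original post). It assumes the resource group name used in the post, a VM name, an admin user name and the Windows Server 2019 "smalldisk" marketplace image SKU; replace them with your own before running without DRY_RUN.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Creates a Windows VM with the
# free-tier-eligible settings described above (B1s, 64 GB Premium_LRS = P6 OS disk,
# smalldisk image, Basic SKU dynamic public IP, no availability set or zone) and
# refuses to run when any of the three pitfalls is present. Resource group,
# VM name, admin user and the image SKU are assumptions; adjust to your tenant.
set -eu

RG="${RG:-free-wi}"                 # resource group name used in the post
VM_NAME="${VM_NAME:-free-win1}"     # assumed VM name
LOCATION="${LOCATION:-westus2}"
ADMIN_USER="${ADMIN_USER:-azureuser}"
VM_SIZE="${VM_SIZE:-Standard_B1s}"
OS_DISK_GB="${OS_DISK_GB:-64}"      # 33-64 GB lands in the P6 tier
DISK_SKU="${DISK_SKU:-Premium_LRS}" # Premium SSD, locally redundant
IP_SKU="${IP_SKU:-Basic}"
IP_ALLOC="${IP_ALLOC:-dynamic}"
# Assumed marketplace image: the "smalldisk" SKU of Windows Server 2019.
IMAGE="${IMAGE:-MicrosoftWindowsServer:WindowsServer:2019-datacenter-smalldisk:latest}"

# run CMD...: execute, or just print the command when DRY_RUN=1 (handy for
# review before anything is billed; note the dry run echoes the admin password).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# free_tier_check SIZE DISK_GB DISK_SKU IP_SKU IP_ALLOC IMAGE
# Returns 0 when every setting satisfies the free-tier conditions from the post,
# otherwise prints the first violation and returns 1.
free_tier_check() {
  local size="$1" disk_gb="$2" disk_sku="$3" ip_sku="$4" ip_alloc="$5" image="$6"
  [ "$size" = "Standard_B1s" ] \
    || { echo "VM size must be Standard_B1s, got $size"; return 1; }
  # P4 is 32 GB and still billed; anything from 33 to 64 GB is the free P6 tier.
  { [ "$disk_gb" -gt 32 ] && [ "$disk_gb" -le 64 ]; } 2>/dev/null \
    || { echo "OS disk must be 33-64 GB (P6), got $disk_gb"; return 1; }
  [ "$disk_sku" = "Premium_LRS" ] \
    || { echo "OS disk must be Premium_LRS (Premium SSD), got $disk_sku"; return 1; }
  [ "$ip_sku" = "Basic" ] \
    || { echo "public IP SKU must be Basic, got $ip_sku"; return 1; }
  [ "$ip_alloc" = "dynamic" ] \
    || { echo "public IP allocation must be dynamic, got $ip_alloc"; return 1; }
  case "$image" in
    *WindowsServer*[sS]malldisk*) ;;   # Windows: smalldisk SKU, 30 GB OS disk
    *WindowsServer*) echo "Windows image must be a [smalldisk] SKU, got $image"; return 1 ;;
    *) ;;                               # Linux images: only the disk size matters
  esac
  return 0
}

# Create the VM. No --availability-set or --zone is passed: that is the
# "no infrastructure redundancy" option the Basic dynamic IP depends on.
create_free_tier_vm() {
  free_tier_check "$VM_SIZE" "$OS_DISK_GB" "$DISK_SKU" "$IP_SKU" "$IP_ALLOC" "$IMAGE" || return 1
  [ -n "${ADMIN_PASSWORD:-}" ] || { echo "export ADMIN_PASSWORD first"; return 1; }
  run az vm create --resource-group "$RG" --name "$VM_NAME" --location "$LOCATION" \
    --image "$IMAGE" --size "$VM_SIZE" \
    --os-disk-size-gb "$OS_DISK_GB" --storage-sku "$DISK_SKU" \
    --public-ip-sku "$IP_SKU" --public-ip-address-allocation "$IP_ALLOC" \
    --admin-username "$ADMIN_USER" --admin-password "$ADMIN_PASSWORD"
}

# Fix for a VM that already exists with a 30 GB (P4) OS disk: deallocate, grow the
# disk to 64 GB Premium (P6), start again. 'az vm stop' alone keeps the compute
# allocated and billed, which is why deallocate is used here.
resize_os_disk_to_p6() {
  local disk_name="$1"   # OS disk name, e.g. from: az vm show -g RG -n VM --query storageProfile.osDisk.name -o tsv
  run az vm deallocate --resource-group "$RG" --name "$VM_NAME"
  run az disk update --resource-group "$RG" --name "$disk_name" --size-gb 64 --sku Premium_LRS
  run az vm start --resource-group "$RG" --name "$VM_NAME"
}

case "${1:-}" in
  create) create_free_tier_vm ;;
  resize) resize_os_disk_to_p6 "${2:?OS disk name}" ;;
  *) ;;   # sourced or run without a verb: only define the functions
esac
```

Run with `DRY_RUN=1 ADMIN_PASSWORD=... ./free-tier-vm.sh create` first to see the exact az command, then without DRY_RUN in Cloud Shell.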

Increase Virtual Memory

Ideally, your paging file size should be at least 1.5 times your physical memory and at most 4 times the physical memory to ensure system stability. For example, say your system has 8 GB RAM. You can calculate your minimum paging file size with this equation: 8 GB x 1.5, and your maximum paging file size with this one: 8 GB x 4. The totals would be 12 GB and 32 GB respectively.

By default, the paging file is system managed, using the temporary storage drive D, which has 4GB.
Once the VM is up, it will only use 512MB on the D drive. That is actually too small for running other applications.

To maximize performance, you might want to increase the initial size to 2048 and the maximum size to 3072. The reason the maximum size is not set to the drive's full size, as shown in the following screenshot, is to leave some space available for other temporary files or folders. With this setup, we still keep 1GB for those temporary system files on the D drive.


“\Paging File\% Usage” displays the percentage of the paging file that is currently in use. A paging file is a hidden, optional system storage file on a hard disk. The paging file extends the RAM’s capacity because it stores RAM data that has not been used or accessed lately. Operations that exceed the limited RAM space are automatically sent to the file to be stored if you have the paging file enabled.

If your counter shows that your paging file has reached or is nearing 100% current usage, then your system and applications will not be able to function properly. You want your paging file to be large enough that, at any given time, only 50% to 75% of it is being used at most.   

 

One of these three solutions should resolve your paging file problems:

1. Identify and address which applications/services are using most of the server's memory.

2. Add more memory.

3. Increase your paging file size.



Others



  • A machine created from Cloud Shell with a command and no other parameters defaults to the D series with two disks, neither of which is free.
  • Stopping a machine from Cloud Shell is still billed, because the allocated resources are retained. You must deallocate it.


Microsoft Partner Benefits

[2025-06-02] Microsoft Partner Launch Benefits

https://partner.microsoft.com/dashboard/v2/membership/offers
Lowest partner membership cost: CA$468.00 + applicable taxes

Partner Success Core: CA $1214.40

Partner Success Expanded: CA $5420.40

Solutions Partner designation: CA $6417.60 


Benefits:


Videos





Updated video on Apr 2022





Via https://blog.51sec.org/2019/03/create-free-tier-windows-virtual.html

[Privacy] Four Steps to Achieve your Effective Data Privacy Program

6/5/2025


With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage for both IT and the business. 

This leaves leaders questioning what exactly privacy involves and how to make it scalable for their respective organization. As a facet of the business that is traditionally left to the discretion of a legal team or professional(s), this new realm of privacy and data protection is shrouded in grey area.

But what if privacy is a little more “black and white” than what previous thought frameworks may have dictated? By taking a quantitative vs. qualitative approach to privacy management, business and IT leaders can remove some of the ambiguity around what privacy controls need to be in place and how to balance privacy integration with current business operations.

As the general public begins to take back control over data privacy so too should organizations, by taking a tactical, measurable approach to privacy and the business. 




Four Steps to Achieve your Effective Data Privacy Program


Privacy vs. Security

A common assumption is that security and privacy are one and the same. Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including the loss of customer trust and potential regulatory consequences. As a result, we often think of how we use security to protect data.

But that is not equivalent to privacy …

Privacy must be thought of as a separate function. While there will always be ties to security in the ways it protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.



Privacy: Personal Data

When building a privacy program, focus on all personal data, whether it is publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. Conversely, an effective privacy program also enables access to information based on regulatory guidance and appropriate measures.

See examples of personal data in the below charts: 


Data Controller vs Data Processor

A data controller determines the purposes and means of the processing of personal data.
A processor engages in personal data processing on behalf of the controller.
Processing involves any operation (or set) performed on personal data (such as, but not limited to, collection, structuring, storage, use or disclosure).

Data Controller: Defines Purpose and Means:
  • The data controller determines the reasons for processing personal data and the methods used to do so. 
  • Responsible for Compliance:
    They are primarily responsible for ensuring compliance with data protection laws, including those related to data subject rights.
  • Examples:
    A company collecting customer data for marketing, a government agency processing citizen information, or a hospital managing patient records. 

Data Processor: Processes Data on Behalf of Controller:
  • The data processor carries out the processing tasks under the instructions of the data controller. 
  • Examples:
    A third-party email service provider used by a company to send marketing emails, a cloud storage service provider storing data for a company, or a software company providing services that involve data processing. 


| Feature | Data Controller | Data Processor |
|---|---|---|
| Decision-Making | Determines why and how data is processed. | Processes data as instructed by the controller. |
| Responsibility | Primarily responsible for compliance with data protection laws. | Primarily responsible for following the controller's instructions and ensuring the security and privacy of the data while processing it. |
| Control | Exercises control over the data and its processing. | Does not have independent control over the data or its processing; acts under the controller's instructions. |
| Obligations | Generally has more obligations under data protection laws, such as creating privacy policies and responding to data subject requests. | Generally has fewer obligations, but must ensure data is processed securely and in accordance with the controller's instructions and the relevant laws. |


A Quantitative Approach

Use risk and a metrics-based approach against a privacy framework that supports compliance while considering the custom needs of your organization.


1. Collect Privacy Requirements

2. Conduct a Privacy Gap Analysis

Phase Action Items

  • Define and document drivers
  • Establish privacy governance structure
  • Build a privacy RACI chart
  • Define personal data scope
  • Build a risk map
  • Complete the Data Process Mapping Tool
  • Compare compliance and regulatory requirements with gap analysis
  • Assess and categorize privacy gap initiatives

Phase Outcomes

  • Documented business and IT drivers for the privacy program
  • High-level understanding of how privacy is perceived in the organization
  • Completed Data Privacy Program RACI Chart
  • Data Process Mapping Tool detailing all business processes that involve personal data
  • Privacy maturity ranking (Privacy Framework Tool)
  • Identification of compliance or regulatory privacy gaps




3. Build the Privacy Roadmap

4. Implement and Operationalize

Phase Action Items

  • Finalize privacy gap initiatives
  • Prioritize initiatives based on cost, effort, risk, and business value
  • Set firm dates for launch and execution of privacy initiatives
  • Assign ownership for initiatives
  • Establish a set of metrics for the Data Privacy Program
  • Operationalize metrics
  • Set checkpoints to drive continuous improvement

Phase Outcomes

  • Completed Privacy Framework Tool
  • Completed privacy roadmap, including timeline for initiative implementation, and cost/benefit vs. value/risk assessment
  • Customized set of privacy metrics
  • Tasks to operationalize privacy metrics
  • Data Privacy Report document
  • Performance monitoring scheduled checkpoints


Privacy Controls with Metrics

As better privacy becomes the expectation from both B2B customers and end-consumers, expect a subsequent shift towards a strong privacy program as a competitive advantage for many organizations.

Privacy metrics take your program from a static framework to an operational model.

Select privacy metrics that are realistic and relevant for your organization, based on each of the 12 areas outlined as part of privacy control best practices.  

Privacy Control Categories: (from Info-Tech)
  1. Governance
  2. Regulatory Compliance
  3. Data Processing and Handling
  4. Data Subject Requests
  5. Privacy by Design
  6. Notices and Consent
  7. Incident Response
  8. Privacy Risk Assessments
  9. Information Security
  10. Third-Party Management
  11. Awareness and Training
  12. Program Measurement








Privacy Law







 

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is California’s data privacy law that took effect on January 1, 2020.

The CCPA empowers California residents with enforceable rights over the personal information they generate every day online.








GDPR




CCPA vs GDPR vs CPRA

The CPRA is an amendment to the CCPA and is effectively a part of the larger California Consumer Privacy Act. These two regulations are not separate, and should not be handled as such, or ignored in favor of the other. The CPRA grants two more privacy rights to California residents.


| Aspect | CCPA | CPRA |
|---|---|---|
| Consumer Rights | Right to access personal data; right to delete data; right to opt out of the sale of personal data | Enhanced rights from CCPA; right to correct inaccurate personal data; right to limit the use of sensitive personal information (e.g., precise geolocation, race, health data) |
| Business Obligations | Provide clear notices about data collection and use; offer opt-out mechanisms; ensure data security | Builds on CCPA requirements; conduct regular risk assessments; limit data retention periods; implement more stringent data protection measures |
| Enforcement | California Attorney General | California Privacy Protection Agency (CPPA); the Attorney General retains some enforcement authority |
| Operational Dates | Effective January 1, 2020 | Effective December 16, 2020; provisions operative January 1, 2023; enforcement began July 1, 2023 |

Likewise, while the CCPA and the EU's General Data Protection Regulation (GDPR) share many components and have similar purposes, the requirements under each are not the same. Companies must take care to identify their privacy compliance needs and requirements, and then adopt the policies and practices they need to satisfy regulatory obligations. Complying with both the CCPA and GDPR involves more than complying with one or the other.







PIPEDA


PIPEDA Self-Assessment Tool


https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pipeda_sa_tool_200807/



Tools


Scytale: https://scytale.ai/pricing/


OneTrust : https://www.onetrust.com/solutions/ccpa-compliance/


Scrut: https://www.scrut.io/solutions/ccpa


Usercentrics.com



www.osano.com 
Free Cookie Consent 
  • Free: USD 0/month for 1 user, 1 domain, and up to 5,000 visitors/month

Ketch
  • Ketch Free: USD 0


Orrick’s CCPA Readiness Assessment Tool consists of five sections with questions covering the Scope of the CCPA, Notice to California Residents, CCPA California Residents Rights, Vendor Management and Contracting, and additional considerations.







Via https://blog.51sec.org/2025/06/privacy-compliance-ccpa-gdpr-cpra.html

Get Azure Free Tier VMs Easily in 2025 (Multiple Methods)

5/25/2025


CEH13 Lab - Module 05: Vulnerability Analysis

5/20/2025


Scenario

Earlier, all possible information about a target system, such as system name, OS details, shared network resources, policy and password details, and users and user groups, was gathered.

Now, as an ethical hacker or penetration tester (hereafter, pen tester), your next step is to perform vulnerability research and a vulnerability assessment on the target system or network. Ethical hackers or pen testers need to conduct intense research with the help of information acquired in the footprinting and scanning phases to discover vulnerabilities.

Vulnerability assessments scan networks for known security weaknesses: they recognize, measure, and classify security vulnerabilities in a computer system, network, and communication channel, and evaluate the target systems for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Additionally, they assist security professionals in securing the network by determining security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.

The information gleaned from a vulnerability assessment helps you to identify weaknesses that could be exploited and predict the effectiveness of additional security measures in protecting information resources from attack.

The labs in this module will give you real-time experience in collecting information regarding underlying vulnerabilities in the target system using various online sources and vulnerability assessment tools.



 

Objective

The objective of this lab is to extract information about the target system that includes, but is not limited to:

  • Network vulnerabilities
  • IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports and services that are listening
  • Application and services configuration errors/vulnerabilities
  • The OS version running on computers or devices
  • Applications installed on computers
  • Accounts with weak passwords
  • Files and folders with weak permissions
  • Default services and applications that may have to be uninstalled
  • Mistakes in the security configuration of common applications
  • Computers exposed to known or publicly reported vulnerabilities

Overview of Vulnerability Assessment

A vulnerability refers to a weakness in the design or implementation of a system that can be exploited to compromise the security of the system. It is frequently a security loophole that enables an attacker to enter the system by bypassing user authentication. There are generally two main causes of vulnerable systems in a network: software or hardware misconfiguration and poor programming practices. Attackers exploit these vulnerabilities to perform various types of attacks on organizational resources.

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to collect information about the underlying vulnerability in a target system or network. Recommended labs that will assist you in learning various vulnerability assessment techniques include:

  1. Perform vulnerability research with vulnerability scoring systems and databases
    • Perform vulnerability research in Common Weakness Enumeration (CWE)
  2. Perform vulnerability assessment using various vulnerability assessment tools
    • Perform vulnerability analysis using OpenVAS
  3. Perform vulnerability analysis using AI
    • Perform vulnerability analysis using ShellGPT

Lab 1: Perform Vulnerability Research with Vulnerability Scoring Systems and Databases

Lab Scenario

As a professional ethical hacker or pen tester, your first step is to search for vulnerabilities in the target system or network using vulnerability scoring systems and databases. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that could be exploited. Using this information, you can use various tricks and techniques to launch attacks on the target system.

Lab Objectives

  • Perform vulnerability research in Common Weakness Enumeration (CWE)

Overview of Vulnerabilities in Vulnerability Scoring Systems and Databases

Vulnerability databases collect and maintain information about various vulnerabilities present in the information systems.

The following are some of the vulnerability scoring systems and databases:

  • Common Weakness Enumeration (CWE)
  • Common Vulnerabilities and Exposures (CVE)
  • National Vulnerability Database (NVD)


Task 1: Perform Vulnerability Research in Common Weakness Enumeration (CWE)

Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and weaknesses. It has numerous categories of weaknesses, which means that CWE can be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts. Further, CWE has an advanced search technique with which you can search and view the weaknesses based on research concepts, development concepts, and architectural concepts.

Here, we will use CWE to look up the weakness types associated with a service discovered on the target.

  1. By default, the Windows 11 machine is selected. Press Ctrl+Alt+Delete to activate the machine and log in with Admin/Pa$$w0rd.

    If the Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.

  2. Launch any web browser and go to https://cwe.mitre.org/ (here, we are using Mozilla Firefox).

    If the Default Browser pop-up window appears, uncheck the Always perform this check when starting Firefox checkbox and click the Not now button.

    If a New in Firefox: Content Blocking pop-up window appears, follow the step and click start browsing to finish viewing the information.

  3. The CWE website appears. Open the Search tab and, in the Google Custom Search box under the CWE List Quick Access section, search for SMB.

    Here, we are searching for weaknesses related to a service found running on the target systems in the previous module's labs (Module 04: Enumeration).

  4. The search results appear. Scroll down to view the weakness entries that mention the target service (here, SMB). Click any link to view detailed information on that weakness.

    The search results might differ when you perform this task.

  5. Now, click any link (here, CWE-284: Improper Access Control) to view detailed information about the weakness.

  6. Similarly, you can click on other vulnerabilities and view detailed information.

  7. Now, open the CWE List tab. The current CWE List version is displayed. Scroll down and, under the External Mappings section, select CWE Top 25 (2023).

    The result might differ when you perform this task.

  8. A webpage appears displaying CWE VIEW: Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses. Scroll down to the Relationships section to view the list of weaknesses in the Top 25. You can open each weakness to view detailed information on it.

    Knowing which weakness classes are most common tells you what to test for in the target's software.

    The publishing year shown might differ when you perform this task.

  9. Similarly, you can go back to the CWE website and explore other options, as well.

  10. An attacker can use the same research to find weaknesses in the services running on the target systems and exploit them to launch attacks.

  11. This concludes the demonstration of researching weaknesses in the Common Weakness Enumeration (CWE).

  12. Close all open windows and document all the acquired information.

Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools

Lab Scenario

The information gathered in the previous labs might not be sufficient to reveal the potential vulnerabilities of the target; there could be more information available that helps in finding loopholes. As an ethical hacker, you should gather as much information as possible using all available tools. This lab demonstrates the additional information you can extract from the target using vulnerability assessment tools.

Lab Objectives

  • Perform vulnerability analysis using OpenVAS

Overview of Vulnerability Assessment

A vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses, and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. It identifies, quantifies, and ranks possible vulnerabilities to threats in a system. Additionally, it assists security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.

There are two approaches to network vulnerability scanning:

  • Active Scanning
  • Passive Scanning

Task 1: Perform Vulnerability Analysis using OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. Its capabilities include unauthenticated testing, authenticated testing, support for various high-level and low-level Internet and industrial protocols, performance tuning for large-scale scans, and a powerful internal programming language for implementing vulnerability tests. The scanner itself is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.

Here, we will perform a vulnerability analysis using OpenVAS.

In this task, we will use the Parrot Security (10.10.1.13) machine as a host machine and the Windows Server 2022 (10.10.1.22) machine as a target machine.

  1. Click on Parrot Security to switch to the Parrot Security machine and login with attacker/toor.

    If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.

    If a Question pop-up window appears asking you to update the machine, click No to close the window.

  2. Open a Terminal window and execute sudo su to run the programs as a root user (When prompted, enter the password toor).

    The password that you type will not be visible.

  3. Run docker run -d -p 443:443 --name openvas mikesplain/openvas to launch OpenVAS. The container takes several minutes to initialize on first start; you can follow its progress with docker logs -f openvas.

  4. After the tool has initialized, click the Firefox icon at the top of the Desktop.

  5. The Firefox browser appears; go to https://127.0.0.1/. The OpenVAS login page appears; log in with admin/admin.

    If a certificate Warning page appears (the web interface uses a self-signed certificate), click Advanced and select Accept the Risk and Continue.

  6. The OpenVAS Dashboards page appears. Navigate to Scans --> Tasks from the menu bar.

    If a Welcome to the scan task management! pop-up appears, close it.

  7. Hover over the wand icon and click the Task Wizard option.

  8. The Task Wizard window appears; enter the target IP address in the IP address or hostname field (here, the target system is Windows Server 2022 [10.10.1.22]) and click the Start Scan button.

  9. The task appears under the Tasks section; OpenVAS starts scanning the target IP address.

  10. Wait for the Status to change from Requested to Done. Once the scan has completed, click the Done button under the Status column to view the vulnerabilities found in the target system.

    It takes approximately 20 minutes for the scan to complete.

    If you are logged out of the session, log in again using the credentials admin/admin.

  11. Report: Results appears, displaying the discovered vulnerabilities along with their severity and the port on which each was detected.

    The results might differ when you perform this task.

  12. Click any vulnerability under the Vulnerability column to view its detailed information.

  13. Detailed information about the selected vulnerability appears.

  14. Similarly, you can hover over the Report: Results heading to switch to the other report views for the target system.

  15. Next, go through the findings, starting with all high or critical vulnerabilities, and manually verify each one with your own skills: a scanner reports what its signatures match, so false positives are expected. Vulnerability scanners are also limited by what they can see: an unauthenticated scan only tests what is exposed on the network, and they work best for an internal or white-box test when credentials are known and an authenticated scan can inspect installed software and patch levels. We will explore the network side of that now: return to OpenVAS and set up the same scan again, but this time with the firewall turned ON in the Windows Server 2022 machine.

  16. First, we will enable Windows Firewall on the target system and then scan it for vulnerabilities again.

  17. Click on Windows Server 2022 to switch to the Windows Server 2022 machine, press Ctrl+Alt+Delete, and log in with CEH\Administrator / Pa$$w0rd.

  18. Navigate to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or off, enable Windows Firewall, and click OK.

    With the firewall on, inbound connections that no rule allows are dropped, which makes it harder for the scanner to reach and test the target's services.

  19. Click on Parrot Security to switch to the Parrot Security machine and repeat Steps 7-9 to create another task that scans the target system.

  20. The newly created task appears under the Tasks section and starts scanning the target system for vulnerabilities.

  21. After the completion of the scan, click the Done button under the Status column.

    It takes approximately 15-20 minutes for the scan to complete.

  22. Report: Results appears, displaying the discovered vulnerabilities along with their severity and the port on which each was detected.

    The results might differ when you perform this task.

  23. In this lab the scan results for the target machine before and after Windows Firewall was enabled are the same, indicating that the target system remains vulnerable to attack even with the firewall enabled: the firewall only filters network access, and a service it still allows through is exactly as vulnerable as before. Compare the two reports finding by finding rather than by count; a difference in the ports reached tells you what the firewall actually blocked.

  24. This concludes the demonstration of performing vulnerability analysis using OpenVAS.

  25. Close all open windows and document all the acquired information.

  26. Click on Windows Server 2022 to switch to the Windows Server 2022 machine, press Ctrl+Alt+Delete, and log in with Administrator/Pa$$w0rd.

  27. Navigate to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or off, disable Windows Firewall, and click OK.
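
The report comparison in steps 11 to 23 can be automated rather than eyeballed. The following Python is an added example (not part of the CEH lab or of OpenVAS): it parses two scan reports exported as XML, lists the findings worth verifying first, and diffs the before-firewall and after-firewall reports finding by finding. The XML shape is a simplified model of the Greenbone report format whose element names are assumptions here, and the findings, hosts and NVT OIDs are constructed for illustration, not real tests.

```python
"""Triage and diff two OpenVAS/Greenbone-style XML scan reports.

Added example for this lab, not part of the CEH material. The XML is a
constructed, simplified model of the Greenbone report format: the element
names used here (<result>, <name>, <host>, <port>, <nvt oid>, <threat>,
<severity>, <qod>) are assumptions, and every finding and OID is invented
for illustration rather than a real NVT.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    oid: str         # NVT identifier; stable across scans, unlike the result id
    name: str
    severity: float  # CVSS base score reported by the scanner
    threat: str      # Log / Low / Medium / High
    qod: int         # quality of detection, percent

    @property
    def key(self):
        """What makes two results 'the same finding' across two scans."""
        return (self.host, self.port, self.oid)


def _result(rid, name, port, oid, threat, sev, qod, host="10.10.1.22"):
    # Constructed <result> element in the assumed report shape.
    return (f'<result id="{rid}"><name>{name}</name>'
            f'<host>{host}<asset asset_id="a-{host}"/></host><port>{port}</port>'
            f'<nvt oid="1.3.6.1.4.1.25623.1.0.{oid}"><name>{name}</name></nvt>'
            f'<threat>{threat}</threat><severity>{sev}</severity>'
            f'<qod><value>{qod}</value></qod></result>')


# Scan 1: Windows Firewall off. Includes a Log entry, a low-confidence
# result and a duplicate of the web-server finding.
BEFORE_XML = "<report><results>" + "".join([
    _result("r1", "SMB signing not required", "445/tcp", "900001", "Medium", 5.3, 80),
    _result("r2", "Unsupported web server version", "80/tcp", "900002", "High", 9.8, 80),
    _result("r3", "DCE/RPC endpoint mapper reachable", "135/tcp", "900003", "Low", 2.6, 80),
    _result("r4", "OS detection", "general/tcp", "900004", "Log", 0.0, 80),
    _result("r5", "Unsupported web server version", "80/tcp", "900002", "High", 9.8, 80),
    _result("r7", "Weak RDP cipher (unconfirmed)", "3389/tcp", "900006", "High", 7.5, 30),
]) + "</results></report>"

# Scan 2: Windows Firewall on. 135/tcp is no longer reachable; the scanner
# now reports that it saw filtered ports.
AFTER_XML = "<report><results>" + "".join([
    _result("r1", "SMB signing not required", "445/tcp", "900001", "Medium", 5.3, 80),
    _result("r2", "Unsupported web server version", "80/tcp", "900002", "High", 9.8, 80),
    _result("r4", "OS detection", "general/tcp", "900004", "Log", 0.0, 80),
    _result("r6", "Filtered ports detected", "general/tcp", "900005", "Log", 0.0, 80),
    _result("r7", "Weak RDP cipher (unconfirmed)", "3389/tcp", "900006", "High", 7.5, 30),
]) + "</results></report>"


def parse_report(xml_text):
    """Flatten every <result> in a report into a list of Finding objects."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        findings.append(Finding(
            host=(r.findtext("host") or "").strip(),   # text before <asset/>
            port=(r.findtext("port") or "").strip(),
            oid=nvt.get("oid", "") if nvt is not None else "",
            name=(r.findtext("name") or "").strip(),
            severity=float(r.findtext("severity") or 0.0),
            threat=(r.findtext("threat") or "Log").strip(),
            qod=int(r.findtext("qod/value") or 0),
        ))
    return findings


def triage(findings, min_severity=7.0, min_qod=70):
    """Verify-first list: severe, high-confidence findings, de-duplicated."""
    keep = {}
    for f in findings:
        if f.severity >= min_severity and f.qod >= min_qod:
            keep[f.key] = f
    return sorted(keep.values(), key=lambda f: (-f.severity, f.host, f.port))


def diff_reports(before, after):
    """Compare two scans finding by finding, not by count."""
    b = {f.key for f in before}
    a = {f.key for f in after}
    return {"unchanged": sorted(b & a),
            "only_before": sorted(b - a),   # what the change removed or blocked
            "only_after": sorted(a - b)}    # new exposure or new scanner info


if __name__ == "__main__":
    before, after = parse_report(BEFORE_XML), parse_report(AFTER_XML)
    for f in triage(before):
        print(f"VERIFY  {f.severity:4.1f}  {f.host}:{f.port}  {f.name}")
    for kind, keys in diff_reports(before, after).items():
        print(kind, keys)
```

To use it on real data, export each report from the OpenVAS web interface as XML and pass the file contents to parse_report. Findings are keyed by host, port and NVT OID rather than by result id, so the same weakness still matches across two scans; the QoD threshold drops low-confidence guesses from the verify-first list, and the Log-level entries fall out because their severity is 0.0.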

Lab 3: Perform Vulnerability Analysis using AI

Lab Scenario

As a professional ethical hacker or pen tester, you must acknowledge the limitations of conventional approaches in revealing all potential vulnerabilities. Therefore, you will utilize AI-driven vulnerability analysis tools to identify and assess security weaknesses in a simulated network environment.

Lab Objectives

  • Perform vulnerability analysis using ShellGPT

Overview of vulnerability analysis using AI

Vulnerability analysis with AI uses language models and other AI-driven tooling to help uncover security flaws in networks. Such tools can gather and summarize data, prioritize risks, and suggest mitigations, helping ethical hackers anticipate and address emerging threats more quickly than with manual tooling alone.

Task 1: Perform Vulnerability Analysis using ShellGPT

ShellGPT turns natural-language requests into shell commands and, with its --shell option, offers to run them, so it can drive scans, surface weaknesses, and suggest mitigations interactively. Because it adapts the commands it generates to the tools available on the machine, it speeds up vulnerability analysis; every generated command still needs a look before you confirm its execution.

Here, we will use ShellGPT to discover potential vulnerabilities in the target.

The commands generated by ShellGPT may vary depending on the prompt used and the tools available on the machine. Due to these variables, the output generated by ShellGPT might differ from what is shown in the screenshots. These differences arise from the dynamic nature of the AI's processing and the diverse environments in which it operates. As a result, you may observe differences in command syntax, execution, and results while performing this lab task.

  1. Click Parrot Security to switch to the Parrot Security machine and log in with attacker/toor. Open a Terminal window and run sudo su to work as the root user (when prompted, enter the password toor).

    The password that you type will not be visible.

  2. Run bash sgpt.sh to configure ShellGPT and the AI activation key.

    You can follow the Instructions to Download your AI Activation Key in Module 00: CEH Lab Setup to obtain the AI activation key. Alternatively, follow the instructions available in the file, Instructions to Download your AI_Activation_Key - CEHv13.

  3. After configuring ShellGPT on the Parrot Security machine, run sgpt --chat nikto --shell "Scan the URL https://www.certifiedhacker.com to identify potential vulnerabilities with nikto" in the terminal to launch a Nikto scan against the target website.

  4. ShellGPT displays the command it generated and waits for confirmation. In the prompt, type E and press Enter to execute the command.

  5. The scan result appears, displaying the discovered vulnerabilities in the target website (here, www.certifiedhacker.com).

    A Nikto scan takes a long time to complete. You can terminate the scan by pressing Ctrl+C (Ctrl+Z only suspends the process in the background).

  6. In the terminal, run sgpt --chat vuln --shell "Perform vulnerability scan on target url http://www.moviescope.com with Nmap" to perform a vulnerability scan on the target website. The result displays the open ports and the services running on the target.

  7. Run sgpt --chat vuln --shell "Perform a vulnerability scan on target url http://testphp.vulnweb.com with skipfish" to scan the target URL with the skipfish tool.

    If a prompt appears, press any key to continue the scan.

  8. skipfish begins scanning the target URL. After the scan completes, the report is saved as index.html under /tmp/skipfish_scan_output/. Navigate to that location, right-click index.html and open it with the Firefox ESR web browser.

    The location of the scan report might differ. You can check it in the skipfish command generated by ShellGPT.

  9. A Firefox browser window appears, displaying the complete scan report.

  10. Beyond the commands above, you can explore further ShellGPT options and drive other tools to conduct vulnerability assessments against the target.

  11. This concludes the demonstration of performing a vulnerability assessment on the target using ShellGPT.

  12. Close all open windows and document all the acquired information.

References

https://blog.51sec.org

Via https://blog.51sec.org/2025/05/ceh13-lab-module-05-vulnerability.html

CEH13 Notes - Module 05: Vulnerability Analysis

5/20/2025

Learning Objectives:

  • Summarize Vulnerability Assessment Concepts
  • Use Vulnerability Assessment Tools
  • Analyze Vulnerability Assessment Reports

Vulnerability Assessment Concepts

Any vulnerability present in a system can be hazardous and can cause severe damage to the organization. It is important for ethical hackers to know the various types of vulnerabilities they may encounter, along with the vulnerability scanning techniques used to find them. This section provides an overview of vulnerability classification, vulnerability scoring systems, vulnerability databases, the vulnerability-management lifecycle, and types of vulnerability scanning.

Vulnerability Classification

Vulnerability Scoring Systems and Databases 


Due to the growing severity of cyber-attacks, vulnerability research has become critical as it helps to mitigate the chance of attacks. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers. Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in information systems. 
Following are some of the vulnerability scoring systems and databases:
▪ Common Vulnerability Scoring System (CVSS) Source: https://www.first.org
▪ Common Vulnerabilities and Exposures (CVE) Source: https://cve.mitre.org 
▪ National Vulnerability Database (NVD)  Source: https://nvd.nist.gov
▪ Common Weakness Enumeration (CWE) Source: https://cwe.mitre.org

Vulnerability-Management Life Cycle 

The vulnerability management life cycle is an important process that helps identify and remediate security weaknesses before they can be exploited. This includes defining the risk posture and policies for an organization, creating a complete asset list of systems, scanning and assessing the environment for vulnerabilities and exposures, and taking action to mitigate the vulnerabilities that are identified. Implementing a vulnerability management lifecycle helps gain a strategic perspective on possible cybersecurity threats and renders insecure computing environments more resilient to attacks. Vulnerability management should be implemented in every organization, as it evaluates and controls the risks and vulnerabilities in the system, and the process continuously examines the IT environment for vulnerabilities and the risks associated with them. Organizations should maintain a proper vulnerability management program to ensure overall information security. Vulnerability management provides the best results when it is implemented in a sequence of well-organized phases.

The phases involved in vulnerability management are:
▪ Pre-Assessment Phase
  o Identify Assets and Create a Baseline
▪ Vulnerability Assessment Phase
  o Vulnerability Scan
  o Vulnerability Analysis
▪ Post-Assessment Phase
  o Risk Assessment
  o Remediation
  o Verification
  o Monitoring

Vulnerability Research 

Vulnerability research involves utilizing various online resources, tools, and platforms to identify, analyze, and share information about security vulnerabilities. 

An administrator needs vulnerability research:
▪ To gather information about security trends, newly discovered threats, attack surfaces, attack vectors and techniques
▪ To find weaknesses in the OS and applications and alert the network administrator before a network attack
▪ To understand information that helps prevent security problems
▪ To know how to recover from a network attack
▪ To prioritize and apply security patches and updates effectively, mitigating risks before they can be exploited
▪ To adhere to industry best practices for security, ensuring systems are not just compliant, but also secured according to the highest standards
▪ To perform accurate risk assessments, identifying and prioritizing the most critical threats to address

An ethical hacker needs to keep up with the most recently discovered vulnerabilities and exploits to stay one step ahead of attackers through vulnerability research, which includes:
▪ Discovering the system design faults and weaknesses that might allow attackers to compromise a system
▪ Staying updated about new products and technologies and reading news related to current exploits
▪ Checking underground hacking web sites (Deep and Dark websites) for newly discovered vulnerabilities and exploits
▪ Checking newly released alerts regarding relevant innovations and product improvements for security systems
▪ Anticipating how a system might be attacked and taking steps to mitigate those risks
▪ Helping organizations develop robust defensive strategies that protect against specific threats
▪ Tailoring security solutions to the unique needs and risk profiles of the organizations
▪ Conducting thorough audits that identify compliance issues and security gaps

Security experts and vulnerability scanners classify vulnerabilities by:
▪ Severity level (low, medium, or high)
▪ Exploit range (local or remote)

Ethical hackers need to conduct intense research with the help of the information acquired in the footprinting and scanning phases to find vulnerabilities.


Resources for Vulnerability Research

The following are some of the websites used to perform vulnerability research.
▪ Microsoft Security Response Center (MSRC) Source: https://msrc.microsoft.com
  The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services, and it provides information as part of an ongoing effort to help security professionals manage security risks and keep organizational systems protected.
▪ Packet Storm (https://packetstormsecurity.com)
▪ Dark Reading (https://www.darkreading.com)
▪ Trend Micro (https://www.trendmicro.com)
▪ Security Magazine (https://www.securitymagazine.com)
▪ PenTest Magazine (https://pentestmag.com)
▪ SC Magazine (https://www.scmagazine.com)
▪ Exploit Database (https://www.exploit-db.com)
▪ Help Net Security (https://www.helpnetsecurity.com)
▪ HackerStorm (https://www.hackerstorm.co.uk)
▪ Computerworld (https://www.computerworld.com)
▪ D’Crypt (https://www.d-crypt.co

Vulnerability Scanning and Analysis 

Vulnerability scanning involves analyzing protocols, services, and configurations to discover vulnerabilities and design flaws that may expose an operating system and its applications to exploitation, attack, or misuse. Vulnerability analysis is the systematic process of identifying, evaluating, and prioritizing security weaknesses in systems, networks, applications, or protocols. Vulnerabilities are classified based on severity level (low, medium, or high) and exploit range (local or remote). The goal of this analysis is to understand the nature of these vulnerabilities, assess their potential impact, and develop strategies to mitigate or eliminate them. Additionally, vulnerability scanning and analysis assist security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanisms before attackers can exploit them. Typically, vulnerability-scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications to identify vulnerabilities arising from vendor negligence, system or network misconfigurations, or daily operations. Vulnerability-scanning software compares the scanned systems against the Common Vulnerabilities and Exposures (CVE) index and security bulletins provided by software vendors.

There are two approaches to network vulnerability scanning: 
▪ Active scanning: The attacker interacts directly with the target network to find vulnerabilities. Active scanning simulates an attack on the target network to uncover vulnerabilities that an attacker could exploit.
  Example: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.
▪ Passive scanning: The attacker tries to find vulnerabilities without directly interacting with the target network, identifying them from information the systems expose during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network by monitoring traffic. This approach provides information about weaknesses but does not provide a path for directly combating attacks.
  Example: An attacker guesses the operating system, applications, and application/service versions by observing the TCP connection setup and teardown.

Attackers scan for vulnerabilities using tools such as Nessus, Qualys, GFI LanGuard, and OpenVAS.
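
The passive example above (guessing the operating system from the TCP connection setup) is concrete enough to show in code. The following Python is an added illustration, not part of the CEH notes or of any scanner: it builds a few IPv4/TCP SYN headers in memory and infers the sender's OS family from the initial TTL and the SYN window size, which is the core of what passive fingerprinters such as p0f do with real traffic. Nothing is sent on the network; the packets and the lab addresses are constructed, and the signature table is illustrative rather than a real fingerprint database.

```python
"""Passive OS fingerprinting from a TCP connection setup.

Added example, not part of the CEH notes. It demonstrates the passive
approach: instead of sending probes, look at the initial TTL and the TCP
window size of a SYN the target itself sent, the way passive tools such as
p0f do. The packets below are constructed in memory (nothing is sent), and
the signature table is illustrative, not a real p0f database.
"""
import struct

# (initial TTL, SYN window) -> guess. Illustrative values only; real passive
# fingerprinters also use the TCP options, MSS, window scale and DF bit.
SIGNATURES = {
    (64, 64240): "Linux (recent kernel)",
    (64, 29200): "Linux (older kernel)",
    (64, 65535): "FreeBSD / macOS",
    (128, 8192): "Windows (7 / Server 2008 R2 and later)",
    (128, 65535): "Windows (older)",
    (255, 4128): "Cisco IOS",
}
INITIAL_TTLS = (32, 64, 128, 255)   # common defaults a sender starts from


def build_syn(src, dst, sport, dport, ttl, window, flags=0x02):
    """Constructed IPv4 + TCP header, checksums left zero; never transmitted."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (src, dst, ttl, tcp_flags, window), or None for non-IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    _sport, _dport, _seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", pkt[ihl:ihl + 16])
    return src, dst, ttl, flags, window


def guess_initial_ttl(ttl):
    """The TTL we see has been decremented once per hop; map it back to the
    nearest initial value (a TTL of 125 almost certainly started at 128)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return 255


def fingerprint(pkt):
    """Guess the sender's OS from a SYN; None if the packet is not a pure SYN."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return None
    src, dst, ttl, flags, window = parsed
    if (flags & 0x12) != 0x02:      # SYN set, ACK clear: the client's own first packet
        return None
    initial = guess_initial_ttl(ttl)
    return {"src": src, "dst": dst, "ttl": ttl, "initial_ttl": initial,
            "hops": initial - ttl, "window": window,
            "os": SIGNATURES.get((initial, window), "unknown")}


if __name__ == "__main__":
    # Constructed traffic "observed" on the lab network.
    observed = [
        build_syn("10.10.1.22", "10.10.1.13", 50123, 445, 125, 8192),   # 3 hops, Windows-like
        build_syn("10.10.1.13", "10.10.1.22", 40001, 80, 61, 64240),    # 3 hops, Linux-like
        build_syn("10.10.1.22", "10.10.1.13", 445, 50123, 128, 8192, flags=0x12),  # SYN/ACK: skipped
    ]
    for p in observed:
        print(fingerprint(p))
```

The edge case worth noticing is the TTL: the value on the wire has already been decremented by every router on the path, so a naive lookup on the observed TTL would miss every host that is not on the local segment; mapping it back to the nearest common initial value also yields an estimate of the hop count. The same limitation applies in reverse: window sizes are tunable and overlap between OS families, which is why real tools combine many header fields and why the text above calls passive results a source of information rather than proof.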


Types of Vulnerability Scanning 

Given below are the different types of vulnerability scanning:

Vulnerability Assessment Tools


Vulnerability assessment solutions are important tools for information security management as they identify all potential security weaknesses before an attacker can exploit them. There are different approaches and solutions available to perform a vulnerability assessment. Selecting an appropriate assessment approach plays a major role in mitigating the threats that an organization faces.
This section outlines the various approaches, solutions, and tools used to perform a vulnerability assessment.
Comparing Approaches to Vulnerability Assessment

There are four types of vulnerability assessment solutions: product-based solutions, service-based solutions, tree-based assessment, and inference-based assessment.
▪ Product-Based Solutions
  Product-based solutions are installed in the organization’s internal network. They are installed either on a private or non-routable space or in the Internet-addressable portion of an organization’s network. If they are installed on a private network (behind the firewall), they cannot always detect outside attacks.
▪ Service-Based Solutions
  Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network, while others are hosted outside the network. A drawback of this solution is that attackers can perform network vulnerability scans from the Internet/external network.
▪ Tree-Based Assessment
  In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. For example, the administrator selects a scanner for servers running Windows, databases, and web services but uses a different scanner for Linux servers. This approach relies on the administrator to provide a starting piece of intelligence, and then to start scanning continuously without incorporating any information found at the time of scanning.
▪ Inference-Based Assessment
  In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

Types of Vulnerability Assessment Tools

There are six types of vulnerability assessment tools: host-based vulnerability assessment tools, application-layer vulnerability assessment tools, depth assessment tools, scope assessment tools, active and passive tools, and location and data-examination tools.
▪ Host-Based Vulnerability Assessment Tools
  Host-based scanning tools are appropriate for servers that run various applications, such as the Web, critical files, databases, directories, and remote access. These host-based scanners can detect high levels of vulnerabilities and provide the required information about fixes (patches). A host-based vulnerability assessment tool identifies the OS running on a particular host computer and tests it for known deficiencies. It also searches for common applications and services.
▪ Depth Assessment Tools
  Depth assessment tools are used to discover and identify previously unknown vulnerabilities in a system. Generally, tools such as fuzzers, which provide arbitrary input to a system’s interface, are used to identify vulnerabilities to an unstable depth. Many of these tools use a set of vulnerability signatures to test whether a product is resistant to a known vulnerability or not.
▪ Application-Layer Vulnerability Assessment Tools
  Application-layer vulnerability assessment tools are designed to serve the needs of all kinds of operating system types and applications. Various resources pose a variety of security threats and are identified by the tools designed for that purpose. Observing system vulnerabilities through the Internet using an external router, firewall, or web server is called an external vulnerability assessment. These vulnerabilities could be external DoS/DDoS threats, network data interception, or other issues. The analyst performs a vulnerability assessment and notes vulnerable resources. The network vulnerability information is updated regularly in the tools. Application-layer vulnerability assessment tools are directed towards web servers or databases.
▪ Scope Assessment Tools
  Scope assessment tools provide an assessment of security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan. They generate a standard report based on the information found. Some assessment tools are designed to test a specific application or application type for vulnerabilities.
▪ Active and Passive Tools
  Active scanners perform vulnerability checks on the network that consume resources on the network. The main advantage of an active scanner is that the system administrator or IT manager has good control of the timing and the parameters of vulnerability scans. Because it uses system resources that affect the processing of other tasks, this kind of scanner cannot be used freely against critical operating systems.
▪ Location and Data Examination Tools
  Listed below are some of the location and data examination tools:
  o Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and report to the same machine after scanning.
  o Agent-Based Scanner: Agent-based scanners reside on a single machine but can scan several machines on the same network.
  o Proxy Scanner: Proxy scanners are network-based scanners that can scan networks from any machine on the network.
  o Cluster Scanner: Cluster scanners are similar to proxy scanners, but they can simultaneously perform two or more scans on different machines in the network.

Network vulnerability scanners help to analyze and identify vulnerabilities in the target network or network resources by using vulnerability assessment and network auditing. These tools also assist in overcoming weaknesses in the network by suggesting various remediation techniques. The following are some of the most effective vulnerability assessment tools: 

▪ Nessus Essentials Source: https://www.tenable.com Nessus Essentials is an assessment solution for identifying vulnerabilities, configuration issues, and malware, which can be used to penetrate networks. It also helps ethical hackers perform vulnerability, configuration, and compliance assessment. It supports various technologies such as OSes, network devices, hypervisors, databases, tablets/phones, web servers, and critical infrastructure. Features: o High-speed asset discovery o Vulnerability assessment o Malware and botnet detection o Scanning and auditing virtualized and cloud platforms
▪ GFI LanGuard Source: https://www.gfi.com
GFI LanGuard scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices. This is done with minimal administrative effort. It scans the operating systems, virtual environments, and installed applications through vulnerability check databases. It enables analysis of the state of network security, identifies risks, and offers solutions before the system can be compromised. Features: o Patch management for operating systems and third-party applications o Vulnerability assessment o A Web reporting console o Track latest vulnerabilities and missing updates o Integration with security applications o Network device vulnerability checks o Network and software auditing o Support for virtual environments
▪ OpenVAS Source: https://www.openvas.org OpenVAS is a framework of several services and tools that offer a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Network’s commercial vulnerability management solution, developments from which have been contributed to the open-source community since 2009. The actual security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.
Features: o SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL) o A full HTTP proxy support o Checks for outdated server components o Saves reports in plain text, XML, HTML, NBE or CSV o A Template engine to easily customize reports o Scans multiple ports on a server, or multiple servers via input file o LibWhisker’s IDS encoding techniques o Identifies installed software via headers, favicons, and files o Host authentication with Basic and NTLM o Subdomain guessing o Apache and cgiwrap username enumeration o Scan tuning to include or exclude entire classes of vulnerability checks o Guesses credentials for authorization realms (including many default ID and password combinations)
▪ Qualys Vulnerability Management
Source: https://www.qualys.com
Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches.
Features:
o Agent-based detection: Also works with the Qualys Cloud Agents, extending its network coverage to unscannable assets.
o Constant monitoring and alerts: When VM is paired with Continuous Monitoring (CM), InfoSec teams are proactively alerted about potential threats, so problems can be tackled before they turn into breaches.
o Comprehensive coverage and visibility: Continuously scans and identifies vulnerabilities for protecting IT assets on-premises, in the cloud, and at mobile endpoints. Its executive dashboard displays an overview of the security posture and gives access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
o VM for the perimeter-less world: As enterprises adopt cloud computing, mobility, and other disruptive technologies for digital transformation, Qualys VM offers next-generation vulnerability management for these hybrid IT environments whose traditional boundaries have been blurred.
o Discover forgotten devices and organize the host assets: Qualys can help quickly determine what is running in different parts of the network, from the perimeter and corporate network to virtualized machines and cloud services. It can also identify unexpected access points, web servers, and other devices that can expose the network to attack.
o Scan for vulnerabilities everywhere, accurately and efficiently: Scan systems anywhere from the same console, including the perimeter, the internal network, and cloud environments.
o Identify and prioritize risks: Qualys, using trend analysis, Zero-Day, and Patch impact predictions, can identify the highest business risks.
o Remediate vulnerabilities: Qualys's ability to track vulnerability data across hosts and time produces interactive reports that provide a better understanding of the security of the network.

Listed below are some of the additional vulnerability assessment tools:
▪ InsightVM (https://www.rapid7.com)
▪ Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
▪ Nexpose (https://www.rapid7.com)
▪ Sniper (https://sn1persecurity.com)
▪ Tripwire IP360 (https://www.tripwire.com)
▪ SAINT Security Suite (https://www.carson-saint.com)
▪ BeSECURE (https://www.beyondsecurity.com)
▪ Core Impact Pro (https://www.coresecurity.com)
▪ Intruder (https://www.intruder.io)
▪ ManageEngine Vulnerability Manager Plus (https://www.manageengine.com)
▪ Astra Pentest (https://www.getastra.com)
▪ Skybox (https://www.skyboxsecurity.com)
▪ MaxPatrol TM (https://www.ptsecurity.com)




AI-Powered Vulnerability Assessment Tools



Traditional vulnerability scanning tools often struggle to keep up with rapidly evolving cyber threats because of their reliance on predefined rules and signatures, leading to inefficient and error-prone processes. By contrast, AI-powered vulnerability assessments change security risk management by leveraging advanced technologies to automate and enhance vulnerability detection and remediation processes. AI-driven scanners can adapt to new threats, reduce false positives, provide more accurate and actionable insights, empower ethical hackers and security teams to address vulnerabilities proactively, and strengthen an organization's overall cybersecurity posture. AI-powered vulnerability scanners can also continuously learn from new data, including emerging threats and attack technique patterns, which allows them to adapt and improve their detection capabilities over time. By leveraging machine-learning algorithms, these scanners can identify patterns, anomalies, and potential vulnerabilities more effectively than traditional tools. Furthermore, AI-powered scanners can adapt to the specific needs and requirements of an organization by tailoring their scanning strategies and detection methods to a unique environment. This flexibility allows for more accurate and targeted vulnerability assessments, thereby reducing the number of false positives and negatives.


AI-Powered Vulnerability Assessment Tool: Equixly
Source: https://equixly.com
Equixly is an advanced AI-powered tool designed specifically for vulnerability assessment with a focus on securing APIs. It uses AI and ML to identify and eliminate blind spots, thereby ensuring robust protection against potential threats.
Key features of Equixly for vulnerability management are as follows:
▪ AI-Driven Vulnerability Detection: Equixly uses machine-learning algorithms to scan and identify vulnerabilities within APIs, ensuring that no potential threats are overlooked.
▪ Automated Threat Analysis: This tool automates the process of analyzing threat data, enabling quicker identification and response to emerging security risks.
▪ Real-Time Security Monitoring: It provides continuous monitoring of API environments, and offers real-time updates and alerts regarding potential vulnerabilities.
▪ Adaptive Learning: Machine-learning models continuously learn from new data, improving the accuracy and efficiency of vulnerability detection over time.

AI-Powered Automated Vulnerability Scanner: SmartScanner
Source: https://www.thesmartscanner.com
SmartScanner is an AI-powered automated vulnerability scanner designed to enhance website security. Advanced ML algorithms are used to monitor websites continuously for potential vulnerabilities and threats.
The key features of SmartScanner include:
▪ Supervised and Unsupervised ML: SmartScanner analyzes vast amounts of data using both supervised and unsupervised ML algorithms. This lets it learn the patterns of benign and malicious activities and distinguish between them.
▪ Baseline Establishment: AI models in SmartScanner establish baselines of normal behavior for each website it monitors. These baselines are then used to identify deviations that may indicate potential threats.
▪ Anomaly Detection: SmartScanner employs anomaly detection algorithms to flag activities that deviate from established baselines. This helps to identify and alert on suspicious behaviors in real time.
▪ Real-time Analytics and Response: The AI-driven systems in SmartScanner provide real-time analytics of the websites it monitors. It can automatically respond by quickly mitigating the identified threats, thereby reducing the risk of successful attacks.


Additional AI-powered Vulnerability Assessment Tools
▪ CodeDefender
Source: https://codedefender.ro
CodeDefender is an AI-powered vulnerability assessment tool that helps organizations automatically detect, prioritize, and fix security vulnerabilities in their code bases. It integrates existing security tools to provide a comprehensive vulnerability-management solution.
▪ Corgea
Source: https://corgea.com
Corgea is an AI-powered platform that automatically generates and deploys security fixes for vulnerabilities detected in software code. It leverages machine-learning models to analyze vulnerability data and write secure code patches, thereby reducing the manual effort required by security teams.
▪ Fluxguard
Source: https://fluxguard.com
Fluxguard employs AI algorithms to automatically scan and detect vulnerabilities across diverse IT infrastructures, including networks, applications, and systems. It utilizes ML to conduct a behavioral analysis of network traffic and system interactions and identifies anomalous behaviors that could indicate potential vulnerabilities or attacks.
▪ DryRun Security
Source: https://www.dryrun.security
DryRun Security is a vulnerability assessment and penetration-testing platform that uses AI and automation to identify and validate security weaknesses in web applications and infrastructure.
▪ Pentest Copilot
Source: https://copilot.bugbase.ai
Pentest Copilot is an AI-powered penetration-testing assistant that helps security teams conduct more efficient and effective vulnerability assessments. It automates various penetration-testing tasks, from reconnaissance to exploitation, and provides actionable insights for prioritizing and remediating identified vulnerabilities.
▪ Beagle Security
Source: https://beaglesecurity.com
Beagle Security is a comprehensive web application security testing platform that combines automated scanning and manual penetration testing. It uses AI and ML to detect a wide range of vulnerabilities, including the OWASP Top 10 risks, and provides detailed reports to help organizations improve their application security.
▪ Hackules
Source: https://hackules.com
Hackules is an AI-powered vulnerability assessment and penetration-testing platform that helps organizations identify and mitigate security weaknesses in their web applications and infrastructures. It uses advanced techniques such as NLP and ML to provide accurate and actionable security insights.
▪ CoderBuds
Source: https://coderbuds.com
CoderBuds is an AI-driven code security platform that helps developers and security teams detect, prioritize, and fix vulnerabilities in their codebases. Its AI algorithm integrates seamlessly with mainstream development tools; CoderBuds conducts automated vulnerability scans, performs comprehensive risk assessments, and offers tailored remediation recommendations.



Vulnerability Assessment using AI 


Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly perform vulnerability scanning to identify the potential vulnerabilities on a target. An attacker can use ChatGPT to perform this task by using an appropriate prompt such as:
Example #1: "Launch nikto to execute a scan against the URL www.certifiedhacker.com to identify potential vulnerabilities."
The command scans the URL www.certifiedhacker.com for potential vulnerabilities using the Nikto web server scanner.
nikto -h www.certifiedhacker.com
▪ `nikto`: This command invokes Nikto, a web server scanner that performs comprehensive tests against web servers for potential vulnerabilities.
▪ `-h www.certifiedhacker.com`: This option specifies the target URL (www.certifiedhacker.com) to scan for vulnerabilities. Nikto will perform various checks and tests against the specified URL to identify potential security issues and vulnerabilities.

Example #2: "Perform vulnerability scan on target url http://testphp.vulnweb.com with nikto and save the results in output.txt."
nikto -h http://testphp.vulnweb.com -o output.txt
▪ `nikto`: This command invokes Nikto.
▪ `-h http://testphp.vulnweb.com`: This option specifies the target URL (http://testphp.vulnweb.com) to scan for vulnerabilities.
▪ `-o output.txt`: This option specifies the file where the scan results will be saved. In this case, the results will be saved in a file named "output.txt".


Vulnerability Scan using Nmap with AI 


Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly perform vulnerability scanning using Nmap to identify the potential vulnerabilities on a target. For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: "Perform a vulnerability scan on target url www.moviescope.com with nmap and save the results in output.txt"

nmap -sV --script=vuln www.moviescope.com -oN output.txt
▪ `nmap`: This command invokes Nmap.
▪ `-sV`: This option enables service and version detection on the open ports; the vulnerability scripts use the detected service information to decide which checks apply.
▪ `--script=vuln`: This option selects the "vuln" category of Nmap Scripting Engine scripts, which focus on vulnerability checks. Note that the option takes two leading hyphens; a single dash or a typographic en dash is not accepted by Nmap.
▪ `www.moviescope.com`: This is the target host where the vulnerability scan will be performed.
▪ `-oN output.txt`: This option specifies the file where the scan results will be saved in normal (human-readable) format. In this case, the results will be saved in a file named "output.txt".

Vulnerability Assessment using Python Script with AI 

Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly create and run custom vulnerability scanning scripts and identify potential vulnerabilities on targets. By developing such custom scripts, attackers can efficiently execute a series of vulnerability scanning and associated commands to identify potential vulnerabilities on targets. Using this script, an attacker can run fast but comprehensive Nmap scans followed by vulnerability scanning using Nikto against multiple IP addresses. For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: "Create a python script to run a fast but comprehensive Nmap scan on the IP addresses in scan1.txt and then execute vulnerability scanning using nikto against each IP address in scan1.txt"

The following Python script automates network scanning and vulnerability assessment tasks on the IP addresses listed in the scan1.txt file:

import subprocess

# Read the list of IP addresses from scan1.txt (one address per line)
with open('scan1.txt', 'r') as file:
    ip_addresses = file.read().splitlines()

for ip in ip_addresses:
    ip = ip.strip()
    if not ip:
        continue  # skip blank lines in the input file
    # Run an Nmap scan on the IP address (-T4 timing template, -A aggressive scan, -v verbose)
    subprocess.run(['nmap', '-T4', '-A', '-v', ip])
    # After Nmap finishes, run a Nikto vulnerability scan on the same IP address
    subprocess.run(['nikto', '-h', ip])
▪ The script first reads the list of IP addresses from the scan1.txt file. ▪ It then iterates through each IP address and executes an Nmap scan with the specified options (in this case, -T4 for timing template and -A for aggressive scan) using the subprocess.run() function.
▪ After completing the Nmap scan, it proceeds to execute a Nikto vulnerability scan on each IP address using the subprocess.run() function again.
▪ The results of both scans will be displayed in the console output.


Vulnerability Scan using Skipfish with AI 

Attackers can leverage AI-powered technologies to enhance and automate their vulnerability scanning tasks. With the aid of AI, attackers can effortlessly perform vulnerability scanning using Skipfish to identify potential vulnerabilities on a target.

For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: "Perform a vulnerability scan on target url http://testphp.vulnweb.com with Skipfish and display the output file index.html in Firefox."

The following command automates vulnerability scanning on the target URL using Skipfish and displays the output file in Firefox:
skipfish -o /tmp/skipfish_output http://testphp.vulnweb.com && firefox /tmp/skipfish_output/index.html
▪ The command executes skipfish to perform a vulnerability scan on the target URL http://testphp.vulnweb.com.
▪ The -o /tmp/skipfish_output option specifies the output directory for storing the scan results.
▪ After the vulnerability scan completes successfully (the && only runs the second command if the first one exits with status 0), the command opens the output file /tmp/skipfish_output/index.html in Firefox. The path given to firefox must be the same absolute path as the -o directory; a relative tmp/skipfish_output/index.html would not be found.

This prompt automates vulnerability scanning on the target URL http://testphp.vulnweb.com using Skipfish and displays the output file in Firefox for further analysis.

Vulnerability Assessment Reports

 

In the vulnerability assessment process, once all the phases are completed, the security team will review the results and process the information to prepare the final report. In this phase, the security team will try to disclose any identified vulnerabilities, document any variations and findings, and include all these in the final report along with remediation steps to mitigate the identified risks.

A vulnerability assessment report is a comprehensive document that details the findings of a vulnerability assessment. This report includes information about identified security weaknesses, their potential impact, severity, and recommendations for remediation. The purpose of the report is to provide stakeholders with a clear understanding of the security posture of the assessed systems, applications, or networks and to guide them in taking corrective actions to mitigate risks. The report provides details of all the possible vulnerabilities with regard to the company's security policies. The vulnerabilities are categorized based on severity into three levels: High, Medium, and Low risk. High-risk vulnerabilities are those that might allow unauthorized access to the network. These vulnerabilities must be rectified immediately before the network is compromised. The report describes different kinds of attacks that are possible given the organization's set of operating systems, network components, and protocols. The vulnerability assessment report must include, but is not limited to, the following points:
▪ The vulnerability's name and its mapped CVE ID
▪ The date of discovery
▪ The score based on Common Vulnerabilities and Exposures (CVE) databases
▪ A detailed description of the vulnerability
▪ The impact of the vulnerability
▪ Details regarding the affected systems
▪ Details regarding the process needed to correct the vulnerability, including information on patches, configuration fixes, and ports to be blocked
▪ A proof of concept (PoC) of the vulnerability for the system (if possible)
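The list above names the fields a report entry needs and the three severity levels it is organized into, but not how the entries are checked or grouped before the report goes out. The example below is added here and is not part of the original notes: it models one report entry with exactly those fields, validates the parts that are most often wrong in practice (a malformed CVE ID, a score outside 0 to 10, no affected systems, no remediation steps), groups the valid entries into High, Medium and Low with the highest score first, and renders the result as plain text with a separate section for entries that must be corrected before publication. The thresholds (7.0 and above High, 4.0 to 6.9 Medium, below 4.0 Low) are an assumption of this example, since the notes name the levels without stating cut-offs, and the sample findings and their CVE IDs are constructed placeholders, not real vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date
import re

# CVE identifier format: CVE-<four-digit year>-<four or more digits>.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Finding:
    """One report entry; the fields follow the list of required report points."""
    name: str
    cve_id: str
    discovered: date
    score: float            # CVSS base score, 0.0 to 10.0
    description: str
    impact: str
    affected_systems: list
    remediation: str        # patches, configuration fixes, ports to block
    poc: str = ""           # proof of concept, if one exists

    def severity(self):
        # Assumed mapping of the score onto the report's three levels; the
        # notes name High/Medium/Low but state no thresholds.
        if self.score >= 7.0:
            return "High"
        if self.score >= 4.0:
            return "Medium"
        return "Low"


def validate(finding):
    """Return the list of problems that make an entry unfit for the report (empty if none)."""
    problems = []
    if not CVE_ID_RE.match(finding.cve_id):
        problems.append("malformed CVE ID: %r" % finding.cve_id)
    if not 0.0 <= finding.score <= 10.0:
        problems.append("score out of range: %r" % finding.score)
    if not finding.affected_systems:
        problems.append("no affected systems listed")
    if not finding.remediation.strip():
        problems.append("no remediation steps")
    return problems


def group_by_severity(findings):
    """Group valid findings into High/Medium/Low, highest score first within each level."""
    groups = {"High": [], "Medium": [], "Low": []}
    for f in findings:
        if validate(f):
            continue  # invalid entries are listed separately by render_report
        groups[f.severity()].append(f)
    for level in groups:
        groups[level].sort(key=lambda f: f.score, reverse=True)
    return groups


def render_report(findings):
    """Render the grouped findings as plain text, High first, then entries needing correction."""
    groups = group_by_severity(findings)
    rejected = [(f.cve_id, validate(f)) for f in findings if validate(f)]
    lines = ["Vulnerability Assessment Report"]
    for level in ("High", "Medium", "Low"):
        lines.append("")
        lines.append("%s risk (%d)" % (level, len(groups[level])))
        for f in groups[level]:
            lines.append("- %s (%s) score %.1f, discovered %s"
                         % (f.name, f.cve_id, f.score, f.discovered.isoformat()))
            lines.append("  affected: %s" % ", ".join(f.affected_systems))
            lines.append("  impact: %s" % f.impact)
            lines.append("  remediation: %s" % f.remediation)
            if f.poc:
                lines.append("  PoC: %s" % f.poc)
    if rejected:
        lines.append("")
        lines.append("Entries needing correction before publication:")
        for cve, problems in rejected:
            lines.append("- %s: %s" % (cve, "; ".join(problems)))
    return "\n".join(lines)


# Constructed sample findings with placeholder CVE IDs (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("Outdated web server build", "CVE-0000-00001", date(2025, 5, 1), 7.5,
            "Sample description", "Remote code execution on the web tier",
            ["web01", "web02"], "Apply vendor patch; block port 8080 at the perimeter"),
    Finding("Weak TLS configuration", "CVE-0000-00002", date(2025, 5, 2), 5.3,
            "Sample description", "Loss of session confidentiality",
            ["vpn01"], "Disable legacy cipher suites in the TLS configuration"),
    Finding("Verbose error page", "CVE-0000-00003", date(2025, 5, 3), 3.1,
            "Sample description", "Information disclosure", ["web01"],
            "Turn off debug output in production"),
    Finding("Entry with a typo in its ID", "CVE-0000-1", date(2025, 5, 4), 11.0,
            "Sample description", "n/a", [], ""),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Rejecting an entry rather than silently placing it in a severity bucket is the point of the validation step: a score of 11.0 or an ID that no CVE database will resolve means the entry cannot be cross-checked by the stakeholders the report is written for, so it is surfaced for correction instead of published.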




References


 In this module, we have discussed:

▪ Various types of vulnerabilities, the CVSS vulnerability scoring system, and databases

▪ The vulnerability-management life cycle and vulnerability research

▪ Vulnerability scanning, vulnerability analysis, and various types of vulnerability scanning techniques

▪ Various vulnerability assessment solutions, along with their characteristics

▪ Various tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool

▪ We concluded with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning the network

▪ In the next module, we will discuss the methods attackers, as well as ethical hackers and pen testers, utilize to hack a system based on the information collected about a target of evaluation; for example, footprinting, scanning, enumeration, and vulnerability analysis phases






Via https://blog.51sec.org/2025/05/cehv13-notes-module-05-vulnerability.html

Execute Database (MySQL) Compliance Check Using Tenable Nessus

5/18/2025

Top 8 Security Metrics Matters In Current Cyber Landscape

5/12/2025
