WEBVTT

00:00.000 --> 00:02.610
>> Vulnerability assessments.

00:02.610 --> 00:05.040
The learning objectives
for this lesson are to

00:05.040 --> 00:07.695
define the different vulnerability
assessment approaches,

00:07.695 --> 00:10.890
to explore various
vulnerability analysis methods,

00:10.890 --> 00:12.540
and to evaluate different types

00:12.540 --> 00:14.040
of vulnerability analysis tools.

00:14.040 --> 00:16.800
Let's get started. When we're

00:16.800 --> 00:18.555
talking about
vulnerability analysis,

00:18.555 --> 00:21.600
what we're trying to do is
find the bugs or holes,

00:21.600 --> 00:24.680
or vulnerabilities before
an attacker does so

00:24.680 --> 00:26.180
this lesson is geared
towards showing you

00:26.180 --> 00:28.355
the many different ways
that we can do that.

00:28.355 --> 00:30.200
Sometimes it's going to
deal with source code,

00:30.200 --> 00:32.105
sometimes it's going
to deal with networks,

00:32.105 --> 00:33.530
but they're all trying

00:33.530 --> 00:34.970
to achieve the same
goal and that's

00:34.970 --> 00:39.015
finding a vulnerability
before an attacker does.

00:39.015 --> 00:40.835
I also want to note that

00:40.835 --> 00:43.505
penetration testing
is a subset of this,

00:43.505 --> 00:44.765
where we would engage

00:44.765 --> 00:47.330
either an internal team
such as a red team or

00:47.330 --> 00:49.760
a third party
company to simulate

00:49.760 --> 00:51.320
an attack on our environment

00:51.320 --> 00:52.835
the way an attacker might do.

00:52.835 --> 00:54.410
Some of the areas
of this lesson are

00:54.410 --> 00:56.020
specific to penetration testing,

00:56.020 --> 00:57.170
and when we get to those areas,

00:57.170 --> 00:58.700
I'll let you know that these are

00:58.700 --> 01:00.805
specific to a penetration test.

01:00.805 --> 01:03.605
We're going to get started
with a static analysis.

01:03.605 --> 01:06.215
This is when we manually
review source code

01:06.215 --> 01:08.930
looking for any errors or bugs,

01:08.930 --> 01:10.400
and we can also use

01:10.400 --> 01:12.630
software to help us
automate this process,

01:12.630 --> 01:14.570
but the key is we're
looking at the source code

01:14.570 --> 01:18.125
itself and not the application
while it's in use.

01:18.125 --> 01:21.890
But a dynamic analysis is when
the application is in use.

01:21.890 --> 01:23.390
We will be able to go

01:23.390 --> 01:25.100
through and see if there
are any issues with

01:25.100 --> 01:28.670
the program or the system
and collect data that way.

01:28.670 --> 01:31.310
A side-channel analysis
is when we inspect

01:31.310 --> 01:33.910
a system or the software
while it's running,

01:33.910 --> 01:37.310
but we do this by analyzing
the data that it produces.

01:37.310 --> 01:38.960
A good example of
this would be to use

01:38.960 --> 01:41.210
a sniffer to capture
network traffic from

01:41.210 --> 01:43.010
an application so
that we can see

01:43.010 --> 01:46.455
what information that app is
putting onto the network.

01:46.455 --> 01:49.990
Reverse engineering is when
we deconstruct software,

01:49.990 --> 01:52.855
but sometimes hardware
to see how it functions.

01:52.855 --> 01:54.940
When malware is
being deconstructed

01:54.940 --> 01:56.970
to see what exploits
are included with it,

01:56.970 --> 01:59.960
this is a good example
of reverse engineering.

02:00.390 --> 02:03.500
We can also do a wireless
vulnerability scan.

02:03.500 --> 02:05.020
This is to help us look for

02:05.020 --> 02:07.015
any misconfigurations
we might have,

02:07.015 --> 02:10.315
but we can also use it to
find our signal coverage.

02:10.315 --> 02:12.055
Oftentimes people think that

02:12.055 --> 02:14.020
the wireless signal stops where

02:14.020 --> 02:16.490
the walls of the building
stop, but that's not the case.

02:16.490 --> 02:18.550
We want to find
out how far beyond

02:18.550 --> 02:21.010
the building does our
wireless signal emanate.

02:21.010 --> 02:23.050
But a wireless
vulnerability scan can also

02:23.050 --> 02:24.880
help us to find any areas of

02:24.880 --> 02:26.380
our network that might
be vulnerable to

02:26.380 --> 02:29.270
common attacks such
as Reaver or Krack.

02:29.270 --> 02:32.360
We can also do a software
composition analysis

02:32.360 --> 02:33.605
and this is when we're

02:33.605 --> 02:35.560
inspecting the source
code of an app

02:35.560 --> 02:39.020
but we're looking for the
open-source components that

02:39.020 --> 02:40.580
we might have included with it

02:40.580 --> 02:42.845
and they themselves may
have vulnerabilities.

02:42.845 --> 02:44.240
Oftentimes when you're coding,

02:44.240 --> 02:46.550
you might include
third-party libraries.

02:46.550 --> 02:48.080
If those third-party libraries

02:48.080 --> 02:49.205
haven't been properly checked,

02:49.205 --> 02:50.840
they may have their
own vulnerabilities

02:50.840 --> 02:52.595
and then when we include
those with our app,

02:52.595 --> 02:55.800
we're introducing those
into our application.

02:56.980 --> 03:01.060
Fuzzing is a black-box
testing method that

03:01.060 --> 03:05.060
it on purpose injects malformed
data into an application.

03:05.060 --> 03:06.350
The purpose of this is to

03:06.350 --> 03:09.065
see how the application
is going to handle it.

03:09.065 --> 03:11.195
Is it going to reveal
sensitive information?

03:11.195 --> 03:13.415
Is it going to cause the
application to crash?

03:13.415 --> 03:15.320
We need to find these
things out ahead of

03:15.320 --> 03:16.910
time because fuzzing tools

03:16.910 --> 03:18.560
are very common for attackers

03:18.560 --> 03:20.240
to launch against web apps,

03:20.240 --> 03:22.475
and we need to do
this ahead of time.

03:22.475 --> 03:24.350
Pivoting is one of
those items that's

03:24.350 --> 03:26.170
specific to a penetration test

03:26.170 --> 03:27.920
and this is once an attacker has

03:27.920 --> 03:30.470
exploited one particular
system on a network,

03:30.470 --> 03:32.510
they will use that
to target others,

03:32.510 --> 03:34.550
but the goal is
to move closer to

03:34.550 --> 03:37.115
their own goal
inside that network.

03:37.115 --> 03:39.350
For example, maybe a workstation

03:39.350 --> 03:41.540
was compromised because
of a phishing attack,

03:41.540 --> 03:43.460
but the end goal for
this attacker is

03:43.460 --> 03:45.440
to get to the Active Directory.

03:45.440 --> 03:48.260
So they will pivot to
another target that is

03:48.260 --> 03:52.290
closer in the network to that
Active Directory server.

03:54.470 --> 03:57.560
Post exploitation and
persistence are also

03:57.560 --> 04:00.170
examples of parts of
a penetration test.

04:00.170 --> 04:02.510
The post exploitation is
when the attacker will

04:02.510 --> 04:04.670
use additional work to
ensure that they are

04:04.670 --> 04:06.860
maintaining their
access and also

04:06.860 --> 04:09.250
to get additional data or
resources on the network.

04:09.250 --> 04:12.140
Whereas persistence is
ensuring that they are able

04:12.140 --> 04:15.400
to stay in the environment
and remain undetected.

04:15.400 --> 04:17.105
Once an attacker gets in,

04:17.105 --> 04:18.950
they've exploited a
particular vulnerability,

04:18.950 --> 04:20.225
and they're on a device.

04:20.225 --> 04:21.560
They want to ensure
that they have

04:21.560 --> 04:22.910
another way into the network.

04:22.910 --> 04:26.440
In case that one vulnerability
is ever patched,

04:26.440 --> 04:27.350
they want to make sure they have

04:27.350 --> 04:28.700
another way of getting in.

04:28.700 --> 04:31.590
That would be an
example of persistence.

04:32.560 --> 04:35.855
Let's talk about some
vulnerability analysis tools.

04:35.855 --> 04:37.880
First, we have the
protocol analyzer.

04:37.880 --> 04:40.775
This is used to capture
network traffic for analysis.

04:40.775 --> 04:44.225
A common example of this
is Wireshark or Tcpdump.

04:44.225 --> 04:46.855
A network traffic analyzer

04:46.855 --> 04:49.445
is a little different
from a protocol analyzer,

04:49.445 --> 04:52.790
but it's designed to analyze
data captured by a sensor.

04:52.790 --> 04:55.400
A good example of this is Zeek.

04:55.400 --> 04:58.040
A port scanner looks
for services that are

04:58.040 --> 05:00.190
running on ports on
a specific system.

05:00.190 --> 05:02.840
We want to see if
port 80 is open,

05:02.840 --> 05:05.090
if port 443 is open,

05:05.090 --> 05:07.550
but we can also scan to see
if other ports were left

05:07.550 --> 05:09.260
open that didn't intend

05:09.260 --> 05:11.285
to be left open by
the administrator.

05:11.285 --> 05:13.490
A good example of a
port scanner is Nmap,

05:13.490 --> 05:15.760
and that's actually what's
shown in the screen here.

05:15.760 --> 05:20.530
HTTP interceptor; this will
capture the HTTP or HTTPs

05:20.530 --> 05:23.060
traffic between hosts and

05:23.060 --> 05:25.295
the web server to
inspect that data.

05:25.295 --> 05:26.750
What we're trying to do is,

05:26.750 --> 05:28.370
can we see any of

05:28.370 --> 05:31.250
that information that maybe
normally shouldn't be seen,

05:31.250 --> 05:33.050
and are we able to use that

05:33.050 --> 05:34.610
to help us exploit the server?

05:34.610 --> 05:37.830
A good example of this
software would be Burp Suite.

05:39.080 --> 05:41.685
Next we have the SCAP scanner.

05:41.685 --> 05:43.520
This uses SCAP to compare

05:43.520 --> 05:46.750
a scanned device
against SCAP baselines.

05:46.750 --> 05:49.020
What we're trying to do is we

05:49.020 --> 05:51.230
have our established
SCAP baselines,

05:51.230 --> 05:52.820
and we want to see
where our systems

05:52.820 --> 05:54.260
are in comparison to that.

05:54.260 --> 05:57.515
The DoD SCAP scanner is
a good example of this.

05:57.515 --> 06:00.350
A vulnerability scanner
will scan devices

06:00.350 --> 06:03.320
for a database of
known vulnerabilities,

06:03.320 --> 06:05.540
some misconfiguration issues,

06:05.540 --> 06:08.525
and any other numerous issues.

06:08.525 --> 06:10.510
A good example of
this is Nessus.

06:10.510 --> 06:12.095
I highly recommend you

06:12.095 --> 06:14.420
download Nessus and play
with it because it will

06:14.420 --> 06:16.880
really show you a
lot of areas of

06:16.880 --> 06:18.410
your network that maybe you

06:18.410 --> 06:20.870
didn't think about that
might need to be addressed.

06:20.870 --> 06:22.405
Then we also have exploit

06:22.405 --> 06:24.500
frameworks and these
are a collection of

06:24.500 --> 06:26.060
tools that are designed

06:26.060 --> 06:28.255
for exploiting
systems and software.

06:28.255 --> 06:30.465
They have a large number

06:30.465 --> 06:34.550
of exploits already built
into them so that we

06:34.550 --> 06:37.340
can exploit vulnerabilities and

06:37.340 --> 06:38.510
the two most common are

06:38.510 --> 06:40.220
Metasploit and
PowerShell Empire but

06:40.220 --> 06:43.010
these will both contain
many ways to get

06:43.010 --> 06:44.330
into many different types of

06:44.330 --> 06:47.250
systems and different
applications.

06:49.070 --> 06:51.765
They also have
password crackers.

06:51.765 --> 06:53.570
These are designed
to help us crack

06:53.570 --> 06:55.880
passwords from a
variety of sources,

06:55.880 --> 06:58.010
and you might have
hashes that are

06:58.010 --> 07:00.470
collected from a Active
Directory server,

07:00.470 --> 07:03.200
you might have a
wireless password hash,

07:03.200 --> 07:05.180
but regardless,
all of those need

07:05.180 --> 07:07.699
to be cracked at some point.

07:07.699 --> 07:10.400
>> You can use several
methods to do this,

07:10.400 --> 07:11.780
but the two most common would be

07:11.780 --> 07:13.955
a brute force attack or
a dictionary attack.

07:13.955 --> 07:16.430
You can also do a combination
attack of the two.

07:16.430 --> 07:17.900
But a brute force will try

07:17.900 --> 07:20.270
every possible combination of

07:20.270 --> 07:21.890
whatever you've set it up to do.

07:21.890 --> 07:23.900
It could be all
numbers, all letters,

07:23.900 --> 07:27.320
all uppercase letters, or
however you set it up.

07:27.320 --> 07:29.120
This is very time-consuming,

07:29.120 --> 07:31.550
and for longer
passwords this can

07:31.550 --> 07:35.165
become very difficult and
almost impossible to do.

07:35.165 --> 07:37.595
That's why we have
dictionary attacks as well.

07:37.595 --> 07:40.910
There are large dictionary
files available online of

07:40.910 --> 07:42.530
the most common
passwords that have

07:42.530 --> 07:44.495
been captured through breaches.

07:44.495 --> 07:48.820
This is typically the
first method that is used.

07:48.820 --> 07:50.380
But again there's another
method where you can

07:50.380 --> 07:52.315
even custom tailor
the dictionary

07:52.315 --> 07:56.210
to be specific to who
you're targeting.

07:56.210 --> 07:57.785
If you have information
about them,

07:57.785 --> 08:00.500
such as your parents' name,

08:00.500 --> 08:01.610
children's name, birthdays,

08:01.610 --> 08:02.780
that type of thing, that you

08:02.780 --> 08:04.235
can feed in and then generate

08:04.235 --> 08:07.445
a password list to make it
more specific to a person.

08:07.445 --> 08:09.245
But good examples of

08:09.245 --> 08:11.960
password crackers are
Hashcat and John the Ripper.

08:11.960 --> 08:13.580
We also use Mimikatz,

08:13.580 --> 08:15.680
which is not itself
a password cracker,

08:15.680 --> 08:17.240
but it's a very good tool for

08:17.240 --> 08:19.055
being able to dump hashes from

08:19.055 --> 08:23.390
Windows machines so that we
can feed those into Hashcat.

08:23.390 --> 08:25.250
Dependency management is when

08:25.250 --> 08:26.750
we're evaluating the
vulnerabilities in

08:26.750 --> 08:28.640
third-party libraries
and components

08:28.640 --> 08:31.140
of software and hardware.

08:33.580 --> 08:37.850
Now these items are specific
to a penetration test.

08:37.850 --> 08:40.130
When you have a
penetration test you have

08:40.130 --> 08:42.200
several components that are

08:42.200 --> 08:44.870
outlining what you
can and can't do.

08:44.870 --> 08:46.940
We're going to start off
with the scope of work.

08:46.940 --> 08:50.270
What is allowed, what time
are you allowed to do it,

08:50.270 --> 08:52.025
and what are off-limits.

08:52.025 --> 08:53.690
Some devices on the network

08:53.690 --> 08:55.280
may be off-limits
because if they

08:55.280 --> 08:56.990
were to crash in the
penetration test

08:56.990 --> 08:58.625
it would do damage
to the network,

08:58.625 --> 09:00.905
and a company can't allow that.

09:00.905 --> 09:02.360
You also want to be able to

09:02.360 --> 09:05.030
know what time of day
you're allowed to work.

09:05.030 --> 09:06.530
Sometimes you may not want

09:06.530 --> 09:08.450
those attacks to take place
during business hours,

09:08.450 --> 09:09.620
or you might not
want them to take

09:09.620 --> 09:11.960
place outside of business hours.

09:11.960 --> 09:14.210
Next we have the
rules of engagement.

09:14.210 --> 09:16.235
This defines the manner in which

09:16.235 --> 09:18.800
all of the assessments
will occur.

09:18.800 --> 09:21.650
It includes the type of testing
that we're going to do.

09:21.650 --> 09:23.330
We also need the
contact information

09:23.330 --> 09:24.905
of all parties involved,

09:24.905 --> 09:27.830
and how the penetration
testers are going to handle

09:27.830 --> 09:29.780
any sensitive
information that they

09:29.780 --> 09:32.120
might come across while
performing their test.

09:32.120 --> 09:33.650
Then it also describe

09:33.650 --> 09:36.290
the report formats that are
needed once the test is

09:36.290 --> 09:38.240
concluded how these
reports need to

09:38.240 --> 09:42.750
be put together so they can
be given to management.

09:43.030 --> 09:46.040
Invasive versus non-invasive is

09:46.040 --> 09:49.385
how far a test is allowed
to go on systems.

09:49.385 --> 09:50.855
Sometimes you might want to

09:50.855 --> 09:53.180
show that a
vulnerability is there,

09:53.180 --> 09:55.835
but you might not want to
have the testers exploit it,

09:55.835 --> 09:59.150
because exploiting it could
increase the risk that

09:59.150 --> 10:01.190
a device may crash or it

10:01.190 --> 10:03.725
may produce undesirable
side effects.

10:03.725 --> 10:05.690
We want to make sure
that we have all

10:05.690 --> 10:07.610
of that documented
ahead of time,

10:07.610 --> 10:10.745
that everyone knows how
far they're allowed to go.

10:10.745 --> 10:12.920
Then lastly we have our assets.

10:12.920 --> 10:16.880
The company would ideally
need to provide a list

10:16.880 --> 10:18.770
of the devices that they

10:18.770 --> 10:20.720
want the testers
to perform a test.

10:20.720 --> 10:23.630
But sometimes you also allow
them to do a blind test

10:23.630 --> 10:25.160
where the testers are

10:25.160 --> 10:27.110
not given any information
ahead of time,

10:27.110 --> 10:29.510
so that it more closely

10:29.510 --> 10:33.335
resembles what an attacker
in the wild would do.

10:33.335 --> 10:34.820
They don't really
know what the inside

10:34.820 --> 10:35.840
of your network looks like,

10:35.840 --> 10:37.805
so if you really
want to make sure

10:37.805 --> 10:40.670
that it's as realistic
as possible,

10:40.670 --> 10:42.395
oftentimes we do blind tests.

10:42.395 --> 10:44.300
But you want all of that

10:44.300 --> 10:46.490
defined upfront in the document,

10:46.490 --> 10:48.560
so that again, everyone is
on the same page on this.

10:48.560 --> 10:50.270
Because the ramifications of

10:50.270 --> 10:51.380
doing something incorrectly,

10:51.380 --> 10:52.775
attacking the wrong system,

10:52.775 --> 10:55.685
taking a system down that
is critical, are massive.

10:55.685 --> 10:57.650
We want to make sure that
all of that is defined

10:57.650 --> 11:00.185
ahead of time and everyone
knows what's going on.

11:00.185 --> 11:01.460
But this also serves as

11:01.460 --> 11:03.950
the typical get out of
the jail free card,

11:03.950 --> 11:06.050
where if you were caught

11:06.050 --> 11:08.285
doing something that you
have a way of saying,

11:08.285 --> 11:10.190
"Look, I'm supposed
to be doing this,

11:10.190 --> 11:11.720
I'm allowed to do this,"
so that you don't end

11:11.720 --> 11:14.250
up in a federal penitentiary.

11:18.940 --> 11:20.990
We also want to
make sure that we

11:20.990 --> 11:22.625
have permissions and access.

11:22.625 --> 11:24.080
Are there any materials that

11:24.080 --> 11:25.220
we're going to
need to provide to

11:25.220 --> 11:26.450
the testers so they complete

11:26.450 --> 11:28.355
their assessments
such as ID badges?

11:28.355 --> 11:29.540
Are we going to
make sure they have

11:29.540 --> 11:31.085
background checks ahead of time?

11:31.085 --> 11:33.440
All of that needs to
be documented as well.

11:33.440 --> 11:36.440
We also want to have our
facility considerations

11:36.440 --> 11:37.745
taken into account.

11:37.745 --> 11:40.445
Are the assessments going
to be done on site?

11:40.445 --> 11:41.300
Are we going to be doing

11:41.300 --> 11:43.445
any physical
penetration testing?

11:43.445 --> 11:45.545
Which we'll go into
the next item.

11:45.545 --> 11:49.070
But if we're having people
on-site to do things,

11:49.070 --> 11:50.975
do they need to be escorted
throughout the building?

11:50.975 --> 11:53.360
Are they going to be working
from one particular office,

11:53.360 --> 11:56.450
or are we going to allow them
more access to do things so

11:56.450 --> 11:58.070
that it more closely

11:58.070 --> 12:00.810
stimulates what an actual
attack would look like?

12:00.810 --> 12:03.460
Next we have our physical
security considerations.

12:03.460 --> 12:05.620
Are we assessing our
physical security

12:05.620 --> 12:07.135
in this particular assessment?

12:07.135 --> 12:09.410
If so we need to make

12:09.410 --> 12:11.840
sure we have that signed
get out of jail free card.

12:11.840 --> 12:13.970
It's so important to
have this ahead of time,

12:13.970 --> 12:16.580
because when you're physically
breaking into a building,

12:16.580 --> 12:19.355
whether you're picking the
lock on the back door,

12:19.355 --> 12:21.725
or you're trying
to bypass cameras,

12:21.725 --> 12:23.390
or any number of things.

12:23.390 --> 12:25.490
Those things look like

12:25.490 --> 12:27.800
what an actual burglar
would be doing,

12:27.800 --> 12:29.540
and a lot of people
may misinterpret it.

12:29.540 --> 12:31.640
Security guards may be
calling the police.

12:31.640 --> 12:32.930
If you're going to be doing

12:32.930 --> 12:34.729
any physical security
considerations

12:34.729 --> 12:36.005
you want to make sure that

12:36.005 --> 12:38.540
that get out of jail free
card is really front

12:38.540 --> 12:41.075
and center on this because
it's really important.

12:41.075 --> 12:43.385
It's equally important on
the network side as well.

12:43.385 --> 12:45.710
But with physical security
so many things could go

12:45.710 --> 12:48.050
wrong because people can
see what's happening.

12:48.050 --> 12:50.480
Whereas on a network assessment

12:50.480 --> 12:52.070
it's a lot harder for people to

12:52.070 --> 12:54.410
detect and see what's going
on as opposed to someone

12:54.410 --> 12:57.440
trying to pick the lock on
a backdoor on a dark night.

12:57.440 --> 12:59.420
Then afterwards we want
to make sure we have

12:59.420 --> 13:02.420
a consideration in for our
rescan for corrections.

13:02.420 --> 13:04.805
After the pen test
has been performed,

13:04.805 --> 13:07.790
we want the site to be able
to perform a remediation.

13:07.790 --> 13:09.680
After that remediation has been

13:09.680 --> 13:11.270
performed on their network,

13:11.270 --> 13:12.755
we will need to scan it again

13:12.755 --> 13:14.689
to show that those remediations

13:14.689 --> 13:16.280
actually solve the
problems that we

13:16.280 --> 13:19.170
identified in that
penetration test.

13:19.570 --> 13:22.550
Let's summarize. We went

13:22.550 --> 13:24.455
over vulnerability
analysis approaches,

13:24.455 --> 13:26.990
and we also discussed
vulnerability analysis methods

13:26.990 --> 13:28.355
and analysis tools.

13:28.355 --> 13:31.355
Then we discussed vulnerability
analysis dependencies.

13:31.355 --> 13:33.990
Let's do some example questions.

13:34.630 --> 13:39.620
Question 1, which type of
tool is used to capture HTTP

13:39.620 --> 13:44.760
or HTTPS traffic between hosts
to inspect or modify it?

13:44.950 --> 13:49.535
An HTTP interceptor. Question 2,

13:49.535 --> 13:51.500
blank describes how an attacker

13:51.500 --> 13:53.090
uses a system that has already

13:53.090 --> 13:54.920
been compromised to access

13:54.920 --> 13:57.660
another within the
same organization.

13:57.880 --> 14:02.075
Pivoting. Question 3.

14:02.075 --> 14:03.950
This type of analysis uses

14:03.950 --> 14:07.350
vulnerability scanning
while a system is running.

14:07.930 --> 14:13.070
Dynamic analysis. Question 4.

14:13.070 --> 14:14.840
Black box testing method that

14:14.840 --> 14:18.030
purposely inputs malformed data.

14:18.220 --> 14:21.320
Fuzz testing. Hope this lesson

14:21.320 --> 14:24.210
was helpful for you, and I'll
see you in the next one.