WEBVTT

00:00.210 --> 00:06.480
No matter how hard you work, no matter how much you patch, no matter how many security controls you apply,

00:06.840 --> 00:11.690
you're not going to know that you're really out of the woods until you check.

00:11.940 --> 00:16.530
And that is what a vulnerability assessment is all about.

00:16.530 --> 00:23.670
A vulnerability assessment is an action we do, and we use vulnerability assessment tools to actually

00:23.670 --> 00:25.320
go about that process.

00:25.320 --> 00:31.380
So what I want to do in this episode is actually go through some of the tools we use to perform a vulnerability

00:31.380 --> 00:33.210
assessment.

00:33.220 --> 00:37.870
Now the challenge we run into is that today's infrastructures are complicated.

00:37.870 --> 00:43.460
Not only do we have our local area networks, we have wireless, we've got cloud servers.

00:43.630 --> 00:50.980
We've got phones, we've got all kinds of stuff that can make an aggressive vulnerability assessment very,

00:50.980 --> 00:52.140
very challenging.

00:52.150 --> 00:56.600
However, there are a lot of tools that are incredibly simple when it comes to vulnerability assessment.

00:56.710 --> 00:57.770
Let me show you right here.

01:02.360 --> 01:07.270
So here I'm just running traceroute. If you take a look, I've done a traceroute of

01:07.280 --> 01:08.140
totalsem.com.

01:08.360 --> 01:12.460
And if you look, you can see, you know, what my internal LAN addresses are.

01:12.500 --> 01:17.510
You can see what my forward-facing IP address is, my public address.

01:17.510 --> 01:19.670
That's why I've got it grayed out.

01:19.670 --> 01:25.190
And you can also see things like, for example, I'm using Comcast. So even a simple tool like traceroute

01:25.220 --> 01:32.650
gives me a lot of good information about the network, and I can use that as a tool to be part of my assessment.

01:32.750 --> 01:38.300
Now, simple tools like this are great, but a lot of times we find ourselves in a situation where we want

01:38.300 --> 01:40.050
to use scanning tools.

01:40.100 --> 01:43.370
Now we use the word scanner fairly loosely here.

01:43.370 --> 01:50.420
A lot of times we hear the words port scanner or port analyzer. These are all fairly interconnecting

01:50.420 --> 01:51.120
terms.

01:51.230 --> 01:52.730
But let's take a look at a couple of them.

01:52.730 --> 01:56.880
The first one I want to show you is called Advanced IP Scanner.

01:56.990 --> 01:59.700
This is a wonderful freeware tool; it's been around forever.

01:59.900 --> 02:03.950
And what I've done is I've had it go through and scan this network. Because I ran the traceroute,

02:03.950 --> 02:08.750
I know what the internal network ID is, so I'm going to have to run that.

02:08.870 --> 02:13.970
And tools like this will actually not only let me see the systems, but it'll tell me what kind of NIC

02:13.970 --> 02:20.790
I've got in there, MAC address, IP address, whatever the Windows name is for that particular system.

02:20.990 --> 02:25.790
And I can even get a pull-down like this, and I can see that this particular system is running a web server

02:25.790 --> 02:27.810
and it's sharing a couple of folders.

02:28.130 --> 02:30.190
Now, is this a good thing or a bad thing?

02:30.200 --> 02:34.460
I don't know, but I'm going to have to go to that system and actually check it out.

02:34.460 --> 02:40.130
Now, port scanners are not unique to Windows. In fact, probably one of the most famous ones out there is

02:40.130 --> 02:41.990
the tool Nmap.

02:41.990 --> 02:45.320
So I've got Nmap running over here on my Linux box.

02:45.470 --> 02:50.810
And that's a bit of a challenge, because with Nmap, to simply call it a port scanner is almost unfair. It's

02:50.810 --> 02:56.150
an incredibly powerful network discovery tool, and unfortunately that takes a little bit of learning.

02:56.150 --> 03:01.940
So you can see you have to type in these fairly esoteric commands, and I'm basically telling Nmap to

03:01.940 --> 03:07.230
go out there, find everybody on the network, and tell me what open ports they're running.

03:07.400 --> 03:13.540
And as you go through it, you can see it does all kinds of amazing output as it's going through. Look

03:13.540 --> 03:20.880
at all these open ports it's discovered, lots and lots of open ports, and even got different certificates

03:20.880 --> 03:24.920
out there, which I'm going to scroll through because I don't want you guys seeing my certificates.

03:25.020 --> 03:28.860
But the bottom line is that these types of tools perform

03:28.920 --> 03:35.730
network discovery. Network discovery is great, but network discovery by itself is not really a vulnerability

03:35.730 --> 03:36.410
assessment.

03:36.450 --> 03:42.880
If we go back over and take a look at Advanced IP Scanner one more time, you'll see it's running HTTP,

03:43.070 --> 03:44.390
but you'll see that it's running

03:44.390 --> 03:47.650
IIS, so it's running the Windows web server.

03:47.660 --> 03:53.020
So is it running the latest version of IIS? Are we using good passwords?

03:53.060 --> 03:54.760
I don't know, that kind of stuff.

03:54.770 --> 04:01.190
So what I need is a more advanced tool, beyond a simple port scanner, that can actually go into the system

04:01.340 --> 04:03.260
and check this stuff out in detail.

04:03.410 --> 04:05.750
Luckily for us, that's a Windows system.

04:05.750 --> 04:13.340
And luckily for us, Microsoft provides an amazing tool called the Microsoft Baseline Security Analyzer.

04:13.340 --> 04:18.430
So I've already run MBSA on this system.

04:18.470 --> 04:22.300
So what we're looking at is the Microsoft Baseline Security Analyzer.

04:22.310 --> 04:27.600
Microsoft has built up the famous Microsoft Knowledge Base for decades now.

04:27.830 --> 04:34.880
And the Microsoft Knowledge Base is a list of problems within the Microsoft Windows product line and

04:34.910 --> 04:39.770
the types of patches and fixes that Microsoft has applied over all these many years.

04:39.800 --> 04:47.540
So tools like MBSA can actually refer to the Microsoft knowledge database and look at the system

04:47.540 --> 04:51.660
that it's run on and make a determination of what vulnerabilities it has.

04:51.830 --> 04:58.300
So as we take a look at this, you'll see that it's run a security scan, and you can see it has the severity

04:58.300 --> 04:59.830
index: red is really bad.

04:59.830 --> 05:02.190
Yellow is "be aware this is here."

05:02.230 --> 05:03.890
Green is just informative.

05:03.900 --> 05:05.350
So if we take a look in great detail,

05:05.350 --> 05:10.350
you can see it says a security update is missing, or lots of security updates are missing.

05:10.350 --> 05:14.720
In fact, if we come down here, the Automatic Updates feature hasn't even been configured.

05:14.720 --> 05:19.480
You're absolutely right, because I've turned it off, and they're letting me know that there is a problem.

05:19.570 --> 05:23.170
Here's good information, for example: Windows Firewall is enabled.

05:23.410 --> 05:25.960
But there are exceptions configured. Well, yeah, there are.

05:25.960 --> 05:30.460
Because I needed this system to run some exceptions for some of the programs that it's running.

05:30.610 --> 05:36.140
But what we have here is a tool that knows the Windows operating system, knows the applications,

05:36.160 --> 05:42.910
the Microsoft applications running on it, and can give us a report that allows us to do a really good

05:43.000 --> 05:46.710
vulnerability assessment on this particular system.

05:46.810 --> 05:52.750
So tools like MBSA are fantastic when you've got an individual Windows system that you want to check

05:52.750 --> 05:53.420
out.

05:53.530 --> 05:58.680
The problem that we run into, though, is what are we going to do if I've got an entire network?

05:58.750 --> 06:05.260
What are we going to do if I've got not only Windows systems, but Linux boxes and Cisco routers and wireless

06:05.260 --> 06:08.170
access points and all kinds of stuff out there?

06:08.320 --> 06:14.590
In that case, we have to turn to what are known generically as vulnerability assessment tools. Vulnerability

06:14.590 --> 06:20.740
assessment tools are incredibly powerful tools that can go out and look at your entire infrastructure.

06:21.040 --> 06:26.120
While none of them are perfect, some of them are pretty good, and just as we saw with MBSA

06:26.140 --> 06:30.310
for one system, it can do it for your entire infrastructure.

06:30.340 --> 06:31.960
There's lots of them out there.

06:31.960 --> 06:37.660
But when we're talking about a simple, normal network, one like here at Total Seminars, we've got one broadcast

06:37.660 --> 06:43.450
domain, and we've got an internet service provider connection, and we've got a couple of wireless access

06:43.450 --> 06:45.060
points for folks like that.

06:45.060 --> 06:50.170
There's probably three tools that you're going to turn to: Nessus by Tenable Network Security,

06:50.170 --> 06:56.760
Nexpose by Rapid7, and OpenVAS, which is freeware, so it's from the OpenVAS community.

06:56.920 --> 06:58.520
Now these are all great tools.

06:58.630 --> 07:03.780
To me they're highly interchangeable, but I want to show you one in particular, and that is OpenVAS.

07:03.880 --> 07:10.420
Now, this is the Greenbone Security Assistant. The Greenbone Security Assistant is simply the web

07:10.510 --> 07:17.140
front end for OpenVAS. OpenVAS itself is running somewhere on my network in a virtual machine.

07:17.140 --> 07:18.340
I don't even care about that.

07:18.400 --> 07:23.320
But what I do is I can get to it and do whatever I need to through this web interface.

07:23.320 --> 07:23.730
All right.

07:23.890 --> 07:29.620
Now what I've done is, you see, I've actually already scanned one system. OpenVAS would allow me to scan

07:29.620 --> 07:32.650
my entire network; it would take a while, but it could do it.

07:32.680 --> 07:36.850
However, I just scanned one system, and I want you to be able to see the output.

07:36.850 --> 07:42.870
So let's take a look at the output here, and you'll see, just like we saw within MBSA, you see we've

07:42.870 --> 07:48.460
got the severity indexes, but you'll notice that these problems are very, very different.

07:48.540 --> 07:53.040
SMBv1 unspecified remote code execution, Shadow Brokers.

07:53.640 --> 07:56.580
OK, where do they get all this stuff?

07:56.580 --> 08:01.510
Basically, what takes place is that organizations like, for example, let me show you right here,

08:01.800 --> 08:09.380
the National Vulnerability Database create databases of vulnerabilities, tens of thousands of vulnerabilities,

08:09.750 --> 08:16.110
and these powerful tools like OpenVAS access these databases, which are completely free and open to the

08:16.110 --> 08:22.470
public, and they will scan a system, look for problems that are known for a Windows system,

08:23.460 --> 08:26.970
check those out, and then make a determination of what we need to do.

08:26.970 --> 08:29.630
So it's a very, very clever way of handling these things.

08:29.850 --> 08:32.880
And that's where OpenVAS gets this information.

08:32.880 --> 08:37.080
So does Nessus, so does Nexpose; everybody uses these same databases.

08:38.330 --> 08:47.160
The cool part to all this is that a tool like this isn't necessarily going to fix this stuff.

08:47.160 --> 08:51.810
Remember, what we're going to be doing is a vulnerability assessment, not a vulnerability repair.

08:51.810 --> 08:57.140
And the only job that these tools have is to let you know that these things are taking place.

08:57.150 --> 09:02.820
It's up to you as an I.T. person to actually make those fixes.
