Identifying Vulnerabilities Using Internet-wide Scanning Data
1. Identifying Vulnerabilities Using
Internet-wide Scanning Data
Jamie O’Hare, Rich Macfarlane & Owen Lo
12th International Conference on Global Security, Safety and Sustainability
17th January 2019
London, United Kingdom
2. Abstract
Through Contactless Active Reconnaissance it is
possible to identify services as being susceptible to
known-vulnerabilities.
The vulnerability identification functionality in these
Internet-wide scanning tools is currently limited.
Through the creation of Scout, which combines data from Censys and the National Vulnerability
Database, greater functionality can be achieved.
Scout identifies vulnerabilities with an effectiveness score of up to 74 percent when compared to OpenVAS.
3. Background
The most common way to identify known-vulnerabilities in
a service is through the use of vulnerability
assessment tools such as OpenVAS and Nessus,
typically as part of the active reconnaissance phase
of an engagement.
These tools aggressively scan networks and
interrogate operating network services. This can be
disruptive to the target network, and the scans take
considerable time and resources to perform.
Another way to identify known-vulnerabilities is
through the use of Internet-wide scanning projects
such as Shodan and Censys. These projects collate
lightweight active reconnaissance results from
services operating on publicly available IP addresses.
In an engagement this data may be used during passive
reconnaissance, since the target is never contacted directly.
Currently, these projects provide only limited vulnerability
identification functionality.
4. Research Question
This piece of work looks at exploring and evaluating this type of vulnerability
identification by building on the functionality of the Internet-wide scanning projects.
6. Methodology(2)
How do you get from Apache httpd 2.4.7 to
cpe:/a:apache:http_server:2.4.7?
Tokenise the banner and intersect its tokens with those of the candidate CPEs:
[ ‘apache’, ‘httpd’, ‘2.4.7’ ] ∩
[ ‘apache’, ‘http_server’, ‘2.4.6’ ]
[ ‘apache’, ‘http_server’, ‘2.4.7’ ]
[ ‘microsoft’, ‘iis’, ‘7.5’ ]
If no explicit match is found, fall back to Levenshtein distance.
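The banner-to-CPE step above, as an added worked example (this is illustrative code, not Scout's own implementation): a banner is tokenised, the token set is compared against a small CPE dictionary for an explicit match, and if none is found the nearest entry by Levenshtein distance is taken. The CPE dictionary and the `httpd` → `http_server` alias table are constructed for the example; a real tool would load the NVD CPE dictionary.

```python
"""Added example, not from the paper: banner -> CPE by token intersection,
with a Levenshtein-distance fallback when no explicit match exists."""
import re

# Constructed mini CPE dictionary of (vendor, product, version) triples.
# A real tool would load the full NVD CPE dictionary instead.
CPE_DICTIONARY = [
    ("apache", "http_server", "2.4.6"),
    ("apache", "http_server", "2.4.7"),
    ("apache", "http_server", "2.4.8"),
    ("apache", "cxf", "3.1.0"),
    ("microsoft", "iis", "7.5"),
    ("ffmpeg", "ffmpeg", "3.4"),
]

# Assumed alias table: scanners report "httpd", NVD names it "http_server".
ALIASES = {"httpd": "http_server"}


def tokenize(banner):
    """Lower-case a banner such as 'Apache httpd 2.4.7' and split it into
    tokens, applying the alias table so product names line up with NVD."""
    tokens = re.findall(r"[a-z0-9._-]+", banner.lower())
    return [ALIASES.get(t, t) for t in tokens]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def to_cpe(vendor, product, version):
    """Format a triple in the CPE 2.2 URI style used on the slide."""
    return f"cpe:/a:{vendor}:{product}:{version}"


def match_cpe(banner, dictionary=CPE_DICTIONARY):
    """Return (cpe, method). 'explicit' when every field of a dictionary
    entry appears among the banner tokens; otherwise 'levenshtein', the
    entry whose joined string is closest to the joined banner tokens."""
    tokens = set(tokenize(banner))
    for entry in dictionary:
        if set(entry) <= tokens:           # explicit token-set match
            return to_cpe(*entry), "explicit"
    # No explicit match: nearest dictionary entry by edit distance.
    joined = " ".join(tokenize(banner))
    best = min(dictionary, key=lambda e: levenshtein(joined, " ".join(e)))
    return to_cpe(*best), "levenshtein"


if __name__ == "__main__":
    # Constructed banners: one matches explicitly, one needs the fallback.
    for banner in ("Apache httpd 2.4.7", "Microsoft-IIS/7.5"):
        print(banner, "->", match_cpe(banner))
```

Note the caveat the results slide raises: this matching trusts the banner. A server that reports `Apache httpd 2.4.7` while running a backported, patched build still maps to `cpe:/a:apache:http_server:2.4.7`, and the Levenshtein fallback will always pick *some* nearest entry, so a wrong or unknown version is silently mapped to the closest known one rather than flagged.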
7. Related Work
A series of works by Genge and Enăchescu introduced
the novel idea of identifying vulnerabilities passively
through Internet-wide scanning data, culminating in
their tool known as ShoVAT.
ShoVAT takes Shodan input, creates CPEs, and then
associates them with known-vulnerabilities.
The methodology depends critically on identifying
version numbers, which are used to look up an entry
in a hash table of possible CPEs.
In the evaluation of ShoVAT, several experiments were
undertaken; however, these experiments cannot be
reproduced because too little data was given.
A criticism of the research published about ShoVAT is
that it focuses too heavily on the performance of the
tool over its accuracy.
[Figure residue from the Methodology slide: a version hash table keyed on ‘2.4.7’ listing neighbouring versions (…, 2.4.6, 2.4.7, 2.4.8, …) and a vendor/product list (…, ‘apache’ ‘cxf’; ‘apache’ ‘http_server’; ‘ffmpeg’ ‘ffmpeg’; …)]
8. Experiments
To comprehensively evaluate Scout, three separate
experiments were performed.
● CPE Manual Assessment
○ Compared with human performance.
● CPE Comparative Assessment
○ Compared with industry tools.
● CVE Assignment Assessment
○ Scanning the same service with both
an active and contactless active
vulnerability assessment tool.
For a test bed, services on Amazon Web
Services were used. For industry tools,
OpenVAS was used.
9. Results
Manual CPE Assessment
Success rate of 75%
Highlights the problems currently present
in the National Vulnerability Database
Comparative CPE Assessment
Scout outperforms OpenVAS!
Neither tool can decipher incorrect information in the scanned data
11. Future Work
Further develop the effectiveness and
usefulness of Scout.
Greater effectiveness could be achieved through
performing text analysis on NVD to identify
configuration specific vulnerabilities.
Greater usefulness could be achieved through
adoption of more data sources.
12. Conclusion
This research explored and evaluated vulnerability identification through the creation of a
contactless active reconnaissance tool known as Scout.
Scout’s design is informed by a critical analysis of the current Internet-wide scanning and
vulnerability database literature.
The experiments undertaken and the analysis performed were grounded in recent literature.
Avenues of future work include improving effectiveness and usefulness.