www.prismacsi.com
© All Rights Reserved.
1
Practical White Hat Hacker Training #4
Vulnerability Detection
This document may be quoted or shared, but cannot be modified or used for commercial purposes.
For more information, visit https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr
Topics
• What’s a vulnerability?
• What are the sources of vulnerabilities?
• Vulnerability Management Cycle
• Automated Vulnerability Scanners
• Vulnerability Databases
• Frequently used tools
• Applications
What is a Vulnerability?
• Vulnerabilities are defined as conditions in an application, service or protocol, previously or recently discovered in research work, that give a cyber attacker the opportunity to execute any type of attack which may affect the normal operation of a system.
• [Scenario]
What are the sources of vulnerabilities?
• Old versions / out-of-date applications and services
• Patch failures
• Incorrect configurations
• Secure software development process shortcomings
• Insecure network architecture designs
• Insider or unintentional actions
Vulnerability Management Cycle
Vulnerability Scanners
• Netsparker
• Acunetix
• Burpsuite
• Appscan
• Webinspect
• W3af
• Arachni
• Nikto
• Sqlmap
• Nessus
• Nexpose
• OpenVAS
• Qualys
• Core Impact
• Vega
• Skipfish
• Commix
• nmap
What’s the point of Vulnerability Scanning?
• Identify risks!
• Manage risks!
• Prevent possible cyber attacks!
• The case of WannaCry!
• Learn lessons from past cyber attack incidents!
Key Words
• POLICY: The name given to the special configuration done before performing a scan. For example, the POLICY used in network scanning and the POLICY used in web application scanning are different.
• PLUGIN: Small tools / scripts developed for security checks.
• SCAN: The scanning process.
Vulnerability Databases
• Vulnerability databases are storage points where discovered vulnerabilities are kept.
• https://nvd.nist.gov/
• https://www.cvedetails.com/
Security Scanners
• All-in-one logic
• Better for discovering vulnerabilities on a network
• More often used for checking server/client-based vulnerabilities
• Compliance and configuration vulnerability tests
• Encounters false positives
• Significantly shortens test time
OpenVAS Security Scanner - DEMO
• Open-source vulnerability scanning tool.
• Contains advanced features.
• Can be used as an alternative to Nessus.
Nmap NSE - DEMO
• Vulnerability scanning with the Nmap Scripting Engine is possible.
• Open source software. You can also contribute and develop modules on top of it.
• Allows fast scanning.
• Generally, all tests begin with nmap vulnerability scans.
Nessus - Demo
• The most commonly used vulnerability scanning tool.
• Return to penetration testing and vulnerability scanning!
• Licensed and free versions are available.
• You can also perform many security checks with the free version.
• Includes options like Web, Network and SCADA Compliance Scanning.
• Often used in network scans.
Nessus - Demo
• Starting a New Scan
• Policy
• Advanced Scan
• Configurable: you can customize the scan and make advanced configurations.
Nessus - Demo
• New Scan
• Target Systems
• Plugins
• Schedule configurations
• Brute-force attacks
• Advanced settings
Nessus - Demo
• Scan results are presented in many different formats. A large network can be easily analyzed with these outputs.
• Detailed analysis
• Criticality levels
Nessus - Demo
• The scan report is available in the following formats and can be integrated with other penetration testing tools.
• Formats
• XML
• HTML
• Nessus
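Integrating the XML export with other tooling, as an added example that is not part of the original training material: a small parser for the .nessus (NessusClientData_v2) report format that flattens each ReportItem into a record, drops informational plugins and sorts by criticality level. The embedded report is constructed for the example; its host addresses, plugin IDs and CVE reference are placeholders, not real scan results.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample .nessus (NessusClientData_v2) export; plugin IDs and the CVE are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="lab-scan">
<ReportHost name="10.0.0.5">
<ReportItem port="445" protocol="tcp" severity="4" pluginID="900001" pluginName="Constructed critical SMB finding">
<cve>CVE-YYYY-NNNN</cve>
</ReportItem>
<ReportItem port="80" protocol="tcp" severity="2" pluginID="900002" pluginName="Constructed medium web finding"/>
<ReportItem port="22" protocol="tcp" severity="0" pluginID="900003" pluginName="Constructed SSH banner (info)"/>
</ReportHost>
<ReportHost name="10.0.0.6">
<ReportItem port="3389" protocol="tcp" severity="3" pluginID="900004" pluginName="Constructed high RDP finding"/>
</ReportHost>
</Report>
</NessusClientData_v2>"""

# Nessus severity attribute values: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

def parse_nessus(xml_text):
    """Flatten ReportItems into dicts, dropping informational (severity 0) plugins."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            level = int(item.get("severity", "0"))
            if level == 0:
                continue  # banner/detection plugins are noise in a triage list
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "level": level,
                "severity": SEVERITY_NAMES[level],
                "cves": [c.text for c in item.findall("cve")],
            })
    findings.sort(key=lambda f: f["level"], reverse=True)  # most severe first
    return findings

def severity_counts(findings):
    """Count findings per severity label, the figure a report summary leads with."""
    return dict(Counter(f["severity"] for f in findings))

if __name__ == "__main__":
    for f in parse_nessus(SAMPLE_NESSUS):
        print(f"{f['severity']:<8} {f['host']}:{f['port']} {f['plugin_name']}")
```

The same loop works on a real export once the file is read with `open(...).read()`; only the severity mapping and element names above are Nessus-specific.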
Core Impact - Demonstration
• Security scanner
• Includes a lot of advanced security checkers and has its own unique tools.
• Contains special exploits.
• Has its very own zero-day team.
• It’s a licensed tool :)
Web Security Scanners
• Used for security scans of web applications and services
• Several of them also allow manual testing
• Netsparker is accepted worldwide as one of the most successful vulnerability scanners.
• Burp Suite is the most critical tool!
Netsparker - Demo
• Web application security scanning tool
• Licensed and free versions available
• Specifically developed for web technologies.
• A more advanced and integrated solution with Netsparker Cloud
Burpsuite - Demo
• Web application proxy tool and security scanner
• Licensed and free versions available
• Specific to web technologies
• Most frequently used tool.
• Hackers’ and pentesters’ most valuable tool
Nikto Security Scanner - Demo
• Web application and server security scanner.
• Frequently used, practical application.
• Used via the command line.
W3af Web Scanner - Demo
• A web application security scanner.
• Developed by OWASP.
• Includes various policies, and customized scans can be performed.
• Even though it is not frequently utilized, it is very useful.
Sqlmap – SQL Injection Scanner – Demo
• Developed specifically for SQL injection attacks.
• Developed in the Python programming language.
• Open source
• Contains advanced parameters and attack methods
Are vulnerabilities only scanned remotely?
• A scan does not only have to be performed remotely against web applications or a server.
• It is also possible to gain entry into a server and scan the operating system (RDP or SSH login -> internal scanning).
• Compliance or configuration checks can be performed.
• Static code analysis can be done.
Summary:
• We have a lot of intelligence data we've collected from the beginning.
• Now we know which existing systems are up.
• We discovered open ports on these systems and we know the software running on these ports.
• We have noted the vulnerabilities we have discovered in the applications running on this software or in the services themselves.
• Now we need to understand how to use these vulnerabilities to our advantage!
Applications
Questions?
Contacts
www.prismacsi.com
info@prismacsi.com
0 850 303 85 35
/prismacsi