
Table of Contents

  1. What Is a Vulnerability?
  2. Vulnerability Scanners
  3. Scanning for Vulnerabilities
  4. Fuzzing for Vulnerability Discovery
  5. Gaining Control: Exploiting Buffer Overflows
  6. Identifying a Vulnerability
  7. Utilizing Metasploit
  8. Metasploit Auxiliary Modules
  9. Exploitation Database
  10. About Social Engineering
  11. After Exploitation
  12. Breaking Website: Web Architecture
  13. Common Web Application Attacks
  14. Testing Strategies


This eBook is based on Penetration Testing Fundamentals-2 and has been collected from different sources and people. For more information about this eBook, kindly write to deviprasad77058@gmail.com. I will be happy to help you.

Copyright 2023 by Devi Prasad

This eBook is a guide and serves as the next part of the first guide.
The previous part, Penetration Testing Fundamentals-1, has already been published. This book has been written on the advice of many experts and sources who have a good command of ethical hacking, networking and programming. They are listed at the end of this book.
All images used in this book are taken from the lab created by those experts. All rights reserved, including the right to reproduce this book or portions thereof in any form whatsoever. For any query, reach out to the author through email.

What Is a Vulnerability?

A vulnerability is a weakness in a system, whether it's a software application, a hardware design, or a network. Vulnerabilities can arise from various factors, and understanding them is crucial for maintaining system security. Here are some common reasons for vulnerabilities:

  1. Misconfigurations: Unintended or improper settings can lead to vulnerabilities. For example, enabling anonymous FTP without proper restrictions can expose a system to unauthorized data uploads or extraction.

  2. Software Bugs: Bugs or flaws in the software's design or implementation can create vulnerabilities. Exploitable bugs can allow attackers to perform unauthorized actions or gain access to sensitive information.

  3. Buffer Overflow: A buffer overflow is a type of software bug where excessive data input can overflow a designated memory buffer. This overflow can lead to unintended consequences, such as manipulating the program's flow of execution. One classic example is exploiting the stack in a buffer overflow.

In the diagram, the buffer at the top is filled with data from the user. If the data exceeds the allocated space, it overflows into adjacent memory, potentially reaching the return address stored on the stack. Attackers can manipulate this process to control the program's execution flow.

Countermeasures against buffer overflows include making the stack non-executable and using stack canaries: random values placed on the stack and checked before execution returns to the caller, so that an overwrite of the frame is detected before the corrupted return address is used.
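As an added illustration of the overflow and the canary check described above (example code, not from the book), the following C program models a stack frame as one plain array with an assumed layout of local buffer, then canary, then saved return address. Keeping the frame in an array means the oversized copy stays within the program's own memory while still showing how the canary catches the overwrite before the return address would be used, and how a length check avoids the overflow altogether.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of a stack frame kept in one array so the demo stays in bounds
   (assumed layout for illustration, not a real compiler frame):
   [0..15]  local buffer filled from input
   [16..23] canary, written in the prologue and checked in the epilogue
   [24..31] saved return address */
enum { BUF_SIZE = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_SIZE = 32 };

static const uint64_t CANARY = 0x5a5a5a5a5a5a5a5aULL; /* constructed value */
static const uint64_t RET    = 0x401000ULL;           /* constructed value */

/* Result of one simulated call. */
enum { COPY_OK = 0, COPY_REJECTED = -1, OVERFLOW_DETECTED = 1 };

static uint64_t read_u64(const unsigned char *p) {
    uint64_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Copies `len` constructed 'A' bytes into the frame's buffer.
   bounded == 0: the strcpy/gets pattern, trusting the input length.
   bounded != 0: a length check against BUF_SIZE before copying.
   Returns COPY_REJECTED, OVERFLOW_DETECTED (canary no longer matches, so
   the epilogue would abort) or COPY_OK. */
int simulate_call(size_t len, int bounded) {
    unsigned char frame[FRAME_SIZE], input[FRAME_SIZE];
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* keeps the toy array in bounds */
    memset(input, 'A', sizeof input);

    /* prologue: zero locals, place the canary and the saved return address */
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &RET, sizeof RET);

    if (bounded && len > BUF_SIZE)
        return COPY_REJECTED;                 /* hardened path: refuse oversized input */
    memcpy(frame, input, len);                /* the copy itself; unbounded when !bounded */

    /* epilogue: the canary is checked before the return address is used */
    if (read_u64(frame + CANARY_OFF) != CANARY)
        return OVERFLOW_DETECTED;
    return COPY_OK;
}
```

With 17 or more input bytes the unbounded copy clobbers the canary (and at 32 bytes the saved return address as well), while the bounded variant rejects the same input before anything is written.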

While the buffer overflow is a classic and enduring vulnerability, there are various other types, including race conditions, heap overflows, integer overflows, and injection attacks. Whenever a program accepts user input, that input should be treated as untrustworthy, but developers may overlook this, creating opportunities for exploitation.

The Open Web Application Security Project (OWASP) maintains a list of common vulnerabilities each year, primarily focusing on web application security. OWASP's list covers vulnerability classes that exist across different application types.

Other organizations, such as the Computer Emergency Response Team (CERT), track top vulnerabilities based on reported attacks. CERT's list includes specific vulnerabilities and is derived from real-world attack data. Addressing vulnerabilities promptly is essential for maintaining system security and protecting against known threats.

Vulnerability Scanners

Vulnerability scanners play a crucial role in identifying weaknesses in systems and software. They automate the process of running tests against various aspects of a system to discover potential vulnerabilities. Here are some key points about vulnerability scanners:

Evolution of Vulnerability Scanners:

  • SATAN: One of the earliest vulnerability scanners was the Security Administrator Tool for Analyzing Networks (SATAN), developed in the mid-1990s by Dan Farmer and Wietse Venema. SATAN included specialized checks for vulnerabilities and later became the basis for commercial scanners like SAINT.

  • SARA: The Security Auditor's Research Assistant (SARA) was another tool that followed SATAN.

How Vulnerability Scanners Work:

  • Tests and Scans: Vulnerability scanners conduct tests against systems and software. This may involve port scans to identify open ports and listening applications.

  • Operating System Detection: Scanners determine the operating system in use.

  • Vulnerability Assessment: Based on the gathered data, the scanner assesses potential vulnerabilities in the system.

Imprint

Publisher: BookRix GmbH & Co. KG

Text: Devi Prasad
Images: Devi Prasad
Cover: Himanshu Sachan
Editing: Rohit Patil
Proofreading: Ragha Jha
Translation: Akhil Gupta
Typesetting: Devi Prasad
Date of publication: 30.11.2023
ISBN: 978-3-7554-6249-1

All rights reserved
