Category: Scanning

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about vulnerability scanning. In this article, you will learn about Nuclei, a high performance, fast and customizable vulnerability scanner that uses YAML based templates. Its features include,

• Simple YAML format for creating and customizing vulnerability templates.
• Contributions from thousands of security professionals to tackle trending vulnerabilities.
• Reduced false positives by simulating real-world steps to verify a vulnerability.
• Ultra-fast parallel scan processing and request clustering.
• Integration into CI/CD pipelines for vulnerability detection and regression testing.
• Supports multiple protocols like TCP, DNS, HTTP, SSL, WHOIS JavaScript, code and more.
• Integration with Jira, Splunk, GitHub, Elastic, GitLab.

Let’s see how this tool works. For this, we will be using Kali Linux as attacker system as Nuclei is available by default in its repositories. As target, we will be using Metasploitable 2. Both these systems are part of our Simple Hacking Lab. Nuclei can be installed on Kali as shown below.

Scanning (-u, -t)

Nuclei can be specified with a target URL or IP to scan as shown below.

Here’s how its output looks like.

See all available templates (-tl)

While studying about its features, you have read that Nuclei uses lot of vulnerability templates for performing a vulnerability scan. At the time of scan initialization, Nuclei installs and uses these templates. Templates form a very important part of Nuclei. You can see all the available templates of Nuclei using command shown below.

nuclei -tl

As already mentioned, these templates are in YAML format.

Run a particular template (-t)

If you want to run a specific template instead of all the templates, you can do so with this option. For example, let’s just run phpmyadmin-misconfiguration template as shown below.

List all tags (-tgl)

The templates of Nuclei are also divided based on tags. A tag can be all the templates belonging to a specific software or technology. For example, let’s say WordPress, SSH etc. All the tags in Nuclei can be searched using command shown below.

nuclei -tgl

Run templates belonging to a specific tag (-tags)

This option can be used to run all templates belonging to a specific tag. For example, let’s say we want to run all templates belonging to tag “ftp” on our target, we can do it as shown below.

Here’s its output.

Run code based templates (-Code)

This option can be used to run all “Code” protocol based templates.

Here’s its output.

Run file based templates (-file)

Just like code related templates, Nuclei has file based templates. This option can be used to run them.

Run templates based on severity (-s)

We can also run Nuclei templates based on the severity of vulnerabilities. The possible values it can take is info, low, medium, high and unknown. You have seen in the above scan results of Nuclei that vulnerabilities are being classified from info to critical etc.

For example, let’s just run templates with severity “critical”.

As you can see in the above image, it is only running templates with critical severity.

Silent mode (-silent)

Silent mode of Nuclei just displays results.

Scan multiple targets at once (-L)

Nuclei can also be used to scan multiple targets. For this, all you have to do is save all targets in a text file and use the command shown below.

nuclei -l <target_file>

Saving output (-o)

The output of Nuclei’s vulnerability scan can be saved to a file using the option as shown below.

Next, learn about Nessus vulnerability scanner.

Hello aspiring Ethical Hackers. In this blogpost, you will learn about vulnerability scanning. Before you learn what a vulnerability scan is, you need to know what a vulnerability is? A vulnerability is a weakness, flaw, error or a misconfiguration in a software or network that allows hackers to gain unauthorized access to the organization by exploiting it.

What is vulnerability scanning?

Now that you have understood what is a vulnerability, let’s see what is scanning. Vulnerability scanning is the process of identifying the security vulnerabilities in a software or a network of the organization. Vulnerability scanning is usually performed to protect the organization from hackers although it is also performed by hackers to gain access to the organization.

Types of vulnerability scans

Vulnerability scanning can be categorized into different types. They are,

1. External Vulnerability Scan
2. Internal vulnerability scan
3. Environmental scans
4. Intrusive Scans
5. Non-Intrusive scan.
6. Credentialed scan
7. Non-credentialed scan

1. External vulnerability scan:

In an external vulnerability scan, the external facing resources of an organization are scanned. These include, websites, systems, ports and services.

2. Internal vulnerability scan:

In this type of scan, the vulnerability scan is performed on the internal network of the organization or on resources to which the users or employees of the organization have access to. This scan is performed to get information about the vulnerabilities which employees or malware which gained access to the network can exploit.

3. Environmental scan:

Environmental vulnerability scans are performed based on the target environment. For example, target environment can be cloud based, IOT, mobile devise, websites etc.

Vulnerability scans can also be classified as either Intrusive or Non-Intrusive.

4. Non- Intrusive scan:

In a non-intrusive vulnerability scan, vulnerabilities are just identified and reported.

5. Intrusive scan:

In an intrusive vulnerability scan, vulnerability is not just identified but also exploited.

Apart from these categorizations, vulnerability scan is also classified as credentialed scans and non-credentialed scans.

6. Credentialed scan:

Also known as authenticated scan, this vulnerability scan in performed using a set of credentials. This type of scan gives the trusted users view of the organization.

7. Non-credentialed scan:

Also known as non-authenticated scan, this vulnerability scan gives the external user’s view of the network or revenue of organization.

Uses of vulnerability scans

Vulnerability scanning can help cyber security personnel of the organization to get an idea about the vulnerabilities in the organization beforehand and to prevent them from being exploited by attackers. As hackers also perform vulnerability scans, vulnerability scanning gives an idea to the organization as to what hackers can see.

How are vulnerability scans performed?

Vulnerability scans can be performed manually or using tools (vulnerability scanner). See how to perform vulnerability scanning with Nikto and Nessus.

Vulnerability scan vs Vulnerability assessment

In vulnerability scanning, vulnerabilities are scanned and reported whereas in vulnerability assessment, apart from identifying vulnerabilities the impact of the vulnerabilities when exploited is also assessed. Learn more about vulnerability assessment.

Hello, aspiring Ethical Hackers. In this blogpost you will learn about OS Fingerprinting. Before you learn about OS fingerprinting, you should know what exactly is Fingerprinting. Fingerprinting is a form of biometrics that identifies a person with their fingerprint. Why Fingerprint? Because GOD has created humans in such a way that two people (no matter how much population rises) have same fingerprints.

What is OS Fingerprinting?

Just like every human has his own fingerprint, operating systems too have a unique fingerprint. Windows systems have a unique fingerprint whereas Linux systems have their unique fingerprint. The process of determining this fingerprint to determine the operating system of the target is known as Operating System fingerprinting.

What is this required?

If a hacker or pen tester can find out the operating system of the target system, he/she can know which vulnerabilities to exploit or which payloads to design to gain access to the target system (For example, Windows need EXE payloads whereas Linux systems require .sh payloads.

Types of OS Fingerprinting

Active OS Fingerprinting

In Active OS Fingerprinting, specially crafted packets are sent to the target system and its responses are analyzed to determine the operating system of target computers. This interaction can be as simple as a ping or a scanner like Nmap. Using ping, we can detect a target operating system by observing the Time To Live (TTL) values as shown below.

Time To Live (TTL) is the amount of time or “hops” that a packet is set to exist inside a network before discarded by a router. In simple words, it is the period of time that a packet or data should exist on a network before being discarded. This value differs from operating system to operating system. Here are the default TTL values of some operating systems. You can know about the default TTL values of more operating systems here.

Another way to perform Active Foot printing is by sending specially crafted packets to the target system. Among all Ethical Hackers use Nmap for OS fingerprinting.

Passive OS Fingerprinting

Although Active Fingerprinting is very effective and accurate at determining the target’s operating system, it is very noisy and can be easily spotted by Cyber security teams. Passive fingerprinting is a more effective way of detecting target system’s OS. Moreover, there is no chance of Firewalls blocking this type of fingerprinting. How is it possible?

In passive OS fingerprinting, a sample of packets coming from the target we are interested in are analyzed. For this purpose, we use a Packet Capture API. It relies on guessing the target OS by observing their TCP/IP implementation. Apart from TTL, this type of fingerprinting will observe window size, Don’t Fragment (DF) bit and Type Of Service (TOS).