
Vulnerability Scanning vs Penetration Testing

By Sean Washington

Scanning a network to check for vulnerabilities is a vital exercise, but it should not be confused with penetration testing. Pen-testing is a process that looks for security weaknesses and launches various attacks in order to gain access to a system. Although the two are closely related, their purposes are different. A vulnerability scan checks for known vulnerabilities and can be run by a security specialist, or even an average user.

A penetration test builds on the vulnerability scan to try to gain access to a computer system. In most cases, a penetration tester needs a broader range of knowledge, along with expertise in all aspects of computer systems, such as operating systems, databases, web servers, and network devices.

Most vulnerability scanning tools generate a written report that includes the methodology and detailed findings, along with possible solutions to address the weaknesses in the system. Vulnerability scanning should be done on a regular basis, and discovered issues should be addressed as soon as possible to prevent an attack.

Penetration testing should be done once a year and uses many tools and techniques. However, the expertise of the tester is as essential as the tools. Many times it is conducted by an outside firm, whereas a vulnerability scan can be conducted by an in-house security specialist.

Most professionals would agree that penetration tests should be scheduled yearly. To make the penetration test a success for the organization, a great deal of preparation needs to be done. Preferably, an IT staff meeting should be held between the organization and the penetration testers. There must be a clear objective for the penetration test, and all parties need to be on the same page.

Vulnerability scanning can be considered exploratory: it is how we discover what the vulnerabilities are. Penetration testing can be considered defensive: given the discovered information, we can now take steps to reduce the risk.

Port scanning is a popular information-gathering method that identifies which ports and services are open. The process records how the ports respond to queries and gathers information on the target. Because this information may be used as a catalyst for an attack, an effort should be made to prevent port scanning attempts.

A firewall or host will respond to a port scan in one of three ways:

  1.      Open and listening
  2.      Closed and denying
  3.      No reply (stealth mode).

In addition, alerts and alarms can be set to notify when multiple connection requests across all ports from a single host are detected. Hacking activity is often done under the radar by conducting a scan in strobe or stealth mode.
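The alert condition just described (many connection requests from one host across many ports) is easy to express as detection logic. The following is an added example written for this article, not code from the original post: it reads a constructed firewall-style log (the format and addresses are invented for the example) and flags any source that touches at least a threshold number of distinct ports on one host within a sliding time window. Denied attempts are counted as well, since a blocked probe is still a probe.

```python
"""Detect port-scan behaviour in connection logs: one source touching many
distinct ports on a host inside a short time window. The log format and all
values below are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log: "<ISO time> <src ip> <dst ip>:<port> <action>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 192.168.1.10:22 ACCEPT
2024-05-01T10:00:01 10.0.0.5 192.168.1.10:80 ACCEPT
2024-05-01T10:00:02 203.0.113.9 192.168.1.10:21 DENY
2024-05-01T10:00:02 203.0.113.9 192.168.1.10:22 ACCEPT
2024-05-01T10:00:02 203.0.113.9 192.168.1.10:23 DENY
2024-05-01T10:00:03 203.0.113.9 192.168.1.10:25 DENY
2024-05-01T10:00:03 203.0.113.9 192.168.1.10:53 DENY
2024-05-01T10:00:03 203.0.113.9 192.168.1.10:80 ACCEPT
2024-05-01T10:00:04 203.0.113.9 192.168.1.10:110 DENY
2024-05-01T10:00:04 203.0.113.9 192.168.1.10:143 DENY
2024-05-01T10:00:05 203.0.113.9 192.168.1.10:443 ACCEPT
2024-05-01T10:00:06 203.0.113.9 192.168.1.10:3389 DENY
2024-05-01T10:05:00 10.0.0.7 192.168.1.10:443 ACCEPT
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def detect_scanners(log_text, port_threshold=8, window_seconds=60):
    """Return {(src, dst_ip): peak} for every source that touched at least
    port_threshold distinct ports on dst_ip within any window_seconds span.
    Denied attempts count too: a blocked probe is still a probe."""
    events = defaultdict(list)                 # (src, dst) -> [(time, port), ...]
    for line in log_text.strip().splitlines():
        ts, src, dst_ip, port, _action = parse_line(line)
        events[(src, dst_ip)].append((ts, port))

    alerts = {}
    for key, lst in events.items():
        lst.sort()
        start, peak = 0, 0
        for end in range(len(lst)):
            # slide the window start forward until it spans at most window_seconds
            while (lst[end][0] - lst[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({port for _, port in lst[start:end + 1]}))
        if peak >= port_threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {src} probed {n} distinct ports on {dst}")
```

On the sample log only 203.0.113.9 trips the default threshold (ten distinct ports in four seconds); the two legitimate clients touch one or two ports each. Lowering the window length reduces the peak count, which is why a strobe scan spread out over time can slip under a naive threshold.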

Unnecessary listening ports, in a sense, leave the door wide open to an attack. The netstat ("network statistics") command is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics. To list the listening ports, go to the command line and run netstat -a. This may take a few seconds and will easily identify all of the listening ports.

Ethical Hacking and the Three-Way Handshake

It's important to understand the TCP three-way handshake, because network scans use parts of the handshake to get responses. Transmission Control Protocol (TCP) is a connection-oriented protocol: it begins with a handshake and ends with a session termination. Normal TCP traffic begins with a three-way handshake, whereby a client initiates the conversation by requesting a session with the server.

The client sends a synchronization packet, called a SYN packet, which is used to synchronize sequence numbers. If the server accepts, it responds with a SYN-ACK, or synchronization acknowledgement. Then the client responds with an acknowledgement, the session begins, and a socket is created. Sometimes the service will be refused, and you'll see a reset. No response may indicate a firewall. You may also receive an ICMP Destination Unreachable packet; the code might indicate that the network was unreachable or the host was unreachable, but most likely the target port is firewalled.

So TCP, the Transmission Control Protocol, is a connection-oriented protocol with a beginning and an end, and in ethical hacking we can use those flags, or portions of the handshake, to probe our targets.
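The exchange described above, as an added simulation that is not part of the original article: a client drives the SYN, SYN-ACK, ACK sequence against a tiny in-memory server, so the sequence and acknowledgement arithmetic (each side acknowledges the other's initial sequence number plus one) is visible, together with the other two answers a SYN can receive: a reset from a closed port and silence from a firewalled one. The `Segment` and `Server` classes, the port table and the fixed initial sequence numbers are all constructed for the example; real stacks randomize their initial sequence numbers. Nothing is sent on the network.

```python
"""Model the TCP three-way handshake: SYN, SYN-ACK, ACK, with the
sequence/acknowledgement arithmetic, plus the two other answers a SYN can get
(RST from a closed port, silence from a firewalled one). Pure simulation:
no packets are sent. Port states and sequence numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST", "FIN"}


class Server:
    """Server side of the exchange. Each port is 'open' (listening),
    'closed' (nothing listening) or 'filtered' (a firewall drops the probe)."""

    def __init__(self, ports, isn=1000):
        self.ports = ports            # {port: "open" | "closed" | "filtered"}
        self.isn = isn                # fixed initial sequence number (constructed)
        self.pending = {}             # half-open connections: client port -> ISN we sent
        self.established = set()      # client ports whose handshake completed

    def respond(self, seg):
        """Return the reply Segment, or None when nothing goes back on the wire."""
        state = self.ports.get(seg.dst_port, "closed")
        if state == "filtered":
            return None               # client sees no response (or ICMP unreachable)
        if state == "closed":
            # a SYN to a closed port is answered with a reset acknowledging the SYN
            return Segment(seg.dst_port, seg.src_port, 0, seg.seq + 1, frozenset({"RST", "ACK"}))
        if seg.flags == {"SYN"}:
            # open port: SYN-ACK carrying our own ISN and acknowledging the client's ISN + 1
            self.pending[seg.src_port] = self.isn
            return Segment(seg.dst_port, seg.src_port, self.isn, seg.seq + 1, frozenset({"SYN", "ACK"}))
        if seg.flags == {"ACK"} and seg.ack == self.pending.get(seg.src_port, -2) + 1:
            # third packet: the client acknowledged our ISN + 1, so the socket now exists
            del self.pending[seg.src_port]
            self.established.add(seg.src_port)
        return None


def handshake(server, dst_port, src_port=49152, client_isn=5000):
    """Drive the exchange from the client side. Returns (outcome, transcript)
    where outcome is 'open', 'closed' or 'filtered' and transcript lists
    (sender, Segment) pairs in the order they were exchanged."""
    transcript = []
    syn = Segment(src_port, dst_port, client_isn, 0, frozenset({"SYN"}))
    transcript.append(("client", syn))
    reply = server.respond(syn)
    if reply is None:
        return "filtered", transcript
    transcript.append(("server", reply))
    if "RST" in reply.flags:
        return "closed", transcript
    # SYN-ACK received: reply.ack equals client_isn + 1; we acknowledge the server's ISN + 1
    ack = Segment(src_port, dst_port, reply.ack, reply.seq + 1, frozenset({"ACK"}))
    transcript.append(("client", ack))
    server.respond(ack)
    return ("open" if src_port in server.established else "unknown"), transcript


if __name__ == "__main__":
    srv = Server({22: "open", 23: "closed", 25: "filtered"})
    for port in (22, 23, 25):
        outcome, steps = handshake(srv, port)
        print(f"port {port}: {outcome}")
        for who, seg in steps:
            print(f"  {who:6} {'/'.join(sorted(seg.flags)) or '-':8} seq={seg.seq} ack={seg.ack}")
```

Running the block prints the three-segment transcript for the open port, a two-segment SYN/RST exchange for the closed one, and a lone SYN for the filtered one, which is exactly the difference a scanner (and an intrusion detection system watching for half-open connections that never complete) keys on.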

Port Scanning & the Three-Way Handshake

When scanning, we attempt to get a response from a port. There are 65,535 possible TCP ports and as many UDP ports. Port numbers identify a specific application or process, and they fall into three main groups. The Well-Known Ports are in the range 1 to 1,023; these carry well-known protocols such as FTP, DNS, and HTTP.

The Registered Ports are in the range 1,024 through 49,151 and are registered for specific services such as SOCKS, OpenVPN, and gaming applications. The highest range, 49,152 to 65,535, holds the Dynamic or Ephemeral ports. When scanning, the Well-Known Ports are almost always tried, and some registered ports are tried as well.

When scanning, we mostly focus on TCP, because TCP has more opportunities to manipulate the header than UDP. UDP is a connectionless protocol built for speed. A probe to a UDP port often gets no response at all, which makes UDP more difficult to probe than TCP. A response from a UDP probe might be an ICMP type 3 code 3 (port unreachable), or, if the network is blocking ICMP, no message will be returned.

TCP, however, is a connection-oriented protocol that establishes the connection to the remote host via a three-way handshake. A UDP header has only four fields and no flags to manipulate. A TCP header has 11 fields and contains a one-byte field for the flags. Let's take a look at the flags and what they do.

  1.      Reserved - for future use and should be set to zero.
  2.      Nonce (NS) - experimental, for possible use with Explicit Congestion Notification.
  3.      Congestion Window Reduced (CWR) - set by the sending host to indicate that it received a TCP segment with the Explicit Congestion Notification flag set and has responded with its congestion-control mechanism.
  4.      Explicit Congestion Notification (ECE) - notifies of end-to-end congestion without dropping packets. This is an optional feature that may be used between two ECN-enabled endpoints.
  5.      Urgent (URG) - indicates that the packet should have priority; this flag is rarely set.
  6.      Acknowledgement (ACK) - simply an acknowledgement of packets received. All packets after the initial synchronization packet sent by the client should have this flag set.
  7.      Push (PSH) - TCP generally buffers data until it has a decent-sized segment to send; this bit tells TCP that the data should be sent immediately.
  8.      Reset (RST) - allows a station to abort the TCP connection with another station. This can happen for a number of reasons; many times the reset bit is used to close an abnormal connection.
  9.      SYN - synchronizes the sequence number. Only the first packet sent from each end should have this flag set, that is, the first two packets of the handshake.
  10.     FIN - the process is complete; there is no more data from the sender.

TCP flags help tell the story of the data transmission. Flags can be used when scanning the network and can also be used to avoid detection by an intrusion detection system. Nmap offers many techniques, and when using TCP flags for scans we have a number of options:

  1.      Full Connect scan - the most reliable, as it works with most systems, but also the most obvious. Open ports respond with a SYN-ACK, whereas closed ports respond with a Reset-ACK.
  2.      SYN Stealth (Half Open) scan - the connection is never fully established. It works with most systems. A closed port responds with a Reset.
  3.      FIN scan - sends a FIN packet to the target port. Closed ports should send back a Reset. FIN packets can sneak through undetected. A Windows machine sends Resets regardless of the port state, so Windows hosts are not as susceptible to this type of scan.
  4.      NULL scan - no flags are set. Closed ports should return a Reset.
  5.      ACK scan - sends Acknowledgements; if a Reset is returned, it gives the attacker data on the type of firewall present. An ICMP Destination Unreachable response indicates the port is most likely filtered.
  6.      XMAS tree scan - so called because the packet is said to be lit up like a Christmas tree: the FIN, URG, and Push flags are set. A closed port responds with a Reset.
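The flag descriptions and the scan types above come together in the following added example, which is not code from the original article. It decodes the flag byte of a raw 20-byte TCP header (the bit layout is from RFC 793, with CWR and ECE from RFC 3168 and the NS bit from RFC 3540), names the scan type that a bare flag combination suggests (NULL, FIN, XMAS, SYN, ACK), and maps a reply (a flag set, an ICMP port-unreachable, or silence) to the port state the text describes. It is written from the analyst's side, the way an intrusion detection rule would look at an inbound segment; the sample headers are constructed with the helper in the block and nothing touches the network.

```python
"""Decode the flag bits of a TCP header, name the scan type a flag combination
corresponds to, and interpret the reply (a flag set, an ICMP port-unreachable,
or silence). Pure parsing: nothing is sent on the network. Sample headers are
constructed with build_tcp_header()."""
import struct

# Flag bits in header byte 13 (RFC 793; CWR/ECE from RFC 3168), MSB first.
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def parse_tcp_header(data):
    """Parse the fixed 20-byte TCP header into a dict (options are ignored)."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src, dst, seq, ack, off_res, flag_byte,
     window, checksum, urgent_ptr) = struct.unpack("!HHIIBBHHH", data[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": off_res >> 4,          # header length in 32-bit words
        "reserved": (off_res >> 1) & 0x7,     # must be zero
        "NS": off_res & 0x1,                  # experimental nonce-sum bit (RFC 3540)
        "flags": frozenset(name for name, bit in FLAG_BITS.items() if flag_byte & bit),
        "window": window, "checksum": checksum, "urgent_ptr": urgent_ptr,
    }


def build_tcp_header(src_port, dst_port, seq=0, ack=0, flags=(), window=1024):
    """Build a 20-byte header with the given flags (checksum left at zero)."""
    flag_byte = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flag_byte, window, 0, 0)


# Flag combinations that by themselves suggest one of the scan types in the text.
SCAN_SIGNATURES = {
    frozenset():                      "NULL scan",
    frozenset({"FIN"}):               "FIN scan",
    frozenset({"FIN", "URG", "PSH"}): "XMAS tree scan",
    frozenset({"SYN"}):               "SYN (half-open) scan or normal connect",
    frozenset({"ACK"}):               "ACK scan or established-connection traffic",
}


def classify_probe(flags):
    """Name the scan type suggested by a flag combination ('other' if none)."""
    return SCAN_SIGNATURES.get(frozenset(flags), "other")


def infer_port_state(probe_flags, reply):
    """reply is the flag set of the answer, 'icmp-unreachable', or None (silence)."""
    probe = frozenset(probe_flags)
    if reply == "icmp-unreachable":
        return "filtered"
    if probe == {"SYN"}:
        if reply is None:
            return "filtered"
        if "RST" in reply:
            return "closed"
        return "open" if {"SYN", "ACK"} <= reply else "unknown"
    if probe in (frozenset(), frozenset({"FIN"}), frozenset({"FIN", "URG", "PSH"})):
        # RFC 793 behaviour: a closed port answers with RST, an open port stays silent,
        # so silence cannot distinguish open from filtered
        if reply is None:
            return "open|filtered"
        return "closed" if "RST" in reply else "unknown"
    if probe == {"ACK"}:
        # a RST means the segment reached the host: no stateful filter in the way
        return "unfiltered" if reply is not None and "RST" in reply else "filtered"
    return "unknown"


if __name__ == "__main__":
    for flags in ((), ("FIN",), ("FIN", "URG", "PSH"), ("SYN",), ("ACK",)):
        parsed = parse_tcp_header(build_tcp_header(40000, 80, flags=flags))
        print(sorted(parsed["flags"]) or "-", "->", classify_probe(parsed["flags"]))
```

The NULL, FIN and XMAS branches encode the caveat from the text: because an RFC-compliant open port says nothing, silence is reported as "open|filtered" rather than "open", and on a Windows host, which resets regardless of port state, these three scans would classify every port as closed.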

This concludes an overview of the relationship between vulnerability scanning and penetration testing.  

Mindcentric is an IT consulting firm with offices in San Diego County. We specialize in system engineering and management. We work with our clients to lock down their data and keep intruders out. Every organization has different needs; we help match technology to yours.
