
What Is Scanning and Why It Really Matters

Scanning is an important part of penetration testing, but the two are not the same thing. What is scanning? A pen test uses many kinds of scans, but they fall broadly into two categories: enumeration and vulnerability discovery.


Enumeration

The first type of scanning used in pen testing typically relies on a port scanner. It identifies which systems in a range of IP addresses are alive (turned on and responsive); then which TCP/UDP ports and services they advertise or will respond on; and finally what kind of system each one is: a printer, a Windows computer, a network switch, a firewall, and so on (nmap calls these OS detection and service/version detection).


With the right switches or tests enabled, all of this can usually be done in a single scan. Sometimes, though, a different combination of tests is needed, and sometimes the "go to" scan does not behave as expected (a firewall silently dropping ICMP echo requests, for example), so the tester has to change approach.


sudo nmap -sn -PS 192.168.0.1/24

Here -sn skips the port scan and performs host discovery only, and -PS sends a TCP SYN probe (to port 80 unless another port is given) so that hosts which drop ICMP are still found. sudo is needed because the raw SYN probes require privileges; without it nmap falls back to a full connect() probe. This command only answers the "which hosts are alive" question; the ports and system type come from a follow-up scan of the live hosts (drop -sn and add -sV and/or -O).


With the enumerated systems in hand, those that are up (responding to pings or other host-discovery probes) can be sorted into groups by type. This is important for the next phase of the attack or test. Depending on the purpose of the test or the motivation of the attacker, the next step might focus on one particular class of device. For example, a ransomware operation may target a specific weakness such as exposed Windows RDP; from this point on, the next step is to determine whether any of the Windows hosts running RDP are vulnerable to exploitation and, if so, launch the attack. If not, don't bother, and don't make noise.
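As an added example (not code from the original article), the following Python script does the sorting described above on nmap's grepable output (-oG). It groups the live hosts by device type and then picks out the Windows hosts that actually have RDP (3389) open, which is the "Windows hosts running RDP" question the paragraph poses. The scan output embedded in the script is constructed for the example, and the device classes are an assumed, deliberately simple mapping from nmap's OS guess and service names.

```python
"""Sort nmap grepable (-oG) results into device groups for the next step.

Added example, not from the original article. SAMPLE_GNMAP is constructed
to look like the output of `nmap -sS -O -oG - 192.168.0.0/24`; in nmap's
grepable format each live host has a "Status" line and a "Ports" line,
with tab-separated "Key: value" fields.
"""
import re
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tOS: Linux 4.15 - 5.6\tSeq Index: 258
Host: 192.168.0.10 ()\tStatus: Up
Host: 192.168.0.10 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows 10\tSeq Index: 261
Host: 192.168.0.11 ()\tStatus: Up
Host: 192.168.0.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2016\tSeq Index: 263
Host: 192.168.0.20 ()\tStatus: Up
Host: 192.168.0.20 ()\tPorts: 9100/open/tcp//jetdirect///, 515/open/tcp//printer///\tOS: HP LaserJet printer
Host: 192.168.0.30 ()\tStatus: Down
# Nmap done
"""

# One port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {"status": str, "os": str, "ports": {port: (state, proto, service)}}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        rec = hosts.setdefault(ip, {"status": "", "os": "", "ports": {}})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "OS":
                rec["os"] = value
            elif key == "Ports":
                for m in PORT_RE.finditer(value):
                    port, state, proto, service, _version = m.groups()
                    rec["ports"][int(port)] = (state, proto, service)
    return hosts


def device_class(rec):
    """Assumed, simple classification from the OS guess and advertised services."""
    os_guess = rec["os"].lower()
    services = {svc for _, _, svc in rec["ports"].values()}
    if "windows" in os_guess:
        return "windows"
    if "printer" in os_guess or services & {"jetdirect", "printer"}:
        return "printer"
    if "linux" in os_guess:
        return "linux"
    return "unknown"


def group_live_hosts(hosts):
    """Group the hosts that are up by device class; down hosts are ignored."""
    groups = defaultdict(list)
    for ip, rec in hosts.items():
        if rec["status"] == "Up":
            groups[device_class(rec)].append(ip)
    return dict(groups)


def candidates_with_open_port(hosts, port, device="windows"):
    """Live hosts of the given class with `port` reported open (filtered does not count)."""
    return sorted(
        ip
        for ip, rec in hosts.items()
        if rec["status"] == "Up"
        and device_class(rec) == device
        and rec["ports"].get(port, ("",))[0] == "open"
    )


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for cls, ips in group_live_hosts(hosts).items():
        print(f"{cls}: {', '.join(ips)}")
    print("Windows hosts with RDP open:", candidates_with_open_port(hosts, 3389))
```

Note that 192.168.0.11 reports 3389 as filtered rather than open, so it is not a candidate: a filtered port tells you something is in the path, not that RDP is reachable, and that distinction is exactly what decides whether the next step is worth the noise.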


For a penetration tester, it’s about planning the next move.


Click here to download our free Penetration Testing: Scanning whitepaper.


Vulnerability Discovery

The vulnerability scanner works by running a series of systematic tests: it sends a lot of data of particular kinds and interprets the responses to learn what it can about a host. It's a lot like a seismograph in geology, or the sonar used to find ships, torpedoes and submarines: the pings or sound waves bounce back (or not) and are interpreted by the scanner's software. It's also a bit like feeling your way around a dark room. By stumbling about, touching, smelling and listening, you could probably describe 60-90% of what is in the room, but you could not tell the colour of the walls or the floor. Such is vulnerability scanning: it infers a great deal from responses, but not everything.


A Little Thing About Vulnerabilities

Vulnerability scanners typically find three types of vulnerabilities. The first is unpatched software (missing patches). The second is outdated or unsupported software: old Apache libraries, old or unsupported VMware versions, or end-of-life operating systems such as Windows XP, to name a few. The last is insecure configuration. This includes self-signed, expired, re-used and many other certificate misconfigurations, misuses and abuses that undermine the TLS (Transport Layer Security, the successor to SSL) protocol the entire internet depends on, and cryptographic weaknesses such as using or permitting deprecated TLS versions (1.0 and 1.1). But it also includes unnecessary services running on a server, service misconfigurations such as permitting anonymous FTP, and simply giving up too much information that an attacker can use, such as banners that reveal exact software versions.
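As an added example (not from the original article) of what the configuration checks in the third category look like in practice, the Python script below does two of them. probe_tls_versions() attempts a handshake pinned to each deprecated TLS version against a live host, which is how a scanner learns that a server still permits TLS 1.0 or 1.1; it needs network access and assumes an OpenSSL build that can still speak those versions. inspect_cert() flags self-signed, expired, not-yet-valid and SAN-less certificates in the dictionary that ssl.SSLSocket.getpeercert() returns. The certificate records and the fixed scan time in the block are constructed so the certificate checks run offline.

```python
"""TLS configuration checks of the kind a vulnerability scanner reports.

Added example, not from the original article. probe_tls_versions() needs a
live host; inspect_cert() works on a getpeercert()-style dict and is
demonstrated on the constructed records below.
"""
import socket
import ssl
import time

# Versions deprecated by RFC 8996; a scanner flags a server that still negotiates them.
DEPRECATED_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version_name: True if the server completed a handshake at that version}.

    Assumes the local OpenSSL still supports TLS 1.0/1.1 as a client; if it
    does not, the version is reported False, which is then ambiguous.
    """
    results = {}
    for name, version in DEPRECATED_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing the protocol version, not the chain
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL blocks old versions at SECLEVEL>=1
            ctx.minimum_version = version  # pin both ends so only this version is offered
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, ValueError, OSError):
            results[name] = False  # refused by the server, or unsupported locally
    return results


def _name_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure into a dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def inspect_cert(cert, now=None):
    """Return a list of findings for a certificate dict shaped like getpeercert()."""
    now = time.time() if now is None else now
    findings = []
    subject = _name_dict(cert.get("subject", ()))
    issuer = _name_dict(cert.get("issuer", ()))
    if subject and subject == issuer:
        findings.append("self-signed certificate")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now > not_after:
        findings.append("certificate expired")
    elif not_after - now < 30 * 86400:
        findings.append("certificate expires within 30 days")
    if not cert.get("subjectAltName"):
        findings.append("no subjectAltName, modern clients cannot validate the hostname")
    return findings


# Constructed certificate records shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "notBefore": "Mar 15 00:00:00 2020 GMT",
    "notAfter": "Mar 15 23:59:59 2022 GMT",
    "serialNumber": "01",
    "version": 3,
}
GOOD_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan 10 00:00:00 2022 GMT",
    "notAfter": "Jan 10 23:59:59 2023 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "serialNumber": "0A1B",
    "version": 3,
}
# Fixed "now" (24 Aug 2022) so the offline demonstration is reproducible.
SCAN_TIME = ssl.cert_time_to_seconds("Aug 24 00:00:00 2022 GMT")


if __name__ == "__main__":
    print("intranet cert:", inspect_cert(SAMPLE_CERT, now=SCAN_TIME))
    print("public cert:  ", inspect_cert(GOOD_CERT, now=SCAN_TIME))
    # Live probe, e.g.: print(probe_tls_versions("tls-v1-0.badssl.com", 1010))
```

One caveat on collecting the dictionary from a live server: getpeercert() only returns the parsed form when the context verified the chain, which a self-signed certificate will fail. A scanner therefore takes getpeercert(binary_form=True) and parses the DER itself (for instance with the cryptography package) before running checks like inspect_cert().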


Want to learn more? Click here to download our free whitepaper entitled “The Importance of Scanning and How It Differs from Penetration Testing.”


24 Aug, 2022