Discovering Vulnerabilities
Finding the weak spots in the software systems
Application Scanning
Involves using tools and techniques to identify security vulnerabilities in software applications
Dynamic Application Security Testing (DAST)
Method of testing a web application from the outside in, as a black box. Does not need access to the source code. Think of sending inputs to the running application's frontend or API and inspecting what comes back
Interactive Application Security Testing (IAST)
Combines elements of both static and dynamic testing by analyzing the application in real time while it executes. Think of an agent or instrumentation attached inside the running application, watching code paths and data flows as tests exercise them
Works from within the application
Software Analysis
Examines the components, code, and architecture of an application to identify security vulnerabilities, license compliance issues, and risks
Software Composition Analysis (SCA)
Method used to identify and manage open-source components within a software application
Primarily focuses on known vulnerabilities (published advisories for the identified components and versions) and does not analyze the custom code written by developers
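The matching step that SCA performs, shown as an added example (not code from any SCA product): declared components from a lock file are compared against a list of vulnerable version ranges. The lock file, package names and advisory identifiers are constructed for this example, and the version comparison is the numeric one that real tools need (a plain string compare would call 2.9 newer than 2.19).

```python
"""Added example of software composition analysis (SCA): match the open-source
components a project declares against a list of known-vulnerable version ranges.
The lock file, package names and advisory IDs below are constructed for this
example, not real packages or advisories."""
import re

# Constructed lock file in pip requirements.txt style ("name==version").
LOCKFILE = """\
acme-http==2.19.1
yamlish==5.3.1
netlib==1.26.5
# comments and blank lines are ignored

webkit-lite==2.3.2
"""

# Constructed advisory database: (package, introduced, fixed, advisory id).
# A version is affected when introduced <= version < fixed.
VULN_DB = [
    ("acme-http", "2.3.0", "2.20.0", "EXAMPLE-2018-0001"),
    ("yamlish", "0", "5.4", "EXAMPLE-2020-0002"),
    ("netlib", "1.25.0", "1.26.5", "EXAMPLE-2021-0003"),
]


def parse_version(v):
    """'2.19.1' -> (2, 19, 1). Tuples compare numerically, so 2.9 < 2.19,
    which a plain string comparison would get wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_lt(a, b):
    """Numeric less-than with right-padding so '5.4' equals '5.4.0'."""
    x, y = parse_version(a), parse_version(b)
    n = max(len(x), len(y))
    return x + (0,) * (n - len(x)) < y + (0,) * (n - len(y))


def parse_lockfile(text):
    """Return {package: pinned version}; names are case-insensitive in pip."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned requirement: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps, db=VULN_DB):
    """Known-vulnerability matching only: a component with no database entry
    (webkit-lite here) passes silently, which is SCA's blind spot."""
    findings = []
    for pkg, introduced, fixed, advisory in db:
        version = deps.get(pkg)
        if version is None:
            continue
        if not version_lt(version, introduced) and version_lt(version, fixed):
            findings.append((pkg, version, advisory, fixed))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, version, advisory, fixed in find_vulnerable(parse_lockfile(LOCKFILE)):
        print(f"{pkg}=={version}: {advisory}, upgrade to >= {fixed}")
```

Note that netlib==1.26.5 is not reported: it is exactly the fixed version, so the half-open range excludes it. Real tools also take the component list from a dependency tree rather than a flat lock file, so transitive dependencies get checked too.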
Static Application Security Testing (SAST)
Analyzes an application's source code, bytecode, or binary code (reverse-engineering territory when only the binary is available) for security vulnerabilities without executing the program
Host-Based Scanning
Examination of individual computers or servers to identify vulnerabilities, misconfigurations, and potential threats
Authenticated Scans
Conducted with valid credentials, allowing in-depth analysis of the host
Unauthenticated Scans
Performed without credentials to look at systems from an attacker’s point of view
Secrets Scanning
Searches for exposed sensitive information like passwords, API keys, and encryption keys within host files and environment variables
TruffleHog
Scans Git repositories, including the commit history and not just the current tree, for potential secrets
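How a secrets scanner decides what to report, as an added example (not TruffleHog's code): fixed-format patterns for things like AWS access key IDs and private key headers, a loose "name = value" pattern that is only reported when the value has enough entropy to look like a real credential, and an environment-variable check. The config file contents and environment below are constructed; the AWS-looking values are the placeholder examples from AWS's own documentation.

```python
"""Added example of secrets scanning over file contents and environment
variables. Patterns and thresholds are illustrative; the sample input is
constructed for this example."""
import math
import re

# Fixed-format secrets: the AWS access key ID is always AKIA + 16 chars.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Loose pattern: name hint, '=' or ':', optional quote, then the value.
    "generic_secret_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}
NAME_HINT = re.compile(r"(?i)(key|secret|token|password|passwd)")


def shannon_entropy(s):
    """Bits per character; random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source, entropy_threshold=3.5):
    """Return (source, line number, finding type) for each hit. The generic
    pattern is gated on entropy so 'changemechangeme' is not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                if name == "generic_secret_assignment" and \
                        shannon_entropy(candidate) < entropy_threshold:
                    continue
                findings.append((source, lineno, name))
    return findings


def scan_env(env, entropy_threshold=3.5, min_len=16):
    """Environment variables: a credential-like name holding a long,
    high-entropy value. Short placeholders such as 'changeme' are ignored."""
    findings = []
    for name, value in env.items():
        if NAME_HINT.search(name) and len(value) >= min_len \
                and shannon_entropy(value) >= entropy_threshold:
            findings.append(("env", name, "high_entropy_credential"))
    return findings


# Constructed sample file (line numbers matter for the findings).
SAMPLE_FILE = """\
# constructed config file
db_password = "changemechangeme"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key: 'x9F2kLq8ZrT4mN1vB7yW3eH6cJ0dS5aP'
-----BEGIN RSA PRIVATE KEY-----
"""

# Constructed environment.
SAMPLE_ENV = {
    "HOME": "/home/deploy",
    "PATH": "/usr/bin:/bin",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "DB_PASSWORD": "changeme",
}

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_FILE, "config") + scan_env(SAMPLE_ENV):
        print(*hit)
```

The entropy gate is what keeps the loose pattern usable: the placeholder password on line 2 scores 2.75 bits per character and is dropped, while the 32-character key on line 4 scores 5 and is reported. A real scanner would add allow-lists for known test fixtures and verify live credentials against the provider before alerting.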
Network Scanning
Involves using tools and techniques to discover devices on a network, identify open ports, and gather information about the services and protocols
Transmission Control Protocol (TCP) Scans
Common type of network scan that works by sending TCP packets to a range of ports on a target system
SYN Scans / Half-Open Scans
One of the fastest and stealthiest ways to scan TCP ports
Sends only a SYN and reads the reply: SYN/ACK means the port is open, RST means closed, no reply means filtered. The scanner never sends the final ACK that would complete the three-way handshake (it usually answers the SYN/ACK with a RST), so the application never sees a full connection to log
Full-Connect Scans / Connect Scans
Involve completing the three-way handshake (SYN, SYN/ACK, ACK) to establish a full connection to the target port. Needs no raw-socket privileges, but the connection is visible to the application and its logs
FIN Scans
Type of stealth scan that sends a FIN (finish) packet to a target port with no prior connection. An RFC-compliant stack replies RST from a closed port and stays silent on an open one, so silence means open or filtered; Windows and some other stacks send RST either way, making every port look closed
User Datagram Protocol (UDP) Scans
UDP is connectionless, so the scan sends UDP packets to target ports and analyzes the responses: an ICMP port-unreachable reply means closed, a UDP reply means open, and silence means open or filtered. Slow in practice, because the scanner must wait out timeouts and hosts rate-limit ICMP errors
Null Scans
Exploit how different operating systems respond to unusual TCP packets
Send packets with no flags set; closed ports answer RST and open ports are expected to stay silent, so the response rules are the same as for a FIN scan
Fragmented Scans
Split the TCP header across several small IP fragments to help bypass simple filtering rules that only inspect whole packets or the first fragment
Idle Scans / Zombie Scans
Uses a third-party system (the zombie) to probe the target: the scanner spoofs the zombie's address on its SYN packets and infers the port state from how the zombie's IP ID counter advances, so the target only ever sees traffic from the zombie
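The response rules behind the SYN, connect, FIN, NULL, UDP and idle scans above, as an added example (not Nmap's code or any scanner's): it builds and parses constructed TCP header bytes and applies the open/closed/filtered logic, without sending anything on the wire. The flag values are the standard TCP flag bits; the scan-type names and the response tuples for UDP are this example's own conventions.

```python
"""Added example: the port-state inference behind SYN, connect, FIN, NULL, UDP
and idle scans. Header bytes are constructed and parsed locally; nothing is
transmitted."""
import struct

# TCP flag bits (RFC 9293), low byte of the flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What the scanner sends for each scan type.
PROBE_FLAGS = {"syn": SYN, "connect": SYN, "fin": FIN, "null": 0}

TCP_HDR = "!HHIIBBHHH"  # src, dst, seq, ack, data offset, flags, window, csum, urg


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header, no options. Checksum left 0: the bytes are
    only parsed here, never transmitted."""
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)


def tcp_flags(header):
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack_from(TCP_HDR, header)[5]


def classify_tcp(scan_type, response):
    """response: raw TCP header bytes from the target, or None on timeout.
    SYN/connect: SYN+ACK = open, RST = closed, silence = filtered.
    FIN/NULL: RST = closed, silence = open|filtered (an RFC-compliant stack
    does not answer on an open port). Stacks that RST any out-of-state
    segment (Windows, many appliances) make every port look closed."""
    if scan_type not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan_type!r}")
    if response is None:
        return "filtered" if scan_type in ("syn", "connect") else "open|filtered"
    flags = tcp_flags(response)
    if flags & RST:
        return "closed"
    if scan_type in ("syn", "connect") and flags & SYN and flags & ACK:
        return "open"
    return "unexpected"


def classify_udp(response):
    """response: None, ("udp", payload) or ("icmp", type, code).
    Only ICMP type 3 code 3 (port unreachable) proves closed; the other
    unreachable codes come from a filter, and silence is ambiguous."""
    if response is None:
        return "open|filtered"
    if response[0] == "udp":
        return "open"
    if response[0] == "icmp" and response[1] == 3:
        return "closed" if response[2] == 3 else "filtered"
    return "unexpected"


def idle_scan_verdict(ipid_before, ipid_after):
    """Zombie IP ID before and after the spoofed SYN, assuming the zombie uses
    one global counter that goes up by one per packet it sends.
    Open target port: target sends SYN/ACK to the zombie, zombie answers
    RST (+1), then answers the scanner's own probe (+1): delta 2.
    Closed: target sends RST, zombie ignores it, only the probe counts: delta 1.
    The counter is 16 bits, so the subtraction must wrap."""
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "zombie not idle"


if __name__ == "__main__":
    syn_ack = build_tcp_header(80, 40000, SYN | ACK)
    rst = build_tcp_header(80, 40000, RST | ACK)
    print("syn ", classify_tcp("syn", syn_ack), classify_tcp("syn", rst), classify_tcp("syn", None))
    print("fin ", classify_tcp("fin", rst), classify_tcp("fin", None))
    print("udp ", classify_udp(("icmp", 3, 3)), classify_udp(None))
    print("idle", idle_scan_verdict(0xFFFF, 0x0001))
```

The asymmetry between the scan types is the point: a SYN scan can distinguish open from filtered because an open port must answer, while FIN and NULL scans rely on silence, which is also what a firewall produces. The idle-scan function shows why a zombie must be truly idle: any other traffic it sends adds to the IP ID delta and destroys the inference.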
Mobile Scanning
Involves using tools and techniques to analyze mobile applications and devices to identify security vulnerabilities, misconfigurations, and potential threats
Static Application Security Testing (SAST) for Mobile Apps
Involves analyzing the source code, bytecode, or binary code of an application without executing it
Dynamic Application Security Testing (DAST) for Mobile Apps
Involves analyzing the application while it is running
Quick Android Review Kit (QARK)
Open-source tool that analyzes Android apps (source or APK) for common security vulnerabilities and configuration weaknesses such as exported components and insecure settings
Trivy
Used to scan container images for vulnerabilities (also scans filesystems and IaC files)
Sidecar
Secondary container that runs alongside the main one in the same pod
Infrastructure as Code (IaC)
Manages and provisions the IT infrastructure using code and automation tools
Terraform
AWS CloudFormation
Ansible
IaC Static Code Analysis
Involves examining the IaC templates without executing them (nothing is deployed), e.g. looking for open security groups or unencrypted storage before the change reaches an environment
CloudFormation Guard
Tool for AWS CloudFormation that lets you define rules and enforce them against the IaC templates before deployment
Policy-as-Code
Involves defining security and compliance policies in code, which can be automatically applied to IaC templates
Drift Detection
Involves monitoring the deployed infrastructure for changes that deviate from the defined IaC templates, such as a setting changed by hand in the console after deployment
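Policy-as-code and drift detection on one small template, as an added example (not CloudFormation Guard, CloudFormation's own drift detection, or any real tool): a static policy check runs against a CloudFormation-style template held as a dict, and a drift check compares the template's declared properties with an observed state. The template, the rule identifiers and the observed state are constructed; no cloud API is called.

```python
"""Added example: policy-as-code and drift detection over a CloudFormation-style
template. Not CloudFormation Guard or any real tool; the template, policy rules
and observed state are constructed for this example."""

TEMPLATE = {
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
        "ScratchBucket": {  # deliberately weak: no encryption, public ACLs allowed
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False}},
        },
    }
}

# Policy rules: (resource type, property path, operator, expected, message).
# Rule ids are placeholders for this example.
POLICY = [
    ("AWS::S3::Bucket", ("Properties", "BucketEncryption"), "exists", None,
     "S3-001 bucket must define default encryption"),
    ("AWS::S3::Bucket", ("Properties", "PublicAccessBlockConfiguration", "BlockPublicAcls"),
     "equals", True, "S3-002 bucket must block public ACLs"),
]


def get_path(obj, path):
    """Walk nested dicts/lists; None if any step is missing."""
    for key in path:
        if isinstance(obj, dict) and key in obj:
            obj = obj[key]
        elif isinstance(obj, list) and isinstance(key, int) and key < len(obj):
            obj = obj[key]
        else:
            return None
    return obj


def evaluate_policy(template, policy=POLICY):
    """Static check before deployment: sorted (resource name, message) violations."""
    violations = []
    for name, res in template.get("Resources", {}).items():
        for rtype, path, op, expected, msg in policy:
            if res.get("Type") != rtype:
                continue
            actual = get_path(res, path)
            ok = actual is not None if op == "exists" else actual == expected
            if not ok:
                violations.append((name, msg))
    return sorted(violations)


def diff_state(declared, observed, prefix=""):
    """Recursive property diff: (path, kind, declared value, observed value)."""
    drift = []
    for k in sorted(set(declared) | set(observed)):
        path = f"{prefix}.{k}" if prefix else k
        if k not in observed:
            drift.append((path, "removed", declared[k], None))
        elif k not in declared:
            # Cloud-side defaults also show up here, so real tools filter
            # "added" entries against a list of known defaults.
            drift.append((path, "added", None, observed[k]))
        elif isinstance(declared[k], dict) and isinstance(observed[k], dict):
            drift.extend(diff_state(declared[k], observed[k], path))
        elif declared[k] != observed[k]:
            drift.append((path, "changed", declared[k], observed[k]))
    return drift


def detect_drift(template, observed_resources):
    """Compare each declared resource with what is deployed
    (observed_resources: logical name -> observed properties, absent if deleted)."""
    report = {}
    for name, res in template["Resources"].items():
        declared = res.get("Properties", {})
        if name not in observed_resources:
            report[name] = [("", "missing", declared, None)]
            continue
        d = diff_state(declared, observed_resources[name])
        if d:
            report[name] = d
    return report


# Constructed observed state: public ACLs were unblocked on LogsBucket by hand
# and a tag was added; ScratchBucket was deleted outside of IaC.
OBSERVED = {
    "LogsBucket": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": False, "RestrictPublicBuckets": True},
        "Tags": [{"Key": "owner", "Value": "platform"}],
    },
}

if __name__ == "__main__":
    for v in evaluate_policy(TEMPLATE):
        print("POLICY", *v)
    for name, entries in detect_drift(TEMPLATE, OBSERVED).items():
        for e in entries:
            print("DRIFT", name, *e)
```

The two checks catch different failures: the policy check flags ScratchBucket before anything is deployed, while drift detection is the only thing that notices LogsBucket's BlockPublicAcls being flipped after deployment, since the template itself still looks compliant.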
Industrial Control Systems (ICS) Vulnerability Scanning
Using tools to identify security weaknesses in industrial control systems
Manual Assessment
Involves hands-on inspection and evaluation of ICS components by cybersecurity professionals
Vulnerability Testing
Involves testing the ICS components for known vulnerabilities using specialized tools and techniques
Port Mirroring
Technique used to monitor network traffic by duplicating the data from one or more ports on a network switch to a designated monitoring port
Service Set Identifier (SSID)
The name of a wireless network broadcasted by access points to help devices identify and connect to the network
SSID Scanning
Detecting and listing all the available wireless networks within a certain range
Helps detect and list rogue access points
Channel Scanning
Involves analyzing which Wi-Fi channels nearby access points use to identify congestion, interference, and the optimal channel selection for your own access points
SonarQube
A static analysis tool that helps developers identify bugs, security vulnerabilities, and code smells (patterns that hurt maintainability without necessarily being bugs)