Overview

  • Divided into two areas: scanning for known vulnerabilities, and analyzing the scan results to determine a path forward
  • Analysis can be broken down further into:
    • Descriptive - describes the data set by its characteristics (what was found, where, and how much)
    • Diagnostic - e.g. reviewing the data to determine the root cause of a vulnerability
    • Predictive - evaluating historical and current data to estimate future probabilities or detect trends
    • Prescriptive - narrows down which actions to take to eliminate a problem, or triggers a specific action

Finding Vulnerabilities

There are manual and automated methods of finding vulnerabilities. For the OSCP, automated methods are forbidden.

Automated Scanning

# nmap version detection (-sV) fingerprints the service and version on each open port, which is what the exploit search below keys on
# -oA writes three files under <output>: normal (.nmap), grepable (.gnmap) and XML (.xml)
nmap -sV <target-ip> -oA <output>

# web vulnerability scan with nikto, results saved to output.txt
nikto -h http://<target> -o output.txt

Finding Exploits

# install command for searchsploit
sudo apt install exploitdb -y

# finding available PoCs for an app with searchsploit (-w/--www prints the exploit-db.com URL next to each local path)
searchsploit --www <appname> <version>
searchsploit openssh 7.2

# searching via metasploit (type:exploit limits the search to exploit modules)
msfconsole
msf6 > search type:exploit <name>
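The two halves of these notes meet in the scan output: the version strings nmap -sV writes are the terms searchsploit is queried with. As an added example (not part of the original notes, and not nmap's or searchsploit's own code), the Python script below parses the XML file that nmap -sV -oA produces, keeps only open ports, separates services nmap actually probed (method="probed") from ones it only guessed from its port table, and builds the "<appname> <version>" terms in the form the searchsploit command above takes. The embedded XML sample is constructed for this example; the host, ports and versions are invented, and real output carries more attributes but the same structure. Run it with a path to a real <output>.xml as the first argument, or with no argument to use the sample.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the XML that `nmap -sV -oA <output>` writes (<output>.xml).
# Host, ports and version strings are invented for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oA scan 192.0.2.10" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one record per open port: host, port, protocol, service name,
    product/version if -sV identified them, and whether that identification came
    from an actual probe (method="probed") rather than nmap's static port table."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no usable service version
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "probed": get("method") == "probed",
            })
    return records


def summarize(records):
    """Descriptive analysis of the scan: how much of it is actually fingerprinted,
    and which open ports still need a manual look because -sV could not probe them."""
    probed = [r for r in records if r["probed"]]
    return {
        "hosts": len({r["host"] for r in records}),
        "open_ports": len(records),
        "fingerprinted": len(probed),
        "needs_manual_check": sorted(
            f"{r['host']}:{r['port']}/{r['proto']}" for r in records if not r["probed"]
        ),
    }


def searchsploit_terms(records):
    """Build '<product> <version>' terms in the form `searchsploit <appname> <version>`
    takes. Only probed services with both fields qualify; a name guessed from the
    port table is not evidence of what is really listening."""
    return [
        f"{r['product']} {r['version']}"
        for r in records
        if r["probed"] and r["product"] and r["version"]
    ]


if __name__ == "__main__":
    # Read a real <output>.xml if a path is given, otherwise use the constructed sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    recs = parse_services(xml_text)
    for r in recs:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} "
              f"{r['product'] or '?'} {r['version'] or '?'}")
    print(summarize(recs))
    print(searchsploit_terms(recs))
```

The probed/table split matters for the analysis step: a port whose service nmap only looked up by number (port 8080 in the sample) yields no version to search on, so it belongs in the "needs manual check" list rather than being treated as fingerprinted.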