Vulnerability Scan Assessment CS/IT 463 Bryan Dean Jonathan Ammons.

Slides:



Advertisements
Similar presentations
By Bruce Ellis Western Governors University. Demonstrate the need for updating information systems Build security awareness Inform management of the risk.
Advertisements

3D Tool Examples Dave Breslin Tenable Discussions Forum)
Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
SecurityCenter Reporting Nessus Scan Report. SecurityCenter Reports For customers who use Nessus for vulnerability scanning and then move to SecurityCenter,
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
Vulnerability Assessments with Nessus 3 Columbia Area LUG January
Vulnerability Scanning at NU Robert Vance NUIT-Telecom & Network Services.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
VULNERABILITY SCANNERS By Ranga Roy Chowdary koduru Raveesh Chilakapati.
Nessus – A Vulnerability Scanning Tool SUNY Technology Conference June 2003.
Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.
Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard.
Computer Security and Penetration Testing
Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard 12/5/2010Greg Williams CS591.
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
| University of Missouri Copyright ©2007 MOREnet and The Curators of the University of Missouri Statenet Security on the cheap and easy Beth.
Vulnerability Types And How to Use Them.
The Business of Penetration Testing
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room /11/10.
0 Kluge Burch Zimmerling GRC Advisors Commodity Services Specification Penetration Testing & Application Security Assessment January 2015.
1 GFI LANguard N.S.S VS NeWT Security Scanner Presented by:Li,Guorui.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Shadow Security Scanner Li,Guorui. Introduction Remote computer vulnerabilities scanner Runs on Windows Operating Systems SSS also scans servers built.
MIS Week 6 Site:
Chapter 11: Managing a Secure Network
Port Scanning and Enumeration (NMAP)
Network Assessment How intrusion techniques contribute to system/network security Network and system monitoring System mapping Ports, OS, applications.
GCSC August Backup Exec Critical Vulnerability Cannot offer tcp/6101, tcp/6106 & tcp/10000 to offsite Will be scanning from offsite soon Strongly.
Welcome To Hackaholic Nmap Level 2 Instructor: Kumar Shubham.
MIS Week 6 Site:
Security measures across the software development process Dr. Holger Peine Slide 1 Security vulnerabilities are clearly.
Retina Network Security Scanner
Module 5 – Vulnerability Identification  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability Identification.
Hadoop Joshua Nester, Garrison Vaughan, Calvin Sauerbier, Jonathan Pingilley, and Adam Albertson.
IT 463 – Scanning Assignment Shane Knisley Erik Bennett.
ICS312 Introduction to Compilers Set 23. What is a Compiler? A compiler is software (a program) that translates a high-level programming language to machine.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Vulnerability Scanning Michael Overton, Jason Ferris, Erik Brown.
Enumeration March 2, 2010 MIS 4600 – MBA © Abdou Illia.
-SHAMBHAVI PARADKAR TE COMP  PORT SCANNING.  DENIAL OF SERVICE(DoS). - DISTRIBUTED DENIAL OF SERVICE(DDoS). REFER Pg.637 & Pg.638.
GFI LANguard Matt Norris Dave Hone Chris Gould. GFI LANguard: Description Through the performances of the three (3) cornerstones of vulnerability management:
Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.
Thomas Bowen Jerrod Mirabal Derek Smith. Application Wizard-like ASP.NET web application running on.NET Framework 3.0 View output as tables Charts Output.
Top 10 Hacking Tool Welcome TO hackaholic Kumar shubham.
A Comprehensive Security Assessment of the Westminster College Unix Lab Jacob Shodd.
Penetration Test Debrief
Nessus Vulnerability Scan
Exploiting Metasploitable 2 with Metasploit in Kali-Linux 2016
Metasploit a one-stop hack shop
Metasploit assignment
PT0-001 Dumps PDF CompTIA PenTest+ Exam Exam Code Exam Name.
Penetration Testing 10/12/2018 Penetration Testing.
Penetration Testing 10/12/2018 Penetration Testing.
Intro to Ethical Hacking
Intro to Ethical Hacking
Analysis Report Kali Linux Metasploit
Metasploit Assignment
Nessus Vulnerability Scan
Metasploit Analysis Report Overview
Metasploit assignment – Arkadiy Kantor – Mis-5212
Penetration Testing & Network Defense
Presentation transcript:

Vulnerability Scan Assessment CS/IT 463 Bryan Dean Jonathan Ammons

Scanners Tenable Nessus Tenable Nessus GFI LANGuard GFI LANGuard Nmap Nmap eEye Retina 5 eEye Retina 5 Shadow Security Scanner Shadow Security Scanner

Network Scanned CS network, IP range Scanned CS network, IP range Scanners found between hosts active Scanners found between hosts active Low host count could be attributed to the timing of our scans, after 5 pm. Low host count could be attributed to the timing of our scans, after 5 pm.

Results All together, scanners found 87 vulnerabilities on scanned hosts All together, scanners found 87 vulnerabilities on scanned hosts Critical: 4, High: 40, Medium: 11, Low: 11 (Only one scanner gave the ‘critical’ rating) Critical: 4, High: 40, Medium: 11, Low: 11 (Only one scanner gave the ‘critical’ rating) Some vulnerabilities given different CVSS ratings by different scanners. Some vulnerabilities given different CVSS ratings by different scanners.

Analysis Methods Wrote unique parser in perl for each scanner’s output. Wrote unique parser in perl for each scanner’s output. Parse results were standardized. Parse results were standardized. Standardized results were consolidated using another perl script. Standardized results were consolidated using another perl script. Output to a comma delimited file. Output to a comma delimited file.

Majority Voting Looked for same vulnerability found by different scanners on same machine Looked for same vulnerability found by different scanners on same machine Only two vulnerabilities were identified by more then one scanner on the same machine. Only two vulnerabilities were identified by more then one scanner on the same machine.

Criticality Voting 4 critical vulnerabilities on 4 hosts. 4 critical vulnerabilities on 4 hosts. 40 high vulnerabilities on 25 hosts. 40 high vulnerabilities on 25 hosts. 11 medium vulnerabilities on 11 hosts. 11 medium vulnerabilities on 11 hosts. 32 low vulnerabilities on 32 hosts. 32 low vulnerabilities on 32 hosts.

SANS Top Twenty Created a list of 2006 SANS top twenty CVE codes. Created a list of 2006 SANS top twenty CVE codes. A script compared that list to our vulnerability found lists. A script compared that list to our vulnerability found lists. Only 1 vulnerability that we found was on the SANS top twenty: CVE Only 1 vulnerability that we found was on the SANS top twenty: CVE

Metasploit Didn’t want to use Metasploit on the CS network. Didn’t want to use Metasploit on the CS network. Ran Nessus on our private network, then used that data to use Metasploit for most likely vulnerability. Ran Nessus on our private network, then used that data to use Metasploit for most likely vulnerability. Weren’t able to penetrate. Weren’t able to penetrate. Completely Manual. Completely Manual.

Discussion of Scanners Nessus and Retina gave CVE codes for vulnerabilities found Nessus and Retina gave CVE codes for vulnerabilities found Nessus, Retina, and GFI Languard gave Bugtraq codes for some vulnerabilties found Nessus, Retina, and GFI Languard gave Bugtraq codes for some vulnerabilties found NMap gave only port information, no real vulnerabilties NMap gave only port information, no real vulnerabilties Shadow Security Scanner didn’t give meangingful data. Shadow Security Scanner didn’t give meangingful data.

Final Process Scanner creates individual output file Scanner creates individual output file Scanner output is parsed into our own standardized format Scanner output is parsed into our own standardized format Parsed output from multiple scanners is consolidated by hand using Excel, then outputted to comma-deliminated file. Parsed output from multiple scanners is consolidated by hand using Excel, then outputted to comma-deliminated file. Final analysis (criticality, majority, and SANS top twenty) are performed by final scripts. Final analysis (criticality, majority, and SANS top twenty) are performed by final scripts.

Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.