Vulnerability Analysis is the process of scanning target resources, enumerating potential vulnerabilities, and identifying potential attack vectors (physical and electronic). Authorized and unauthorized personnel (hackers) may use footprinting (open source intelligence), active reconnaissance (scanning), and enumeration techniques to gather information on target resources. Data gathered may include physical location layouts, network addresses, open ports, software versions, patch levels, user information, controls, configuration information, hosted services, and other.
The analysis will compare the target information against publicly disclosed vulnerabilities (CVEs) to identify potential exposures. The analysis may be used in authorized penetration tests and/or to help mitigate potential issues and exposures (action plans).
- Foot printing (aka reconnaissance) – process of collecting as much as information from publicly available resources as possible about the target organization and their systems before scanning. See the Open Source Intelligence page for more info
- Scanning (passive and active) – passive scanning is the process of monitoring all network activity and while active scanning involves sending requests to a specific range of addresses on a target host to find the active ports and associated services. Passive scanning is harder to detect by the target organization while active scanning can be detected (see the Scanning page for more info).
- Enumeration – Probing the target for specific information that will identify potential vulnerabilities (e.g., software versions, patch levels, available services, usernames, config details, etc.). This step may require some can also include reviewing code and data files for vulnerabilities (reverse engineering).
- Exploitation – Taking advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic
Enumeration & Exploitation Steps
- Use the target configration information collected from the scanning phase
- Use tools like metasploitable to run scripts to assess the target configuration for known vulnerabilities
Code Evaluation Steps
Below are some example of Linux commands to reverse executable files into a readable format (enumerate) so you can identify vulnerabilities or bypass controls (exploit).
- Download file(s) into a safe place – Be very careful of files coming from non-verifiable source and run virus detection software as needed.
- Determine File Type: Run ‘$ file [filename]‘ command to determine the type:
- ELF (Executable Link Format) – Linux pgm
- PE (Portable Executable) – Windows pgm
- AIF ( ARM Image Format ) – Embedded System
- Display Visible Text – Run ‘$ strings [filename]‘ command to see if it exposes helpful text strings.
- Use Hex editor (e.g., hex it) – View Raw data to see it exposes helpful info. Focus on the top of the file and bottom of the file.
- Make the code Executable: Run ‘$ chmod +x [filename]‘
- Execute the code: Run ‘$ ./[filename]‘ to analyze its behavior.
- ‘Fuzz’ the Code – Cause the program to fail ungracefully (using unexpected input).
- Review Source code (if available): review for exploit opportunities and opportunites to bypass controls (ie. imbedded passwords, etc.)
- Enumerate the code (if source is not available):
- Run ‘objdump -d‘ to display assembler contents of executable or display header of an executable.
- Try to uncompile to code (i.e., uncompyle6 for python)
- Try tools to review (e.g., Ghidra, etc. )
- Exploit the code:
- Try altering the code input to cause a failure (buffer overflow)
- Try tools to alter the code input de (e.g., pwntools, etc. )
- Other: tbd
- ‘File‘ Command – Linux command to view determine a file type (to include executables)
- ‘Strings‘ Command – Linux command to view text (ASCII) and Unicode comments in an executable file.
- Hex Editor – program used to view and edit the raw hex in a binary file.
- Metasploitable –
- xxd -r Command – convert a hex dump back to its original binary form
- Ghidra – open source reverse engineering tool developed by the NSA (GitHub). Similar to tools like IDA, Radare, and Binary Ninja.
- ‘nm’ command – provides info on the symbols being used in an object file or executable file. The default is : Virtual address of the symbol. A character which depicts the symbol type
- Objdump -d – Linux command line dis-assembler; Also used to Display header of an executable: .
- Netcat – utility that reads and writes data across network connections, using the TCP or UDP protocol. It is a reliable “back-end” tool used directly or driven by other programs and scripts.
- uncompyle6 – translates Python bytecode back into equivalent Python source code:
- sudo pip install uncompyle6
- uncompyle6 file.pyc
- GDB – Linux command line debug tool ; inspect memory w/n the code being debugged, control the execution state, detect the execution of particular sections of code, etc.
- Pwntools – a CTF framework and exploit development library. Written in Python, designed for rapid prototyping and development, and intended to make exploit writing as simple as possible..
- PicoCTF Learning Guide: Binary Exploitation (3 pages)
- PicoCTF Learning Guide: Reverse Engineering: Time to get with the Program (5 pages)
- Youtube: Basics of Hacking – Enumeration (6:18)
- Youtube: Discovering And Enumerating Targets – Metasploit Minute (8:01)
- Youtube: Solving CTF Challenges: Reverse Engineering, Part 1 (1:01:26 )
- Youtube: Reverse Engineering Basics (1:57:24) – Windows platform
- Youtube: Pull apart an EXE file with Ghidra (NSA Tool) (Reverse Engineering) (45:27)
- Youtube: Fork Bombs and Other Malware (xx:xx)