Analyzing Scans

Process of interpreting collected scan data to distinguish real threats from noise.

  • Purpose: Identify genuine vulnerabilities; plan targeted attacks
  • Importance: Reduces false positives/negatives; informs risk-based prioritization

Domain: Vulnerability Discovery & Analysis (3) & Attacks & Exploits (4)


Lesson Previews

  • Positive vs Negative Results
    • True Positives: Confirmed real vulnerabilities (e.g., exploitable SQLi)
    • True Negatives: Confirmed absence of issues
    • False Positives/Negatives: Scanner errors; require manual verification
  • Validation Techniques: Cross-tool checks (Nmap, Netcat), manual tests (SSH, Apache version)
  • Vulnerability Prioritization: CVEs, CVSS, EPSS, target criteria (high-value assets, EOL, defaults)
  • Automation: Scripting for result validation
  • Documentation: Clear record of scan config, findings, attack plan
  • Other Considerations: Dependencies, scope limits, labeling sensitive systems

Positive & Negative Results

  • True Positives: e.g., CVE-2022-123 SQL injection confirmed
  • True Negatives: Manual review verifies no issues
  • False Positives: Scanner flags sanitized XSS form
  • False Negatives: Missed buffer overflow

Validating Scan Results

  • Combine automated scans with manual tests
  • Commands:
    • SSH check: ssh user@host -p 22
    • Apache version: apache2 -v or httpd -v
  • Cross-check data with OSINT tools (theHarvester, Hunter.io)

Using CVEs & CVSS

  • CVE: Unique IDs for known vulnerabilities
  • CVSS: Severity score (0–10: Low→Critical)
  • Resources: JPCERT, NVD, CERT, CWE, CAPEC
  • Use: Map scan findings to CVEs; prioritize by CVSS

Exploit Prediction Scoring System (EPSS)

  • Predicts exploitation likelihood vs CVSS’s impact focus
  • Integration: Combine EPSS with asset criticality for triage

Target Prioritization

  • High-Value Assets: Customer DBs, financial servers
  • EOL Systems: Windows XP, Flash Player
  • Default Configs: admin/admin, open services
  • Encryption Flaws: MD5, SHA-1, POODLE
  • Defense Gaps: Bypass IDS/IPS using stealth scans
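The CVSS/EPSS and Target Prioritization points above, carried through as an added example (not from the original notes): each finding gets a priority that blends CVSS impact with EPSS likelihood, scales it by asset criticality, bumps EOL platforms, and drops findings manual validation has disproven. The weights, the 1.25 EOL factor, and the placeholder CVE ids are assumptions for illustration; the sample scan results are constructed.

```python
"""Triage scanner findings by CVSS severity, EPSS likelihood and asset criticality.
Added example on constructed data; weights and placeholder ids are assumptions."""
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    cve: str              # placeholder id, not a real CVE
    cvss: float           # CVSS base score, 0.0 to 10.0
    epss: float           # EPSS probability of exploitation, 0.0 to 1.0
    asset_weight: float   # 1.0 ordinary host, 2.0 high-value (customer DB, finance)
    eol: bool = False     # end-of-life platform (e.g. Windows XP)
    status: str = "unverified"  # "true_positive", "false_positive" or "unverified"

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"

def priority(f: Finding) -> float:
    """Blend impact (CVSS) and likelihood (EPSS) equally, scale by asset weight,
    bump EOL platforms 25% (no patch is coming); disproven findings score 0."""
    if f.status == "false_positive":
        return 0.0
    blended = 0.5 * (f.cvss / 10.0) + 0.5 * f.epss
    score = blended * f.asset_weight
    if f.eol:
        score *= 1.25
    return round(score, 3)

def triage(findings: list[Finding]) -> list[tuple[str, str, str, float, str]]:
    """Return (host, cve, severity, priority, status) for every finding that
    survived validation, highest priority first; unverified ones stay flagged."""
    ranked = [(f.host, f.cve, cvss_severity(f.cvss), priority(f), f.status)
              for f in findings if f.status != "false_positive"]
    return sorted(ranked, key=lambda r: r[3], reverse=True)

# Constructed scan results; ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("db01", "CVE-0000-PLACEHOLDER-A", 9.8, 0.92, 2.0, status="true_positive"),
    Finding("web02", "CVE-0000-PLACEHOLDER-B", 7.5, 0.05, 1.0),
    Finding("legacy01", "CVE-0000-PLACEHOLDER-C", 6.5, 0.42, 1.0, eol=True),
    Finding("web02", "CVE-0000-PLACEHOLDER-D", 8.8, 0.01, 1.0, status="false_positive"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Note that the EOL host outranks the higher-CVSS web finding once EPSS and the missing patch are taken into account, which is exactly the reordering CVSS alone would not give you.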

Scripting for Validation

Automate result checks:

#!/bin/sh
# Sweep the subnet, then confirm each host Nmap reports as Up really answers SSH
# (BatchMode never prompts for a password, so only key-based logins succeed).
for host in $(nmap -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}'); do
  ssh -oBatchMode=yes -oConnectTimeout=5 -p22 "user@$host" echo ok && echo "$host: ssh ok"
done

Capability & Tool Selection

  • Correct Tool: Nmap/Nessus (network), Burp/ZAP/Nikto (web), Metasploit/exploitdb (exploit)
  • Consider environment (internal vs external), target, and learning curve
  • Code analysis: review and test public exploits from GitHub only in a sandboxed environment
  • Scan completeness: cover all potential vulnerabilities, not just the default checks
  • Troubleshooting scans: fix errors and gaps so results are accurate and reliable

Attack Documentation

  • Attack Path: Step-by-step record (recon to exploit)
  • Diagrams: Network layouts (draw.io)
  • Storyboard: Screenshots + captions for stakeholders

Other Attack Considerations

  • Dependencies: DBs, APIs, services
  • Scope Limits: Define off-limits systems and actions
  • Sensitive Systems: Label PII/financial servers; handle with care

Takeaway: Effective scan analysis transforms raw data into prioritized, actionable insights for precision attacks.