Host-based vulnerability scanning targets individual devices on the network. These scans analyze the software configurations, settings, and applications running on the host device to identify vulnerabilities, misconfigurations, or other security issues that could be exploited.
Many of the tools used to perform network vulnerability scans can also be used to scan individual hosts. For example, Greenbone’s OpenVAS is an open-source vulnerability scanner that offers host-based scanning capabilities.
OpenVAS
Once OpenVAS is installed and running, the PenTester can specify a host device on the network as the scan target. When the scan is complete, OpenVAS compiles a report listing the potential vulnerabilities it found, ranked by severity.
BloodHound
BloodHound is a powerful tool used to identify vulnerabilities in Active Directory domain environments. BloodHound starts by mapping the relationships between users, groups, computers, and other objects within an AD environment. It then analyzes the permissions, trust relationships, and group memberships to identify potential attack paths that can be exploited.
Once this is done, BloodHound generates a graphical representation of the relationships and permissions discovered, making it easy to analyze these relationships and identify areas that can be exploited. This information can be used to perform privilege escalation and lateral movement through the network.
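To make the path analysis concrete, here is an added example (not BloodHound's own code) that builds a small BloodHound-style relationship graph from constructed edges, finds each user's shortest path to the Domain Admins group, and ranks the edges that the most paths depend on, which is where a defender would cut first. The node names and the MemberOf/AdminTo/HasSession edge kinds follow BloodHound's data model; all of the data is constructed.

```python
from collections import Counter, deque
# Constructed BloodHound-style edge list (sample data, not a real domain). Directions
# follow BloodHound: principal -MemberOf-> group, principal -AdminTo-> computer,
# computer -HasSession-> user (the computer holds a logon session of that user).
EDGES = [
    ("alice@CORP", "MemberOf", "HELPDESK@CORP"),
    ("HELPDESK@CORP", "AdminTo", "WS01.CORP"),
    ("WS01.CORP", "HasSession", "bob@CORP"),
    ("bob@CORP", "MemberOf", "SERVER-OPS@CORP"),
    ("SERVER-OPS@CORP", "AdminTo", "SRV01.CORP"),
    ("AUDITORS@CORP", "AdminTo", "SRV01.CORP"),
    ("carol@CORP", "MemberOf", "AUDITORS@CORP"),
    ("SRV01.CORP", "HasSession", "da_admin@CORP"),
    ("da_admin@CORP", "MemberOf", "DOMAIN ADMINS@CORP"),
]
TARGET = "DOMAIN ADMINS@CORP"

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])  # leaf nodes still need an entry
    return graph

def shortest_path(graph, start, target):
    """BFS over the directed edges; returns [(src, rel, dst), ...] or None."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:  # walk back to the start node
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def users_with_path(graph, target):
    """Remediation worklist: user (lowercase names in this sample) -> shortest path."""
    paths = {u: shortest_path(graph, u, target) for u in graph if u[0].islower()}
    return {u: p for u, p in paths.items() if p}

def choke_edges(paths):
    """Edges ranked by how many paths cross them; removing the top ones breaks the most paths."""
    return Counter(hop for p in paths.values() for hop in p).most_common()
```

In this sample the top-ranked edge is the legitimate Domain Admins membership itself; the next one, the privileged session on SRV01, is the realistic fix, since clearing that session and keeping admin logons off member servers breaks three of the four paths.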
PowerSploit
PowerSploit is a collection of PowerShell scripts that can be used to perform a variety of tasks on a Windows-based system, such as the following:
- Script modification
- Gain persistence
- Bypass antivirus
Industrial Control Systems
Scanning and discovering vulnerabilities in industrial control systems (ICSs) can present unique challenges for the PenTester. These systems control and monitor critical processes in industries such as manufacturing, transportation, and water treatment. It is important to test these systems during a PenTest, as any discovered vulnerabilities can have devastating consequences.
Some of the unique challenges these systems can pose include the following:
- ICSs may use legacy systems that were not initially developed with security in mind, which makes them more vulnerable to attack.
- ICSs are now often fully integrated with the traditional IT network, which can create additional attack vectors for the network.
- Many ICSs operate under a real-time constraint, meaning an operation or task must be completed within a specified period of time. This makes testing them, and implementing additional security measures, even more complicated.
The PenTester needs to know if ICSs are included in the scope of the PenTest; if they are, the PenTester will need to work with the client to determine the best way to test these systems with minimal impact to production.
Because these systems are so sensitive, using port mirroring can help with vulnerability scanning. Port mirroring, also known as SPAN (Switched Port Analyzer), is a technique used to copy network traffic from one or more ports on a network switch to another port where it can be monitored and analyzed.
Instead of scanning the devices directly, the PenTester can configure the switch to mirror a copy of all traffic to and from the device to a separate port where the vulnerability scanner is connected. The scanner can then analyze this traffic without directly interacting with the programmable logic controller (PLC), identifying any potential vulnerabilities safely. Because this analysis is passive, it can only reveal what the observed traffic exposes (protocols in use, service versions, cleartext credentials), so it will not find issues that a direct scan would surface.