From 37954ac6c5ddb397ff31f72d6070f6e5ef5e2b29 Mon Sep 17 00:00:00 2001 From: Ajay Dhangar Date: Sun, 26 Oct 2025 15:37:04 +0530 Subject: [PATCH] added docs --- .../autopsy-introduction.mdx | 182 +++++++++++- .../volatility-memory-analysis.mdx | 275 +++++++++++++++++- .../nessus-basics.mdx | 137 ++++++++- .../openvas-setup.mdx | 162 ++++++++++- .../vulnerability-scanning-tips.mdx | 106 ++++++- 5 files changed, 852 insertions(+), 10 deletions(-) diff --git a/docs/cybersecurity/cybersecurity-tools/digital-forensics/autopsy-introduction.mdx b/docs/cybersecurity/cybersecurity-tools/digital-forensics/autopsy-introduction.mdx index 0d399cd..ae4ef43 100644 --- a/docs/cybersecurity/cybersecurity-tools/digital-forensics/autopsy-introduction.mdx +++ b/docs/cybersecurity/cybersecurity-tools/digital-forensics/autopsy-introduction.mdx @@ -1,3 +1,181 @@ -import ComingSoon from '@site/src/components/ComingSoon'; +--- +title: "Autopsy — Introduction to Digital Forensics" +description: "Learn the fundamentals of Autopsy — an easy-to-use digital forensics platform for analyzing disk images, recovering files, timeline analysis, and creating forensic reports." +tags: [autopsy, digital-forensics, dfir, tools, incident-response, forensics] +--- - \ No newline at end of file +**Autopsy** is a user-friendly, open-source digital forensics platform that helps examiners investigate disk images, recover deleted files, analyze timelines, and build reproducible forensic reports. It wraps powerful command-line tools (Sleuth Kit, log parsers, file carvers) in an intuitive web-based UI so beginners and experienced analysts can work efficiently. + +This page gives a practical introduction: what Autopsy does, why it’s useful, how to install and start an investigation, core workflows, hands-on lab ideas, and reporting tips — all written in a clear, instructor-style voice. + +## What Is Autopsy and When to Use It + +Autopsy is a forensic graphical interface for analyzing: +* Disk images (E01, raw/dd, AFF) +* Logical file dumps and exported directories +* Memory captures (in some flows) +* File system artifacts (Windows Registry, event logs, browser history, $MFT) + +Use Autopsy when you need to: +* Investigate a compromised machine in an incident response (IR) case +* Recover deleted or hidden files from evidence media +* Build a timeline of user/system activity for root cause analysis +* Produce an evidence-backed report for remediation or legal processes + +## Why Autopsy Is Helpful + +* **Accessible UI** that lowers the entry barrier for new analysts +* **Modular architecture**: ingest modules for web history, email, timelines, hash sets, and more +* **Extensible** via plugins (ingest modules and modules for parsing new artifacts) +* **Reporting**: export case details, alerts, and evidence in formats useful to managers or legal teams +* **Reproducible investigations**: stores metadata and findings so you can re-open and re-run analysis + +Autopsy speeds up DFIR work by automating repetitive parsing and by making complex artifacts searchable. + +## Installing Autopsy (Quick) + +Autopsy runs on Windows, Linux, and macOS (via packages or installers). Basic steps: + +### Windows +1. Download the installer from the Autopsy website. +2. Run the installer — it bundles Java and the Sleuth Kit often. +3. Launch **Autopsy** from Start Menu. + +### Linux (Ubuntu / Debian example) + +```bash +# Install Java and dependencies first (if required) +sudo apt update +sudo apt install default-jre sleuthkit -y + +# Download autopsy tarball or use a package repo if available +# Example (community builds vary): extract and run the autopsy script +./autopsy/bin/autopsy +``` + +### macOS + +* Use available binaries or build from source depending on the release. Check installation notes for Java versions. + +:::tip +Use the latest stable Autopsy release and ensure Sleuth Kit tools (fls, mmls, icat, etc.) are present in PATH for full functionality. +::: + +## Core Forensic Workflow in Autopsy + +1. **Create a Case** + + * New case → case name, examiner, base directory. Autopsy stores analysis artifacts under the case folder. + +2. **Add Data Source** + + * Supported sources: disk image (E01/RAW), logical files, directories, or device images. + * Choose ingest modules to run (file type identification, hash lookup, timeline, email parsing, web history, etc.). + +3. **Run Ingest** + + * Ingest parses the data source, extracts artifacts (files, registry keys, timelines), and categorizes findings (e.g., notable files, keywords hits). + +4. **Review Results** + + * Use the left navigation: **Data Sources → File Types → Recent Activity → Web History → Email → Registry**. + * Search and filter by keywords, hash matches, or specific artifact types. + +5. **Timeline & Analysis** + + * Use Autopsy’s timeline features to order events (file creation, modification, access, MFT entries) to reconstruct user/system activity. + +6. **File Recovery & Carving** + + * Recover deleted files using file carving and by viewing unallocated space. Export extracted files for deeper analysis. + +7. **Generate Report** + + * Export findings, notable items, and timelines in HTML, PDF, or other formats for stakeholders or legal use. + +## Key Modules & Features to Know + +* **File Type Identification & Hashing** — fingerprints files and compares to known-good or blacklists (NSRL, custom hash sets). +* **Keyword Search** — search entire evidence for terms (usernames, exfil keywords, IP addresses). +* **Email & Browser History Parsers** — extract email files, attachments, browsing history, and cookies. +* **Timeline / Recent Activity** — visualize events to spot suspicious behavior. +* **Registry Examiner** — parse Windows registry hives to find installed programs, startup keys, and user activity. +* **File Carver** — extract files from unallocated space based on headers/signatures. +* **SQLite Viewer** — inspect app databases (Chrome, Firefox, Slack, others). +* **Exif & Metadata** — view file metadata (image EXIF, document metadata). + +## Example: Quick Investigation Walkthrough + +**Scenario:** A user reports suspicious outbound connections and deleted documents. + +1. Create a new case: `CaseName = "IR_2025-10-26_EndpointA"`. +2. Add the disk image `endpointA.E01`. +3. Select ingest modules: File Type ID, Hash Lookup (NSRL), Recent Activity, Web History, and Keyword Search (keywords: `invoice`, `exfil`, `rclone`, `ftp`). +4. Run ingest and wait for parsing to complete. +5. Open **Results** → **Recent Activity**. Sort by time and look for suspicious processes or new accounts. +6. Inspect **Deleted Files** and **Unallocated Space** for documents: recover and export any `*.docx` or `*.pdf` matching `invoice`. +7. Check **Network Artifacts** (browser history, saved sessions) for external IPs or suspicious domains. +8. Use **Timeline** to correlate file deletion time with outbound connection timestamps. +9. Export relevant files and generate a concise report (findings, evidence exported, recommended containment steps). + +## Hands-On Labs (Safe Practice) + +### Lab A — Recover Deleted Documents + +* Prepare: Create a VM and a disk image. Create a few documents, delete them, then shutdown and image the disk. +* Steps: + + 1. Load image into Autopsy. + 2. Use **File Types** / **Deleted Files** to locate deleted documents. + 3. Recover and export files; verify contents. + +### Lab B — Timeline Correlation + +* Prepare: On a Windows test VM, create files, open webpages, run known benign tools, then create an image. +* Steps: + + 1. Parse the image with Recent Activity and Timeline ingest modules. + 2. Use the timeline view to correlate file timestamps with browser visits and process execution. + 3. Document the sequence of events. + +### Lab C — Hashset Matching + +* Prepare: Collect a set of known-good hashes (e.g., system files) and a custom hashset of suspicious files. +* Steps: + + 1. Configure Autopsy to use the hash sets (NSRL + custom). + 2. Run hash lookup and surface notable matches (known-bad or known-good). + 3. Review false positives and contextualize matches. + +## Legal & Chain-of-Custody Considerations + +* Always **document** evidence acquisition: who imaged the device, tool versions, dates/timestamps, and commands used. +* Maintain **read-only** access to evidence (mount images read-only) to avoid contaminating the data. +* Keep **hash values** (MD5/SHA1/SHA256) of original images and exported files to prove integrity. +* Use Autopsy’s logging and case metadata to support chain-of-custody documentation if evidence is needed in legal proceedings. + +:::tip Best Practices & Practical Tips +* Work on **copies** of evidence images; never analyze on the original media. +* Keep Autopsy and Sleuth Kit **up to date** to benefit from new parsers and bug fixes. +* Build **ingest profiles** that fit your common case types (IR, eDiscovery, malware triage). +* Combine Autopsy with specialized tools (Volatility for memory, VirusTotal for quick file checks, and YARA for custom signatures). +* Use **keyword lists** tailored to your environment (company names, app identifiers, known exfil tools). +::: + +## Reporting from Autopsy + +When reporting, include: + +* Case metadata (examiner, date, evidence ID). +* Summary of findings (executive summary). +* Technical detail: artifacts, timestamps, recovered files, hashes, and exported evidence paths. +* Impact and suggested remediation (containment, credential resets, patching). +* Appendices: exported files, screenshots of key artifacts, and command logs. + +Autopsy can export many items directly; include those exports as annexes for investigators or legal teams. + +## Final Thoughts + +Autopsy is an approachable and powerful platform for digital forensics and incident response. It enables analysts to move from raw images to actionable intelligence quickly while keeping investigations reproducible and well-documented. + +Start with small, controlled labs to learn modules and workflows. Over time, integrate Autopsy into your IR playbooks and pair it with memory forensics and network data sources to build full-spectrum investigations. \ No newline at end of file diff --git a/docs/cybersecurity/cybersecurity-tools/digital-forensics/volatility-memory-analysis.mdx b/docs/cybersecurity/cybersecurity-tools/digital-forensics/volatility-memory-analysis.mdx index 0d399cd..e0f35a2 100644 --- a/docs/cybersecurity/cybersecurity-tools/digital-forensics/volatility-memory-analysis.mdx +++ b/docs/cybersecurity/cybersecurity-tools/digital-forensics/volatility-memory-analysis.mdx @@ -1,3 +1,274 @@ -import ComingSoon from '@site/src/components/ComingSoon'; +--- +title: "Volatility — Memory Forensics and Analysis" +description: "Learn how to use Volatility for deep memory forensics — extract running processes, detect malware, uncover persistence, and analyze live system behavior from RAM dumps." +tags: [volatility, memory-forensics, digital-forensics, dfir, malware-analysis, incident-response] +--- - \ No newline at end of file +**Volatility** is a powerful, open-source **memory forensics framework** used to analyze volatile data captured from a system’s RAM. It allows investigators to dig into what was happening *in memory* at the time of acquisition — processes, network connections, registry hives, loaded DLLs, and even hidden malware. + +Unlike disk forensics, memory forensics gives **a snapshot of the live system state**, including activities that never touch the disk — making Volatility essential for malware detection, incident response, and threat hunting. + +## What Is Memory Forensics? + +Memory forensics focuses on analyzing the **contents of RAM** captured during or shortly after an incident. This volatile data reveals: +* Running processes and their hierarchy +* Command-line history and open files +* Network connections (open ports, remote IPs) +* Injected code, in-memory malware, or rootkits +* User activity, clipboard data, cached credentials +* Decrypted content from encrypted sessions (sometimes) + +Memory evidence is often the *missing link* in understanding advanced attacks — ransomware, APTs, and live malware infections. + +## What Is Volatility? + +Volatility is a Python-based framework created to **analyze memory dumps** from Windows, Linux, and macOS systems. It extracts forensic artifacts using plugins (modular commands) and supports multiple image formats like `.raw`, `.vmem`, `.mem`, `.dmp`, or `.lime`. + +:::note +The Volatility project has two main versions: +* **Volatility 2** (stable, Python 2/3 compatible) +* **Volatility 3** (next-generation rewrite, Python 3 only, improved plugin structure and speed) +::: + +## Installing Volatility + +### Windows / macOS / Linux (Python environment) + +#### Volatility 3 (recommended) + +```bash +# Clone the Volatility3 repository +git clone https://github.com/volatilityfoundation/volatility3.git +cd volatility3 + +# Install dependencies +python3 -m venv venv +source venv/bin/activate # or .\venv\Scripts\activate on Windows +pip install -r requirements.txt +``` + +Run Volatility: + +```bash +python3 vol.py -h +``` + +#### Volatility 2 (legacy) + +```bash +git clone https://github.com/volatilityfoundation/volatility.git +cd volatility +python vol.py -h +``` + +## Acquiring Memory Dumps + +Volatility works on memory images captured with tools like: + +| OS | Memory Capture Tools | +| ----------- | --------------------------- | +| **Windows** | FTK Imager, DumpIt, WinPMem | +| **Linux** | LiME, AVML, fmem | +| **macOS** | osxpmem | + +Example: + +```bash +winpmem.exe -o memory_dump.raw +``` + +Once captured, verify the hash (MD5/SHA256) for integrity before analysis. + +## Basic Workflow: Analyzing Memory with Volatility + +1. **Identify the image information** + + ```bash + python3 vol.py -f memory_dump.raw windows.info + ``` + + → Determines OS version, architecture, and build number. + +2. **List running processes** + + ```bash + python3 vol.py -f memory_dump.raw windows.pslist + ``` + + → Displays process IDs, parent processes, and creation times. + +3. **Detect hidden/malicious processes** + + ```bash + python3 vol.py -f memory_dump.raw windows.psscan + ``` + + → Scans for processes not linked in standard structures (often malware). + +4. **View network connections** + + ```bash + python3 vol.py -f memory_dump.raw windows.netstat + ``` + + → Shows active TCP/UDP connections, local/remote IPs, and ports. + +5. **Analyze DLLs loaded by processes** + + ```bash + python3 vol.py -f memory_dump.raw windows.dlllist --pid 1234 + ``` + +6. **Dump suspicious processes for malware analysis** + + ```bash + python3 vol.py -f memory_dump.raw windows.memmap --pid 1234 + python3 vol.py -f memory_dump.raw windows.dumpfiles --pid 1234 + ``` + +7. **Check for registry keys in memory** + + ```bash + python3 vol.py -f memory_dump.raw windows.registry.printkey --key "Software\\Microsoft\\Windows\\CurrentVersion\\Run" + ``` + +8. **Command history (useful for attack reconstruction)** + + ```bash + python3 vol.py -f memory_dump.raw windows.cmdline + ``` + +## Advanced Plugins & Use Cases + +### Malware Detection + +* `malfind` — Identify injected code in process memory. +* `modules` — List kernel modules to find unauthorized drivers. +* `ldrmodules` — Detect unlinked DLLs (common stealth technique). +* `svcscan` — List running services. + +### User Activity + +* `consoles` — View console commands entered by users. +* `clipboard` — Retrieve clipboard content. +* `shellbags` — Track folder browsing activity. +* `iehistory` — Analyze Internet Explorer browsing data. + +### Network & Persistence + +* `netscan` — Discover network connections (Volatility 3). +* `autoruns` — Detect persistence mechanisms (startup entries, services). +* `handles` — Examine open files, mutexes, and registry handles. + +## Example Investigation Scenario + +**Scenario:** A suspicious binary is executed on a user machine. The system is imaged and a memory dump is captured. + +### Step-by-step: + +1. Identify system info: + + ```bash + python3 vol.py -f infected.raw windows.info + ``` +2. List all processes: + + ```bash + python3 vol.py -f infected.raw windows.pslist + ``` + + You find `suspicious.exe` running under `explorer.exe` (PID 3260). +3. Check for injected code: + + ```bash + python3 vol.py -f infected.raw windows.malfind --pid 3260 + ``` + + → Volatility reports injected memory sections. +4. Dump the process memory: + + ```bash + python3 vol.py -f infected.raw windows.dumpfiles --pid 3260 + ``` + + → Extract to analyze with antivirus or YARA. +5. Review network connections: + + ```bash + python3 vol.py -f infected.raw windows.netstat + ``` + + → Detects a connection to a suspicious external IP: `185.142.213.50:443`. +6. Generate a quick timeline: + + ```bash + python3 vol.py -f infected.raw timeliner + ``` + + → Cross-reference activity times with other forensic data. + +## Volatility 3 Highlights + +Volatility 3 brings: + +* Python 3 support and modular architecture +* Cleaner plugin design and better cross-platform coverage +* Faster scanning and reduced memory footprint +* Easier creation of custom plugins + +:::note +Example Volatility 3 command: + +```bash +python3 vol.py -f mem.raw windows.pslist +``` +::: + +## Hands-On Lab Ideas + +### Lab 1: Process Enumeration + +* Capture memory from a Windows VM with several open programs. +* Use Volatility to list processes, identify parents/children, and spot anomalies. + +### Lab 2: Hidden Malware Discovery + +* Run a sample malware in a sandbox VM (e.g., Meterpreter payload). +* Dump memory and use `malfind` and `psscan` to detect hidden processes. + +### Lab 3: Command History & Network Tracing + +* Execute commands in PowerShell and open web connections. +* Analyze with `cmdline`, `netscan`, and `consoles` plugins. + +## Combining Volatility with Other Tools + +| Purpose | Tool | +| ------------------ | -------------------- | +| Disk Analysis | Autopsy / Sleuth Kit | +| Malware Sandboxing | Cuckoo Sandbox | +| YARA Rule Scanning | YARA | +| Memory Imaging | WinPMem / LiME | +| Log Correlation | ELK / Timesketch | + +Volatility data integrates well with **Autopsy** (via case linking), enabling a full DFIR workflow: disk + memory + network. + +## Legal & Operational Best Practices + +* Capture memory **immediately** after isolating the system — delays can lose critical data. +* Always **hash memory dumps** before and after transfer to preserve integrity. +* Use **write-blockers** and **read-only mounts** when analyzing extracted files. +* Document every action (commands, timestamps, tool versions) for chain of custody. + +## Summary + +| Concept | Key Point | +| ----------- | ------------------------------------------------------------ | +| Tool | Volatility (memory forensics framework) | +| Input | RAM image (.raw, .vmem, .dmp, .lime) | +| Output | Processes, network, code injections, registry, user activity | +| Use Case | Malware investigation, IR, APT detection | +| Strength | Visibility into volatile, in-memory evidence | +| Skill Level | Intermediate to advanced (with practice) | + +Volatility gives unparalleled visibility into what was *actually happening* at runtime — information that disk forensics alone can’t provide. Mastering Volatility means you can reconstruct live attacks, identify stealthy implants, and make evidence-based decisions in your IR workflows. \ No newline at end of file diff --git a/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/nessus-basics.mdx b/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/nessus-basics.mdx index 0d399cd..b382366 100644 --- a/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/nessus-basics.mdx +++ b/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/nessus-basics.mdx @@ -1,3 +1,136 @@ -import ComingSoon from '@site/src/components/ComingSoon'; +--- +title: "Nessus Basics of Vulnerability Scanning" +description: "Learn the fundamentals of Nessus, a popular vulnerability scanner, including installation, basic scanning setup, interpreting scan results, and best practices for secure network assessment." +tags: [nessus, vulnerability-assessment, pentesting, cybersecurity-tools, network-security] +--- - \ No newline at end of file +**Nessus** is one of the most widely used vulnerability scanners in cybersecurity. Developed by Tenable, it helps security professionals and system administrators **discover vulnerabilities, misconfigurations, and compliance gaps** across systems, networks, and applications. + +This guide covers **installation, configuration, basic scanning, interpreting results, and best practices** for beginners and intermediate users. + +:::warning +Always scan only systems you **own** or have explicit permission to test. Unauthorized scanning can be illegal and unethical. +::: + +## Why Nessus Is Popular + +* Extensive vulnerability plugin library updated daily +* Supports compliance audits and configuration checks +* Easy-to-use web-based interface +* Generates detailed, customizable reports +* Integrates with SIEMs and other security tools for enterprise use + +Nessus is ideal for **network security assessments, vulnerability management programs, and penetration testing preparation**. + +## Installing Nessus + +Nessus can be installed on **Windows, Linux, and macOS**, and comes in multiple editions: **Nessus Essentials (free)**, **Professional**, and **Tenable.io** (cloud-based). + +### 1. Download Nessus +* Go to [Tenable Downloads](https://www.tenable.com/downloads/nessus) +* Select your platform and edition + +### 2. Install on Linux (Example: Ubuntu/Debian) +```bash +# Download .deb package +sudo dpkg -i Nessus--debian9_amd64.deb + +# Start Nessus service +sudo systemctl start nessusd +sudo systemctl enable nessusd +``` + +### 3. Access Web Interface + +* Open browser: `https://localhost:8834/` +* Create an account and follow registration for plugin updates + +:::tip +Nessus uses SSL; accept the self-signed certificate if prompted. +::: + +## Basic Workflow in Nessus + +### 1. Update Plugins + +* Plugins define the vulnerabilities Nessus can detect +* Navigate: **Settings → Software Update → Check for Updates** + +### 2. Create a Target + +* Go to **New Scan → Basic Network Scan** +* Enter: + + * Scan name (e.g., `Lab-VM Scan`) + * Target IP addresses or ranges (e.g., `192.168.1.100`) + * Optional: credentials for authenticated scans + +### 3. Configure Scan Options + +* Port scan: default or specify custom range +* Scan policy: use default for first scan or create a custom policy +* Schedule: immediate or recurring scans + +### 4. Launch Scan + +* Click **Save → Launch** +* Monitor progress in **My Scans** + +## Understanding Scan Results + +Nessus provides a **rich, categorized report**: + +| Severity | Description | +| -------- | --------------------------------------------------------------------------------- | +| Critical | Vulnerabilities that allow remote code execution or full compromise | +| High | Exploitable vulnerabilities with significant impact | +| Medium | Vulnerabilities that may expose sensitive information or allow partial compromise | +| Low | Minor weaknesses or misconfigurations | +| Info | Informational items or best practice recommendations | + +* Each finding includes: + + * CVE ID and description + * Affected host/service + * Evidence and proof of concept + * Recommended mitigation or patch instructions + +### Example: + +* **Vulnerability:** CVE-2023-12345 – OpenSSH outdated version +* **Impact:** Remote attackers may gain unauthorized access +* **Recommendation:** Upgrade OpenSSH to the latest stable version + +## Common Use Cases + +* **Network vulnerability assessment** – Scan IP ranges, routers, servers +* **Web application assessment** – Identify misconfigurations, SSL issues, weak ciphers +* **Compliance checks** – PCI-DSS, HIPAA, ISO standards verification +* **Patch management** – Identify missing patches and updates + +## Hands-On Labs + +### Lab 1: Scan a Local VM + +1. Set up a lab VM (Windows/Linux) +2. Add the VM IP as a target +3. Run a **Basic Network Scan** +4. Review and export the vulnerability report + +### Lab 2: Credentialed Scan + +* Configure SSH or Windows credentials for the target +* Run an authenticated scan to detect configuration issues and missing patches + +### Lab 3: Compliance Scan + +* Use a pre-defined policy (e.g., CIS Benchmarks) +* Review compliance report and note deviations\ + +## Best Practices + +* Only scan **authorized systems** to avoid legal issues +* Keep Nessus **plugins updated** regularly +* Use **credentialed scans** for more accurate results +* Segment scans to avoid overwhelming production networks +* Combine Nessus reports with **manual verification** for critical findings diff --git a/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/openvas-setup.mdx b/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/openvas-setup.mdx index 0d399cd..7b918d1 100644 --- a/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/openvas-setup.mdx +++ b/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/openvas-setup.mdx @@ -1,3 +1,161 @@ -import ComingSoon from '@site/src/components/ComingSoon'; +--- +title: "OpenVAS Setup & Configuration" +description: "Step-by-step guide to setting up OpenVAS (Greenbone Vulnerability Management) for vulnerability scanning, network assessment, and reporting. Covers installation, configuration, and initial scan setup." +tags: [openvas, vulnerability-assessment, pentesting, cybersecurity-tools, network-security] +--- - \ No newline at end of file +**OpenVAS** (Open Vulnerability Assessment System) — now part of **Greenbone Vulnerability Management (GVM)** — is a full-featured, open-source framework for scanning networks, hosts, and applications for known vulnerabilities. It allows security professionals and system administrators to identify security weaknesses, misconfigurations, and compliance gaps efficiently. + +This guide walks through **installation, configuration, and first scan setup**, with clear instructions and hands-on lab examples. + +:::warning + +Always scan only systems you **own** or have explicit permission to test. Unauthorized scanning can be illegal. + +::: + +## Why Use OpenVAS + +* Detect known vulnerabilities in hosts, networks, and services +* Schedule regular vulnerability scans to maintain security posture +* Generate comprehensive reports for IT teams and auditors +* Open-source and actively maintained by Greenbone +* Integrates with SIEMs or security dashboards for enterprise environments + +## Installing OpenVAS + +OpenVAS can be installed on **Linux** (Debian/Ubuntu/Kali) or run in a **Docker container**. + +### 1. Installing on Kali Linux (Recommended) +```bash +# Update repositories +sudo apt update && sudo apt upgrade -y + +# Install OpenVAS / GVM +sudo apt install -y gvm + +# Setup and initialize the database and feeds +sudo gvm-setup + +# Check installation status +sudo gvm-check-setup +``` + +:::note + +`gvm-setup` may take 20–30 minutes as it downloads the latest vulnerability feeds. + +::: + +### 2. Installing on Ubuntu/Debian + +```bash +sudo apt update && sudo apt install -y gvm +sudo gvm-setup +sudo gvm-check-setup +``` + +### 3. Running OpenVAS in Docker (Alternative) + +```bash +docker pull greenbone/gvm +docker run -d -p 8080:9392 --name openvas greenbone/gvm +``` + +* Access the web interface at `https://localhost:8080/` +* Default credentials are usually printed in container logs. Change immediately. + + +## Initial Configuration + +After installation: + +1. **Create Admin User** + +```bash +sudo gvm-manage-certs -a +sudo gvm-manage-certs -c +``` + +2. **Start Services** + +```bash +sudo gvm-start +``` + +3. **Access Web Interface** + +* Default: `https://127.0.0.1:9392/` +* Log in using the admin credentials from setup + +## Setting Up Your First Scan + +### 1. Add Target Host(s) + +* Go to **Configuration → Targets → New Target** +* Provide: + + * Name (e.g., `Lab-Server`) + * IP address or range + * Port range (default: `1-65535`) + +### 2. Configure Scan Task + +* Go to **Scans → Tasks → New Task** +* Name your task and select the target +* Select a **Scan Config** (e.g., Full and Fast, Discovery, or Custom) +* Assign schedule (optional for recurring scans) + +### 3. Launch Scan + +* Click **Start** next to your task +* Monitor progress and view logs in the **Tasks** section + +## Understanding Scan Results + +OpenVAS produces detailed vulnerability reports, including: + +* Vulnerability ID and severity (CVSS score) +* Description and affected service or application +* Steps to reproduce / test vulnerability +* Recommended mitigation or patching advice +* Export options: PDF, CSV, HTML, or XML + +> Use findings to prioritize patching and security hardening. + +## Common Scan Configurations + +| Scan Config | Description | +| ------------------ | -------------------------------------------------------------- | +| Full and Fast | Covers all known vulnerabilities but optimized for speed | +| Full and Very Deep | Maximum coverage; can be slower | +| Host Discovery | Detect live hosts without performing full vulnerability checks | +| Custom | Select specific plugins, ports, or scan types |d d d + +## Hands-On Lab Ideas + +### Lab 1: Scan a Local VM + +1. Spin up a lab VM (Ubuntu or Windows test machine) +2. Add the VM’s IP as a target +3. Run **Full and Fast** scan +4. Review the report for vulnerabilities like open ports, outdated packages, or weak configurations + +### Lab 2: Targeted Service Scan + +1. Scan only specific services (e.g., HTTP, SSH) +2. Use **Custom Scan Config** +3. Observe CVSS scores and prioritize patching + +### Lab 3: Scheduled Scans + +* Configure recurring scans to practice monitoring changes over time +* Compare results after patching or applying updates + +## Best Practices + +* Always scan **authorized targets** +* Keep vulnerability **feeds up to date** (`greenbone-nvt-sync`) +* Use **segmented test environments** to avoid impacting production +* Combine OpenVAS results with other tools (e.g., Nessus, Nmap, Metasploit) for comprehensive assessment +* Export reports regularly for documentation and auditing \ No newline at end of file diff --git a/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/vulnerability-scanning-tips.mdx b/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/vulnerability-scanning-tips.mdx index 0d399cd..1fdfe49 100644 --- a/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/vulnerability-scanning-tips.mdx +++ b/docs/cybersecurity/cybersecurity-tools/vulnerability-assessment/vulnerability-scanning-tips.mdx @@ -1,3 +1,105 @@ -import ComingSoon from '@site/src/components/ComingSoon'; +--- +title: "Vulnerability Scanning" +description: "Maximize the effectiveness of your vulnerability assessments with advanced tips on credentialed scanning, asset prioritization, impact mitigation, and effective remediation strategies." +tags: [vulnerability-assessment, vulnerability-scanning, cybersecurity-tools, risk-management, security-best-practices] +--- - \ No newline at end of file +Vulnerability scanning is more than just running a tool; it's a foundational security process. By following advanced best practices, you can ensure your scans are **accurate, comprehensive, and actionable**, leading to a stronger overall security posture. + +## 1. Meticulous Planning and Scoping + +Effective scanning begins with preparation. A clear scope prevents resource wastage and ensures regulatory compliance. + +### The Importance of Asset Inventory + +Before scanning, you must have a complete, current, and accurate **Asset Inventory**. Assets that are unmanaged (shadow IT) will be completely missed, creating dangerous blind spots. + +:::tip Automate Asset Discovery +Integrate your vulnerability scanner with an **Asset Management System (AMS)** or **Configuration Management Database (CMDB)**. This ensures that as soon as a new server or device joins the network, it is automatically added to the scan scope. +::: + +### Defining the Scanning Schedule + +While monthly or quarterly scans cover general risk, critical systems require more frequent attention. + +| Asset Type | Recommended Cadence | Rationale | +| :--- | :--- | :--- | +| **Internet-Facing Servers** | Weekly | Highest exposure; primary target for zero-day attacks. | +| **Internal Workstations** | Monthly | Account for user-installed software and configuration drift. | +| **New Deployments/Major Changes** | Immediate (Out-of-Band) | Ensure no new vulnerabilities are introduced into production. | + +:::caution Legal and Operational Sign-Off +Always obtain **written approval** from system owners and IT operations teams *before* scanning production environments. This confirms acceptance of potential, though unlikely, service disruption. +::: + +## 2. Choosing the Right Depth: Credentialed Scanning + +The single most impactful decision in vulnerability scanning is whether to use credentials. Credentialed scans offer a dramatically superior assessment. + +### Why Credentialed Scans are Essential + +A **non-credentialed (unauthenticated)** scan can only see what a network-based attacker sees: open ports and banner versions. A **credentialed (authenticated)** scan logs into the target system using least-privilege accounts (like a regular user, not an administrator) and performs local checks. + +This deeper access allows the scanner to: + +1. **Check Patch Status:** Accurately determine if the OS and installed applications are missing critical security updates. +2. **Verify Configuration:** Audit system settings against security benchmarks (e.g., CIS benchmarks). +3. **Detect Software Bloat:** Find outdated, unsupported, or unnecessary software (e.g., end-of-life Java versions) not exposed externally. + +| Scan Type | Visibility | Analogy | +| :--- | :--- | :--- | +| **Non-Credentialed** | External/Shallow | Checking if the house door is locked. | +| **Credentialed** | Internal/Deep | Checking every room for hidden weak spots and maintenance needs. | + +:::tip Use Least-Privilege Service Accounts +Create dedicated, non-interactive **service accounts** for scanning. These accounts should only have the minimum permissions required to perform local vulnerability checks, following the **Principle of Least Privilege (PoLP)**. Do not use domain administrator accounts. +::: + +## 3. Mitigating Network and System Impact + +Scanning large networks can stress older equipment or consume significant bandwidth. Smart configuration is key to preventing outages. + +### Configuration Controls + +* **Adjust Scan Throttling:** Most professional scanners allow you to limit the number of simultaneous network connections or the packets per second. Start with a lower, conservative setting and gradually increase it during testing. +* **Target Specific Ports:** For very sensitive systems, create a custom scan policy that only checks high-risk services (e.g., ports 80, 443, 22, 3389) instead of a full port scan, reducing noise and load. + +:::caution Scanning Legacy Systems +**Industrial Control Systems (ICS), SCADA systems, or legacy mainframes** are often highly sensitive to port scanning. Never scan these systems without prior authorization and specialized, vendor-approved policies, as a routine scan could cause an operational shutdown. +::: + +## 4. Prioritization and Effective Remediation + +Raw scan data is often overwhelming. The true value is converting data into an actionable **Remediation Plan**. + +### Risk-Based Prioritization + +Do not remediate based purely on the scanner's CVSS score (Critical, High, Medium). Implement **Risk-Based Prioritization** by considering these three factors: + +$$ +\text{Risk} = \text{Vulnerability Score} \times \text{Asset Criticality} \times \text{Threat Context} +$$ + +1. **Vulnerability Score (CVSS):** The severity of the flaw itself. +2. **Asset Criticality:** How important is the affected server? (e.g., a customer database is more critical than a test server). +3. **Threat Context (Exploitability):** Is the vulnerability actively being exploited in the wild (e.g., is there a **Proof-of-Concept (PoC)** available)? + +:::info Focus on the "Chokepoints" +Prioritize vulnerabilities that exist on systems accessible to many users or directly exposed to the internet. Fixing one flaw on a **gateway server** eliminates more risk than fixing a hundred flaws on isolated internal workstations. +::: + +### Verification and Reporting + +* **False Positive Management:** If a scanner reports a vulnerability you know is mitigated (e.g., a service is detected but blocked by a firewall), document the mitigation and mark the finding as an **Accepted Risk** or **False Positive**. +* **Verification Scans:** Always run a **verification scan** (or patch validation scan) against the affected assets shortly after remediation to confirm the fix was successful and that no new issues were introduced. + +## 5. Maintenance and Program Maturity + +A vulnerability program is a continuous cycle, not a one-time activity. + +* **Regular Plugin Updates:** Ensure your scanner's **plugins, feeds, or signature files** are updated *daily*. A scanner with outdated plugins cannot detect the newest, most dangerous vulnerabilities (Zero-Days). +* **Integrate into the CI/CD Pipeline:** For application security, integrate vulnerability scanning tools (like SAST/DAST) directly into your **Continuous Integration/Continuous Deployment (CI/CD)** pipeline. This finds code vulnerabilities *before* they ever reach production. + +:::tip Think of Scanning as Quality Assurance (QA) +Just as QA checks code functionality, vulnerability scanning checks security functionality. It’s an essential, non-negotiable step in the deployment process. +::: \ No newline at end of file