
Web Vulnerability Scanning

Let's do some web service vulnerability scanning!

We are going to go over many tools in this exercise.

- Nikto
- Wapiti
- Nmap
- Qualys SSL Labs
- Pentest-Tools.com Website Vulnerability Scanner
- Legion


Let's start with Nikto



Here you can see MANY findings on this host. The ones that stick out to me are the possibility of cross-site scripting (XSS), a publicly reachable root page that redirects to a login page, directories found with directory indexing enabled, and an admin login page!

Nikto wrote the scan straight into a file for me because of the output option I used (`-o`/`-output`, with `-Format` choosing between txt, csv, htm or xml).

Next, let's move to Wapiti

Wapiti also writes an HTML report for us (`-f html`, its default), so the findings can be opened in a browser.

Several vulnerabilities were found and presented in a nicely laid out report.

Now nmap’s time to shine

The syntax breakdown for this scan is:

- `-vv`: the verbosity flags. A single `-v` makes Nmap report more about the scan as it runs (hosts and ports as they are found); `-vv` raises the verbosity one step further.

- `--script=ssl-enum-ciphers`: runs the Nmap Scripting Engine (NSE) script `ssl-enum-ciphers` against every TLS-speaking port it finds. The script negotiates with the server repeatedly to list each SSL/TLS protocol version the server accepts and, for each version, the cipher suites it offers, then grades every suite (A down to F) and prints the weakest as "least strength". A cipher suite is the bundle of key exchange, authentication, bulk encryption and integrity algorithms a TLS connection uses.

- `-oN CYBERMEDICRULES.txt`: writes the results in Nmap's "normal" (human-readable) output format to the file `CYBERMEDICRULES.txt`; `-oX` would give XML and `-oA` all formats at once. Without a `-p` argument Nmap scans its default top 1000 ports, which include 443.


In the picture above you can see TLSv1.2 is being offered. TLSv1.2 is still acceptable when it is limited to AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) with forward-secret key exchange (ECDHE), but the protocol also permits options that TLSv1.3 removed outright: static RSA key exchange, CBC-mode suites with their padding-oracle history, SHA-1 based MACs, renegotiation and compression. That is why the per-suite grades nmap prints matter more than the version number, and why a server that can do TLSv1.3 should prefer it.

TLSv1.1 was also found in this scan. TLSv1.1 (together with TLSv1.0) was formally deprecated by RFC 8996 in 2021 and the major browsers dropped it in 2020. It has no AEAD suites at all, so every connection uses a CBC (or RC4/3DES) suite, its PRF is still built on MD5/SHA-1, and the CBC padding-oracle attacks such as Lucky Thirteen apply to it. Note that BEAST is a TLSv1.0 problem (TLSv1.1 introduced explicit per-record IVs precisely to fix it) and POODLE is an SSLv3 downgrade attack, so neither is the reason to retire TLSv1.1; the reason is that nothing it can offer is considered strong today. It should be disabled on this host.
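As an added example (not code from the original post, and not part of Nmap or the ssl-enum-ciphers script), here is a small POSIX shell script that reads the `-oN` file the scan above produces and pulls out what the syntax breakdown and the two TLS paragraphs above ask a reviewer to judge: which protocol versions were offered, which of them are deprecated, and which cipher suites nmap graded below A. The two scan outputs embedded in it are constructed samples laid out like nmap's `ssl-enum-ciphers` output, not real results, and the file name `CYBERMEDICRULES.txt` is only the one from the command above.

```shell
#!/bin/sh
# Added example, not code from the original post: read the normal-format (-oN)
# output that `nmap -vv --script=ssl-enum-ciphers -oN CYBERMEDICRULES.txt <host>`
# writes, and pull out what a reviewer flags first: protocol versions that are
# deprecated (SSLv2/SSLv3, TLS 1.0/1.1 per RFC 8996) and cipher suites that
# nmap graded below A. Both scans below are constructed samples in nmap's
# output layout, not real scan results.

SAMPLE_SCAN='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C'

# A host that only offers TLS 1.2 with AEAD suites and TLS 1.3 (nmap labels
# TLS 1.3 suites TLS_AKE_WITH_...). Constructed for contrast.
MODERN_SCAN='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A'

# Every protocol version the script enumerated, one per line.
# Version headers look like "|   TLSv1.2:" so the version is field 2.
tls_versions() {
    printf '%s\n' "$1" | awk '
        $1 == "|" && $2 ~ /^(SSLv[23]|TLSv1\.[0-3]):$/ { sub(/:$/, "", $2); print $2 }'
}

# Versions that should not be offered at all: SSLv2 (RFC 6176), SSLv3
# (RFC 7568), TLS 1.0 and TLS 1.1 (RFC 8996).
deprecated_versions() {
    tls_versions "$1" | awk '/^(SSLv[23]|TLSv1\.[01])$/'
}

# Cipher suites nmap graded below A, as "<version> <suite> <grade>".
# Suite lines look like "|       TLS_..._SHA (rsa 2048) - C": the grade is the
# last field and the "-" before it separates it from the key information.
weak_ciphers() {
    printf '%s\n' "$1" | awk '
        $1 == "|" && $2 ~ /^(SSLv[23]|TLSv1\.[0-3]):$/ { ver = $2; sub(/:$/, "", ver); next }
        $1 == "|" && $2 ~ /^TLS_/ && $(NF-1) == "-" && $NF != "A" { print ver, $2, $NF }'
}

# The overall grade nmap prints on its "|_  least strength:" line.
least_strength() {
    printf '%s\n' "$1" | awk '$1 == "|_" && $2 == "least" && $3 == "strength:" { print $NF }'
}

# PASS only if no deprecated version and no sub-A suite was offered.
tls_verdict() {
    if [ -n "$(deprecated_versions "$1")" ] || [ -n "$(weak_ciphers "$1")" ]; then
        echo FAIL
    else
        echo PASS
    fi
}

# Report on a real -oN file when one is given, otherwise on the built-in sample.
if [ -n "$1" ] && [ -r "$1" ]; then scan=$(cat "$1"); else scan=$SAMPLE_SCAN; fi
echo "versions offered:   $(tls_versions "$scan" | tr '\n' ' ')"
echo "deprecated:         $(deprecated_versions "$scan" | tr '\n' ' ')"
echo "sub-A suites:"
weak_ciphers "$scan" | sed 's/^/  /'
echo "least strength:     $(least_strength "$scan")"
echo "verdict:            $(tls_verdict "$scan")"
```

Run it with the `-oN` file as its only argument (the script name `tlscheck.sh` is assumed: `sh tlscheck.sh CYBERMEDICRULES.txt`) and it reports on that scan; with no argument it reports on the built-in sample and prints FAIL, because TLSv1.1 and a C-graded 3DES suite are offered. The checks key on the exact column layout nmap uses, so if a future nmap release changes the indentation or the grade suffix, the awk patterns are the lines to adjust.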

The next tool is a free online scanning tool focusing on SSL security

Qualys SSL Labs

SSL Server Test is an online tool that evaluates the security of the SSL/TLS configuration of a public web server. It grades the server from A+ to F, checks for known vulnerabilities such as Heartbleed, validates the certificate and its chain, tests the supported protocol versions and cipher suites, and simulates handshakes from common clients. The tool provides a detailed report with recommendations for improving the configuration, which makes it invaluable for web administrators and security professionals and a good teaching aid for understanding SSL/TLS security. https://www.ssllabs.com/

After that, let's take a look at a web-based vulnerability scanner that is free for up to 2 scans. It is called Pentest-Tools.com.

According to Pentest-Tools.com, the Website Vulnerability Scanner is part of their pentesting arsenal: a custom web application scanner that their team of security researchers and engineers developed from scratch, designed to be both powerful and easy to use so that it accommodates the needs of both security teams and application security professionals.

https://pentest-tools.com/webs...



This tool made it very easy to view the results and download them as a PDF.

And finally the tool legion!

Legion is an automated network penetration testing tool included in Kali Linux, designed for network discovery and vulnerability scanning. It offers a user-friendly graphical interface, integrating several third-party tools for comprehensive scanning and analysis. With features for automated and concurrent scanning, custom script execution, and detailed reporting, Legion simplifies the process of identifying vulnerabilities and potential attack vectors in network environments. It's aimed at both novice and experienced penetration testers, facilitating efficient security assessments and educational purposes in cybersecurity.

Here, you can see I have scanned a target. Many ports are open, with the service version and details on each port.


You can also filter the results by service.



This tool can do so much more. I have run it against targets while pentesting and it allowed me to directory brute force and password brute force, along with several other features.