Programs for scanning networks for vulnerabilities. Best Pen Tester Tools: Security Scanners. Basic principles of vulnerability scanners
Every member of the ][ team has their own preferences when it comes to software and utilities for pentesting. After comparing notes, we found that the choices differ so much that it is possible to put together a real gentleman's set of proven programs. That is what we decided to do. To avoid a hodgepodge, we split the whole list into topics. Today we touch on the holy of holies of any pentester: the vulnerability scanner.
Nessus
Website: www.nessus.org/plugins/index.php
Distribution: Free/Shareware
Platform: Win/*nix/Mac
If you haven't tried Nessus yet, you have at least heard of it. One of the best-known security scanners has a rich history: once an open-source project, the program is no longer distributed with its source code. Fortunately, a free version remained. At first it was cut off from updates to the vulnerability database and from new plugins, but later the developers relented and limited only the frequency of updates.
Plugins are the key feature of the application's architecture: no penetration test is hard-wired into the program; each one is formalized as a plugin. Plugins are grouped into 42 families: for a pentest you can enable individual plugins or all plugins of one family, for example to run all local checks on an Ubuntu system. Nothing stops you from writing your own tests either: for this purpose Nessus implements a dedicated scripting language, NASL (Nessus Attack Scripting Language), which other utilities later borrowed as well.
The developers achieved even more flexibility by separating the server part of the scanner, which performs all the work, from the client program, which is nothing more than a GUI. In the latest version, 4.2, the daemon opens a web server on port 8834; through it you can control the scanner from a convenient Flash interface with nothing but a browser. After installation the server starts automatically as soon as you enter an activation key, which you can request on the Nessus home site. However, to log in, both locally and remotely, you first have to create a user: on Windows this takes two mouse clicks in the GUI admin panel of Nessus Server Manager, which can also be used to start and stop the server.
Any penetration test begins with creating so-called Policies, the rules the scanner will follow during the scan. Here you choose the port scanning types (TCP Scan, UDP Scan, Syn Scan, etc.), the number of simultaneous connections and options specific to Nessus, such as Safe Checks. The latter enables safe scanning by deactivating plugins that may harm the scanned system. An important step in creating a policy is enabling the necessary plugins: you can activate whole families, say Default Unix Accounts, DNS, CISCO, Slackware Local Security Checks, Windows and so on. The choice of possible attacks and checks is huge! A distinctive feature of Nessus is its smart plugins. The scanner never judges a service by its port number alone. Moving a web server from the standard port 80 to, say, port 1234 will not fool Nessus: it detects the service anyway. If anonymous login is disabled on an FTP server and some plugins rely on it for their checks, the scanner will not run them, knowing they would be useless. If a plugin exploits a vulnerability in Postfix, Nessus will not waste time trying the test against Sendmail, and so on. Naturally, to run local checks on a system you must give the scanner Credentials (logins and passwords for access); this is the final part of the policy setup.
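The selection logic described above (service recognized by its banner rather than its port, plugins skipped when their prerequisites are not met, unsafe plugins blocked by Safe Checks, whole families enabled or disabled) can be modelled in a few dozen lines. The following is an added illustration, not Nessus code: the banner signatures, the plugin names and families, the "facts" vocabulary and the scan results are all constructed for the example.

```python
"""Toy model of how a plugin-based scanner decides which checks to run.

Added illustration, not Nessus code: the banner signatures, the plugin
list, the 'facts' vocabulary and the scan results below are all constructed
for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A service is recognised by what it says, not by the port it listens on.
SIGNATURES = [
    ("http", re.compile(r"^HTTP/1\.[01] \d{3}")),
    ("ssh", re.compile(r"^SSH-2\.0-")),
    ("smtp", re.compile(r"^220 .*\bE?SMTP\b", re.I)),
    ("ftp", re.compile(r"^220 .*FTP", re.I)),
]


def identify_service(banner: str) -> Optional[str]:
    """Name the service implied by a banner, or None if it is not recognised."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return None


@dataclass
class Plugin:
    name: str
    family: str          # plugin family, in the spirit of "FTP", "Web Servers"
    requires: Set[str]   # facts that must be known before the plugin is useful
    safe: bool = True    # False: may harm the target; blocked by Safe Checks
    note: str = ""


# Hypothetical plugin set (names and families invented for the example).
PLUGINS = [
    Plugin("ftp_anonymous_login", "FTP", {"service:ftp"}),
    Plugin("ftp_anon_writable_dir", "FTP", {"service:ftp", "ftp:anonymous"}),
    Plugin("http_methods", "Web Servers", {"service:http"}),
    Plugin("http_crash_long_request", "Web Servers", {"service:http"}, safe=False,
           note="sends an oversized request that can crash old daemons"),
    Plugin("smtp_vrfy_enabled", "SMTP problems", {"service:smtp"}),
]


def discover(scan_results: List[Tuple[int, str]]) -> Set[str]:
    """Turn (port, banner) pairs from a port scan into facts about the host."""
    facts: Set[str] = set()
    for port, banner in scan_results:
        service = identify_service(banner)
        if service:
            facts.add(f"service:{service}")
            facts.add(f"{service}:port:{port}")
    return facts


def select_plugins(facts: Set[str], safe_checks: bool = True,
                   families: Optional[Set[str]] = None):
    """Choose the plugins worth running for a host described by `facts`.

    A plugin whose prerequisites are not all known is skipped (no point in an
    anonymous-FTP test when anonymous access is not known to be enabled);
    with safe_checks on, plugins flagged unsafe are skipped as well; families
    restricts the run to the given plugin families, like enabling only the
    "FTP" family in a policy.
    """
    run, skipped = [], []
    for p in PLUGINS:
        if families and p.family not in families:
            continue
        missing = p.requires - facts
        if missing:
            skipped.append((p.name, "missing " + ",".join(sorted(missing))))
        elif safe_checks and not p.safe:
            skipped.append((p.name, "unsafe: " + p.note))
        else:
            run.append(p.name)
    return run, skipped


# Constructed scan: a web server moved to port 1234, an FTP server on 21.
SAMPLE_SCAN = [
    (1234, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\n"),
    (21, "220 (vsFTPd 2.3.4)"),
]

if __name__ == "__main__":
    facts = discover(SAMPLE_SCAN)
    run, skipped = select_plugins(facts, safe_checks=True)
    print("facts:", sorted(facts))
    print("run:", run)
    for name, why in skipped:
        print("skip:", name, "-", why)
```

In a real scanner the plugins themselves add facts as they run (Nessus keeps them in its knowledge base): a successful anonymous login would record `ftp:anonymous`, which in this model is exactly what unlocks the follow-up check on writable directories.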
OpenVAS
Website: www.openvas.org
Distribution: Freeware
Platform: Win/*nix/Mac
Although the Nessus source code has been closed, the Nessus 2 engine and some plugins are still distributed under the GPL as the OpenVAS project (OpenSource Vulnerability Assessment Scanner). The project now develops completely independently of its older brother and is making considerable progress: the latest stable version was released just before this issue went to press. Not surprisingly, OpenVAS also uses a client-server architecture in which all scanning is performed by the server part, which runs only on *nix. To get started you will need the openvas-scanner package and the openvas-libraries set. As a client for OpenVAS 3.0 only the *nix GUI program is available, but, as with previous versions, a Windows port will presumably appear soon. In any case, the easiest way is to use OpenVAS from the well-known BackTrack LiveCD (version 4), where it is already installed. All the main steps for getting started are placed in menu items: OpenVAS Make Cert (create the SSL certificate for access to the server), Add User (create a user for access to the server), NVT Sync (update plugins and vulnerability databases) and, finally, OpenVAS Server (start the server). After that all that remains is to launch the client and connect to the server to start the pentest.
The openness and extensibility of OpenVAS have allowed the program to be built up considerably. Besides plugins for security analysis proper, many well-known utilities are integrated: Nikto for finding vulnerable CGI scripts, nmap for port scanning and a sea of other things, ike-scan for detecting IPsec VPN nodes, amap for identifying services on ports by fingerprinting, ovaldi for supporting OVAL (a standard language for describing vulnerabilities) and many others.
XSpider 7
Website: www.ptsecurity.ru/xs7download.asp
Distribution: Shareware
Platform: Windows
The first lines of XSpider code were written on December 2, 1998, and in the 12 years since then this scanner has become known to every Russian information security specialist. In general, Positive Technologies is one of the few companies on the domestic information security market whose employees really know how to break something, rather than merely selling services nicely. The product was written not by programmers but by security specialists who know how and what needs to be checked. The result? A very high-quality product with only one, but very serious, drawback for us: XSpider is paid! For free, the developers offer a stripped-down demo version that lacks a number of checks, including the heuristic ones, as well as online updates of the vulnerability database. Moreover, the developers' efforts are now entirely directed at another product, the MaxPatrol information security monitoring system, which, alas, does not even have a demo.
But even with all the restrictions, XSpider is one of the most convenient and effective tools for analyzing the security of a network and of specific hosts. Scan settings, as with Nessus, are presented as a special set of rules, only here they are called profiles rather than Policies. Both general parameters of network analysis and scanner behaviour for specific protocols (SSH, LDAP, HTTP) are configured there. The type of daemon found on each port is determined not by the conventional port-number classification but by heuristic fingerprinting algorithms; the option is enabled with one click in the scan profile. The handling of RPC services (Windows and *nix) with full identification deserves a separate mention: thanks to it, vulnerabilities in various services and the detailed configuration of the computer as a whole can be identified. The password-weakness check implements optimized password guessing against practically all services that require authentication, helping to identify weak passwords. The scan result is presented as a convenient report, and for each potential vulnerability found a short description and an external link are provided for further details.
GFI LANguard
Website: www.gfi.com/lannetscan
Distribution: Freeware/Shareware
Platform: Windows
What I especially like about this product is the set of preinstalled scan profiles. Besides a full scan of a remote system, which implies all available types of checks (by the way, there is a special variant for slow connections, for example a slow VPN link to the States), there are many separate groups of checks. For example, you can quickly check tens of hosts for the Top 20 vulnerabilities compiled by the well-known security organisation SANS. You can also enable a search for machines with missing patches or service packs, select a profile for pentesting web applications, and so on. Moreover, besides profiles aimed directly at finding vulnerabilities, there are a number of auditing tools: a search for network shares, a smart port scanner (including for finding connections opened by malware), identification of computer configuration, etc. As a result, a lot of useful utilities coexist in one product.
GFI LANguard's constantly updated vulnerability database includes more than 15,000 records and allows you to scan very different systems (Windows, Mac OS, Linux), including those installed on virtual machines. The scanner automatically pulls updates for the database, which in turn are generated from BugTraq, SANS and other sources. You can, in fact, implement your own checks: for this you are provided with a special scripting language compatible with Python and VBScript (quite a combination!) and, for complete convenience, an editor with a debugger; you get a real IDE. Another unique feature of LANguard is its ability to determine that a machine is running in a virtual environment (for now VMware and Virtual PC are supported); this is one of the scanner's unique capabilities.
Retina Network Security Scanner
Website: www.eeye.com
Distribution: Shareware
Platform: Windows
The main disappointment with this legendary scanner hit me right after launch. The installer of the latest version grumbled that running Retina on Windows 7 or Windows Server 2008 R2 is not currently possible. Not very polite; I had to fire up a virtual machine, but I knew it would be worth it. Retina is one of the best scanners for identifying and analysing hosts on a local network. Physical and virtual servers, workstations and laptops, routers and hardware firewalls: Retina will present a complete list of devices connected to the network and display information about wireless networks. It will torment each of them in every possible way in search of the slightest hint of a vulnerability, and it does so very quickly. Scanning a class C local network takes approximately 15 minutes. Retina identifies vulnerabilities in the OS and applications, and potentially dangerous settings and parameters. As a result you get an overview of the network showing its potential weaknesses. The vulnerability database, according to the developers, is updated hourly, and information about a vulnerability is added to the database no later than 48 hours after it is first reported on Bugtraq. And the very fact that this is a product from the eEye factory is a guarantee of quality in its own right.
Microsoft Baseline Security Analyzer
Website: www.microsoft.com
Distribution: Freeware
Platform: Windows
What is it? Microsoft's security analyzer, which checks computers on the network for compliance with Microsoft's requirements, of which quite a few have accumulated. The most important criterion is, of course, that every system has the available updates installed. There is no need to remind anyone what Conficker did using the MS08-067 flaw, whose patch had been released two months before the epidemic. Besides missing patches, MBSA also detects some common configuration holes. Before scanning, the program downloads updates for its databases, so you can be sure that Microsoft Baseline Security Analyzer knows about the latest Windows updates. Based on the scan results (for a domain or an IP address range) a summary report is produced. This already visual report can be transferred onto a schematic network diagram that displays the scan results in Visio. A special connector is available on the program's website for this purpose: it draws the LAN nodes with symbols, fills in the objects' parameters, adding the scan information, and shows in the most convenient form what problems a particular computer has.
SAINT
Website: http://www.saintcorporation.com
Distribution: Shareware
Platform: *nix
You can target only two IP addresses with SAINT during the trial period; they are hard-wired into the key, which is sent to you by email. Not a step to the left, not a step to the right, but this product is definitely worth trying even with such draconian restrictions. The scanner is controlled through a web interface, which is not surprising: SAINT solutions are also sold as rack-mountable appliances (SAINTbox), and one has to keep up with fashion. Through the ascetic web interface you can very easily launch a test and draw on many years of experience in searching for potential vulnerabilities in a system. I will say more: one of the modules, SAINTexploit, allows you not only to detect but also to exploit a vulnerability! Take the notorious MS08-067 bug. If the scanner detects the unpatched hole and knows how to exploit it, then right next to the vulnerability's description it gives a link with the dear-to-the-heart word EXPLOIT. In one click you get a description of the exploit and, moreover, a Run Now button to launch it. Depending on the exploit, various parameters are then specified, for example the exact OS version on the remote host, the shell type and the port on which it will be launched. If exploitation of the target succeeds, the victim's IP address appears in the Connections tab of the SAINTexploit module, along with the choice of actions that became available as a result of running the exploit: working with files on the remote system, a command line, etc.! Imagine: a scanner that does the breaking itself! No wonder the product's slogan is "Examine. Expose. Exploit." The set of checks is very diverse, and in the latest, 7th, version a module for pentesting web applications and additional features for database analysis have appeared. Having designated a target through the web interface, you can monitor the scanner's actions in full detail, knowing exactly what it is doing and how at any given moment.
X-Scan
Website: http://www.xfocus.org
Distribution: Freeware
Platform: Windows
The latest version of this scanner was released back in 2007, which does not prevent you from using it now, thanks to its system of plugins and scripts written in NASL, the same language used in Nessus/OpenVAS. Finding and editing the existing scripts is easy: they are all located in the scripts folder. To start the scanner you specify the scan parameters through the menu Config -> Scan Parameter. The scan target can be a specific IP or a range of addresses, but in the latter case be morally prepared for a long test. The scanner, alas, is not the fastest. Speed drops in proportion to the number of enabled modules: the add-ons that check password strength for SSH/VNC/FTP are among the most voracious. Outwardly, X-Scan looks more like a homemade product created by someone for their own needs and then released to the public to swim freely. It might not have gained such popularity were it not for the support of Nessus scripts, enabled with the Nessus-Attack-Scripts module. On the other hand, one look at the scan report and all doubts about the scanner's usefulness fade into the background. It will not be drawn up according to one of the official information security standards, but it will definitely tell you a lot of new things about the network.
Rapid 7 NeXpose
Website: www.rapid7.com
Distribution: Freeware version
Platform: *nix/Win
Rapid7 is one of the fastest-growing information security companies in the world. It is the company that recently acquired the Metasploit Framework project, and NeXpose is its creation. The entry price for the commercial version is almost $3000, but for enthusiasts there is a Community version with somewhat reduced capabilities. This free version integrates easily with Metasploit (version 3.3.1 or later is required). The workflow is rather tricky: first NeXpose is started, then the Metasploit console (msfconsole), after which you can start and configure the scan with a number of commands (nexpose_connect, nexpose_scan, nexpose_discover, nexpose_dos and others). The nice part is that you can combine NeXpose functionality with other Metasploit modules. The simplest but effective example: find computers with a certain vulnerability and immediately exploit it with the corresponding Metasploit module; we get auto-rooting at a new level of quality.
WARNING
Pentesting servers and resources without the owner's consent is a criminal offence. The author and the editors bear no responsibility if the knowledge acquired here is used for illegal purposes.
As you can see, there have been many of them, and all of them are very dangerous for the systems exposed to them. It is important not only to update your system in time to protect it against new vulnerabilities, but also to make sure that it does not contain long-fixed vulnerabilities that attackers can still exploit.
This is where Linux vulnerability scanners come to the rescue. Vulnerability analysis tools are one of the most important components of every company's security system, and checking applications and systems for old vulnerabilities is mandatory practice. In this article we look at the best open-source vulnerability scanners that you can use to find vulnerabilities in your systems and programs. All of them are free and can be used both by ordinary users and in the corporate sector.
1. OpenVAS
OpenVAS, the Open Vulnerability Assessment System, is a complete platform for finding vulnerabilities, distributed as open source. The program is based on the source code of the Nessus scanner: Nessus was originally open source, but when its developers decided to close the code, OpenVAS was forked from the last open version in 2005.
The program consists of a server and a client part. The server, which does the main work of scanning systems, runs only on Linux; the client programs also support Windows, and the server can be accessed through a web interface.
The scanner's core contains more than 36,000 different vulnerability checks and is updated daily with newly discovered ones. The program can detect vulnerabilities in running services and also look for misconfigurations, for example a lack of authentication or very weak passwords.
2. Nexpose Community Edition
This is another free Linux vulnerability scanner, developed by Rapid7, the same company that released Metasploit (the Community Edition is free to use, although, unlike the other tools here, the product itself is not open source). The scanner can detect up to 68,000 known vulnerabilities and perform more than 160,000 network checks.
The Community version is completely free, but it is limited to scanning up to 32 IP addresses at a time and a single user. The license also has to be renewed every year. There is no web application scanning, but it does support automatic updating of the vulnerability database and receiving vulnerability information from Microsoft Patch Tuesday.
The program can be installed not only on Linux but also on Windows, and it is managed through a web interface, where you set the scan parameters, IP addresses and other necessary information.
After the scan completes you will see a list of vulnerabilities, along with information about the installed software and the server's operating system. You can also create and export reports.
3. Burp Suite Free Edition
Burp Suite is a web vulnerability scanner written in Java. The program consists of a proxy server, a spider, a tool for crafting and replaying individual requests (Repeater) and a tool for automated, customizable attacks (Intruder).
With Burp you can audit web applications. For example, with the proxy you can intercept and inspect passing traffic and modify it if necessary, which lets you simulate many situations. The spider helps map the application and find web vulnerabilities, and Intruder lets you send large numbers of crafted requests automatically, for example to fuzz parameters or to see how the server holds up under a flood of requests.
4. Arachni
Arachni is a full-featured, open-source web application testing framework written in Ruby. It allows you to evaluate the security of web applications and sites by performing various penetration tests.
The program supports authenticated scanning, custom headers, User-Agent spoofing and 404 page detection. It has both a web interface and a command-line interface, a scan can be paused and resumed, and in general everything works very quickly.
5. OWASP Zed Attack Proxy (ZAP)
OWASP Zed Attack Proxy is another comprehensive tool for finding vulnerabilities in web applications. All the standard features for this type of program are supported: you can scan ports, crawl the site structure, look for many known vulnerabilities, and check whether repeated requests or malformed data are handled correctly.
The program works over HTTPS and supports various proxies. Since it is written in Java, it is easy to install and use. Beyond the basic features there is a large number of add-ons that greatly extend its functionality.
6. Clair
Clair is a tool for finding Linux vulnerabilities in containers. It maintains a list of vulnerabilities that can be dangerous for containers and warns the user if such vulnerabilities are found in your images. It can also send notifications when new vulnerabilities appear that could make existing containers unsafe.
Each container image is checked once, and it does not need to be running to be checked: the program extracts all the necessary data from a stopped image. This data is cached so that notifications about vulnerabilities discovered later can be issued.
7. Powerfuzzer
Powerfuzzer is a full-featured, automated and highly customizable web crawler and fuzzer that lets you test how a web application responds to invalid data and repeated requests. The tool supports only HTTP and can detect vulnerabilities such as XSS, SQL injection, LDAP injection, CRLF injection and XPath injection. It also tracks 500 errors, which can indicate a misconfiguration or even a danger such as a buffer overflow.
8. Nmap
Nmap is not exactly a vulnerability scanner for Linux. The program lets you scan a network, find out which hosts are connected to it and determine which services are running on them. This does not give comprehensive information about vulnerabilities, but you can infer which software may be vulnerable or try weak passwords. It can also run special scripts (NSE) that identify particular vulnerabilities in particular software.
Conclusions
In this article we have reviewed the best Linux vulnerability scanners; they help keep your system and applications secure. We looked at programs that scan the operating system itself as well as web applications and sites.
I introduced you in detail to the various types of vulnerabilities; now it's time to get acquainted with scanners for these vulnerabilities.
Vulnerability scanners are software or hardware tools for diagnosing and monitoring networked computers; they scan networks, computers and applications to detect possible security problems and to assess and eliminate vulnerabilities.
Vulnerability scanners let you check the applications on your system for holes that attackers could exploit. Low-level tools, such as a port scanner, can also be used to identify and analyse the applications and protocols running on a system.
Thus, scanners address the following tasks:
- identification and analysis of vulnerabilities;
- inventory of resources such as operating system, software and network devices;
- generation of reports containing a description of vulnerabilities and options for their elimination.
How does this work?
Vulnerability scanners use two main mechanisms.
The first, probing, is not very fast but accurate. It is an active analysis mechanism that launches simulated attacks and thereby tests for the vulnerability. Probing uses attack techniques that confirm the presence of vulnerabilities and can detect previously unnoticed flaws.
The second, scanning, is faster but gives less accurate results. It is a passive analysis in which the scanner looks for a vulnerability without confirming its presence, relying on indirect signs. Scanning determines the open ports and collects the associated banners, which are then compared with a table of rules for identifying network devices, operating systems and possible holes. Based on the comparison, the scanner reports the presence or absence of a vulnerability.
Most modern network security scanners work on the following principles:
- collecting information about the network, identifying all active devices and the services running on them;
- detecting potential vulnerabilities;
- confirming selected vulnerabilities, for which specific techniques are used and attacks are simulated;
- generating reports;
- automatically eliminating vulnerabilities. This stage is not always implemented in network security scanners, but is often found in system scanners.
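The difference between the two mechanisms is easiest to see when both are pointed at the same target. The following added example (not code from any scanner) starts a tiny fake FTP daemon on 127.0.0.1 whose banner, replies and anonymous-login setting are constructed for the demonstration, then runs a passive banner check (banner looked up in a rule table, result can only be "possible") and an active probe (the anonymous login is actually attempted, result is "confirmed" or "not present") against it. The banner, the rule table and the daemon name toyftpd are all assumptions of the example.

```python
"""Banner check versus active probe, run against an in-process fake FTP daemon.

Added example, not taken from any scanner: the daemon, its banner and the
rule table are constructed so the code runs offline on 127.0.0.1.
"""
import socket
import threading
from typing import Dict, List, Tuple

BANNER = b"220 (toyftpd 2.3.4)\r\n"

# Passive rule table: banner text -> what it is taken to imply.  Constructed
# for the example; a real scanner compares against a much larger table.
RULES: Dict[str, str] = {
    "toyftpd 2.3.4": "anonymous FTP login enabled by default (constructed rule)",
}


class FakeFtpServer(threading.Thread):
    """Just enough FTP to answer USER/PASS/QUIT; used as the scan target."""

    def __init__(self, allow_anonymous: bool):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))          # ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                self._serve(conn)
            except OSError:
                pass
            finally:
                conn.close()

    def _serve(self, conn):
        conn.sendall(BANNER)
        user = ""
        reader = conn.makefile("rb")
        for raw in reader:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                conn.sendall(b"331 Please specify the password.\r\n")
            elif verb == "PASS":
                ok = self.allow_anonymous and user in ("anonymous", "ftp")
                conn.sendall(b"230 Login successful.\r\n" if ok
                             else b"530 Login incorrect.\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                return
            else:
                conn.sendall(b"500 Unknown command.\r\n")


def banner_check(host: str, port: int) -> Tuple[str, List[Tuple[str, str]]]:
    """Passive mechanism: read the banner and look it up.  Nothing is verified
    on the target, so every hit is only 'possible'."""
    with socket.create_connection((host, port), timeout=3) as s:
        banner = s.recv(256).decode(errors="replace").strip()
    hits = [("possible", text) for key, text in RULES.items() if key in banner]
    return banner, hits


def probe_anonymous_ftp(host: str, port: int) -> bool:
    """Active mechanism: actually attempt the anonymous login."""
    with socket.create_connection((host, port), timeout=3) as s:
        reader = s.makefile("rb")
        reader.readline()                                  # banner
        s.sendall(b"USER anonymous\r\n")
        reader.readline()                                  # 331
        s.sendall(b"PASS scanner@example.invalid\r\n")
        reply = reader.readline().decode(errors="replace")
        s.sendall(b"QUIT\r\n")
    return reply.startswith("230")


def assess(host: str, port: int) -> Dict[str, object]:
    """Combine both mechanisms into one finding for the host."""
    banner, hits = banner_check(host, port)
    confirmed = probe_anonymous_ftp(host, port)
    return {"banner": banner, "banner_check": hits,
            "probe": "confirmed" if confirmed else "not present"}


if __name__ == "__main__":
    # Two constructed targets with the same banner but different settings.
    for allow in (True, False):
        target = FakeFtpServer(allow_anonymous=allow)
        target.start()
        print(f"anonymous allowed on target: {allow} ->",
              assess("127.0.0.1", target.port))
```

Both targets return the identical banner, so the passive check reports the same "possible" finding for each; only the probe tells the hardened daemon apart from the open one. That is the accuracy gap the text describes, and also why the probe is the slower and riskier of the two: it performs a real login attempt that shows up in the target's logs.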
The best vulnerability scanners
Now let's look at the most relevant scanners that top the expert ratings.
Nessus
The project was launched back in 1998, and in 2005 the developer, Tenable Network Security, made the scanner commercial and closed its source. A regularly updated vulnerability database, easy installation and use and a high level of accuracy are its advantages over competitors, and the key feature is the use of plugins: no penetration test is hard-wired into the program; each is implemented as a plugin. Plugins are grouped into 42 families, and for a pentest you can enable individual plugins or all plugins of one family, for example to run all local checks on an Ubuntu system. An interesting point is that users can write their own tests in a dedicated scripting language.
Nessus is an excellent vulnerability scanner, but it has two drawbacks. First, if the Safe Checks option is disabled, some vulnerability tests may disrupt the operation of the scanned systems. Second, the price: an annual license can cost 114 thousand rubles.
Symantec Security Check
A free online scanner from Symantec. Its main functions are detecting viruses, Trojans, Internet worms and other malware and searching for vulnerabilities on the local network. It is an online product consisting of two parts: Security Scan, which checks the security of the system, and Virus Detection, which performs a full virus check of the computer. It installs quickly and easily and works through a browser. According to recent reviews, this scanner is best used as a supplementary check.
XSpider
XSpider, according to its developer, can identify a third of tomorrow's vulnerabilities. The key feature of this scanner is its ability to detect the maximum number of flaws in the network before hackers see them. The scanner works remotely, without requiring the installation of additional software. After running, it sends the security specialist a full report and advice on how to close the holes. A license for this scanner starts from 11 thousand rubles for four hosts per year.
QualysGuard
A multifunctional vulnerability scanner. It provides extensive reports that include:
- assessing the level of criticality of vulnerabilities;
- estimation of the time required to eliminate them;
- checking the extent of their impact on the business;
- analysis of trends in the field of security problems.
QualysGuard's cloud platform and built-in suite of applications let enterprises simplify their security process and reduce compliance costs while providing important security information and automating the whole range of auditing, control and protection tasks for IT systems and web applications. With this software you can scan corporate websites and receive automated alerts and reports to identify and eliminate threats in time.
Rapid 7 NeXpose
Rapid7 is one of the fastest-growing information security companies in the world. It is the company that recently acquired the Metasploit Framework project, and NeXpose is its creation. The entry price for the commercial version is almost $3000, but for enthusiasts there is a Community version with somewhat reduced capabilities. This free version integrates easily with Metasploit. The workflow is rather tricky: first NeXpose is started, then the Metasploit console (msfconsole), after which you can start and configure the scan with a number of commands (nexpose_connect, nexpose_scan, nexpose_discover, nexpose_dos and others). You can combine NeXpose functionality with other Metasploit modules.
X-Scan
Outwardly, X-Scan looks more like a homemade product created by someone for their own needs and released into the public domain to swim freely. It might not have gained such popularity were it not for the support of Nessus scripts, enabled with the Nessus-Attack-Scripts module. On the other hand, one look at the scan report and all doubts about the scanner's usefulness fade into the background. It will not be drawn up according to one of the official information security standards, but it will definitely tell you a lot of new things about the network.
Vulnerability scanning is the process of checking individual hosts or networks for potential threats.
The need to check security arises quite often, especially for large organisations that hold valuable information that attackers may want.
Administrators of small networks should not neglect such scanning either, especially since in 2017 hundreds of thousands of computers were hit by serious hacker attacks.
Using vulnerability scanners
Information security specialists use appropriate software to scan networks for weaknesses in their defences.
Such programs are called vulnerability scanners.
They work by examining the running applications and looking for so-called holes that outsiders could use to gain access to important information.
Proper use of programs that detect network vulnerabilities allows IT specialists to avoid problems with stolen passwords and to solve the following tasks:
- searching for malicious code that has entered your computer;
- inventory of software and other system resources;
- creating reports containing information about vulnerabilities and ways to eliminate them.
The main advantage of the second, active, approach is not only confirming the problems a simple scan can detect but also finding problems that a passive technique cannot. The check is performed with three mechanisms: header (banner) checking, active probing checks and attack simulation.
Checking Headers
The mechanism, known in English as a "banner check", consists of a number of scans and makes it possible to draw certain conclusions from the data that the scanned service returns in response to the scanner's request.
An example of such a check is reading the banner returned by the Sendmail application, which reveals the software version and lets the scanner infer the presence or absence of problems.
The technique is considered the simplest and fastest, but has a number of disadvantages:
- Not very high verification efficiency. Moreover, attackers can change the header information, removing version numbers and other information that is used by the scanner to obtain conclusions. On the one hand, the probability of such a change is not too high, on the other hand, it should not be neglected.
- Inability to accurately determine whether the data contained in the header constitutes evidence of a vulnerability. First of all, this applies to programs distributed with their source code. When their vulnerabilities are fixed, the version numbers in the headers have to be changed manually, and sometimes developers simply forget to do this.
- The possibility of a vulnerability reappearing in later versions of a program, even after it was eliminated in earlier ones.
Meanwhile, despite certain disadvantages and the lack of a guarantee of detecting “holes” in the system, the process of checking headers can be called not only the first, but also one of the main stages of scanning. Moreover, its use does not disrupt the operation of either services or network nodes.
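The header-check logic described above, written out as an added example (this is not code from the original article or from any of the scanners it names). It parses constructed banners, compares the extracted version against a constructed advisory table with placeholder identifiers, and, as the disadvantages listed above require, refuses to guess when the version has been stripped and marks an old version only as "potential", since a fix may have been backported without the banner changing.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed advisory table for illustration only (not real advisory data):
# product -> list of (first fixed version, placeholder advisory id).
ADVISORIES = {
    "OpenSSH": [((7, 4), "ADVISORY-PLACEHOLDER-A")],
    "Sendmail": [((8, 15, 2), "ADVISORY-PLACEHOLDER-B")],
}

# Product name to look for in a banner, and the regex that extracts its version.
PRODUCTS = {
    "OpenSSH": re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)"),
    "Sendmail": re.compile(r"Sendmail (\d+(?:\.\d+)*)"),
}


@dataclass
class Finding:
    host: str
    product: Optional[str]
    version: Optional[str]
    status: str            # potential | not_affected | unknown | unrecognized
    advisory: Optional[str]
    note: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.14.4' -> (8, 14, 4); tuples compare correctly component by component."""
    return tuple(int(p) for p in text.split("."))


def check_banner(host: str, banner: str) -> Finding:
    """Header (banner) check: infer product and version from the greeting a
    service sends, then compare the version against the advisory table."""
    product = next((p for p in PRODUCTS if p in banner), None)
    if product is None:
        return Finding(host, None, None, "unrecognized", None,
                       "banner does not name a known product")
    m = PRODUCTS[product].search(banner)
    if m is None:
        # The banner names the product but the version was stripped or altered.
        # A banner check cannot decide here, so it must not guess.
        return Finding(host, product, None, "unknown", None,
                       "version absent from banner; needs active probing")
    version_text = m.group(1)
    version = parse_version(version_text)
    for fixed_in, advisory in ADVISORIES.get(product, []):
        if version < fixed_in:
            # Version predates the fix. Only "potential": vendors often backport
            # fixes without bumping the version shown in the banner.
            return Finding(host, product, version_text, "potential", advisory,
                           "version predates fix; confirm before reporting")
    return Finding(host, product, version_text, "not_affected", None,
                   "version at or above all known fixed versions")


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    ("10.0.0.1", "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"),
    ("10.0.0.2", "SSH-2.0-OpenSSH_8.9"),
    ("10.0.0.3", "SSH-2.0-OpenSSH"),                      # version stripped
    ("10.0.0.4", "220 mail.example ESMTP Sendmail 8.14.4/8.14.4; Mon, 1 Jan 2024"),
    ("10.0.0.5", "220 mail.example ESMTP ready"),         # product not named
]


def scan_banners(samples=SAMPLE_BANNERS):
    return [check_banner(host, banner) for host, banner in samples]


if __name__ == "__main__":
    for f in scan_banners():
        print(f"{f.host:10} {f.product or '-':9} {f.version or '-':7} {f.status:13} {f.note}")
```

The four statuses map onto the caveats in the text: "potential" is the only positive result a banner check can honestly give, and "unknown" is what a stripped banner should produce rather than a silent pass.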
Active probe checks
The technique, also known as “active probing check”, is based not on header checks, but on the analysis and comparison of digital “imprints” of programs with information about already known vulnerabilities.
The principle of its operation somewhat resembles an antivirus algorithm that compares scanned fragments with virus databases.
The same group of techniques also includes checking the creation date of the software being scanned or checksums, which allows you to verify the authenticity and integrity of the programs.
To store information about vulnerabilities, specialized databases are used, which also contain information that allows you to eliminate the problem and reduce the risk of unauthorized access to the network.
This information is sometimes used both by security analysis systems and by software whose task is to detect attacks. In general, the active probing technique, used by large companies like ISS, works much faster than other methods, although it is more difficult to implement than header checking.
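An added example of the "digital imprint" comparison described in this section (not code from the original article or from any named scanner). Instead of trusting what a banner says, it hashes the installed binaries and looks the digests up in a constructed fingerprint database of known builds; this is how a scanner can tell a patched build from an unpatched one even when both report the same version. All file contents and build labels are constructed stand-ins, not real binaries.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the bytes of known builds (not real executables).
BUILD_BYTES = {
    ("sshd", "7.2p2-unpatched"): b"sshd-build-7.2p2-unpatched",
    ("sshd", "7.2p2-backport-fix"): b"sshd-build-7.2p2-with-backported-fix",
    ("sendmail", "8.14.4"): b"sendmail-build-8.14.4",
}

# Fingerprint database: digest -> (product, build label, fix applied?).
# Constructed for illustration; a real one would come from the vendor or
# a trusted build pipeline.
FINGERPRINTS = {
    sha256_hex(BUILD_BYTES[("sshd", "7.2p2-unpatched")]): ("sshd", "7.2p2-unpatched", False),
    sha256_hex(BUILD_BYTES[("sshd", "7.2p2-backport-fix")]): ("sshd", "7.2p2-backport-fix", True),
    sha256_hex(BUILD_BYTES[("sendmail", "8.14.4")]): ("sendmail", "8.14.4", False),
}


@dataclass
class ProbeResult:
    path: str
    digest: str
    product: Optional[str]
    build: Optional[str]
    status: str   # patched | vulnerable | unknown_build


def probe_file(path: str, contents: bytes) -> ProbeResult:
    """Active probing check: identify the installed build by its digest."""
    digest = sha256_hex(contents)
    match = FINGERPRINTS.get(digest)
    if match is None:
        # Locally compiled or unlisted software: no verdict without manual review.
        return ProbeResult(path, digest, None, None, "unknown_build")
    product, build, fixed = match
    return ProbeResult(path, digest, product, build, "patched" if fixed else "vulnerable")


# Constructed host snapshot. The sshd banner on this host would still say
# 7.2p2, but the bytes match the build carrying the backported fix, so a
# banner check alone would have produced a false positive here.
HOST_SNAPSHOT = {
    "/usr/sbin/sshd": BUILD_BYTES[("sshd", "7.2p2-backport-fix")],
    "/usr/sbin/sendmail": BUILD_BYTES[("sendmail", "8.14.4")],
    "/usr/sbin/customd": b"locally-compiled-daemon",
}


def probe_host(snapshot: Dict[str, bytes] = HOST_SNAPSHOT) -> Dict[str, ProbeResult]:
    return {path: probe_file(path, data) for path, data in snapshot.items()}


if __name__ == "__main__":
    for path, r in probe_host().items():
        print(f"{path:22} {r.status:14} {r.product or '-'} {r.build or '-'}")
```

The same digest comparison also serves the integrity use mentioned in the text: a file whose digest matches no known build is either modified or unlisted, and in both cases the scanner should report it for review rather than stay silent.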
Simulated attacks
Another method, called "exploit check" in English, can be translated as "simulated attacks".
The check performed with its help is also one of the probing options and is based on searching for program defects by exploiting them.
The technique has the following features:
- some security holes cannot be detected until a real attack is simulated against suspicious services and nodes;
- scanner programs check software headers during a fake attack;
- When scanning data, vulnerabilities are detected much faster than under normal conditions;
- by simulating attacks, you can find more vulnerabilities (if they existed initially) than using the two previous methods - and the detection speed is quite high, but using this method is not always advisable;
- situations that do not allow launching “imitation attacks” are divided into two groups - the threat of problems with the maintenance of the software being tested or the fundamental impossibility of attacking the system.
It is undesirable to use the technique if the objects of inspection are protected servers with valuable information.
An attack on such computers can lead to serious data losses and failure of important network elements, and the costs of restoring functionality may be too serious, even taking into account.
In this case, it is advisable to use other verification methods - for example, active probing or header checking.
Meanwhile, the list of vulnerabilities also includes those that cannot be detected without attempting to simulate attacks; these include, for example, susceptibility to Packet Storm attacks.
By default, such verification methods are disabled in the system.
The user will have to enable them independently.
Scanner programs that use the third method of scanning for vulnerabilities include systems like Internet Scanner and CyberCop Scanner. In the first application, such checks are grouped in a separate "Denial of service" category. When any function from this list is used, the program warns of the risk of failure or reboot of the scanned node and states that responsibility for starting the scan lies with the user.
Main stages of vulnerability checking
Most programs that scan for vulnerabilities work like this:
1. Collect all the necessary information about the network, first identifying all active devices in the system and the software running on them. If the analysis is carried out only at the level of one PC with the scanner already installed on it, this step is skipped.
2. Try to find potential vulnerabilities, using special databases to compare the information received with already known types of security holes. The comparison is performed using active probing or header checking.
3. Confirm the vulnerabilities found using special techniques: imitating a certain type of attack that can prove the presence or absence of a threat.
4. Generate reports based on the information collected during scanning, describing the vulnerabilities.
The final scanning stage is automatic correction or attempting to troubleshoot problems. This feature is available in almost every system scanner, and is missing from most network vulnerability scanning applications.
Differences in the work of different programs
Some scanners classify vulnerabilities.
For example, the NetSonar system divides them into network ones, which can affect routers and are therefore more serious, and local ones, affecting workstations.
Internet Scanner divides threats into three levels - low, high and medium.
These two scanners have several other differences.
With their help, reports are not only created but also divided into several groups, each intended for a particular audience, up to the managers of the organization.
Moreover, the former receive the maximum amount of figures, while management gets well-designed graphs and diagrams with few details.
The reports generated by the scanners contain recommendations for eliminating the vulnerabilities found.
Most of this information is contained in the output of Internet Scanner, which issues step-by-step instructions for solving the problem, taking into account the characteristics of different operating systems.
The troubleshooting mechanism is also implemented differently in scanners. So, in the System Scanner there is a special script for this, launched by the administrator to solve the problem. At the same time, a second algorithm is being created that can correct the changes made if the first one led to deterioration in performance or failure of individual nodes. In most other scanner programs there is no option to revert changes back.
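The four scanning stages, the policy that keeps simulated attacks off unless the administrator enables them, the rule that protected servers are not attacked, and the two report views (detailed for administrators, a summary for management) described in the last two sections, put together in one added example. This is not code from the article or from NetSonar, Internet Scanner or System Scanner; the inventory, the issue identifiers and the confirmation oracle are constructed placeholders, and the oracle merely stands in for a scanner's own confirmation module.

```python
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional

# Stage 1 output: a constructed inventory standing in for discovery results.
INVENTORY = [
    {"host": "10.0.0.1", "role": "workstation", "protected": False,
     "services": [("ssh", "7.2")]},
    {"host": "10.0.0.2", "role": "router", "protected": False,
     "services": [("snmp", "1.0")]},
    {"host": "10.0.0.3", "role": "mail server", "protected": True,
     "services": [("smtp", "8.14.4")]},
]

# Stage 2 knowledge base: (service, version) -> (issue id, severity, scope).
# Placeholder identifiers, not real advisories.
KNOWN_ISSUES = {
    ("ssh", "7.2"): ("ISSUE-PLACEHOLDER-1", "medium", "local"),
    ("snmp", "1.0"): ("ISSUE-PLACEHOLDER-2", "high", "network"),
    ("smtp", "8.14.4"): ("ISSUE-PLACEHOLDER-3", "high", "network"),
}


@dataclass
class Finding:
    host: str
    service: str
    issue: str
    severity: str              # low | medium | high
    scope: str                 # network (routers) | local (workstations)
    state: str = "potential"   # potential | confirmed | not_present
    note: str = ""


@dataclass
class ScanPolicy:
    # Simulated attacks stay disabled until the administrator turns them on.
    exploit_checks: bool = False


def stage_find_potential(inventory) -> List[Finding]:
    """Stage 2: match the inventory against the knowledge base."""
    findings = []
    for entry in inventory:
        for service, version in entry["services"]:
            hit = KNOWN_ISSUES.get((service, version))
            if hit:
                issue, severity, scope = hit
                findings.append(Finding(entry["host"], service, issue, severity, scope))
    return findings


def stage_confirm(findings, inventory, policy: ScanPolicy,
                  confirm_fn: Callable[[Finding], bool]) -> List[Finding]:
    """Stage 3: confirm only where policy allows, and never on protected hosts."""
    protected = {e["host"] for e in inventory if e["protected"]}
    for f in findings:
        if not policy.exploit_checks:
            f.note = "confirmation disabled by policy"
        elif f.host in protected:
            f.note = "protected host: confirmation skipped, verify by other means"
        else:
            f.state = "confirmed" if confirm_fn(f) else "not_present"
    return findings


def stage_report(findings) -> Dict:
    """Stage 4: a detailed view for administrators, a summary for management."""
    open_findings = [f for f in findings if f.state != "not_present"]
    by_severity = {"high": 0, "medium": 0, "low": 0}
    for f in open_findings:
        by_severity[f.severity] += 1
    return {
        "technical": [asdict(f) for f in open_findings],
        "management": {
            "open": len(open_findings),
            "by_severity": by_severity,
            "network_scope": sum(f.scope == "network" for f in open_findings),
        },
    }


def run_scan(policy: Optional[ScanPolicy] = None,
             confirm_fn: Optional[Callable[[Finding], bool]] = None,
             inventory=INVENTORY) -> Dict:
    policy = policy or ScanPolicy()
    if confirm_fn is None:
        # Constructed oracle: treats only ISSUE-PLACEHOLDER-1 as a false positive.
        confirm_fn = lambda f: f.issue != "ISSUE-PLACEHOLDER-1"
    findings = stage_find_potential(inventory)
    stage_confirm(findings, inventory, policy, confirm_fn)
    return stage_report(findings)


if __name__ == "__main__":
    print(run_scan()["management"])
    print(run_scan(ScanPolicy(exploit_checks=True))["management"])
```

With the default policy every finding stays "potential" and is reported as such; enabling confirmation removes the false positive on the workstation, confirms the router issue, and leaves the protected mail server's finding unconfirmed with a note saying why, which is the behaviour the text asks for when attacking a host would be too risky.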
Administrator actions to detect vulnerabilities
To find security holes, the administrator can use three algorithms.
The first and most popular option is checking the network only for potential vulnerabilities. It allows you to preview the system data without disturbing the operation of the nodes and provides maximum analysis speed.
The second option is scanning to check and confirm vulnerabilities. The technique takes more time and can cause malfunctions in the software of computers on the network while the attack-simulation mechanism runs.
Method No. 3 involves using all three mechanisms (with both administrator and user rights) and attempting to eliminate vulnerabilities on individual computers. Due to the low speed and the risk of damaging the software, this method is used least often - mainly when there is serious evidence of the presence of “holes”.
Capabilities of modern scanners
The main requirements for a scanner program that checks the system and its individual components for vulnerabilities are:
- Cross-platform or support for multiple operating systems. If you have this feature, you can scan a network consisting of computers with different platforms. For example, with or even with systems like UNIX.
- The ability to scan multiple ports simultaneously; this function significantly reduces the time required for verification.
- Scanning all types of software that are usually susceptible to attacks by hackers. Such software includes the company's products (for example, the MS Office suite of office applications).
- Checking the network as a whole and its individual elements without the need to run a scan for each system node.
Most modern scanning programs have an intuitive menu and are quite easy to configure according to the tasks being performed.
Thus, almost every such scanner allows you to create a list of hosts and programs to scan, specify applications for which updates will be automatically installed when vulnerabilities are detected, and set the frequency of scanning and generating reports.
After receiving the reports, the scanner allows the administrator to run threat remediation.
Among additional features scanners, one can note the possibility of saving traffic, which is obtained by downloading only one copy of the distribution and distributing it across all computers on the network. Another important function involves saving the history of past scans, which allows you to evaluate the operation of nodes in certain time intervals and assess the risks of new security problems.
Network vulnerability scanners
The range of scanner programs is quite large.
All of them differ from each other in functionality, efficiency of searching for vulnerabilities and price.
To evaluate the capabilities of such applications, it is worth considering the characteristics and features of the five most popular options.
GFI LanGuard
The manufacturer GFI Software is considered one of the leaders in the global information security market, and its products are included in the ratings of the most convenient and effective in checking for program vulnerabilities.
One such application that provides network security and individual computers, is GFI LanGuard, whose features include:
- quick assessment of the status of ports in the system;
- search for unsafe settings on network computers and prohibited installation of programs, add-ons and patches;
- the ability to scan not only individual computers and servers, but also virtual machines included in the system and even connected smartphones;
- drawing up a detailed report based on the scanning results, indicating vulnerabilities, their parameters and methods of elimination;
- intuitive operation and options for automatic operation: if necessary, the scanner starts at a set time, and all corrections are performed without administrator intervention;
- the ability to quickly eliminate detected threats, change system settings, update permitted software and remove prohibited programs.
What sets this scanner apart from most analogues is the installation of updates and patches for almost any operating system.
This feature and other advantages of GFI LanGuard allow it to be at the top of the ratings of programs for searching network vulnerabilities.
At the same time, the cost of using the scanner is relatively low and is affordable even for small companies.
Nessus
The Nessus program was first released 20 years ago, but only since 2003 has it become paid.
Monetization of the project has not made it less popular - thanks to its efficiency and speed, every sixth administrator in the world uses this particular scanner.
The benefits of choosing Nessus include:
- constantly updated vulnerability database;
- easy installation and user-friendly interface;
- effective detection of security problems;
- the use of plugins, each of which performs its own task - for example, it scans the Linux OS or starts checking only headers.
An additional scanner feature is the ability to use tests created by users with special software. At the same time, the program also has two serious drawbacks. The first is the possibility of some programs failing when scanning with the "simulated attacks" method; the second is the rather high cost.
Symantec Security Check
The Security Check program is free scanner Symantec company.
Among its functions, it is worth noting the search not only for vulnerabilities, but also for viruses - including macro viruses, Trojans and Internet worms. In fact, the application consists of 2 parts - the Security Scan scanner, which ensures network security, and the Virus Detection antivirus.
The advantages of the program include easy installation and the ability to work through a browser. Among the disadvantages, they note low efficiency - the versatility of the product, which allows it to also search for viruses, makes it not very suitable for scanning a network. Most users recommend using this scanner only for additional checks.
XSpider
The XSpider scanner is produced by Positive Technologies, whose representatives claim that the program not only detects already known vulnerabilities, but is capable of finding threats that have not yet been created.
Features of the application include:
- effective detection of “holes” in the system;
- the ability to work remotely without installing additional software;
- creating detailed reports with tips for troubleshooting;
- updating the vulnerability database and software modules;
- simultaneous scanning of a large number of nodes and workstations;
- saving test history for further problem analysis.
It is also worth noting that the cost of using the scanner is more affordable than Nessus, although higher than GFI LanGuard.
QualysGuard
The scanner is considered multifunctional and allows you to receive a detailed report assessing the level of vulnerabilities, the time to eliminate them and the level of impact of the “threat” on the business.
The product's developer, Qualys, Inc., supplies the program to hundreds of thousands of consumers, including half of the world's largest companies.
Conclusions
Taking into account the wide range of applications for scanning the network and its nodes for vulnerabilities, the administrator’s work is greatly facilitated.
Now he is not required to launch all scanning mechanisms manually; he just needs to find a suitable application, select a verification method, configure it and follow the recommendations of the resulting report.
You should choose a suitable scanner based on the functionality of the application, the effectiveness of threat detection (which is determined by user reviews) and, just as importantly, on a price that should be comparable to the value of the information being protected.