- Why ISO27001 Internal Audit Should Not Be CheckList Based? - 02/11/2022
- Comparison of Hardware and Software Firewall - 07/01/2022
- What is dynamic web page for VAPT - 13/12/2021
Title: Top 10 Security Vulnerability Scanners
Scope of article
Gone are the days when a network administrator would sit in his cozy datacenter room, sip coffee and look at monitors showing datacenter stats. Today’s cyber world forces admin teams to deal with challenges which are beyond just the machine related problems. Modern datacenters deploy firewalls and managed networking components, but still possess with a feel of insecurity because of cyber hackers. This imposes a crucial need to have network vulnerability assessment tools which will perform a daunting job of finding needle in a haystack. From the cyber security standpoint, network and web vulnerabilities plague today’s infrastructure and this article brings top 10 assessment tools to address the issues. These tools are categorized based on their popularity, functionality and ease of use, which make them the “must have” software gadgets in every network administrator’s toolbox.
Revisiting vulnerabilities and scanners
Vulnerabilities are an unfortunate integral part of every software and hardware system. A bug in operating system, a loophole in a commercial product or a misconfiguration of critical infrastructure component makes it susceptible to attacks. Evil technocrats can write a malicious code such as a virus, or intentionally attempt to penetrate through the system by making use of these vulnerabilities for personal or commercial gains. While technically it is not a very easy job, successful attempts to break through multiple systems seem to have proven this theory wrong over time. Though it was believed that all this would be true only for commercial products, lately open source systems are found to be hacked into, and data theft and reputational or monetary loss to the corporations is observed. Not just the local area networks, but the websites are also found to be vulnerable, and hence become first target of prying eyes of hackers. So in short, the vulnerabilities can be exploited from within the organization, as well from over internet by an unknown person.
On a good side, with a number of attacks increasing, there are a whole slew of tools to detect and stop these malwares and hacking attempts. In the open source world, many CLI based and GUI based utilities are available for various distros. It is very important at this point to mention Backtrack Linux which has gained global fame by incorporating a wide range of vulnerability assessment and digital forensics software utilities. The most recent version of Backtrack also contains powerful wireless vulnerability testing tools too. Though there are literally hundreds of tools to name, we set our mind on only those top 10 tools which are worth mentioning, simply because no other tool can really replace them. The selection criteria primarily focuses on the feature set, their spread in the cyber security community and their simplicity. Please refer to Fig 1 which shows the top 5 tools we chose for network assessment, and Fig 2 shows those for the web vulnerability scanning. Since we all belong to an “open source” world, only the FOSS tools are mentioned and not the commercial ones. We also present the tools in the order of expected usage to detect vulnerabilities; this should provide a systematic approach to the readers who wish to make a career as a certified penetration tester.
Top 5 Network Security Assessment Tools
While performing a vulnerability scanning against a network, it needs to be done from within the network as well as from external, or simply put, from either sides of the firewall protecting the network. A methodical approach suggested is to start from network evaluation phase where sniffing and primary attacks are performed. The data thus gathered is used in the attack phase to exploit the exposed the vulnerabilities.
Wireshark – The very first step in vulnerability assessment process is to have a clear picture of what is happening on the network. Wireshark (previously named Ethereal) works in promiscuous mode to capture all traffic of a TCP broadcast domain. Customized filters can be set to intercept specific traffic, for example, to capture communication between two IP addresses, or capture UDP based DNS queries on the network etc. Traffic data gathered can be dumped into a capture file, which can be reviewed later. Additional filters can also be set during the review mode. Typically the person performing assessment is looking for stray IP addresses, spoofed packets, un-necessary packet drops, and suspicious packet generation from a single IP address etc. Wireshark gives a wide and clear picture of what is happening on the network; however it does not have its own intelligence and hence should be used as a data provider. Due to its great GUI, any person with primitive knowledge can use it.
Nmap – This is probably the only tool available which maintained its fame for almost a decade. Nmap is mainly a scanner which is capable of crafting packets and performing scans to a granular TCP level such as SYN scan, ACK scan etc. It has built in signature checking algorithms to detect or guess the operating system and its version, based on the network responses received such as a TCP handshake. Nmap is effective enough to detect the remote devices and in most cases correctly identifies firewalls, routers and their make and model. Network administrators can use NMAP to check which ports are open, and also if those ports can be exploited further to simulate an attack. The output is plain text and verbose, hence this tool can be seamlessly used along with a script to automate routine tasks, and also to grab evidence for an audit report.
Metasploit – Once the sniffing and scanning is performed using the two tools above, it is a time to go under the skin of IT infrastructure to reach to the operating system and application level. Metasploit provides a fantastic and yet powerful open source framework to perform rigorous scans against a set of IP addresses. Unlike many other frameworks, it can also be used for anti-forensics. Expert programmers can write a price of code exploiting a particular vulnerability, and test it with Metasploit, to see if it is detected. Reversing this process technically, upon the spread of Day0 virus using some unknown vulnerability, Metasploit can be used to test the patch fix for it. While this tool is known as a commercial one, we mention it here because the community edition is free and does not compromise on feature set.
Openvas – Nessus scanner is a famous commercial utility, from which OpenVAS branched out few years back to remain on the open source platform. Though metasploit and OpenVAS go parallel in most of the cases, there is still a distinct difference between them. OpenVAS is split into two major components, a scanner and a manager, whereby a scanner may reside on the target to be scanned and feed the vulnerability findings to the manager. The manager collects inputs from such multiple scanners and applies its own intelligence to create a report. In the cyber security world, OpenVAS is believed to be very stable and reliable in terms of detecting latest security loopholes and providing reports and inputs to fix those. A built-in Greenbone security assistant provides a GUI dashboard to list all vulnerabilities and impacted machines on the network. Creating detailed reports is one thing that makes OpenVAS a favored tool by infrastructure security managers.
Aircrack – The list of network scanners would be incomplete if we do not take into account the wireless security scanners. Today’s infrastructure contains wireless devices in the data center as well as in the corporate premises, to facilitate mobile users. While having WPA-2 security is believed to be adequate for 802.11, the mis-configurations and use of simple passwords makes such networks open to attacks. Aircrack is a suite of software utilities which act as a sniffer, packet crafter and packet decoder. First a wireless network is targeted, which is then subjected to packet traffic in order to capture vital details about the underlying encryption. A decryptor is then used to brute force the capture file, and find out passwords. Aircrack is capable of working on most of the Linux distros, but the one running on Backtrack Linux is highly preferred.
Top 5 Web Security Assessment Tools
Scanning websites is an entirely different ballgame than the network scans. In case of websites the scope of things to scan range from layer 2 to 7, considering the intrusiveness of latest vulnerabilities. The correct approach to scan websites starts from web level access, right up to the scanning all backend components such as databases. While most of the web security scanners are automated, there could be a need for manual scripting based on the vulnerability situations.
Nikto – We must start with this tool because of the features it provides. Nekton is an open source tool widely used to scan websites mainly because it supports HTTP and HTTPS, and also provides findings in an interactive fashion. Nikto can crawl a website just the way a human would do and that too in the least amount of time. It uses a technique called mutation whereby it creates combinations of various HTTP tests together to form an attack, based on the web server configurations and the hosted code. Thus it results in finding critical loopholes such as file upload mis-configurations, improper cookie handling, cross scripting errors etc. Nikto dumps all of its findings in a verbose mode which helps in knowing about web vulnerabilities in details; however it can also result in notification of too many things which would be misinterpreted as false alarms. Hence care should be taken while interpreting Nikto logs.
Samurai Framework – Once a baseline check is performed by Nikto, the next step is have a deep dive approach. Samurai is a framework, meaning a bunch of powerful utilities, each one targeted for a specific set of vulnerabilities to be detected. It comes in the form of a Linux distribution purely focusing on penetration testing tools such as Webscarab for HTTP mapping, W3AF plugins for application based attacks and also the tools to test browser based exploits. It is amazing to note that the most recent version of Samurai is capable of finding vulnerabilities, which are usually not detected even by few commercial software products.
Websecurify – Though very similar to Samurai, Websecurify also brings application level assessment into the play. In case of a large web farm where the code is being maintained by a team of developers, it is seldom a practice to follow standards which can result into insecure code. Examples are to mention passwords in code, put physical file paths in the libraries etc. Websecurify can traverse entire code and find such loopholes swiftly. A nice feature is to create screenshots of the problem areas automatically which helps in preparing audit reports. It is one of the very few platform independent tools and also supports mobile coding, which is helping it to gain fame in the cyber security assessment world.
Sqlmap—Unless we mention a tool to detect SQL injection attack, this article just cannot be complete. Though this is a very old and first generation attack, it is still observed that many public websites still miss to fix it. SQLmap is capable of not just exploiting the SQL injection faults, but also can take over the database server. Since it is focused only for a specific task, it works at great speeds to fingerprint databases, find out details of underlying file system and operating system and eventually fetch data from the server. It supports almost all famous database engines and also can perform password guessing attacks. This tool can be combined with the rest 4 tools above, to scan a website aggressively.
A vulnerability assessment should include appropriate tools for network scanning as well as website vulnerability exploitation. Open source software is prone to hacking attacks too, and hence the network administrators must take enough precautions to know the famous scanners and use in their daily tasks, to make their infrastructure secure and stable.
Tools mentioned in this article are purely from study perspective. Please remember it is unlawful to hack or scan networks without consent, and you can get prosecuted for doing so. The order in which these tools are mentioned is our own perspective, it is not intended to undermine any tool’s ratings or features.
About the author
The author has over 18 years of experience in the field of IT hardware, networking, web technologies and IT security. Prashant is MCSE, MCDBA certified and also F5 load balancer expert. In the IT security world he is an ethical hacker and net-forensic specialist.
Prashant runs his own firm named Valency Networks in India (www.valencynetworks.com) providing consultancy in IT security design, security audit, infrastructure technology and business process management. He can be reached at firstname.lastname@example.org.