Commonalities Among Scanning Tools
Most "scanning" security tools have many commonalities. Here's a rough list of features that are found in most scanning applications, regardless of their particular focus:
- Network discovery scan: Search a given range of IP addresses and find active hosts.
- Name resolution: Resolve host names and correlate to IP addresses.
- Port scan/service enumeration: Scan identified active hosts for open ports, indicating possible active services.
- Banner grabbing: Attempt to determine system services based on banners supplied upon connection attempts.
- OS identification (TCP and ICMP fingerprinting): A "best guess" at the host operating system based on behavioral patterns and performance.
Once active systems are identified, various tests can be run against the system, either against active services or against the system itself if proper authentication information has been provided. These checks include the following:
- Registry enumeration (Windows, with authentication)
- Comparison of application settings with stored target settings
- Comparison of registry settings with stored target settings
- Determination of existence/omission of files
- Determination of file attributes (size, date, internal version, hash value)
- Determination of ACLs on files and folders
Various other checks and/or tests can be performed, as well. The software can attempt to identify missing security-related patches, hot fixes, and service packs. Password attacks can be attempted, looking for default or weak username/password combinations. Application testing can be performed against known services or Web-based applications.