When attackers target a particular computer network, they use vulnerability-scanning tools to look for holes in the armor of the target machines. Vulnerability scanners are really based on a simple idea: Automate the process of connecting to a target system, and check to see if a vulnerability is present. By automating the process, we can quickly and easily check the target systems for many hundreds of vulnerabilities. A vulnerability-scanning tool knows what many system vulnerabilities look like and goes out across the network to check to see if any of these known vulnerabilities are present on the target. A vulnerability-scanning tool will automatically check for the following types of vulnerabilities on the target system:
Common configuration errors—Numerous systems have poor configuration settings, leaving various openings for an attacker to gain access.
Default configuration weaknesses—Out of the box, many systems have very weak security settings, often including default accounts and passwords.
Well-known system vulnerabilities—Every day, volumes of new security holes are discovered and published in a variety of locations on the Internet. Vendors try to keep up with the onslaught of newly discovered vulnerabilities by creating security patches. However, once the vulnerabilities are published, a flurry of attacks against unpatched systems is inevitable.
For example, a vulnerability-scanning tool will check to see if you are running an older, vulnerable version of the BIND DNS server that allows an attacker to take control of your machine. It will also check to see if you’ve misconfigured your Windows NT system to allow an attacker to gather a complete list of users through a NULL session. These are only two examples of the hundreds or thousands of checks that the tool will automatically conduct during a scan. The attacker will use a vulnerability-scanning tool that includes automated programs to check for each of these kinds of vulnerabilities. Many vulnerability scanners also include network-mapping programs and port scanners. While particular implementations vary, most vulnerability-scanning tools can be broken down to the following common set of elements, as shown in Figure 1.
Vulnerability database—This element is the brain of the vulnerability scanner. It contains a list of vulnerabilities for a variety of systems and describes how those vulnerabilities should be checked.
User-configuration tool—By interacting with this component of the vulnerability scanner, the user selects the target systems and identifies which vulnerability checks should be run.
Scanning engine—This element is the arms and legs of the vulnerability scanner. Based on the vulnerability database and user configuration, this tool formulates packets and sends them to the target to determine whether vulnerabilities are present.
Knowledge base of current active scan—This element acts like the short-term memory of the tool, keeping track of the current scan, remembering the discovered vulnerabilities, and feeding data to the scanning engine.
Results repository and report-generation tool—This element is the mouth of the vulnerability scanner, where it says what it found during a scan. It generates pretty reports for its user, explaining which vulnerabilities were discovered on which targets.
Figure 1: A generic vulnerability scanner.
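To make the five elements of Figure 1 concrete, the following is an added example written for this page, not code from the book or from any scanner it names. It models each element as a small Python component; the hostnames, version strings, the "9.3.0" baseline and the check ids are constructed placeholders, and the engine's network probes are replaced by an in-memory fingerprint table.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class VulnCheck:
    """Vulnerability-database entry: id, description, and a test that is True when the weakness is present."""
    vid: str
    description: str
    test: Callable[[dict], bool]

# Constructed target fingerprints (made-up hosts and versions) standing in for what a real engine learns by probing.
TARGETS = {
    "host-a": {"dns_version": "9.2.0", "null_session": True, "default_accounts": []},
    "host-b": {"dns_version": "9.4.2", "null_session": False, "default_accounts": ["guest"]},
}
# Vulnerability database; the 9.3.0 baseline is a constructed placeholder, not a real advisory boundary.
VULN_DB = [
    VulnCheck("dns-old-version", "DNS server older than constructed baseline 9.3.0",
              lambda t: tuple(map(int, t["dns_version"].split("."))) < (9, 3, 0)),
    VulnCheck("null-session", "Anonymous session allows user enumeration",
              lambda t: t["null_session"]),
    VulnCheck("default-accounts", "Default accounts still enabled",
              lambda t: bool(t["default_accounts"])),
]

@dataclass
class ScanConfig:
    """User-configuration tool: which targets and which checks to run."""
    targets: list
    check_ids: set

@dataclass
class ScanState:
    """Knowledge base of the current scan: findings accumulated so far."""
    findings: dict = field(default_factory=lambda: defaultdict(list))

def run_scan(config: ScanConfig, db=VULN_DB, fingerprints=TARGETS) -> ScanState:
    """Scanning engine: evaluate each selected check against each target and record hits."""
    state = ScanState()
    for host in config.targets:
        for check in db:
            if check.vid in config.check_ids and check.test(fingerprints[host]):
                state.findings[host].append(check.vid)
    return state

def report(state: ScanState, db=VULN_DB) -> list:
    """Results repository and report generator: one readable line per finding."""
    desc = {c.vid: c.description for c in db}
    return [f"{h}: {v} - {desc[v]}" for h in sorted(state.findings) for v in state.findings[h]]
```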
A Whole Bunch of Vulnerability Scanners
A large number of very effective vulnerability scanners are available on a free, open source basis, including these:
SARA, by Advanced Research Organization
SAINT, by World-wide Digital Security
VLAD the Scanner, by Razor
Nessus, by the Nessus Project Team (headed by Renaud Deraison)
SARA and SAINT are both descendants of one of the early vulnerability-scanning tools, SATAN (the Security Administrator Tool for Analyzing Networks), by Wietse Venema and Dan Farmer. While the original SATAN is certainly showing its age, its spirit lives on in SAINT and SARA. In addition to these wonderful freeware offerings, many commercial vulnerability scanners are also available, including these:
Network Associates’ CyberCop Scanner
ISS’s Internet Scanner
Cisco’s Secure Scanner (formerly NetSonar)
E-eye’s Retina Scanner
Qualys’ QualysGuard, a subscription-based scanning service that scans customers’ systems across the Internet on a regular basis
Vigilante’s SecureScan, another subscription-based scanning service
It is important to note that each of these commercial tools is highly effective and also includes technical support from a vendor. While all of these tools have their merits, my favorite vulnerability-scanning tool is the free, open-source Nessus because of its great flexibility and ease of use. In addition, commercial support is available from the folks who created Nessus at http://www.nessus.org. Because it is a superb illustration of vulnerability-scanning tools, we will analyze the capabilities of Nessus in more detail.