General Scanners


A vulnerability scanner performs the following steps:

1. Scans a network or host to determine if it is active

2. Looks for services that are running on the network or host

3. Categorizes vulnerabilities for each service running

4. Reports on any vulnerabilities found

The sections that follow cover five popular vulnerability scanners:

  • Nessus

  • SAINT

  • SARA

  • ISS

  • NetRecon

Nessus

Nessus (http://www.nessus.org) is an open-source vulnerability scanner created by Renaud Deraison in 1998. It began as a Linux tool, but a Windows version is now available. Nessus is free to use under the GPL, but it does require an activation key, which is sent to a validated e-mail address. This validation helps track who is using the tool, which might deter some malicious hackers from using Nessus.

Nessus is a powerful scanner with its own scripting language called Nessus Attack Scripting Language (NASL). Nessus scans your target for standard ports but also checks nonstandard ports for services. For example, if you have a web server running on port 8080 instead of port 80, Nessus is powerful enough to detect this by checking each port, not just the common ports, for common services such as web and FTP.
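The following is an added example, not code from the book or from Nessus, showing the four scanner steps above (minus the live network sweep) in miniature: it identifies services from what they say rather than from the port they answer on, so an HTTP server on 8080 is still found, then matches banners against a small check catalogue and prints a SARA-style colour-graded report. The sweep data, the host address and the check catalogue are all constructed for illustration.

```python
import re
from collections import namedtuple

# Step 2: identify a service by what it says, not by its port number,
# so a web server answering on 8080 is still recognised as HTTP.
SERVICE_PATTERNS = [
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}")),
    ("ssh", re.compile(r"^SSH-\d\.\d-")),
    ("smtp", re.compile(r"^220 .*E?SMTP", re.I)),
    ("ftp", re.compile(r"^220 .*FTP", re.I)),
    ("telnet", re.compile("^\xff[\xfb-\xfe]")),  # IAC WILL/WONT/DO/DONT
]

# Step 3: a constructed check catalogue (illustrative, not real plug-ins):
# (service or None for any, banner regex, SARA-style colour, description).
CHECKS = [
    ("ftp", re.compile(r"ExampleFTPd 0\.9"), "red", "constructed known-bad FTP build"),
    ("telnet", re.compile(r"."), "yellow", "telnet present: cleartext logins"),
    (None, re.compile(r"\d+\.\d+"), "brown", "banner discloses a version number"),
]

Finding = namedtuple("Finding", "host port service severity description")

def identify_service(banner):
    """Return the service name whose banner pattern matches, else None."""
    return next((n for n, p in SERVICE_PATTERNS if p.search(banner)), None)

def scan_host(host, port_banners):
    """Steps 2-3 for one host; port_banners maps port -> banner text."""
    findings = []
    for port, banner in sorted(port_banners.items()):
        service = identify_service(banner)
        for svc, pattern, severity, desc in CHECKS:
            if service and svc in (None, service) and pattern.search(banner):
                findings.append(Finding(host, port, service, severity, desc))
    return findings

def report(findings):
    """Step 4: one line per finding, most serious colour first."""
    rank = {"red": 0, "yellow": 1, "brown": 2}
    ordered = sorted(findings, key=lambda f: (rank[f.severity], f.host, f.port))
    return "\n".join(f"{f.severity:6} {f.host}:{f.port:<5} {f.service:6} {f.description}"
                     for f in ordered)

# Constructed sweep result (documentation address; nothing was actually scanned).
SAMPLE_SWEEP = {"192.0.2.10": {21: "220 ExampleFTPd 0.9 Server ready",
                               23: "\xff\xfd\x18\xff\xfd\x20",
                               8080: "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.4"}}
if __name__ == "__main__":
    print(report(scan_host("192.0.2.10", SAMPLE_SWEEP["192.0.2.10"])))
```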

Nessus has more than 7600 plug-ins available for downloading. Reports are done through a secure web interface. You can generate your own web certificate through the nessus-mkcert utility or import one from a trusted certificate authority. Certificates help to secure the web interface by both verifying the authenticity of the server and providing encrypted communications between the web browser and the Nessus server.

Before you use Nessus, create a user using the nessus-adduser utility. You can even specify which hosts a user is allowed to scan. This way, you can prevent users from mistakenly (or intentionally) scanning unauthorized hosts.

Figure 13-1 shows an example of a Nessus report.

Figure 13-1. Sample Nessus Report


Tip

If you use the Linux version of Nessus, you will need to install uudecode, which is part of the sharutils suite. You can obtain it from http://www.gnu.org/software/sharutils/sharutils.html.


SAINT

Security Administrators Integrated Network Tool (SAINT) is available through the SAINT Corporation at http://www.saintcorporation.com/products/saint_engine.html. SAINT is a commercial scanner based on SATAN, an older vulnerability scanner developed by Dan Farmer and Wietse Venema in 1995 (http://www.porcupine.org/satan/). Although SAINT was originally designed for Linux, it is now available on SunOS 5.6/Solaris 2.6, HP-UX 11.00, FreeBSD, and MacOS.

As a penetration tester, you are often employed by companies to test a target for compliance with federal regulations, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). (See Chapter 2, "Legal and Ethical Considerations," for more about these regulations.) SAINT demonstrates compliance with these and other federal regulations. SAINT even supports scheduled scans so that you can arrange routine scanning for regulatory compliance.

If cost is an issue, you can opt for WebSAINT instead. This is a paid subscription service from the SAINT Corporation in which the scan is performed across the Internet and the results are sent back to you via e-mail.

Tip

For best operation, it is recommended that you have the following utilities installed when running SAINT:

  • Perl 5.00

  • NMap

  • Samba Utilities

  • Xprobe2

  • OpenSSL

Also, turn off TCP wrappers (tcpd), because they cause inaccurate results.


SARA

The Security Auditor's Research Assistant (SARA) is an open-source scanner released under the GPL by the Advanced Research Corporation (http://www-arc.com/sara/). SARA is available on Linux, UNIX, Mac, and on Windows using Cooperative Linux (http://www.colinux.org), a distribution of Linux that runs on top of Windows.

SARA checks for the SANS (SysAdmin, Audit, Network, Security) Institute Top 20 vulnerabilities and supports the Common Vulnerabilities and Exposures (CVE) standard (http://cve.mitre.org). SARA updates itself twice a month and downloads the latest vulnerabilities.

SARA does not test for DoS vulnerabilities, which makes it safe to test on corporate networks. However, older systems might still crash during some tests, so make sure all parties are aware that although a DoS attack will not intentionally be performed, it is still possible for one to occur inadvertently.

Figure 13-2 shows a sample SARA report.

Figure 13-2. Sample SARA Report


You can export reports in spreadsheet, XML, or Microsoft Word format. SARA categorizes the seriousness of detected vulnerabilities by color, as shown in Table 13-1.

Table 13-1. SARA Color Categories

Color     Category
Red       Serious vulnerability
Yellow    Vulnerability probable but not certain, or a less serious vulnerability was found
Brown     Service was found that could help hackers but is not necessarily serious


Like SAINT, SARA supports scheduled scans. You can perform these scheduled scans through the command line or by modifying the timing rules in the sara.cf file.

You manage SARA in three ways:

  • The easiest method is interactive, which you do through a web browser.

  • The second method is through a command line, which makes it easy to script or run in the background.

  • The third method of controlling SARA is remotely. From the command line, you can make a connection to a remote server that is running SARA. By default, SARA uses port 666. Only one user can be connected remotely at a time.

ISS

The Internet Security Scanner (ISS) is a Windows-based commercial scanner available at http://www.iss.net that has rich reporting features. ISS provides three different reports, depending on the level of detail needed:

  • Executive reports are high-level reports designed for upper-level management and contain little technical detail.

  • Line management reports are designed for security analysts and IT managers who need more technical information as to the exact type of vulnerability discovered on a system.

  • Technical reports are provided for technical staff and include detailed information about the vulnerability and suggested methods of fixing the vulnerability.

Example 13-1 shows a sample technical report.

Example 13-1. Sample ISS Technical Report

IP Address {DNS Name}    Operating System
172.16.1.2 {HMN}         Cisco IOS C2900XL-H2-M

accountblankpw: User account has blank password (CAN-1999-0504)

Additional Information
More Information
vlb

An account has been detected with a blank password. Some vendors ship Windows NT pre-installed with a blank password on the Administrator or other user accounts. This misconfiguration is an extremely high risk vulnerability, and should be corrected immediately. This vulnerability is typically detected on a computer where there is also no minimum password length required. If the Guest account has a blank password, it allows anyone to log in with any username and a blank password. If the file and registry permissions are not very tightly restricted, this situation can give any attacker the ability to access sensitive information and systems.

Internet Scanner users: This check finds local and domain accounts that are part of the Domain Users group. Any local account found that is part of a non-Windows built-in group will also appear vulnerable. Enabling this check automatically enables password checking in the NT Logon Sessions common settings. If no password checking method is specified, then the method defaults to 'Check Accounts by Logon,' otherwise the method(s) selected by the user takes effect. The password-checking source 'Use Blank Password' is then enabled in addition to any sources selected by the user.

NetRecon

NetRecon is a Windows-based commercial scanner from Symantec (http://www.symantec.com). NetRecon includes a patent-pending progressive scanning technology that scans hosts in parallel and adapts its penetration strategy based on previously gathered results. NetRecon is unique in this sense, as it actively learns and adapts to the environment it is testing. For example, if it is able to crack a password on one system, it will remember that password and attempt it on other systems.

    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209