Retina




Retina is a remote vulnerability scanner that runs on Windows platforms. It is not free, but a short-term evaluation of the product is available from http://www.eeye.com/html/Products/Retina/index.html.

Retina, like STAT, does not natively function via the client/server model. An additional (yet separate) product, called Retina Remote Manager, allows you to manage several Retina instances remotely from a single point. The Retina scanner itself comes with additional tools or modules that can be used to gather more information about the machines you are scanning. In concept, however, Nessus, STAT, and Retina aren’t all that different.

Note 

As we said earlier about STAT, no vulnerability scanner is perfect, and eEye’s Retina is no exception. Retina was designed to be completely passive in nature; however, with this architecture come numerous vulnerability checks that rely solely on application banners, which increases the chances of false positives and false negatives when it is run on a wily network administrator’s network.
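
The failure mode this note describes, as an added example that is not from the book or from Retina: a banner-only version check run over constructed hosts whose real state is known. The rule threshold, the banners and the ground-truth labels are assumptions made for illustration.

```python
import re
from collections import Counter

# Hypothetical audit rule: flag Apache 1.3.x older than 1.3.27.
# The threshold is a constructed value, not an actual Retina audit.
FIXED_IN = (1, 3, 27)
BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

def banner_check(banner):
    """Return True (flag), False (clear) or None (no version in banner)."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    return version[:2] == FIXED_IN[:2] and version < FIXED_IN

def classify(banner, actually_vulnerable):
    """Compare the banner-only verdict with the host's real state."""
    flagged = banner_check(banner) is True
    if flagged:
        return "true positive" if actually_vulnerable else "false positive"
    return "false negative" if actually_vulnerable else "true negative"

# Constructed sample: (banner, really vulnerable?, why)
HOSTS = [
    ("Server: Apache/1.3.20 (Unix)", True, "unpatched, honest banner"),
    ("Server: Apache/1.3.20 (Unix)", False, "fix backported, banner unchanged"),
    ("Server: Apache", True, "version hidden (ServerTokens Prod)"),
    ("Server: Microsoft-IIS/5.0", True, "banner rewritten by the administrator"),
    ("Server: Apache/1.3.29 (Unix)", False, "current release"),
]

def summarize(hosts):
    """Count outcomes of the banner-only check across all hosts."""
    return Counter(classify(banner, vuln) for banner, vuln, _ in hosts)

if __name__ == "__main__":
    for banner, vuln, why in HOSTS:
        print(f"{classify(banner, vuln):15} {banner:32} {why}")
    print(dict(summarize(HOSTS)))
```

Findings that rest only on a banner are worth confirming against the host's patch level or configuration before they are reported or dismissed.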

Implementation

On the first run, Retina lets you use a wizard to help set up and execute your first scan. However, the wizard isn’t what you might expect. It’s actually more of a “help wizard,” telling you how to set up and execute the scan yourself. This may be preferable, though, because it forces you to learn instead of oversimplifying the task at hand. Once you’ve read through the wizard, you’re ready to start. You’ll see a screen like the one in Figure 12-16.

Figure 12-16: Retina main window

Before beginning the scan, you can explore some of the options and preferences.

  1. Choose Tools | Options to open the Options window, shown next.


    In this window, you can control scan performance settings, logging and alert options, logging to an OPSEC device (Open Platform for Security), and even scheduling, so that you can scan for vulnerabilities on a regular basis. Clicking the Schedule icon in the left panel of the window will allow you to configure Retina’s schedule, as shown in the following illustration.


  2. Choose Tools | Reports to open the Reports window. You can customize the reports that Retina can generate.


  3. Choose Tools | Policies to configure the different policies that Retina uses when it performs its scans. You can control the port ranges that Retina covers as well as the types of audits (or vulnerability checks) that it performs. The following illustration shows a list of the available audits.


  4. You can also choose Tools | Audit Search to look for particular vulnerability checks by name or other categories. The following illustration shows a list of buffer overflow audits.


In addition, the full version of Retina allows you to use wizards to set up your audit, making the process somewhat easier on beginners.

Now that we’ve looked at the configuration options, let’s run an example vulnerability scan using the default (complete scan) policy.

  1. In the Retina main window (see Figure 12-16), select the Scanner option from the left pane, and specify an IP address in the Address field at the top of the window. The full version of Retina allows you to scan ranges of IP addresses.

  2. Choose Action | Start to start the scan. You’ll see the progress of the scan in the bottom-left corner. Retina first scans for open ports and attempts to obtain information about those ports (similar to Nessus).

  3. After it’s mapped out the system, Retina figures out which vulnerability checks it should try and starts running them against the system.

  4. Retina claims it is one of the fastest vulnerability scanners on the market, and it delivers. In about a minute, Retina has finished its scan. The results are shown in Figure 12-17. You can navigate through a plethora of information including running services, user and domain information, OS information, and system vulnerabilities. Retina also has a “fix it” feature, similar to STAT’s AutoFix, that allows it to patch Windows registry changes and file permissions automatically. When you’re ready to generate a report, choose Tools | Reports to access the reporting options. Although the evaluation version comes with only a sample HTML report, you can see the amount of detail and professionalism that is included in the reports.

    Figure 12-17: Retina scan results

Retina provides other modules (in the left pane of the Retina main window) to assist you in your scan:

  • Browser   A mini web browser that lets you navigate the web site located at a particular IP address. This is useful for checking out the web servers on the hosts you scan.

  • Miner   Tries to guess hidden HTML filenames or log into standard password-protected locations on a web site using a slew of usernames and passwords stored in a file.

  • Tracer   A graphical traceroute that shows the path taken between you and the machine you are auditing.

Note 

We ran Retina against a Windows 2000 box and a RedHat Linux box. It did an excellent job finding vulnerabilities and misconfigurations with both platforms. It found and alerted us on an explicitly planted open NFS share that was world-readable as well as Apache vulnerabilities in an older version of the web server. In general, Retina appears fast and thorough.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2004
Pages: 189
