Top 9 scanning tools for security scans

Nessus

Official developer’s website: www.nessus.org/plugins/index.php

Distribution: Paid and Free (trial) version

Platform: Win / Unix / Mac

Anyone who has not tried Nessus has at least heard of it. One of the most famous security scanners has a rich history: once an open source project, the program is no longer distributed as open source. Fortunately, a free version remains; it was initially cut off from vulnerability database updates and new plugins entirely, but the developers later relented and now only limit how often it can update.

Plugins are the key feature of the application's architecture: no check is hard-coded into the program; every test takes the form of a plugin. Add-ons are grouped into 42 categories, so to run a test you can enable individual plugins or every plugin of a given category, for instance all local checks for an Ubuntu system. Nothing stops you from writing your own checks either: for this purpose Nessus implements a dedicated scripting language, NASL (Nessus Attack Scripting Language), which other tools have since borrowed.

The developers gained even more flexibility by separating the server part of the scanner, which does all the work, from the client, which is little more than a graphical interface. In the latest version, 4.2, the daemon opens a web server on port 8834; through it you can control the scanner from a convenient Flash-based interface using nothing but a browser.

After installation the server starts automatically as soon as you enter the activation key, which you can request for free on the Nessus homepage. To log in, however, whether locally or remotely, you first need to create a user: on Windows this takes two mouse clicks in the GUI of the Nessus Server Manager, which also lets you start and stop the server.

Any penetration test starts with the creation of so-called Policies, the rules the scanner follows during a scan. Here you choose the port-scanning methods (TCP Scan, UDP Scan, SYN Scan, etc.), the number of simultaneous connections, and Nessus-specific options such as Safe Checks. The latter makes scanning safe by deactivating plugins that could harm the system being scanned.

An important step in building a policy is enabling the right plugins: you can activate entire groups, say Default Unix Accounts, DNS, CISCO, Slackware Local Security Checks, Windows, and so on. The choice of attacks and checks is huge! What makes Nessus stand out is how clever the plugins are. The scanner never judges a service by its port number alone: you won't fool Nessus by moving a web server from the standard port 80 to, say, 1234. If anonymous login is disabled on an FTP server and some plugins depend on it, the scanner will not run them, knowing full well they would be useless.

If a plugin exploits a vulnerability in Postfix, Nessus will not try its luck with tests against sendmail, and so on. Obviously, to run checks on the local system you have to give the scanner Credentials (logins and passwords for access); this is the final part of policy configuration.
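What a scan like the one configured above produces is a report listing every host, the services found on it and the findings per service. The script below is an added example, not Nessus code or anything from the original article: it assumes the report is in the NessusClientData_v2 XML layout that Nessus exports (an assumption; the article never names the format), flattens it into findings, summarizes severity per host, and pulls out the findings worth acting on first. The embedded SAMPLE_REPORT is constructed for this example, with placeholder plugin IDs, placeholder CVE numbers and documentation IP addresses.

```python
"""Triage of a vulnerability-scanner report (added example, not Nessus code).

Assumes the NessusClientData_v2 XML layout that Nessus exports: one
<ReportHost> per host, one <ReportItem> per finding, severity 0 (info) to
4 (critical).  SAMPLE_REPORT is a constructed document with placeholder
plugin IDs and CVE numbers and documentation IP addresses, not real output.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-lab-scan">
  <ReportHost name="192.0.2.10">
   <HostProperties>
    <tag name="host-ip">192.0.2.10</tag>
    <tag name="operating-system">Ubuntu 10.04</tag>
   </HostProperties>
   <ReportItem port="1234" svc_name="www" protocol="tcp" severity="0"
     pluginID="100001" pluginName="Web server on non-standard port (placeholder)"/>
   <ReportItem port="25" svc_name="smtp" protocol="tcp" severity="3"
     pluginID="100002" pluginName="Outdated MTA version (placeholder)">
    <cve>CVE-0000-0001</cve>
    <cve>CVE-0000-0002</cve>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <HostProperties>
    <tag name="host-ip">192.0.2.11</tag>
    <tag name="operating-system">Windows Server 2008 R2</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
     pluginID="100003" pluginName="SMB signing not required (placeholder)"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="1"
     pluginID="100004" pluginName="Guest account enabled (placeholder)"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


@dataclass
class Finding:
    host: str
    os: str
    port: int
    protocol: str
    service: str
    severity: int
    plugin_id: str
    plugin_name: str
    cves: list = field(default_factory=list)


def parse_report(xml_text: str) -> list:
    """Flatten a NessusClientData_v2 document into Finding records."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a NessusClientData_v2 document")
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties carries host-ip, operating-system and similar tags
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.findall("ReportItem"):
            findings.append(Finding(
                host=props.get("host-ip", host.get("name", "")),
                os=props.get("operating-system", "unknown"),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                service=item.get("svc_name", ""),
                severity=int(item.get("severity", "0")),
                plugin_id=item.get("pluginID", ""),
                plugin_name=item.get("pluginName", ""),
                cves=[c.text for c in item.findall("cve") if c.text],
            ))
    return findings


def severity_summary(findings):
    """host -> Counter mapping severity level to number of findings."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f.host][f.severity] += 1
    return dict(summary)


def prioritized(findings, min_severity=2):
    """Findings at or above min_severity, worst first, CVE-bearing first within a level."""
    keep = [f for f in findings if f.severity >= min_severity]
    return sorted(keep, key=lambda f: (-f.severity, -len(f.cves), f.host, f.port))


def service_inventory(findings):
    """(host, port, protocol) -> service name; port 0 marks a host-level finding."""
    return {(f.host, f.port, f.protocol): f.service for f in findings if f.port != 0}


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    for host, counts in severity_summary(fs).items():
        print(host, ", ".join(f"{SEVERITY_NAMES[s]}={n}" for s, n in sorted(counts.items())))
    for f in prioritized(fs):
        print(f"  [{SEVERITY_NAMES[f.severity]}] {f.host}:{f.port}/{f.protocol}",
              f.plugin_name, " ".join(f.cves))
```

Run it on a real export by replacing SAMPLE_REPORT with the file contents; the service inventory is the part worth diffing between scans, since a new (host, port) pair appearing is often more telling than any single finding.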

OpenVAS

Official developer’s website: www.openvas.org

Distribution: Free (trial) version

Platform: Win / Unix / Mac

Although the Nessus source code has been closed, the Nessus 2 engine and some of its plugins are still distributed under the GPL license as the OpenVAS project (OpenSource Vulnerability Assessment Scanner). The project now develops quite independently of its big brother and is making good progress: the latest stable version was released just before this issue went to print.

Not surprisingly, OpenVAS also uses a client-server architecture in which all scanning is done by the server part, which runs only under *nix. To run it you need the openvas-scanner packages as well as the openvas-libraries set. The client for OpenVAS 3.0 is so far available only as a *nix GUI program, but I think that, as with previous versions, a Windows port will appear soon.

In any case, the easiest way to try OpenVAS is the well-known BackTrack LiveCD (version 4), where it is already installed. All the basic setup steps are available as menu items: OpenVAS Makecert (create the SSL certificate for accessing the server), Add User (create a user for accessing the server), NVT Sync (update the plugins and vulnerability databases), and finally OpenVAS Server (start the server). After that it only remains to run the client, connect to the server and start a pentest.

The openness and extensibility of OpenVAS have allowed the program to be extended considerably. Besides plugins for security analysis, it integrates many well-known utilities: Nikto for finding vulnerable CGI scripts, nmap for port scanning and more, ike-scan for detecting IPsec VPN hosts, amap for identifying services on ports by fingerprinting, ovaldi for OVAL support (a standard language for describing vulnerabilities), and many others.

XSpider 7

Official developer’s website: www.ptsecurity.ru/xs7download.asp

Distribution: Paid version

Platform: Win

The first lines of XSpider code were written on December 2, 1998, and in the 12 years since this scanner has become known to every Russian information security specialist. Generally speaking, Positive Technologies is one of the few companies on the domestic information security market whose employees actually know how to break something, not just sell services nicely.

The product was written not by programmers but by IS specialists who know what to check and how. The result is a very high quality product with one major drawback: XSpider has to be paid for. Free of charge, the developers offer a limited demo version that lacks a whole set of checks, including heuristic ones, as well as online updates of the vulnerability database. Moreover, the developers' efforts are now fully focused on another product, the MaxPatrol information security monitoring system, for which, alas, there is not even a demo version.

Even with all its limitations, XSpider is one of the most convenient and efficient tools for analyzing network and host security. As in Nessus, the scan settings are made up of a special set of rules, only here they are called Profiles rather than Policies. You can set both general network analysis parameters and the scanner's behaviour for specific protocols: SSH, LDAP and HTTP.

The type of daemon on each port is determined not by conventional port-number classification but by heuristic fingerprinting algorithms, enabled with one click in the scan profile. Full identification of RPC services (Windows and *nix) deserves special mention: it allows identifying vulnerabilities in various services and the computer's configuration in detail.
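Both the Nessus paragraph earlier (a web server moved from port 80 to 1234 still gets found) and XSpider's heuristic fingerprinting make the same point: a scanner must identify a service by how it behaves, not by its port number. The script below is an added example, not code from XSpider, Nessus or the original article. It connects to a port, waits briefly for a greeting (SSH, SMTP and FTP speak first), and otherwise sends a harmless HTTP request and classifies the answer. The local http.server started by start_demo_server() is a constructed stand-in for a web server on a non-standard port; the classification rules and the "unreachable"/"no-banner" labels are this example's own choices.

```python
"""Port-independent service identification (added example, not XSpider or
Nessus code).  Classifies a TCP service by its greeting or by its response
to a harmless HTTP request, so a web server moved to port 1234 is still
recognised as HTTP.  The http.server started by start_demo_server() is a
constructed stand-in for such a host, not a real target.
"""
import http.server
import socket
import threading

HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def classify(banner: bytes) -> str:
    """Map the first bytes a service sends to a service name."""
    if not banner:
        return "no-banner"
    if banner.startswith(b"HTTP/"):
        return "http"
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith((b"220 ", b"220-")):
        # FTP and SMTP both greet with 220; SMTP servers usually say so.
        return "smtp" if b"SMTP" in banner.upper() else "ftp"
    if banner.startswith(b"* OK"):
        return "imap"
    if banner.startswith(b"+OK"):
        return "pop3"
    return "unknown"


def identify_service(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect, wait briefly for a greeting, otherwise probe as an HTTP client."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            try:
                data = sock.recv(512)        # servers that speak first
            except socket.timeout:
                pass
            if not data:
                sock.sendall(HTTP_PROBE)     # servers that wait for the client
                try:
                    data = sock.recv(512)
                except socket.timeout:
                    data = b""
    except OSError:
        return "unreachable"                 # refused, filtered or timed out
    return classify(data)


class _QuietHandler(http.server.BaseHTTPRequestHandler):
    """Minimal HTTP responder for the demo; constructed, not a real target."""

    def do_GET(self):
        body = b"constructed demo server\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass                                  # keep the demo output quiet


def start_demo_server():
    """Start an HTTP server on an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> str:
    """Identify the demo server by behaviour alone; the port is unknown in advance."""
    server, port = start_demo_server()
    try:
        return identify_service("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("demo server identified as:", demo())
```

The same loop run over an inventory of (host, port) pairs gives a quick cross-check of a scanner's service table: anything the scanner labelled by port number but that answers as something else is worth a second look.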

The weak password scan performs optimized password matching against almost every service that requires authentication. The results are presented in a handy report, and every potential vulnerability found comes with a short description and an external link for details.

GFI LANguard

Official developer’s website: www.gfi.com/lannetscan

Distribution: Paid and Free (trial) version

Platform: Win

What I particularly like about this product is its set of preset scanning profiles. Besides the full remote system scan, which includes every available check (there is, by the way, a special version for slow links, for example slow VPN connections across the States), there are many individual groups of scans.

For example, you can quickly check dozens of hosts for vulnerabilities from the Top 20 compiled by the well-known security organization SANS. You can also enable a search for machines missing patches or service packs, select a profile for testing web applications, and so on. Besides the profiles aimed directly at finding vulnerabilities, there are also a number of auditing tools: banner search, a smart port scanner that can also spot connections opened by malware, computer configuration detection, etc. It turns out a lot of useful utilities can coexist in one product.

The GFI LANguard vulnerability database contains more than 15000 entries, allowing scans of a wide range of systems (Windows, Mac OS, Linux), including those installed in virtual machines. The scanner automatically pulls database updates, which in turn are generated from BugTraq, SANS and other sources.

As usual, you can implement your own checks. For that you get a special scripting language compatible with Python and VBScript and, for full comfort, a handy editor and debugger; in effect a real IDE. Another feature unique to LANguard is the ability to detect whether a machine is running in a virtual environment (VMware and Virtual PC are supported for now).

Retina Network Security Scanner

Official developer’s website: www.eeye.com

Distribution: Paid version

Platform: Win

The main disappointment with this legendary scanner befell me immediately after launching it. The installer of the latest version complained that Retina cannot yet run on Windows 7 or Windows Server 2008 R2. Not very polite; I had to open a virtual machine, but I knew it was worth it.

Retina is one of the best scanners for identifying and analyzing hosts on a local network. Physical and virtual servers, workstations and laptops, routers and hardware firewalls: Retina gives you a complete list of devices connected to the network, including information about wireless networks. It probes each of them in every way to detect even a hint of a vulnerability, and does so very fast: scanning a class C network takes about 15 minutes.

Retina detects operating system and application vulnerabilities as well as potentially dangerous settings and parameters. The result is a network overview showing potential vulnerabilities. According to the developers, the vulnerability database is updated hourly, and information about a vulnerability is added no later than 48 hours after the first bug report about it appears. In any case, the very fact that it is a product of the eEye factory is already a kind of quality guarantee.

Microsoft Baseline Security Analyzer

Official developer’s website: www.microsoft.com

Distribution: Free (trial) version

Platform: Win

What is it? A security analyzer from Microsoft that checks computers on the network for compliance with Microsoft's requirements, of which there are quite a few. The most important criterion is, of course, that all available updates are installed.

I need not remind you what Conficker did despite the MS08-067 patch, released two months before the outbreak. Besides missing patches, MBSA also detects some common configuration flaws.

The program downloads updates for its databases before scanning, so you can be sure Microsoft Baseline Security Analyzer knows about the latest Windows updates. The results of a scan (of a domain or a range of IP addresses) are summarized in a report.

Beyond the already clear report, the results can be placed on a network diagram and displayed in Visio. A special connector available on the program's website draws the nodes of the local network with symbols, fills in the object parameters, adds the scan information, and lets you see very conveniently what problems exist on each computer.

SAINT

Official developer’s website: http://www.saintcorporation.com

Distribution: Paid version

Platform: Unix

The trial key, sent to your e-mail address, hard-codes the only two IPs you may point SAINT at. Not one step to the left or right, but it is definitely worth trying even with these draconian restrictions. The scanner is controlled through a web interface, which is no surprise: SAINT solutions are also sold as rack servers (SANDbox), but here one has to follow fashion too.

With the ascetic web interface it is very easy to run tests and draw on years of accumulated experience in finding potential vulnerabilities. What's more: one of SAINT's modules, SAINT exploit, allows not only detecting but also exploiting vulnerabilities! Take the notorious MS08-067 bug. If the scanner finds an unpatched hole and knows how to exploit it, it places a link labelled EXPLOIT right next to the vulnerability description.

One click gives you a description of the vulnerability and, moreover, a Run Now button to launch it. Then, depending on the exploit, you are asked for various parameters, such as the exact OS version on the remote host, the shell type and the port on which it will listen. If the exploit succeeds, the Connections tab of the SAINT exploit module shows the IP address of the victim and the set of actions that have become available: working with files on the remote system, a command line, etc.!

Just imagine: a scanner that does the breaking itself! That is why the product slogan reads: "Examine. Expose. Exploit." The set of checks is very diverse, and the latest version, 7, adds a module for pentesting web applications and additional features for database analysis. Having specified a target through the web interface, you can monitor the scanner's actions in full detail, knowing exactly what it is doing and how at any moment.

X-Scan

Official developer’s website: http://www.xfocus.org

Distribution: Free (trial) version

Platform: Win

The last version of this scanner was released back in 2007, which does not stop it from being used today thanks to its system of plugins and scripts written in NASL, the same language used by Nessus/OpenVAS. Existing scripts are easy to find and edit: all of them live in the scripts folder.

To start the scanner, set the scan parameters via the Config -> Scan Parameter menu. The target may be a single IP or a range of addresses, but in the latter case be prepared for a long wait: the scanner, alas, is not the fastest.

Speed drops in proportion to the number of plugins enabled; the add-ons that check password strength for SSH/VNC/FTP are among the most voracious. Outwardly, X-Scan looks more like a home-made tool someone wrote for their own needs and released to the public for free. It might not be so popular were it not for its support of Nessus scripts, enabled with the Nessus-Attack-Scripts module.

One look at the scan report, though, and any doubts about the scanner's usefulness fade into the background. It may not be laid out according to any official IS standard, but it will certainly tell you a lot about the network.

Rapid7 NeXpose

Official developer’s website: www.rapid7.com

Distribution: Free (trial) version

Platform: Unix / Win

Rapid7 is one of the fastest-growing information security companies in the world. It recently acquired the Metasploit Framework project, and it is the company behind NeXpose.

The cost of "entry" to the commercial version is almost $3000, but for enthusiasts there is a Community version with somewhat reduced features. This free version integrates easily with Metasploit (version 3.3.1 or later is required).

The scheme is a little involved: first you start NeXpose, then the Metasploit console (msfconsole), and then you can start and configure scanning with a number of commands (nexpose_connect, nexpose_scan, nexpose_discover, nexpose_dos and others).

The most fascinating part is that you can combine NeXpose with other Metasploit modules. The simplest yet most effective example: find computers with a given vulnerability and immediately exploit it with the corresponding Metasploit module; auto-routing at a whole new level.
