Vulnerability scanning. Scanning for vulnerabilities: how to check your device and protect yourself from potential threats. Network vulnerability scanner: why you need it

Now it is time to get acquainted with another type of software designed to protect against Internet threats. Vulnerability scanners are complex solutions, implemented either in hardware or in software, designed to continuously check the state of a corporate network for the activity of viruses or suspicious processes. Their main task is to assess the security of processes, search for vulnerabilities and eliminate them.

A vulnerability scanner gives the administrator the ability to search for "holes" or "backdoors" in the network through which hackers and fraudsters could gain access to the company's network and confidential data. In addition, scanners include tools for examining running services and processes, as well as port scanners.

Based on this, the following functions of vulnerability scanners can be distinguished:

  • Search for vulnerabilities and their analysis.
  • Checking all resources on the network, devices, operating system, ports, applications, processes, etc.
  • Generate reports that identify the vulnerability, its propagation path and nature.

How do vulnerability scanners work?

The scanner is based on two mechanisms. The first is called probing. It is not very fast, but it is the most effective active analysis tool. Its essence is that the scanner launches attacks itself and observes how far they get. During probing, hypotheses are confirmed and it is established whether attacks can succeed in certain directions.

The other mechanism is scanning. Here the tool works quickly, but it performs only a superficial analysis of the network, looking for the most frequent and likely "holes" in its security. The difference of this second method is that it does not confirm the existence of a vulnerability but only notifies the administrator of its possibility, based on indirect signs. For example, ports are scanned, the service banners ("headers") behind them are determined, and these are compared with reference tables and rules. When the values do not match, the scanner reports that a potential vulnerability has been found, which the administrator should then verify by more reliable means.

Basic Principles of Vulnerability Scanners

  • Collection of all information about the network: identification of all services, devices and processes.
  • Search for potential vulnerabilities.
  • Use of specialized techniques and simulation of attacks to confirm the vulnerability (not available in all network scanners).

A selection of the best vulnerability scanners

Nessus. Quite a long time ago, back in 1998, Tenable Network Security began developing its own vulnerability scanner, so it has extensive experience and is far ahead in its field. Their scanner has been commercial software for many years. The key feature of Nessus is the ability to extend its functionality with plugins. Thus, heavy tests such as penetration tests are not installed together with the main module but are connected separately when needed. All plugins fall into 42 categories. This means that, for example, to conduct a pentest (penetration test) you do not have to run a full scan: you can select only the tests from a certain category, or pick tests manually. In addition, Nessus has its own scripting language so that administrators can write the tests they need.

Symantec Security Check. The main functions of this scanner are to search for worms, Trojans and viruses, and to scan the local network to detect infections. The product installs without difficulty and is controlled from a browser-based console. The solution includes two modules, SecurityScan and VirusDetection: the first deals with network scanning, the second scans and checks the device for viruses. Some experts advise using the Symantec solution only for additional scanning.

Xspider. According to the developer, the solution is able to identify a third of all possible "zero-day" vulnerabilities. Its main advantage is the ability to identify the maximum number of "holes" in the security system before hackers detect them. This scanner does not require additional software. After analysis it generates a full report with the vulnerabilities found and possible ways to eliminate them.

Rapid 7 NeXpose. Rapid 7 is statistically the fastest growing company of recent times. Not long ago the company acquired the Metasploit Framework project, which created the now popular NeXpose. To use the commercial version of the product you will have to pay a considerable amount for a license, but there is also a more accessible Community version with more limited functionality. The product integrates easily with Metasploit. The workflow of this solution is not simple: first you launch NeXpose, then the Metasploit control console, and only after that can you start scanning, which, moreover, is configured not through the control panel but with special commands. A special feature is the ability to run various Metasploit modules from NeXpose.

As you can see, there are plenty of them, and all of them are very dangerous for the systems they affect. It is important not only to update the system in time to protect against new vulnerabilities, but also to make sure that your system does not contain vulnerabilities that were fixed long ago and can still be exploited by hackers.

This is where Linux vulnerability scanners come in. Vulnerability analysis tools are among the most important security components of every company. Checking applications and systems for old vulnerabilities is a must. In this article we will look at the best open-source vulnerability scanners that you can use to detect vulnerabilities in your systems and programs. All of them are completely free and can be used both by ordinary users and by the corporate sector.

1. OpenVAS

OpenVAS, or Open Vulnerability Assessment System, is a complete open-source vulnerability scanning platform. The program is based on the source code of the Nessus scanner. Initially Nessus was distributed as open source, but then its developers decided to close the code, and in 2005 OpenVAS was created on the basis of the open version of Nessus.

The program consists of a server and a client part. The server, which does the main job of scanning systems, runs only on Linux, while client programs also support Windows; the server can also be accessed through a web interface.

The scanner engine has more than 36,000 different vulnerability checks and is updated daily with newly discovered ones. The program can detect vulnerabilities in running services and look for incorrect settings, for example a lack of authentication or very weak passwords.

2. Nexpose Community Edition

This is another open-source Linux vulnerability search tool, developed by Rapid7, the same company that released Metasploit. The scanner can detect up to 68,000 known vulnerabilities and perform over 160,000 network checks.

The Community version is completely free, but it is limited to scanning up to 32 IP addresses at a time and to a single user. The license must also be renewed every year. There is no web application scanning, but it supports automatic updating of the vulnerability database and obtaining vulnerability information from Microsoft Patch.

The program can be installed not only on Linux but also on Windows, and it is managed via a web interface, where you can set scan parameters, IP addresses and other necessary information.

After the scan is complete, you will see a list of vulnerabilities, as well as information about the installed software and operating system on the server. You can also create and export reports.

3. Burp Suite Free Edition

Burp Suite is a web vulnerability scanner written in Java. It consists of a proxy server, a spider, a tool for generating requests, and a tool for performing stress tests.

With Burp you can test web applications. For example, using the proxy server you can intercept and view the contents of passing traffic and modify it if necessary. This lets you simulate many situations. The spider helps you find web vulnerabilities, and the request generation tool helps you test the strength of the web server.

4. Arachni

Arachni is a full-featured, open-source web application testing framework written in Ruby. It allows you to assess the security of web applications and sites by performing various penetration tests.

The program supports scanning with authentication, header customization, User-Agent spoofing and 404 detection. In addition, it has both a web interface and a command-line interface, a scan can be paused and resumed, and in general everything works very quickly.

5. OWASP Zed Attack Proxy (ZAP)

OWASP Zed Attack Proxy is another comprehensive tool for finding vulnerabilities in web applications. It supports all the features standard for this type of program: you can scan ports, examine the structure of a site, look for many known vulnerabilities, and check how correctly repeated requests or malformed data are handled.

The program can work over HTTPS and also supports various proxies. Since it is written in Java, it is very easy to install and use. In addition to the basic features, there are many plugins that can greatly extend its functionality.

6. Clair

Clair is a Linux tool for finding vulnerabilities in containers. It maintains a list of vulnerabilities that can be dangerous for containers and warns the user if any of them are found on your system. It can also send notifications if new vulnerabilities appear that could make containers unsafe.

Each container is checked once and does not need to be running for the check. The program can extract all the necessary data from a stopped container. This data is stored in a cache so that the program can notify you about vulnerabilities discovered in the future.

7. Powerfuzzer

Powerfuzzer is a full-featured, automated and highly customizable web crawler that lets you check how a web application responds to invalid data and repeated requests. The tool supports only the HTTP protocol and can detect vulnerabilities such as XSS, SQL injection, LDAP, CRLF and XPath injection. It also tracks 500 errors, which can indicate a misconfiguration or even a more serious problem such as a buffer overflow.

8. nmap

Nmap is not really a Linux vulnerability scanner. It lets you scan the network, find out which hosts are connected to it, and determine which services are running on them. This does not give exhaustive information about vulnerabilities, but you can infer which software may be vulnerable and try to brute force passwords. It can also run special scripts that identify some vulnerabilities in specific software.

Conclusions

In this article we have covered the best Linux vulnerability scanners; they allow you to keep your system and applications safe. We have considered programs that scan both the operating system itself and web applications and sites.


Vulnerability scanning is the process of examining individual hosts or networks for potential threats.

The need to check security arises quite often, especially in large organizations that hold valuable information which cybercriminals may want.

Administrators of small networks should not neglect such scanning either, especially since in 2017 hundreds of thousands of computers were subjected to serious attacks by hackers.

Application of vulnerability scanners

To scan networks for weaknesses in their security, information security specialists use appropriate software.

Such programs are called vulnerability scanners.

They work by checking running applications and looking for so-called "holes" that outsiders could exploit to gain access to important information.

Competent use of software that can detect network vulnerabilities helps IT professionals avoid problems with stolen passwords and solve the following tasks:

  • search for malicious code that has entered your computer;
  • inventory of software and other system resources;
  • creation of reports containing information about vulnerabilities and ways to eliminate them.

The main advantage of the second option is not only the confirmation of problems that can be detected by a simple scan, but also the detection of problems that cannot be found with a passive technique. Verification is performed with the help of three mechanisms: header checks, active probing checks and attack simulations.

Checking headers

This mechanism, known in English as "banner check", consists of a number of scans and makes it possible to draw certain conclusions from the data that the scanned service sends back to the scanner in response to its request.

An example of such a check is scanning the banner of the Sendmail application, which makes it possible both to determine the software version and to verify the presence or absence of problems.

The technique is considered the simplest and fastest, but it has a number of disadvantages:

  • The efficiency of the check is not very high. Moreover, attackers can change the information in the headers by removing version numbers and other information that the scanner uses to draw conclusions. On the one hand, the likelihood of such a change is not very high; on the other, it should not be neglected.
  • The inability to determine exactly whether the data in the header is evidence of a vulnerability. This applies first of all to programs distributed with source code: when their vulnerabilities are fixed, the version numbers in the headers have to be changed manually, and sometimes the developers simply forget to do it.
  • The likelihood of a vulnerability reappearing in later versions of the program, even after it was eliminated in previous releases.

Nevertheless, despite these drawbacks and the lack of any guarantee of detecting "holes" in the system, header checking can be called not only the first but also one of the main stages of scanning. Moreover, it does not disrupt the operation of either services or network nodes.
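The header check described above, written out as an added Python example (not code from the original article or from any of the scanners it names): the product and version are read out of the service banner, compared against a rule table, and reported as no more than a potential finding. The rule table, the placeholder rule IDs, the version thresholds, the banner patterns and the sample banners are all constructed for this example; the three weak points listed above (stripped version, unrecognised product, vendor build with a possibly backported fix) each appear as a distinct outcome.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed rule table for the example: product -> (first fixed version, rule id).
# The IDs and version numbers are hypothetical placeholders, not real advisories.
RULES = {
    "Sendmail": ((8, 12, 10), "EXAMPLE-RULE-SENDMAIL"),
    "OpenSSH": ((7, 4), "EXAMPLE-RULE-OPENSSH"),
    "Apache": ((2, 4, 50), "EXAMPLE-RULE-APACHE"),
}

# How each product prints its version in a banner (patterns written for this example).
VERSION_PATTERNS = {
    "Sendmail": re.compile(r"Sendmail (\d+(?:\.\d+)+)"),
    "OpenSSH": re.compile(r"OpenSSH_(\d+(?:\.\d+)+)"),
    "Apache": re.compile(r"Apache/(\d+(?:\.\d+)+)"),
}

# Distribution suffixes that often mean security fixes are backported without
# bumping the upstream version, so the banner alone cannot prove the hole exists.
BACKPORT_HINTS = ("(Ubuntu)", "(Debian)", "(Red Hat", "(CentOS)")


@dataclass
class BannerFinding:
    port: int
    banner: str
    product: Optional[str] = None
    version: Optional[tuple] = None
    status: str = "unrecognized"  # unrecognized | unknown_version | not_flagged | potential
    rule: Optional[str] = None
    notes: list = field(default_factory=list)


def parse_version(text: str) -> tuple:
    """'8.12.9' -> (8, 12, 9); tuples compare numerically, unlike raw strings."""
    return tuple(int(part) for part in text.split("."))


def check_banner(port: int, banner: str) -> BannerFinding:
    """Header check: infer product/version from the banner and compare with RULES.

    The result is at most a *potential* vulnerability: the banner may be stripped,
    forged, or left at an old version number after a backported fix.
    """
    finding = BannerFinding(port=port, banner=banner)
    for product, pattern in VERSION_PATTERNS.items():
        if product not in banner:
            continue
        finding.product = product
        match = pattern.search(banner)
        if not match:
            # Product identified but the version was removed: nothing can be concluded.
            finding.status = "unknown_version"
            finding.notes.append("version not in banner; verify with active probing")
            return finding
        finding.version = parse_version(match.group(1))
        fixed_in, rule_id = RULES[product]
        if finding.version < fixed_in:
            finding.status = "potential"
            finding.rule = rule_id
            if any(hint in banner for hint in BACKPORT_HINTS):
                finding.notes.append("vendor build; fix may be backported without a version bump")
        else:
            finding.status = "not_flagged"
        return finding
    return finding  # no known product in the banner


def scan_banners(banners: dict) -> list:
    """Run the header check over a {port: banner} map, one finding per port."""
    return [check_banner(port, banner) for port, banner in sorted(banners.items())]


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    25: "220 mail.example.test ESMTP Sendmail 8.12.9/8.12.9; Mon, 1 Jan 2024",
    22: "SSH-2.0-OpenSSH_8.9p1",
    80: "Server: Apache",                    # version stripped by the administrator
    443: "Server: Apache/2.4.29 (Ubuntu)",   # old upstream number on a vendor build
    8080: "Server: nginx/1.24.0",            # no rule for this product
}

if __name__ == "__main__":
    for f in scan_banners(SAMPLE_BANNERS):
        print(f.port, f.product, f.status, f.rule, f.notes)
```

Every "potential" result still needs the second or third mechanism described below before it is treated as a real hole; the function deliberately never returns a "confirmed" state.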

Active probing checks

This technique, also known as "active probing check", is based not on header checks but on the analysis and comparison of digital "snapshots" of programs with information about already known vulnerabilities.

It works somewhat like an antivirus algorithm that compares scanned fragments with virus databases.

The same group of techniques includes checking the creation date of the scanned software or its checksums, which makes it possible to verify the authenticity and integrity of the programs.

To store information about vulnerabilities, specialized databases are used; they also contain information that helps eliminate the problem and reduce the risk of unauthorized access to the network.

This information is used both by security analysis systems and by software designed to detect attacks. In general, the active probing technique, used by large companies such as ISS, is significantly faster than other methods, although it is more difficult to implement than header checking.
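The checksum comparison mentioned above, as an added Python example (not code from the article or from any scanner it names): a snapshot of file hashes is taken as the trusted baseline, the tree is then altered in a constructed scenario, and the live state is compared with the baseline. The directory layout and file contents are made up for the example; in practice the baseline would be recorded at install time and stored away from the scanned host.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Take a 'snapshot' of a tree: {relative path: sha256}. Kept as the trusted baseline."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every difference between the trusted snapshot and the live tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "unchanged": sorted(p for p in baseline if current.get(p) == baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, alter it, run the integrity check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF original binary")
        (root / "etc" / "service.conf").write_text("auth = required\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_manifest(root)

        # Changes made after the baseline: a replaced binary, a weakened config,
        # a deleted file and an unexpected new file.
        (root / "bin" / "service").write_bytes(b"\x7fELF replaced binary")
        (root / "etc" / "service.conf").write_text("auth = none\n")
        (root / "etc" / "motd").unlink()
        (root / "bin" / "extra").write_bytes(b"#!/bin/sh\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {', '.join(paths) or '-'}")
```

The comparison tells the administrator what changed, not why; a "modified" binary is a finding to investigate against the vulnerability database and the change log, exactly as the text describes for snapshot-based probing.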

Simulated attacks

Another method, called "exploit check" in English, can be translated into Russian as "simulated attacks".

The check performed with its help is also a form of probing and is based on searching for program defects by actually triggering them.

The technique has the following features:

  • some security holes cannot be detected until a real attack against the suspicious services and nodes is simulated;
  • scanners check software headers during the simulated attack;
  • when scanning data, vulnerabilities are detected much faster than under normal conditions;
  • by simulating attacks you can find more vulnerabilities (if they are present) than with the two previous methods, and the detection rate is quite high, but using this method is not always advisable;
  • situations that do not allow "simulated attacks" to be launched fall into two groups: the threat of disrupting the service of the tested software, or the fundamental impossibility of attacking the system.

It is undesirable to use this technique if the objects of the scan are protected servers with valuable information.

An attack on such computers can lead to serious data loss and failure of important network elements, and the cost of restoring operability can be too serious, even taking into account.

In this case, it is advisable to use other methods of verification - for example, active probing or checking headers.

Meanwhile, some vulnerabilities in the list cannot be detected without attempting to simulate attacks; these include, for example, susceptibility to attacks such as "Packet Storm".

By default, such verification methods are disabled in the system.

The user has to enable them manually.

Scanning programs that use this third method include systems such as Internet Scanner and CyberCop Scanner. In the first application, these checks are grouped into a separate "Denial of service" category. When any check from this list is used, the program warns about the danger of a failure or reboot of the scanned node and points out that responsibility for starting the scan lies with the user.

The main stages of checking vulnerabilities

Most vulnerability scanning programs work like this:

1. Gather all the necessary information about the network, first identifying all active devices in the system and the software running on them. If the analysis is carried out only on one PC with the scanner already installed on it, this step is skipped.

2. Try to find potential vulnerabilities using special databases, comparing the information received with the already known types of "holes" in security. The comparison is done using active probing or header checking.

3. Confirm the vulnerabilities found using special techniques: imitation of a certain type of attack capable of proving the presence or absence of a threat.

4. Generate reports describing the vulnerabilities, based on the information collected during scanning.

The final stage of a scan is an automatic fix or an attempt to correct the problems. This feature is present in almost every system scanner but absent from most network vulnerability scanning applications.
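The four stages above, put together as an added Python example (not code from the article or from any scanner it names). Stage 1 is represented by a constructed inventory, stage 2 matches it against a hypothetical rule base, stage 3 is a confirmation hook that is switched off by default, mirroring the disabled-by-default exploit checks described earlier, and stage 4 produces the detailed and summary views that the section on report differences below describes. The product names, rule IDs, version numbers, addresses and the stand-in probe are all placeholders for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


# --- Stage 1 output: an inventory already gathered (constructed, not from a real network) ---
@dataclass(frozen=True)
class Service:
    host: str
    role: str          # "router" or "workstation": drives the network/local split
    port: int
    product: str
    version: tuple


INVENTORY = [
    Service("10.0.0.1", "router", 161, "snmpd", (1, 0)),
    Service("10.0.0.20", "workstation", 21, "ftpd", (2, 1)),
    Service("10.0.0.21", "workstation", 22, "sshd", (9, 0)),
]

# --- Stage 2 knowledge base: rule id -> (product, first fixed version, severity, remediation) ---
# Hypothetical entries; the ids and versions are placeholders for the example.
RULES = {
    "EX-SNMP-1": ("snmpd", (1, 5), "high", "upgrade snmpd and restrict the community string"),
    "EX-FTP-1": ("ftpd", (2, 2), "medium", "upgrade ftpd or disable anonymous login"),
    "EX-SSH-1": ("sshd", (8, 0), "low", "upgrade sshd"),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    service: Service
    rule: str
    severity: str
    remediation: str
    scope: str                 # "network" (router) or "local" (workstation)
    state: str = "potential"   # potential | confirmed | not_present


def match_rules(inventory: list, rules: dict) -> list:
    """Stage 2: compare the inventory (header/active-probing data) with the rule base."""
    findings = []
    for svc in inventory:
        for rule_id, (product, fixed_in, severity, fix) in rules.items():
            if svc.product == product and svc.version < fixed_in:
                scope = "network" if svc.role == "router" else "local"
                findings.append(Finding(svc, rule_id, severity, fix, scope))
    return findings


def confirm_findings(findings: list, probe: Optional[Callable] = None) -> list:
    """Stage 3: confirmation is off by default (probe=None), like exploit checks.

    A supplied probe decides per finding: True (confirmed), False (not present)
    or None (undecided, the finding stays potential)."""
    if probe is None:
        return findings
    for finding in findings:
        verdict = probe(finding)
        if verdict is True:
            finding.state = "confirmed"
        elif verdict is False:
            finding.state = "not_present"
    return findings


def build_report(findings: list) -> dict:
    """Stage 4: a detailed list for administrators and a count-per-severity summary."""
    active = [f for f in findings if f.state != "not_present"]
    detailed = [
        {"host": f.service.host, "port": f.service.port, "rule": f.rule, "severity": f.severity,
         "scope": f.scope, "state": f.state, "fix": f.remediation}
        for f in sorted(active, key=lambda f: (SEVERITY_ORDER[f.severity], f.service.host))
    ]
    summary = {}
    for f in active:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return {"detailed": detailed, "summary": summary,
            "suppressed": [f.rule for f in findings if f.state == "not_present"]}


def run_scan(inventory: list = INVENTORY, rules: dict = RULES, probe: Optional[Callable] = None) -> dict:
    return build_report(confirm_findings(match_rules(inventory, rules), probe))


def stand_in_probe(finding: Finding):
    """Constructed stand-in for a confirmation check: answers from a fixed table."""
    return {"EX-SNMP-1": True, "EX-FTP-1": False}.get(finding.rule)


if __name__ == "__main__":
    print(run_scan())                        # stages 1, 2 and 4 only
    print(run_scan(probe=stand_in_probe))    # with stage 3 enabled
```

Without a probe every finding stays "potential", which is the cheap first mode described in the section on administrator actions below; with one, a false positive such as the constructed EX-FTP-1 is suppressed from the report and listed separately.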

Differences in the operation of different programs

Some scanners classify vulnerabilities.

For instance, NetSonar divides them into network vulnerabilities, which can affect routers and are therefore more serious, and local ones, which affect workstations.

Internet Scanner divides threats into three levels: low, medium and high.

The same two scanners have a few more differences.

With their help, reports are not only created but also divided into several groups, each intended for a specific audience, up to the leaders of the organization.

Moreover, the former receive the maximum amount of numerical detail, while management receives well-designed graphs and diagrams with little detail.

The reports generated by the scanners include recommendations on how to eliminate the vulnerabilities found.

Most of this information is found in the output of Internet Scanner, which produces step-by-step instructions for solving the problem, taking into account the peculiarities of different operating systems.

The remediation mechanism is also implemented differently across scanners. In System Scanner there is a special script for this, which the administrator runs to fix the problem. At the same time a second script is created that can roll back the changes if the first one degraded performance or caused individual nodes to fail. Most other scanners have no way to revert changes.

Administrator actions to detect vulnerabilities

To find "holes" in security, the administrator can follow one of three approaches.

The first and most popular option is checking the network only for potential vulnerabilities. It gives a preliminary view of the system without disrupting the nodes and at maximum analysis speed.

The second option is scanning with verification and confirmation of vulnerabilities. It takes more time and can cause malfunctions in the software of networked computers while the attack simulation mechanism runs.

The third method involves the use of all three mechanisms (moreover, with the rights of both an administrator and a user) and an attempt to eliminate vulnerabilities on individual computers. Due to its low speed and the risk of disabling software, it is used less often, mainly when there is serious evidence of the presence of "holes".

Capabilities of modern scanners

The main requirements for a scanner that checks the system and its individual nodes for vulnerabilities are:

  • Cross-platform operation or support for multiple operating systems. With this feature you can scan a network consisting of computers with different platforms. For example, with or even with systems like UNIX.
  • The ability to scan multiple ports at the same time, which significantly reduces checking time.
  • Scanning all types of software that are usually susceptible to attacks from hackers. Such software includes the company's products and (for example, the MS Office suite of office applications).
  • Checking the network as a whole and its individual elements without having to start a scan for each node of the system.

Most modern scanning programs have intuitive menus and are fairly easy to customize according to the task at hand.

So almost every such scanner lets you compile a list of scanned nodes and programs, specify applications for which updates will be installed automatically when vulnerabilities are detected, and set the frequency of scanning and report generation.

After receiving the reports, the administrator can launch the fix from the scanner.

Among the additional features of scanners is traffic saving, achieved by downloading only one copy of the distribution package and distributing it to all computers on the network. Another important function is keeping the history of past checks, which lets you evaluate the operation of nodes over certain time intervals and assess the risks of new security problems.

Network vulnerability scanners

The range of scanners is quite large.

They all differ from each other in functionality, vulnerability search efficiency and price.

To assess the capabilities of such applications, it is worth considering the characteristics and features of the five most popular options.

GFI LanGuard

The manufacturer GFI Software is considered one of the leaders in the global information security market, and its products are included in the ratings of the most convenient and effective programs for vulnerability testing.

One such application for securing the network and individual computers is GFI LanGuard, whose features include:

  • quick assessment of the status of ports in the system;
  • search for unsafe settings on network computers and for programs, add-ons and patches whose installation is prohibited;
  • the ability to scan not only individual computers and servers but also the virtual machines in the system and even connected smartphones;
  • drawing up a detailed report based on the results of scanning, indicating vulnerabilities, their parameters and methods of elimination;
  • intuitive control and configurable automatic operation: if necessary, the scanner is launched at a set time and all fixes are applied without administrator intervention;
  • the ability to quickly eliminate found threats, change system settings, update permitted software and remove prohibited programs.

What distinguishes this scanner from most of its counterparts is that it installs updates and patches for almost any operating system.

This feature and other advantages of GFI LanGuard keep it at the top of the ratings of network vulnerability scanning programs.

At the same time, the cost of using the scanner is relatively small and affordable even for small companies.

Nessus

Nessus was first released 20 years ago, but it has been a paid product only since 2003.

Monetizing the project did not make it less popular: due to its efficiency and speed, every sixth administrator in the world uses this scanner.

The benefits of choosing Nessus include:

  • constantly updated database of vulnerabilities;
  • easy installation and user-friendly interface;
  • effective detection of security problems;
  • the use of plugins, each of which performs its own task, for example scanning Linux or running only header checks.

An additional feature of the scanner is the ability to use tests created by users with special software. At the same time, the program has two serious drawbacks. The first is the possibility of some programs failing when scanning with the "attack simulation" method; the second is a rather high cost.

Symantec Security Check

Security Check is a free scanner from Symantec.

Its functions include searching not only for vulnerabilities but also for viruses, including macro viruses, Trojans and Internet worms. In fact, the application consists of two parts: the Security Scan scanner, which deals with network security, and the Virus Detection antivirus.

The advantages of the program include easy installation and the ability to work through a browser. Among the disadvantages, users note its low efficiency: the versatility of the product, which also searches for viruses, makes it not very suitable for checking the network. Most users recommend using this scanner only for additional checks.

XSpider

The XSpider scanner is made by Positive Technologies, whose representatives claim that the program not only detects already known vulnerabilities but is able to find threats that have not yet been created.

The features of the application include:

  • effective detection of "holes" in the system;
  • the ability to work remotely without installing additional software;
  • creation of detailed reports with tips for troubleshooting;
  • updating the database of vulnerabilities and software modules;
  • simultaneous scanning of a large number of nodes and workstations;
  • saving the history of checks for further analysis of problems.

It is also worth noting that the cost of using the scanner is more affordable than Nessus, although higher than GFI LanGuard.

QualysGuard

The scanner is considered multifunctional and provides a detailed report with an assessment of the severity of each vulnerability, the time needed to eliminate it and the level of impact of the "threat" on the business.

Product developer Qualys, Inc. delivers the software to hundreds of thousands of consumers, including half of the world's largest companies.

Conclusions

Given the wide range of applications for scanning the network and its nodes for vulnerabilities, the administrator's work is greatly simplified.

The administrator no longer needs to start all the scanning mechanisms manually: it is enough to find a suitable application, select a scan method, configure it and follow the recommendations of the resulting report.

The choice of a suitable scanner should be based on the application's functionality, the effectiveness of its threat detection (judged by user feedback) and, which is also quite important, a price comparable to the value of the protected information.

A security scanner is a software tool for remote or local diagnostics of various network elements in order to identify vulnerabilities in them. The main users of such systems are professionals: administrators, security specialists and so on. Ordinary users can also use security scanners, but the information such programs produce is usually specialized, which limits its usefulness for an unprepared person. Security scanners make specialists' work easier by reducing the total time spent searching for vulnerabilities.

For comparison, five different scanners were selected in different price ranges and with different capabilities: ISS Internet Scanner, XSpider, LanGuard, ShadowSecurityScanner, X-Scan.

To compare such systems it is not enough just to run them. The number of supposedly checked vulnerabilities or their settings, the size of the program or its appearance cannot serve as criteria for evaluating the quality and functionality of a particular scanner. Therefore, to get a complete picture of how different security scanners work, it was decided to conduct a comparative test of their ability to identify vulnerabilities in seven different operating systems commonly used by large banks and financial institutions: AS/400, Solaris 2.5.1, Compaq/Tandem Himalaya K2006 (OS D35), Windows 2000 Server, Windows XP Professional, Linux RedHat 5.2, Bay Networks Router.

Versions of the tested scanners (the latest available at the time of testing):

  • ISS Internet Scanner 6.2.1 with latest updates
  • XSpider 6.01
  • LanGuard 2.0
  • ShadowSecurityScanner 5.31
  • XFocus X-Scan v1.3 GUI

Each scanner was tested twice to eliminate possible spurious errors, for example those related to a temporary network problem. All the data obtained was placed in a table that shows which vulnerabilities were found by which scanner. Yellow indicates vulnerabilities of moderate severity, which under certain circumstances can entail serious losses, and red indicates serious vulnerabilities, which can lead not only to serious losses but also to complete destruction of the system. After the table there is an assessment of the scanners with a calculation of the scan results.

Vulnerability Found Table:


ISS XSpider LanGuard SSS XF
AS / 400
Total ports found 16 25 6 15 8
21 / tcp: ftp X X X
X
X

X X
23 / tcp: telnet X X X X X
25 / tcp: smtp X X X X X
80 / tcp: httpd
IBM-HTTP-SERVER / 1.0
X X X X X
81 / tcp: httpd
IBM-HTTP-SERVER / 1.0



X
80 / tcp: httpd - view scripts
X


139 / tcp: netbios X X X X X
449 / tcp: as-servermap - view port map
X


2001 / tcp: httpd
IBM-HTTP-SERVER / 1.0

X
X
2001 / tcp: httpd - view scripts
X


9090 / tcp: httpd
JavaWebServer / 1.1

X
X
9090 / tcp: httpd - system directories
X


500 / udp: isakmp X



Icmp timestamp X




Solaris 2.5.1
Total ports found | ISS 18, XSpider 47, LanGuard 13, SSS 27, XF 9
7/tcp: echo | X X X X (4 of 5)
7/udp: echo | X X (2 of 5)
9/tcp: discard | X X X X (4 of 5)
13/tcp: daytime | X X X X X (5 of 5)
13/udp: daytime | X X (2 of 5)
19/tcp: chargen | X X X X (4 of 5)
19/udp: chargen | X X X (3 of 5)
21/tcp: ftp | X X X X X (5 of 5)
21/tcp: ftp - brute force passwords | X X X (3 of 5)
23/tcp: telnet | X X X X X (5 of 5)
25/tcp: smtp | X X X X X (5 of 5)
(unnamed finding) | X X (2 of 5)
37/tcp: time | X X X X (4 of 5)
53/udp: dns | X (1 of 5)
53/udp: dns - server supports recursion | X (1 of 5)
162/tcp: snmptrap | X X X (3 of 5)
161/udp: snmp | X X (2 of 5)
161/udp: snmp - access by any community | X (1 of 5)
161/udp: snmp - get Interface | X (1 of 5)
161/udp: snmp - get Routes | X (1 of 5)
512/tcp: exec | X X X X (4 of 5)
513/tcp: login | X X X X (4 of 5)
514/tcp: shell | X X X X (4 of 5)
515/tcp: printer | X X X X (4 of 5)
(unnamed finding) | X (1 of 5)
540/tcp: uucp | X X X X (4 of 5)
2049/tcp: nfsd | X X X X (4 of 5)
4045/tcp: nfsd - identification | X (1 of 5)
6000/tcp: | X X X X (4 of 5)
6790/tcp: httpd (Jigsaw/1.0a) | X (1 of 5)
10000/tcp: httpd (MiniServ/0.01) | X X (2 of 5)
32771/tcp: status - identification | X (1 of 5)
32772/tcp: rusersd - identification | X (1 of 5)
32773/tcp: ttdbserverd - identify and gain root privileges | X (1 of 5)
32774/tcp: kcms_server - identification | X (1 of 5)
32780/tcp: mountd - identify and get a list of resources | X (1 of 5)
32781/tcp: bootparam - identification | X (1 of 5)
65363/tcp: RPC | X (1 of 5)
Icmp timestamp | X (1 of 5)
False positives:
32771/tcp: status - getting root privileges | X (1 of 5)
Finger - buffer overflow | X X (2 of 5)

Compaq / Tandem himalaya K2006 (OS D35)
Total ports found | ISS 4, XSpider 5, LanGuard 3, SSS 5, XF 4
7/tcp: echo | X X X X (4 of 5)
21/tcp: ftp | X X X X X (5 of 5)
23/tcp: telnet | X X X X X (5 of 5)
23/tcp: telnet - login only by password | X (1 of 5)
79/tcp: finger | X X X X X (5 of 5)
Icmp netmask | X (1 of 5)
Icmp timestamp | X (1 of 5)

Windows 2000 Server
Total ports found | ISS 9, XSpider 9, LanGuard 7, SSS 7, XF 8
21/tcp: ftp | X X X X X (5 of 5)
(unnamed finding) | X (1 of 5)
21/tcp: ftp - anonymous login | X X X X X (5 of 5)
21/tcp: ftp - brute force passwords | X X X (3 of 5)
21/tcp: ftp - write access available | X X (2 of 5)
21/tcp: ftp - statistics collection is possible | X X (2 of 5)
80/tcp: httpd (MS IIS/5.0) | X X X X X (5 of 5)
80/tcp: httpd - buffer overflow | X (1 of 5)
135/tcp: Rpc | X X X X X (5 of 5)
500/udp: isakmp | X (1 of 5)
1027/tcp: sqlserver.exe - identification | X (1 of 5)
1433/tcp: Ms SQL | X X X X (4 of 5)
3389/tcp: Ms RDP | X X X X (4 of 5)
Icmp timestamp | X (1 of 5)
False positives:
1433/tcp: MsSQL - interception of administrative session | X (1 of 5)

Windows XP Professional
Total ports found | ISS 20, XSpider 15, LanGuard 4, SSS 11, XF 8
7/tcp: echo | X X X X (4 of 5)
7/udp: echo | X X (2 of 5)
9/tcp: discard | X X X X (4 of 5)
9/udp: discard | X (1 of 5)
13/tcp: daytime | X X X X X (5 of 5)
13/udp: daytime | X X (2 of 5)
17/tcp: qotd | X X X X (4 of 5)
17/udp: qotd | X X (2 of 5)
19/tcp: chargen | X X X X (4 of 5)
19/udp: chargen | X X (2 of 5)
135/tcp: Rpc | X X X X X (5 of 5)
139/tcp: NetBios | X X X X X (5 of 5)
139/tcp: NetBios - information | X (1 of 5)
445/tcp: MS Ds | X X X X X (5 of 5)
500/udp: isakmp | X (1 of 5)
540/udp: router | X (1 of 5)
1025/tcp: Rpc | X X X (3 of 5)
IcqClient | X (1 of 5)
1900/udp: upnp - buffer overflow | X (1 of 5)
123/udp: ntp | X X (2 of 5)
5000/tcp: httpd | X X (2 of 5)
Icmp timestamp | X (1 of 5)
False positives:
19/tcp: chargen - possible DOS attack | X X (2 of 5)

Linux RedHat 5.2
Total ports found | ISS 14, XSpider 14, LanGuard 12, SSS 12, XF 10
21/tcp: ftp | X X X X X (5 of 5)
21/tcp: ftp - buffer overflow | X X X (3 of 5)
21/tcp: ftp - default account with full access | X X (2 of 5)
23/tcp: telnet | X X X X X (5 of 5)
23/tcp: telnet - default account with full access | X (1 of 5)
25/tcp: smtp | X X X X X (5 of 5)
25/tcp: smtp - unauthorized sending mail | X (1 of 5)
25/tcp: smtp - local socket interception | X X (2 of 5)
53/tcp: dns | X X X X (4 of 5)
53/tcp: dns - determine bind version | X X (2 of 5)
110/tcp: httpd | X X (2 of 5)
139/tcp: NetBios | X X X X (4 of 5)
139/tcp: NetBios - getting information | X (1 of 5)
513/tcp: login | X X X (3 of 5)
513/udp: rwhod | X X X (3 of 5)
514/tcp: shell | X X X (3 of 5)
515/tcp: printer | X X X (3 of 5)
2049/tcp: nfsd | X X X (3 of 5)
7000/tcp: httpd (ConferenceRoom/IRC) | X X X (3 of 5)
8080/tcp: httpd (Apache/1.3.3 (Unix) (Red Hat/Linux)) | X X X X (4 of 5)
8080/tcp: httpd - directory listing | X X (2 of 5)
54321/tcp: httpd (ConferenceRoom/IRC) | X X (2 of 5)
Icmp timestamp | X (1 of 5)
False positives:
513/udp: rwhod - buffer overflow | X (1 of 5)
515/tcp: printer - buffer overflow | X (1 of 5)

Bay Networks Router
Total ports found | ISS 3, XSpider 3, LanGuard 2, SSS 2, XF 3
7/udp: echo | X X (2 of 5)
21/tcp: ftp | X X X X X (5 of 5)
23/tcp: telnet | X X X X X (5 of 5)
False positives:
9/udp: discard | X (1 of 5)
21/tcp: ftp - buffer overflow | X (1 of 5)
69/udp: tftp | X (1 of 5)
123/udp: ntp | X (1 of 5)
161/udp: snmp | X (1 of 5)
520/udp: routed | X (1 of 5)
Land DOS | X (1 of 5)

In order to make sense of the results and reach a conclusion, the following scoring system is proposed; it is more or less optimal (other options are possible, but they all come to much the same thing): for each vulnerability found, a certain number of points is added, depending on the severity of that vulnerability, and conversely, for reporting a false vulnerability, points are deducted:

  • serious vulnerability (+3 points)
  • moderate vulnerability (+2 points)
  • information (+1 point)
  • false serious vulnerability (-3 points)
  • false vulnerability of moderate severity (-2 points)
  • false information (-1 point)

Summary table (columns: ISS, XSpider, LanGuard, SSS, X-Scan; "N-(M)" means N points earned and M points deducted for false positives):

Target | ISS | XSpider | LanGuard | SSS | X-Scan
AS/400 | 9 | 14 | 6 | 9 | 7
Solaris 2.5.1 | 26 | 39-(3) | 11-(2) | 23-(2) | 11
Compaq / Tandem himalaya K2006 (OS D35) | 9 | 5 | 4 | 5 | 5
Windows 2000 Server | 9 | 16-(2) | 6 | 8 | 7
Windows XP Professional | 19-(2) | 18 | 5 | 10-(2) | 7
Linux RedHat 5.2 | 24-(3) | 24-(2) | 7 | 21 | 12
Bay Networks Router | 4-(8) | 4 | 3 | 3 | 3
Earned-(deducted) | 100-(13) | 120-(7) | 42-(2) | 79-(4) | 52
Total | 87 | 113 | 40 | 75 | 52
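The scoring rules above, applied to the article's own summary figures, as an added Python example (not code from the article or from any of the scanners compared). The per-target earned/deducted values are copied from the summary table; the `score_findings` input format (severity, confirmed) and the short sample run are constructed for illustration. Reconciling the columns this way is a useful check that a comparison's bottom line follows from its per-target data.

```python
"""Scoring model from the scanner comparison: +3/+2/+1 for a confirmed
serious/moderate/informational finding, the same amounts deducted for a
false one. Added example; summary figures are taken from the article."""

from collections import Counter

# Points per finding, as defined in the article. A false report costs the
# same magnitude in the other direction.
SEVERITY_POINTS = {"serious": 3, "moderate": 2, "information": 1}

SCANNERS = ("ISS", "XSpider", "LanGuard", "SSS", "X-Scan")

# (earned, deducted) per scanner for each target, copied from the article's
# summary table; "39-(3)" becomes (39, 3), a plain "26" becomes (26, 0).
SUMMARY = {
    "AS/400":                       [(9, 0), (14, 0), (6, 0), (9, 0), (7, 0)],
    "Solaris 2.5.1":                [(26, 0), (39, 3), (11, 2), (23, 2), (11, 0)],
    "Compaq/Tandem himalaya K2006": [(9, 0), (5, 0), (4, 0), (5, 0), (5, 0)],
    "Windows 2000 Server":          [(9, 0), (16, 2), (6, 0), (8, 0), (7, 0)],
    "Windows XP Professional":      [(19, 2), (18, 0), (5, 0), (10, 2), (7, 0)],
    "Linux RedHat 5.2":             [(24, 3), (24, 2), (7, 0), (21, 0), (12, 0)],
    "Bay Networks Router":          [(4, 8), (4, 0), (3, 0), (3, 0), (3, 0)],
}


def score_findings(findings):
    """Score one scanner's run on one target.

    `findings` is an iterable of (severity, confirmed) pairs (constructed
    format); `confirmed` is False for a false positive. Returns
    (earned, deducted) so both parts can be reported, as the article does.
    """
    earned = deducted = 0
    for severity, confirmed in findings:
        points = SEVERITY_POINTS[severity]
        if confirmed:
            earned += points
        else:
            deducted += points
    return earned, deducted


def totals(summary=SUMMARY):
    """Column-wise sums: {scanner: (earned, deducted, net)}."""
    earned = Counter()
    deducted = Counter()
    for rows in summary.values():
        for scanner, (e, d) in zip(SCANNERS, rows):
            earned[scanner] += e
            deducted[scanner] += d
    return {s: (earned[s], deducted[s], earned[s] - deducted[s]) for s in SCANNERS}


def ranking(summary=SUMMARY):
    """Scanners ordered by net score, best first."""
    net = totals(summary)
    return sorted(SCANNERS, key=lambda s: net[s][2], reverse=True)


if __name__ == "__main__":
    # Constructed sample run: two real serious findings, one real moderate
    # one and one false serious report earn 8 points and lose 3.
    sample = [("serious", True), ("serious", True),
              ("moderate", True), ("serious", False)]
    print("sample run (earned, deducted):", score_findings(sample))
    for scanner, (e, d, n) in totals().items():
        print(f"{scanner:9} earned {e:3}  deducted {d:2}  net {n:3}")
    print("ranking:", ranking())
```

Running it reproduces the article's bottom line (87, 113, 40, 75, 52) from the per-target rows, so the column sums and deductions in the summary table are internally consistent, and the ranking XSpider, ISS, SSS, X-Scan, LanGuard matches the conclusions drawn below.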

What is the result?

ISS Internet Scanner needs no introduction. It performed at its usual high level, though this time it ceded first place to XSpider.

XSpider proved to be the undisputed leader, far ahead of the competition, especially in finding vulnerabilities in Windows and Solaris, which is all the more pleasing given its small size and free distribution. It has one big disadvantage: very little information is displayed with the list of vulnerabilities, so the specialist using the program needs a high level of knowledge and professionalism.

LanGuard can hardly be called a security scanner. It works very well with NetBios, listing resources, services and users. This ability sets it apart from the other scanners, but it is its only distinguishing feature; that is where LanGuard's advantages end.

ShadowSecurityScanner practically keeps up with ISS, despite the large difference in price. The program has a simple interface similar to that of the Retina scanner. Detailed hints and instructions for fixing vulnerabilities make it easy to deal with problems. Cons: few recognized vulnerabilities, and much higher consumption of system resources while running compared with the other scanners.

X-Scan is a free scanner with capabilities similar to LanGuard's, but slightly better. Cons: a not very readable interface, and no comments at all on the vulnerabilities found.