Let’s start with the concept of a vulnerability scanner. A vulnerability scanner lets you check systems, applications and networks for vulnerabilities that an attacker could exploit to compromise your data and systems; it checks open ports, assesses what it finds and proposes a way to fix each vulnerability.
I have divided the scanner’s work into the following steps:
- Checking open ports, detecting running services and OS.
- Vulnerability detection.
- Security assessment.
- Writing a report.
- Exploitation of a vulnerability (requires permission from the administrator of the system being scanned, as it may itself cause a security breach).
Scanning types
Vulnerability scanning is one of the initial stages of a penetration test (pentest). Like a pentest or any other kind of testing, vulnerability scanning can be divided into several types. Let’s look at each of them through the lens of a vulnerability scanner:
WhiteBox. The scanner runs inside the analyzed network, which enables a more complete and thorough study of vulnerabilities: there is no need to “guess” the type of service or operating system. The advantage of this method is its full and thorough approach to the investigation; its disadvantage is that it is less like a real attack by an intruder.
BlackBox. The scanner runs from outside the network under investigation, so it has to work through publicly accessible interfaces. The application needs to analyze the open ports, “guess” the services, and detect vulnerabilities based on the information obtained. This variant is as close to the real situation as possible: the scanner has only an IP address or domain name as its initial data. On the downside, the applications used in the DMZ will remain undetected.
Of course, one can argue for a long time about the pros and cons of the different types of scanning, but hardly anyone will argue against the need for testing. Practice shows that a combination of both methods yields the best results, and it seems to me that it makes more sense to run the BlackBox scan first and the WhiteBox scan after it. By the way, we are now working on a service for clients that will allow infrastructure located in the Cloud4Y data center to be checked with BlackBox scanning. The service will help avoid the unpleasant incidents that happen when, through human error, ports were left open or other potentially dangerous “holes” were left in place.
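As an added illustration of the first two steps of the scanner’s work and of the “ports left open by human error” case (this is example code written for this article, not Cloud4Y’s service or any of the products discussed below), here is a minimal BlackBox-style check: connect to each port, record the banner the service volunteers, and flag any open port that is not on the host’s allowlist. The two listeners on 127.0.0.1 and their banners are constructed stand-ins so the example runs offline.

```python
import socket
import threading
from collections import namedtuple

# One open port: what the service volunteered on connect, and whether the port was allowlisted.
Finding = namedtuple("Finding", "port banner expected")

def scan_host(host, ports, expected_ports, timeout=0.5):
    """TCP connect check of each port. Closed or filtered ports fail to connect and are skipped;
    open ones are recorded with the banner they volunteer (SSH/SMTP/FTP do, HTTP waits: '')."""
    findings = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                try:
                    banner = s.recv(128).decode("utf-8", "replace").strip()
                except OSError:      # timed out or reset: a silent service, not a scan error
                    banner = ""
                findings.append(Finding(port, banner, port in expected_ports))
        except OSError:
            continue
    return findings

def report(findings):
    """One line per open port, with ports missing from the allowlist flagged."""
    return "\n".join(
        f"{f.port}/tcp open {'expected' if f.expected else 'UNEXPECTED'} banner={f.banner!r}"
        for f in sorted(findings))

def start_fake_service(banner):
    """Constructed stand-in for a real service: listens on loopback, sends a banner, hangs up."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            with srv.accept()[0] as conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """A loopback port that is closed right now (bind to 0, then release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")  # constructed banners, not real hosts
    stray = start_fake_service(b"220 mail ready\r\n")
    found = scan_host("127.0.0.1", [ssh, stray, unused_port()], expected_ports={ssh})
    print(report(found))
```

Against a real host the allowlist would come from the change record for that machine, and any UNEXPECTED line is the drift the service described above is meant to catch before an attacker does.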
Selecting the product – the basis for the service
To select a product intelligently, you need to set the criteria it must meet:
Mandatory:
- Free, or a paid version limited to what fits our parameters.
- High-quality detection of open ports.
- Works with IP addresses.
- Looks for vulnerabilities, with references to the CVE database, CVSS threat-level metrics or similar.
- Flexible customization.
- Report output.
Optional:
- Availability of technical documentation and technical forums.
- GUI.
- Report output in a convenient format.
- Sending results by email.
- API.
Not every product on the market meets such a set of criteria, especially in the free-software segment, but the task is there and we will find a solution. Let’s analyze what is currently fashionable in information security circles among free solutions. After searching and analyzing the options, we have chosen several products to investigate:
- OpenVAS.
- Tenable Nessus.
- Gobysec / Goby.
- Tsunami-security-scanner.
- Flan Scan.
- D9scan.
- RustScan.
- OWASP ZAP.
- W9Scan.
- Nmap.