The Vulnerability Scanner

The primary use for a vulnerability scanner is to perform a sanity check against the Attack Surface. The goal is to determine if there were any security issues missed during deployment or ongoing operations.

INFO

What is a Vulnerability Scanner?


A vulnerability scanner is software that can detect vulnerabilities and weaknesses within a network, system, or application. Although the concept may seem straightforward, the process itself is more complex.

For most organisations, having a thorough understanding of assets and conducting regular vulnerability scanning is the most cost-effective approach to getting security under control.

Once vulnerabilities are detected, it's time to evaluate and assess the risk. This allows you to priortise and work on mitigation (a fancy way of saying reduce the assessed risk).

With the big budget spending around cyber security, the humble vulnerability scanner can be passed over for buzzwords like threat intelligence, red teams, security analytics, threat hunting, and even penetration testing. All these technologies and processes have their place within a security strategy, but without a clear understanding of vulnerability exposure and potential attack surface, these can become a distraction.

"Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers."
– Center for Internet Security Control 4: Continuous Vulnerability Assessment and Remediation
Laptop with Matrix Imagery
A CONTINUOUS PROCESS

The Assessment Cycle


A vulnerability scanner is the tool that enables the vulnerability assessment process. There is no start and end to the security assessment process it is an ongoing effort.

New vulnerabilities are discovered in software on a daily basis and networks change. These two facts make the need for a continuous process essential.

TEST EVERYTHING

Vulnerability Scanner Capabilities


Due to the broad range of vulnerabilities that need to be assessed there are a wide range of different tools to perform different types of testing.

What can a vulnerability scanner detect?

  • Known Software Vulnerabilities (unpatched or unsupported software)
  • Insecure Configuration within Networks and Systems (poor default security or user error)
  • Default or Weak Passwords (a top access vector for attackers)
  • Web Application Vulnerabilities such as SQL injection (SQLi) and Cross Site Scripting (XSS)
  • Information Leaks (revealing too much configuration or other information can open doors for attackers)

With the wide range of types of vulnerabilities, there are a range of tools that can be used to detect these different vulnerability types.

Web Application Vulnerability Scanners

Web application scanning involves looking for insecure code that introduces vulnerabilities such as those from the OWASP Top 10. These vulnerabilities such as SQL Injection and Cross Site Script are not always in packaged software. Other than commercial applications these types of vulnerabilities can also be found in open source software and internally developed applications.

These types of scanners range from intercepting proxies such as the popular Burp Suite to the focused SQLmap a highly accurate SQL Injection testing tool. Enterprise level tools such as IBM Appscan (now known as HCL AppScan) also exist that spider an application searching for vulnerabilities. These tools are often used internally by large web application development teams as part of the secure software development life cycle (SDLC).

Network Vulnerability Scanners

A network vulnerability scanner can go very wide but will not necessarily go deep on all vulnerability types. With these types of scanners you can have a database of over 50'000 known vulnerabilities. These will attempt to detect old server versions that have known vulnerabilities, check for default credentials and scan for known scripts. A good example of a network vulnerability scanner is the open source OpenVAS system. We use this open source tool in our suite of hosted online vulnerability scanners. Other well known examples include the commercial Nessus, and NexPose from Rapid7.

A different example of a Network Vulnerability Scanner is the Nmap Port Scanner. This tool does not go as broad in its detection, but it is more focused on mapping open ports (services) across a network. An open port that should not be accessible can still be a vulnerability.

Running a network vulnerability scanner within your network is a useful way to understand how well systems management is undertaken within the organisation. Ideally, these types of Internal scans are conducted using a credentialed scan. The scanner has valid credentials and can log onto the systems it is testing to accurately assess whether known vulnerabilities within the software and operating system have been patched.

External vulnerability scans are often conducted from outside the network perimeter and assess the external exposure of the network. That is a picture of the network from an external attacker's point of view. These types of external scans are often used to complement Internal testing. Using a different vulnerability scanner for the Internal and External scanning is generally best practice as it ensures you get the best coverage of vulnerabilities. No vulnerability scanner is perfect as it all comes down to the database of checks and the ability for the scanner to accurately match the checks with the identified attack surface.

False positives are common with most vulnerability scanners, and they can take time to confirm, but a false negative is worse. In this case, rather than detecting a vulnerability that is not present, the scanner fails to identify an actual vulnerability. By using multiple tools you are better able to avoid missing the false negative.

Attack Surface Discovery

A key to keeping your vulnerability exposure under control is to have an accurate asset register. In theory, this should detail all the endpoints, services, and web sites. However, this is rarely the case even in an organisation with a mature security practice. An attack surface discovery process emulates the attacker and can identify gaps in the asset register.

Domain Profiler Example Result

Recently several tools have become available that go deep into the process of Attack Surface Discovery.

When presented with a target organisation, an attacker will want to discover as much about the target infrastructure as possible.

Using open source intelligence resources, as well as non-intrusive or passive reconnaissance techniques the attacker can quickly identify endpoints and web sites that belong to the target.

It is then a matter of mapping the attack surface and looking for vulnerabilities. This mapping moves from passive to active discovery with packets sent to the target network. Port scanning and visiting web sites to determine web applications in use are two examples of the mapping process.

The image shows a map of a target domain that was generated using the Domain Profiler tool. It works by querying large DNS datasets and other open source information to develop an attack surface mapping of a target domain.

Focused / Specialist Scanners

Outside of the broad categories outlined above are a large number of more focused tools. A few examples of these are tools such as Nikto (web server and site scanner), WPScan (a WordPress testing tool), Aircrack-NG (wireless network testing) or one of the hundreds of tools included in the Kali Linux distribution.

Smaller more focused tools have the advantage of being able to go deeper on the particular vulnerability class they are attempting to find. Another advantage is that it is easier to understand what is being tested, making manual testing and verification an easier process.

PENTEST

What about Penetration Testing?


Everyone knows about Penetration Testing, it is exciting and involves hiring people in dark hoodies .

Well not really. A penetration test is a simulated attack with the goal of actually breaking into a system, often with a goal or trophy to prove the access. The focus of the test is to gain access rather than find all the vulnerabilities across the attack surface.

For most organisations, penetration testing should not even be considered until the vulnerability assessment and remediation process is active and has had time to work. Once you have a handle on the vulnerabilities now is the time to think about Penetration Testing and the budget that goes with it. A penetration test is expensive, usually costing tens of thousands of dollars. Without an understanding of your vulnerability exposure you are wasting your money.

FRUIT PICKING

Finding the Low Hanging Fruit


The vulnerability scanner being an automated test, is not perfect. What it can do well is to find the low hanging fruit. Whether that is simple configuration errors, default passwords or systems that missed the latest patch. Attackers target the low hanging fruit because if simple gets you in door why waste time on more sophisticated attacks. Before having a Penetration Test performed, check the attack surface with vulnerability scanners. Remediate any issues found and make the penetration testers use more sophisticated attacks - in other words get your money's worth.

Laptop with Matrix Imagery
WHAT THEY SAY

We love the service and would like to upgrade our plan.
– John T. Security Analyst

OUR TOOLS

About our Hosted Tools


At Hacker Target, we host trusted open source security tools. This has a several benefits; a primary one being simplicity. There is nothing to install or maintain, all the software is hosted on our remote servers. Tools can be tested against your infrastructure and web sites in a couple of clicks. This makes it an excellent solution for small security teams, as well as a great tool kit for larger more mature security practices that can complement existing solutions.

In addition to the selection of vulnerability scanners we also have Free access to a number of IP Tools that can be used for troubleshooting, research and information gathering when conducting a security assessment.

Knowing what services are running on your systems, and being able to identify if and when any of those services change, is the first step in securing your network.

Scanner Description
Nmap Online Port Scanner Open ports are checked with the leading port scanning tool Nmap. A great tool to test firewall for open ports and services. Identification of services is performed through banner checks and other methods.
OpenVas Vulnerability Scanner Open network services are scanned and then analyzed for security vulnerabilities. The tool is plugin based with a database of over 20'000 known vulnerabilities. Reporting options include native html or an enhanced PDF option.
Nikto Web Server Scan Nikto tests web servers for vulnerable configurations, scripts that have security issues and other known problems.
WhatWeb Web Site AnalysisDiscover installed web technologies from an examination of the html code. Reveals content management systems, javascript frameworks, web servers, server side scripting, geolocation and more.
Drupal Security ScanTest Drupal Installation Security from an external perspective through a handful of simple web requests. Checks for basic security misconfiguration, analysis of links and other security problems can be found with this non-intrusive tool.
Joomla Security ScanTest Joomla Installation Security from an external perspective; both passive (non-intrusive) and active scanning modes. The active scan utilises the Joomscan open source tool to perform a deeper security audit of a Joomla installation. Similar to the WordPress Security Test.
WordPress Security ScanTest WordPress Security from an external perspective, use the passive scan option quickly assess a wordpress site and gather information. The active scan using the WPscan tool performs a more in depth check of plugins and other vulnerabilities. Information is compiled and placed into an easy read report with recommended security fixes and improvements.
Domain ProfilerAttack Surface Discovery is a primary objective when assessing an organsiation from the attackers perspective. Find external facing assets, networks and systems through analysis of open source intelligence. The Domain Profiler tool performs an initial overview of an organisation using a domain as the initial seed.

28 Tools and Vulnerability Scanners

7-day money-back guarantee. No questions asked.