

Vulnerability Scanner

Working out what you actually need from a vulnerability scanner is the key to getting value from these tools. From an introduction to expert tips, anyone tasked with security testing should get something from this overview.

What is a Vulnerability Scanner?

A vulnerability scanner is software that can detect vulnerabilities within a network, system or application. This is a simple definition for a not so simple process.

For the majority of organisations, a good understanding of your assets combined with regular vulnerability scanning is the best bang for buck in getting your security under control.

Once you know where the vulnerabilities are you can assess the risk and work on mitigation (a fancy way of saying reduce the assessed risk).

With the big budget spending around cyber security, the humble vulnerability scanner can be passed over for more sexy terms such as threat intelligence, red teams, security analytics, threat hunting and even penetration testing. All these technologies and processes might have their place within your security strategy but without an understanding of your vulnerability exposure these can be a distraction.

"Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers."

– Center for Internet Security Control 4: Continuous Vulnerability Assessment and Remediation

The Assessment Cycle

A vulnerability scanner is the tool that enables the vulnerability assessment process. That process has no start and no end; it is an ongoing effort.

New vulnerabilities are discovered in software on a daily basis, and networks change. These two facts make a continuous process essential.

Types of Vulnerability Scanner

Due to the broad range of vulnerabilities that need to be assessed there are a wide range of different tools to perform different types of testing.

What can a vulnerability scanner detect?

  • Known Software Vulnerabilities (unpatched or unsupported software)
  • Insecure configuration within Networks and Systems (poor default security or simply user error)
  • Default or weak passwords (a top access vector for attackers)
  • Web Application Vulnerabilities such as SQL injection (SQLi) and Cross Site Scripting (XSS)
  • Information Leaks (revealing too much configuration or other information can open doors for attackers)

Each of these vulnerability types calls for a different kind of tool; the main categories are described below.

Web Application Vulnerability Scanners

Web application scanning involves looking for insecure code that introduces vulnerabilities such as those in the OWASP Top 10. Vulnerabilities such as SQL Injection and Cross Site Scripting are not confined to packaged commercial software; they are just as likely to be found in open source software and internally developed applications.

These types of scanners range from intercepting proxies such as the popular Burp Suite, to focused tools such as sqlmap, a highly accurate SQL Injection testing tool. Enterprise level tools such as IBM AppScan also exist; these spider an application searching for vulnerabilities, and are often used internally by large web application development teams as part of the secure software development life cycle (SDLC).
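To make concrete what a web application scanner is looking for, here is an added example (not code from the original page, nor from sqlmap or any other tool named above). It puts a deliberately vulnerable lookup beside its parameterised fix, and then runs the two probes a scanner automates: an error-based probe (a lone quote breaks the statement) and a boolean-based probe (append an always-true and an always-false condition and compare responses). The in-memory SQLite table, the usernames and the `lookup_*` function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the example; not data from the original page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    con.commit()
    return con


def lookup_vulnerable(con, username):
    """Deliberately vulnerable: the parameter is concatenated into the SQL text,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, username):
    """Hardened form: a bound parameter is always data, never part of the statement."""
    return con.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def error_based_probe(lookup, con, base="alice"):
    """A lone quote only breaks the statement if the input reaches the SQL parser."""
    try:
        lookup(con, base + "'")
    except sqlite3.OperationalError:
        return True
    return False


def boolean_based_probe(lookup, con, base="alice"):
    """Append an always-true and an always-false condition to a known-good value.
    If the true case matches the normal response and the false case differs, the
    input is being evaluated as SQL. sqlmap's boolean-based blind technique
    automates this same comparison over many payload variants."""
    normal = lookup(con, base)
    if not normal:
        return False  # need a known-good response to compare against
    true_case = lookup(con, base + "' AND '1'='1")
    false_case = lookup(con, base + "' AND '1'='2")
    return true_case == normal and false_case != normal


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, "error-based:", error_based_probe(fn, db),
              "boolean-based:", boolean_based_probe(fn, db))
    # Classic tautology: dumps every row through the vulnerable query, nothing through the safe one.
    print(lookup_vulnerable(db, "x' OR '1'='1"))
    print(lookup_safe(db, "x' OR '1'='1"))
```

The error-based probe is what turns up as an "SQL error in page" finding; the boolean-based probe is the one that still works when the application hides errors, which is why scanners need a stable baseline response to compare against and why dynamic pages generate false positives.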

Network Vulnerability Scanners

A network vulnerability scanner goes very wide but will not necessarily go deep on every vulnerability type. These scanners can carry a database of over 50,000 known vulnerability checks. They attempt to detect old server versions with known vulnerabilities, check for default credentials and look for known vulnerable scripts. A good example of a network vulnerability scanner is the open source OpenVAS system, which we use in our suite of hosted online vulnerability scanners. Other well known examples include the commercial Nessus, Nexpose from Rapid7 and Retina.

A different kind of network scanner is the Nmap port scanner. It does not go as broad in its vulnerability detection, but is focused on mapping open ports (services) across a network. An open port that should not be accessible is itself a vulnerability.
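Port mapping pays off when it is repeated and compared, so that a port opening up or a service version changing is noticed. The following is an added example (not code from the original page or from the Nmap project) that parses two Nmap XML outputs and reports opened, closed and changed services. The two XML documents are constructed samples in the shape `nmap -sV -oX` writes; the addresses, ports and versions in them are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample scans in the shape of `nmap -sV -oX` output (not real scan data).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {(ip, proto, port): "name product version"} for every open port.

    Ports in any other state (closed, filtered) are ignored on purpose: a filtered
    port that later shows up open is exactly the change we want to surface.
    """
    services = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ident = ""
            if svc is not None:
                ident = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            services[(addr.get("addr"), port.get("protocol"), int(port.get("portid")))] = ident
    return services


def diff_scans(baseline, current):
    """Compare two parse_open_ports() results; keys are (ip, proto, port) tuples."""
    opened = sorted(k for k in current if k not in baseline)
    closed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return {"opened": opened, "closed": closed, "changed": changed}


def format_report(baseline, current):
    """Human readable lines. New ports on known hosts and entirely new hosts come first."""
    d = diff_scans(baseline, current)
    lines = []
    for ip, proto, port in d["opened"]:
        lines.append(f"NEW     {ip}:{port}/{proto} {current[(ip, proto, port)]}")
    for ip, proto, port in d["closed"]:
        lines.append(f"CLOSED  {ip}:{port}/{proto} {baseline[(ip, proto, port)]}")
    for ip, proto, port in d["changed"]:
        lines.append(f"CHANGED {ip}:{port}/{proto} {baseline[(ip, proto, port)]} -> {current[(ip, proto, port)]}")
    return lines


if __name__ == "__main__":
    for line in format_report(parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML)):
        print(line)
```

Keying on address, protocol and port (rather than on hostname) keeps the diff stable across DNS changes; a version string change on an existing port is reported separately, since it is usually a patch rather than an exposure.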

Running a network vulnerability scanner from within your network is a good way to understand how well systems management is undertaken within the organisation. Ideally these internal scans are credentialed scans: the scanner is given valid credentials and logs on to the systems it is testing, so it can accurately determine whether known vulnerabilities in the software and operating system have been patched, rather than inferring patch state from the network responses alone.

External vulnerability scans are conducted from outside the network perimeter and assess the external exposure of the network: a picture of the network from an external attacker's point of view. These external scans complement the internal testing. Using a different vulnerability scanner for the internal and external scanning is generally good practice, as it gives you the best coverage of vulnerabilities. No vulnerability scanner is perfect; it all comes down to the database of checks and the ability of the scanner to accurately match those checks against the identified attack surface.

False positives are common with most vulnerability scanners and take time to confirm, but a false negative is worse: rather than reporting a vulnerability that is not present, the scanner fails to identify one that is. Using multiple tools reduces the chance of a false negative slipping through.

Attack Surface Identification

A key to keeping your vulnerability exposure under control is an accurate asset register. In theory this should detail all the endpoints, services and web sites. In practice this is rarely the case, even in an organisation with a mature security practice. An attack surface discovery process emulates the attacker and can identify gaps in the asset register.

Recently a number of new tools have become available that go deep into the process of attack surface discovery. When presented with a target organisation, an attacker will want to discover as much about the target infrastructure as possible. Using open source intelligence resources, as well as non-intrusive or passive reconnaissance techniques, the attacker is able to quickly identify endpoints and web sites that belong to the target.

It is then a matter of mapping the attack surface and looking for vulnerabilities. This mapping moves from passive to active discovery, with packets sent to the target network. Port scanning and visiting web sites to determine the web applications in use are two examples of the mapping process.
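The useful output of passive discovery is the difference between what was found and what the asset register says you own. As an added example (not code from the original page or from any discovery tool it mentions), the script below reconciles a constructed asset register, which lists known hostnames and owned address ranges, against constructed discovery results of the kind DNS and certificate transparency lookups return. Hosts are sorted into: already registered, in our address space but missing from the register, unregistered, and registered but never seen. All names and addresses are illustrative.

```python
import ipaddress

# Constructed asset register: what the organisation believes it owns.
ASSET_REGISTER = {
    "hostnames": {"www.example.com", "mail.example.com", "vpn.example.com"},
    "networks": ["192.0.2.0/26", "2001:db8:1::/48"],
}

# Constructed discovery results, in the shape passive recon (DNS, certificate
# transparency, search engines) returns: (hostname, resolved address).
DISCOVERED = [
    ("www.example.com.", "192.0.2.5"),
    ("WWW.Example.COM", "192.0.2.5"),        # same host, different case and trailing dot
    ("mail.example.com", "192.0.2.20"),
    ("staging.example.com", "192.0.2.33"),   # our address space, but nobody registered the name
    ("old-cms.example.com", "192.0.2.70"),   # outside the /26: forgotten host on another range
    ("dev.example.com", "203.0.113.40"),     # unknown hosting, unknown owner
    ("cdn.example.com", "198.51.100.9"),     # probably a third party, but it carries our name
]


def normalise_host(name):
    """DNS names are case-insensitive and may carry a trailing dot; fold both away."""
    return name.strip().rstrip(".").lower()


def address_in_register(addr, networks):
    """True if addr falls inside any registered network (v4/v6 mismatches are False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def reconcile(register, discovered):
    """Sort discovered (host, ip) pairs into what the register already knows,
    names missing from it, hosts it has no trace of, and registered names
    that discovery never saw."""
    known_names = {normalise_host(h) for h in register["hostnames"]}
    networks = [ipaddress.ip_network(n) for n in register["networks"]]
    seen = {}
    for host, addr in discovered:
        seen.setdefault(normalise_host(host), set()).add(addr)

    result = {"registered": [], "name_missing": [], "unregistered": [], "not_seen": []}
    for host in sorted(seen):
        in_names = host in known_names
        in_nets = any(address_in_register(a, networks) for a in seen[host])
        if in_names:
            result["registered"].append(host)
        elif in_nets:
            result["name_missing"].append(host)   # address space is ours: register the name
        else:
            result["unregistered"].append(host)   # find the owner, or take it down
    result["not_seen"] = sorted(known_names - set(seen))  # stale entries or hidden services
    return result


if __name__ == "__main__":
    for bucket, hosts in reconcile(ASSET_REGISTER, DISCOVERED).items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

The "unregistered" bucket is the attack surface you are not scanning; the "not_seen" bucket is worth a look too, since a registered host that no external source can find may have been decommissioned without anyone updating the register.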

Focused Scanners

Outside of the broad categories outlined above are a large number of more focused tools. A few examples are Nikto (web server and site scanner), WPScan (a WordPress testing tool), Aircrack-ng (wireless network testing) or one of the hundreds of tools included in the Kali Linux distribution.

Smaller more focused tools have the advantage of being able to go deeper on the particular vulnerability class they are attempting to find. Another advantage is that it is easier to understand what is being tested, making manual testing and verification an easier process.

What about Penetration Testing?

Everyone knows about Penetration Testing, it is exciting and involves hiring people in dark hoodies.

Well not really. A penetration test is a simulated attack with the goal of actually breaking into a system, often with a goal or trophy to prove the access. The focus of the test is to gain access rather than find all the vulnerabilities across the attack surface.

For most organisations, penetration testing should not even be considered until the vulnerability assessment and remediation process is active and has had time to work. Once you have a handle on the vulnerabilities now is the time to think about Penetration Testing and the budget that goes with it. A penetration test is expensive, usually costing tens of thousands of dollars. Without an understanding of your vulnerability exposure you are simply wasting your money.

Finding the Low Hanging Fruit

The vulnerability scanner, being an automated test, is not perfect. What it does well is find the low hanging fruit, whether that is simple configuration errors, default passwords or systems that missed the latest patch. Attackers target the low hanging fruit because if something simple gets you in the door, why waste time on more sophisticated attacks? If you are going to pay for a penetration test, make the testers use the sophisticated attacks and get your money's worth.

About our Hosted Tools

At Hacker Target we host trusted open source security tools. This has a number of benefits; a primary one being simplicity. There is nothing to install or maintain, all the software is hosted on our remote servers. Tools can be tested against your infrastructure and web sites in a couple of clicks. This makes it an excellent solution for small security teams, as well as a great tool kit for larger more mature security practices that can complement existing solutions.

In addition to the selection of vulnerability scanners we also offer free access to a number of IP tools that can be used for troubleshooting, research and information gathering when conducting a security assessment.

Knowing what services are running on your systems, and being able to identify if and when any of those services change, is the first step in securing your network.
Nmap Online Port Scanner: Open ports are checked with the leading port scanning tool Nmap. A great tool to test a firewall for open ports and services. Identification of services is performed through banner checks and other methods.
OpenVAS Vulnerability Scanner: Open network services are scanned and then analysed for security vulnerabilities. The tool is plugin based, with a database of over 20,000 known vulnerability checks. Reporting options include native HTML or an enhanced PDF option.
SQL Injection Scanner: SQL Injection test of GET parameters on a URL, using the open source tool sqlmap. Attempts to determine the database version if SQL Injection is successful.
Nikto Web Server Scan: Nikto tests web servers for vulnerable configurations, scripts that have known security issues and other known problems.
WhatWeb Web Site Analysis: Discovers installed web technologies from an examination of the HTML code. Reveals content management systems, JavaScript frameworks, web servers, server side scripting, geolocation and more.
Drupal Security Scan: Tests Drupal installation security from an external perspective through a handful of simple web requests. This non-intrusive tool checks for basic security misconfiguration, analyses links and can find other security problems.
Joomla Security Scan: Tests Joomla installation security from an external perspective, with both passive (non-intrusive) and active scanning modes. The active scan uses the Joomscan open source tool to perform a deeper security audit of a Joomla installation. Similar to the WordPress Security Scan.
WordPress Security Scan: Tests WordPress security from an external perspective. Use the passive scan option to quickly assess a WordPress site and gather information; the active scan uses the WPScan tool to perform a more in depth check of plugins and other vulnerabilities. Information is compiled into an easy to read report with recommended security fixes and improvements.
BlindElephant Website Fingerprint: Determines the version of content management systems and other web frameworks using techniques based around fingerprinting installed files.