This article is about vulnerability scanners. Vulnerability scanning refers to scanning systems, network components, or applications, whether exposed to the outside world or hosted internally, for vulnerabilities or security weaknesses. Vulnerability scanners are the tools used to perform vulnerability scans. A vulnerability scanner has a database of vulnerabilities on which its scan of a remote host is based. The vulnerability database contains all the information required (service, port, packet type, potential exploit path, etc.) to check for a security issue. Scanners can check networks and websites for thousands of vulnerabilities, provide a list of issues ordered by risk, and also suggest a fix.
Vulnerability scanners can be used by:
- Security auditors when conducting security assessments.
- Malicious attackers or hackers with the intent to damage an asset or gain unauthorized access.
- The application development team before deploying the application in a production environment.
Some of the features included in popular scanners are:
- Maintain an updated database for the latest vulnerabilities.
- Ability to detect vulnerabilities with fewer false positives.
- Ability to scan multiple targets simultaneously.
- Ability to provide a detailed report with a pair of vulnerable requests and responses.
- Recommendations to fix vulnerabilities.
The vulnerability scanner is divided into four components:
- User Interface: This is the interface that the user interacts with to run or configure the scan. It can be a graphical user interface (GUI) or a command line interface (CLI).
- Scanning Engine: Scanning engines perform a scan based on installed and configured plugins.
- Scan database: The scan database stores the data required by the scanner. It may contain vulnerability information, plugins, vulnerability mitigation steps, CVE-ID (Common Vulnerabilities and Exposures identifier) mapping, scan results, etc.
- Report Module: The report module provides options for generating different types of reports such as detailed report, vulnerability list, graphical report, etc.
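To make the four components concrete, here is a minimal scanner skeleton in Python. It is an added example, not code from this article or from any of the scanners discussed: the plugin database, the plugin IDs (PLG-0001 and so on), the service names ExampleSSH and ExampleHTTPd, and the banners handed to the engine are all constructed placeholders rather than real advisories, and in a real scanner the banners would come from probing the host over the network rather than from a dictionary.

```python
from dataclasses import dataclass

# --- Scan database ----------------------------------------------------------
# The plugin/vulnerability database. Every entry here is a constructed
# placeholder (IDs, services, versions and text), not a real advisory.
@dataclass(frozen=True)
class Plugin:
    plugin_id: str
    service: str                 # service the check applies to
    affected_versions: tuple     # versions the check flags
    severity: str                # critical / high / medium / low
    description: str
    mitigation: str

SCAN_DB = (
    Plugin("PLG-0001", "ssh", ("1.0", "1.1"), "high",
           "ExampleSSH 1.0/1.1 accepts weak host-key algorithms (constructed)",
           "Upgrade ExampleSSH to 1.2 or later"),
    Plugin("PLG-0002", "http", ("3.0",), "critical",
           "ExampleHTTPd 3.0 path handling flaw (constructed)",
           "Apply the vendor patch; restrict exposure at the perimeter"),
    Plugin("PLG-0003", "http", ("3.0", "3.1"), "medium",
           "ExampleHTTPd discloses its version in the Server header (constructed)",
           "Disable server version disclosure"),
)

RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: Plugin
    evidence: str                # the banner that triggered the check

# --- Scanning engine --------------------------------------------------------
def parse_banner(banner: str):
    """Map a service banner to (service, version); None if unrecognised.

    Two constructed banner formats are understood:
      'SSH-2.0-ExampleSSH_1.1'  -> ('ssh', '1.1')
      'ExampleHTTPd/3.0'        -> ('http', '3.0')
    """
    if banner.startswith("SSH-") and "ExampleSSH_" in banner:
        return "ssh", banner.split("ExampleSSH_", 1)[1].strip()
    if banner.startswith("ExampleHTTPd/"):
        return "http", banner.split("/", 1)[1].strip()
    return None

def run_scan(host: str, open_ports: dict) -> list:
    """Run every plugin whose service matches each banner and return the
    findings ordered by risk. `open_ports` maps port -> banner; a real
    scanner would obtain the banners by probing the host."""
    findings = []
    for port, banner in open_ports.items():
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        service, version = parsed
        for plugin in SCAN_DB:
            if plugin.service == service and version in plugin.affected_versions:
                findings.append(Finding(host, port, plugin, banner))
    return sorted(findings, key=lambda f: (RISK_ORDER[f.plugin.severity], f.port))

# --- Report module ----------------------------------------------------------
def render_report(findings: list, detailed: bool = True) -> str:
    """Text report: a risk-ordered vulnerability list, optionally with the
    evidence and mitigation for each finding."""
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"[{f.plugin.severity.upper()}] {f.host}:{f.port} "
                     f"{f.plugin.plugin_id} - {f.plugin.description}")
        if detailed:
            lines.append(f"    evidence: {f.evidence}")
            lines.append(f"    fix: {f.plugin.mitigation}")
    return "\n".join(lines)

# --- User interface (a CLI stand-in) ----------------------------------------
if __name__ == "__main__":
    # Constructed target: the banners a probe of 'host-a' might return.
    sample_ports = {22: "SSH-2.0-ExampleSSH_1.1",
                    80: "ExampleHTTPd/3.0",
                    8080: "UnknownService/9"}
    print(render_report(run_scan("host-a", sample_ports)))
```

The engine never sends anything itself in this skeleton; the point is the separation of concerns: the database is data, the engine only matches, and the report module decides how much of the evidence to show.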
Scanning can be divided into two categories:
External: Certain assets are exposed to the Internet. Most organizations have port 80 or 443 open so that anyone on the Internet can reach their website. Many administrators assume that a perimeter firewall makes them secure, but this is not true in all cases. A firewall can block unauthorized access to the network according to the rules and policies defined for it, but what if an attacker finds a way to attack other systems through these open ports, such as 80 or 443? In that case the firewall may not be able to protect you, because by connecting to these ports the attacker has already crossed the firewall and is inside your network.
External scanning is important because it is necessary to detect vulnerabilities in those Internet assets through which an attacker can gain internal access. External scanning is performed by running a vulnerability scanner on the host from the Internet. It is always a good idea to remove open issues/vulnerabilities before they can be used and exploited by a malicious user or attacker.
Internal: Not all attacks originate from an external network. Hackers and malware can also be present in the internal network. There are several ways that someone can gain access to an internal network.
- This can be through malware or a virus that is downloaded to the network via the Internet or USB.
- It could be a disgruntled employee who has access to the internal network.
- It could be an external attacker who has gained access to the internal network.
Therefore, it is equally important to run a vulnerability scanner on the internal network. Internal scanning is performed by running a vulnerability scanner against critical network components from a machine that is part of the network. These critical components may include core routers, switches, workstations, web servers, databases, etc.
How often should I run the scan?
Lots of new vulnerabilities appear every day, and each newly discovered vulnerability raises the level of risk. That’s why it’s important to scan assets at regular intervals. Early identification of a security issue helps an organization close security holes and defend against attacks.
There is no defined number for how often to run a vulnerability scan. It varies from organization to organization. The frequency of scanning may depend on the following points:
Criticality of the asset: More critical assets should be scanned more frequently so that they can be patched against the latest vulnerabilities.
Exposure: Identify and scan components that are exposed to more users. This can include external or internal assets.
Modification in an existing environment: Any modification to an existing environment, be it adding a new component, asset, etc., should be followed by a vulnerability scan.
PCI and vulnerability scanner
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for maintaining a secure environment by all companies that process, store or transmit credit card information. The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to improve the security of the transaction process. PCI DSS requires all merchants accepting credit cards to conduct regular vulnerability scans to identify a potential security flaw in their merchant network and applications.
According to the PCI DSS Requirement and Security Assessment Procedures document:
11.2 Run internal and external network vulnerability scans at least quarterly and after each significant change to the network (such as installation of new system components, network topology changes, firewall rule modifications, product updates).
External scanning: PCI requires that all Internet-facing IP addresses be scanned for vulnerabilities. These checks should be performed outside the organization’s network. Scanning must only be performed by a PCI SSC Approved Scanning Vendor (ASV).
Internal Scanning: PCI requires vulnerability scanning for all internal components in the cardholder data environment. This provides an internal view of current security and points to a weakness that an attacker could exploit after gaining internal access. An internal scan must be performed by a qualified person and may not require an ASV.
External and internal scanning includes automated non-intrusive scanning using a vulnerability scanner to identify vulnerabilities in operating systems, devices and applications. Some of the scanners used by ASVs include Qualys and Nessus; we will look at each of them later in this article. Vulnerabilities reported by the scanner must be patched to comply with the standard. For external scanning, all vulnerabilities rated “medium” and higher must be patched; for internal scanning, only “critical” and “high” vulnerabilities need to be patched. This is followed by a rerun of the vulnerability scan to confirm the closure of the reported vulnerabilities. According to PCI DSS, PCI scans must be performed quarterly; most organizations scan more often to find the latest security flaws.
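The quarterly baseline, the change trigger and the per-scan-type severity thresholds described above can be turned into a small compliance helper. The following Python is an added example, not from this article or from PCI SSC: the 91-day quarter, the criticality intervals and the sample findings are assumptions made for the example, while the remediation thresholds per scan type are the ones the article states.

```python
from datetime import date, timedelta

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# PCI DSS 11.2 as quoted above: at least quarterly and after each significant
# change. 91 days is this example's working definition of a quarter (assumption).
QUARTER = timedelta(days=91)

# Shorter intervals for more critical assets. The article only says critical
# assets should be scanned more often; these day counts are assumed policy values.
CRITICALITY_INTERVAL = {
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": QUARTER,
}

# Remediation threshold per scan type, as stated in the article: medium and
# above for external scans, high and critical for internal scans.
REMEDIATION_THRESHOLD = {"external": "medium", "internal": "high"}


def next_scan_due(last_scan: date, criticality: str, changes_since_scan) -> date:
    """Date by which the next scan must run: the day of the earliest significant
    change since the last scan if there was one, otherwise the last scan plus
    the shorter of the quarterly baseline and the criticality interval."""
    if changes_since_scan:
        return min(changes_since_scan)
    return last_scan + min(QUARTER, CRITICALITY_INTERVAL[criticality])


def scan_due(today: date, last_scan: date, criticality: str, changes_since_scan) -> bool:
    """True once the due date has been reached or passed."""
    return today >= next_scan_due(last_scan, criticality, changes_since_scan)


def must_remediate(findings, scan_type: str) -> list:
    """Findings that block compliance for the given scan type."""
    threshold = SEVERITY_RANK[REMEDIATION_THRESHOLD[scan_type]]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]


def rescan_passes(findings, scan_type: str) -> bool:
    """A rescan confirms closure only when nothing at or above the threshold remains."""
    return not must_remediate(findings, scan_type)


if __name__ == "__main__":
    # Constructed sample findings from a hypothetical scan.
    sample = [{"id": "F-1", "severity": "medium"},
              {"id": "F-2", "severity": "low"},
              {"id": "F-3", "severity": "critical"}]
    print("next due:", next_scan_due(date(2024, 1, 10), "low", []))
    print("external must fix:", [f["id"] for f in must_remediate(sample, "external")])
    print("internal must fix:", [f["id"] for f in must_remediate(sample, "internal")])
```

Note that a significant change makes the scan due on the day of the change regardless of the interval, which is how the "after each significant change" clause overrides the calendar.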
Free vs. paid
There is no straight answer when it comes to deciding whether to use a free, open source vulnerability scanner or a commercial scanner. Many vulnerability scanners are available for download on the Internet; some are free and some are paid. The free versions of tools like Burp and Nessus are often used in penetration testing, but in some places the commercial version is mandatory. Free vulnerability scanners are a good place to start with your security, but they can have some limitations:
Scan coverage: Free scanners have limitations on scan coverage. The scan is high level and may not cover all parts of the application.
Accuracy: A free scanner may fail to identify or report an existing security flaw, which results in a false negative. This is a more serious problem than a false positive, where the scanner reports a problem that does not exist in the application.
Overall Attack and Input Payload Support: The attacks and input payload supported by free scanners are less compared to the paid version. The vulnerability and payload databases in the paid version are regularly updated to check for new vulnerabilities.
Support for detailed report: Many scanners support the reporting feature, but the free scanner may not generate a detailed report along with the request-response pair, the mitigation, and a link to download the patch.
Additional features: This includes an interactive management console for better monitoring, on-demand monitoring, professional software support, vulnerability management and compliance.
The best list
Nessus: Nessus is one of the most popular vulnerability scanners and is used for both authenticated and unauthenticated vulnerability scans. Along with network vulnerability scanning, it also supports external and internal PCI scanning, malware scanning, mobile device scanning, policy compliance auditing, web application testing, patch auditing, etc. It uses more than 70,000 plugins to scan the target host.
Nessus is available in two versions: the free or Home Feed version and the Professional version. The free version has some limitations, such as not being usable in a professional environment (i.e. at work), fewer plugins, no professional support, etc.
The user guide can be downloaded from http://static.tenable.com/documentation/nessus_6.4_user_guide.pdf
The Nessus scanner can be downloaded from http://www.tenable.com/products/nessus/select-your-operating-system
OpenVAS: The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools that offer a comprehensive and powerful solution for vulnerability scanning and management. It is open source and available for free. It has a client-server architecture with a web interface. The server component is used to schedule scanning and manage plugins, and the client component is used to configure scanning and report access.
Some of the features include:
Custom Plugin Support: The OpenVAS scanner supports custom plug-ins in which the user can write a plug-in using the Nessus Attack Scripting Language (NASL).
Authenticated scan: In an authenticated scan, the user provides the credentials of the target host so that the scanner can log in and search for vulnerabilities in the installed components (Adobe reader, Wireshark, etc.) of the host.
Report export: The OpenVAS scanner comes with several options for extracting the report. User can generate and download report in HTML, XML, TXT and PDF format.
Port scanning options: The OpenVAS scanner comes with several port scanning options, including TCP scan, SYN scan, and IKE scan to find IPsec VPN endpoints, etc.
Secure Scans: OpenVAS Scanner supports scanning with secure scan enabled. In this mode, the scanner will rely on the remote host’s banner instead of sending all payloads to the remote host. This is a good choice for a critical or old host that may fail during the default scan.
The OpenVAS scanner can be downloaded from http://www.openvas.org/download.html
Instructions for setting up and running OpenVAS on Kali Linux can be found at https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
QualysGuard: QualysGuard is a private cloud software as a service (SaaS). The web user interface can be used to log into the web portal and use the service from anywhere. The tool includes network discovery, asset mapping, vulnerability assessment, reporting and remediation tracking. Control of the internal network is provided by Qualys devices that communicate with the cloud system.
Qualys subscription plans can be found at https://www.qualys.com/qualysguard-subscription-plans/
After confirming the subscription, access to the cloud service is provided through the web portal. The web portal is located at https://qualysguard.qualys.com/qglogin/index.html
Burp Suite: Burp Suite is a Java-based tool for performing security testing of web applications. The various tools needed for testing are integrated into a single platform. It is available in free and commercial versions. The free version of Burp Suite has the following features:
- The intercepting proxy acts as a proxy server to capture and modify requests to the backend and the responses it returns.
- Burp Spider to crawl the pages and links of the target application.
- Burp Repeater to manipulate and resend a request multiple times.
- Burp Sequencer for analyzing session token randomness and strength.
- Burp Intruder to perform customized automated attacks to find and exploit vulnerabilities.
Some features are only available in the professional version. These features include:
- An advanced web application scanner that automatically detects web application vulnerabilities.
- The Burp extension mechanism, which allows you to write your own plugins to perform complex and customized tasks with Burp.
- Option to save the current state and use it later.
- Ability to generate a scan report.
Video tutorials can be found at https://portswigger.net/burp/tutorials/
You can download the free and professional versions of Burp Suite from https://portswigger.net/burp/download.html
OWASP ZAP: OWASP ZAP is an open source web application security assessment tool based on the Java platform. Key features include:
Capture Proxy: The capture proxy feature can be used manually to examine and manipulate the application and its parameters. It captures the request to the server so that the user can manipulate URLs, hidden parameters, headers, etc. to analyze the behavior and security of the application. Similarly, the response coming from the server can be modified.
Active and passive scanning: ZAP supports both active and passive scanning techniques. In passive scanning, the tool examines all requests and responses collected through the spider or proxy. This is done in the background, so it does not affect the actual testing. During an active scan, the scanner sends payloads to detect potential vulnerabilities. Active scanning can be controlled by the user, who can manually configure how aggressive the scan is.
- Option to save the current session and use it again later.
- Ability to generate a scan report. ZAP supports HTML reporting.
- Other features include a port scanner, a fuzzer, and WebSocket support.
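The passive scanning described above, rules run over traffic that has already been captured without sending anything further to the server, can be illustrated with a few checks over one captured response. The Python below is an added example, not ZAP's own code or rule set: the required-header list and its risk levels are assumptions made for the example, and both responses are constructed samples rather than captures from a real site.

```python
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

# Headers a passive check expects on a hardened response, with the risk level
# reported when one is missing. Both the list and the levels are assumptions.
REQUIRED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...], body).
    Header names are lower-cased; duplicates such as several Set-Cookie lines are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_cookie(value: str) -> list:
    """Alerts for a Set-Cookie value that lacks the Secure or HttpOnly attribute."""
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    alerts = []
    if "secure" not in attrs:
        alerts.append(("low", f"cookie '{cookie_name}' set without the Secure flag"))
    if "httponly" not in attrs:
        alerts.append(("low", f"cookie '{cookie_name}' set without the HttpOnly flag"))
    return alerts


def passive_scan(raw: str) -> list:
    """Run the passive rules over one captured response. Nothing is sent to the
    server; the input is the response as captured by the proxy or spider."""
    _, headers, _ = parse_response(raw)
    present = {name for name, _ in headers}
    alerts = []
    for header, risk in REQUIRED_HEADERS.items():
        if header not in present:
            alerts.append((risk, f"missing response header: {header}"))
    for name, value in headers:
        if name == "set-cookie":
            alerts.extend(check_cookie(value))
        elif name == "server" and any(ch.isdigit() for ch in value):
            alerts.append(("low", f"server version disclosed in Server header: {value}"))
    return sorted(alerts, key=lambda a: RISK_ORDER[a[0]])


# Constructed sample captures: a weak response and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/3.0\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for risk, message in passive_scan(WEAK_RESPONSE):
        print(f"[{risk}] {message}")
    print("hardened response alerts:", passive_scan(HARDENED_RESPONSE))
```

Because these rules only read what was captured, they can run on every response that passes through the proxy without changing the traffic the tester is generating, which is the property that makes passive scanning safe to leave on during manual testing.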
The user manual is available at https://github.com/zaproxy/zap-core-help/wiki
The OWASP ZAP tool can be downloaded from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Acunetix Web Vulnerability Scanner: Acunetix Web Vulnerability Scanner is an automated application security testing tool. It is specifically designed to scan web applications for security issues such as SQL Injection, Cross-site scripting, directory traversal, OS command injection, etc. The scanner allows the user to scan SANS top 20 or OWASP top 10 vulnerabilities. Acunetix is available in 2 versions i.e. Free and Commercial. The free version is a 14-day trial that scans all vulnerabilities, but the exact location will not be displayed. You can scan the acunetix test web page to view a sample of the vulnerability scan details. Installation is quite easy and straightforward. Key features include:
Scanner: The main component of Acunetix is the scanner. It is a fully customizable scanner where the user can configure the scanning according to their needs. It uses a scan profile where the user can define the types of vulnerabilities to be scanned. The scan time depends on the size of the application and the selected profile.
Vulnerability detection: In addition to scanning common web applications, Acunetix can scan HTML5/JS-based websites.
Scheduler: Acunetix allows you to schedule an inspection of one or more locations. This is a good feature where the user can schedule the scan to run at night or on weekends.
Site Crawler: Here we can configure the file types to be included or excluded when the crawler loads files and directories.
Subdomain Scanner: Acunetix can lookup a subdomain based on a DNS record.
Target Finder: Allows the user to scan a subnet and look for web services on ports like 80,443, etc.
HTTP Editor: This tool is used to create customized requests and responses to analyze specific vulnerabilities. This includes an encoder-decoder to encode or decode parameter values. It also allows you to edit request parameters like URL, cookie, request data, etc.
The user manual can be found at http://www.acunetix.com/resources/wvsmanual.pdf
A trial version of Acunetix Web Vulnerability Scanner can be downloaded from http://www.acunetix.com/vulnerability-scanner/download/
NetSparker: Again, Netsparker is a web application security scanner for detecting and exploiting vulnerabilities. One of the unique features of this scanner is the internal confirmation engine that tries to reduce false positives by successfully exploiting or testing in another way. If the scanner is able to exploit the problem, it will list the problem in the “Confirmed” section of the report. It comes in three versions i.e. Community, Standard and Professional. The community version is free to evaluate the product. The standard version is limited to 3 websites, which means we can only scan three websites. The professional version includes an unlimited number of sites to scan. The price list and comparison table can be found at https://www.netsparker.com/pricing/?ce=1.
Some of the features include:
- Ease of use: We can start a review by simply providing a website URL. More advanced options are available where the user can record a login sequence using a login macro to allow the scanner to log into the application while scanning. It supports forms authentication, NTLM/Basic/Digest authentication, and client certificate authentication. When the user selects this option, the scanner opens a new tab to record a login sequence that contains the user’s credentials. In the same configuration section, we can configure the scope of the scan and the vulnerabilities to be scanned.
- Browsing: The scanner comes with an advanced crawler where the user can browse new links and attack at the same time.
- Accuracy: As mentioned above, one of the unique features of the scanner is the internal confirmation module. This allows the scanner to reduce the number of false positives by safely exploiting the reported vulnerability. In case of abuse, the scanner marks the vulnerability as confirmed.
- Reporting: Netsparker supports a range of report formats, including a detailed scan report, a PCI compliance report, OWASP Top 10 reports, etc.
The user manual can be downloaded from https://netsparker.zendesk.com/entries/20938312-Download-PDF-Manual
A free version of the scanner is available at https://www.netsparker.com/web-vulnerability-scanner/download/
Standard and Professional versions of the scanner are available at https://www.netsparker.com/pricing/?ce=1
Vulnerability scanners are fast and can save you time, but we cannot completely rely on them. No tool can find every vulnerability in a network or web application. If possible, use multiple automated scanners to reduce the chance of false positives and false negatives. Web vulnerability scanners cannot find issues related to business logic in an application. These vulnerabilities are critical and require a manual approach. A good approach is to run a vulnerability scanner along with manual testing.
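Running several scanners and checking them against manual testing, as the paragraph above recommends, requires the findings to be correlated first. The Python below is an added example, not from this article or from any scanner product: it normalizes vulnerability names so that the same issue reported by two scanners counts once, ranks findings by how many scanners agree, and measures the merged output against a constructed list of manually confirmed issues. The scanner names, host and paths are placeholders. It also illustrates the false-positive versus false-negative distinction from the Free vs. paid section, including a business-logic flaw that no scanner reports.

```python
def normalize_type(name: str) -> str:
    """Map scanner-specific vulnerability names to one key, so that
    'SQL Injection' and 'sql-injection' both become 'sql_injection'."""
    return name.strip().lower().replace("-", " ").replace("_", " ").replace(" ", "_")


def finding_key(f: dict) -> tuple:
    """Identity of a finding: where it is and what class of issue it is."""
    return (f["host"], f["location"], normalize_type(f["type"]))


def merge_results(results: dict) -> dict:
    """`results` maps scanner name -> list of findings. Returns finding key ->
    set of scanners that reported it, so each issue appears once however many
    scanners flagged it."""
    merged = {}
    for scanner, findings in results.items():
        for f in findings:
            merged.setdefault(finding_key(f), set()).add(scanner)
    return merged


def triage(merged: dict) -> list:
    """Order merged findings by how many scanners agree. Findings reported by a
    single scanner are the first candidates for manual confirmation before they
    are treated as real."""
    rows = [(key, sorted(scanners)) for key, scanners in merged.items()]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


def evaluate(merged: dict, confirmed: list) -> dict:
    """Compare merged scanner output with issues confirmed by manual testing:
    false positives are reported but not confirmed, false negatives are
    confirmed but never reported by any scanner."""
    reported = set(merged)
    truth = {finding_key(f) for f in confirmed}
    tp = reported & truth
    fp = reported - truth
    fn = truth - reported
    return {
        "true_positives": len(tp),
        "false_positives": sorted(fp),
        "false_negatives": sorted(fn),
        "precision": len(tp) / len(reported) if reported else 0.0,
        "recall": len(tp) / len(truth) if truth else 0.0,
    }


# Constructed sample: two hypothetical scanners and the manual-test results.
SCANNER_RESULTS = {
    "scanner_a": [
        {"host": "app.example.test", "location": "/login", "type": "SQL Injection"},
        {"host": "app.example.test", "location": "/search", "type": "Cross-Site Scripting"},
    ],
    "scanner_b": [
        {"host": "app.example.test", "location": "/login", "type": "sql-injection"},
        {"host": "app.example.test", "location": "/files", "type": "Directory Traversal"},
    ],
}
MANUAL_CONFIRMED = [
    {"host": "app.example.test", "location": "/login", "type": "sql injection"},
    {"host": "app.example.test", "location": "/search", "type": "cross site scripting"},
    {"host": "app.example.test", "location": "/checkout", "type": "business logic"},
]

if __name__ == "__main__":
    merged = merge_results(SCANNER_RESULTS)
    for key, scanners in triage(merged):
        print(f"{key[1]:<10} {key[2]:<20} reported by {', '.join(scanners)}")
    print(evaluate(merged, MANUAL_CONFIRMED))
```

In the sample, the SQL injection at /login is reported by both scanners and needs the least confirmation effort, the directory traversal reported by only one scanner turns out to be a false positive, and the business-logic flaw at /checkout is a false negative for both tools, which is exactly the class of issue the paragraph says must come from manual testing.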
Getting a list of security errors by running a scanner is useless if you can’t do something about it. The scan should be performed by an experienced professional who can safely configure the scan, understand the findings, underlying risks and mitigation techniques.