
Thread: Vulnerability Scanners Part 1

  1. #1 | Junior Member | Join Date: Jan 2004 | Posts: 19

    Vulnerability Scanners Part 1

    Hello Everyone

    Well I searched for a tutorial on these I think 5 pages but didn't find any. I will try to put up a good one even though I don't do much writing..LOL

    Where did Vulnerability Assessment Scanners come from?

    Well IMHO, it all started with ISS and SATAN. ISS (Internet Security Scanner), which was written by a computer science student back in 1992 named Chris Klaus, looked for a few dozen common security holes and flagged them for the administrator to look at so they could be resolved. Most administrators, although a little nervous about this technology getting into the wrong hands, welcomed the new program. After all, this would save them a lot of work looking at logs, which most didn't even do.

    Next we have SATAN (Security Administrator Tool for Analyzing Networks). This tool, written by Dan Farmer and Wietse Venema, basically did the same thing as ISS except with a few advancements. First off, it had a much better scanning engine, a web-based interface, and a much larger assortment of checks. Unlike ISS, which was released without much attention, SATAN came to the masses like a media-crazed event of today. TIME magazine wrote an article about it, and CERT even issued an advisory on its abilities (CA-1995-06). This is what started the explosion of vulnerability scanners.

    What do they do?

    A vulnerability scanner in its basic form is a port scanner that has access to a database of vulnerabilities. This is the point that I was wanting to reach in this tutorial. This is where administrators get all secure in the comfort that everything is OK and being taken care of. This is how your more advanced hackers/crackers get into your network. Just keep in mind that these products must be constantly updated just like your AV programs (you DO update those, don't you?). If you add up all the known vulnerabilities (maybe 3,000 or 4,000), keeping a system up so it can properly identify and track ALL these product vulnerabilities is a fairly huge task. So I have listed below what basically is the guts of a vulnerability scanner.

    Vulnerability Data: These scanners have to have some kind of internal database of vulnerability information that helps to accurately identify remote system exposures.

    Scanning Mechanism: The technical part of a scanner lies in its capability to properly scan ports, identify services and subsystems, and compare this information with the data stored in the database.

    Reporting Mechanism: After performing all of this and finding a problem, it needs to report this so that the problem can be taken care of. This is usually the place that separates scanners. Some products are stronger than others when it comes to clearly stating what they've discovered.

    In part 2 I will cover what to look for when choosing a scanner!

    CyberSorcerer
    PCTech-Help - FREE computer help and ALL tutorials are VIDEO TUTORIALS. No hand written tutorials here.
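The three parts listed in the post (vulnerability data, scanning mechanism, reporting mechanism) as a toy scanner skeleton. This is an added example, not code from the thread or from any of the products named in it. Everything in it is constructed: the vulnerability database entries, the `EXAMPLE-` identifiers, the service names and the "banners" are in-memory sample data standing in for what a scanner would see after connecting to open ports, so nothing touches the network.

```python
"""Toy vulnerability scanner skeleton: vulnerability data, scanning mechanism,
reporting mechanism. Added example with constructed data; no real product,
advisory number or network traffic is involved."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str          # constructed identifier, not a real advisory number
    service: str          # service name the scanning mechanism must identify
    version_pattern: str  # regex matched against the identified version
    severity: str
    summary: str


# Vulnerability data: a constructed sample database. A real scanner's value
# lives here, and it goes stale unless it is updated.
VULN_DB = [
    VulnEntry("EXAMPLE-0001", "ftp", r"^1\.0\.\d+$", "high",
              "constructed: outdated ExampleFTPd release"),
    VulnEntry("EXAMPLE-0002", "http", r"^1\.3\.(\d|1\d|2[0-6])$", "medium",
              "constructed: outdated ExampleHTTPd release"),
]

# Constructed banners keyed by open port, as a port scanner would collect them.
SAMPLE_HOST = {
    21: "220 ExampleFTPd 1.0.3 ready",
    80: "Server: ExampleHTTPd/1.3.12",
    8080: "Server: ExampleHTTPd/2.0.1",   # newer version, no matching entry
    5432: "",                             # open port, no banner at all
}

# Service identification rules: (service name, regex capturing the version).
BANNER_PATTERNS = [
    ("ftp", re.compile(r"ExampleFTPd (\S+)")),
    ("http", re.compile(r"ExampleHTTPd/(\S+)")),
]


def identify_service(banner):
    """Return (service, version) from a banner, or None if unrecognised."""
    for service, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return service, match.group(1)
    return None


def scan(open_ports, db=VULN_DB):
    """Scanning mechanism: identify the service on each open port and compare
    it with the database. Returns (findings, unidentified_ports)."""
    findings = []
    unidentified = []
    for port, banner in sorted(open_ports.items()):
        ident = identify_service(banner)
        if ident is None:
            unidentified.append(port)   # the scanner cannot judge this port
            continue
        service, version = ident
        for entry in db:
            if entry.service == service and re.match(entry.version_pattern, version):
                findings.append((port, service, version, entry))
    return findings, unidentified


def report(findings, unidentified):
    """Reporting mechanism: one plain-text line per result, including the
    ports the scanner could not identify so they get a manual check."""
    lines = []
    for port, service, version, entry in findings:
        lines.append(f"[{entry.severity.upper()}] port {port} {service} {version}: "
                     f"{entry.vuln_id} {entry.summary}")
    for port in unidentified:
        lines.append(f"[UNKNOWN] port {port}: open but service not identified; "
                     f"manual check needed")
    return lines


if __name__ == "__main__":
    found, unknown = scan(SAMPLE_HOST)
    print("\n".join(report(found, unknown)))
```

Running `scan(SAMPLE_HOST, VULN_DB[:1])` instead, which stands in for an older copy of the database, silently drops the http finding on port 80 while the report still looks clean; that is the "you DO update those, don't you?" point from the post in miniature, and the `[UNKNOWN]` line for port 5432 is why a scanner report should list what it could not judge rather than only what it found.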

  2. #2 | Just a Virtualized Geek, MrLinus | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    I'm not sure if you are going to address this later on but I thought I'd comment for now.

    Might want to go a bit newer since, AFAIK, SATAN isn't supported. It would be better to use SARA as a more recent example of SATAN (there were two direct "children" of SATAN, SAINT and SARA. SAINT went commercial and SARA is still Open Source). SATAN won't have more recent vulnerabilities.

    Additionally, other tools like nessus are way different than ISS or SATAN incarnations.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3 | Junior Member | Join Date: Jan 2004 | Posts: 19
    Yes, I will be covering more up-to-date scanners. I wanted this to be basically an intro into where it started. Part 2 will be much bigger and more in-depth.

    One of the reasons I will go more in-depth is I believe admins relying strictly on these programs is the biggest problem today with un-fixed or un-patched networks.
    PCTech-Help - FREE computer help and ALL tutorials are VIDEO TUTORIALS. No hand written tutorials here.

  4. #4 | Senior Member | Join Date: Oct 2002 | Posts: 314
    This is a good start. You may want to address the fact that scanners initially started as standalone apps but now all seem to be adopting the client-server model (ISS 7 does this now, as does Foundscan, Nessus etc...) and what the pros/cons of this are. You also have appliances now that handle the scanning.

    You could also look at the specialist scanning tools such as database scanners and application scanners; you may end up with a very long post....

    I would try and drive home the point that relying on scanners alone does create a false sense of security, as they all seem to have different vulnerability databases and also seem to miss obvious holes, so manual checks are still required.
    Quis custodiet ipsos custodes
