Network security scanners: possibilities, principle of operation and advanced solutions. Scanning vulnerabilities: How to check the device and secure yourself from potential threats Search for vulnerabilities in the local network

The problem of the epidemic of network worms is relevant for any local network. Sooner or later, the situation may occur when a network or postal worm penetrates in LAN, which is not detected by an antivirus used. Network virus spreads through the LAN through not closed at the time of infection of the vulnerability of the operating system or through available for recording shared resources. Postal virusas follows from the title, applies by email provided that it is not blocked by the client antivirus and antivirus on mail server. In addition, the epidemic in the LAN can be organized from the inside as a result of an insider. In this article, we will consider practical techniques for the operational analysis of the LAN computers using various funds, in particular with the help of the author utilities AVZ..

Formulation of the problem

In the event of an epidemic detection or certain inset activity in the network, the administrator must quickly solve the minimum of three tasks:

• detect infected PCs on the network;
• find samples of a malicious program to send to the anti-virus laboratory and develop a counteraction strategy;
• take measures to block the spread of the virus in the LAN and its destruction on infected computers.

In the case of an insider activity, the main steps of the analysis are identical and most often reduced to the need to detect an established insider of foreign software on the LAN computers. As an example, this software can be called remote administration utilities, keyboard spies And various Trojans bookmarks.

Consider the solution of each of the tasks set.

Search for infected PCs

To search for infected PCs in the network you can use at least three techniques:

• automatic remote analysis of the PC - receiving information about running processes, downloaded libraries and drivers, search for characteristics - for example, processes or files with specified names;
• pC traffic examination with the help of a sniffer - this method is very effective for the collection of spam bots, postal and network worms, however, the main complexity in the use of sniffer is related to the fact that modern LAN is based on switches and, as a result, the administrator cannot monitor traffic monitoring all network. The problem is solved in two ways: running a sniffer on the router (which allows you to monitor the exchange of data of PC data with the Internet) and the use of monitoring functions of switches (many modern switches allow you to assign a monitoring port to which the traffic of one or more switch ports specified by the administrator duplicates;
• loading on the network - In this case, it is very convenient to use intelligent switches that allow not only to evaluate the load, but also to remotely disable the ports specified by the administrator. This operation It is essentially simplified if the network card administrator has data on which PCs are connected to the corresponding switcher ports and where they are located;
• the use of traps (Honeypot) - on the local network it is highly recommended to create several traps that will allow the administrator to detect the epidemic in a timely manner.

Automatic PC analysis on the network

Automatic PC analysis can be reduced to three main stages:

• conduct a full PC study - running processesloaded libraries and drivers, autorun;
• conducting an operational survey - for example, a search for characteristic processes or files;
• quarantine objects according to certain criteria.

All listed tasks can be solved using the AVZ author's utility, which is designed to run from the network folder on the server and supports the scripting language for automatic PC examination. To start AVZ on user computers you need:

1. Place AVZ in open to read a network folder on the server.
2. Create log and Qurantine subdirectories in this folder and allow users to record in them.
3. Run AVZ on LAN computers using the Rexec utility or the logon script.

The AVZ launch in step 3 should be made with such parameters:

\\\\ My_Server \\ Avz \\ Avz.exe priority \u003d -1 nw \u003d y nq \u003d y hiddenmode \u003d 2 script \u003d \\\\ My_Server \\ Avz \\ My_Script.txt

In this case, the PRIORITY \u003d -1 parameter lowers the priority of the AVZ process, the parameters NW \u003d Y and NQ \u003d Y switch the quarantine to the "Network Start" mode (in this case, a subdirectory name is created in the quarantine folder for each computer, the name of which coincides with the PC network name) , Hiddenmode \u003d 2 prescribes to prohibit the user with access to the GUI and AVZ management, and finally the most important parameter Script Specifies the full name of the script with commands that AVZ will run on the user's computer. The AVZ scripting language is quite simple for use and is focused solely on solving the tasks of the computer survey and its treatment. To simplify the script writing process, you can use a specialized script editor, which contains an operational tip, a wizard of creating typical scripts and verification means of the written script written without starting it (Fig. 1).

Fig. 1. AVZ script editor

Consider three typical scripts that can be useful during the fight against the epidemic. First, we will need a script for PC study. The task of the script is to study the system and create a protocol with results in a given network folder. The script has the following form:

ActivateWatchDog (60 * 10);

// Start Scan and Analysis

// System Study

ExecuteSysCheck (GetAvzdirectory +

'\\ Log \\' + getcomputername + '_ log.htm');

// Completion of AVZ

During the execution of this script in the LOG folder (it is assumed that it is created in the AVZ directory on the server and is available to user users) will be created by HTML files with the results of the network computer research, and to ensure uniqueness in the protocol name, the name of the computer under study is activated. At the beginning of the script, there is a command to turn on the guard timer, which will force the PCCC AVZ in 10 minutes if the script occurs during the execution of the script.

The AVZ protocol is convenient for studying manually, however, it is small for automated analysis. In addition, the administrator is often known the name of the malicious program file and only check for the presence or absence this file, if you have - put in quarantine for analysis. In this case, you can apply the script for the following type:

// Turning on the watchdog timer for 10 minutes

ActivateWatchDog (60 * 10);

// Search for malicious program named

Quarantinefile ('% windir% \\ smss.exe', 'suspicion of ldpinch.gen');

Quarantinefile ('% windir% \\ csrss.exe', 'suspicion on ldpinch.gen');

// Completion of AVZ

This script is activated by the QuarantineFile function, which makes an attempt by quarantine of these files. The administrator remains only to analyze the contents of the quarantine (QUARANTINE \\ network_word folder \\ Date_Carachina \\) for the presence of files placed in quarantine. It should be noted that the QuarantineFile function automatically blocks the room in quarantine files identified by the safe AVZ database or based on Microsoft EDS. For practical application, this script can be improved - to organize file names from an external text file, check the found files from AVZ bases and form a text protocol with the results of work:

// File search with specified name

function Checkbyname (FName: String): Boolean;

Result: \u003d FileExists (FName);

iF Result then Begin

case Checkfile (Fname) of

1: S: \u003d ', access to the file is blocked';

1: S: \u003d ', identified as Malware (' + GetLastchecktxt + ')';

2: S: \u003d ', suspected by a file scanner (' + getlastchecktxt + ')';

3: EXIT; // Safe Files ignore

ADDTOLOG ('File' + NormalFileName (FName) + 'has a suspicious name' + S);

// Addition specified File in quarantine

QuarantineFile (FName, 'suspicious file' + s);

SuspNames: TstringList; // List of suspicious file names

// Check files on the updated database

if FileExists (GetAvzdirectory + 'Files.db') Then Begin

SuspNames: \u003d TstringList.Create;

Suspnames.loadfromfile ('Files.db');

AddTolog ('Name Base Downloads - Number of Records \u003d' + INTTOSTR (Suspnames.Count));

// Search cycle

for i: \u003d 0 to suspnames.count - 1 Do

CheckByname (Suspnames [i]);

AddTolog ('' error download file name list ');

SaveLog (GetAvzdirectory + '\\ Log \\' +

GetComputerName + '_ Files.txt');

To work this script, you must create in the AVZ folder available to users to record Quarantine and Log directories, as well as the text file Files.db - each line of this file will contain the name of a suspicious file. File names may include macros, the most useful of which is% windir% (path to the Windows folder) and% Systemroot% (path to the System32 folder). Another direction of analysis can be an automatic study of the list of processes running on users' computers. Information on the running processes is in the system research protocol, but for automatic analysis it is more convenient to apply the following script fragment:

procedure ScanProcess;

S: \u003d ''; S1: \u003d '';

// update the list of processes

Refreshprocesslist;

AddTolog ('Number of processes \u003d' + INTTOSTR (getProcessCount));

// Received List Analysis Cycle

for i: \u003d 0 to GetProcessCount - 1 Do Begin

S1: \u003d S1 + ',' + extractname (I);

// Process search by name

iF POS ('Trojan.exe', LowerCase (GetProcessName (I)))\u003e 0 THEN

S: \u003d S + GetProcessName (i) + ',';

iF S.<> '' Then.

AddLinetotxtFile (GetAvzdirectory + '\\ Log _alarm.txt', DateTimetostr (NOW) + '' + GetComputerName + ':' + S);

AddLinetotxtFile (GetAvzdirectory + '\\ Log _all_Process.txt', DateTimetostr (NOW) + '' + GetComputerName + ':' + S1);

The study of processes in this script is made in the form of a separate SCANPROCESS procedure, so it is easy to place in your own script. ScanProcess procedure builds two list of processes: full list Processes (for subsequent analysis) and a list of processes that, from the point of view of the administrator, are considered dangerous. In this case, the process named 'trojan.exe' is considered to demonstrate as a dangerous. Information about hazardous processes is added to the text file _Alarm.txt, data about all processes is to the _all_process.txt file. It is easy to note that it is possible to complicate the script, adding to it, for example, checking the files of the database of secure files or check the names of the executable processes of processes by external base. This procedure is used in the AVZ scripts used in SmolenskEnergo: the administrator periodically studies the collected information and modifies the script, adding the processes of processes prohibited by program security policies, such as ICQ and MailRu.Agent, which allows you to quickly check the presence of prohibited software on the studied PC . Another application of the processes list is a PC search, which does not have a mandatory process, for example, antivirus.

In conclusion, consider the last of the useful analysis scripts - the script of the automatic quarantine of all files that are not recognized based on the basis of Safe AVZ and on the basis of Microsoft's EDS:

// Performing autocarentine

Executeautoquarantine;

Automatic quarantine is examined by running processes and downloaded libraries, services and drivers, about 45 ways of autorun, browser expansion modules and conductor, SPI / LSP handlers, schedule tasks, printing system handlers, and the like. A peculiarity of quarantine is that the files are added to the repeat control, so the autocartine function can be called repeatedly.

The advantage of automatic quarantine is that with its help, the administrator can promptly collect potentially suspicious files from all network computers to study them. The simplest (but very effective in practice) the form of studying files may be the test of the resulting quarantine by several popular antiviruses in the maximum heuristics mode. It should be noted that the simultaneous launch of autocartine on several hundreds of computers can create a high load on the network and on the file server.

Traffic study

The study of traffic can be carried out in three ways:

• manually with the help of sniffers;
• in semi-automatic mode - in this case, the sniffer collects information, and then its protocols are processed either manually or some software;
• automatically using intrusion detection systems (IDS) type SNORT (http://www.snort.org/) or their software or hardware analogs. In the simplest case, the IDS consists of a sniffer and the system analyzing the information collected by the snuffer.

The intrusion detection system is the optimal means, as it allows you to create sets of rules to detect an anomaly in network activity. The second advantage is as follows: most of the modern IDS allow you to place traffic monitoring agents on several nodes of the network - agents collect information and transmit it. In the case of the use of the sniffer, it is very convenient to use the Console Unix-Sniffer TCPDUMP. For example, to monitor activity by port 25 (SMTP protocol), it is sufficient to start a sniffer with a command line of the species:

tCPDUMP -I EM0 -L TCP PORT 25\u003e SMTP_LOG.TXT

In this case, the packages are captured through the EM0 interface; Information about captured packages will be saved in the file SMTP_LOG.TXT. The protocol is relatively simply analyzed manually, in this example, the analysis of activity by port 25 allows you to calculate a PC with active spam bots.

Honeypot application

As a trap (Honeypot), you can use an outdated computer, the performance of which does not allow it to be used to solve production tasks. For example, in the author's network as a trap successfully used Pentium Pro C 64 MB random access memory. To this PC, you should install the most common operating system in the LAN and select one of the strategies:

• Install the operating system without update packages - it will be an indicator of the appearance of an active network worm in the network operating any of the known vulnerabilities for this operating system;
• install the operating system with updates that are installed on other PC network - Honeypot will be analogous to any of the workstations.

Each of the strategies has both its advantages and disadvantages; The author basically applies the option without updates. After creating a Honeypot, you should create a disk image to quickly restore the system after damage to malicious programs. Alternatively, a disk image can be used to roll back the shadowuser changes and its analogues. Buing Honeypot, it should be noted that a number of network worms are looking for infected computers by scanning an IP range, counted from the IP address of an infected PC (common typical strategies - XXX *, XXX + 1. *, XXX-1 *) - Consequently, Ideally, Honeypot should be in each of the subnets. As additional elements of preparation, you must open access to multiple folders on the Honeypot system, and several sample files of various formats should be put in these folders, the minimum set is EXE, JPG, MP3.

Naturally, by creating a Honeypot, the administrator must track its work and respond to any anomalies discovered on this computer. As a means of registration of changes, the auditors can be applied, a sniffer can be used to register network activity. An important point It is that most of the Sniffers have the ability to configure the sending of the administrator's alert in the event of a detection of a given network activity. For example, in the COMMVIEW Sniffer, the rule implies the "Formula" instructions, which describes the network package, or the task of quantitative criteria (sending a more specified number of packets or bytes per second, sending packets to unidentified IP or MAC addresses) - Fig. 2.

Fig. 2. Creating and configuring network activity warning

As a warning, it is more convenient to use email messages sent to the administrator's mailbox - in this case, you can get operational alerts from all traps on the network. In addition, if the sniffer allows you to create several warnings, it makes sense to differentiate network activity, highlighting work with email, FTP / HTTP, TFTP, TELNET, MS NET, increased traffic more than 20-30 packages per second on any protocol (Fig. 3).

Fig. 3. Letter-notification sent
In case of detection of packets corresponding to the specified criteria

When organizing traps, it is not bad to place several vulnerable applicable on the network network Services Or install their emulator. The simplest (and free) is the authorship of the APS utility, which is not installed. The principle of APS is reduced to listening to the set of TCP and UDP ports described in its database and issuing a predetermined or randomly generated response (Fig. 4) at the moment of connection.

Fig. 4. Main Window Utilities APS

The figure shows the screenshot shot during the real response of APS in the LAN "Smolenskenergo". As can be seen in the figure, an attempt to connect one of the client computers by port 21 is recorded. An analysis of the protocols has shown that attempts are periodic, fixed by several traps on the network, which makes it possible to conclude a network scan to search and hack FTP servers by selecting passwords. APS conducts protocols and can send message administrators with reports on registered connections to controlled ports, which is convenient for operational network scan detection.

When creating HoneyPot, it is also useful to read online resources on this topic, in particular with the site http://www.honeynet.org/. In the Tools section of this website (http://www.honeynet.org/tools/index.html), you can find a number of tools for registering and analyzing attacks.

Remote removal of malicious programs

Ideally, after detecting samples of malware, the administrator sends them to the anti-virus laboratory, where they are promptly studied by analysts and the corresponding signatures are applied to the antivirus base. These signatures through automatic update Find on user PCs, and antivirus makes automatic removal of malicious programs without administrator intervention. However, this chain does not always work as it should be, in particular, the following causes of failure are possible:

• for a number of people independent of the administrator, the causes of the image may not reach the anti-virus laboratory;
• insufficient efficiency of the anti-virus laboratory - ideally for the study of samples and their introduction to the base goes no more than 1-2 hours, that is, within the working day, you can get updated signature databases. However, not all antivirus laboratories work so quickly, and updates can be waited for several days (in rare cases - even weeks);
• high performance of antivirus - a number of malicious programs after activation destroy antiviruses or violate their work in every possible way. Classic examples - introduction to hosts file Records blocking the normal operation of the anti-virus auto-update system, delete processes, services and drivers of antiviruses, damage to their settings, etc.

Consequently, in the listed situations will have to fight for malicious programs manually. In most cases, it is easy, since the contaminated PCs are known from the results of the study of computers, as well as the full names of malware files. It remains only to produce their distance removal. If a malicious program is not protected from removal, then it is possible to destroy it with the following AVZ script:

// Delete file.

DeleteFile ('file name');

ExecuteSSClean;

This script removes one specified file (or several files, since the deleteFile commands in the script may be an unlimited number) and then automatically clean the registry. In a more challenged case, the malicious program can be protected from deletion (for example, re-smearing its files and registry keys) or disguised by rootkit technology. In this case, the script is complicated and will have the following form:

// Anti-Court

SearchRotkit (True, True);

// Office Avzguard

SETAVZGUARDSTATUS (TRUE);

// Delete file.

DeleteFile ('file name');

// Enabling BootCleaner Logging

BC_LogFile (getAvzdirectory + 'Boot_clr.log');

// Import to the job BootCleaner list of files remote script

Bc_importdeletedlist;

// Activation BootCleaner

// Heuristic Cleaning System

ExecuteSSClean;

RebootWindows (True);

This script includes actively countering roottam, the use of the AvzGuard system (this is a malicious program activity block) and BootCleaner system. BootCleaner is a driver that removes the specified objects from kernelmode during a reboot, at an early system loading stage. Practice shows that a similar script is able to destroy the overwhelming majority of existing malicious programs. The exception is Malware, changing the names of their executable files with each reboot, - in this case, the files detected during the study can be renamed. In this case, the computer is necessary for manually or creating your own malware signatures (an example of an existing signal search script is described in AVZ Help).

Conclusion

In this article, we considered some practical methods of combating the LAN epidemic manually, without using antivirus products. Most of the described techniques can also be used to search for foreign PCs and Trojans on users' computers. If you have difficulty finding a malware or creating treatment scripts, the administrator can use the "Help" section of the forum http://virusinfo.info or the "Fighting Warming" section of the forum http://forum.kaspersky.com/index.php?showForum\u003d eighteen. Study of the Protocols and treatment assistance is carried out at both forums for free, the PC analysis is conducted according to AVZ protocols, and in most cases the treatment is reduced to the AVZ script infected PC, compiled by experienced forum data specialists.

I introduced in detail with various types of vulnerabilities, but now it's time to get acquainted with the scanners of these vulnerabilities.

Vulnerability scanners are software or hardware that serve to diagnose and monitor network computersallowing you to scan networks, computers and applications for detection possible problems In the security system, evaluate and troubleshoot vulnerabilities.

Vulnerability scanners allow you to check various applications in the system for the presence of "holes" that attackers can take advantage. Low-level means can also be used, such as port scanners, to identify and analyze possible applications and protocols running in the system.

Thus, scanners are aimed at solving the following tasks:

• identification and analysis of vulnerabilities;
• resource inventory such as operating system, software and network device;
• formation of reports containing a description of vulnerabilities and elimination options.

How it works?

Vulnerability scanners with their work use two main mechanisms.
First - Sounding is not too prompt, but accurate. This is an active analysis mechanism that launches imitation attacks, thereby checking the vulnerability. During the probe, the methods of implementing attacks that help confirm the presence of vulnerability and detect previously not identified "failures" are applied.

Second Mechanism - scanning - faster, but gives less accurate results. This is a passive analysis in which the scanner is looking for a vulnerability without confirming its presence using indirect signs. Using scanning are determined open ports and collected related headlines. They are further compared with the definition rules table network devices, operating system and possible "holes". After comparison network scanner Security reports on the presence or absence of vulnerability.

Most modern network security scanners work on principles:

• collection of network information, identification of all active devices and services running on them;
• detection of potential vulnerabilities;
• confirmation of selected vulnerabilities, for which specific methods are used and attacks are simulated;
• reporting;
• automatic elimination of vulnerabilities. Not always this stage It is implemented in network security scanners, but often occurs in system scanners.

The best scanners of vulnerabilities

Now let's analyze the most relevant scanners heading expert ratings.

Nessus.

The project was launched back in 1998, and in 2003 the developer of TENABLE NETWORK Security made a network security scanner commercial. A regularly updated base of vulnerabilities, simplicity in installing and use, a high level of accuracy is its advantages over competitors. A key feature is the use of plugins. That is, any penetration test is not sewn tightly inside the program, but is drawn up in the form of a plug-in plug-in. Addons are distributed on 42 of various types: To conduct a pensture, you can activate both separate plugins and all defined plugins - for example, to perform all local checks on the Ubuntu system. An interesting point - users will be able to write their own tests using a special scripting language.

Nessus is an excellent vulnerability scanner. But he has two drawbacks. The first - when the "Safe Checks" option is disabled, some vulnerabilities tests can lead to disorders in the operation of scanned systems. The second is the price. Annual license can cost 114 thousand rubles.

Symantec Security Check.

Free manufacturer's scanner of the same name. The main functions are the detection of viruses and Trojans, Internet worms, malicious programs, search for vulnerabilities on the local network. This is an online product consisting of two parts: Security Scan. which checks the security system and Virus Detection.performing a complete computer check for viruses. It is installed quickly and easily, works through the browser. According to the latest reviews, this network scanner is better to use for additional check.

XSpider.

The XSpider program, which, according to the Developer's application, can identify a third of the vulnerability of tomorrow. The key feature of this scanner is the ability to detect the maximum number of "failures" on the network even before they are seen hackers. In this case, the scanner works remotely without requiring an additional software. Having worked, the scanner sends a full report and tips on the elimination of "holes". The license cost for this scanner begins from 11 thousand rubles for four hosts per year.

QUALYSGUARD

Multifunctional scanner of vulnerabilities. It provides extensive reports that include:

• assessment of the criticality level of vulnerabilities;
• estimating the time required to eliminate them;
• checking the degree of their impact on business;
• analysis of security trends.

The QUALYSGUARD cloud platform and the built-in set of applications allow enterprises to simplify the security process and reduce the cost of compliance with various requirements, while giving important information About security and automating the entire spectrum of audit tasks, complex control and protection of IT systems and web applications. With this software You can scan corporate websites and receive automated notification and reports for timely detection and elimination of threats.

Rapid 7 Nexpose

Rapid 7 is one of the fastest growing companies specializing in information security in the world. It was she who recently acquired the project Metasploit Framework, and it was her hand that the Nexpose project. The cost of "entry" for the use of the commercial version is without a small $ 3000, but for enthusiasts there is a community version with a slightly trimmed possibilities. Such free version Easily integrates with metasploit. The work scheme is quite tricky: Nexpose starts first, then Metasploit Console (MSFCONSOLE), after which you can run the scanning process and adjust it with a number of commands (Nexpose_Connect, Nexpose_Scan, Nexpose_Discover, Nexpose_DOS and others). You can combine the functionality of Nexpose and other Metasploit modules.

X-Scan.

Externally, X-SCAN is more reminded by a self-made self-made as someone for their own needs and pushed into a public on free swimming. It may not have received such popularity if not supporting the Nessus scripts that are activated using the Nessus-Attack-Scripts module. On the other hand, it is worth a scanning report, and all doubts about the usefulness of the scanner are departed into the background. It will not be issued according to one of the official standards of IB, but will definitely tell a lot about the network.

Each of the team] [- its preferences in terms of software and utilities for
Pentest. Having consisted, found out: the selection varies so much that you can make
Real Gentlemansky Set of Verified Programs. On that and decided. To
Do not do the Solunka team, we broke the entire list on topics. Today we will touch
The holy of holy of any pengester is a scanner of vulnerabilities.

Nessus.

Website:
www.nessus.org/plugins/index.php.
Distribution: FREE / Shareware
Platform: WIN / * NIX / MAC

If someone has not tried Nessus., at least heard about him.
One of the most famous security scanners has a rich history: being
Once open project, the program has ceased to spread in open
source code. Fortunately, the free version remained, which was originally
It is very deprived of access to updates for the base of vulnerabilities and new plugins,
But later, the developers were compressed and only limited it in the frequency of updates.
Plugins - key feature of the application architecture: any test for
penetration is not sewn tightly inside the program, but is issued as
plug-in plugin. Addons are distributed on 42 different types:
Pentend, you can activate both separate plugins and all plugins.
a certain type - for example, to perform all local checks on
Ubuntu system. And no one limits you in writing your own tests.
On penetration: For this, special scripting language was implemented in Nessus
- NASL (Nessus Attack Scripting Language) who later
Borrowed other utilities.

Even greater flexibility, developers have achieved, separating the server part of the scanner,
performing all actions from the client program representing not
more than graphic interface. In the last 4.2 version of the demon on 8834 port
opens a web server; You can control the scanner through convenient interface on the
Flash "e, having one browser only. After installing the scanner, the server starts
automatically as soon as you specify the key to activate: you can free
Request it on a home website Nessus.. True, for the entrance, and local
and remote, you will need to pre-create a user: in Windows it is
It is done in two mouse clicks through the Nesus Server Manager GUI-admin, with her
You can start and stop the server.

Any penetration test begins with the creation of the so-called Policies -
Rules that the scanner will stick during scanning. Here and
Selected port scanning (TCP Scan, UDP Scan, Syn Scan, etc.),
the number of simultaneous connections, as well as typical pure for Nessus.
Options, such as Safe Checks. The latter includes a safe scanning,
Deactivating plugins that can harm the scanned system. An important step
In the creation of rules is the connection of the necessary plug-ins: you can activate integers
Groups, Say, Default Unix Accounts, DNS, Cisco, Slackware Local Security
Checks, Windows, etc. Choosing possible attacks and checks - huge! Distinctive
The feature of Nessus is smart plugins. Scanner will never scan the service only
By his port number. Moving a web server from the standard 80th port, let's say
On the 1234th, to deceive Nessus will not be able - it will determine this. If on the FTP server
An anonymous user is disabled, and part of plugins use it to verify,
That scanner will not run them, knowingly knowing that it will not be any sense. If a
Plugin exploits vulnerability in PostFix "E, Nessus. Will not torture
happiness, trying tests against sendmail "A -, etc. It is clear that for execution
Checks on the local system, you need to provide Credentials scanner
(Logins and passwords for access) is the final part of the rules setting.

OpenVas.

Site: www.openvas.org.
Distribution: Freeware.
Platform: WIN / * NIX / MAC

Despite the fact that the original Nessus codes became closed, the engine Nessus 2 and
Part of the plugins are still distributed under the GPL license in the form of a project.
OpenVas. (OpenSource Vulnerability Assessment Scanner). Now project
develops completely independently of his older brother and makes considerable
Successes: the last stable version came out just before sending the number in
Print. No wonder that OpenVas. also uses client-server
Architecture where all scan operations are performed by the server part - it
It works only under Niksami. To start you will need to download packages.
OpenVAS-Scanner, as well as a set of OpenVas-Libraries libraries. As
Client part for OpenVas. 3.0 only a nixic GUI program is available,
But, I think, like previous versionsSoon the port will appear for Windows. In any
case, the easiest to take advantage OpenVas. With the help of not expensive
LiveCD BACTRACK (4th version) in which it is already installed. All major
Operations to start work are made in menu items: OpenVas Make Cert
SSL certificate to access the server), Add User (Creating a Jouzer for Access to
server), nvt sync (update plug-ins and base vulnerabilities), and in the end
OpenVas Server (Start Server Via Menu item). Next remains only
Run the client part and connect to the server to start the pentest.

Openness and expansion OpenVas. allowed to pump hard
program. In addition to directly plugins for analyzing security, in it
Many well-known utilities are integrated: Nikto to search for vulnerable CGI scenarios,
NMAP for scanning ports and sea other things, IKE-SCAN to detect IPSec
VPN nodes, AMAP to identify services on ports using FingerPrinting,
Ovaldi to support OVAL - standard language to describe vulnerabilities - and
Many others.

XSpider 7.

Website:
www.ptsecurity.ru/xs7download.asp
Distribution: Shareware.
Platform: WIN.

First lines of code XSpider. were written on December 2, 1998, and for
Since then 12 years, this scanner has become known to each Russian
Information security specialist. Generally, Positive Technologies - one
Of the few companies in the domestic information security market, whose
The staff can actually break something, and not only beautifully sell services.
The product was not written by programmers, but by IB experts who know, like
What to check. What is the result? We have a very high quality product with one,
But very serious for us minus: XSpider. Ply! Task
Developers offer a trimmed demo version in which a whole range has not been implemented.
checks, including heuristic, as well as online updates for the base
vulnerabilities. Moreover, the forces of the developers are now entirely directed to another
Product - Maxpatrol Information Security Monitoring System for
Which, alas, there is not even demos.

But even with all restrictions XSpider.is one of the most convenient
and effective tools Network security analysis and specific nodes.
Scan settings, as in the case of Nessus, are made in the form of a special
The set of rules, only in this case, they are not called POLICIES, but profiles.
Customize both general parameters for network analysis and scanner behavior
For specific protocols: SSH, LDAP, HTTP. Type of the studied daemon on each
port is determined not by the generally accepted classification, but using
Euristic algorithms fingerprinting "A - option is included with one click in
Scan profile. Separate words Deserves RPC service processing (Windows
and * NIX) with full identification, thanks to which it is possible to determine vulnerabilities
Different services and detailed computer configuration as a whole. Check
The weakness of password protection implements the optimized selection of passwords practically
In all services requiring authentication, helping to identify weak passwords.
Scan result is drawn up in the form of a convenient report, and for each
found potential vulnerability A tiny description and external link is issued,
Where you can seek details.

GFI Languard

Website:
www.gfi.com/lannetscan.
Distribution: Freeware / Shareware
Platform: WIN.

For which I especially love this product is for a set of pre-installed
Profiles for scanning. In addition to the full scanning of the remote system,
implying all types of available checks (by the way, there is a special version
for slow connect - for example, for brake VPN connections through states),
There are a lot of separate groups of checks. For example, you can quickly check tens
hosts for the presence of vulnerabilities from the Top20 compiled by the famous
Sans Security Corporation. Immediately you can activate and search for machines with
Unidentified Patches or Service Packs, choose a profile for Pentests
web applications, etc. Moreover, except for profiles directly directed to
Search for vulnerabilities, there are a number of means for Audit: Search Ball, Smart Scanner
ports, including to find the compounds open by small car
Computer configurations, etc. It turns out in one product the mass
Useful utilities.

Constantly updated base of vulnerabilities GFI Languard Includes more than
15000 entries, allowing you to scan the most different systems (Windows, Mac OS, Linux),
Including installed on virtual machines. Scanner automatically
pulls up updates for the base, which in turn are formed by reports
Bugtraq, Sans and other companies. Implement your own checks as
Went, you can and you yourself. For this you are provided with a special script
language compatible with Python and VBScript (what a bunch!), and for full amenities
Even a convenient editor with a debager - a real IDE is obtained. One more
Languard's unique chip "A - the ability to determine that the machine is launched
in a virtual environment (while the VMware and Virtual PC is supported) - this is one of
Unique scanner chips.

RETINA NETWORK Security Scanner

Site: www.eeye.com.
Distribution: Shareware.
Platform: WIN.

The main disappointment of this legendary scanner has suffered me immediately after
launch. Installer latest versionstealing, said that run
Retina. On Windows 7 or Windows Server 2008 R2 is currently impossible. Not
Very politely, I had to open virtual Machinebut I knew: it was
worth it. Retina. - one of the best scanners that defines and analyzes
Local host hosts. Physical I. virtual servers, workstations and
laptops, routers and hardware firewalls - Retina. present
A complete list of devices connected to the network will display information about wireless
networks. Each of them will be in every way to tootte in the search at least some hint of
Vulnerability, and makes it very smart. On scanning a local network class with
It takes about 15 minutes. Product Retina. determines the vulnerabilities of the OS,
Applications, potentially dangerous settings and parameters. As a result, you can
Get a review network plan with a display of potentially vulnerable places. Base C.
vulnerabilities, according to developers, is updated hourly, and information about
Vulnerabilities falls into the database no later than 48 hours after the first appearance
Bagratrica. However, the fact that this is an EEYE factory product is already its
Quality guarantee.

Microsoft Baseline Security Analyzer

Site: www.microsoft.com.
Distribution: FreeWare.
Platform: WIN.

What it is? Microsoft security analyzer, which
checks computers on the network for compliance with the requirements of Microsoft, which
Spent a considerable amount. The most important criterion is, of course, availability
On the system of all installed updates. Do not remind what I did
Conficker using MS08-67 Break, the patch for which came out 2 months before
epidemics. In addition to the missing patches, MBSA detects some
Common bars in configuration. Before scanning the program
downloads updates for their bases, so you can be sure: Microsoft.
Baseline Security Analyzer He knows all about the published updates for Windows. By
The results of the scan (domain or range of IP addresses) are issued
report. Already a visual report can be transferred to a conditional network scheme,
Displays the scan results in Visio. For this, the program has access to
Special connector that will display characters different locked nodes,
Fill the object parameters by adding information about scanning, and
Beautiful form will allow you to see what problems are on a particular computer.

Saint.

Website:
http://www.saintcorporation.com
Distribution: Shareware.
Platform: -Nix

Just two IP addresses to which you can raise Saint. in
the course of the trial period is rigidly isolated to the key, and he goes to you on
E-mail. Neither step left or step to the right - but this product is necessarily worth
Try, even with such draconic restrictions. Scanner management
implemented through a web interface that is not surprising - solutions Saint.
Sold, including, in the form of servers for installation in a rack (SaintBox), and here
You need to follow fashion. With the help of a ascetic web interface, it is very easy
Run testing and use long-term search for search
Potentially vulnerable areas in the system. I will say more: one of the SaintexPloit modules
Allows not only to detect, but also to exploit vulnerability! Take
MS08-67 notorious error. If the scanner detects an uncomplicated hole and knows
how to exploit it, then right next to the description of the vulnerability gives a link with
To the close heart to the word Exploit. In one click you get a description of solid and,
Moreover, the RUN NOW button to start it. Next, depending on the split,
different parameters are specified, for example, an accurate version of the OS on the remote host,
Shell type and port on which it will be launched. If the goal exploitation is successfully
Completed, then an IP address appears in the Connections section of the SainTexPLOIT module
Victims and selection of actions that have become accessible as a result of launch
Exploit: Working with files on a remote system, command line etc!
Imagine: Scanner, which himself breaks! No wonder the slogan product: "Examine.
Expose. Exploit ". The system of inspections is the most diverse, and in the last 7th
Version appeared module for web application penzets and additional features
To analyze databases. Recalling the goal through the web interface, you can watch
the actions of the scanner with all the details, knowing exactly what and how the scanner does in
this moment.

X-Scan.

Site: http://www.xfocus.org.
Distribution: Freeware.
Platform: WIN.

The latest version of this scanner came out in 2007, which does not interfere with
use it now thanks to the system of plug-ins and scripts,
Written in the NASL language, as used in Nessus / OpenVAS. To find
And edit the available scripts is easy - all of them are in the Scripts folder.
To start the scanner, you must designate the scan settings through the menu
Config -\u003e Scan Parameter. As an object of scanning can act as
Specific IP and the range of addresses, but in the latter case it is necessary to be moral
Ready for the testing will be long. Scanner, alas, not the most
fast. The number of connected modules is also proportion to the speed:
Supplements that check password resistance for SSH / VNC / FTP, one of the most
Voracious. Externally X-Scan. more reminiscent of the homemade created by someone
For your own needs and pushed into a public on free swimming. Maybe he would
and did not get such popularity if not supporting the SESSUS scripts that
Activate using the Nessus-Attack-Scripts module. On the other hand, it is worth
View scanning report, and all doubts about the usefulness of the scanner are departed on
second plan. It will not be issued according to one of the official standards of IB, but
It will definitely tell a lot of new on the net.

Rapid 7 Nexpose

Site: www.rapid7.com
Distribution: FreeWare version
Platform: NIX / Win

Rapid 7. - One of the fastest growing companies specializing in
on information security in the world. It was she who recently acquired the project
Metasploit Framework, and it is her hands - a project Nexpose.. Cost
"input" to use the commercial version is without a small $ 3000, but
For enthusiasts there is a community version with a slightly trimmed possibilities.
This free version is easy to integrate with metasploit "Ohm (version is not necessary
below 3.3.1). The scheme of work is enough trick: first launches Nexpose, then
METASPLOIT CONSOLE (MSFCONSOLE), after which you can run the scanning process
and set it up with a number of commands (Nexpose_Connect, Nexpose_scan,
NEXPOSE_DISCOVER, NEXPOSE_DOS and others). Cool that you can combine
functionality Nexpose. and other METASPLOIT modules "a. The easiest, but
An effective example: look for computers with some vulnerability and immediately
operate it using the appropriate Metasploit module - get
Auto serving at a new quality level.

Warning

Pentest of servers and resources of resource owner without his will - act criminal
punched. In case of use of the knowledge gained in illegal purposes, the author and
The editorship of responsibility is not carried.

Security scanner is software For remote or local diagnostics of various network elements, various vulnerabilities are detected in them. The main users of such systems are professionals: administrators, security specialists, etc. Simple users can also use security scanners, but the information issued by such programs is usually specific, which limits the possibilities for its use by an unprepared person. Safety scanners facilitate the work of specialists, reducing the total time spent on the search for vulnerabilities.

For comparison, five different scanners were selected in a different price range and with different capabilities: ISS Internet Scanner., XSpider., Languard, ShadowSecurityScanner, X-Scan..

To compare similar systems It is not enough to run them enough. The number of allegedly verified vulnerabilities or their settings, as well as the size of the program or its appearance Could not be criteria for assessing the quality and funkional capabilities of a scanner. Therefore, in order to create a full-fledged idea of \u200b\u200bthe work of various security scanners, it was decided to hold them comparative Test to identify vulnerabilities in seven different operating systems, Frequently used by large banks and financial institutions: AS / 400, Solaris 2.5.1, Compaq / Tandem Himalaya K2006 (OS D35), Windows 2000 Server, Windows XP Professional, Linux Redhat 5.2, Bay Networks Router.

Versions of the test scanners (the latest available at the time of verification):

• ISS INTERNET SCANNER 6.2.1 with the latest updates
• XSpider 6.01
• Languard 2.0.
• ShadowSecurityScanner 5.31
• XFocus X-SCAN V1.3 GUI

The testing of each scanner was held twice, thereby excluding unwanted possible errors related for example, with a temporary problem on the network. All data obtained was placed in a table, clearly showing which vulnerabilities were found by one or another scanner. Yellow color indicates the vulnerability of medium gravity, which under certain circumstances may entail serious losses, and red serious vulnerabilities that can lead not only to serious losses, but also to the complete destruction of the system. Next, after the table, the scanners are evaluated with scanning results.

Table of vulnerabilities found:

To comprehend the results and come to any conclusion next system The calculation of points, which is less optimal (other options are possible, but they are all similar): For each vulnerability found, a certain amount of points will be added depending on the degree of danger of this vulnerability, and vice versa for issuing a false vulnerability scores will be deducted:

• serious vulnerability (+3 points)
• vulnerability of medium gravity (+2 points)
• information (+1 score)
• false serious vulnerability (-3 points)
• false vulnerability of medium gravity (-2 points)
• false information (-1 score)

Total table:

What as a result?

ISS Internet Scanner does not need a description. He showed himself as always at a high level, though this time giving waying the palm of the XSpider-y championship.

The XSpider turned out to be an undisputed leader, severely broke away from competitors, especially when looking for vulnerabilities in Windows and Solaris, which is especially pleasant with its small size and free distribution. There is a big minus: there is very little information when issuing a list of vulnerabilities, which involves a high level of knowledge and professionalism from a specialist using this program.

Languard with stretch can be called a security scanner. It works very well with NetBIOS, issuing a list of resources, services and users. This ability is very distinguished by the scanner from the rest, but this is just this. On this advantage of Languard end.

ShadowsecurityScanner practically dreamed of ISS. And this is at such a big difference in their price. The program has a simple interface similar to the Retina scanner interface. Detailed advice and recommendations to eliminate vulnerabilities easily make it possible to cope with problems. Cons: a small amount of recognizable vulnerabilities, much greater consumption of system resources when working compared to other scanners.

X-Scan Free Scanner for Languard similar to Languard, but a little superior. Cons: not very readable program interface, the absence of any comments about the found vulnerabilities.