Vulnerability Scanning
As an attacker after surveying the victim's network and you've identified possible open ports its time to validate they are accessible and exploitable. Beginners resort to tools, and this is most common, but sophisticated manual penetration attempts are carried out by an experienced hacker. Aside from hackers using these network scanning tools professionals can use them to automate security checks. Tools provide both the attacker and the defender usability in testing large scale networks. However, understand tools have limitations, and both should know these limits.
Tool limitations
Tools can only check for known vulnerabilities and in most cases can not assert correlation among those vulnerabilities. Tools also analyze the attack surface and therefore can not find other vulnerable targets after exploiting the current system. Advanced penetration attempts use intelligence to reverse engineer an entire system from the inside out. When determining which tool to use as a security professional and hacker, you have many options.
- NexPose by Rapid7
- Nessus by Tenable
- BeyondTrust Retina from EEYE
- OpenVAS is a fork of the open source Nessus2
For those of you who don't want to manage software and prefer the subscription model, Qualys is a favorite among most.
Nessus is the most popular network scanning tool available at the time of this writing. Nessus is also a personal favorite because they offer both an at home and commercial additions. Qualys also offers a community edition as well if you prefer a serverless approach. The difference is Nessus's client, and the server can run from the same machine on your network allowing you to be somewhat anonymous. Qualys keeps records of its customers and their scans. To remain 100% anonymous, I would suggest OpenVAS. Nessus's server runs Windows, Linux, and OSX. Configuring the server is all done using the web facing G, and "Safe Checks" are turned on by default. To use what Nessus classifies as dangerous plugins disable "Safe Checks." Some plugins are known to crash systems and lock users accounts. DOS plugins are marked as dangerous. Nessus plugins are written in Nessus Attack Scripting Language (NASL) allowing you to craft your own however there are over 100,000 plugins at your disposal.
Defense and Identification
- Close all unused ports and unneeded services.
- Apply the most recent software patches
- Perform routine scans using Nessus or Qualys.
- Utilizing an intrusion detection system you can detect this type of scanning tool.