Vulnerability scanning refers to the scanning of systems, network component or application which may expose to the external world or hosted internally to detect the vulnerabilities or security weakness in them. Vulnerability scanners are the tool used to perform the vulnerability scanning. Vulnerability scanners have a database of vulnerabilities based on which it performs the check on the remote host. The vulnerability database contains all the information required (service, port, packet type, a potential path to exploit, etc.) to check the security issue. They can scan the network and websites against thousands of vulnerabilities, provide the list of issues based on the risk and suggest the remediation as well. Vulnerability scanners can be used by:
- The security auditors while doing the security assessment.
- Malicious attacker or hackers with the intention to harm the asset or to gain unauthorized access.
- Application development team before deploying the application in the production environment.
Some of the features included in popular scanners are:
- Maintain an updated database for latest vulnerabilities.
- Ability to detect vulnerabilities with less false positive.
- Ability to scan multiple targets simultaneously.
- Ability to provide a detailed report with vulnerable request and response pair.
- Recommendation to fix the vulnerabilities.
Components of Scanner
Vulnerability scanner is divided into four components:
- User Interface: This is the interface with which user interacts to run or configure a scan. This can be a Graphical user interface (GUI) or a command-line interface (CLI).
- Scan Engine: Scan engines executes the scan based on the installed and configured plug-ins.
- Scan Database: The scan database stores the data required by the scanner. This may contain vulnerability information, plug-ins, steps to mitigate the vulnerability, CVE-ID mapping (Common Vulnerability and Exposures), scan results, etc.
- Report Module: The report module provides the options to generate the different type of reports like a detailed report, a list of vulnerabilities, a graphical report, etc.
Scanning can be divided into two categories:
- External: There are some assets which are exposed to the internet. Most of the organizations have either port 80 or port 443 open so that anyone from the internet can connect to their websites. Many admins think that they have implemented a perimeter firewall, so they are secure, but this is not true in all the cases. A firewall can protect against unauthorized access to the network based on the rule and policy defined for it but what if an attacker finds a way to attack the other systems via these open ports i.e. 80 or 443. In this case, the firewall may not be able to protect you because by connecting to these ports the attacker is automatically past the firewall and are inside your network.
The external scan is important as it is required to detect the vulnerabilities to those internet facing assets through which an attacker can gain internal access. The external scan is done by running a vulnerability scanner on the host from the internet. It is always a good idea to eliminate the open issues/loopholes before it can be used and exploited by a malicious user or an attacker.
- Internal: Not all attacks come from the external network. Hackers and malware can be present in internal network as well. There are some ways through which someone can gain access to the internal network.
- It can be through Malware or virus that is downloaded onto a network through internet or USB.
- It can be a disgruntled employee who has the internal network access.
- It can be through the outside attacker who has gained the access to the internal network.
Hence, it is equally important to run the vulnerability scanner on the internal network as well. The internal scan is done by running the vulnerability scanner on the critical components of the network from a machine which is a part of the network. This important component may include core router, switches, workstations, web server, database, etc.
How often should I run the scan?
There are a lot of new vulnerabilities being discovered every day. Each new vulnerability discovered increases the level of risk. Hence, it is important to scan the assets on a regular interval. The early identification of security issue helps the organization to close the security holes and help defend against attack.
There is no defined number on how often to run a vulnerability scan. It varies from organization to organization. The frequency of the scans may depend on the following points:
- Criticality of the asset: More critical assets should be scanned more often so that they can be patched against the latest vulnerabilities.
- Exposure: Identify and scan the components which are exposed to a greater number of the user. This may include external or internal assets.
- Modification in an existing environment: Any modification in the existing environment, be it the addition of a new component, asset, etc. should be followed by a vulnerability scan.
PCI and vulnerability scanner
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirement to maintain a secure environment by all the companies that process, store or transmit the credit card information. The Payment Card Industry Security Standard Council (PCI SSC) was launched on September 7, 2006, to improve the security of the transaction process. The PCI DSS requires all the merchant accepting credit card conduct regular vulnerability scan to identify the potential security flaw within their business network and applications.
As per the PCI DSS Requirement and Security Assessment Procedures document:
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
External Scan: The PCI requires all Internet-facing IP addresses to be scanned for the vulnerabilities. These scans should be performed from outside the organization’s network. The scan must be performed by PCI SSC Approved Scanning Vendor (ASV) only.
Internal Scan: The PCI requires a vulnerability scan for all the internal component within the cardholder data environment. This provides an internal view of the current security and points out the weakness that an attacker could exploit after gaining the internal access. The internal scan must be performed by the qualified person and may not require an ASV.
External and Internal scanning involves an automated non-intrusive scan by a vulnerability scanner to identify the vulnerabilities in operating systems, devices, and applications. Some of the scanners used by ASVs includes Qualys and Nessus. We will look into each of them later in this article. To comply with the standards, the vulnerabilities reported by the scanner must be fixed. For the external scan, all the vulnerabilities rated as “Medium” and higher must be remediated. For the internal scan, only the “Critical” and “High” vulnerabilities have to be remediated. This is followed by re-running the vulnerability scan to confirm the closure of the reported vulnerabilities. As per the PCI DSS standards, the PCI scan must be performed on a quarterly basis. Most organizations perform the scan on the more regular basis to identify the latest security flaw.
Free Vs. paid
There is no direct answer when it comes to deciding whether to use free, open-source vulnerability scanner or commercial scanner. A lot of vulnerability scanners are available to download on the internet. Some are free, and some are paid version. The free version of tools like Burp, Nessus, etc. are frequently used in penetration testing engagements but at some places, it is mandatory to have a commercial version. The free version of vulnerability scanners are a good place to start with the security, but they might have some limitations:
Scan Coverage: Free scanners have a limitation on the coverage of the scan. The scan is on a high level and may not cover all the parts of the application.
Accuracy: This may lead to a false-negative where the scanner is failed to identify or report an existing security flaw. This is a more serious concern compare to a false-positive, where a scanner reports an issue which does not exist in the application.
Total attack and input payload support: The attacks and input payload supported by free scanners are less compare to the paid version. The vulnerability and payload database in the paid version are updated on a regular interval of time to check for new vulnerabilities.
Support for a detailed report: Many scanners supports the reporting featuring but free scanner may not generate a detailed report along with the request-response pair, mitigation, and patch download link.
Additional Features: This includes interactive administration console for better tracking, on-demand monitoring, professional software support, Vulnerability management and compliance.
Nessus: Nessus is one of the most popular vulnerability scanners. It is used for authenticated and unauthenticated vulnerability scans. Along with network vulnerability scanning, it also supports external and internal PCI scans, Malware scan, Mobile device scan, policy compliance auditing, web application test, Patch audit, etc. It uses more than 70,000 plug-ins to scan a target host.
Nessus comes in two versions i.e. Free or Home feed version and Professional version. The free version has some limitation like it cannot be used in a professional environment (i.e. at work), less number of plug-ins, professional support, etc.
The user manual can be downloaded from http://static.tenable.com/documentation/nessus_6.4_user_guide.pdf
The Nessus scanner can be downloaded from http://www.tenable.com/products/nessus/select-your-operating-system
OpenVAS: The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. It is open source and available for free. It has a client-server architecture with a web interface. The server component is used for scheduling the scan and managing the plugins, and a client component is used to configure the scan and access the report.
Some of the features includes:
- Support for customized plugin: The OpenVAS scanner supports customized plugins where a user can write a plugin with Nessus Attack Scripting Language (NASL).
- Authenticated scan: In authentication scan, a user provides the credentials of the target host so that scanner can log in and scan for vulnerabilities in the installed components (Adobe reader, Wireshark, etc.) of the host.
- Report Export: The OpenVAS scanner comes with multiple options to extract the report. A user can generate and download the report in HTML, XML, TXT and PDF format.
- Port scanner: The
OpenVAS scanner comes with multiple options for port scanning. It includes TCP scan, SYN scan, IKE-scan to locate IPSec, VPN, etc.
- Safe checks: The OpenVAS scanner supports scan with safe check enabled. In this mode, the scanner will rely on the banner of the remote host instead of sending all the payloads to the remote host. This is a good option for a critical or old host which can crash during the default scan.
The OpenVAS scanner can be downloaded from http://www.openvas.org/download.html
A tutorial on setting up and running OpenVAS on Kali Linux can be found at https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
QualysGuard: QualysGuard is a private cloud-based Software as a Service (SaaS). The web based UI can be used to login to the web portal and use the service from anywhere. The tool includes Network discovery, asset mapping, vulnerability assessment, reporting, and remediation tracking. Internal network scan is handled by Qualys appliances which communicate to the cloud-based system.
Qualys subscription packages can be found at https://www.qualys.com/qualysguard-subscription-plans/
Once the subscription is confirmed, the access to the cloud-based service is given through the web portal. The web portal is located at https://qualysguard.qualys.com/qglogin/index.html
Burp Suite: Burp Suit is a Java based tool to perform web application security testing. Different tools required for the testing are integrated into a single platform. It is available in free and commercial versions. The free version of Burp Suit have the following features:
- An Intercepting proxy act as a proxy server to analyze and fiddle with the backend request and response.
- Burp Spider to crawl the pages and link of the target application.
- Burp Repeater for manipulating and resending the request multiple time.
- Burp Sequencer to analyze the randomness and strength of the session token.
- Burp Intruder to perform customized automated attack to find and exploit vulnerabilities.
There are some features which are only present in the professional version. These feature includes:
- An advanced web application scanner to automatically detect the vulnerabilities in the web applications.
- Burp Extension allows you to write own plug-ins to perform the complex and customized task with Burp.
- The ability to save the current state and use it later.
- The ability to generate scan report.
The video tutorials can be found at https://portswigger.net/burp/tutorials/
The free and professional version of Burp Suit can be downloaded from https://portswigger.net/burp/download.html
OWASP ZAP: OWASP ZAP is a Java based cross platform open source web application security assessment tool. The main feature includes:
- Intercepting proxy: The intercepting proxy feature can be used manually to explore and fiddle with the application and its parameters. It captures the request going to the server so that a user can manipulate the URL, hidden parameters, headers, etc. to analyze the behavior and security of the application. Similarly, the response coming from the server can be modified.
- Active and Passive Scanning: Zap supports both active and passive scanning technique. In Passive scanning, the tool scans all the request and response collected via spider or proxy. The scan runs in the backend hence doesn’t affect the actual testing. In active scanning, the scanner sends the payload to discover the potential vulnerabilities. The active scan can be controlled by the user where the scanner can be manually configured for the scan aggressiveness.
- The ability to save the current session and reuse it later.
- The ability to generate the scan report. ZAP support HTML reporting.
- Other feature includes a port scanner, fuzzer, and support for web Sockets.
The user guide is available at https://github.com/zaproxy/zap-core-help/wiki
The OWASP ZAP tool can be downloaded from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Acunetix Web Vulnerability Scanner: Acunetix web vulnerability scanner is an automated application security testing tool. It is specifically designed to scan the web applications for security issues like SQL Injection, Cross-site scripting, directory traversal, OS command injection, etc. The scanner allows the user to scan for SANS top 20 or OWASP top 10 vulnerabilities. Acunetix comes in 2 versions i.e. Free and Commercial. The free version is a 14 days evaluation version which scans for all vulnerabilities, but exact location will not be shown. You can scan acunetix test website to review a sample of vulnerability scan details. The installation is quite easy and straightforward. The main features includes:
- Scanner: The main component of Acunetix is the scanner. It is fully customizable scanner where a user can configure the scan as per the need. It uses scan profile where a user can define types of vulnerability to be checked. The scan time depends on the size of the application and profile selected.
- Vulnerability detection: Apart from scanning normal web application, Acunetix can scan websites based on HTML5/JS technology.
- The Scheduler: Acunetix allows you to schedule a scan for single or multiple sites. This is a good feature where a user can schedule a scan to run at night or the weekends.
- Site Crawler: Here we can configure the file types to be included or excluded when the crawler fetches the files and directories.
- Subdomain scanner: Acunetix can search for the subdomain based on the DNS record.
- Target Finder: This allows the user to scan the subnet to look for web services on ports like 80,443, etc.
- HTTP Editor: This tool is for creating customized request and response for analyzing specific vulnerabilities. This includes encoder-decoder to encode or decode the parameter values. It also allows the used to modify the request parameters like URL, Cookie, request data, etc.
The user manual can be found at http://www.acunetix.com/resources/wvsmanual.pdf
The trial version of Acunetix web vulnerability scanner can be downloaded from http://www.acunetix.com/vulnerability-scanner/download/
NetSparker: Netsparker is again a web application security scanner for detection and exploitation of vulnerabilities. One of the unique features of this scanner is internal confirmation engine that tries to reduce the false positive findings by successfully exploiting or testing in another way. If the scanner can exploit the issue, then it will list the issue under “Confirmed” section of the report. It comes in three versions i.e. Community, Standard, and Professional. The community version is free to evaluate the product. The standard version is limited to 3 websites means we are allowed to scan only three websites. Professional version includes unlimited websites for scanning. Pricing and comparison chart can be found at https://www.netsparker.com/pricing/?ce=1.
Some of the features includes:
- Ease of use: We can start a scan by simply providing the URL of the website. More advanced options are present where a user can record a login sequence by using a login macro so that scanner can log into the application while scanning. It supports form authentication, NTLM/Basic/Digest authentication, and Client certificate authentication. When the user chooses this option, the scanner opens a new tab where it records the login sequence which includes the user credentials. On the same configuration section, we can configure the scope of the scan and vulnerabilities to be scanned.
- Crawling: The scanner comes with an advanced crawler where a user can crawl for the new links and attack at the same time.
- Accuracy: As mentioned above, one of the unique features of the scanner is internal confirmation engine. This allows the scanner to reduce the false positive by safely exploiting a reported vulnerability. If exploited, the scanner marks the vulnerability as confirmed.
- Reporting: Netsparker supports verity of report formats that includes Detailed scan report, PCI Compliance report, OWASP top 10 reports, etc.
The user manual can be downloaded from https://netsparker.zendesk.com/entries/20938312-Download-PDF-Manual
The free version of the scanner is available at https://www.netsparker.com/web-vulnerability-scanner/download/
The standard and professional versions of the scanner are available at https://www.netsparker.com/pricing/?ce=1
Vulnerability scanners are fast and can save you time, but we can’t completely rely on them. No single tool is capable of finding each and every vulnerability exist in network or web application. If possible use multiple automated scanners to reduce the chances of false positive and false negative. The web vulnerability scanners can’t find the issues related to business logic in the application. These vulnerabilities are critical and need a manual approach. The good approach is to run a vulnerability scanner along with the manual testing.
Getting the list of security flaws by running a scanner is of no use unless you can do something about it. The scan should be run by skilled professional who can configure the scan safely, understand the findings, underlying risks and mitigation technique.