
The best pen tester tools: security scanners. Efficient search for network vulnerabilities with Nessus Scanner. Search for vulnerabilities in network devices

Vulnerability scanners automate security auditing and can play an important role in your IT security by scanning your network and websites for known security weaknesses. They generate a prioritized list of the issues you need to fix, describe each vulnerability and suggest remedial actions; some can also automate parts of the remediation. Keep in mind that a scanner only reports what its check database knows about, so a clean report means "nothing known was found", not "nothing is wrong".
Top 10 Vulnerability Assessment Tools

  • Comodo HackerProof
  • OpenVAS
  • Nexpose Community
  • Nikto
  • Tripwire IP360
  • Wireshark
  • Aircrack
  • Nessus Professional
  • Retina CS Community
  • Microsoft Baseline Security Analyzer (MBSA)
1. Comodo HackerProof
Comodo HackerProof is a commercial vulnerability scanning service. Its main features are:
  • Daily Vulnerability Scan
  • PCI scan tools included
  • Drive-by attack prevention
2. OpenVAS
OpenVAS is an open source framework of services and tools for vulnerability scanning and vulnerability management.
  • OpenVAS can scan targets running various operating systems
  • The scanning engine is updated regularly with new network vulnerability tests (NVTs)
  • The OpenVAS scanner is a comprehensive vulnerability assessment tool that identifies security-related issues on servers and other network devices
  • OpenVAS is free software, licensed under the GNU General Public License (GPL)
3. Nexpose Community
Nexpose, developed by Rapid7, is a vulnerability scanner that performs a wide range of network checks. The Community edition is free to use, but the product is not open source.
  • Nexpose integrates with the Metasploit framework, so findings can be validated with exploits
  • Its risk scoring takes into account the age of a vulnerability and whether known malware kits or public exploits use it, so that remediation can be prioritized accordingly
  • It can automatically detect and scan new devices and assess their vulnerabilities as they join the network
  • It monitors vulnerabilities continuously, updating its assessment as new vulnerability data arrives
  • Most vulnerability scanners only categorize findings on a low/medium/high scale; Nexpose adds a numeric risk score on top of that
4. Nikto
Nikto is a popular open source web server scanner used to find likely issues and vulnerabilities.
  • It checks for outdated server versions and for version-specific problems affecting the server.
  • Nikto runs thousands of tests against a web server, looking for items such as potentially dangerous files and CGI scripts.
  • It is not a stealthy tool: it generates many easily logged requests, but it tests a web server in a minimum amount of time.
  • It supports both HTTP and HTTPS and can scan multiple ports on a given server.
5. Tripwire IP360
Tripwire IP360, developed by Tripwire Inc, is a commercial vulnerability assessment solution used by enterprises to manage their security risk.
  • It takes a wide-ranging view of the network to reveal vulnerabilities, configurations, applications, network hosts, and more.
  • It uses open standards to help integrate risk and vulnerability management across multiple business processes.
6. Wireshark
Wireshark is the most widely used network protocol analyzer and a standard part of the security professional's toolkit. It is not a vulnerability scanner as such, but it is indispensable for examining what a scanner or an attacker actually sends over the wire.
  • Wireshark is used by government agencies, enterprises, educational institutions and others to peer into networks at a low level
  • It captures live traffic and can also analyze saved captures offline
  • It runs on Linux, macOS, Windows, Solaris and other platforms
7. Aircrack
Aircrack, better known as Aircrack-ng, is a suite of tools for assessing the security of WiFi networks.
  • Its tools cover the whole WiFi audit workflow
  • It supports multiple OS such as Linux, OS X, Solaris, NetBSD, Windows, etc.
  • It covers several areas of WiFi security: packet capture and monitoring, driver and card testing, replay and injection attacks, and key cracking
  • Aircrack-ng recovers WEP and WPA-PSK keys from captured packets; use it only on networks you are authorized to test
8. Nessus Professional
Nessus is a proprietary vulnerability scanner created by Tenable Network Security.
  • It helps keep attackers out by finding vulnerabilities before they can be exploited
  • It scans for vulnerabilities that would allow remote access to sensitive data on the system
  • It supports a wide range of OS, databases, applications and other devices across cloud infrastructure and virtual and physical networks
  • It is installed and used by millions of users around the world to assess vulnerabilities, configuration issues, etc.
9. Retina CS Community
Retina CS Community is a free (but not open source) console and web dashboard that simplifies and centralizes vulnerability management.
  • With capabilities such as compliance reporting, patching and configuration compliance, Retina CS provides cross-platform vulnerability assessment
  • It includes automatic vulnerability assessment for databases, web applications, workstations and servers
  • Retina CS provides full support for virtual environments, such as vCenter integration and virtual application scanning
10. Microsoft Baseline Security Analyzer (MBSA)
MBSA is a free Microsoft tool for checking a Windows computer against Microsoft's own security recommendations. Note that Microsoft no longer maintains MBSA, so it does not know about current Windows versions or updates.
  • MBSA raises the level of security by examining a group of computers for misconfigurations, missing updates and missing security patches
  • It only scans for security updates, service packs and cumulative updates, leaving critical and optional updates aside
  • It is used by small and medium organizations to manage the security of their networks
  • After scanning the system, MBSA presents recommendations for eliminating the issues found

The problem of a network worm epidemic is relevant for any local network. Sooner or later a network or mail worm that the installed antivirus does not yet detect will penetrate the LAN. A network worm spreads over the LAN through operating system vulnerabilities that were not patched at the time of infection, or through writable shared folders. A mail worm, as the name suggests, spreads via e-mail, provided it is not blocked by the antivirus on the client or on the mail server. An epidemic can also be organized from within as a result of insider activity. In this article we consider practical methods for the rapid analysis of LAN computers with various tools, in particular the author's AVZ utility.

Formulation of the problem

In the event that an epidemic or some abnormal activity is detected on the network, the administrator must promptly solve at least three tasks:

  • detect infected PCs on the network;
  • find malware samples to send to the antivirus laboratory and develop a countermeasure strategy;
  • take measures to block the spread of the virus on the LAN and destroy it on infected computers.

In the case of insider activity the analysis steps are essentially the same and most often come down to detecting third-party software installed by the insider on LAN computers: remote administration utilities, keyloggers and various Trojan implants.

Let us consider in more detail the solution of each of the tasks.

Search for infected PCs

At least four methods can be used to search for infected PCs on the network:

  • automatic remote PC analysis - obtaining information about running processes, loaded libraries and drivers and searching for characteristic patterns, for example processes or files with given names;
  • studying PC traffic with a sniffer - this method is very effective for catching spam bots and mail and network worms. The main difficulty is that a modern LAN is built on switches, so the administrator cannot see the traffic of the whole network from one point. The problem is solved in two ways: by running the sniffer on the router (which lets you see the PCs' traffic to and from the Internet) and by using the switches' monitoring functions (many modern switches allow a monitoring or mirror port to be defined, to which the traffic of one or more ports chosen by the administrator is duplicated);
  • studying the network load - managed switches are very convenient here, since they not only show the load but also let the administrator remotely disable selected ports. This is much easier if the administrator has a network map recording which PC is connected to which switch port and where it is located;
  • using traps (honeypots) - it is strongly recommended to set up several traps in the local network so that the administrator can detect an epidemic in time.

Automatic analysis of PCs in the network

Automatic PC analysis can be reduced to three main steps:

  • conducting a complete study of the PC - running processes, loaded libraries and drivers, autorun;
  • conducting an operational survey - for example, searching for characteristic processes or files;
  • object quarantine according to certain criteria.

All of the above tasks can be solved with the author's AVZ utility, which is designed to be launched from a network folder on the server and supports a scripting language for automatic PC examination. To run AVZ on users' computers, you need to:

  1. Place AVZ in a network folder on the server that users can read.
  2. Create LOG and Quarantine subdirectories in this folder and allow users to write to them.
  3. Launch AVZ on LAN computers using the rexec utility or a logon script.

Keep the write permission on these two subdirectories as narrow as possible: the malware being hunted runs with the same user rights as AVZ and could otherwise read, alter or delete other computers' reports and quarantined samples.

Starting AVZ in step 3 should be done with the following parameters:

\\my_server\AVZ\avz.exe Priority=-1 nw=Y nq=Y HiddenMode=2 Script=\\my_server\AVZ\my_script.txt

In this case, the Priority=-1 parameter lowers the priority of the AVZ process; nw=Y and nq=Y switch the log and the quarantine to "network start" mode (a subdirectory named after the computer's network name is created in the quarantine folder for each PC); HiddenMode=2 denies the user access to the GUI and to AVZ control; and finally the most important parameter, Script, specifies the full name of the script with the commands that AVZ will execute on the user's computer. The AVZ scripting language is quite simple and is focused solely on examining and disinfecting a computer. To simplify writing scripts, you can use the specialized script editor, which offers command prompting, a wizard for typical scripts and a syntax checker that validates a script without running it (Fig. 1).

Fig. 1. AVZ script editor

Let's consider three typical scripts that can be useful in the fight against the epidemic. First, we need a PC research script. The task of the script is to examine the system and create a protocol with the results in a given network folder. The script looks like this:

begin
  // Enable the watchdog timer for 10 minutes
  ActivateWatchDog(60 * 10);
  // Start scanning and analysis: examine the system
  ExecuteSysCheck(GetAVZDirectory+'\LOG\'+GetComputerName+'_log.htm');
  // Shut down AVZ
  ExitAVZ;
end.

During the execution of this script, HTML files with the results of examining the network computers are created in the LOG folder (it is assumed to have been created in the AVZ directory on the server and to be writable by users); the name of the examined computer is included in the log name to ensure uniqueness. At the beginning of the script the watchdog timer is enabled; it will forcibly terminate the AVZ process after 10 minutes if something goes wrong during script execution.

The AVZ log is convenient for manual study but of little use for automated analysis. In addition, the administrator often knows the file name of the malicious program and only needs to check whether this file is present and, if so, quarantine it for analysis. In this case you can use the following script:

begin
  // Enable the watchdog timer for 10 minutes
  ActivateWatchDog(60 * 10);
  // Search for malware by name
  QuarantineFile('%WinDir%\smss.exe', 'LdPinch.gen suspected');
  QuarantineFile('%WinDir%\csrss.exe', 'LdPinch.gen suspected');
  // Shut down AVZ
  ExitAVZ;
end.

This script uses the QuarantineFile function, which attempts to quarantine the specified files. The administrator only needs to look through the quarantine (the Quarantine\network_PC_name\quarantine_date\ folder) for collected files. Note that QuarantineFile refuses to quarantine files that are listed in the AVZ safe-files database or carry a valid Microsoft digital signature, so genuine system files are not collected; in this example the legitimate smss.exe and csrss.exe live in the System32 folder, which is why copies directly in the Windows folder are suspicious in the first place. For practical use this script can be improved: load the file names from an external text file, check the files found against the AVZ databases and write a text log with the results:

var
  S : string;               // Text describing the check result
  i : integer;
  SuspNames : TStringList;  // List of names of suspicious files

// Search for a file with the specified name
function CheckByName(FName : string) : boolean;
begin
  Result := FileExists(FName);
  if Result then begin
    S := '';
    case CheckFile(FName) of
      -1 : S := ', file access blocked';
       1 : S := ', identified as Malware ('+GetLastCheckTxt+')';
       2 : S := ', suspected by file scanner ('+GetLastCheckTxt+')';
       3 : exit; // Ignore files known to be safe
    end;
    AddToLog('The file '+NormalFileName(FName)+' has a suspicious name'+S);
    // Add the specified file to the quarantine
    QuarantineFile(FName, 'suspicious file'+S);
  end;
end;

begin
  // Check files against the updatable name database
  if FileExists(GetAVZDirectory + 'files.db') then begin
    SuspNames := TStringList.Create;
    SuspNames.LoadFromFile(GetAVZDirectory + 'files.db');
    AddToLog('Name database loaded - number of entries = '+IntToStr(SuspNames.Count));
    // Search loop
    for i := 0 to SuspNames.Count - 1 do
      CheckByName(SuspNames[i]);
    SuspNames.Free;
  end else
    AddToLog('Error loading list of filenames');
  SaveLog(GetAVZDirectory+'\LOG\'+GetComputerName+'_files.txt');
end.

For this script to work, the Quarantine and LOG directories must exist in the AVZ folder and be writable by users, and the files.db text file must be present; each line of this file holds the name of one suspicious file. File names can include macros, the most useful of which are %WinDir% (the path to the Windows folder) and %SystemRoot% (which in AVZ's macro set denotes the System32 folder, unlike the Windows environment variable of the same name, which points to the Windows folder). Another direction of analysis is automatic study of the list of processes running on users' computers. Information about running processes is available in the system examination log, but for automated analysis the following script fragment is more convenient:

var
  S, S1 : string;
  i : integer;

procedure ScanProcess;
begin
  S := ''; S1 := '';
  // Update the process list
  RefreshProcessList;
  AddToLog('Number of processes = '+IntToStr(GetProcessCount));
  // Analysis loop over the received list
  for i := 0 to GetProcessCount - 1 do begin
    S1 := S1 + ',' + ExtractFileName(GetProcessName(i));
    // Search for a process by name
    if pos('trojan.exe', LowerCase(GetProcessName(i))) > 0 then
      S := S + GetProcessName(i) + ',';
  end;
  if S <> '' then
    AddLineToTxtFile(GetAVZDirectory+'\LOG\_alarm.txt', DateTimeToStr(Now)+' '+GetComputerName+' : '+S);
  AddLineToTxtFile(GetAVZDirectory+'\LOG\_all_process.txt', DateTimeToStr(Now)+' '+GetComputerName+' : '+S1);
end;

The examination of processes in this script is performed as a separate ScanProcess procedure, so it is easy to place it in your own script. ScanProcess builds two lists: a complete list of processes (for later analysis) and a list of processes that the administrator considers dangerous; for demonstration, a process named 'trojan.exe' is treated as dangerous. Information about dangerous processes is appended to the _alarm.txt text file, data about all processes to _all_process.txt. The script can easily be extended, for example by checking process files against the safe-files database or checking the names of process executables against an external database. A similar procedure is used in the AVZ scripts at Smolenskenergo: the administrator periodically examines the collected information and modifies the script, adding the process names of programs prohibited by the security policy, for example ICQ and MailRu.Agent, which allows prohibited software on the examined PCs to be detected quickly. Another use of the process list is to find PCs that are missing a required process, such as an antivirus. Note that matching on the process name alone is a weak check: malware commonly takes the name of a legitimate system process, so a name match should be combined with the file's path and its verdict from the AVZ databases.
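The following Python script is an added example of the post-processing the paragraph above describes; it is not part of the original article and not AVZ code. It reads lines in the format that ScanProcess writes to _all_process.txt in the LOG folder (DateTimeToStr(Now), the computer name, ' : ', and the comma-separated process names), assumes computer names contain no spaces, and uses a hypothetical policy in which avp.exe stands for the required antivirus process and icq.exe, magent.exe and trojan.exe for forbidden programs (the executable names are assumptions). The sample records are constructed, not real data.

```python
"""Post-process the per-host process lists written by the ScanProcess
procedure: find PCs running forbidden programs, PCs missing a required
process (e.g. the antivirus), and processes that run on only one PC.
Added example; not AVZ code and not from the original article."""
import re
from collections import defaultdict

# Constructed sample records (not real data), in the format ScanProcess writes:
# '<DateTimeToStr(Now)> <computer name> : ,<proc1>,<proc2>,...'
SAMPLE_LOG = """\
12.03.2007 9:15:02 WS-ACC-01 : ,System,smss.exe,csrss.exe,winlogon.exe,avp.exe,explorer.exe,outlook.exe
12.03.2007 9:15:04 WS-ACC-02 : ,System,smss.exe,csrss.exe,winlogon.exe,explorer.exe,icq.exe,trojan.exe
12.03.2007 9:15:07 WS-ENG-07 : ,System,smss.exe,csrss.exe,winlogon.exe,avp.exe,explorer.exe,magent.exe
12.03.2007 9:17:31 WS-ACC-02 : ,System,smss.exe,csrss.exe,winlogon.exe,explorer.exe,trojan.exe
"""

# Hypothetical policy (assumption): the article names ICQ and MailRu.Agent as
# forbidden and an antivirus as required; these executable names are invented.
REQUIRED = {"avp.exe"}
FORBIDDEN = {"icq.exe", "magent.exe", "trojan.exe"}

# Lazy timestamp match (DateTimeToStr output may contain a space), then the
# host name (no spaces), then ' : ' and the comma-separated process list.
LINE_RE = re.compile(r"^(?P<stamp>.+?) (?P<host>\S+) : (?P<procs>.*)$")


def parse_log(text):
    """Return {host: set(process names)}; a later record for a host replaces an earlier one."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        procs = {p.strip().lower() for p in m.group("procs").split(",") if p.strip()}
        hosts[m.group("host")] = procs
    return hosts


def audit(hosts, required=REQUIRED, forbidden=FORBIDDEN):
    """Return (missing, found): hosts lacking a required process / running a forbidden one."""
    missing = {h: sorted(required - p) for h, p in hosts.items() if required - p}
    found = {h: sorted(forbidden & p) for h, p in hosts.items() if forbidden & p}
    return missing, found


def rare_processes(hosts, max_hosts=1):
    """Process names seen on at most max_hosts machines. In a fleet of identical
    workstations, something running on a single PC is a cheap 'look here first' signal."""
    seen = defaultdict(set)
    for h, procs in hosts.items():
        for p in procs:
            seen[p].add(h)
    return {p: sorted(hs) for p, hs in seen.items() if len(hs) <= max_hosts}


if __name__ == "__main__":
    hosts = parse_log(SAMPLE_LOG)
    missing, found = audit(hosts)
    for h, names in sorted(missing.items()):
        print(f"{h}: required process missing: {', '.join(names)}")
    for h, names in sorted(found.items()):
        print(f"{h}: forbidden process running: {', '.join(names)}")
    for p, hs in sorted(rare_processes(hosts).items()):
        print(f"{p}: seen only on {', '.join(hs)}")
```

Because a later record for a host overwrites an earlier one, the report reflects the most recent scan of each PC; keep the raw file if you also want to see what has changed between runs.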

In conclusion, let's consider the last of the useful analysis scripts: automatic quarantine of all files that are neither listed in the AVZ safe-files database nor carry a valid Microsoft digital signature:

begin
  // Execute auto-quarantine
  ExecuteAutoQuarantine;
end.

Automatic quarantine examines running processes and loaded libraries, services and drivers, about 45 autostart methods, browser and Explorer extension modules, SPI/LSP handlers, scheduler jobs, print system handlers, etc. Files are added to the quarantine with duplicate control, so the auto-quarantine function can be called repeatedly without collecting the same file twice.

The advantage of automatic quarantine is that the administrator can quickly collect potentially suspicious files from all computers on the network for study. The simplest (but in practice very effective) form of study is to scan the collected quarantine with several popular antiviruses in maximum-heuristics mode. Note that launching auto-quarantine simultaneously on several hundred computers can create a high load on the network and on the file server, so stagger the launch across groups of PCs.

Traffic research

Traffic research can be done in three ways:

  • manually, using sniffers;
  • in semi-automatic mode - the sniffer collects information, and its logs are then processed either manually or by some software;
  • automatically, using intrusion detection systems (IDS) such as Snort (http://www.snort.org/) or their software or hardware counterparts. In the simplest case, an IDS consists of a sniffer and a system that analyzes the information collected by the sniffer.

An intrusion detection system is the best tool here because it allows you to create rule sets to detect anomalies in network activity. Its second advantage is that most modern IDSs allow traffic-monitoring agents to be placed on several network nodes; the agents collect information and forward it to a central console. If a sniffer is used, the tcpdump UNIX console sniffer is very convenient. For example, to monitor activity on port 25 (the SMTP protocol), run the sniffer with a command line like this:

tcpdump -i em0 -l tcp port 25 > smtp_log.txt

In this case packets are captured on the em0 interface and information about captured packets is written to the smtp_log.txt file (add -n to suppress reverse DNS lookups, which slow the capture down and generate traffic of their own). The log is relatively easy to analyze by hand; in this example, analysis of activity on port 25 allows the PCs running active spam bots to be identified: a workstation should only open SMTP sessions to the corporate mail server, so one that opens them to many external hosts is almost certainly sending spam.
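As an added example (not from the article), the following Python script performs the semi-automatic processing of the smtp_log.txt file produced by the tcpdump command above: it counts SYN packets to TCP port 25 per internal host and flags hosts that open SMTP sessions to anything other than the corporate relay. The internal network, the relay address and the fan-out threshold are hypothetical site parameters, and the sample lines are constructed in tcpdump's text format (covering both the current 'Flags [S]' and the older bare 'S' flag notation).

```python
"""Find spam-bot candidates in a tcpdump log of SMTP traffic.
Added example, not from the original article. Input is the text that
'tcpdump -i em0 -l tcp port 25 > smtp_log.txt' writes."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical site parameters (assumptions, not from the article).
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
MAIL_RELAY = ipaddress.ip_address("192.168.1.5")   # the only legitimate SMTP destination
MAX_DISTINCT_DESTS = 3                             # more distinct peers than this = fan-out

# Constructed sample lines in tcpdump's text output format (not a real capture).
SAMPLE_LOG = """\
09:15:02.101 IP 192.168.10.23.1041 > 192.168.1.5.25: Flags [S], seq 10, win 65535, length 0
09:15:02.105 IP 192.168.1.5.25 > 192.168.10.23.1041: Flags [S.], seq 20, ack 11, win 65535, length 0
09:15:03.220 IP 192.168.10.77.2001 > 203.0.113.10.25: Flags [S], seq 1, win 65535, length 0
09:15:03.230 IP 192.168.10.77.2002 > 203.0.113.11.25: Flags [S], seq 1, win 65535, length 0
09:15:03.240 IP 192.168.10.77.2003 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
09:15:03.250 IP 192.168.10.77.2004 > 198.51.100.8.25: Flags [S], seq 1, win 65535, length 0
09:15:03.260 IP 192.168.10.77.2005 > 198.51.100.8.25: Flags [P.], seq 1:30, ack 1, win 65535, length 29
09:15:04.000 IP 192.168.10.40.3333 > 203.0.113.10.25: S 5:5(0) win 65535
garbage line that does not parse
"""

# '<time> IP <src>.<sport> > <dst>.<dport>: <rest>'
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
# A client SYN is 'Flags [S]' in current tcpdump and a leading 'S ' in old releases.
SYN_RE = re.compile(r"Flags \[S\]|^S ")


def smtp_syns(text):
    """Yield (src, dst) for every SYN to TCP/25 sent from the internal network.
    SYN-ACKs come from port 25, not to it, so the dport filter drops them."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m or m.group("dport") != "25" or not SYN_RE.search(m.group("rest")):
            continue
        src = ipaddress.ip_address(m.group("src"))
        if src in INTERNAL_NET:
            yield str(src), m.group("dst")


def summarize(text):
    """Return {src: {"syns": count, "dests": sorted distinct destinations}}."""
    stats = defaultdict(lambda: {"syns": 0, "dests": set()})
    for src, dst in smtp_syns(text):
        stats[src]["syns"] += 1
        stats[src]["dests"].add(dst)
    return {s: {"syns": v["syns"], "dests": sorted(v["dests"])} for s, v in stats.items()}


def suspects(text, relay=MAIL_RELAY, max_dests=MAX_DISTINCT_DESTS):
    """Hosts sending SMTP anywhere but the relay; 'fanout' marks the heavy ones,
    which is the classic footprint of a spam bot delivering directly to MX hosts."""
    out = {}
    for src, v in summarize(text).items():
        foreign = [d for d in v["dests"] if ipaddress.ip_address(d) != relay]
        if foreign:
            out[src] = {"foreign": foreign, "fanout": len(v["dests"]) > max_dests}
    return out


if __name__ == "__main__":
    for src, info in sorted(suspects(SAMPLE_LOG).items()):
        tag = "FANOUT" if info["fanout"] else "direct-smtp"
        print(f"{src}: {tag}, external peers: {', '.join(info['foreign'])}")
```

Run it against the real file with `suspects(open("smtp_log.txt").read())`; on a switched LAN remember that the capture only sees what passes the router or the mirrored ports, so a host that is absent from the report may simply be invisible to the sniffer.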

Honeypot application

As a trap (honeypot) you can use an outdated computer that is too slow for production work. For example, in the author's network a Pentium Pro with 64 MB of RAM is successfully used as a trap. On this PC you should install the operating system most common on the LAN and choose one of two strategies:

  • Install an operating system without service packs - it will be an indicator of the appearance of an active network worm on the network that exploits any of the known vulnerabilities for this operating system;
  • install an operating system with updates that are installed on other PCs in the network - Honeypot will be an analogue of any of the workstations.

Each strategy has its pros and cons; the author mostly uses the no-updates option. After creating the honeypot, you should make a disk image so that the system can be restored quickly after being damaged by malware. As an alternative to a disk image you can use change-rollback systems such as ShadowUser and its analogues. When building a honeypot, bear in mind that a number of network worms look for victims by scanning IP ranges derived from the address of the infected PC (typical strategies are X.X.X.*, X.X.X+1.*, X.X.X-1.*), so ideally there should be a honeypot on each subnet. As additional preparation, open shared access to several folders on the honeypot and place several sample files of various formats in them; the minimum set is EXE, JPG, MP3.

Naturally, having created a honeypot, the administrator must monitor it and respond to any anomalies found on it. File-integrity auditors can be used to record changes, and a sniffer to record network activity. An important point is that most sniffers can be configured to send an alert to the administrator when a given kind of network activity is detected. For example, in the CommView sniffer a rule is specified either as a "formula" describing a network packet or as quantitative criteria (more than a given number of packets or bytes per second, packets sent to unknown IP or MAC addresses) (Fig. 2).

Fig. 2. Creating and configuring a network activity alert

The best way to alert is by e-mail to the administrator's mailbox; in this case you receive real-time alerts from all traps on the network. In addition, if the sniffer allows several alerts to be created, it makes sense to differentiate the network activity by separating e-mail, FTP/HTTP, TFTP, Telnet, MS Net, and increased traffic of more than 20-30 packets per second on any protocol (Fig. 3).

Fig. 3. Notification e-mail sent when packets matching the specified criteria are found

When setting up a trap, it is a good idea to place on it several of the vulnerable network services used on the network, or to install an emulator of them. The simplest (and free) one is the author's APS utility, which runs without installation. APS works by listening on a set of TCP and UDP ports described in its database and returning a predefined or randomly generated response when a connection is made (Fig. 4).

Fig. 4. The main window of the APS utility

The figure shows a screenshot taken during real APS operation in the Smolenskenergo LAN. As can be seen, one of the client computers attempted to connect to port 21. Analysis of the logs showed that the attempts are periodic and are recorded by several traps in the network, which leads to the conclusion that the network is being scanned to find and break into FTP servers by guessing passwords. APS logs connections to the monitored ports and can send messages to the administrators reporting them, which is useful for quickly detecting network scans.
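To make the principle concrete, here is an added example of a minimal APS-style port-listener trap in Python; it is not APS and not code from the article. It listens on a set of TCP ports, sends a canned banner on connect, reads the first bytes the client sends and records each connection; the ports and banners are assumptions, and UDP listeners are omitted. The self-test at the bottom uses a loopback connection to an ephemeral port.

```python
"""Minimal port-listener trap in the spirit of APS: listen on several TCP
ports, answer with a canned banner, record who connected and what they sent.
Added example; not APS and not code from the original article."""
import socket
import socketserver
import threading
import time

# Hypothetical banner table (assumption): TCP port -> bytes sent on connect.
BANNERS = {
    21: b"220 ftp.example.local FTP server ready\r\n",
    23: b"\r\nlogin: ",
    25: b"220 mail.example.local ESMTP\r\n",
}


class TrapHandler(socketserver.BaseRequestHandler):
    """Serve one connection: send the banner, read the first bytes, log the visit."""

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        listen_port = self.server.server_address[1]
        try:
            self.request.sendall(self.server.banner)
            self.request.settimeout(2.0)
            first = self.request.recv(256)   # b"" if the scanner just closed
        except OSError:                       # reset or timeout: still worth logging
            first = b""
        self.server.log.append({
            "time": time.time(), "src": src_ip, "sport": src_port,
            "port": listen_port, "data": first,
        })


class TrapServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_addr, banner, log):
        self.banner = banner
        self.log = log          # shared list: one record per connection
        super().__init__(bind_addr, TrapHandler)


def start_traps(bind_ip="0.0.0.0", banners=BANNERS, log=None):
    """Start one listener per port, each in its own thread. Port 0 = any free port.
    Returns (servers, log)."""
    log = [] if log is None else log
    servers = []
    for port, banner in banners.items():
        srv = TrapServer((bind_ip, port), banner, log)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers, log


def stop_traps(servers):
    for srv in servers:
        srv.shutdown()
        srv.server_close()


def wait_for_records(log, count, timeout=5.0):
    """Block until the log holds at least `count` records (handlers run in threads)."""
    deadline = time.time() + timeout
    while len(log) < count and time.time() < deadline:
        time.sleep(0.05)
    return len(log) >= count


def probe(ip, port, payload=b""):
    """Client side, used for the self-test: connect, read the banner, send payload."""
    with socket.create_connection((ip, port), timeout=2.0) as conn:
        banner = conn.recv(256)
        if payload:
            conn.sendall(payload)
    return banner


if __name__ == "__main__":
    # Self-test on loopback with an ephemeral port. In real use, bind the real
    # ports on the trap machine and forward each log record by e-mail.
    servers, log = start_traps("127.0.0.1", {0: BANNERS[21]})
    port = servers[0].server_address[1]
    print("banner:", probe("127.0.0.1", port, b"USER anonymous\r\n"))
    wait_for_records(log, 1)
    stop_traps(servers)
    for rec in log:
        print(f"{rec['src']}:{rec['sport']} -> port {rec['port']} sent {rec['data']!r}")
```

Periodic connections to the same trap port from one source, as in the FTP scan described above, show up as a run of records with the same src and port; the first bytes captured (a USER command, an HTTP request line) tell you what the scanner was after.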

When building a Honeypot, it is also helpful to look at online resources on the subject, such as http://www.honeynet.org/. In the Tools section of this site (http://www.honeynet.org/tools/index.html) you can find a number of tools for recording and analyzing attacks.

Remote malware removal

Ideally, after malware samples are detected, the administrator sends them to the anti-virus laboratory, where analysts quickly study them and add the corresponding signatures to the anti-virus databases. The signatures reach users' PCs through automatic updates, and the antivirus removes the malware without administrator intervention. However, this chain does not always work as expected; in particular, the following failures are possible:

  • for various reasons beyond the network administrator's control, the samples may not reach the anti-virus laboratory;
  • the anti-virus laboratory may respond slowly - ideally it takes no more than 1-2 hours to study the samples and add them to the databases, so updated signatures arrive within the working day, but not all laboratories work that fast, and updates may take several days (in rare cases even weeks);
  • the antivirus may have been disabled - a number of malicious programs, after activation, destroy antiviruses or otherwise disrupt their work. Classic examples are adding entries to the hosts file that block the antivirus auto-update system, killing antivirus processes, services and drivers, corrupting their settings, etc.

Therefore, in these situations you will have to deal with the malware manually. In most cases this is not difficult, since the analysis described above has already identified the infected PCs and the full names of the malware files. It remains only to remove them remotely. If the malicious program does not protect itself from removal, it can be destroyed with an AVZ script of the following form:

begin
  // Delete file
  DeleteFile('file name');
  // Heuristic cleaning of the system
  ExecuteSysClean;
end.

This script deletes one specified file (or several files, since a script can contain any number of DeleteFile commands) and then automatically cleans the registry. It is good practice to call QuarantineFile for the same name before DeleteFile, so that a copy of the sample survives for analysis. In a more complex case the malicious program may protect itself from deletion (for example, by recreating its files and registry keys) or hide itself using rootkit techniques. In this case the script becomes more complicated and looks like this:

begin
  // Anti-rootkit
  SearchRootkit(true, true);
  // Enable AVZGuard
  SetAVZGuardStatus(true);
  // Delete file
  DeleteFile('file name');
  // Enable BootCleaner logging
  BC_LogFile(GetAVZDirectory + 'boot_clr.log');
  // Import into the BootCleaner task the list of files deleted by the script
  BC_ImportDeletedList;
  // Activate BootCleaner
  BC_Activate;
  // Heuristic cleaning of the system
  ExecuteSysClean;
  RebootWindows(true);
end.

This script includes active countermeasures against rootkits, the AVZGuard system (a blocker of malware activity) and the BootCleaner system. BootCleaner is a kernel-mode driver that deletes the specified objects during reboot, at an early stage of system start-up before the malware gets a chance to run. Practice shows that such a script destroys the vast majority of existing malware. The exception is malware that renames its executable files on every reboot; the files found while examining the system may already have different names by the time the script runs. In that case the computer has to be disinfected manually, or you have to create your own malware signatures (an example of a script implementing a signature search is given in the AVZ help).

Conclusion

In this article we looked at some practical techniques for dealing with a LAN epidemic manually, without relying on antivirus products. Most of the described techniques can also be used to search for third-party software and Trojan implants on users' computers. If you have difficulty finding malware or creating disinfection scripts, you can use the "Help" section of the http://virusinfo.info forum or the "Fighting Viruses" section of the forum http://forum.kaspersky.com/index.php?showforum=18. Log analysis and assistance with disinfection are provided on both forums free of charge; PC analysis is carried out from the AVZ logs, and in most cases disinfection comes down to executing on the infected PCs an AVZ script compiled by the experienced specialists of these forums.

As you can see, there have been plenty of them, and all of them are very dangerous for the affected systems. It is important not only to update the system in time to protect against new vulnerabilities, but also to make sure that your system does not still contain vulnerabilities that were fixed long ago and that attackers can still use.

This is where Linux vulnerability scanners come to the rescue. Vulnerability analysis tools are one of the most important components of every company's security system. Checking applications and systems for old vulnerabilities is a must. In this article, we'll take a look at the best open source vulnerability scanners you can use to find vulnerabilities in your systems and programs. All of them are completely free and can be used both by ordinary users and in the corporate sector.

1. OpenVAS

OpenVAS, or Open Vulnerability Assessment System, is a complete open source vulnerability discovery platform. It is based on the source code of the Nessus scanner: Nessus was initially distributed as open source, but the developers later closed the code, and in 2005 OpenVAS was created as a fork of the last open version of Nessus.

The program consists of server and client parts. The server that performs the main work of scanning systems runs only on Linux, and client programs support Windows, too, and the server can be accessed via a web interface.

The core of the scanner is more than 36,000 different checks for vulnerabilities and is updated every day with the addition of new, newly discovered ones. The program can detect vulnerabilities in running services, as well as look for incorrect settings, such as lack of authentication or very weak passwords.

2. Nexpose Community Edition

This is another Linux vulnerability scanner, developed by Rapid7, the company that also releases Metasploit. Unlike OpenVAS it is not open source, although the Community edition is free. The scanner can detect up to 68,000 known vulnerabilities and perform over 160,000 network checks.

The Community version is free, but it is limited to scanning 32 IP addresses and a single user, and the license must be renewed every year. There is no web application scanning, but it does support automatic updating of the vulnerability database and obtaining vulnerability information from Microsoft patch data.

The program can be installed not only on Linux, but also on Windows, and management is performed through a web interface. With it, you can set scan parameters, ip addresses and other necessary information.

After the scan is completed, you will see a list of vulnerabilities, as well as information about the installed software and the operating system on the server. You can also create and export reports.

3. Burp Suite Free Edition

Burp Suite is a web vulnerability testing tool written in Java. It consists of an intercepting proxy, a spider, a tool for crafting and replaying individual requests (Repeater) and a tool for automated, high-volume attacks such as fuzzing and brute forcing (Intruder). Note that the free edition does not include the automated vulnerability scanner; that is a paid feature.

With Burp you can test web applications. For example, using the proxy you can intercept and inspect all passing traffic and modify it if necessary, which lets you simulate many situations. The spider helps map the application and find web vulnerabilities, and the request tools help you check how the server handles malformed or repeated requests.

4. Arachni

Arachni is a fully featured open source web application testing framework written in Ruby. It allows you to evaluate the security of web applications and websites by performing various penetration tests.

The program supports authenticated scanning, custom headers, User-Agent spoofing and detection of custom 404 pages. It has both a web interface and a command line interface, a scan can be paused and resumed, and in general everything works very quickly.

5. OWASP Zed Attack Proxy (ZAP)

OWASP Zed Attack Proxy is another comprehensive tool for finding vulnerabilities in web applications. All standard features for this kind of program are supported: you can scan ports, map the site structure, look for many known vulnerabilities and fuzz the application with repeated or malformed requests.

The program works over HTTPS and supports various upstream proxies. Since it is written in Java, it runs wherever a Java runtime is available and is easy to install and use. In addition to the core features, a large number of add-ons extend its functionality.

6. Clair

Clair is a Linux vulnerability finder for containers. The program keeps a list of vulnerabilities that can be dangerous for containers and warns the user if such vulnerabilities are found on your system. It can also send notifications when new vulnerabilities appear that make existing containers unsafe.

Each container is checked once, and it does not need to be running to be checked: the program can extract all the necessary data from a stopped container. This data is stored in a cache so that the user can be notified about vulnerabilities found later.

7. Powerfuzzer

Powerfuzzer is a full featured, automated and highly customizable web crawler that lets you test how your web application responds to bad data and repeated requests. The tool only supports the HTTP protocol and can detect vulnerabilities such as XSS, SQL injection, LDAP injection, CRLF injection and XPath injection. It also tracks HTTP 500 errors, which may indicate a misconfiguration or even a more serious problem such as a buffer overflow.

8. Nmap

Nmap is not exactly a vulnerability scanner for Linux. The program lets you scan the network, find out which hosts are connected to it and determine which services are running on them. This does not give exhaustive information about vulnerabilities, but from it you can guess which software may be vulnerable and check for weak passwords. It is also possible to run special scripts that identify some vulnerabilities in certain software.

Conclusions

In this article we reviewed the best Linux vulnerability scanners; they help you keep your system and applications secure. We looked at programs that scan either the operating system itself or web applications and sites.

To finish, you can watch a video about what vulnerability scanners are and why they are needed:

Comparative analysis of security scanners. Part 1: Penetration Test (Short Summary)

Alexander Antipov

This paper presents the results of a comparison of network security scanners during penetration tests against network perimeter nodes.


Lepikhin Vladimir Borisovich
Head of the Network Security Laboratory of the Informzaschita Training Center

All materials of the report are objects of intellectual property of the Informzaschita training center. Replication, publication or reproduction of the materials of the report in any form is prohibited without the prior written consent of the Informzaschita Training Center.

Full text of the study:
http://www.itsecurity.ru/news/reliase/2008/12_22_08.htm

1. Introduction

Network security scanners are an ideal subject for comparison. They are all very different, because of the specific tasks they are intended for, because of their "dual" purpose (a network security scanner can be used both for defence and "for attack", and hacking, as you know, is a creative task), and finally because behind each such tool is the flight of its creator's "hacker" thought (in the original sense of the word).

When choosing the conditions for comparison, the “task-based” approach was taken as the basis, so the results can be used to judge how suitable this or that tool is for solving the task assigned to it. For example, network security scanners can be used:

  • for inventory of network resources;
  • during the "penetration tests";
  • in the process of checking systems for compliance with various requirements.

This paper presents the results of a comparison of network security scanners during penetration tests against network perimeter nodes. The following were evaluated:

  • Number of vulnerabilities found
  • Number of false positives
  • Number of misses (false negatives)
  • Reasons for the misses
  • Completeness of the database of checks (in the context of this task)
  • Quality of the inventory mechanisms and of software version identification
  • Accuracy of the scanner (in the context of this task)

The listed criteria together characterize the “suitability” of the scanner for solving the task assigned to it, in this case it is the automation of routine actions in the process of monitoring the security of the network perimeter.

2. Brief description of the participants in the comparison

Before the start of the comparison, the portal conducted a survey, the purpose of which was to collect data on the scanners used and the tasks for which they are used.

About 500 respondents (portal visitors) took part in the survey.

When asked about the security scanners they use in their organizations, the vast majority of respondents said they use at least one security scanner (70%). At the same time, organizations that regularly use security scanners to analyze the security of their information systems prefer to use more than one product of this class. 49% of respondents answered that their organizations use two or more security scanners (Figure 1).


Fig. 1. Distribution of respondent organizations by number of security scanners used

The reasons for using more than one security scanner are distrust of solutions from a single vendor (61%) and the need for specialized checks (39%) that an integrated security scanner cannot perform (Fig. 2).

Fig. 2. Reasons for using more than one security scanner in the organizations of the interviewed respondents

Answering the question for what purposes specialized security scanners are used, the majority of respondents answered that they are used as additional tools for analyzing the security of Web applications (68%). In second place were specialized DBMS security scanners (30%), and in third place (2%) were self-developed utilities for solving a specific range of tasks for analyzing the security of information systems (Fig. 3).


Fig. 3. Purposes of using specialized security scanners in the organizations of the interviewed respondents

The survey question about the specific products used (Fig. 4) showed that most organizations prefer Positive Technologies XSpider (31%) and Nessus Security Scanner (17%).


Fig. 4. Security scanners used in the organizations of the interviewed respondents

The scanners presented in Table 1 were selected to participate in the tests.

Table 1. Network Security Scanners Used in the Comparison

Name                              Version             URL
Nessus                            -                   http://www.nessus.org/download
MaxPatrol                         8.0 (Build 1178)    http://www.ptsecurity.ru/maxpatrol.asp
Internet Scanner                  -                   http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027208
Retina Network Security Scanner   -                   http://www.eeye.com/html/products/retina/index.html
Shadow Security Scanner (SSS)     7.141 (Build 262)   http://www.safety-lab.com/en/products/securityscanner.htm
NetClarity Auditor                -                   http://netclarity.com/branch-nacwall.html

So, the first test is focused on the task of evaluating the security of systems for resistance to hacking.

3. Summing up

The results for the remaining nodes were calculated in a similar way. After calculating the results, the following table was obtained (Table 2).

Table 2. Final results for all scanned objects

Columns (scanners): Internet Scanner, Shadow Security Scanner, NetClarity Auditor

Rows (indicators):
  • Identification of services and applications, points
  • Vulnerabilities found, total
  • Of which false positives
  • Found correctly (out of 225 possible)
  • Misses (false negatives)
  • Of these, due to absence from the database of checks
  • Of these, caused by the need for authentication
  • Of these, for other reasons

3.1 Identification of services and applications

For the identification of services and applications the points were simply summed, with one point deducted for each erroneous identification of a service or application (Fig. 5).


Fig. 5. Results of identifying services and applications

The highest score (108) was scored by the MaxPatrol scanner, slightly less (98) by the Nessus scanner. Indeed, in these two scanners, the procedure for identifying services and applications is implemented very efficiently. This result can be called quite expected.

Next come Internet Scanner and NetClarity. Internet Scanner, for example, relies on applications using their standard ports, which largely explains its low result. Finally, NetClarity has the worst result. Although it identifies services well (after all, it is based on the Nessus 2.x engine), its overall poor result is explained by the fact that it did not identify all open ports.

3.2 Vulnerability identification

Fig. 6 shows the total number of vulnerabilities found by each scanner and the number of false positives. The largest number of vulnerabilities was found by MaxPatrol; second, though already by a significant margin, was again Nessus.
The leader in the number of false positives was Shadow Security Scanner. This is understandable: the examples of errors given above related precisely to its checks.


Fig. 6. Found vulnerabilities and false positives

In total, 225 vulnerabilities were found by all scanners on all 16 nodes (and subsequently confirmed by manual verification). The results were distributed as in Fig. 7. The largest number of vulnerabilities, 155 out of 225 possible, was detected by MaxPatrol. Second was Nessus (its result is almost two times worse), followed by Internet Scanner and then NetClarity.
During the comparison the reasons for missing vulnerabilities were analyzed, and the misses caused by the absence of a check in the database were separated out. The following diagram (Fig. 8) shows why the scanners missed vulnerabilities.


Fig. 7. Found vulnerabilities and misses


Fig. 8. Reasons for missing vulnerabilities

Now a few indicators derived from these figures.

Fig. 9 shows the ratio of the number of false positives to the total number of vulnerabilities found; in a certain sense this indicator can be called the accuracy of the scanner. After all, the user first of all deals with the list of vulnerabilities reported by the scanner, from which the correctly found ones have to be picked out.


Fig. 9. The accuracy of the scanners

From this diagram you can see that the highest accuracy (95%) was achieved by MaxPatrol. Although its number of false positives is not the lowest, this accuracy was achieved thanks to the large number of vulnerabilities found. Internet Scanner is next in detection accuracy; it showed the lowest number of false positives. SSS has the lowest result, which is not surprising given the large number of false positives noticed during the comparison.

Another calculated indicator is the completeness of the base (Fig. 10). It is the ratio of the number of correctly found vulnerabilities to the total number of vulnerabilities (in this case 225) and characterizes the scale of the "misses".


Fig. 10. Completeness of the base

This diagram shows that the base of the MaxPatrol scanner is the most adequate for the task.
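The scoring used in sections 3.1 and 3.2 and the two derived indicators (accuracy in Fig. 9, completeness of the base in Fig. 10), carried through in Python on constructed data as an added example. This is not the paper's data or tooling: the scanner names, the ground-truth service inventory, the ten-vulnerability "confirmed set" standing in for the paper's 225, the miss-reason table and the function names are all illustrative assumptions. It goes slightly beyond the text by handling any number of scanners and classifying misses by the reason categories of Fig. 8.

```python
"""Scoring model from sections 3.1 and 3.2 of the comparison, written as an
added example on constructed data (not the paper's own data or tooling).
ScanResult, score_identification, score_vulnerabilities, rank_scanners and
all sample constants below are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class ScanResult:
    """One scanner's output for the whole test bed (constructed sample)."""
    scanner: str
    services: dict   # (host, port) -> service/application name the scanner reported
    findings: set    # vulnerability ids the scanner reported


# Constructed ground truth, standing in for the paper's manually verified
# service inventory and its 225 confirmed vulnerabilities.
TRUTH_SERVICES = {
    ("host1", 22): "OpenSSH",
    ("host1", 80): "Apache",
    ("host2", 25): "Postfix",
    ("host2", 1723): "PPTP",
}
TRUTH_VULNS = {f"V{i}" for i in range(1, 11)}   # ten confirmed vulnerabilities

# Two constructed scanners: A is thorough with one false positive and one
# wrong service identification, B is sparse and noisy.
SCANNER_A = ScanResult(
    "ScannerA",
    services={("host1", 22): "OpenSSH", ("host1", 80): "Apache", ("host2", 25): "Sendmail"},
    findings={"V1", "V2", "V3", "V4", "V5", "V6", "V7", "V8", "X1"},
)
SCANNER_B = ScanResult(
    "ScannerB",
    services={("host1", 22): "OpenSSH", ("host2", 1723): "PPTP"},
    findings={"V1", "V2", "V3", "X1", "X2", "X3"},
)

# Why a given scanner missed a given vulnerability (the Fig. 8 categories).
# Any miss not listed here is counted under "other".
MISS_REASONS = {
    ("ScannerA", "V9"): "needs_auth",
    ("ScannerA", "V10"): "no_check",
    ("ScannerB", "V4"): "no_check",
    ("ScannerB", "V5"): "no_check",
    ("ScannerB", "V6"): "no_check",
    ("ScannerB", "V7"): "needs_auth",
    ("ScannerB", "V8"): "needs_auth",
    ("ScannerB", "V9"): "needs_auth",
}


def score_identification(result, truth_services):
    """Section 3.1: one point per correctly identified service or application,
    one point deducted per wrong identification. Ports the scanner never
    reported neither score nor lose points, which is why a scanner that
    misses open ports ends up with a low total."""
    points = 0
    for key, reported in result.services.items():
        points += 1 if truth_services.get(key) == reported else -1
    return points


def score_vulnerabilities(result, truth_vulns, miss_reasons):
    """Section 3.2: totals, false positives, misses by reason and the two
    derived indicators. 'accuracy' (Fig. 9) is the share of reported findings
    that are real, i.e. the complement of the false-positive ratio;
    'completeness' (Fig. 10) is the share of the confirmed set that was found."""
    correct = result.findings & truth_vulns
    false_positives = result.findings - truth_vulns
    missed = truth_vulns - result.findings
    by_reason = {"no_check": 0, "needs_auth": 0, "other": 0}
    for vuln in missed:
        by_reason[miss_reasons.get((result.scanner, vuln), "other")] += 1
    found_total = len(result.findings)
    return {
        "scanner": result.scanner,
        "found_total": found_total,
        "false_positives": len(false_positives),
        "correct": len(correct),
        "missed": len(missed),
        "missed_by_reason": by_reason,
        "accuracy": len(correct) / found_total if found_total else 0.0,
        "completeness": len(correct) / len(truth_vulns),
    }


def rank_scanners(results, truth_vulns, miss_reasons):
    """Order scanners the way the paper reads its Table 2: by correctly found
    vulnerabilities first, then by accuracy."""
    scored = [score_vulnerabilities(r, truth_vulns, miss_reasons) for r in results]
    return sorted(scored, key=lambda s: (s["correct"], s["accuracy"]), reverse=True)


if __name__ == "__main__":
    for res in (SCANNER_A, SCANNER_B):
        print(res.scanner, "identification points:",
              score_identification(res, TRUTH_SERVICES))
    for row in rank_scanners([SCANNER_A, SCANNER_B], TRUTH_VULNS, MISS_REASONS):
        print(f"{row['scanner']}: found {row['found_total']}, correct {row['correct']}, "
              f"FP {row['false_positives']}, accuracy {row['accuracy']:.0%}, "
              f"completeness {row['completeness']:.0%}, misses {row['missed_by_reason']}")
```

The identification score deliberately ignores ports a scanner never reported, which reproduces the NetClarity effect described in section 3.1: a scanner can identify what it sees correctly and still score low because it saw too little. Splitting misses by reason separates "not in the database" from "needs credentials", which is the distinction the paper uses to explain the gap between Nessus and MaxPatrol.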

4. Conclusion

4.1 Comments on leader results: MaxPatrol and Nessus

The first place according to all the criteria of this comparison goes to the MaxPatrol scanner, the second place is taken by the Nessus scanner, the results of other scanners are significantly lower.

Here it is appropriate to recall one of the documents prepared by the US National Institute of Standards and Technology (NIST), namely, "Guideline on Network Security Testing". It states that it is recommended to use at least two security scanners when monitoring the security of computer systems.

There is, in fact, nothing unexpected or surprising in this result. It is no secret that XSpider (MaxPatrol) and Nessus are popular among both security specialists and crackers, and the survey results above confirm this. Let us try to analyze the reasons for the clear leadership of MaxPatrol (this partly applies to Nessus as well) and the reasons why the other scanners "lost". First of all, it is the high-quality identification of services and applications. Inference-based checks (of which quite a few were used here) depend heavily on the accuracy of the information gathered, and the identification of services and applications in MaxPatrol has been brought almost to perfection. Here is one telling example.
The second reason for MaxPatrol's success is the completeness of its database and its adequacy to the task and to "today" in general. The results show that the base of checks in MaxPatrol has been significantly expanded, detailed and "tidied up", and the obvious "tilt" towards web applications is compensated by the expansion of checks in other areas; for example, the scan results for the Cisco router included in the comparison were impressive.

The third reason is a qualitative analysis of application versions, taking into account operating systems, distributions, and various “branches”. You can also add the use of different sources (vulnerability databases, notifications and vendor bulletins).

Finally, we can also add that MaxPatrol has a very convenient and logical interface that reflects the main stages of the work of network security scanners. And this is important. The link “node, service, vulnerability” is very convenient for perception (Ed. note, this is the subjective opinion of the author of the comparison). And especially for this task.

Now about shortcomings and "weak" places. Since MaxPatrol turned out to be the leader of the comparison, then criticism of it will be “maximum”.

First, the so-called "loss in the details". Having a very high-quality engine, it is important to offer an appropriate additional service: for example, a convenient toolkit for doing something manually, vulnerability search tools, and the ability to fine-tune the system. MaxPatrol continues the tradition of XSpider and focuses as much as possible on the "click and it works" ideology. On the one hand this is not bad; on the other hand it limits the "meticulous" analyst.

Secondly, some services remained "uncovered" (you can judge this from the results of this comparison), for example, IKE (port 500).

Thirdly, in some cases an elementary cross-check of the results of two checks against each other is missing, as in the SSH case described above; that is, no conclusions are drawn from the results of several checks. For example, the operating system of host4 was classified as Windows, while the "vendor" of its PPTP service was classified as Linux. Could a conclusion be drawn from this? For example, the operating system section of the report could indicate that this is a "hybrid" node.

Fourthly, the description of checks leaves much to be desired. But here it should be understood that MaxPatrol is in unequal conditions with other scanners: a high-quality translation into Russian of all descriptions is a very time-consuming task.

The Nessus scanner showed, in general, good results, and in a number of moments it was more accurate than the MaxPatrol scanner. The main reason Nessus lags behind is missing vulnerabilities, but not because of the lack of checks in the database, like most other scanners, but due to implementation features. Firstly (and this is the reason for a significant part of the gaps), the Nessus scanner has been developing towards “local” or system checks, which involve connecting with an account. Secondly, the Nessus scanner takes into account fewer (compared to MaxPatrol) sources of information about vulnerabilities. It is somewhat similar to the SSS scanner, based mostly on SecurityFocus.

5. Limitations of this comparison

During the comparison, the capabilities of scanners were studied in the context of only one task - testing network perimeter nodes for resistance to hacking. For example, if we draw a car analogy, we saw how different cars behave, say, on a slippery road. However, there are other tasks, the solution of which by the same scanners may look completely different. In the near future, it is planned to compare scanners in the course of solving such problems as:

  • Auditing systems with an account (authenticated scanning)
  • PCI DSS compliance assessment
  • Scanning Windows systems

In addition, it is planned to compare scanners according to formal criteria.

During this comparison, only the "engine" itself was tested, or, in modern terms, the "brain" of the scanner. Opportunities in terms of additional services (reports, recording information about the progress of the scan, etc.) have not been evaluated or compared in any way.

Also, the degree of danger and the possibility of exploiting the vulnerabilities found were not assessed. Some scanners limited themselves to “minor” low-severity vulnerabilities, while others revealed really critical vulnerabilities that allow access to the system.