Data Gathering > Vulnerability Scanning:
A relatively new class of hacking tools, vulnerability scanners, allows the hacker to enumerate many of the known vulnerabilities on a remote server. Most vulnerabilities are discovered through a challenge-response approach: the scanner sends a constructed packet or request to the server and analyzes the response. For web application vulnerabilities, the scanner generally searches for errors in the server-side application such as SQL injection, cross-site scripting, or buffer overflows. Web application scanners are generally limited to HTTP requests, while server vulnerability scanners test every port and service on the server for known vulnerabilities. Some vulnerability scanners allow the hacker to scan a range of IP addresses, increasing the number of vulnerabilities found. Scanners may also be scripted or modified to quickly search for widespread or newly published vulnerabilities. Scanners are becoming more popular in the hacking community because they can check a number of hosts for thousands of known vulnerabilities very quickly.
Web scanners can easily discover a wide variety of possible vulnerabilities on a web server. The information they gather includes, but is not limited to: user names and passwords, directory and file structure, helper files, Java applets, Flash and ActiveX controls, hidden form data, query strings, cookie usage, hidden fields, client-side input validation, and vulnerable scripts or helper applications. Many of these items can be used properly and without security concerns; however, a web scanner can discover them quickly, leaving the hacker with many avenues for vulnerability discovery.
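As an added example (not code from the page or from any of the tools listed below), the following Python parser enumerates, from a constructed sample page, the client-side artifacts the text says a web scanner reports: HTML comments, hidden form fields, fields whose only input validation lives in the browser, and query-string parameters. Running it against your own pages before a scanner does shows what an attacker's scanner would see.

```python
from html.parser import HTMLParser

# Constructed sample page (not from any real site) containing the kinds of
# artifacts the text says a web scanner enumerates.
SAMPLE_HTML = """
<html><body>
<!-- TODO: remove debug login at /admin/debug.php before release -->
<form action="/login.php" method="post">
  <input type="text" name="user" maxlength="8" pattern="[a-z]+">
  <input type="password" name="pass">
  <input type="hidden" name="role" value="user">
  <input type="hidden" name="price" value="9.99">
</form>
<a href="/search.php?q=test&debug=1">search</a>
</body></html>
"""

class ScanSurfaceParser(HTMLParser):
    """Collects the client-side artifacts a web application scanner would report."""
    def __init__(self):
        super().__init__()
        self.comments = []           # HTML comments (may leak paths or notes)
        self.hidden_fields = []      # (form, name, value): values a client can tamper with
        self.client_validation = []  # (form, name): validation enforced only in the browser
        self.query_links = []        # (path, [param names]) for links carrying query strings
        self._form_action = None     # action of the form currently being parsed

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._form_action = a.get("action")
        elif tag == "input":
            if a.get("type") == "hidden":
                self.hidden_fields.append((self._form_action, a.get("name"), a.get("value")))
            if any(k in a for k in ("maxlength", "pattern")):
                self.client_validation.append((self._form_action, a.get("name")))
        elif tag == "a" and "?" in (a.get("href") or ""):
            path, _, query = a["href"].partition("?")
            params = [p.split("=", 1)[0] for p in query.split("&") if p]
            self.query_links.append((path, params))

def scan_surface(html):
    """Return the artifacts found in one page, grouped by category."""
    p = ScanSurfaceParser()
    p.feed(html)
    return {"comments": p.comments, "hidden_fields": p.hidden_fields,
            "client_validation": p.client_validation, "query_links": p.query_links}
```

Each hidden field and browser-only validation rule it lists is a value the server must re-check, since a scanner (or a hand-edited request) can change it freely.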
Server vulnerability scanners can be much more powerful for a hacker wanting to completely compromise a server, because they help discover vulnerabilities that are more likely to give the hacker an entry point into the target. Information gathered by server vulnerability scanners includes, but is not limited to: vulnerable scripts, web services and web applications, server management interfaces, server misconfigurations, the server operating system, authentication mechanisms, firewalls and load balancing systems, backend database connectivity, and an enumeration of all services running on the server.
Techniques:
Technique | Information Gathered
Web Application Scanners | Information regarding services and applications running on port 80 and over HTTP, HTTPS or web services; form problems and HTTP comments.
Server Vulnerability Scanners | Information regarding the server as a whole, including services, firewalls, and network topography.
Tools:
Nessus – Nessus is one of the most popular open source vulnerability scanners on the internet today. It can scan for thousands of vulnerabilities quickly and can also attack a server with some malicious requests. A Windows version of this tool is also available; it is sold as NeWT.
AppScan Audit Edition – AppScan can detect many common server misconfigurations as well as vulnerabilities. This scanner sets itself apart as a lockdown tool by providing detailed security reporting, best-practice guidance, and real-time assessment monitoring to catch regressions of security bugs found in the past.
Saint5 – Saint 5 is a non-intrusive network and system scanner. Saint is option-rich but also complex and difficult to understand at first, requiring more expertise and knowledge than some of its competitors. It does, however, offer a more complete reporting solution than any other product on the market.
GFI LANguard – GFI LANguard is one of the leading tools on the market for server security scanning. It scans a machine or range of machines for known vulnerabilities, presents a clean report and offers links to help repair any problems.
WebInspect – WebInspect is a vulnerability scanner that sets itself apart from other scanners by attacking the server at every level. You can specify a number of scans to be run, ranging from intrusive scans that should only be run internally to complete external scans that uncover both known and unknown vulnerabilities on a running production server.
Retina – Retina is an award winning scanner that uses a large fingerprint database to look for common vulnerabilities. The database is updated frequently to include new attacks as they are discovered.
Scando – After a complete website scan, Scando goes back and assesses each page for a number of different vulnerabilities, including parameter tampering, SQL injection, cookie tampering, and a number of other common attacks.
Provided by: Security Innovation, The Application Security Company