Description:
Retina is an award-winning scanner that uses a large fingerprint database to look for common vulnerabilities. The database is updated frequently to include new attacks as they are discovered. It is an integrated part of a larger product suite that includes advanced reporting and remediation technologies, but works just fine as a stand-alone product. Retina is the industry standard and includes the following notable features:
· Can automatically fix simple problems that require only a registry change
· Contains customizable reports for technical staff or executive-level consumption
· Scanning is easy to schedule using a built-in calendar and has many options for customization
· When a vulnerability is found, notification can be sent via email or instant messenger
· Contains a plug-in interface allowing you to add your own C or C++ modules to the product
· A browser view is included which shows a web page, its HTML, and an outline of the site structure. A site scan can be initiated from this interface, looking for common web-app and web-server vulnerabilities
· A traceroute tool is included
· The scanner is very fast at ~1 minute per IP address
· CHAM is a proactive AI-based attack tool that, when turned on, goes one step further than the scanner, proactively seeking security bugs through dynamic attacks
· You can add your own signatures to look for during the scan
Strengths:
· Fast scanning
· Easy to discover new machines
· Risk scoring
· Reactive scanner plus proactive attack engine
· Customizable reporting
· Some web-app tools
· Scanning is customizable in several ways: options/policies, self-created audits, plug-in modules
· Automatic Fix-it for easy bugs
· Easy UI for scheduling scans
· Vulnerability notification over email or IM
· Has won a large number of awards (Information Security, PCMag, Network World, etc.)
· When a problem is found, Retina gives additional information and links to the relevant Bugtraq article
Weaknesses:
· For a scheduled scan to run, Retina itself needs to be running; there is no service mode
· The Web-app Miner is separate from the standard scanner, requiring an additional step
· Primarily dependent on a signature repository (the outmoded anti-virus approach)
· CHAM only focuses on protocol testing, and then only on buffer-overflow (BO) and format-string attacks
· False positives. Many issues are raised with incomplete analysis. For instance, my router was flagged as vulnerable to an OpenSSH problem. However, there is no known exploit, nor is one possible unless you modify the configuration of this service to make it less secure. Retina checked nothing more than the fact that the service exists before flagging it as a high-severity problem.
Target:
webservers
Mitigation/Recommendation:
patched server
Price:
$2550 for 64 IP Address Scans
Penetration (7):
Popular
Simplicity (8):
Beginner. Requires very little skill to use for information gathering; scanning is automated and returns a set of attack vectors a hacker could use on each IP address scanned. It takes moderate skill to turn a scanned vulnerability into a real exploit, though each vulnerability contains references for more information that could be used to formulate an attack. Script kiddies would have to spend time searching for an already-built exploit. A real hacker should be able to build an exploit just with the information given. False positives will slow down the process but don't change the fact that many real vulnerabilities will be in the scan report.
Damage Potential (1):
Minimal. This is an ideal information-gathering and attack-planning tool. As the tool will report a huge variety of known vulnerabilities and vulnerability types, the damage potential is high. The scanner will paint big bull's-eyes on any weakness left open on any accessible machine. The CHAM feature gives this tool added punch, raising the likelihood that a previously unknown bug will be discovered in the protocol layer. CHAM is most likely to find buffer overruns, but it is possible it would find other bugs as well.