A vulnerability scanner is an automated program designed to look for weaknesses in computers, computer systems, networks, and applications. The program probes a system by sending data to it over a network and analyzing the responses received, in an effort to enumerate any vulnerabilities present on the target by using its vulnerability database as reference.
Various operating systems tend to respond differently when sent particular network probes because of the different networking implementations in use. These unique responses serve as a fingerprint that the vulnerability scanner uses to determine the operating system version and even its patch level. A vulnerability scanner can also use a given set of user credentials to log into the remote system and enumerate the software and services to determine whether they are patched. With the results it obtains, the scanner presents a report outlining any vulnerabilities detected on the system. That report can be useful for both network administrators and penetration testers.
Vulnerability scanners generally create a lot of traffic on a network and are therefore not typically used in a penetration test when one of the objectives is to remain undetected. If, however, you are running a penetration test and stealth is not an issue, a vulnerability scanner can save you from having to probe systems manually to determine their patch levels and vulnerabilities.
Whether you use an automated scanner or do it manually, scanning is one of the most important steps in the penetration testing process; if done thoroughly, it will provide the best value to your client. In this chapter, we will discuss a number of vulnerability scanners and how they can be integrated within Metasploit. We’ll highlight some auxiliary modules in the Metasploit Framework that can locate specific vulnerabilities in remote systems.
Let’s look at how a scan works at the most basic level. In the following listing, we use netcat to grab a banner from the target 192.168.1.203. Banner grabbing is the act of connecting to a remote network service and reading the service identification (banner) that is returned. Many network services such as web, file transfer, and mail servers return their banner either immediately upon connecting to them or in response to a specific command. Here we connect to a web server on TCP port 80 and issue a GET HTTP request that allows us to look at the header information that the remote server returns in response to our request.
root@bt:/opt/framework3/msf3#nc 192.168.1.203 80GET HTTP 1/1HTTP/1.1 400 Bad RequestServer:
Microsoft-IIS/5.1
The information returned at tells us that the system running on port 80 is a Microsoft IIS 5.1–based web server. Armed with this information, we could use a vulnerability scanner, as shown in Figure 4-1, to determine whether this version of IIS has any vulnerabilities associated with it and whether this particular server has been patched.
Of course, in practice, it’s not that simple. Vulnerability scans often contain many false positives (reported vulnerability where none exists) and false negatives (failure to log a vulnerability where one exists) due to subtle differences in system and application configurations. In addition, the creators of vulnerability scanners have an incentive to report positives: The more “hits” a vulnerability scanner finds, the better it looks to a potential buyer. Vulnerability scanners are only as good as their vulnerabilities database, and they can easily be fooled by misleading banners or inconsistent configurations.
Let’s take a look at some of the more useful vulnerability scanners, including NeXpose, Nessus, and some specialized scanners.
