General Scanners

There are several scanners that are general vulnerability scanners. These should be a part of your toolset for penetration testing. We will look at a few of the more common scanners in this section.

MBSA

Microsoft Baseline Security Analyzer (MBSA) is not the most robust vulnerability scanner. However, it is a free download, and in addition to finding vulnerabilities, it is useful for finding configuration issues on Windows machines. You can download MBSA from:

In addition to being free, it is very easy to use. You can see the output from MBSA in Figure 8-10.

MBSA is a limited vulnerability scanner. It is primarily used just to find common, basic Microsoft issues; however, it is a free download and remarkably easy to use. For that reason, it should certainly at least be considered.

FIGURE 8-10 MBSA Output.

Nessus

Nessus is a well-known vulnerability scanner. It has been used for many years. Unfortunately, it is not free. The license is over $2,100 per year and can be obtained from https://www.tenable.com/. Its price has been a barrier for many penetration testers. The primary advantage of Nessus is that the vendor is constantly updating the vulnerabilities it can scan for. Nessus also has a very easy-to-use web interface as shown in Figure 8-11.

FIGURE 8-11 Nessus Main Screen.

The first step is to select New Scan. You then are given a number of options, shown in Figure 8-12.

FIGURE 8-12 Nessus Scan Options.

For our purposes, select a Basic Network Scan. The basic settings are intuitive. You have to name your scan and select a range of IP addresses, as demonstrated in Figure 8-13.

FIGURE 8-13 Nessus Options.

Then you can either schedule the scan to run later, or launch it now. A Nessus scan can take some time to run, because it is quite thorough. The results are presented in a very organized screen, as you can see in Figure 8-14.

FIGURE 8-14 Nessus Results.

You then drill down on any item of interest. First you double-click on a specific IP address, which will show you the details for that IP, as displayed in Figure 8-15.

FIGURE 8-15 Nessus Results: Detailed.

You can then double-click on any individual item for more details. This provides a description of the issue and guidance on how to remediate it.

Nexpose

Nexpose is another commercial product. It is from Rapid7, the vendor that distributes Metasploit. You can find Nexpose at https://www.rapid7.com/products/nexpose/. There is a free trial version that you can download and experiment with. This tool is distributed as a Linux virtual machine and takes some effort to learn. Given that it comes from the same vendor as Metasploit, it has received significant market attention.

SAINT

SAINT is a well-known vulnerability scanner. It is available at http://www.saintcorporation.com/, and you can request a free trial version. It scans the network for any TCP or UDP services, then scans the machines offering those services for vulnerabilities. It uses Common Vulnerabilities and Exposures (CVE) entries as well as CERT advisories as references.
