KBTAG: kben10000059
URL: http://www.securityportal.com/lskb/10000050/10000059.html
Date created: 17/07/2000
Date modified: 07/10/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Network based security scanners
Keywords: Network
Scanning your networks is a quick way to build up a list of problems that need fixing, and to track the "health" of your network over time. Intrusion scanners are one evolutionary step up from network scanners: these packages actually identify vulnerabilities, and in some cases let you actively try to exploit them. If your machines are susceptible to these attacks, you need to start fixing things, because any attacker can get these programs and use them against you.
kben10000153 - Firewalker - a firewall intrusion scanner
Nessus is relatively new but is fast shaping up to be one of the best intrusion scanning tools. It has a client/server architecture: the server currently runs on Linux, FreeBSD, NetBSD and Solaris, clients are available for Linux and Windows, and there is a Java client. Communication between the server and client is encrypted for added security; all in all it is a very slick piece of code. Nessus supports port scanning and attacking based on IP addresses or host name(s). It can also search through network DNS information and attack related hosts at your behest. Nessus is relatively slow in attack mode, which is hardly surprising. However, it currently has over 200 attacks and a plug-in language so you can write your own. Nessus is available from http://www.nessus.org/.
Saint is the sequel to Satan, a network security scanner made (in)famous by the media a few years ago (there were great worries that bad people would take over the Internet using it). Saint also uses a client/server architecture, but uses a web interface instead of a client program. Saint produces very easy to read and understand output, with security problems graded by priority (although not always correctly), and also supports add-in scanning modules, making it very flexible. Saint is available from: http://www.wwdsi.com/saint/.
While Cheops is not a scanner per se, it is useful for detecting a host's OS and for dealing with a large number of hosts quickly. Cheops is a "network neighborhood" on steroids: it builds a picture of a domain or IP block, which hosts are running, and so on. It is extremely useful for preparing an initial scan, as you can quickly locate interesting items (HP printers, Ascend routers, etc). Cheops is available at: http://www.marko.net/cheops/.
Two simple utilities that scan for FTP servers and for mail servers that allow relaying; good for keeping tabs on naughty users installing services they shouldn't (or simply misconfiguring them). Available from: http://david.weekly.org/code/.
Security Auditor's Research Assistant (SARA) is a tool similar in function to SATAN and Saint. SARA supports multiple threads for faster scans, stores its data in a database for ease of access, and generates nice HTML reports. SARA is free for use and is available from: http://www.www-arc.com/sara/.
BASS, the Bulk Auditing Security Scanner, allows you to scan the Internet for a variety of well-known exploits. It was basically a proof of concept that the Internet is not secure. You can get it from: http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz