Vulnerability scanners can help you automate security auditing and can play a crucial part in your IT security. They can scan your network and websites for up to thousands of different security risks, producing a prioritized list of those you should patch, describe the vulnerabilities, and give steps on how to remediate them. Some can even automate the patching process.
As an information security analyst/engineer, you will be expected to work with the following tools. The checkmark is hacktress’ own checklist identifier.
Article authored by Daniel Miessler:
- Burp Suite
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.Burp Suite contains the following key components:- An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
- An application-aware Spider, for crawling content and functionality.
- An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
- An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
- A Repeater tool, for manipulating and resending individual requests.
- A Sequencer tool, for testing the randomness of session tokens.
- The ability to save your work and resume working later.
- Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.
- HP WebInspect
An enterprise-focused tool suite that includes a scanner, proxy, and assorted other tools. - WebScarabNG
The latest version of this famous suite from OWASP. Includes a web services module that allows you to parse WSDLs and interact with their associated functions. - IBM AppScan
IBM’s enterprise-focused suite. - Acunetix
Acunetix’s enterprise-focused suite. - NTOSpider
NTObjectives’s enterprise-focused suite. - W3af
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. - Websecurify
Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. - Samurai
Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. - Skipfish
A fully automated, active web application security reconnaissance tool written by Michal Zalewski of Google. - RAFT (Response Analysis and Further Testing Tool)
RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that utilize common shared elements to make testing and analysis easier. The tool provides visibility in to areas that other tools do not such as various client side storage. - Zed Attack Proxy (ZAP)
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Other Web Application Scanners
Netsparker
Netsparker is the web security scanner which supports both exploitation and detection of vulnerabilities. It provides the result for only confirmed vulnerabilities after successful exploitation and testing.
Nikto
Nikto is an open source web security scanner tool which performs comprehensive scanning of web servers. It can scan multiple items on servers, including files and versions specific problems for servers. It can also check server’s configuration, making it a powerful tool to scan server’s security and related flaws.
Arachni Vulnerability Scanner
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
It is free, with its source code public and available for review.
Vega
Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.
Free Tools
1. OpenVAS
The Open Vulnerability Assessment System (OpenVAS) is a free network security scanner platform, with most components licensed under the GNU General Public License (GNU GPL). The main component is available via several Linux packages or as a downloadable Virtual Appliance for testing/evaluation purposes. Though the scanner itself doesn’t work on Windows machines, they offer clients for Windows.
The main component of the OpenVAS is the security scanner, which only can run in Linux. It does the actual work of scanning and receives a feed updated daily of Network Vulnerability Tests (NVT), more than 33,000 in total.
The OpenVAS Manager controls the scanner and provides the intelligence. The OpenVAS Administrator provides a command-line interface and can act as full service daemon, providing user management and feed management.
There are a couple clients to serve as the GUI or CLI. The Greenbone Security Assistant (GSA) offers a web-based GUI. The Greenbone Security Desktop (GSD) is a Qt-based desktop client that runs on various OSs, including Linux and Windows. And the OpenVAS CLI offers a command-line interface.
OpenVAS isn’t the easiest and quickest scanner to install and use, but it’s one of the most feature-rich, broad IT security scanners that you can find for free. It scans for thousands of vulnerabilities, supports concurrent scan tasks, and scheduled scans. It also offers note and false positive management of the scan results. However, it does require Linux at least for the main component.
2. Retina CS Community
Retina CS Community provides vulnerability scanning and patching for Microsoft and common third-party applications, such as Adobe and Firefox, for up to 256 IPs free. Plus it supports vulnerabilities within mobile devices, web applications, virtualized applications, servers, and private clouds. It looks for network vulnerabilities, configuration issues, and missing patches.
The Retina CS Community software essentially provides just the patching functionality. Retina Network Community is the software that provides the vulnerability scanning, which must be separately installed before the Retina CS Community software.
Retina CS Community installs on Windows Server 2008 or later, requires the .Net Framework 3.5 to be installed, IIS server enabled, and Microsoft SQL 2008 or later to be installed. Keep in mind, installation on Domain Controllers or Small Business Servers is not supported.
Once the software is installed you’re provided with a GUI program for Retina Network Community component and a web-based GUI for the Retina CS Community component. It supports different user profiles so you can align the assessment to your job function.
To scan you can choose from a variety of scan and report templates and specify IP range to scan or use the smart selection function. You can provide any necessary credentials for scanned assets that require them and choose how you want the report delivered, including email delivery or alerts.
Retina CS Community is a great free offering by a commercial vendor, providing scanning and patching for up to 256 IPs free and supporting a variety of assets. However, some small businesses may find the system requirements too stringent, as it requires a Windows Server.
3. Microsoft Baseline Security Analyzer (MBSA)
Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans on Windows desktops and servers, identifying any missing service packs, security patches, and common security misconfigurations. The 2.3 release adds support for Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012, while also supporting previous versions down to Windows XP.
MBSA is relatively straightforward to understand and use. When you open it you can select a single Windows machine to scan by choosing a computer name from the list or specifying an IP address or when scanning multiple machines you can choose an entire domain or specify an IP address range. You can then choose what you want to scan for, including Windows, IIS and SQL administrative vulnerabilities, weak passwords, and Windows updates.
Once the scan is complete you’ll find a separate report for each Windows machine scanned with an overall security classification and categorized details of the results. For each item you can click a link to read details on what was scanned and how to correct it, if a vulnerability were found, and for some you can click to see more result details. The reports are automatically saved for future reference, but you can also print and/or copy the report to the clipboard.
Although free and user-friendly, keep in mind that MBSA lacks scanning of advanced Windows settings, drivers, non-Microsoft software, and network-specific vulnerabilities. Nevertheless, it’s a great tool to help you find and minimize general security risks.
4. Nexpose Community Edition
Nexpose Community Edition can scan networks, operating systems, web applications, databases, and virtual environments. The Community Edition, however, limits you to scanning up to 32 IPs at a time. It’s also limited to one-year of use until you must apply for a new license. They also offer a seven-day free trial of their commercial editions.
Nexpose installs on Windows, Linux, or virtual machines and provides a web-based GUI. Through the web portal you can create sites to define the IPs or URLs you’d like to scan, select the scanning preferences, scanning schedule, and provide any necessary credentials for scanned assets.
Once a site is scanned you’ll see a list of assets and vulnerabilities. You can see asset details including OS and software information and details on vulnerabilities and how to fix them. You can optionally set policies to define and track your desired compliance standards. You can also generate and export reports on a variety of aspects.
Nexpose Community Edition is a solid full-featured vulnerability scanner that’s easy to setup but the 32 IP limit may make it impractical for larger networks.
5. SecureCheq
SecureCheq can perform local scans on Windows desktops and servers, identifying various insecure advanced Windows settings like defined by CIS, ISO or COBIT standards. It concentrates on common configuration errors related to OS hardening, data protection, communication security, user account activity and audit logging. The free version, however, is limited to scanning less than two dozen settings, about a quarter of what the full version supports.
SecureCheq is a simple tool. After scanning the PC you’ll see a list of all the checked settings and a Passed or Failed result.
Click a setting and you’ll find links to references about the vulnerability, summary of the vulnerability, and how to fix it. Though you can’t save the results for later viewing in the application, you can print them or view/save the OVAL XML file.
Although SecureCheq is easy-to-use and scans for advanced configuration settings, it actually misses some of the more general Windows vulnerabilities and network-based threats. However, it complements the Microsoft Baseline Security Analyzer (MBSA) well; scan for basic threats and then follow up with SecureCheq for advanced vulnerabilities.
6. Qualys FreeScan
Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet facing or local servers or machines. You initially access it via their web portal and then download their virtual machine software if running scans on your internal network.
Qualys FreeScan supports a few different scan types; vulnerability checks for hidden malware, SSL issues, and other network-related vulnerabilities. OWASP is for auditing vulnerabilities of web applications. Patch Tuesday scans for and helps install missing software patches. SCAP checks computer settings compliance against the SCAP (Security Content Automation Protocol) benchmark provided by National Institute of Standards and Technology (NIST).
Though you first see just an online tool that appears to just do scanning via the Internet, if you enter a local IP or scan, it will prompt you to download a virtual scanner via a VMware or VirtualBox image. This allows you to do scanning of your local network. Once a scan is complete you can view interactive reports by threat or by patch.
Since Qualys FreeScan only provides 10 free scans, it’s not something you can use regularly. Consider using another solution for day-to-day use and periodically run Qualys FreeScan for a double-check.