Comparison of LAN Scan Tools

When I worked in several government organizations with quotation marks, a vegetable pentester, the harsh bearded uncles in sweaters taught me to use only Nmap to scan the network. After changing his place of work, Dobby became free from prejudice and decided to choose a scanner on the basis of pseudo-objective data comparing the real functionality of popular scanners that he could find on the network on his own, or by asking colleagues what their favorite scanner was. Actually, I decided to write an article about the results of the internal holivar comparing network scanners. I cannot guarantee objectivity, but I tried to do a quantitative analysis. Who cares what came of it, welcome to cat.

Old and experienced wolfthe security guard suggested his favorite and familiar console Nmap. Another one of us from Gosuhi, combonik , said that there is no difference, open source or vendor, the main thing is the web interface for work. Our driver also said that vendor scanners are the best, arguing that such scanners have constant support, a convenient interface for work and constant updates.

In order to smooth out our contradictions, it was decided to conduct a blitz test of network vulnerability scanners. Holivar among Pentecosters Hackenled us to a new task - to conduct a comparative characteristic according to the results of scanning. Four scanners were selected to compare scan performance: Rapid7 Nexpose, Tenable Nessus, OpenVAS 9, and Nmap. They were chosen based on analytics online publications and personal experience. Personally, I bet on Nessus, but alas, I did not guess.

Rapid7 Nexpose is a vulnerability scanner that actively scans the IT infrastructure for erroneous configurations, holes, malicious codes, and provides recommendations for resolving them. Analysis includes all infrastructure components, including networks, operating systems, databases, and web applications. Based on the scan results, Rapid7 Nexpose classifies detected threats in priority mode and generates reports on their elimination. [2]

Tenable Nessus Scanner is a scanner designed to assess the current state of protection of traditional IT infrastructure, mobile and cloud environments, containers, etc. Based on the scan results, it reports on the vulnerabilities found. Recommended for use as part of the Nessus Security Center. [3]

OpenVASIs an open source vulnerability scanner. OpenVAS is designed to actively monitor computer network nodes for security-related problems, assess the severity of these problems, and to monitor their resolution. Active monitoring means that OpenVAS performs some actions with the host: scans open ports, sends specially formed packets to simulate an attack, or even logs on to the host, accesses the management console, and executes commands on it. OpenVAS then analyzes the data collected and concludes that there are any security issues. These problems, in most cases, relate to non-updated software installed on the node, in which there are known and described vulnerabilities, or insecurely configured software. [1,6]

Nmap- A free utility designed for a variety of custom scanning of IP networks with any number of objects, determining the status of objects of a scanned network (ports and their corresponding services). Initially, the program was implemented for UNIX systems, but versions for many operating systems are now available. [4,5]

Test environment

For testing, I put together a test network on VMware Workstation 12 Pro in the circuit shown in Fig. 1.


Fig. 1. Network Diagram

Raised virtual machines:

• Windows 7 with all installed updates, running the XAMPP application, deployed MySQL and Apache services. Also deployed test system DVWA.
• Metasploitable 2 is an operating system with preinstalled vulnerable services and applications, which is used for testing.
• Ubuntu 16.04 with installed IDS Suricata [10] and configured iptables [9].
• Kali Linux is a Linux distribution that is used for penetration testing.
• The list of vulnerable services in Metasploitable 2 is shown in Table 1.

Table 1

Service	Port	Status
Vsftpd 2..four	21	Open
OpenSSH four.7p1 Debian 8ubuntu 1 (protocol 2.zero)	22	Open
Linux telnetd service	23	Open
Postfix smtpd	25	Open
ISC BIND 9.four.2	53	Open
Apache httpd 2.2.eight Ubuntu DAV / 2	80	Open
A RPCbind service	111	Open
Samba smbd .X	139, 445	Open
r companies	512, 513, 514	Open
GNU Classpath grmiregistry	1099	Open
Metasploitable root shell	1524	Open
A NFS service	2048	Open
ProFTPD 1..1	2121	Open
MySQL 5.zero.51a-3ubuntu5	3306	Open
PostgreSQL DB eight..zero - eight..7	5432	Open
VNC protocol v1.	5900	Open
X11 service	6000	Open
Unreal ircd	6667	Open
Apache Jserv protocol 1.	8009	Open
Apache Tomcat / Coyote JSP engine 1.1	8180	Open

In practice, when scanning internal networks on the firewall and IPS, rules are created that exclude blocking scanning. Therefore, Suricata was used in the detection mode, and permission rules were written on the firewall.

Iptables configuration [9]:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -A FORWARD -i ens34 -o ens33 -j ACCEPT
iptables -t nat -A POSTROUTING -o ens33 -s 192.168.234.0/24 -j MASQUERADE
iptables -A FORWARD -i ens33 -m state --state ESTABLISHED, RELATED -j ACCEPT
iptables -A FORWARD -i ens33 -o ens34 -j REJECT

Nessus Scanner ran in Basic Network Scanning mode. [3]
Rapid 7 Nexpose started in Full audit without Web Spider mode. [2]
OpenVAS 9 started in default mode. [1,6]
Nmap was launched by two commands: [4,5]

• nmap -sV -T4 -O -F --version-light 192.168.234.130-131
• nmap -Pn --script vuln 192.168.234.130-131

Test results

Nexpose detected 527 vulnerabilities (see Diagram 1), of which:
Report

167 - received the status “critical” - vulnerabilities must be closed first.
349 - received the status of “severe” - vulnerabilities are difficult to exploit, but can lead to serious consequences.
46 - received the status “moderate” - the vulnerabilities found can provide the attacker with information about the system, which he can use during the attack.

Vulnerabilities were found not only in tested systems, but also potential vulnerabilities in the virtualization system.


Tenable Nessus discovered 168 vulnerabilities (see Diagram 2), of which:
Report

3 - received the status “critical”
9 - received the status “high”
33 - received the status “medium”
5 - received the status “low”
118 received the status “info”

Vulnerabilities of the “critical” and “high” levels must be closed first.
Vulnerabilities of the “medium” level are difficult to operate, but if properly developed, they can be harmful.
Vulnerabilities of the “low” and “info” levels can provide an attacker with information about a system that he can use when conducting an attack through other vectors.


OpenVAS 9 detected 53 vulnerabilities (see Diagram 3), of which:
Report
IDS response results

16 - received the status “high”
33 - received the status “medium”
4 - received the status “low”

Vulnerabilities of the “high” level must be closed first of all .
Vulnerabilities of the “medium” level are difficult to operate, but if properly developed, they can be harmful.
Vulnerabilities of the “low” level can provide an attacker with information about a system that he can use when conducting an attack through other vectors.



Separately, it should be noted the results obtained using the Nmap scanner. Scanning was carried out by two commands, which were described above. The result of the execution was the output of information about the operating system, open services and found possible vulnerable services and links.

Using the vuln script identified the following types of vulnerabilities:

• open telnet
• http-csrf
• http-enum
• http-sql-injection
• http-vuln-cve2017-1001000
• rmi-vuln-classloader
• mysql-vuln-cve2012-2122
• ssl-ccs-injection
• ssl-dh-params
• ssl-poodle
• irc-botnet-channels
• http-cookie-flags

Nmap and IDS
Results Nmap Results Using the “vuln” and IDS Scripts

conclusions

To draw conclusions, I applied a quantitative method for assessing the total number of vulnerabilities found. As a result, it turned out that Nexpose conducts the greatest scanning depth. Nessus worked rather poorly, as in the network scan mode it issued a lot of service data about systems and services that only provide information for analytics. On a very weak side, the OpenVAS 9 scanner with the latest updates has shown itself. Nmap requires a separate word - a very good tool for conducting analytical testing with the ability to expand using NSE scripts.

During testing, IDS Suricata discovered NMap and OpenVAS scanners.

This test is not canonical, such as tests by Gartner or NSS Labs. But despite this, I think the article will be relevant for specialists in the field of system administration and technical audit.

PS And why was all this done?

It was necessary to adoptChoose a scanner for Hacken. In addition, the scanning of the internal network is regulated by information security management standards in commercial organizations, banking, energy and other fields of activity. Network scanning should be carried out not only to obtain certification for the organization, but also to manage vulnerabilities in the information and telecommunication system, control the updating of operating systems and other equally important tasks for managing information security. [8, 11]