Comparison of LAN Scan Tools


    Back when I worked as a run-of-the-mill pentester in several so-called “state” organizations, the stern bearded guys in sweaters taught me to scan the network with Nmap and nothing else. After changing jobs, Dobby was free of his prejudices and decided to choose a scanner on the basis of semi-objective data: a comparison of the real capabilities of the popular scanners, built from what I could find online and from asking colleagues which scanner they preferred. So I decided to write up the results of our internal holy war over network scanners. I cannot guarantee objectivity, but I did try to do a quantitative analysis. If you want to know what came of it, read on.

    Our old and experienced wolf of a security officer suggested his familiar favourite, the console Nmap. Another colleague from the state sector, combonik, said that there is no difference between open source and vendor products, the main thing being a web interface to work in. Our driver also said that vendor scanners are the best, arguing that they have constant support, a convenient interface and constant updates.

    To settle our differences, we decided to run a blitz test of network vulnerability scanners. The holy war among the Hacken pentesters gave us a new task: to compare the scanners by their scan results. Four scanners were selected for the comparison: Rapid7 Nexpose, Tenable Nessus, OpenVAS 9 and Nmap. They were chosen on the basis of online analyst publications and personal experience. Personally, I bet on Nessus, but alas, I guessed wrong.

    Rapid7 Nexpose is a vulnerability scanner that actively scans the IT infrastructure for misconfigurations, holes and malicious code, and provides recommendations for resolving them. The analysis covers all infrastructure components, including networks, operating systems, databases and web applications. Based on the scan results, Rapid7 Nexpose prioritizes the detected threats and generates reports on their remediation. [2]

    Tenable Nessus Scanner is a scanner designed to assess the current security posture of traditional IT infrastructure, mobile and cloud environments, containers and so on. Based on the scan results, it reports the vulnerabilities found. It is recommended for use as part of Nessus Security Center. [3]

    OpenVAS is an open source vulnerability scanner. It is designed to actively monitor the hosts of a computer network for security-related problems, assess the severity of those problems and track their resolution. Active monitoring means that OpenVAS performs actions against the host: it scans open ports, sends specially crafted packets to simulate an attack, or even logs on to the host, accesses the management console and executes commands on it. OpenVAS then analyzes the collected data and concludes whether there are security issues. In most cases these problems relate to out-of-date software installed on the host, in which there are known and documented vulnerabilities, or to insecurely configured software. [1,6]

    Nmap is a free utility designed for a wide range of customizable scans of IP networks with any number of hosts, determining the state of the hosts on the scanned network (ports and the services behind them). The program was originally implemented for UNIX systems, but versions for many operating systems are now available. [4,5]

    Test environment


    For testing, I put together a test network in VMware Workstation 12 Pro with the topology shown in Fig. 1.


    Fig. 1. Network Diagram

    The following virtual machines were set up:

    • Windows 7 with all updates installed, running XAMPP with MySQL and Apache services deployed. The DVWA test system was also deployed.
    • Metasploitable 2, an operating system with preinstalled vulnerable services and applications that is used for testing.
    • Ubuntu 16.04 with the Suricata IDS [10] installed and iptables configured [9].
    • Kali Linux, a Linux distribution used for penetration testing.

    The list of vulnerable services in Metasploitable 2 is shown in Table 1.


    Table 1. Vulnerable services in Metasploitable 2

    Service                                          Port             Status
    Vsftpd 2.3.4                                     21               Open
    OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)     22               Open
    Linux telnetd service                            23               Open
    Postfix smtpd                                    25               Open
    ISC BIND 9.4.2                                   53               Open
    Apache httpd 2.2.8 Ubuntu DAV/2                  80               Open
    RPCbind service                                  111              Open
    Samba smbd 3.X                                   139, 445         Open
    r services                                       512, 513, 514    Open
    GNU Classpath grmiregistry                       1099             Open
    Metasploitable root shell                        1524             Open
    NFS service                                      2048             Open
    ProFTPD 1.3.1                                    2121             Open
    MySQL 5.0.51a-3ubuntu5                           3306             Open
    PostgreSQL DB 8.3.0 - 8.3.7                      5432             Open
    VNC protocol v1.3                                5900             Open
    X11 service                                      6000             Open
    Unreal ircd                                      6667             Open
    Apache Jserv protocol 1.3                        8009             Open
    Apache Tomcat/Coyote JSP engine 1.1              8180             Open

    In practice, when internal networks are scanned, rules are added on the firewall and IPS so that the scan itself is not blocked. Therefore Suricata was run in detection (IDS) mode and allow rules were written on the firewall.

    Iptables configuration [9]:

    #!/bin/sh
    # enable routing between the two interfaces
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -A INPUT -i lo -j ACCEPT
    # inserted at the top of FORWARD so the scan traffic is never blocked
    iptables -I FORWARD -j ACCEPT
    iptables -A FORWARD -i ens34 -o ens33 -j ACCEPT
    iptables -t nat -A POSTROUTING -o ens33 -s 192.168.234.0/24 -j MASQUERADE
    # the state list is comma-separated without spaces
    iptables -A FORWARD -i ens33 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ens33 -o ens34 -j REJECT

    Nessus Scanner was run in Basic Network Scan mode. [3]
    Rapid7 Nexpose was run in “Full audit without Web Spider” mode. [2]
    OpenVAS 9 was run with its default settings. [1,6]
    Nmap was launched with two commands: [4,5]

    • nmap -sV -T4 -O -F --version-light 192.168.234.130-131
    • nmap -Pn --script vuln 192.168.234.130-131
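    To turn the two Nmap runs above into something that can be counted the way the other scanners' reports are counted below, the output has to be saved with -oX and parsed. The following script is an added example, not code from the article or from the Nmap project: it reads Nmap XML, lists open ports with product and version, collects NSE vuln-script results while discarding script errors (which the vuln category emits when a script cannot run and which are not findings), and checks which ports from an expected service list such as Table 1 the scan actually found. The XML sample, the host address 192.0.2.10 and the expected port list are constructed for the example.

```python
"""Parse Nmap XML (-oX) output and compare it with an expected service list.

Added example, not the article's tooling. The XML is constructed to resemble
`nmap -sV --script vuln -oX -` against a Metasploitable-2-like host.
"""
import xml.etree.ElementTree as ET

# Constructed sample; 192.0.2.10 is a documentation address, not a real target.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" product="Linux telnetd"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5"/>
        <script id="mysql-vuln-cve2012-2122" output="VULNERABLE"/>
      </port>
      <port protocol="tcp" portid="6667">
        <state state="open" reason="syn-ack"/>
        <service name="irc" product="Unreal ircd"/>
        <script id="irc-botnet-channels" output="ERROR: Script execution failed"/>
      </port>
      <port protocol="tcp" portid="8180">
        <state state="filtered" reason="no-response"/>
        <service name="http"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap(xml_text):
    """Return {host: {"ports": [port dicts], "hostscripts": {script id: output}}}."""
    root = ET.fromstring(xml_text)
    scan = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue  # host entry without an address cannot be attributed
        entry = {"ports": [], "hostscripts": {}}
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol", ""),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        hostscript = host.find("hostscript")
        if hostscript is not None:
            entry["hostscripts"] = {s.get("id"): s.get("output", "")
                                    for s in hostscript.findall("script")}
        scan[addr_el.get("addr")] = entry
    return scan


def open_ports(scan, host):
    """Ports Nmap reports as open on the host; filtered and closed ports are excluded."""
    return sorted(p["port"] for p in scan[host]["ports"] if p["state"] == "open")


def script_findings(scan):
    """(host, port, script id, output) for NSE results that are actual output.

    Vuln scripts that fail (no response, wrong protocol) put 'ERROR: ...' in the
    output attribute; counting those as vulnerabilities would inflate the totals.
    """
    findings = []
    for host, entry in scan.items():
        for p in entry["ports"]:
            for sid, text in p["scripts"].items():
                if text and not text.startswith("ERROR"):
                    findings.append((host, p["port"], sid, text))
        for sid, text in entry["hostscripts"].items():
            if text and not text.startswith("ERROR"):
                findings.append((host, 0, sid, text))  # port 0 marks host-level scripts
    return findings


def coverage(scan, host, expected_ports):
    """Split an expected port list (e.g. Table 1) into (found, missed) by the scan."""
    found = set(open_ports(scan, host))
    expected = set(expected_ports)
    return sorted(found & expected), sorted(expected - found)


if __name__ == "__main__":
    result = parse_nmap(SAMPLE_NMAP_XML)
    for h in result:
        print(h, "open ports:", open_ports(result, h))
    for f in script_findings(result):
        print("finding:", f)
    # constructed expectation: the ports Table 1 says should be open on this host
    print("found/missed:", coverage(result, "192.0.2.10", [21, 22, 23, 3306, 6667, 8180]))
```

    The coverage check is the part that matters for a scanner comparison: a port that is missed because it was filtered (8180 in the sample) shows up as a gap against the inventory rather than silently disappearing from the count.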

    Test results


    Nexpose detected 527 vulnerabilities (see Diagram 1), of which:
    (Diagram 1: Nexpose report)

    167 received the status “critical”: these vulnerabilities must be closed first.
    349 received the status “severe”: these vulnerabilities are difficult to exploit, but can lead to serious consequences.
    46 received the status “moderate”: these vulnerabilities can give an attacker information about the system that he can use during an attack.

    Vulnerabilities were found not only in the tested systems; potential vulnerabilities in the virtualization system were reported as well.


    Tenable Nessus discovered 168 vulnerabilities (see Diagram 2), of which:
    (Diagram 2: Nessus report)

    3 received the status “critical”
    9 received the status “high”
    33 received the status “medium”
    5 received the status “low”
    118 received the status “info”

    Vulnerabilities of the “critical” and “high” levels must be closed first.
    Vulnerabilities of the “medium” level are difficult to exploit, but with enough effort they can cause harm.
    Vulnerabilities of the “low” and “info” levels can give an attacker information about the system that he can use in an attack through other vectors.


    OpenVAS 9 detected 53 vulnerabilities (see Diagram 3), of which:
    (Diagram 3: OpenVAS report; IDS response results)

    16 received the status “high”
    33 received the status “medium”
    4 received the status “low”

    Vulnerabilities of the “high” level must be closed first.
    Vulnerabilities of the “medium” level are difficult to exploit, but with enough effort they can cause harm.
    Vulnerabilities of the “low” level can give an attacker information about the system that he can use in an attack through other vectors.
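    The severity counts reported for Nexpose, Nessus and OpenVAS above are what the quantitative comparison in this article rests on, so it is worth seeing how such a tally is obtained from an exported report rather than read off a dashboard. The script below is an added example, not code from the article or from Tenable: it parses a Nessus v2 export (a .nessus file, whose ReportItem elements carry a numeric severity attribute from 0 to 4 that maps to info, low, medium, high and critical) and counts findings per severity. It also shows a caveat the raw totals hide: the same plugin firing on several ports of one host is counted once per port, so a count of unique plugins is a fairer basis for comparing scanners. The XML, the host address and the plugin IDs are constructed for the example.

```python
"""Tally a Nessus v2 export (.nessus) by severity.

Added example, not the article's or Tenable's code. The XML is constructed;
plugin IDs in the 9000xx range are placeholders, not real Nessus plugins.
"""
import xml.etree.ElementTree as ET

# Nessus encodes severity as 0..4 on each ReportItem; these are the usual labels.
SEVERITY_LABELS = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_NESSUS_XML = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed sample">
<ReportHost name="192.0.2.10">
<HostProperties><tag name="host-ip">192.0.2.10</tag></HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900001" pluginName="Constructed: scan information" pluginFamily="Settings"/>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="900002" pluginName="Constructed: SSH banner" pluginFamily="Service detection"/>
<ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4" pluginID="900003" pluginName="Constructed: FTP service backdoor" pluginFamily="FTP"/>
<ReportItem port="1524" svc_name="shell" protocol="tcp" severity="3" pluginID="900004" pluginName="Constructed: unauthenticated root shell" pluginFamily="Backdoors"/>
<ReportItem port="21" svc_name="ftp" protocol="tcp" severity="2" pluginID="900005" pluginName="Constructed: cleartext FTP login" pluginFamily="FTP"/>
<ReportItem port="2121" svc_name="ftp" protocol="tcp" severity="2" pluginID="900005" pluginName="Constructed: cleartext FTP login" pluginFamily="FTP"/>
<ReportItem port="25" svc_name="smtp" protocol="tcp" severity="1" pluginID="900006" pluginName="Constructed: SMTP server enumeration" pluginFamily="SMTP problems"/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def _severity(value):
    """Parse the severity attribute; a missing or malformed value counts as info (0)."""
    try:
        sev = int(value)
    except (TypeError, ValueError):
        return 0
    return sev if sev in SEVERITY_LABELS else 0


def parse_nessus(xml_text):
    """Flatten a NessusClientData_v2 document into one dict per ReportItem."""
    root = ET.fromstring(xml_text)
    items = []
    for report_host in root.iter("ReportHost"):
        host = report_host.get("name", "")
        for ri in report_host.findall("ReportItem"):
            items.append({
                "host": host,
                "port": int(ri.get("port", "0")),
                "protocol": ri.get("protocol", ""),
                "severity": _severity(ri.get("severity")),
                "plugin_id": ri.get("pluginID", ""),
                "plugin_name": ri.get("pluginName", ""),
            })
    return items


def tally(items, unique_plugins=False):
    """Count findings per severity label.

    With unique_plugins=True a plugin is counted once even if it fired on several
    ports or hosts, which removes the inflation that per-port counting produces.
    """
    counts = {label: 0 for label in SEVERITY_LABELS.values()}
    seen = set()
    for item in items:
        if unique_plugins:
            if item["plugin_id"] in seen:
                continue
            seen.add(item["plugin_id"])
        counts[SEVERITY_LABELS[item["severity"]]] += 1
    return counts


def actionable(counts):
    """Findings that have to be closed first: critical plus high."""
    return counts["critical"] + counts["high"]


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS_XML)
    per_port = tally(findings)
    per_plugin = tally(findings, unique_plugins=True)
    print("per port:  ", per_port, "actionable:", actionable(per_port))
    print("per plugin:", per_plugin, "actionable:", actionable(per_plugin))
```

    Running this on the sample gives 7 findings per port but 6 unique plugins, because the medium-severity plugin fired on two FTP ports. When comparing a scanner that counts per port against one that counts per check, this is exactly the difference that makes raw totals misleading.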



    The results obtained with the Nmap scanner deserve a separate mention. Scanning was carried out with the two commands described above. The output contained information about the operating system, open services, and the possibly vulnerable services and links that were found.

    The vuln script category identified the following types of findings:

    • open telnet
    • http-csrf
    • http-enum
    • http-sql-injection
    • http-vuln-cve2017-1001000
    • rmi-vuln-classloader
    • mysql-vuln-cve2012-2122
    • ssl-ccs-injection
    • ssl-dh-params
    • ssl-poodle
    • irc-botnet-channels
    • http-cookie-flags

    (Screenshots: Nmap results with the “vuln” scripts, and the IDS response)

    Conclusions


    To draw conclusions, I applied a quantitative method: the total number of vulnerabilities found. By that measure, Nexpose scans to the greatest depth. Nessus performed rather poorly, since in network scan mode it produced a lot of informational output about systems and services that is useful only for analysis. OpenVAS 9, even with the latest updates, showed itself to be very weak. Nmap deserves a separate word: it is a very good tool for analytical testing, and it can be extended with NSE scripts.

    During testing, the Suricata IDS detected the Nmap and OpenVAS scanners.

    This test is not canonical in the way Gartner or NSS Labs tests are. Despite that, I think the article will be useful to specialists in system administration and technical audit.

    P.S. So why was all this done?

    We needed to choose a scanner for Hacken. Beyond that, scanning of the internal network is required by information security management standards in commercial organizations, banking, energy and other sectors. Network scanning should be carried out not only to obtain certification for the organization, but also to manage vulnerabilities in the information and telecommunication system, control the updating of operating systems, and for other equally important information security management tasks. [8, 11]

