Freeware Vulnerability Scanners
Gary Bahadur and Yen-ming Chen
Vulnerabilty scanners are all the rage in the security industry.
Some scan externally for weaknesses, and others perform host-based
scanning and everything in between. If you have ever used Cybercop
(http://www.nai.com) or ISS Safesuite (http://www.iss.net),
you know these products can be expensive. There are alternatives
that do not cost a lot of money, but how do you know which ones
are best and how do you find them?
In this article, we will briefly describe the methodology of using
vulnerability scanners and give some freeware options for the security-minded
administrator. There are a number of pros and cons to using freeware
versus commercial products, and the validity of even performing
security testing. The three products discussed in this article are
Nessus (http://www.nessus.org), Narrow Security Scanner (http://www.packetstorm.securify.com/UNIX/scanners/nss/),
and SAINT (http://www.wwdsi.com/saint/). The usage of these
products is placed in the context of performing a security review
and these are just a sample of available products.
To secure a site, a logical progression must be followed. Downloading
a scanner and executing it against your network is only part of
the solution. For a comprehensive security review, the following
steps must be taken:
1. Footprint Analysis -- Scan the environment for operating
systems, applications, and services running.
2. Vulnerability Analysis -- Determine potential vulnerabilities
in services, applications, and operating systems.
3. Penetration Testing -- Attempt to exploit vulnerabilities
found in the Vulnerability Analysis step.
4. Securing -- Fix the weaknesses found in the Penetration
Testing step and institute procedures to minimize future weaknesses
in the environment.
Footprint Analysis -- Possible Scanner Usage
In a previous Sys Admin article "Freeware Web Security
Tools" (March, 2001), we discussed how to perform the Footprint
Analysis step. This article was specific to Web server security,
but the same concepts can be applied to a network environment. Some
scanners can find footprinting information, but this step is geared
toward manual techniques or simple automated scripts.
Vulnerability Analysis -- Scanner Usage
The use of the scanner software becomes necessary in Vulnerability
Analysis. In Vulnerability Analysis, the data gathered in Step 1
is used to determine potential vulnerabilities. For example, if
we see port 21 (ftp) open, and it's running Wu-ftp 6.0,
we record this as potentially vulnerable based on a known published
exploit. Completing the Vulnerability Analysis involves mapping
out all potentially vulnerable services. Scanner software can be
used to scan all hosts and open ports to determine whether any may
be exploitable. These scanners will check against a list of known
vulnerabilities. If the target is running a service such as ftp,
and the version is known to be weak, the scanner will flag it as
vulnerable. This could be a severe weakness, but cannot be verified
until the Penetration Testing phase. One weakness of scanners is
that they are infrequently updated and do not find all weaknesses.
They will find about 70% of known bugs; manual tests must find the
The output from Vulnerability Analysis will be used in Penetration
Testing. Penetration Testing is usually a manual process. The person
doing the testing must check each potential vulnerability to determine
whether it is actually exploitable. Frequently, scanner products
will report a service as vulnerable when it is not -- a false
positive result. These scanner products can sometimes be used in
Penetration Testing in the area of brute force attacks. The scanners
can do these automated processes with little intervention from the
administrator. The intelligence has not yet been built into them
to carry out all the attacks to lead to a compromise. Scanner software
can be very beneficial if usage and limitations are understood.
Why Do Security Testing?
This may seem like an easy question to answer, but we have found
that many companies just don't see the value of spending the
money on the necessary tools, consultants, and time to perform these
tests. The benefits of security testing far outweigh any problems
that may arise.
- Know Thyself -- Your best defense against attacks is to
fix weaknesses before they are found by a hacker.
- Proactive Security -- Weaknesses can be fixed before the
whole underground has a chance to find them. We frequently see
product companies testing their products before they go live to
proactively fix bugs in the products.
- Gain Resources -- If a systems administrator can show major
weaknesses in a Production Internet site, more resources will
likely be dedicated to the IT department.
- Security Standards -- This would lead to all machines being
secured similarly and standards followed by everyone. If a network
has a number of different weaknesses across machines, a standard
for security is not being applied.
- Awareness -- Successful testing results in making everyone
more aware of security needs and can lead to a corporate-wide
- Responsiveness -- Administrators who are aware of security
testing of the environment will learn to be responsive to attacks
and have a heightened sense of security. If we perform security
tests and flags are not raised, the test results usually cause
a major change in the environment.
- Credibility -- Security testing tells customers that a
proactive stance toward security has been taken and that customers
can feel secure using the site.
No matter what problem may arise, and there can be several, security
testing is a must. The problems listed below are minor and
should not stop security testing.
- Reality of Results -- Receiving incorrect data from a security
audit is just as bad as not doing any tests at all. One problem
is doing testing is the knowledge of the testers. Many organizations
must hire consultants because the administrators do not have the
time or experience to perform security tests. Be sure those consultants
are experienced and reputable.
- Tool Usage -- Minor vulnerabilities can lead to a large
weakness that a scanner tool may not be able to interpret. Just
downloading and running tools without understanding them completely
can lead to a false sense of security. Half the benefit of knowledgeable
security folks is how they interpret the results. The tools will
not link vulnerabilities together.
- Friendly Fire -- Even commercial scanners have been known
to cause problems. If the administrators running these tools do
not fully understand them, they may use them incorrectly and damage
- One-Time Attack -- Vigilance over time is essential to
security testing. Organizations cannot perform a security test
once and consider the site secure. Security is an ongoing process,
and new exploits come out daily.
A security review methodology is aimed at developing standards
for security, and ensuring that the organization conforms to those
standards. A good baseline standard for security should first be
developed before systems are put into production. A security baseline
is a set of standards applied to systems to ensure a minimum level
of security. Failing this, the first security review should be aimed
at finding and fixing vulnerabilities and defining a security baseline
Testing should first be done against the development environment.
You never know what can go wrong, especially with powerful products
such as vulnerability scanners. Production environments should only
be scanned after the development environment. Also, production environments
should be scanned only during off peak hours. Administrators should
be prepared for problems related to the scanning.
The freeware products discussed in this article have all been
compiled on FreeBSD 4.1. Most of the freeware scanners are UNIX
based, usually Linux. Most have to be compiled by the user, which
requires some knowledge of compiling programs and some in-depth
knowledge of the operating system if the compilation has errors.
The source code can usually be viewed and modified by the user.
Systems administrators must have a firm grasp of the operating
system to fully utilize these products in most cases. The results
will take more analysis and research than that of commercial products.
The real value of these products is the interpretation of the output.
The problems can't be fixed if you cannot interpret the output.
The three example scanners will now be discussed in detail. We
have broken down the analysis of the scanners into Installation,
Configuration, Scanning, and Reporting. As these programs report
weaknesses in the system, the report output should be restricted
Nessus is one of the best freeware scanners. It is built on client/server
architecture. Its plugin capabilities allow users to add their own
checks and expand development of the product. It currently has 558
The tar file includes the following:
These must then be compiled in the following order:
- cd nessus-libraries
- make install
This operation is repeated for nessus-core and nessus-plugins. For
Linux users, make sure that /usr/local/lib is in /etc/ld.so.conf,
and type ldconfig.
- cd libnasl
- make install
Nessus is a client/server architecture security scanner. You can
install a Nessus server on one machine, and use another machine
to control that Nessus server remotely. Using public key cryptography,
Nessus encrypts the communication between the managing client and
the Nessus server.
First of all, you need to assign a one-time password for the first
root# nessusd --make-user=nessustest,nessustest
Generating primes: ........q.....pg
The above command nessusd --make-user=nessustest,nessustest will
generate a one-time password for the user named nessustest
with password nessus!@#. And if you type:
You will get the output:
nessustest - user password
See Figure 1.
For further user management of Nessus, use nessus-adduser.
You'll need to add a user to access the Nessus daemon before
starting the Nessus daemon. To do this, use nessus-adduser,
and the program will prompt you for necessary information, including
login name, authentication method, source restriction, and scan
target rules. After using the Nessus client to connect to the Nessus
daemon, you can use the GUI to manage the users.
Use nessusd -D to start your Nessus daemon (Server) first.
Then run "nessus" to start the client. If you created
the user, started the daemon, and the client, you are ready to begin
your scan. Of course, you must login first; in this case, "nessustest"
is our user name. Setting up the target host is the second step.
You must either specify the host(s) you want to scan in the input
field (using comma for delimiter for multiple hosts), or put the
host(s) you want to scan into a file and read them in.
Choose the plugins you want to use in the "Plugins"
tab. Some dangerous plugins (mostly DoS type) are disabled by default.
You can set some preferences after you've decided which plugins
you are going to use. Under the "Prefs" tab, you will
see options for some different scan methods, such as port scan,
SMB login, or imap account/password.
After you hit "Start the scan", you can sit back and
have a cup of coffee and wait for the results. Nessus tends to be
very "noisy". Use Nessus to scan your IDS or firewall
and see how many log entries you can get. More plugins will take
a longer time.
The reports can then be sorted either by host or by port. The
report can be saved as html, NSR, LaTeX and XML (experimental)
formats. The reports also make reference to CVE (Common Vulnerabilities
and Exposures) numbers to provide more detailed information regarding
the vulnerabilities found by Nessus. See Figure 2.
Nessus is a security scanner with an easy-to-use interface and
flexible architecture (client/server). The extensible plugins (NASL
modules and plugins automatic update program) make it easy to add
additional checks. Nessus has improved with each release and will
give the commercial scanners a run for their money.
Narrow Security Scanner
Narrow Security Scanner (NSS) is a middle-weight security scanner
that provides simple command-line control to scan more than 500
known vulnerabilities. For this article, we used NSS 2k-pre12.
NSS does not have a configuration installation like Nessus. The
installation of NSS only requires downloading the file, untarring
it and modifying the nss.conf file according to your platform.
Then you can begin using it.
The configuration file of NSS is pretty simple. You just choose
which plugins you want by changing the value to "1" in
the nss.conf file. Specify the path of "rpcinfo"
and "dig", then you are ready to run NSS.
To scan a single host, use: nss -s <IP>. You can
also list the hosts you want to scan in a file and use -h <file>
to read the file. -l can change the name of the log file,
as -m can mail the result to the email address specified
NSS will save the results of the scan into a file called <IP>.log
using the different IP addresses you specify. Here is one example
of the log file:
-< 2XX.XX.XX.XX >-< OS: Unknow
-< 2XX.XX.XX.XX >-< FTP Server: wu-2.6.0(1)
-< 2XX.XX.XX.XX >-< Authentication (auth) Service Running
-< 2XX.XX.XX.XX >-< "rlogin" Service Running
-< 2XX.XX.XX.XX >-< "shell" Service Running
-< 2XX.XX.XX.XX >-< FingerD Service Running
-< 2XX.XX.XX.XX >-< User(s) logged on:
Login Name Tty Idle Login Time Office Office Phone
core pts/0 49 Nov 22 13:34 (rduXX-XX-2XX.XX.XX.com)
root root *tty1 13d Nov 8 16:00
-< 2XX.XX.XX.XX >-< Never logged in user: lp
-< 2XX.XX.XX.XX >-< Never logged in user: named
-< 2XX.XX.XX.XX >-< Vulnerabilities Found: 5
The log file is very simple and clearly tells you where vulnerabilities
NSS is a small, fast scanner that can check for many known vulnerabilities.
It does not have a GUI interface, but is very easy to use by command
line. The code (written in Perl) is available for review and modification
by the user. There can be some compilation errors that may require
knowledge of Perl for a successful execution.
NSS does not generate a fancy report in different formats like
Nessus. It only points out where the vulnerabilities might be. Then
you must find the related information about the vulnerability. A
lot of research may be needed to fix the problems if the administrator
is not security savvy.
SAINT (Security Administrator's Integrated Network Tool)
is a security assesment tool based on SATAN. Features include scanning
through a firewall, updated security checks from CERT and CIAC bulletins,
four levels of severity (red, yellow, brown, and green) and a feature-rich
HTML interface. We used SAINT 3.1 which checks for approximately
Before installing SAINT, you must have nmap (http://www.insecure.org)
and SMB-related tools (e.g., SAMBA on UNIX-like systems) on your
system. You can then go to the directory where you untarred the
files and execute the following:
Configuration After the installation, you should have all SAINT-related
files, /usr/local/saint, on your system. In the /usr/local/saint/config,
you can edit the saint.cf file. The sample of the saint.cf
file below would change the attack level.
# Default attack level (0=light, 1=normal, 2=heavy,
# 3=heavy+, 4=top10, 5=custom)
$attack_level = 0;
Once you have made any necessary modifications to the configuration
file, you can begin the scan by executing /usr/local/saint.
When you start SAINT, a browser window pops up with a menu of
"Data Management", "Target Selection", "Data
Analysis", "Config Management", "Documentation",
and "Trouble Shooting". You can keep the default setting
in the 'Data Management' section in the beginning. Before
you select your target, SAINT will notify you that when you use
your browser to connect to other WWW servers, some information might
be revealed during the process (see Figure 3). You can decide whether
to continue. After you decide on your target, you can choose the
attack level from Light, Normal, Heavy, Heavy+, Top10, or Custom.
You can begin with Normal and change the level as you go on. As
you change levels from Light to Heavy, more checks will be done.
The scan will collect data and store it for reporting.
The results can be categorized by Vulnerabilities, Host information,
or Trusted Hosts. You can easily identify vulnerabilities and find
related information by the hyperlinks to CVE or other places (see
Figure 4). There is a SAINT Writer that can generate customized
reports in HTML for you. SAINT Writer has just been released.
SAINT inherited many advantages from SATAN. It is very flexible,
like Nessus, because of its client/server architecture. The vulnerabilities
it can check are limited, however, and it is not as easy to pick
specific checks to scan. It is also not as easy to add modules for
SAINT, because there are no tools similar to NASL for Nessus. You
must know Perl to make your own changes to SAINT. Its speed is comparable
to NSS, and it is faster than Nessus. Solutions to the vulnerabilities
found will require some research, but SAINT provides some good information
to begin fixing the problems.
After looking at all these free scanners, here are some criteria
to consider for new similar programs/tools:
1. Flexible architecture. With client/server architecture, you
can run the control client behind a firewall and the server in front
2. Ease of use. If you can launch the scan by a one-line command,
it will be handy wherever you are.
3. Modular design. Ease of use in selecting checks and customization
of the program.
4. Reporting. Are the results and reports generated by the program
in clearly understood format? The solutions for found vulnerabilities
should be easy to find and understand. Reports should be flexible,
exportable, and easily modified.
With these four criteria in mind, you should be able to pick the
scanner you need in the future.
The outputs of these scans will point to a number of potentially
vulnerable services and programs. This data will lead to the next
step in the security methodology -- Penetration Testing. Just
because the scanners found a vulnerability doesn't mean it
actually exists. It could be a false positive.
These freeware products can be used by almost anyone, but administrators
who are not yet technically savvy are cautioned to use them carefully.
For systems administrators looking for inexpensive security products,
freeware scanner tools provide a viable alternative. They may not
be as easy to use, but the list of checks can be comprehensive and
accurate. The best part is you can test them out and become familiar
with scanner tools before you leap into purchasing those expensive
The vulnerability scanners assume security is a snapshot in time.
Security is an ongoing process and every day brings a new security
challenge. Periodic security scans will not keep your systems secure.
Scanners help, but are not the end-all solution. Continuous assessments
are needed to keep the organization secure.
Gary Bahadur is the Chief Information Officer for Foundstone
Inc (http://www.foundstone.com). Foundstone specializes
in security consulting and training. Gary had been performing Attack
and Penetration testing for more than five years. He can be reached
Yen-ming Chen is a security consultant with Foundstone Inc.
Yen-ming has been performing Attack and Penetration testing for
several years. He can be reached at: firstname.lastname@example.org.