Vulnerability Scanners

Popular Vulnerability Scanners

There are several different types of vulnerability scanners, so you must make sure to use the best one for the job. Vulnerability scanners exist for computer systems, networks and applications. The idea behind a vulnerability scanner is to assess potential weaknesses and help a business or organization improve its security. In a pentest, a scanner helps identify potential weaknesses and the areas or systems we should focus our efforts on. If the pentest is being done for compliance purposes, using a vulnerability scanner will most likely be a requirement. Finally, scan results let us prioritize the vulnerabilities that should be fixed when we write the report. Treat scanner output as a worklist rather than a finished finding, though: most checks match on version banners or signatures, so they produce false positives (a patched backport still shows the old version string), and every hit should be verified by hand before it goes into the report.


Here are some of the common types of vulnerability scanners:


Network Scanners: Examine networked devices (routers, switches, firewalls) and the services they expose.

Web Application Scanners: Examine web applications for SQL injection, Cross-Site Scripting (XSS) and other security flaws.

Host-Based Scanners: Scan an individual system (server, personal computer, workstation) for vulnerabilities, often with credentials or an agent so they can see installed packages and patch levels.

Wireless Scanners: Focus on wireless networks and the security issues that could be present in them.

Database Scanners: Evaluate databases for vulnerabilities in authentication, access control or exposure to SQL injection.

Cloud-Based Scanners: Focus on scanning cloud-based assets and systems for misconfigurations or weaknesses.

Internet of Things (IoT) Scanners: Evaluate IoT devices and attempt to identify vulnerabilities such as misconfigurations, default passwords or poor use of encryption.

OpenVAS/GVM

OpenVAS is the open-source scanning engine and GVM (Greenbone Vulnerability Management) is the framework that manages it and its vulnerability feeds; together they make an open-source network vulnerability scanner. It is easy to use and runs well on Kali Linux. In the video, I show how to set up OpenVAS/GVM and launch a vuln scan.


I provide setup steps in the video, but to help make things easier, you can also view the steps on this page.

Nessus

Nessus is a commercial scanner, but Tenable offers a free Nessus Essentials license that we can use. Nessus is extremely powerful and has a lot of options, so I highly recommend that you download it and get a Nessus Essentials license. You can also view this guide to help get you started. Nessus runs on macOS, Linux and Windows. It will take a while to download, install and compile all the plugins. Nessus Essentials provides a decent set of options, but it does not have access to everything: it is limited to scanning 16 IP addresses and lacks some of the professional features. I still highly recommend testing this version out and learning its capabilities.

Web Vuln Scanners

To help keep things shorter, I am grouping three web vuln scanners into one video.

Wapiti: This is a web application vulnerability scanner. It looks for XSS, SQL injection, command injection, and more! 

Nikto: This is a web server vulnerability scanner. It looks at the web server for known vulnerabilities including running old versions, misconfigurations, and common web app vulnerabilities.

wpscan: This vulnerability scanner focuses on WordPress! It enumerates the WordPress core version, themes and plugins and checks them against its database of known vulnerabilities.

nmap

Of course, Nmap can also do vulnerability scanning! With the Nmap Scripting Engine (NSE), we can extend Nmap with additional functionality, including its built-in vuln category of scripts and third-party scripts such as vulners and vulscan.

In the video, I'll show how to use Nmap's built-in vulnerability scanner, install and use Nmap-Vulners, and install and use VulScan.


Nmap vulscan install (run the clone from the directory where you want to keep the checkout; the symlink assumes Nmap's scripts live in /usr/share/nmap/scripts, which is where the Kali package puts them):

git clone https://github.com/scipag/vulscan scipag_vulscan

ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan


Install Nmap-Vulners (cloned straight into the scripts directory, so you need write access there, i.e. root on Kali):

cd /usr/share/nmap/scripts/

git clone https://github.com/vulnersCom/nmap-vulners.git

Both scripts match on the product and version that Nmap's service detection reports, so they only produce results when version detection is enabled for the scan.
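Installing the scripts is only half the job; the output still has to be turned into a ranked list for the report. The script below is an added example for this page, not code from the course video or from the nmap-vulners or vulscan projects. It assumes you ran something like nmap -sV --script vulners -oX scan.xml <target> (vulners and vulscan both need -sV, because they match on the detected product version/CPE), parses that XML, ranks findings with a public exploit first and then by CVSS, and counts them per severity band. The embedded XML is a constructed sample modeled on the table layout the vulners script emits; its CVE and exploit identifiers and scores are placeholders, not real advisories.

```python
# Added triage example for this page, not code from the course or from the
# nmap-vulners/vulscan projects: parse "nmap -sV --script vulners -oX" output, rank it.
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

# Constructed sample input, modeled on the vulners NSE script's XML layout (one
# <table key="cpe:..."> per detected product, one nested <table> per finding with
# id/type/is_exploit/cvss elems). IDs and scores are placeholders, not real advisories.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
 <service name="ssh" product="OpenSSH" version="7.4"/>
 <script id="vulners" output="(omitted)"><table key="cpe:/a:openbsd:openssh:7.4">
  <table><elem key="id">CVE-0000-0001</elem><elem key="type">cve</elem>
   <elem key="is_exploit">false</elem><elem key="cvss">5.3</elem></table>
  <table><elem key="id">EXPLOIT-0000-0001</elem><elem key="type">exploitdb</elem>
   <elem key="is_exploit">true</elem><elem key="cvss">7.8</elem></table>
 </table></script></port>
<port protocol="tcp" portid="80"><state state="open"/>
 <service name="http" product="Apache httpd" version="2.4.6"/>
 <script id="vulners" output="(omitted)"><table key="cpe:/a:apache:http_server:2.4.6">
  <table><elem key="id">CVE-0000-0002</elem><elem key="type">cve</elem>
   <elem key="is_exploit">false</elem><elem key="cvss">9.8</elem></table>
  <table><elem key="id">CVE-0000-0003</elem><elem key="type">cve</elem>
   <elem key="is_exploit">false</elem></table>
 </table></script></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
</ports></host></nmaprun>
"""


@dataclass
class Finding:
    host: str
    port: int
    service: str      # product + version from -sV, e.g. "OpenSSH 7.4"
    cpe: str
    vuln_id: str
    vuln_type: str    # cve, exploitdb, ... as labelled by vulners
    cvss: float       # 0.0 when the scanner reported no score
    is_exploit: bool  # True when vulners flags a public exploit


def severity(cvss):
    """Map a CVSS v3 base score to its qualitative rating band."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if cvss >= floor:
            return band
    return "None"


def parse_vulners(xml_text):
    """Flatten every vulners finding on every open port into Finding records."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no script output
            svc = port.find("service")
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            service = " ".join(p for p in parts if p)
            for script in port.findall("script"):
                if script.get("id") != "vulners":
                    continue  # other NSE scripts use their own table layouts
                for cpe_table in script.findall("table"):
                    for entry in cpe_table.findall("table"):
                        elems = {e.get("key"): (e.text or "").strip() for e in entry.findall("elem")}
                        try:
                            cvss = float(elems.get("cvss") or 0.0)
                        except ValueError:
                            cvss = 0.0  # unscored entries sort last instead of aborting the triage
                        findings.append(Finding(
                            host=addr, port=int(port.get("portid")), service=service,
                            cpe=cpe_table.get("key", ""), vuln_id=elems.get("id", "?"),
                            vuln_type=elems.get("type", "?"), cvss=cvss,
                            is_exploit=elems.get("is_exploit", "false").lower() == "true"))
    return findings


def prioritize(findings):
    """Report order: anything with a public exploit first, then by CVSS descending."""
    return sorted(findings, key=lambda f: (f.is_exploit, f.cvss), reverse=True)


def summarize(findings):
    """Count findings per severity band for the report's summary table."""
    return dict(Counter(severity(f.cvss) for f in findings))


if __name__ == "__main__":
    for f in prioritize(parse_vulners(SAMPLE_NMAP_XML)):
        tag = "  [public exploit]" if f.is_exploit else ""
        print(f"{severity(f.cvss):8} {f.cvss:4.1f}  {f.host}:{f.port} {f.service:16} {f.vuln_id}{tag}")
```

To use it on a real scan, replace SAMPLE_NMAP_XML with the contents of your scan.xml. The ranking puts exploit availability ahead of raw CVSS on purpose: a 7.8 with a working public exploit is usually a better use of pentest time than an unexploitable 9.8. Remember that vulners matches on the version string Nmap detected, so a distro that backports fixes without bumping the version will show up here too; verify each entry before it reaches the report.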

GVM in Docker

If you want, you can even run GVM as a container. I think this method is easier and quicker to get set up than doing the installation as I've shown in the video. I tested this method out and I was able to get it up and running in about 10 minutes.