In the growing vulnerability scanning space there are, broadly, two classes of scanning: the “noisily scan everything and look for every possible static signature/hole” approach, and the “quietly look only for the relevant signatures/holes” approach. The most adamant will always reach for the “aggressive” option in nmap; the rest want non-disruptive and non-intrusive methods. Either way, most of today’s IDS/IPS sensors will easily spot the noise generated by traditional scanners, so it is healthy to stay under the radar as much as possible rather than being highlighted in the logs with thousands of nmap port scans.
For example, after a few requests you learn that the host is an MS IIS server (using httprint, by telnetting to the server port directly and issuing the proper commands, or by running one of the other web server fingerprinting tools out there: hmap, 404print, webserverfp etc.). Let’s say for the moment that, by a fool-proof fingerprinting method, I have confirmed that the host is running IIS.
[In a different discussion I would like to converse further on fingerprinting (the reconnaissance stage in ethical hacking lessons), because many in the industry don't put their money on the accuracy of fingerprinting.]
So do I really need to run exploits that only affect Apache? Or, let’s say the server does not support PHP: do I need to scan for PHP-related vulnerabilities? Plausibly that is something different from where most scanners are, as they usually aim for noisy, disruptive scans that request everything under the sun. I would prefer the second method, since it seriously reduces the time required to perform the scan and significantly reduces the number of signature probes sent against the server. But is there a reliable scanner/method that can be trusted without missing the “reality check”? I did some extensive reading on this matter. According to an article written by SPI Dynamics, “Intelligent Engines – Next Generation Web Application Security”, the combination of intelligent engine technology and static checks would deliver the most accurate results. With the industry’s swift growth rate and the growing number of checks, vulnerability databases will have tens of thousands of static checks in a few years. With that many checks, application scans will simply take too long. Imagine your Nessus scan with traditional static-check application assessment technology: running an automated test for a vulnerability like cross-site scripting could take up to three hours and yield results with many false positives. Using intelligent engine technology, that time can be reduced to 12 minutes with almost no false positives. A new technology to revolutionize the process of finding vulnerabilities will not only speed up web server security assessments but also make them more flexible and more accurate by virtually eliminating false positives.
There are heaps of tools available freely and commercially, from nmap to Nessus to Core Impact. But what matters is how effectively and quickly your IS team wants to mitigate the risks you identify. What really happens to your fortnightly/monthly scan results? Do you find the same holes in the next round? If yes, what action would you take? I know the question is somewhat political, yet otherwise your hard work of finding holes in your infrastructure won’t bring any edge to you or your network. The model I’m working on (obviously you have to start from the grass roots) focuses on `new systems` rather than existing ones, at least to make sure that new systems coming into production networks are fully tested. The idea is to screen all new systems in a lab environment to make sure a box is `clean` before it sits in production. So what happens after commissioning? How do these systems respond to new vulnerabilities? In the long-running cyclic process, once you receive new vulnerability updates (from CVE or SANS @RISK) you must act quickly: update your daily vulnerability columns according to your platforms and the recent vulnerabilities, and conduct a stealth scan to assess the risk. Once prioritized according to the old-school method, you know how to get things patched. Keep in mind your job isn’t finished until you complete your post-patch scan with “no more” holes. If you have streamlined the process, you won’t be noisy, nor will you spend hours finding new vulnerabilities against the recent CVE update; literally, you will spend less than 10 minutes per system for a thumbs up.
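To make the two ideas above concrete (selecting only the checks that match what fingerprinting established about a host, and confirming after patching that nothing previously found is still open), here is an added example written for this post; it is not code from any scanner named here, and the host profile, check catalogue and check IDs are constructed placeholders, not real signatures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    """What fingerprinting established about one host (constructed sample)."""
    server: str          # web server family, e.g. "iis" or "apache"
    modules: frozenset   # server-side technologies seen, e.g. {"php"}


@dataclass(frozen=True)
class Check:
    """One entry in a hypothetical check catalogue (IDs are placeholders)."""
    check_id: str
    title: str
    servers: frozenset   # server families the check applies to; empty = any
    requires: frozenset  # modules that must be present for the check to matter


# Constructed catalogue: only applicability tags, no real probe content.
CATALOGUE = (
    Check("CHK-001", "IIS-specific misconfiguration check", frozenset({"iis"}), frozenset()),
    Check("CHK-002", "Apache-specific misconfiguration check", frozenset({"apache"}), frozenset()),
    Check("CHK-003", "PHP handler check", frozenset(), frozenset({"php"})),
    Check("CHK-004", "Generic reflected XSS check", frozenset(), frozenset()),
    Check("CHK-005", "Apache + PHP combined check", frozenset({"apache"}), frozenset({"php"})),
)


def applicable_checks(profile, catalogue=CATALOGUE):
    """Keep only checks whose server and module constraints the fingerprint satisfies."""
    return [c for c in catalogue
            if (not c.servers or profile.server in c.servers)
            and c.requires <= profile.modules]


def probe_reduction(profile, catalogue=CATALOGUE):
    """Fraction of catalogue probes that targeted scanning never sends to this host."""
    kept = len(applicable_checks(profile, catalogue))
    return 1 - kept / len(catalogue)


def still_open(findings_before, findings_after):
    """Post-patch verification: check IDs found before patching that the rescan still reports."""
    return sorted(set(findings_before) & set(findings_after))


if __name__ == "__main__":
    iis_host = HostProfile(server="iis", modules=frozenset())
    for c in applicable_checks(iis_host):
        print(c.check_id, c.title)
    print(f"probes avoided: {probe_reduction(iis_host):.0%}")
    print("still open after patch:", still_open(["CHK-001", "CHK-004"], ["CHK-004"]))
```

A real catalogue would also carry version ranges per check, but the selection logic stays the same: the fingerprint decides what is sent, and the post-patch rescan must come back empty before the host is signed off.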