Network Computingwww.networkcomputing.com

Vulnerability Assessment Scanners

Our goal was to take five popular OS platforms to see just how thorough each scanner is in detecting published vulnerabilities and misconfigurations. Each scanner was run individually against all target hosts; afterward, all target hosts were rebooted before the next scanner was run. Where applicable, scanners were updated with the latest vulnerability checks immediately before they were used. All checks/tests were enabled (via custom policies or general configuration), except those specifically meant for gauging DoS (denial of service) attacks. All five vulnerable machines were scanned in unison, letting scanners leverage any "common" information discovered. We ran CyberCop Scanner, HackerShield and Retina from a Microsoft Windows NT 4.0 Server system. We ran Internet Scanner from an NT 4.0 Workstation; we launched Nessus Security Scanner, SAINT and SARA from a Red Hat Linux 6.2 workstation.

Hewlett-Packard Co. HP-UX 10.20 - 10.9.100.161

We let our trusty HP-UX box be our token "old misconfigured Sendmail" system. Besides obvious buffer overflows, we included Sendmail misconfigurations that are (ab)used by spammers to send unsolicited e-mail. Target vulnerabilities: various Sendmail buffer overflows (remote and local), SMTP mail relaying techniques, SMTP account harvesting (via EXPN, VRFY and so on), FTP allows anonymous chmod and FTP has world-writable /pub/ directory.

Microsoft Windows NT 4.0 - 10.9.100.78

We couldn't resist throwing a Windows NT server running IIS into the mix--we hoped it would serve as an easy target. To serve the SANS top-10 vulnerabilities chart, we installed Allaire Corp.'s ColdFusion 4.05 Enterprise. Target vulnerabilities: ColdFusion sample scripts, RDS vulnerability, general IIS sample scripts and information enumeration via null sessions/anonymous logins.

Novell NetWare 5.1 - 10.9.100.139

Knowing that not many vulnerabilities are published for NetWare, we decided to add NetWare to gauge the scanners' ability to work with an obscure host. And obscure is right: More than half of the scanners didn't pinpoint the OS. Target vulnerability: guessable SNMP read community name.

Red Hat Linux 5.2 - 10.9.100.64

Besides targeting the regular fare of vulnerabilities found in Red Hat Linux 5.2, we used this system to introduce misconfigurations in an effort to include vulnerabilities listed in the SANS chart. Also, we specifically upgraded the BIND version to 8.2 (via RPMs from Red Hat 6.0) to introduce the BIND NXT vulnerability. Target vulnerabilities: wu-ftpd buffer overflows; NFS export of root (/) directory, world mountable; guest user account with no password; and BIND NXT buffer overflow.

Sun Microsystems Solaris 2.6 - 10.9.100.23

It wouldn't be a vulnerability review without a venerable Solaris platform, bristling with RPC buffer overflows. Target vulnerabilities: buffer overflows in rpc.cmsd, rpc.sadmind and rpc.ttdbserver; and finger service vulnerabilities.