A "vulnerability scanner" (sometimes called a "network analyzer") is a utility program that makes it possible to perform a security audit on a network by scanning for open ports on a given machine or an entire network. The scanning process uses probes (requests) that make it possible to determine the services that are running on a remote host.
Such a tool helps identify security risks. In general, it can run an analysis over a range or a list of IP addresses in order to fully map a network.
How a scanner works
A vulnerability scanner determines which ports are open on a system by sending successive requests to the various ports and analyzing the responses to determine which ones are active.
By thoroughly analyzing the structure of the TCP/IP packets received, advanced security scanners are sometimes able to determine the remote machine's operating system as well as the versions of the applications associated with the ports and, when applicable, to recommend necessary updates. This is referred to as version characterization.
Two methods are generally used:
- The active acquisition of information involves sending a large number of packets having characteristic headers that are usually not in line with the recommendations and analyzing the responses to determine the version of the application used. Since all applications implement protocols slightly differently, this makes it possible to distinguish them from one another.
- The passive acquisition of information (sometimes called passive scanning or non-intrusive scanning) is much less intrusive and therefore less likely to be detected by an intrusion detection system. Its operating principle is similar, except that it involves analyzing the fields of IP datagrams circulating on a network by using a sniffer. Passive version characterization analyzes changes in field values over a series of fragments, which requires a much longer analysis time. This type of analysis is therefore extremely difficult and sometimes even impossible to detect.
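The following added example (not part of the original article) shows one way an intrusion detection system can recognize the active scanning described above: it flags any source that touches many distinct ports on one host within a short time window. The log format, the function name `detect_port_sweeps`, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed connection records: (time_s, source, destination, dest_port, result).
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    (0.00, "198.51.100.7", "192.0.2.10", 21, "refused"),
    (0.05, "198.51.100.7", "192.0.2.10", 22, "open"),
    (0.10, "198.51.100.7", "192.0.2.10", 23, "refused"),
    (0.15, "198.51.100.7", "192.0.2.10", 25, "refused"),
    (0.20, "198.51.100.7", "192.0.2.10", 80, "open"),
    (0.25, "198.51.100.7", "192.0.2.10", 443, "open"),
    (1.00, "203.0.113.5", "192.0.2.10", 443, "open"),
    (4.00, "203.0.113.5", "192.0.2.10", 80, "open"),
    (9.00, "203.0.113.5", "192.0.2.10", 443, "open"),
]

def detect_port_sweeps(events, window=10.0, min_ports=5):
    """Map (source, destination) -> sorted ports for every source that touched
    at least min_ports distinct ports on one host within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _result in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, probes in by_pair.items():
        probes.sort()
        counts = defaultdict(int)  # port -> probes currently inside the window
        start = 0
        for ts, port in probes:
            counts[port] += 1
            # Slide the window: drop probes older than `window` seconds.
            while ts - probes[start][0] > window:
                old_port = probes[start][1]
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
                start += 1
            if len(counts) >= min_ports:
                alerts[pair] = sorted(counts)  # ports seen when the threshold tripped
                break
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

The ordinary client in the sample, which only revisits ports 80 and 443, stays below the threshold and is not reported.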
Why a scanner is useful
Security scanners are extremely useful tools for system and network administrators, letting them monitor the security of the computer population they are responsible for.
Conversely, this tool is sometimes used by hackers to determine flaws in a system.
This document, titled « Vulnerability scanners - Port scanning », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM