Software vulnerabilities foe hackers are one of the main gateways for cybercriminals, but a misconfiguration of our services, and even the exposure of a TCP/UDP port to the Internet without any type of filtering, is also an attack vector. Hackers are constantly looking for new ways to attack any computer, server or network through these security flaws, for this reason, the companies’ own engineers, security researchers and ethical hackers are constantly analyzing the different programs in look for security flaws and report it so it can be fixed. The essential tool for this task with vulnerability scanners.
A vulnerability scanner is software designed to automatically scan any application, system, or network for any potential vulnerabilities that exist. Although these applications are not capable of detecting the vulnerability with total precision, they are capable of detecting certain elements that could trigger vulnerability, greatly facilitating the work of researchers and engineers. There are several types of vulnerability scanners, authenticated, in which tests and potential attacks are carried out from within the network itself, and unauthenticated, in which the researcher or ethical hacker attempts to impersonate a hacker by simulating an attack from the outside to see how far it is able to go analyzing (and exploiting) possible vulnerabilities.
In the network we can find a large number of vulnerability scanners, most of them very similar, but with some aspects that clearly differentiate them and make them better, or simply different, than others. Today in RedesZone we are going to see which are the most important and well-known to carry out a first pentesting.
Nmap
We cannot start a compilation with the best vulnerability scanners without mentioning one of the most powerful, complete and veteran that we can find on the net: Nmap. This software is one of the most use to search for hosts within a local network, but it also allows the discovery of hosts on the Internet to check if they are connect to the network, in addition, we can carry out extensive and advance port scans to check if we have any service running that is not protect by the firewall, and we can even see if we have a firewall on a certain host. Other options that we can carry out with this program is to know what operating system a specific host uses, if we scan a Windows computer it will tell us that we are indeed scanning a Windows operating system, and the same with Linux or Unix.
This program is open source and cross-platform
This program is open source and cross-platform, although the most common is to use it on Linux operating systems to carry out the pentesting task, it is the first step to carry out an intrusion into the systems and try to hack the computer correctly, always with ethical purposes to discover possible vulnerabilities. This software has a large number of advanced options, and, in addition, it has an optional graphical interface called Zenmap that we can use quickly and easily.
Although this tool was born as a port scanner, thanks to the NSE scripts that it includes by default (and that we can download from many web pages) it is possible to use it as a complete tool to search for vulnerabilities in networks and systems. The NSE scripts use the power of Nmap itself, but it is also capable of exploiting known vulnerabilities in certain programs, so it is very useful to update it frequently with the latest scripts.
NSE and Nmap
Both NSE and Nmap make a really powerful team to help the hacker do the pentesting. Some of the functions that we will be able to carry out are attacking Samba servers by trying hundreds of users and passwords, the same with FTP servers and even SSH servers, and we will be able to attack a large number of services to exploit vulnerabilities. When a public vulnerability comes out, the developers incorporate this exploit in Nmap NSE to exploit it easily and quickly, with the aim of helping pentesters with the task of exploiting the compromised system.
In the following Nmap manual we explain how to download it and how to use it to search for possible vulnerabilities in a network or software.
Aircrack-ng Suite
Wi-Fi networks are one of the weakest points of companies, and therefore it is one of the aspects that we must take care of the most. At this point, Aircrack-ng is undoubtedly the best tool to test the security of any Wi-Fi network in search of any possible vulnerability that could allow any unauthorized user to obtain the password of our network. This program is one of the most widely use in the world to crack WiFi networks, whether with WEP, WPA and even WPA2 encryption, however, it is normally use together with other programs to speed up the task of cracking different passwords.
Aircrack-ng is not really a single tool, but it is make up of several tools that are specifically dedicate to different tasks, when we install Aircrack-ng it will install all the additional tools that are specifically design for certain tasks.
Below, you can see all the tools in detail:
- Airmon-ng: It is in charge of putting the Wi-Fi network cards in monitor mode, to allow the capture of all the information by Airodump-ng.
- Airodump-ng: it is capable of capturing data and exporting all the information, to later deal with third-party tools and even with other tools of the Aircrack-ng suite.
- Aireplay-ng: This tool is use to perform replay attacks, client deauthentication, create fake APs, and other packet injection. An important detail is that the Wi-Fi card that we use must be compatible with packet injection, since many are not.
- Aircrack-ng: this program is the one in charge of cracking the WEP, WPA and WPA2 keys of the Wi-Fi networks, obtaining all the information obtained by the rest of the programs in the suite.
