“Vulnerability scanners are a class of tool that allow you or an attacker to quickly scan a remote host by checking for known vulnerabilities, exploits or server misconfigurations. Often called a ‘hacker-in-a-box’ these tools represent an efficient mechanism for quickly learning about a large number of potential vulnerabilities on a target server. Most vulnerabilities are discovered by a challenge-response system, where the vulnerability scanner sends a message to the remote server and listens for a response. In the case of web application vulnerabilities the scanner generally searches for errors within the server-side application which might allow an attacker to gain access or deface the website. Web application vulnerability scanners are generally limited to http requests, while server vulnerability scanners test every port, service and vulnerability on a server. Often a server vulnerability scanner can scan a range of IP addresses broadening the number of vulnerabilities found. Through the course of this report we will make a distinction between web scanners and server scanners. Web scanners are tools focused on web applications and the web server code running behind them. Server scanners are tools focused on the general makeup of a server including machine configuration, running services, open ports, operating system vulnerabilities, and any other vulnerable applications running. It is best to think of web scanners as a specialization of the more general server scanner.
Vulnerability scanners are a very popular first attack on a server. Hackers use these scanners because they are easy to deploy, easily scriptable, and can reveal hundreds of possible vulnerabilities within hours.
Vulnerability scanners can discover a large amount of information about a server, especially if that server is misconfigured or poorly secured by the server administrator.”  (Security Innovation Newsletter, 2004)
“A scanner is a program that automatically detects security weaknesses in a remote or localhost. Scanners are important to Internet security because they reveal weaknesses in the network. System administrators can strengthen the security of networks by scanning  their own networks.
The primary attributes of a scanner should be:
1: The capability to find a machine or network.
2: The capability to find out what services are being run on the host (once having found the machine).
3: The capability to test those services for known holes. There are various tools available for  Linux system scanning and intrusion detection. I will explain some of the very famous tools available. I have divided the scanners into three categories:
 1: Host Scanners 2: Network Scanners 3: Intrusion Scanners
Host scanners
Host scanners are software you run locally on the system to probe for problems.
COPS is a collection of security tools that are designed specifically to aid the typical UNIX systems administrator, programmer, operator, or consultant in the oft neglected area of computer security. COPS is available at:
Tiger is a UNIX Security Checker. Tiger is a package consisting of Bourne Shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them. You can get it from:
Network scanners 
     Network scanners are run from a host and pound away on other machines, looking for open services. If you can find them, chances are an attacker can too. These are generally very useful for ensuring your firewall works.
     Strobe is Super optimized TCP port surveyor. It is a network/security tool that locates and describes all listening TCP ports on a (remote) host or on many hosts in a bandwidth utilization maximizing, and process resource minimizing manner. It is simple to use and very fast, but doesn’t have any of the features newer port scanners have.
Strobe is available at:
    Nmap is a newer and much more fully-featured host scanning tool. Specifically, nmap supports:
Vanilla TCP connect scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning Direct (non portmapper), RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap is available at:

Firewall scanners
     There are also a number of programs now that scan firewalls and execute other penetration tests in order to find out how a firewall is configured.

     Firewalking is a tool that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. System administrators should utilize this tool against their systems to tighten up security. Firewalk is available from:
Security is not a solution! It’s a way of life”. System Administrators must continuously scan their systems for security holes and fix the hole on detection. This will tighten the security of system and reduce the chance of security breaches. This process is a continuous process. The security vulnerabilities will keep on arising and process of fixing the security holes will never end! After all, Precaution is better than cure.  (by Kapil Sharma, 2000)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s