Vulnerability Assessment Tools
Vulnerability assessment tools can be configured to automatically scan for vulnerabilities that create opportunities for threat actors. The most commonly used vulnerability assessment tools include web application scanners and protocol scanners.
Some of the most popular scanners include:
The Burp Vulnerability Scanner. The Burp Vulnerability Scanner is a web penetration testing tool. The Burp Vulnerability Scanner, part of the Burp Suite, is used by many cybersecurity professionals across the world. Many large retailers, banks, financial institutions, and government agencies use it to make information technology assets and applications more resilient to cyber threats. There is a free version that is limited in capability. There are also Professional and Enterprise Editions, which have important additional features.
The Nexpose Vulnerability Scanner. The Nexpose vulnerability scanner is an automated penetration testing system. Nexpose can help you identify the open ports, applications, and services on each scanned machine. Nexpose then seeks vulnerabilities based upon the attributes of these discovered and known applications and services. Penetration testers generally work through a list of likely attack vectors and then observe and analyze the outcome of this activity. Vulnerability managers such as Nexpose methodically work through targeted vulnerabilities which might be appealing to hackers. Nexpose works continually to detect vulnerabilities. Each new component added to a system is checked. Also, new exploit data will, in turn, drive Nexpose activity. Nexpose is available in both paid and free versions.
The Nikto Web Scanner. The NIKTO scanner is an open source scanner widely used around the world today. As it turns out, a point of NIKTO trivia is to know that the name “NIKTO” came from a cult science fiction movie called “The Day the Earth Stood Still.” The word “NIKTO” was the last word in the code phrase, “Klaatu Barada NIKTO” which would stop Gort, a robot in the movie, from using his vast destructive powers on the earth.
Movie trivia aside, NIKTO works with virtually any web server, although most use today is on Apache. The NIKTO scanner runs a comprehensive suite of tests that includes identifying over 6,500 potentially dangerous files and programs. It also checks for misconfigurations, another source of vulnerability, as well as version-level issues on over 250 server types. NIKTO also checks for multiple index files and HTTP server options. It will also identify and enumerate both web servers and the software installed. The basic plugins are frequently updated, so you can use the automatic update feature in NIKTO to stay current.
The Tripwire IP360 Vulnerability Scanner. Tripwire Inc. headquartered in Portland, Oregon, is a leading global provider of security and compliance solutions for enterprises and industrial organizations. Tripwire has over 40+ patents and considerable intellectual property, which makes IP360 unique and highly capable. Tripwire IP360 is Tripwire’s vulnerability management solution which discovers assets, identifies vulnerabilities and helps to prioritize risks. Vulnerability management solutions enable cost-effective reduction of cyber threat risk by bringing attention to the highest risks and protection for the most critical assets.
The Metasploit Vulnerability Scanner. The Metasploit Framework is a complete software platform used for testing and executing exploits. Metasploit can also be used as a very flexible penetration testing system and is perhaps the most popular penetration testing tool used across the broad spectrum of ethical hackers, security researchers, and, unfortunately, malicious hackers. There are several editions of Metasploit. The Metasploit Framework edition is free and contains a basic command-line interface (CLI), supports third-party import, and supports manual exploitation and brute force attacks. The free edition also includes Zenmap and a Ruby compiler. The professional edition includes many more features; check the Rapid7 website at https://www.rapid7.com/products/metasploit/ to learn more about what is available in the product today. There are older editions of Metasploit still floating around, including a Community edition and an Express edition. Both of these have been discontinued.
The Kali Vulnerability Scanner. Kali Linux, released in 2013, is an open source Linux distribution which was designed to support penetration testing and related security auditing. Kali actually contains hundreds of tools to support activities such as penetration testing, computer forensics, reverse engineering and much more. Kali Linux is designed to support both information security professionals and even casual information security learners and students alike when used in the right environment. Kali Linux provides a competent and capable penetration testing experience and is attractive to all types of users. Kali Linux is based on the Debian development standards. Kali Linux users can also customize the operating system as required for special requirements and preferences.
The Qualys Vulnerability Scanner. Qualys is an advanced vulnerability scanner sold commercially around the world. Qualys is used to identify and quantify vulnerabilities. The goal is to prioritize these vulnerabilities, triage them, and then remediate them before they are exploited by threat actors. Qualys is also used to scan for vulnerabilities in deployed web applications. The Qualys Web Application Scanner (QWAS) is used to target web application vulnerabilities. QWAS can target vulnerabilities based upon the Open Web Application Security Project (OWASP) Top 10 list. The OWASP Top 10 list categorizes and prioritizes the most dangerous risks faced by web applications. The Qualys Web Application Scanner finds these vulnerabilities, including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection.
The Angry IP Vulnerability Scanner. Angry IP Scanner is a freely available IP address and port scanner known for its ease of use, simplicity, and speed. Angry IP Scanner can scan IP addresses in any range as well as any of their ports. It was designed to be cross-platform and very lightweight. Angry IP Scanner can be freely copied and used anywhere, and the full source code is available. Operation is simple but comprehensive. Angry IP Scanner pings each IP address to check its status, and then optionally resolves its hostname, determines the MAC address, scans ports, and more. The amount of data gathered about each host can be extended with additional functionality through the use of plugins. Angry IP Scanner has additional features that include NetBIOS information (computer name, workgroup name, and Windows user currently logged in), specified IP address ranges, web server detection, customizable openers, and more.
The Aircrack-NG Wi-Fi Scanner. Aircrack-ng is a set of tools used to understand WiFi network security. Downloads are available from the aircrack-ng.org website. Aircrack-ng functionality includes:
- Monitoring through packet capture and export of data to text files.
- Attacking through deauthentication or fake access points.
- Testing by checking Wi-Fi cards and driver capabilities.
- Cracking various security standards such as WEP, WPA PSK (WPA 1 and 2).
Aircrack-ng is one of the penetration tester “tools of choice” available for cracking WEP and WPA-PSK in Windows. AirCrack-ng breaks WEP through the use of statistical mathematical analysis. Aircrack-ng breaks WPA PSK and WPA2 using brute-force attack techniques against known passwords.
The John the Ripper IP Scanner. John the Ripper (JTR) is a freely available open-source product employed by hackers, both ethical and otherwise, for password cracking. JTR is typically used in a UNIX/Linux or Mac OS X environment, where it can detect weak passwords.
John the Ripper jumbo supports many cipher and hash types. This includes the user passwords for all the Unix variants (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, network traffic captures (Windows network auth, Wi-Fi WPA-PSK, and more), encrypted private keys, file systems and disks, archive formats (ZIP, RAR, etc.), certain web applications such as WordPress, groupware, and database servers such as SQL and LDAP, and document files such as Adobe PDF, Microsoft 365 Office, and more. Ethical hackers and penetration testers prefer JTR because of its ability to detect password hash types automatically. JTR can run several types of attacks to include the classic dictionary attack as well as a brute force attack. JTR also offers a business version of the product called “John the Ripper Professional.”
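The automatic hash-type detection described above, as an added example (not John the Ripper's own code): a small Python audit that keys on the standard crypt(3) prefixes and raw hex digest lengths, and runs a tiny dictionary check only against unsalted raw hashes. The shadow entries and wordlist are constructed for the example.

```python
import hashlib
import re

# crypt(3)-style prefixes and raw hex lengths that John's format autodetection keys on.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
RAW_HEX = {32: ("raw-md5", "md5"), 40: ("raw-sha1", "sha1"),
           64: ("raw-sha256", "sha256"), 128: ("raw-sha512", "sha512")}

def identify_hash(h):
    """Return a John-style format name for one hash string."""
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in RAW_HEX:
        return RAW_HEX[len(h)][0]
    return "unknown"

def audit_raw_hash(h, wordlist):
    """Dictionary check for unsalted raw hashes; returns the matching word or None."""
    fmt = identify_hash(h)
    algo = next((a for n, a in RAW_HEX.values() if n == fmt), None)
    if algo is None:
        return None  # salted crypt formats are out of scope for this example
    return next((w for w in wordlist
                 if hashlib.new(algo, w.encode()).hexdigest() == h.lower()), None)

def audit_shadow(lines, wordlist):
    """Parse /etc/shadow-style lines into (user, format, weak_word) tuples."""
    results = []
    for line in lines:
        user, field = line.split(":", 2)[:2]
        if field in ("", "*") or field.startswith("!"):
            results.append((user, "locked-or-empty", None))
            continue
        results.append((user, identify_hash(field), audit_raw_hash(field, wordlist)))
    return results

# Constructed sample entries: a sha512crypt-shaped field (fake salt/digest text),
# a locked service account, and a raw MD5 of "password".
SAMPLE_SHADOW = [
    "alice:$6$rounds=5000$saltsalt$abcDEF123:19000:0:99999:7:::",
    "svc:!*:19000:0:99999:7:::",
    "bob:" + hashlib.md5(b"password").hexdigest() + ":19000:0:99999:7:::",
]
SMALL_WORDLIST = ["123456", "password", "letmein"]

if __name__ == "__main__":
    for row in audit_shadow(SAMPLE_SHADOW, SMALL_WORDLIST):
        print(row)
```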
Maltego. Maltego is a visualization tool used by security professionals, penetration testers, forensic investigators, researchers, and journalists to support a wide variety of investigative activity. Maltego enables graphical link analysis, which is used for real-time data mining. Maltego also displays this data on a node-based graph. This graph display makes the connections between the data easier to see and identify. There are several Maltego solutions that include cybersecurity investigations, cyber crime investigations in support of law enforcement activity, and reducing fraud and insider threats.
Ettercap. Ettercap is an open-source tool that can be used to support man-in-the-middle attacks on networks. Ettercap can capture packets and then write them back onto the network. Ettercap enables the diversion and alteration of data virtually in real time. Ettercap can also be used for the protocol analysis necessary to analyze network traffic. Ettercap has a nice graphical user interface (GUI) as well as a command line interface. While Ettercap can support network traffic analysis, the most frequent use of Ettercap is to set up man-in-the-middle attacks using ARP poisoning. Scenarios that can be emulated in a penetration test include man-in-the-middle attacks, credential capture, DNS spoofing, and DoS attacks. Ettercap also supports both active and passive deep analysis of many protocols and includes many features for network and host analysis. Many “sniffing” modes are available, including MAC based, IP based, ARP based (full duplex), and Public ARP based (half duplex). Ettercap can also detect a switched local area network (LAN) and use OS fingerprints to determine the total geometry of the LAN. Ettercap is a necessary part of the tool inventory for any penetration tester or ethical hacker.
Netsparker. Netsparker is a leading web vulnerability management product used around the world by information technology, security operations, and development teams. Netsparker is a fully configurable Enterprise Dynamic Application Security Testing (DAST) tool. A DAST tool communicates with a web application through its web front-end in order to identify potential security vulnerabilities in the web application. DAST tools run automated scans that simulate external attacks on an application. DAST enables security operations teams to scan websites, web applications, and web services to identify security vulnerabilities. Netsparker automatically scans custom web applications for Cross-Site Scripting (XSS), SQL Injection, and other types of vulnerabilities. Netsparker can scan all types of web apps, independent of the platform or language in which they are coded. Netsparker can be integrated within the software development lifecycle (SDLC) or can operate on a standalone basis. Netsparker can be integrated with many of the leading CI/CD software environments and issue trackers. This enables you to use Netsparker in your DevOps and SecOps environments.
Nmap Vulnerability Scanner. Network Mapper (Nmap) is another outstanding open-source tool used for vulnerability scanning and related network discovery. Authorized users can utilize Nmap to identify the devices running on their systems, the hosts, and the services that may be available. Nmap does a wonderful job of finding open ports and detecting and identifying security risks. Nmap can scale from monitoring one host to large networks that may include hundreds of thousands of devices and subnets. Nmap has many features and capabilities, but fundamentally it is a port-scan tool. Nmap sends packets to ports, monitors the responses, and then tags the ports as open, closed, or filtered (perhaps protected by a firewall). Port scanning is a method of ascertaining which ports on a network may be open and involved with sending or receiving data. Port scanning is also referred to as port discovery or enumeration. Port scanning is different from sniffing, which refers more generally to monitoring traffic on a network. Port scanning is used to identify potential vulnerabilities on a system that is otherwise unknown.
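The open/closed/filtered tagging described above, as an added example (not Nmap's own code): a minimal TCP connect scan in Python that classifies a port by how the host responds, exercised against a throwaway listener on 127.0.0.1 constructed for the example.

```python
import socket
import threading

def classify_port(host, port, timeout=1.0):
    """Mimic the three Nmap port states for a TCP connect scan.
    open: the handshake completes; closed: the host answers with RST
    (ConnectionRefusedError); filtered: no answer within the timeout or an
    ICMP unreachable, typically a firewall dropping the probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and network/host unreachable
        return "filtered"
    finally:
        s.close()

def scan(host, ports, timeout=1.0):
    """Return {port: state} for each port in the list."""
    return {p: classify_port(host, p, timeout) for p in ports}

def start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 (the constructed scan target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener was closed
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def free_port():
    """Reserve and release an ephemeral port so that nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    listener = start_local_listener()
    print(scan("127.0.0.1", [listener.getsockname()[1], free_port()]))
    listener.close()
```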