In the 1980s (the era of Pac-Man), a children’s cartoon called G.I. Joe repeated a bit of wisdom in every episode, “And knowing is half the battle.” Vulnerability scanners enumerate properties and search for security bugs on a single system or across a network. It’s one thing to know that a new vulnerability has been discovered in a piece of software. It’s another to know whether that vulnerable software is present on your (or someone else’s) network and, more importantly, how many systems are vulnerable and where those systems reside. Whether you’re trying to defend or attack the network, this is valuable information.
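The "how many systems are vulnerable and where" step described above is, at its core, a comparison of enumerated software versions against an advisory's affected range, followed by a tally per site. The following Python sketch is an added example (not code from the book, OpenVAS, or Metasploit) that models that step on a constructed host inventory and a hypothetical advisory; the product name `exampled`, the advisory id, the version range and the hosts are all made up for illustration.

```python
"""Toy version-based vulnerability matcher (added example, not from the book).

It models the core step a vulnerability scanner performs after enumerating
hosts: compare each discovered software version against an advisory's
affected range, then report how many systems are exposed and where they sit.
All hosts, versions and the advisory below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed inventory: what a scanner's enumeration phase might have recorded.
INVENTORY = [
    {"host": "10.0.1.10", "site": "datacenter", "product": "exampled", "version": "2.4.9"},
    {"host": "10.0.1.11", "site": "datacenter", "product": "exampled", "version": "2.4.12"},
    {"host": "10.0.2.20", "site": "branch-a",   "product": "exampled", "version": "2.4.10-patch3"},
    {"host": "10.0.2.21", "site": "branch-a",   "product": "otherd",   "version": "1.0.0"},
    {"host": "10.0.3.30", "site": "branch-b",   "product": "exampled", "version": "2.3.99"},
]

# Constructed advisory (hypothetical product and range, not a real CVE):
# versions >= 2.4.0 and < 2.4.12 of "exampled" are affected.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "product": "exampled",
    "introduced": "2.4.0",
    "fixed": "2.4.12",
}


def parse_version(text):
    """Turn '2.4.10-patch3' into (2, 4, 10); non-numeric suffixes are ignored.

    Tuples compare element-wise, so (2, 4, 9) < (2, 4, 12) and a shorter
    tuple such as (2, 4) sorts before (2, 4, 0), which is what we want here.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version, advisory):
    """True when version falls in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    return lo <= v < hi


def find_vulnerable(inventory, advisory):
    """Return the inventory entries running an affected build of the product."""
    return [
        entry for entry in inventory
        if entry["product"] == advisory["product"]
        and is_affected(entry["version"], advisory)
    ]


def summarize(matches):
    """Count affected hosts per site so the report answers 'where' as well as 'how many'."""
    return dict(Counter(entry["site"] for entry in matches))


if __name__ == "__main__":
    hits = find_vulnerable(INVENTORY, ADVISORY)
    print(f"{ADVISORY['id']}: {len(hits)} of {len(INVENTORY)} hosts affected")
    for site, count in sorted(summarize(hits).items()):
        print(f"  {site}: {count}")
```

Real scanners add two things this sketch omits: the enumeration phase that produces the inventory (banner grabbing, authenticated checks, package lists), and vendor-specific version schemes that do not reduce cleanly to dotted integers, which is why a scanner's accuracy depends on how carefully its version parsers are written.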
This chapter introduces some basic concepts and techniques shared by all vulnerability scanners. This overview will help you understand how scanners search for the security problems related to out-of-date and misconfigured software. Then it covers two major open source scanners, OpenVAS (the successor of Nessus, which you might already be familiar with) and Metasploit. These scanners automate many of the basic steps necessary for conducting a vulnerability assessment (when you want to draw a picture of what your network’s exposure to attack looks like) or a penetration test (when you want to find out the impact those vulnerabilities have on your network).