background image


Chapter 4

Vulnerability scanners generally create a lot of traffic on a network and 

are therefore not typically used in a penetration test when one of the objec-
tives is to remain undetected. If, however, you are running a penetration test 
and stealth is not an issue, a vulnerability scanner can save you from having 
to probe systems manually to determine their patch levels and vulnerabilities.

Whether you use an automated scanner or do it manually, scanning is 

one of the most important steps in the penetration testing process; if done 
thoroughly, it will provide the best value to your client. In this chapter, we 
will discuss a number of vulnerability scanners and how they can be integrated 
within Metasploit. We’ll highlight some auxiliary modules in the Metasploit 
Framework that can locate specific vulnerabilities in remote systems.

The Basic Vulnerability Scan

Let’s look at how a scan works at the most basic level. In the following listing, 
we use 


 to grab a banner from the target 

Banner grabbing


is the act of connecting to a remote network service and reading the service 
identification (banner) that is returned. Many network services such as web, 
file transfer, and mail servers return their banner either immediately upon 
connecting to them or in response to a specific command. Here we connect 
to a web server on TCP port 80 and issue a 


 request that allows us to 

look at the header information that the remote server returns in response to 
our request.


nc 80


HTTP/1.1 400 Bad Request



The information returned at   tells us that the system running on port 80 

is a Microsoft IIS 5.1–based web server. Armed with this information, we could 
use a vulnerability scanner, as shown in Figure 4-1, to determine whether this 
version of IIS has any vulnerabilities associated with it and whether this par-
ticular server has been patched.

Of course, in practice, it’s not that simple. Vulnerability scans often con-

tain many 

false positives

 (reported vulnerability where none exists) and 



 (failure to log a vulnerability where one exists) due to subtle differ-

ences in system and application configurations. In addition, the creators of vul-
nerability scanners have an incentive to report positives: The more “hits” a 
vulnerability scanner finds, the better it looks to a potential buyer. Vulnera-
bility scanners are only as good as their vulnerabilities database, and they can 
easily be fooled by misleading banners or inconsistent configurations.

Let’s take a look at some of the more useful vulnerability scanners, 

including NeXpose, Nessus, and some specialized scanners.