Types of Scanning Tools

There are hundreds of network security scanning tools and scripts on the market today. Each of these tools, when used properly, will find different vulnerabilities. As network technology changes, along with the changing landscape of attacks and the advances in virus generation and other attack tools, it is difficult for any single vulnerability tool or script to be useful against a large collection of system vulnerabilities. So most security experts, to be most effective, use a combination of these tools and scripts. The most commonly used tools usually have around 140 settings, which are carefully used to change the sensitivity of the tool or to focus the scan on particular targets.
For commercial vulnerability scanners and scripts, we will review the most current tools and scripts. They are divided into two categories: network based and host based. Network-based tools are meant to guard the entire network, and they scan the entire network for a variety of vulnerabilities. They scan all Internet resources including servers, routers, firewalls, and local-based facilities. Since a large percentage of network security risk comes from within the organization, from inside employees, host-based scanning focuses on a single host that is assumed to be vulnerable. It requires an installation on the host to scan the operating system and hardware of the machine. At the operating system level, the scanner checks for missing security checks, vulnerable service configurations, poor password policies, and bad or poor passwords.
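The host-based checks just described (vulnerable service configuration and weak password policy) can be illustrated with a small configuration audit. The following is an added example, not code from the textbook or from any scanner product: it parses a constructed sshd_config and a constructed login.defs-style file and reports settings that miss an assumed hardening baseline. The sample contents, the baseline values (for example a 12-character minimum and 365-day maximum password age) and the finding texts are all assumptions chosen for the illustration.

```python
"""Minimal host-based configuration audit over constructed config text.

Added example, not from the textbook. It checks two things a host-based
scanner looks at: a service configuration (sshd_config directives) and a
password policy (login.defs-style settings). All inputs and thresholds are
constructed/assumed for the illustration.
"""
import re

# Constructed sample: an sshd_config with several weak settings.
SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

# Constructed sample: login.defs-style password policy with weak values.
LOGIN_DEFS = """\
# login.defs (constructed sample)
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
"""

# Assumed baseline: directive -> (expected value, why a deviation matters).
SSHD_CHECKS = {
    "permitrootlogin": ("no", "root may log in directly over SSH"),
    "passwordauthentication": ("no", "password logins allowed (prefer keys)"),
    "permitemptypasswords": ("no", "accounts with empty passwords accepted"),
}


def parse_directives(text):
    """Parse 'Key value' lines; comments and blanks ignored, keys lowercased."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        directives[key] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def audit_sshd(text):
    """Return a list of findings for the sshd_config text (empty if clean)."""
    d = parse_directives(text)
    findings = []
    for key, (expected, why) in SSHD_CHECKS.items():
        actual = d.get(key, "<unset>")
        if actual.lower() != expected:
            findings.append(f"sshd {key}={actual}: {why}")
    # OpenSSH defaults MaxAuthTries to 6; a higher value eases password guessing.
    if int(d.get("maxauthtries", "6")) > 6:
        findings.append(f"sshd maxauthtries={d['maxauthtries']}: too many attempts per connection")
    return findings


def audit_password_policy(text, min_len=12, max_days=365):
    """Return findings for a login.defs-style policy against assumed minimums."""
    d = parse_directives(text)
    findings = []
    if int(d.get("pass_min_len", "0")) < min_len:
        findings.append(f"PASS_MIN_LEN={d.get('pass_min_len', '<unset>')}: below {min_len}")
    if int(d.get("pass_max_days", "99999")) > max_days:
        findings.append(f"PASS_MAX_DAYS={d.get('pass_max_days', '<unset>')}: exceeds {max_days}")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SSHD_CONFIG) + audit_password_policy(LOGIN_DEFS):
        print("FINDING:", finding)
```

Run against the constructed samples it reports four sshd findings and two password-policy findings; a real host-based scanner applies the same idea across hundreds of such directives and packages.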
8—Information Security Protocols and Best Practices 129

One of the most commonly used scanners today is Nmap, a network port scanning utility for single hosts and small and large networks. Nmap supports
many scanning techniques including vanilla TCP connect, TCP SYN (half open), TCP FIN, Xmas or NULL, TCP FTP proxy (bounce attack), SYN/FIN, IP fragments, TCP ACK and Window, UDP raw ICMP port unreachable, ICMP (ping sweep), TCP ping, direct (non-portmapper) RPC, remote OS identification by TCP/IP fingerprinting, and reverse-identity scanning.
When fully configured, Nmap can perform decoy scans using any selection of TCP addresses desired by its operator. Nmap can also simulate a coordinated scan targeting different networks in one country or in a number of countries at the same time. It can also hide its activities in a barrage of what appears to the user or system administrator to be multinational attacks, and it can spread its probes out over time to stay below a monitoring threshold set by the system administrator or the security team. Nmap is extremely effective at identifying the types of computers running in a targeted network and the potentially vulnerable services available on each of them.
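The two Nmap behaviours the text calls out, half-open (SYN) probing and spreading probes out to stay under a monitoring threshold, are exactly what a defender's scan detection has to reason about. The following added example (not from the textbook, and not Nmap's code) runs a sliding-window port-scan detector over constructed connection-log records: a source is flagged when it touches at least `min_ports` distinct destination ports within any `window_s` seconds, and the alert notes whether the probes were mostly half-open SYNs or completed connects. The log format (timestamp, source, destination, port, flags), the sample hosts and the thresholds are assumptions chosen for the illustration. It goes slightly beyond the paragraph by showing the threshold effect directly: the same slow scan is invisible to a 10-second window and caught by a 10-minute one.

```python
"""Sliding-window port-scan detector over constructed connection-log records.

Added illustrative example, not from the textbook. Assumed record format:
"<ts_seconds> <src_ip> <dst_ip> <dst_port> <flags>", where flags "S" means a
SYN that never completed the handshake (half-open) and "SA" a completed
connect. Thresholds and sample data are constructed for the example.
"""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.5 sweeps eight ports in eight seconds with
# half-open SYNs; 10.0.0.9 probes the same eight ports one per minute (a slow
# scan); 10.0.0.7 is a benign client with completed connections to two ports.
SAMPLE_LOG = """\
0 10.0.0.5 192.168.1.10 21 S
1 10.0.0.5 192.168.1.10 22 S
2 10.0.0.5 192.168.1.10 23 S
3 10.0.0.5 192.168.1.10 25 S
4 10.0.0.5 192.168.1.10 80 S
5 10.0.0.5 192.168.1.10 110 S
6 10.0.0.5 192.168.1.10 143 S
7 10.0.0.5 192.168.1.10 443 S
0 10.0.0.9 192.168.1.10 21 S
60 10.0.0.9 192.168.1.10 22 S
120 10.0.0.9 192.168.1.10 23 S
180 10.0.0.9 192.168.1.10 25 S
240 10.0.0.9 192.168.1.10 80 S
300 10.0.0.9 192.168.1.10 110 S
360 10.0.0.9 192.168.1.10 143 S
420 10.0.0.9 192.168.1.10 443 S
3 10.0.0.7 192.168.1.10 443 SA
9 10.0.0.7 192.168.1.10 443 SA
15 10.0.0.7 192.168.1.10 80 SA
""".strip().splitlines()


def parse_log(lines):
    """Turn raw log lines into dict records (assumed five-field format)."""
    records = []
    for line in lines:
        ts, src, dst, port, flags = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "flags": flags})
    return records


def detect_scans(records, window_s, min_ports):
    """Return {src: alert} for sources hitting >= min_ports distinct ports
    within any window_s-second window. First qualifying window is reported."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)

    alerts = {}
    for src, recs in by_src.items():
        window = deque()                 # records inside the current window
        port_multiplicity = defaultdict(int)  # port -> count inside window
        for r in recs:
            window.append(r)
            port_multiplicity[r["port"]] += 1
            # Evict records older than window_s relative to the newest one.
            while r["ts"] - window[0]["ts"] > window_s:
                old = window.popleft()
                port_multiplicity[old["port"]] -= 1
                if port_multiplicity[old["port"]] == 0:
                    del port_multiplicity[old["port"]]
            if len(port_multiplicity) >= min_ports and src not in alerts:
                half_open = sum(1 for w in window if w["flags"] == "S")
                mode = "half-open (SYN)" if half_open > len(window) / 2 else "full connect"
                alerts[src] = {"window_start": window[0]["ts"],
                               "distinct_ports": len(port_multiplicity),
                               "mode": mode}
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for window_s in (10, 600):
        print(f"window={window_s}s:", detect_scans(recs, window_s, min_ports=5))
```

With a 10-second window only the fast sweep from 10.0.0.5 is flagged, as a half-open SYN scan; the one-port-per-minute source stays under the threshold. Widening the window to 600 seconds flags 10.0.0.9 as well, which is why production detectors keep per-source state over long horizons rather than a single short threshold.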