In order to demonstrate the MaxPatrol advantage, we would like to use two different approaches to assessing vulnerability detection quality.
First, we will list the three main types of vulnerabilities, classified by source:
Second, we will analyze the entire process of vulnerability detection by breaking it down into individual stages:
Types of Vulnerabilities
All the vulnerabilities discussed in this section have been published on specialized news channels. Sources of information are software developers, independent experts, and ambitious hackers.
We assume that any self-respecting security scanner includes a complete database of published vulnerabilities, with regular updates. This is a necessary feature, but it is not enough, for one simple reason: there are two other sources of vulnerabilities that present a threat to information security every bit as serious.
Another issue to consider is how the vulnerabilities in the database are verified, which raises two questions: 1) How do we know for sure which software version a database entry refers to, and 2) How can we establish beyond doubt whether a particular vulnerability has been corrected by a patch? For these questions we cannot rely on the banners that services use to describe themselves; we need a more reliable mechanism for detecting software versions. This is what MaxPatrol provides. Wherever possible, it also conducts a direct vulnerability check by simulating an attack and analyzing the system's response. This is the most reliable method, but because it is not entirely safe, you may wish to disable this feature in the program settings.
We should also mention that any vulnerability database is incomplete by definition. As long as new vulnerabilities continue to be discovered regularly in existing software, we cannot be confident that we are protected from outside attacks that may exploit as yet unpublished vulnerabilities. For this reason, it is very valuable to have the capability of detecting "unknown" vulnerabilities at one's disposal. MaxPatrol has the intelligence to model probable attacks "on the fly," based on the configuration of the system being scanned, and it is often successful (see EXAMPLE #3).
No one can predict configuration vulnerabilities. They appear when software deviates from its ideal configuration, which can occur through error, poor coordination of activities, insufficient personnel training, and so on. The more "exhaustive" and "cunning" the scanner's software-configuration check, the more reliable its diagnosis of vulnerabilities.
MaxPatrol accomplishes this task as thoroughly as possible, and within reasonable periods of time (certain modes may require additional time, but provide more depth of reporting). EXAMPLE #4 offers a simple, yet topical scenario.
As you may have guessed, there is a great deal of variation among vulnerabilities. Fortunately, many of them (including those used most frequently by attackers) fit certain classifications. Attacks are usually carried out through scripts hosted on web servers. MaxPatrol searches for several types of vulnerabilities, among which the most widespread are SQL injection and code injection. It should be noted that in each specific case, MaxPatrol models and analyzes only those attacks that apply to the node being tested. Statistics show that MaxPatrol detects injections of one kind or another in half the online databases currently published on the Internet.
MaxPatrol's ability to analyze Internet sites thoroughly enables its widespread use in automated express penetration tests. On a price/value basis, this alternative makes much greater economic sense than contracting out to a consultant.
Scanning Stages

This is the simplest stage in scanning, and there would seem to be nothing to discuss. But that is not the case.
Suffice it to say that the possible range of port numbers is 65,000 for TCP ports, and the same number for UDP ports. Of course, MaxPatrol does include a mode that tests all ports without exception, but that requires a lot of time and cannot be used in every situation. The problem is to determine an optimal list of ports that should be tested every time. MaxPatrol offers two possibilities for resolving it:
- First, the user can configure the list of ports to be tested
- Second, MaxPatrol offers a default port list painstakingly designed by experts and based on many years of practical experience. Of course, if you set a service to use port 26872, it will not be found automatically (in that case, you should use the preceding alternative, or scan the entire range). Still, MaxPatrol almost always succeeds in detecting all open ports, not just those used by known services. Examples #1 and #2 give some idea of this feature. The default list of ports to be tested is updated whenever MaxPatrol experts receive new information.

In this stage of scanning, the program detects which services are operating on which ports. Accuracy in this stage is of utmost importance, because the vulnerability diagnostics performed in the next stage are based on this information. Detecting port number 110 does not mean that the program should immediately start checking for vulnerabilities in a POP3 service (even if the service responds with a banner announcing a POP3 service). To ensure overall accuracy in scanning results, it is crucial to detect not just the service type but its version as well. In addition, detection should not be based on the services' own direct responses, because service banners are often falsified for security purposes in an attempt to foil hackers.
This problem turns out to be rather complex. In fact, it has yet to be resolved with 100% accuracy. MaxPatrol approaches an optimal solution through a series of special mechanisms:
- First, it permits services to be assigned to non-standard ports
- Second, it scans services in a certain order based on specially designed correlation matrices. This allows a high level of reliability while ensuring good scanning speed
- Third, MaxPatrol uses a carefully constructed process for detecting services that frequently repeats tests to confirm information
- Fourth, MaxPatrol's developers have created heuristic algorithms designed to confirm different versions of many services: HTTP, FTP, SMTP, POP3, DNS, SSH. A positive result obtained using these algorithms is 100% reliable. If heuristic confirmation is not successful, the program gives a clear warning. On average, these methods are 95% effective
- Fifth, the developers have composed specific algorithms for RPC services. MaxPatrol can detect over 30 Windows services and about 200 Unix services on random ports, with accuracy down to the specific service. This required an original algorithm; for example, detection quality on Unix systems does not depend on the availability of port mapping data.
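As an added illustration of the banner-versus-behaviour point made above (this is not MaxPatrol's code; the probes, reply patterns and captured replies are constructed assumptions), the following classifier confirms a service type only when the port answers a protocol-specific probe correctly, and warns when the greeting banner disagrees or nothing confirms it:

```python
import re

# Protocol probes: the request sent and the reply shape that counts as a positive,
# protocol-specific confirmation (error replies do not count: most text protocols
# answer any unknown command with a 5xx-style error, which proves nothing).
PROBES = {
    "pop3": ("NOOP\r\n",               re.compile(r"^\+OK")),
    "smtp": ("EHLO probe.invalid\r\n", re.compile(r"^250[ -]")),
    "ftp":  ("SYST\r\n",               re.compile(r"^215 ")),
    "http": ("GET / HTTP/1.0\r\n\r\n", re.compile(r"^HTTP/1\.[01] \d{3}")),
}

# What a greeting banner claims to be: only a hint, never a verdict.
BANNER_HINTS = {
    "pop3": re.compile(r"^\+OK|pop3", re.I),
    "smtp": re.compile(r"^220 .*(e?smtp)", re.I),
    "ftp":  re.compile(r"^220 .*ftp", re.I),
    "http": re.compile(r"^HTTP/", re.I),
}

def identify(banner, replies):
    """Classify one port from its greeting banner and the reply to each probe.
    Returns (service, status, notes); status is 'confirmed' only when exactly one
    protocol answered its probe correctly, 'unconfirmed' when only the banner says so."""
    claimed = [name for name, rx in BANNER_HINTS.items() if rx.search(banner)]
    behaved = [name for name, (_, rx) in PROBES.items()
               if rx.match(replies.get(name, ""))]
    notes = []
    if len(behaved) == 1:
        service = behaved[0]
        if claimed and service not in claimed:
            notes.append(f"banner claims {'/'.join(claimed)} but behaviour is {service}")
        return service, "confirmed", notes
    if len(behaved) > 1:
        notes.append("ambiguous behaviour: " + ", ".join(behaved))
        return None, "unknown", notes
    if claimed:
        notes.append("banner not confirmed by any probe; type and version unverified")
        return claimed[0], "unconfirmed", notes
    notes.append("service answered no probe")
    return None, "unknown", notes

# Constructed captures (no real hosts): an honest POP3 server, an SMTP server
# hiding behind a fake POP3 greeting on port 110, and a port that stays silent.
HONEST_POP3 = ("+OK POP3 server ready", {"pop3": "+OK", "smtp": "-ERR unknown",
               "ftp": "-ERR unknown", "http": "-ERR unknown"})
MASKED_SMTP = ("+OK POP3 server ready", {"pop3": "250 2.0.0 Ok",
               "smtp": "250-mail.example\r\n250 PIPELINING",
               "ftp": "502 5.5.2 Error", "http": "500 5.5.1 Command unrecognized"})
SILENT = ("", {})
```

Calling `identify(*MASKED_SMTP)` reports `smtp` as confirmed with a note that the banner claimed `pop3`, which is exactly the case where trusting the banner would send the next stage down the wrong set of checks.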

The last scanning stage generates the scanner's final result. The quality of the report depends both on the work of the preceding stages and on the methods of vulnerability detection employed.
Because we have already discussed vulnerability detection (section 1), and to avoid getting lost in the details, let's just briefly review the basic methods used in vulnerability detection and the types of vulnerabilities found, which are important in this stage of MaxPatrol's operation:
- An original database of malformed queries and network packets for more reliable detection of vulnerabilities, covering unregistered services as well
- Direct testing capability for vulnerability to many known DoS attacks (can be disabled if necessary)
- Ability to model new DoS attacks "on the fly"
- Multiple brute-force dictionaries specifically compiled for various service and vulnerability types (including unauthorized folder access)
- Detection of vulnerabilities arising from configuration errors, including cases of unprotected authorization, disclosure of information by services, etc.
- Deep, intelligent website analysis for vulnerability to SQL and code injection, XSS, and receiving files. Investigation of the original scripts developed for particular web applications takes place at this step.