- Mattia Campagnano & Wade Ma
Vulnerability Scanners and the SAINT Experience
Updated: Oct 8, 2020
A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. Vulnerability scanners assist in the identification and detection of vulnerabilities arising from misconfigurations or insecure coding within a network-based asset, such as a firewall, router, web server, application server, etc. Modern vulnerability scanners are typically available as SaaS (Software as a Service), provided over the internet and delivered as a web application. The modern vulnerability scanner often has the ability to customize vulnerability reports, and to query installed software, open ports, certificates and other host information as part of its workflow.
Vulnerability scanners can run two different types of scans:
Authenticated scans allow the scanner to directly access network-based assets using remote administrative protocols such as secure shell (SSH) or remote desktop protocol (RDP) and authenticate using provided system credentials. This allows the vulnerability scanner to access low-level data, such as specific services and configuration details of the host operating system. It's then able to provide detailed and accurate information about the operating system and installed software, including configuration issues and missing security patches.
Unauthenticated scans are a method that can result in a high number of false positives and is unable to provide detailed information about the asset's operating system and installed software. This method is typically used by threat actors or security analysts trying to determine the security posture of externally accessible assets (Reference: Wikipedia).
Polito, Inc. uses a wide range of industry-standard vulnerability scanners for its vulnerability assessment and penetration testing engagements, including SAINT, which we will highlight here.
SAINT (Security Administrator’s Integrated Network Tool) is a well-known vulnerability scanner developed by Carson & SAINT, Corp.
SAINT can run a wide variety of vulnerability scans. In fact, SAINT supports information gathering scans, vulnerability scans, compliance scans with reference to multiple common regulatory frameworks (PCI, HIPAA, FISMA, etc.), legacy scans and pentesting scans. For a comprehensive overview of SAINT's scanning policies, check the official documentation.
SAINT also goes beyond what a traditional vulnerability scanner can do.
SAINT's Create New Scan Job interface
In fact, SAINT's Pentesting policy allows combining a traditional vulnerability assessment with an automated penetration test against the selected target(s).
The terms vulnerability assessment and penetration test are often improperly used as if they were synonyms, while they're two different concepts.
A traditional vulnerability assessment reports vulnerabilities that could affect the selected target(s), but doesn't attempt to validate or exploit them, potentially allowing for false positives. A vulnerability assessment focuses on the potential impact for the organization from the issues that were detected.
A penetration test (or pentest), instead, validates and (if allowed by the client) attempts to exploit the vulnerabilities detected, ruling out false positives and adding value for the end client, because it shows their real impact on the client's business.
SAINT's Pentesting policy allows performing an automated penetration test by running predefined exploits against the selected target. This policy has different variants, ranging from a simple host discovery to a root penetration, which runs any available exploits against all selected targets.
An example of a root penetration scan report is presented below. A root penetration scan runs remote exploits for the detected operating system and services, starting with those least likely to cause crashes, until one succeeds in establishing a shell connection. Once a command shell is obtained on the target, the scan continues until the maximum privilege level is reached on the specific host. For Unix/Linux operating systems, the scan continues until a root shell is obtained; for Windows systems, it stops when access to an administrator account is achieved.
The root scan report presented above displays valuable information, such as the access level obtained, the vulnerabilities leveraged and their related CVEs.
SAINT reporting features allow executives to have an overview of what the most important issues are and of what access level an external attacker could gain by exploiting the vulnerabilities affecting an organization. SAINT's pentesting scan policy can help speed up the vulnerability validation/exploitation process and weed out false positives, which are a bane for any vulnerability scanner.
SAINT's pentesting scan policy is powered by SAINT's built-in penetration testing tool, SAINTexploit, now fully integrated in both Security Suite and SAINTCloud products and accessible via the Exploit menu option.
The Exploit functionality allows the user to verify the existence of vulnerabilities by exploiting them and gathering evidence of penetration. Unlike vulnerability and configuration scanning probes, which detect various types of vulnerabilities and configuration weaknesses, exploits run different probes which are meant to gain command execution access to targets. Detected vulnerabilities are displayed in the Analyze capabilities at the “record level of detail” and include a separate exploit column to highlight whether an exploit is available for the applicable vulnerability. Both solutions also provide a pre-packaged “Pen Test” scan policy option.
Exploits included in SAINT target operating systems, desktop applications, databases, Web applications, protocols, and network devices.
The most common exploit types supported by SAINT include the following:
• Remote Exploit – These attacks are launched across the Internet or network against a vulnerable target without the user having previous access to the system.
• Client Exploit – The victim must access the attacker’s resource for a successful attack to take place. Common client exploits include e-mail forgery attacks, enticing the user to visit a Web site, or to open a file.
• Local Exploit – In order to launch a local attack, the attacker must have previous access to the victim. (Also known as privilege elevation and tunneling). In this case, the victim's machine is used as the launch pad for connecting to other vulnerable targets."
Polito testers used SAINT under different scenarios and were pleasantly impressed by its capabilities and its performance right off the bat.
Pre-configured virtual machines for Windows are available for download at https://my.saintcorporation.com, and, except for specific needs or situations, they're likely the easiest and fastest way to get SAINT deployed on your network.
SAINT makes it easy to schedule multiple pre-configured scans based on industry and community standards and best practices (e.g., PCI, HIPAA, and OWASP Top Ten).
SAINT scans can be further customized to include specific password dictionaries (see figure below).
SAINT's Vulnerabilities by CVSS view allows grouping hosts by vulnerability and further sorting all the vulnerabilities by severity score. This simplifies the process of finding all hosts affected by a specific vulnerability and generating a report. If a new CVE/vulnerability comes out, it is quite easy to search for affected hosts by using this view.
SAINT also allows viewing results by hosts (Vulnerability Count by Host), providing a general overview of problematic hosts and endpoints that need to be prioritized for remediation. This feature allows for a better understanding of the general security posture/hygiene of a client's network by highlighting the areas to focus on, if threat hunting services are also required for the specific engagement.
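To show what these two views (hosts grouped by vulnerability and sorted by CVSS, and vulnerability count by host) compute from an exported scan, here is an added Python example; it is not SAINT's code, the CSV column names and sample rows are constructed assumptions, and the CVE ids are placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real scan data); column layout is assumed
# and the CVE identifiers are placeholders, not real advisories.
SAMPLE_CSV = """host,vulnerability,cve,cvss,validated
10.0.0.5,OpenSSH user enumeration,CVE-0000-0001,5.3,no
10.0.0.5,Outdated Apache httpd,CVE-0000-0002,9.8,yes
10.0.0.7,Outdated Apache httpd,CVE-0000-0002,9.8,no
10.0.0.9,Self-signed certificate,,3.7,no
10.0.0.7,Missing Windows patch,CVE-0000-0003,7.5,yes
"""

def severity(score):
    """CVSS v3.x qualitative rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def load_findings(text):
    """Parse the export; one row per (host, vulnerability) pair."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["cvss"] = float(row["cvss"])
        row["validated"] = row["validated"].strip().lower() == "yes"
    return rows

def vulnerabilities_by_cvss(findings):
    """'Vulnerabilities by CVSS' view: hosts grouped per finding, highest score first."""
    hosts, score = defaultdict(set), {}
    for f in findings:
        hosts[f["vulnerability"]].add(f["host"])
        score[f["vulnerability"]] = f["cvss"]
    return [(name, score[name], severity(score[name]), sorted(hosts[name]))
            for name in sorted(hosts, key=lambda n: -score[n])]

def vulnerability_count_by_host(findings):
    """'Vulnerability Count by Host' view, with exploit-validated findings counted separately."""
    counts = defaultdict(lambda: {"total": 0, "validated": 0})
    for f in findings:
        counts[f["host"]]["total"] += 1
        counts[f["host"]]["validated"] += int(f["validated"])
    return dict(counts)

def hosts_affected_by(findings, cve):
    """Answer 'which hosts carry this CVE?' when a new advisory is published."""
    return sorted({f["host"] for f in findings if f["cve"] == cve})
```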
SAINT is proficient when it comes to grabbing banners, header information, leaked source, or other means of identifying metadata from services, and also in deriving specific software names and version numbers. The obtained version information is then used to identify all related CVEs and security bugs. SAINT signatures are updated frequently (at least twice per week), so the version information related to applicable CVEs/bugs is constantly kept up-to-date.
SAINT intelligently attempts to demonstrate the highest potential impact based on the CVEs/bugs related to a specific service version (e.g., user file read access and root access via buffer overflow) and then shows whether the vulnerability was successfully validated or not.
SAINT includes a Tutorial feature, describing in detail Impact, Background, Problem, and Resolution for each detected finding. The tutorial functionality also includes OS-specific commands/instructions that can be provided to administrators for remediation purposes, a feature the Polito team finds to be greatly useful. The Background section supplies some interesting historical information on exploits/vulnerabilities, for security enthusiasts.
SAINT's Dashboard displays a high-level overview of the most important findings detected, through multiple visualizations. These charts and graphs can be very useful for reporting purposes, as they can be easily exported to a Word or PDF document.
SAINT allows auditing a client's network for unpatched software and outdated anti-virus signatures, too, helping administrators and maintenance teams to both inventory their current environment and quickly find unpatched systems. Administrators can use this easy GUI-based tool to accurately document their environments. Routine updates/patching assessments are also valuable for any client organization's network.
Following a framework that encompasses your full security stack is imperative. NIST SP 800-115, alongside the NIST Cybersecurity Framework, shows the symbiotic relationship between the information gathering and vulnerability correlation provided by tools such as SAINT and the need for real-world attack vectors discovered through professionally conducted penetration testing provided by Polito.
It's very important for any organization to run periodic vulnerability scans, both for compliance reasons and in order to monitor how its security challenges trend over time.
SAINT can be a viable and user-friendly option for organizations of any type and size to develop their internal vulnerability scan management program, as SAINT can be easily deployed through pre-built virtual machines and is available for Windows, Linux and macOS. SAINT also has cloud-hosted offerings, a distributed architecture to help assess and pentest internal networks from the perspective of an insider threat, and options for running a centrally managed scan and pentest service from pre-configured offerings in the AWS Marketplace.
SAINT can help achieve additional insights about an organization's environment that traditional vulnerability scanners don't normally provide.
In fact, SAINT's pentesting policy allows combining the findings returned by a traditional vulnerability assessment with those detected through an automated penetration test. SAINT reports can be generated in PDF, XML and CSV formats. Polito testers find PDF reports to be very user-friendly, as they generate a number of graphs and charts that executives will surely find to be very informative. Creating customized reports by adding specific fields or indicators of interest is also easy and can be done pretty quickly.
SAINT can be a good choice for any type of organization, including those lacking internal security teams and needing to comply with multiple regulatory frameworks enforcing periodic reviews of their security posture (PCI, HIPAA, etc.). SAINT also supports integration with Splunk through a SAINT Add-on for Splunk, downloadable from Splunk.com.
SAINT can assist organizations in running a vulnerability scan management program for monitoring their security posture over time. Organizations can leverage SAINT to stay abreast of their actual and potential security challenges and proactively remove any attack avenues that could lead to severe breaches or compromises in the future, if left unremediated.
SAINT's PENTESTING policy can be very helpful to quickly validate the most important findings from a typical vulnerability scan, and verify how far an external attacker could go in compromising the organization's network.
Though the Polito team is positively impressed by SAINT's performance and capabilities, we believe vulnerability scanning, even when combined with an automated pentest, cannot and should not be considered a substitute for a full-fledged penetration test performed by experienced testers. These are separate functions that should be used to strengthen each other's results. Cyber security requires layers and checks and balances. As a best practice, you must have a detailed and healthy Vulnerability Management program, complemented with periodic automated penetration testing; the results of these programs, and your overall cyber security maturity, then need to be challenged and verified through a professional in-depth pentest.
Additionally, most in-depth penetration testing "is typically done using a more interactive process than vulnerability scanning; using information learned from initial scanning and analysis, to devise attack strategies to obtain a connection to vulnerable targets, and possibly initiate multiple attack methodologies (exploits, exploit tools, social engineering, etc.) to obtain a complete picture of a host environment’s weaknesses" (SAINT documentation, page 28).
A full-fledged penetration test can show real business impact from its potential findings, ruling out false positives and providing the client with added value.
This concept can be fully understood by considering how each penetration testing engagement relates to a one-of-a-kind context.
In other words, no two penetration tests are created equal.
They can differ based on the specific characteristics of the client's network/business, on the individual services that were requested (internal vs external pentest, web app pentest vs network pentest, phishing/social engineering, physical security, etc.), on the time frames and testing windows agreed upon with the client (wide vs small scope(s), longer vs shorter engagements, testing at any time vs testing after hours only, or different testing time windows depending on whether the in-scope machines/web apps belong to a production or a non-production environment, etc.), and so on.
An experienced pentester can account for all the above variables and choose the best course of action for the particular engagement, making an informed decision on:
• which exploits should work best in the particular case;
• which exploits should be run carefully because they might crash the client's server(s); and
• which exploits should be completely avoided, unless the client specifically requests them (e.g. DoS exploits).
Conversely, an automated penetration test, though surely more useful than a simple vulnerability assessment, can overlook some issues and potentially cause problems, crashing production servers and applications, if not carefully fine-tuned.
The Polito team is here to help you handle your security challenges in the most efficient and cost-effective way for your organization.
Our team members have extensive professional experience in handling vulnerability assessments, penetration tests and a wide range of possible attack scenarios.
We can help you every step of the way, whether you need Penetration Testing, Incident Response, or Threat Hunting services. Our penetration testers are certified professionals who go the extra mile to provide a real service to our customers. We strive for excellence and take great pride in the work we do for our clients.
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.