Effectively detecting vulnerabilities in products and services is a multifaceted process that combines remote and authenticated detection mechanisms. In this article, we explore how the network scan engine identifies products and services, since a vulnerability can only be matched once the product and its version are known.
Remote Detection
1. Banner Grabbing
One of the primary methods for remote detection is capturing the banners that services expose when a client connects. Like many other vulnerability assessment tools, the scan engine examines these banners to determine the type and version of the services running on remote systems, and the collected data is used to identify vulnerabilities associated with specific product versions. A banner-derived version is an indication rather than proof: administrators can alter or suppress banners, and distribution packages often keep the upstream version string while carrying backported security fixes, so a banner match should be treated as a candidate to confirm rather than a confirmed finding.
2. Port Scanning
Port scanning is another fundamental remote detection technique. The scan engine probes target systems for open ports to identify active services, and from the combination of open ports and the services that answer on them it builds a picture of the software stack running on the remote host. This information is crucial for assessing vulnerabilities related to specific services. An open port only shows that something is listening; which product it is still has to come from the banner or the protocol behaviour, because services are routinely run on non-default ports.
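The two techniques above in working form, as an added example that is not part of this article or of the scan engine's code: a TCP connect scan, then a banner grab on every open port, then a pattern match to a product and version. Everything it talks to is a throwaway listener on 127.0.0.1 started by the example itself, the greetings it sends are constructed, and the three banner patterns are assumptions made for the example rather than the engine's signature set.

```python
import re
import socket
import threading

# Constructed greetings for the throwaway local listeners below; not captured from a real host.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"
FAKE_HTTP_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   b"Content-Length: 0\r\n\r\n")

# Illustrative product/version patterns (a real engine carries thousands).
BANNER_PATTERNS = [
    (re.compile(r"^SSH-\d\.\d-OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(r"^Server:\s*Apache/([\d.]+)", re.M), "Apache httpd"),
    (re.compile(r"^Server:\s*nginx/([\d.]+)", re.M), "nginx"),
]

def scan_ports(host, ports, timeout=0.3):
    """TCP connect scan: a port is open if the handshake completes."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass  # refused, filtered or timed out: not open
    return open_ports

def recv_or_empty(sock):
    try:
        return sock.recv(1024)
    except socket.timeout:
        return b""

def grab_banner(host, port, timeout=0.5):
    """Read the greeting a service sends on connect (SSH, FTP, SMTP). A silent
    service may be waiting for a request, so fall back to a minimal HTTP HEAD."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = recv_or_empty(s)
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = recv_or_empty(s)
    return data.decode("latin-1", "replace")

def identify(banner):
    """Map a banner to (product, version); None when no pattern matches."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None

def inventory(host, ports):
    """Port scan first, then banner-grab every open port."""
    return {p: identify(grab_banner(host, p)) for p in scan_ports(host, ports)}

def serve_banner(payload, speak_first):
    """Local stand-in for a service: sends payload on connect (like SSH) or
    only after the client has sent something (like HTTP)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # so the loop notices the stop flag
    stop = threading.Event()
    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    if not speak_first:
                        conn.recv(1024)
                    conn.sendall(payload)
                except OSError:
                    pass  # client hung up early (the connect scan does)
        srv.close()
    threading.Thread(target=loop, daemon=True).start()
    return stop, srv.getsockname()[1]

def free_port():
    # A port nothing listens on, so the scan also sees a closed port.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    stop_ssh, ssh_port = serve_banner(FAKE_SSH_BANNER, speak_first=True)
    stop_http, http_port = serve_banner(FAKE_HTTP_REPLY, speak_first=False)
    closed_port = free_port()
    try:
        results = inventory("127.0.0.1", [ssh_port, http_port, closed_port])
    finally:
        stop_ssh.set()
        stop_http.set()
    return results, ssh_port, http_port, closed_port
```

Calling demo() returns the per-port identifications; the closed port never reaches the banner stage. Note the two different greeting styles: SSH speaks first, HTTP waits for a request, which is why a banner grabber needs a protocol-specific probe for silent ports rather than a single read.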
3. Directory Enumeration
The scan engine also enumerates known subdirectories on the target, typically over HTTP, by iteratively requesting common paths where applications are usually installed. By working through these predefined locations and recording which ones exist, the tool identifies and catalogs installed applications that do not announce themselves in a banner, contributing to a comprehensive vulnerability assessment.
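An added example of directory enumeration, not taken from the article or the scan engine: it probes a small constructed wordlist of install paths against a local web server that the example starts itself, treating 200, 301, 401 and 403 as "present". It also handles the failure mode that makes this technique unreliable in practice: a server that answers 200 for any URL (a catch-all route or a soft-404 page) is detected with a random baseline request before any result is trusted. The wordlist, the site contents and both local servers are constructed for the example.

```python
import functools
import http.client
import secrets
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

# Constructed wordlist of paths where common web applications live.
KNOWN_PATHS = ["/phpmyadmin/", "/wp-admin/", "/manager/html", "/jenkins/", "/.git/HEAD"]
PRESENT = (200, 301, 401, 403)  # 401/403: present but protected; 301: directory exists

def probe(host, port, path):
    """One GET; redirects are not followed, so a 301 stays visible."""
    conn = http.client.HTTPConnection(host, port, timeout=2)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()

def enumerate_paths(host, port, paths=KNOWN_PATHS):
    """Return (path, status) for every known path that exists. A random path is
    probed first: if the server calls that present too, every hit would be a
    false positive, so refuse to report anything."""
    if probe(host, port, "/" + secrets.token_hex(8) + "/") in PRESENT:
        raise RuntimeError("target answers unknown paths as present; enumeration unreliable")
    found = []
    for path in paths:
        status = probe(host, port, path)
        if status in PRESENT:
            found.append((path, status))
    return found

class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

class CatchAllHandler(QuietHandler):
    """Stands in for an application that serves its landing page for any URL."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<h1>Welcome</h1>")

def start_server(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo_static_site():
    """A site with a phpMyAdmin directory and an exposed .git/HEAD (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "phpmyadmin").mkdir()
        (root / "phpmyadmin" / "index.html").write_text("<title>phpMyAdmin</title>")
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        srv = start_server(functools.partial(QuietHandler, directory=str(root)))
        try:
            return enumerate_paths("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()

def demo_catch_all():
    """True if the catch-all server is correctly refused rather than reported."""
    srv = start_server(CatchAllHandler)
    try:
        enumerate_paths("127.0.0.1", srv.server_address[1])
        return False
    except RuntimeError:
        return True
    finally:
        srv.shutdown()
        srv.server_close()
```

demo_static_site() finds exactly the two paths that exist and nothing for the three that do not; demo_catch_all() shows why the baseline request matters, since without it all five paths would have been reported as installed applications.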
4. OS (Operating System) Fingerprinting
OS fingerprinting analyzes network packets to determine the operating system of a remote machine. Operating systems differ subtly in how their network stacks respond to certain probes (for example in the initial TTL, the TCP window size and the order of TCP options), and the scan engine uses these differences to make an educated guess about the OS. This information is used to tailor subsequent scans and to identify vulnerabilities specific to the detected OS. Because it is a guess, it can be wrong behind a firewall, load balancer or NAT device that rewrites the fields being examined.
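An added example of the mechanics behind active OS fingerprinting, not the engine's own code: it parses a raw IPv4/TCP SYN-ACK, pulls out the TTL, DF bit, window size and TCP option order, rounds the observed TTL up to the nearest common initial value to estimate hop count, and matches the result against a tiny signature list. The packets are constructed in the example itself (checksums left at zero), and the three signatures are illustrative assumptions, not a real fingerprint database.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"   # RFC 791 fixed header
TCP_HDR = "!HHLLBBHHH"     # RFC 793 fixed header
IP_DF = 0x4000             # "don't fragment" flag
TCP_SYN_ACK = 0x12
INITIAL_TTLS = (32, 64, 128, 255)
OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

# Illustrative signatures, constructed for this example from commonly seen
# defaults (not a real fingerprint database): initial TTL plus option order.
SIGNATURES = [
    ("Linux",   64,  ["MSS", "SACK", "TS", "NOP", "WS"]),
    ("Windows", 128, ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"]),
    ("FreeBSD", 64,  ["MSS", "NOP", "WS", "SACK", "TS"]),
]

def encode_options(kinds, mss=1460, wscale=7):
    """Serialise TCP options in the given order, padded to a 4-byte boundary."""
    out = b""
    for k in kinds:
        out += {"NOP": b"\x01",
                "MSS": b"\x02\x04" + struct.pack("!H", mss),
                "WS": b"\x03\x03" + bytes([wscale]),
                "SACK": b"\x04\x02",
                "TS": b"\x08\x0a" + struct.pack("!LL", 123456, 0)}[k]
    return out + b"\x00" * (-len(out) % 4)

def build_syn_ack(ttl, window, option_kinds, df=True):
    """Constructed SYN-ACK as a probed host would return it; checksums are
    left zero because nothing here is transmitted."""
    opts = encode_options(option_kinds)
    tcp_len = 20 + len(opts)
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + tcp_len, 0x1234, IP_DF if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack(TCP_HDR, 22, 40000, 1000, 2000, (tcp_len // 4) << 4,
                      TCP_SYN_ACK, window, 0, 0)
    return ip + tcp + opts

def parse_options(raw):
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP carries no length byte
            kinds.append("NOP")
            i += 1
            continue
        kinds.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += raw[i + 1]        # skip by the option's own length field
    return kinds

def parse_syn_ack(pkt):
    """Pull the fingerprint-relevant fields out of a raw IPv4/TCP SYN-ACK."""
    ver_ihl, _, _, _, flags_frag, ttl, proto, _, _, _ = struct.unpack(IP_HDR, pkt[:20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _, _, _, _, off, flags, window, _, _ = struct.unpack(TCP_HDR, tcp[:20])
    if flags & 0x3F != TCP_SYN_ACK:
        raise ValueError("not a SYN-ACK")
    return {"ttl": ttl, "df": bool(flags_frag & IP_DF), "window": window,
            "options": parse_options(tcp[20:(off >> 4) * 4])}

def guess_os(fields):
    """Round the observed TTL up to the nearest common initial value (the gap is
    the hop count), then match the option order. Returns (family, hops), with
    family None when nothing matches. Every field is spoofable, so this is a
    hint to feed further probes, not a verdict."""
    initial = next(t for t in INITIAL_TTLS if fields["ttl"] <= t)
    hops = initial - fields["ttl"]
    for family, sig_ttl, sig_opts in SIGNATURES:
        if sig_ttl == initial and sig_opts == fields["options"]:
            return family, hops
    return None, hops
```

A SYN-ACK arriving with TTL 61 and Linux-style option ordering is reported as Linux three hops away; the same packet with an unknown option order yields no family but still a hop estimate, which is the honest output when the signature set has no match.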
Authenticated Detection
Authenticated scans use valid credentials to log in to the target system. With proper credentials, a more in-depth assessment can be conducted by querying the system directly for installed software and configuration, which gives a considerably higher level of accuracy in identifying the exact versions of products and services than remote detection alone.
1. SSH Authentication for Linux Systems
The scan engine uses the SSH protocol for authenticated scans on Linux systems. It logs in to the target machine and either queries the list of installed packages or extracts version information from binary files to identify the applications and their respective versions. While this is the primary method, alternative approaches, such as running commands that disclose the system configuration, are also available to explore the target system comprehensively.
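An added example of the package-list and binary-version side of an SSH scan; it is not the scan engine's implementation. The inventory logic takes a run(cmd) callable so it can be exercised offline: the example feeds it constructed dpkg-query and rpm output, while on a real host run would wrap an SSH session (for instance subprocess.run(["ssh", host, cmd], capture_output=True, text=True).stdout). It also shows two details that decide whether the result is accurate: dpkg still lists packages that were removed but kept their configuration files, and Debian-style version strings carry a distribution revision that must be separated from the upstream version before matching against advisories. The commands, package names and versions in the sample output are constructed.

```python
import re

# Commands the engine would run over SSH. A real run() wraps the SSH session, e.g.
# subprocess.run(["ssh", host, cmd], capture_output=True, text=True).stdout.
DPKG_CMD = "dpkg-query -W -f='${Package}\\t${Version}\\t${Status}\\n'"
RPM_CMD = "rpm -qa --qf '%{NAME}\\t%{VERSION}-%{RELEASE}\\n'"
VERSION_RE = re.compile(r"\d+(?:\.\d+)+(?:[a-z]\d*)?")   # matches 8.9p1, 1.18.0, 3.0.2

def parse_dpkg(text):
    """name<TAB>version<TAB>status per line. Packages that were removed but kept
    their config files ('deinstall ok config-files') are still listed and must
    be skipped, or the host is flagged for software it no longer runs."""
    packages = {}
    for line in filter(None, text.splitlines()):
        name, version, status = line.split("\t")
        if status.endswith(" installed"):
            packages[name] = version
    return packages

def parse_rpm(text):
    """name<TAB>version-release per line; rpm -qa lists only installed packages."""
    return dict(line.split("\t") for line in filter(None, text.splitlines()))

def split_debian_version(version):
    """'1:8.9p1-3ubuntu0.4' -> ('1', '8.9p1', '3ubuntu0.4'). Advisories name the
    upstream part; the revision is where distro backports live, so matching on
    the upstream version alone overstates exposure."""
    epoch, _, rest = version.partition(":") if ":" in version else ("", "", version)
    if "-" in rest:
        upstream, _, revision = rest.rpartition("-")
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision

def extract_version(output):
    """Fallback for software outside the package manager: run the binary with
    --version or -v and take the first version-looking token."""
    m = VERSION_RE.search(output)
    return m.group(0) if m else None

def collect_inventory(run):
    """Try dpkg, then rpm; run(cmd) returns the command's stdout as text."""
    text = run(DPKG_CMD)
    if text.strip():
        return {"manager": "dpkg", "packages": parse_dpkg(text)}
    text = run(RPM_CMD)
    if text.strip():
        return {"manager": "rpm", "packages": parse_rpm(text)}
    return {"manager": None, "packages": {}}

# Constructed command output standing in for a real SSH session.
FAKE_DEBIAN = {
    DPKG_CMD: "openssh-server\t1:8.9p1-3ubuntu0.4\tinstall ok installed\n"
              "nginx\t1.18.0-6ubuntu14.4\tinstall ok installed\n"
              "apache2\t2.4.41-4ubuntu3\tdeinstall ok config-files\n",
    "nginx -v 2>&1": "nginx version: nginx/1.18.0\n",
}
FAKE_RHEL = {
    RPM_CMD: "openssh-server\t8.7p1-38.el9\nhttpd\t2.4.57-5.el9\n",
}

def fake_run(outputs):
    """Build a run() that answers from a dict instead of a remote shell."""
    return lambda cmd: outputs.get(cmd, "")
```

On the constructed Debian host the inventory contains openssh-server and nginx but not apache2, which dpkg lists only because its configuration files remain; splitting the OpenSSH version yields upstream 8.9p1 and revision 3ubuntu0.4, and it is the revision that tells you whether a distribution backport has already fixed an issue reported against 8.9p1.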
2. SMB Authentication for Windows Systems
The scan engine uses the SMB protocol for authenticated scans of Windows systems. It logs in to the target machine and searches the registry for installed applications. Common registry search paths include, but are not limited to, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' and 'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' under HKEY_LOCAL_MACHINE. Which path an application appears under depends on how its installer registered it: 32-bit applications on 64-bit Windows are recorded under Wow6432Node, and per-user installations use the same paths under HKEY_CURRENT_USER. Attributes used to detect applications include DisplayName, DisplayVersion and InstallLocation, which together provide a comprehensive view of the installed software.
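An added example of turning those Uninstall keys into an application inventory, written for this article rather than taken from the scan engine. It works on a constructed dump of subkeys and their values, shaped like what a remote registry read returns, so it runs offline; the application names, paths and GUID in the dump are made up. It shows the three decisions a scanner has to make that the attribute list alone does not: which branch (native or Wow6432Node) an entry came from, what to do with entries that have no DisplayName or are marked SystemComponent=1 (hidden from Programs and Features), and how to treat an application whose key has no DisplayVersion, which must fall back to a file-version check rather than be counted as not vulnerable. The fixed_in versions in the usage are hypothetical.

```python
# Registry locations the engine reads. On 64-bit Windows, 32-bit installers
# register under Wow6432Node; per-user installs use the same paths under HKCU.
UNINSTALL_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall": "native",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall": "x86 (WoW64)",
}

# Constructed registry dump: subkey path -> its values, shaped like a remote
# registry read. Application names, paths and the GUID are made up.
SAMPLE_DUMP = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleEditor": {
        "DisplayName": "Example Editor", "DisplayVersion": "4.2.1",
        "InstallLocation": r"C:\Program Files\Example Editor", "Publisher": "Example Corp"},
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
    r"\{11111111-2222-3333-4444-555555555555}": {
        "DisplayName": "Legacy Reporting Client", "DisplayVersion": "2.0.0",
        "InstallLocation": r"C:\Program Files (x86)\Legacy Reporting"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleRuntime": {
        "DisplayName": "Example Runtime Component", "DisplayVersion": "1.0",
        "SystemComponent": 1},   # hidden from Programs and Features
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook": {},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleAgent": {
        "DisplayName": "Example Agent",
        "InstallLocation": r"C:\Program Files\Example Agent"},   # no DisplayVersion
}

def arch_of(key):
    """Which Uninstall branch a subkey lives in, or None if it is elsewhere."""
    for base, arch in UNINSTALL_KEYS.items():
        if key.lower().startswith(base.lower() + "\\"):
            return arch
    return None

def parse_uninstall_dump(dump, include_hidden=False):
    """Turn raw Uninstall subkeys into an application inventory. Entries with
    no DisplayName are not applications (Windows creates some empty keys);
    SystemComponent=1 marks entries hidden from Programs and Features, usually
    runtimes and updates, which are still worth including for vulnerability matching."""
    apps = []
    for key, values in dump.items():
        arch = arch_of(key)
        name = values.get("DisplayName")
        if arch is None or not name:
            continue
        if values.get("SystemComponent") == 1 and not include_hidden:
            continue
        apps.append({
            "name": name.strip(),
            "version": values.get("DisplayVersion"),   # None: needs a file-version lookup
            "location": values.get("InstallLocation"),
            "arch": arch,
            "key": key.rsplit("\\", 1)[1],
        })
    return apps

def version_key(version):
    """Numeric tuple for comparison ('4.10' > '4.9'); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def older_than(version, fixed_in):
    return version_key(version) < version_key(fixed_in)

def find_outdated(apps, name, fixed_in):
    """Apps named `name` below `fixed_in`, plus those with no version at all:
    an unknown version is a gap to close, not a pass."""
    return [a for a in apps if a["name"] == name
            and (a["version"] is None or older_than(a["version"], fixed_in))]
```

On a live host the same values come from Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' and the Wow6432Node equivalent. Remote registry reads over SMB go through the Remote Registry service on the target; if that service is disabled, this part of the scan returns nothing and should be reported as a credentialed-scan failure rather than as "no software installed".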
PowerShell commands in authenticated scanning
Certain plugins used in scans depend on executing PowerShell commands to determine whether particular applications are installed. These commands are specific to the Windows environment. For more detailed information on how PowerShell is used in network scans, please refer to the following link:
https://support.holmsecurity.com/knowledge/what-is-the-impact-of-powershell-commands-in-authenticated-network-scans