Originally Published: Saturday, 13 May 2000 Author: Kapil Sharma
Published to: enchance_articles_security/Advanced Security Articles Page: 1/1 - [Printable]

Security Scanners

"A scanner is a program that automatically detects security weaknesses in a remote or localhost." Scanners are important to Internet security because they reveal weaknesses in the network. This article explains well-known scanners as well as other scanners, and how they operate.

   Page 1 of 1  

The opinions expressed by contributors to Linux.com are their own.Linux.com bears no responsibility for its contributors' opinions.

Linux Security: Security Scanners

"A scanner is a program that automatically detects security weaknesses in a remote or localhost.". Scanners are important to Internet security because they reveal weaknesses in the network. System administrators can strengthen the security of networks by scanning their own networks. The primary attributes of a scanner should be:

1: The capability to find a machine or network. 2: The capability to find out what services are being run on the host ( once having found the machine). 3: The capability to test those services for known holes.There are various tools available for Linux system scanning and intrusion detection. I will explain some of the very famous tools available. I have divided the scanners into three categories viz. 1: Host Scanners 2: Network Scanners 3: Intrusion Scanners

Host scanners: Host scanners are software you run locally on the system to probe for problems.

Cops: COPS is a collection of security tools that are designed specifically to aid the typical UNIX systems administrator, programmer, operator, or consultant in the oft neglected area of computer security. COPS is available at:


Tiger: Tiger is a UNIX Security Checker. Tiger is a package consisting of Bourne Shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them. You can get it from:


check.pl: Check.pl a perl script that looks through your entire filesystem, (or just the directory you tell it to) for suid, sgid, sticky, and writeable files. You should run it as a regular user maybe once a week to check for permission problems. It will output a list of questionable files to stdout which you can redirect wherever. It's available at:


Network scanners: Network scanners are run from a host and pound away on other machines, looking for open services. If you can find them, chances are an attacker can too. These are generally very useful for ensuring your firewall works.

NSS (Network Security Scanner): NSS is a perl script that scans either individual remote hosts or entire subnets of hosts for various simple network security problems. It is extremely fast. Routine checks that it can perform include the following:

1: sendmail 2: Anon FTP 3: NFS Exports 4: TFTP 5: Hosts.equiv 6: Xhost

NSS can be found at: http://www.giga.or.at/pub/hacker/UNIX

SATAN (Security Administrator's Tool for Analyzing Networks): SATAN is an automated network vulnerability search and report tool that provides an excellent framework for expansion.Satan scans remote hosts for most known holes: 1: FTPD vulnerabilities and writable FTP directories 2: NFS vulnerabilities 3: NIS vulnerabilities 4: RSH vulnerability 5: sendmail 6: X server vulnerabilities SATAN performs these probes automatically and provides this information in an extremely easy to use package. you can obtain SATAN from : http://www.fish.com/satan/

Strobe: Strobe is Super optimised TCP port surveyor. It is a network/security tool that locates and describes all listening tcp ports on a (remote) host or on many hosts in a bandwidth utilisation maximising, and pro- cess resource minimising manner. It is simple to use and very fast, but doesn't have any of the features newer port scanners have. Strobe is available at: ftp://suburbia.net/pub/.

Nmap: Nmap is a newer and much more fully-featured host scanning tool. Specifically, nmap supports: * Vanilla TCP connect() scanning * TCP SYN (half open) scanning * TCP FIN, Xmas, or NULL (stealth) scanning * TCP ftp proxy (bounce attack) scanning SYN/FIN scanning using IP fragments (bypasses some packet filters) * TCP ACK and Window scanning * UDP raw ICMP port unreachable scanning * ICMP scanning (ping-sweep) TCP Ping scanning Direct (non portmapper) RPC scanning Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning.

Nmap is available at: http://www.insecure.org/nmap/index.html.

Network Superscanner: http://members.tripod.de/linux_progz/

Portscanner: PortScanner is a Network Utility especially designed to "scan" for listening TCP ports. It uses a simple method to achieve its goal, and it is extremely compact taking in account all of the options available. It's opensource and free to use, you can get it at: http://www.ameth.org/~veilleux/portscan.html.

Queso: Queso is a tool to detect what OS a remote host is running with a pretty good degree of accuracy . Using a variety of valid and invalid tcp packets to probe the remote host it checks the response against a list of known responses for various operating systems, and will tell you which OS the remote end is running. You can get Queso from:


Intrusion Scanners: Intrusion scanners are software packages that will actually identify vulnerabilities, and in some cases allow you to actively try and exploit them.

Nessus: Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.Nessus is one of the best intrusion scanning tools. It has a client/server architecture, the server currently runs on Linux, FreeBSD, NetBSD and Solaris, clients are available for Linux, Windows and there is a Java client. Nessus supports port scanning, and attacking, based on IP addresses or host name(s). It can also search through network DNS information and attack related hosts at your request. Nessus is available from http://www.nessus.org/.

Saint: SAINT is the Security Administrator's Integrated Network Tool. Saint also uses a client/server architecture, but uses a www interface instead of a client program. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. Saint produces very easy to read and understand output, with security problems graded by priority (although not always correctly) and also supports add-in scanning modules making it very flexible. Saint is available from:


Cheops: Cheops is useful for detecting a hosts OS and dealing with a large number of hosts quickly. Cheops is a "network neighborhood" on steroids, it builds a picture of a domain, or IP block, what hosts are running and so on. It is extremely useful for preparing an initial scan as you can locate interesting items (HP printers, Ascend routers, etc) quickly. Cheops is available at: http://www.marko.net/cheops/.

Ftpcheck / Relaycheck: Ftpcheck and Relaycheck are two simple utilities that scan for ftp servers and mail servers that allow relaying. These are available from: http://david.weekly.org/code/.

BASS: BASS is the "Bulk Auditing Security Scanner" allows you to scan the Internet for a variety of well known exploits. You can get it from: http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz

Firewall scanners: There are also a number of programs now that scan firewalls and execute other penetration tests in order to find out how a firewall is configured.

Firewalk: Firewalking is a tool that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. System administrators should utilize this tool against their systems to tighten up security. Firewalk is available from: http://www.packetfactory.net/Projects/Firewalk/.


"Security is not a solution, it's a way of life". System Administrators must continuously scan their systems for security holes and fix the hole on detection. This will tighten the security of system and reduce the chance of security breaches. This process is a continuous process. The security vulnerabilities will keep on arising and process of fixing the security holes will never end! After all, "Precaution is better than cure".

Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux systems for more than 2 years.

   Page 1 of 1