# Vulnerability scanning and the like.

## RBH

Because of a recent virus scare (not an actual virus - someone reported an incomplete analysis to, er, "sensationalist" management who obviously decided that the matrix was attacking, whereas it turned out to be a faulty service), I've decided to go rather pro-active on the whole network security thing at work. It's a fairly small network that includes a hardware net-facing firewall, decent anti-virus from Sophos and regularly updated ... Windows (both XP and Vista) user boxes. Before anyone suggests switching to Linux, please don't. The bulk of the users are possibly the most IT-illiterate people on the planet. I shit you not, I spend half of my time explaining how to move a file (which then moves on to what "drag and drop" means).

So, I'm taking an old laptop of mine into work some time this week, with the intention of basically scanning the hell out of anything on the LAN and determining what - if any - significant vulnerabilities there are.

Can anyone suggest any tools? Essentially my list so far consists of Nessus, which I've not really used before (besides a quick play with it at home tonight), but I don't really know what I can expect Nessus to notice. I'd also like to get Snort on there, but again that's a tool I'm very new to.

Anyone want to throw me any ideas they've mulled over or used in the past? Any suggestions would be worthwhile here, folks.

Thanks in advance.

----------

## massimo

nmap might come in handy too.

----------

## RBH

Good point, Nessus would be a bit too heavy for simple port scanning.

Anyone else? Anything would be helpful here - from recognising the trademarks of any virus infections to showing missing service packs etc etc.

----------

## lesourbe

*RBH wrote:*

> Good point, Nessus would be a bit too heavy for simple port scanning.
> 
> Anyone else? Anything would be helpful here - from recognising the trademarks of any virus infections to showing missing service packs etc etc.


That's what Nessus does.

Snort could reveal rogue network activity.

----------

## Hu

I do not intend this to sound disrespectful, but assuming you are the IT contact for the office, and based on the questions you ask, the Windows systems probably have a decent number of vulnerabilities.  The default Windows install errs far too much on the side of user friendly rather than secure, so if no one has actively tried to secure the Windows systems, there are holes available on them.  Unfortunately, this is not a particularly great venue to find people with expertise in closing those holes.

You ask about checking for service packs and patches.  I think Microsoft provides tools to do that, but I have never needed them, so I cannot say whether they are free (as in beer) or how easy they are to use.  Look for "Microsoft Baseline Security Analyzer" for details.  If you have not already, get the Windows machines into an Active Directory domain.  Domains allow for centralized policy management and will make your life much easier when you are ready to push out policy restrictions.  Also, if you have not already, get the users out of the Administrators group.  Windows is fragile enough that letting uninformed users run around with administrative rights is just asking for trouble.

Snort is a nice IDS.  For quick and dirty analysis, you may be better served using net-analyzer/tcpdump to capture traffic and net-analyzer/wireshark to view it.

If any of the Windows systems have wireless cards, check that none of them are being used as unauthorized ad hoc access points.  A scan of the wireless bands using iwconfig scan may detect some unauthorized access points, but auditing the machines from their respective consoles would be better if you have the manpower for it.

----------

## RBH

*Hu wrote:*

> I do not intend this to sound disrespectful, but assuming you are the IT contact for the office, and based on the questions you ask, the Windows systems probably have a decent number of vulnerabilities.  The default Windows install errs far too much on the side of user friendly rather than secure, so if no one has actively tried to secure the Windows systems, there are holes available on them.  Unfortunately, this is not a particularly great venue to find people with expertise in closing those holes.


No problem at all. All of the machines are on an AD domain complete with a local WSUS update server. All boxes are reporting in as up to date (or very close to it), and the Sophos anti-virus is equally current.

There are no signs that there are actually any viruses or significant holes on the network. However, presenting findings of that nature to a "non-computery" management team generally needs to be done in a professional-looking way. Tools such as Nessus and Snort can produce pretty reports to do this (while making my life simpler as well, to be honest).

Thanks for all suggestions!

----------

## think4urs11

Another option might be Qualys (non-free professional service).

They had, e.g., the vuln-scan for the new Microsoft flaw last week within a very short time after it became 'official'.

Of course there are very good reporting capabilities included - as one can expect this service has a (not-too-cheap) price tag.

----------