1. Field
The disclosed concept pertains generally to vulnerability assessment and, more particularly, to methods of remote vulnerability assessment. The disclosed concept also pertains to methods of resolving port binding conflicts. The disclosed concept further pertains to systems for vulnerability assessment.
2. Background Information
Proactive network security attempts to find holes in a network before attackers do. Vulnerability scanning helps to protect against both external threats, such as attackers and worms, and internal threats, such as malicious users within a network. A network scanner detects vulnerabilities which are or might be present.
Known vulnerability analysis software scans a network to detect various vulnerabilities that could allow an attacker to gain unauthorized access, create a denial-of-service, or gain sensitive information about the network. This can include, for example, network vulnerability assessment, automated penetration testing, client-side penetration testing, Payment Card Industry (PCI) compliance, content search, and professional report generation capabilities. The vulnerability analysis software can also include a number of exploit tools, which perform related information gathering and social engineering tasks, such as phishing and flash drive autoplay execution. Licenses can include the ability to test individual Internet Protocol (IP) addresses, full networks, or both. Both static licenses, which allow testing of a fixed set of IP addresses, and dynamic licenses, which allow testing of a variable set of IP addresses, are available.
Every live system on a network can be screened for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) services. For each service found running, a set of probes can be launched designed to detect known vulnerabilities. In addition to detecting vulnerabilities, the vulnerability analysis software can give the user the ability to fix weaknesses in network security before they can be exploited by intruders. The user can be provided with vulnerability information and links, in order to download patches or new versions of the software that will eliminate the detected vulnerabilities.
Known vulnerability analysis products run in a remote mode on a client system. FIGS. 1A-1B show a vulnerability analysis remote mode set-up process 2. For example, at 4, if a subscriber (a new customer) is not yet subscribed to a vulnerability analysis product, then they submit a purchase request (e.g., purchase order by facsimile or e-mail) for the product, specifying desired license parameters. Then, at 6, the vendor of that product sends the subscriber an account login ID and password. At 8, the subscriber uses the account login ID and password to access a personalized account manager interface (not shown) on the vendor's web server (not shown). Then, at 10, if payment (e.g., credit card; debit card) is pending, the subscriber clicks on a “Submit Payment” option to complete payment at 12.
Otherwise, or after 12, if this is the first time the subscriber logs in, at 14, then, at 16, the subscriber clicks on a “New Key” option to access a user interface for generating a license key. Next, at 18, the subscriber enters the number of IP addresses for test, and submits, at 20, a web form to register the number of IP addresses. The IP addresses can be, for example, network addresses or individual host addresses, depending on the license parameters. Then, at 22, the vendor's web server processes the request and presents the subscriber with a new license key through the user interface.
On the other hand, if at 14 it is determined that the subscriber had previously logged in, then, at 24, it is determined if the subscriber has a static license and needs to add a number of IP addresses to a corresponding license key. If so, then step 16 follows. Otherwise, or after 22, the subscriber clicks on a “Download” button, at 26, to download a program corresponding to desired vulnerability analysis software onto the client system (not shown). Then, at 28, the subscriber runs the downloaded program to install the vulnerability analysis software on the client system. Next, at 30, the subscriber starts the vulnerability analysis software in the remote mode, and sets authentication credentials (authentication passwords) when prompted. At 32, the vulnerability analysis software spawns an HTTP daemon listening on a specified port, and accepts connections from specified client IP addresses. Then, at 34, the subscriber connects to the HTTP daemon using a conventional web browser on the authorized client system. Next, at 36, the subscriber enters the previously set authentication credentials and is responsively granted access to a web interface of the vendor's web server. Then, at 38, the subscriber chooses the “Configure Key” option from an administrative functions menu. Finally, at 40, the subscriber “pastes” the previously provided license key into a text entry field. This permits a previously existing vulnerability analysis software product to run in a remote (user interface) mode on a client system. Alternatively, the software can run locally on the user's desktop as well. Remote mode refers to the user interface: it allows the user to control an application that is running on a different computer than the one with which the user is interacting.
The results of a scan depend on the placement of the scanner. A vulnerability can only be detected if the scanner has access to the vulnerable service. Since scanning through a router or firewall could hide internal vulnerabilities, it is best to place the scanner inside the firewall so it can scan for both internal and external vulnerabilities. This refers to the placement of the software and is not dependent on the user interface mode.
When running vulnerability analysis software in a remote mode on a client system, several functions (e.g., without limitation, reverse-shell exploit payloads; exploit servers; file transfers) have exclusive access to certain ports on the client system. However, this would present a problem if multiple instances of that software were to be run on the same server, because each instance would attempt to bind the same ports and only one instance can hold a given port at a time.
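The port binding conflict described above can be reproduced on a single host. The following is an added example, not code from the disclosure or from any vendor product: the function names, the two-entry port plan and the loopback address are assumptions made for illustration, and the ports are picked at run time so the demonstration does not collide with real services.

```python
import errno
import socket

def bind_exclusive(port, host="127.0.0.1"):
    """Return a listening TCP socket on (host, port), or None if it is taken."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(1)
        return sock
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None          # another process or instance holds the port
        raise

def start_instance(port_plan):
    """Claim every port in port_plan ({function: port}).
    Returns (held sockets by function, functions whose port was in use)."""
    held, conflicts = {}, []
    for function, port in port_plan.items():
        sock = bind_exclusive(port)
        if sock is None:
            conflicts.append(function)
        else:
            held[function] = sock
    return held, conflicts

def stop_instance(held):
    for sock in held.values():
        sock.close()

def pick_free_ports(n):
    """Constructed sample input: n distinct ports that are free right now."""
    probes = [socket.socket(socket.AF_INET, socket.SOCK_STREAM) for _ in range(n)]
    for p in probes:
        p.bind(("127.0.0.1", 0))       # port 0 lets the OS choose
    ports = [p.getsockname()[1] for p in probes]
    for p in probes:
        p.close()
    return ports

def demo():
    p1, p2 = pick_free_ports(2)
    plan = {"exploit server": p1, "file transfer": p2}  # same fixed plan for all
    first, first_conflicts = start_instance(plan)
    second, second_conflicts = start_instance(plan)     # second instance, same host
    stop_instance(first)
    third, third_conflicts = start_instance(plan)       # ports are free again
    stop_instance(second)
    stop_instance(third)
    return first_conflicts, second_conflicts, third_conflicts

if __name__ == "__main__":
    print(demo())
```

The second instance fails on every function in the plan while the first is running, and succeeds only once the first has released its ports.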
There is room for improvement in systems and methods of remote vulnerability assessment.