
VLAD the Scanner

Welcome to VLAD the Scanner, a freeware scanner that checks for common security problems. VLAD checks for the items referenced in the SANS Top Ten list of common security problems, found at http://www.sans.org/topten.htm.

VLAD the Scanner Installation

Nothing fancy. Gunzip and untar the archive file, cd into the VLAD directory just created, and type "make" (which compiles the three C programs). Assuming you have all the required Perl modules from CPAN installed, you are ready to go.

What CPAN (http://www.cpan.org/) modules are required? Here is a list of what VLAD uses:

  • LWP::UserAgent
  • HTTP::Request
  • HTTP::Response
  • Net::DNS::Resolver
  • IO::Socket
  • IO::Pty
  • IO::Stty
  • Socket
  • Net::SNMP
  • Net::Telnet
  • Expect
  • File::Spec
  • Time::HiRes

By using "perl -MCPAN -eshell" to start an interactive shell you can type "install LWP::UserAgent", etc to download the needed modules and their dependencies. If you have never used the interactive shell before, the program may ask you a few questions. Unless you are extremely familiar with the CPAN interactive shell, choose the default selections.

About VLAD the Scanner

VLAD consists of seven modules that check for the possibility of risks associated with SANS' Top Ten list. The wrapper module vlad.pl will call each of the seven modules with the appropriate flags and parameters. Here is a list of the executable files:

Executable  SANS Item  Purpose
----------  ---------  ---------------------------------------------------------
vlad.pl        All     Wrapper script that calls all the other modules.
dnsver.pl      #1      Checks for the BIND weaknesses (nxt, qinv, named) by
                       checking the version number.
cgi.pl        #2,#4    Looks for CGI and related files with known security
                       issues, including RDS.
rpc           #3,#6    Checks for the presence of rpc.ttdbserverd (ToolTalk),
                       rpc.cmsd (Calendar Manager), rpc.statd, sadmind, and
                       mountd.
sendmail       #5      Checks for older vulnerable versions of Sendmail.
netfs.pl       #7      Looks for services that export file sharing.
pwscan.pl    #8,#10    Tests for weak passwords and easily guessed SNMP
                       community strings.
imap           #9      Checks for vulnerable versions of POP3 and IMAP daemons
                       by checking the version number.

VLAD is not a full-featured scanner (check out BindView's HackerShield at http://www.bindview.com/products/hackershield/index.html for a good full-featured scanner) and was not intended for large-scale scanning, although with a few scripts to drive it you certainly can try.

You can run the individual modules by themselves if you wish. Most of them have handy options tailored for each particular thing you are checking.

Running VLAD

Once you've got VLAD ready to go, running it is simple:

  $ ./vlad.pl 192.168.1.1

If the individual modules are timing out (the default timeout is ten seconds per module), use the -t switch to specify a longer timeout in seconds:

  $ ./vlad.pl -t 30 192.168.1.1

Before it tries to scan a host, VLAD will send a single ICMP Echo packet (ping) to the target. If the target does not respond, VLAD will not scan the target. If the target you are scanning is behind a firewall or router that blocks ICMP Echo packets but you still wish to have VLAD scan it, use the -n switch for no ping:

  $ ./vlad.pl -n 192.168.1.1

Because the CGI/RDS check (cgi.pl) and the password/SNMP check (pwscan.pl) can make a run of VLAD take a while, you can skip them with -c and -p respectively:

  $ ./vlad.pl -c -p 192.168.1.1

Behind the scenes, vlad.pl calls each of the modules with the following parameters:

  (module) -s -t (timeout) (target)

For each of the modules, the -s switch is the "sansmode" switch. It ensures that each module returns its results to vlad.pl in a consistent form. You can, however, experiment with each of the modules individually; run them with the -h switch to see what else they can do.

Scanning Multiple Targets

While VLAD was originally designed for single-target scanning, it can be used to scan a large number of hosts with a shell script. Assuming you have created a list of hosts to scan in a text file called "targets.txt" with one IP address per line, the following script should do the job:

  #!/bin/sh
  #
  # run VLAD against a list of hosts, one IP address per line in
  # targets.txt (blank lines and lines starting with # are skipped)
  while read -r TARGET
   do
     case "$TARGET" in
       ''|'#'*) continue ;;
     esac
     # stdin is redirected so a module that reads the terminal cannot
     # swallow the rest of the target list
     ./vlad.pl "$TARGET" > "$TARGET.scan" < /dev/null
   done < targets.txt

This will create a series of files that start with the IP address of the target and end with .scan for you to check.

Of course if you know perl you can simply edit the vlad.pl script to your liking.

Unique Module Usage

While some of the modules are fairly simple, a couple of them are rather complex. The CGI scanner, cgi.pl, only checks for the existence of files on the target, but it uses a fairly interesting method to decide whether a possibly vulnerable file is there. By sending a request for a file we *know* is not there and comparing the result with the response for a file we *think* might be there, we can tell whether the file is in fact present, rather than trusting the status code alone. We do have to trap things in a special way for Cold Fusion, but other than that it is a fairly decent way of determining whether a file is there or not. All query results are cached, so if we check for /cgi-bin/hackershield.cgi to compare against /cgi-bin/test.cgi, subsequent /cgi-bin/*.cgi checks will not have to re-request /cgi-bin/hackershield.cgi.
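The following is an added example, not cgi.pl's code, that implements the same idea in Python: fetch a name known to be absent in each directory once, cache it, and call a candidate present only when its response differs from that baseline. The target is simulated by a plain function so it runs offline; its paths and page bodies are constructed, the sentinel name hackershield.cgi is the one used in the paragraph above, and the masking of an echoed file name in error pages is an assumption about how a server that answers 200 for everything can be handled, not a description of what cgi.pl does for Cold Fusion.

```python
"""Baseline-comparison file probe in the spirit of VLAD's cgi.pl.

Added example, not VLAD's code.  The target is a plain function so the
probe runs offline; paths, bodies and the directory whose error handler
answers 200 for any name (a "soft 404") are constructed for illustration.
"""
import posixpath
from typing import Callable, Dict, Tuple

Response = Tuple[int, bytes]        # (HTTP status, body)
Fetch = Callable[[str], Response]   # request a path, get a response


def sample_server(path: str) -> Response:
    """Constructed target: one real CGI, one real page under /cfdocs/,
    a soft-404 handler for everything else under /cfdocs/, 404 elsewhere."""
    if path == "/cgi-bin/test.cgi":
        return 200, b"<html>test.cgi says hello</html>"
    if path == "/cfdocs/sample.cfm":
        return 200, b"<html>Sample application page</html>"
    if path.startswith("/cfdocs/"):
        # Soft 404: status 200, and the page echoes the requested name.
        return 200, b"<html>Error: " + path.encode() + b" could not be found</html>"
    return 404, b"<html>Not Found</html>"


class FileProbe:
    """Decide whether a file exists by comparing its response with the
    response for a name we know is absent in the same directory.  The
    baseline is fetched once per directory and cached, as cgi.pl does."""

    def __init__(self, fetch: Fetch, sentinel: str = "hackershield.cgi"):
        self.fetch = fetch
        self.sentinel = sentinel                  # assumed never to exist
        self.baseline: Dict[str, Response] = {}   # directory -> response
        self.requests = 0                         # shows the cache effect

    def _get(self, path: str) -> Response:
        self.requests += 1
        return self.fetch(path)

    def _baseline(self, directory: str) -> Response:
        if directory not in self.baseline:
            self.baseline[directory] = self._get(posixpath.join(directory, self.sentinel))
        return self.baseline[directory]

    @staticmethod
    def _shape(body: bytes, path: str) -> bytes:
        # Error pages often echo the requested name (assumption); mask it so
        # two "not found" pages for different names compare equal.
        name = posixpath.basename(path).encode()
        return body.replace(name, b"<NAME>") if name else body

    def present(self, path: str) -> bool:
        directory = posixpath.dirname(path) or "/"
        base_status, base_body = self._baseline(directory)
        status, body = self._get(path)
        if status >= 400:
            return False                 # an ordinary "no such file"
        if status != base_status:
            return True                  # e.g. 200 where the baseline got 404
        # Same status as a known-missing name: only a different page
        # body says this one is really there.
        return self._shape(body, path) != self._shape(base_body, self.sentinel)


if __name__ == "__main__":
    probe = FileProbe(sample_server)
    for p in ("/cgi-bin/test.cgi", "/cgi-bin/missing.cgi",
              "/cfdocs/sample.cfm", "/cfdocs/other.cfm"):
        print(p, "present" if probe.present(p) else "absent")
    print("requests sent:", probe.requests)
```

Note that "present" here means only that the server treats the name differently from a name it has never heard of; as the text says, this establishes existence, not that the file is actually exploitable, and a login page or redirect returned for every real file would still need a look by hand.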

This is stated because if you decide to add entries to the cgi.db database, you need to know how the CGI checks actually work. You may wish to add your own entries as you read about bugs reported in such forums as Bugtraq, or you could even use it to check for unwanted files unique to your organization. And if you add entries, let us know what you added at vlad@bos.bindview.com, so we can share them with others!

pwscan.pl is another fairly interesting module. The account.db and password.db files are fairly straightforward, and you may wish to edit them or add your own names. Be forewarned -- since VLAD is automated, VLAD cares little for how long he takes to run. Every password is tried for every account, so adding a list of 10,000 passwords could make a VLAD run take hours. You can also edit community.db to check that old SNMP community strings have been changed on all SNMP equipment (possibly to help enforce a security policy).

We have included a couple of larger-sized files (account60.db and password100.db) if you wish to use those. Simply rename these files to account.db and password.db (you may wish to back up the originals first) and start scanning.

When vlad.pl runs pwscan.pl, it passes the -p flag, which makes pwscan.pl try each account/password pair against the services in protocol order. vlad.pl also port-scans the services pwscan.pl knows how to check before the run starts, so pwscan.pl knows which of them are open. In this mode pwscan.pl gives up on an account/password pair as soon as one service rejects it (when running pwscan.pl by hand you can override this with the -f switch), which is why the -p switch speeds things up.
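The trade-off behind -p and -f can be seen in a few lines. The following is an added example, not pwscan.pl's code: it models a guessing run that either drops a pair after its first rejection (the -p behaviour as described above) or keeps trying it on every service (like -f). The service names and which credentials each one accepts are constructed; the point is that the shortcut assumes the same credentials work everywhere, and what it misses depends on which protocol comes first.

```python
"""Protocol-order password guessing with stop-on-failure, a model of the
-p and -f behaviour of pwscan.pl.  Added example, not VLAD's code; the
services and the credentials they accept are constructed."""
from typing import Callable, Dict, List, Set, Tuple

Cred = Tuple[str, str]        # (account, password)
Hit = Tuple[str, str, str]    # (service, account, password)

# Constructed target: one pair works everywhere, one guest account is
# accepted by the POP3 daemon only.
VALID: Dict[str, Set[Cred]] = {
    "telnet": {("root", "toor")},
    "ftp":    {("root", "toor")},
    "pop3":   {("root", "toor"), ("guest", "guest")},
}


def try_login(service: str, cred: Cred) -> bool:
    """Stand-in for a real login attempt against the simulated target."""
    return cred in VALID[service]


def guess(order: List[str], creds: List[Cred], stop_on_failure: bool,
          login: Callable[[str, Cred], bool] = try_login) -> Tuple[List[Hit], int]:
    """Try every pair against the services in `order`.

    With stop_on_failure (the -p behaviour) a pair is abandoned after its
    first rejection; without it (like -f) every open service sees every
    pair.  Returns the hits and the number of login attempts made."""
    hits: List[Hit] = []
    attempts = 0
    for account, password in creds:
        for service in order:
            attempts += 1
            if login(service, (account, password)):
                hits.append((service, account, password))
            elif stop_on_failure:
                break          # assume the pair is wrong everywhere
    return hits, attempts


if __name__ == "__main__":
    creds = [("root", "toor"), ("guest", "guest"), ("admin", "admin")]
    for order in (["telnet", "ftp", "pop3"], ["pop3", "telnet", "ftp"]):
        for stop in (True, False):
            hits, n = guess(order, creds, stop)
            print(f"order={order} stop_on_failure={stop}: "
                  f"{len(hits)} hits in {n} attempts")
```

With telnet first, stop-on-failure makes 5 attempts instead of 9 but never sees that guest/guest works on POP3; put POP3 first and the same shortcut finds it. That is the speed-versus-coverage choice the -f switch lets you make by hand.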

Feedback

Send us feedback! Let us know at vlad@bos.bindview.com how you are using VLAD and give us any bugs, patches, and additions so we can share it with the security community at large.

Credits

This scanner was put together by BindView Corporation's RAZOR security team. A careful look at the code reveals several different programming styles, but we feel we've put together a handy tool for checking the most commonly found problems. Any questions or comments, send a note to vlad@bos.bindview.com or visit the VLAD page at http://razor.bindview.com/tools/vlad/.



Contact: info@razor.bindview.com | Fax: 508-485-0737 | Bindview Home