Tsunami - Google's scalable security scanner
Google has unveiled the source code for the Tsunami scanner, a solution for detecting dangerous vulnerabilities with a minimum of false positives. Tsunami differs from hundreds of other crawlers (both commercial and free) in its development approach - Google took into account the needs of giant corporations.
When vulnerabilities or incorrect security configurations are actively exploited by attackers, organizations need to respond quickly to protect potentially vulnerable assets. As attackers increasingly invest in automation, the response time to a recently released high-risk vulnerability is usually measured in hours.
This poses a serious problem for large organizations with thousands or even millions of Internet-connected systems. In these large-scale environments, security vulnerabilities must be detected and ideally resolved in a fully automated manner. For this, information security teams should be able to deploy and deploy detectors to solve new security problems on a scale in a very short time.
In addition, it is important that the quality of detection is always very high. To solve these problems, Tsunami was created - an extensible network scanning engine for detecting high-risk vulnerabilities with a high degree of reliability without authentication.
How it works
“Under the hood”, the scanner has two fairly well-known utilities - nmap and ncrack, which allow you to divide the stages of work into two stages:
The first and main stage of Tsunami’s work is scanning. Perimeter reconnaissance is carried out, including the search for open ports and subsequent verification to accurately determine the protocols and services running on them (to prevent false-positive operations). This module is based on nmap, but also uses additional code.
The second stage works based on the results of the first. Interaction is performed with each device and its open ports: a list of vulnerabilities is selected for testing and safe exploits are launched to check whether the device is really vulnerable to attacks (PoC).
Also, Tsunami has an extensible plugin support mechanism. The current version of the scanner is equipped with plugins for checking open UIs (WordPress, Jenkins, Jupyter, Hadoop Yarn and so on), as well as weak credentials. To check for "weak" accounts, the ncrack utility is used, which helps to detect weak passwords used by various protocols and services, including SSH, FTP, RDP and MySQL.
Install the necessary dependencies:
nmap >= 7.80 ncrack >= 0.7
Install a vulnerable web application for verification, for example, an unauthenticated Jupyter Notebook server. The easiest option is through the docker image:
docker run --name unauthenticated-jupyter-notebook -p 8888:8888 -d jupyter/base-notebook start-notebook.sh --NotebookApp.token=''
Run the following command:
bash -c "$(curl -sfL https://raw.githubusercontent.com/google/tsunami-security-scanner/master/quick_start.sh)"
The quick_start.sh contains the following steps:
- Cloning the google/tsunami-security-scanner and google/tsunami-security-scanner-plugins repositories into $ HOME/tsunami/repos.
- Compile and move plugins and jar files to $ HOME/tsunami/plugins.
- Compile and move the Tsunami scanner Fat Jar to $ HOME/tsunami.
- Moving tsunami.yaml - an example of a config in $ HOME/tsunami.
- Try the Tsunami commands to scan 127.0.0.1 using the previously created settings.
Despite its direct relationship with the corporation, Tsunami will not be considered a Google-owned brand. The developer community will work together on the scanner and improve it, the results will be available to everyone.