3

In my research, I am attempting to develop a simulator that mimics the output of a vulnerability scanner, given a set of parameters (e.g., network IP ranges, number of machines to scan, typical machine configuration, etc.).

Do these types of simulators exist?

scooter
  • To clarify, do you want to fake a vulnerability scan? I am sure most vendors would be able to provide a sample report if this will do – Bernie White Feb 15 '12 at 20:50
  • Bernie, thanks for your input. To answer your question, yes. I'm interested in modeling a vulnerability scan on a "virtual" network. – scooter Feb 16 '12 at 16:37

3 Answers

2

Why don't you just set up a virtual machine, with a virtual network, and run a real vulnerability scanner inside the virtual machine? That will generate realistic traffic: it's not a simulation, it is the real thing.

D.W.
  • I agree - there are so many free vuln scanners, you could actually perform a vuln scan and use its report. So, I doubt a 'simulator' exists. – schroeder Feb 20 '12 at 19:29
0

Assuming you want to input parameters of a fake network, given IP ranges, a mix of machines and configurations, and have it spit out a fake report of a 'typical' network. I assume you want to do this without actually having a network at hand.

You could create your own simulator by grabbing 'typical' data from posted nmap scans and storing them, categorizing the results of various machine configurations (Windows, Linux, router, etc.), and then parameterizing the IPs, machine names, etc. Then write a script that processes the variables you need (20 Win2k3 servers, 10 Red Hat Linux servers, 2 Cisco routers, IP range 192.168.1.0-255) and add in some randomization to the other scan results.

This would create a convincing nmap scan report and you could create as many reports in as many configurations that you need.

What I am NOT sure about is how useful such information would be ...

schroeder
  • Thanks schroeder. This was very helpful. The usefulness of such a tool is to help drive the implementation of better IT security policy and to use the tool to develop metrics that in turn can be applied to justify policy change to senior managers. – scooter Feb 27 '12 at 15:29
  • Then use an actual vulnerability scanner. Nmap is free and has a lot of scripts you can use. 3rd party apps can extend the usefulness of nmap even further (pbnj, metasploit). OpenVAS is also free. If you want metrics, then use actual data. – schroeder Feb 27 '12 at 19:06
  • Thanks again. Will let you know how this works out. But in theory, this is the best approach. – scooter Feb 27 '12 at 22:59
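
The template-and-randomize generator described in the answer above, as an added example that is not part of the original thread. The per-profile port tables and probabilities are constructed placeholders rather than data from real scans, `PROFILES`, `simulate_hosts` and `render_report` are hypothetical names, and the range 192.168.1.0-255 is assumed to mean 192.168.1.0/24.

```python
import ipaddress
import random

# Constructed per-profile templates: (tcp port, service, probability it is open).
# Illustrative values only; a real simulator would derive them from stored scans.
PROFILES = {
    "win2k3": [(135, "msrpc", 1.0), (139, "netbios-ssn", 1.0),
               (445, "microsoft-ds", 1.0), (3389, "ms-wbt-server", 0.6),
               (80, "http", 0.3)],
    "redhat": [(22, "ssh", 1.0), (111, "rpcbind", 0.7),
               (80, "http", 0.5), (443, "https", 0.4)],
    "cisco-router": [(22, "ssh", 0.5), (23, "telnet", 0.8), (80, "http", 0.3)],
}

def simulate_hosts(network, inventory, seed=0):
    """Give each requested machine a unique address and a randomized port set."""
    rng = random.Random(seed)  # seeded so a given report can be regenerated
    addresses = list(ipaddress.ip_network(network).hosts())  # skips .0 and .255
    total = sum(inventory.values())
    if total > len(addresses):
        raise ValueError(f"{total} hosts do not fit in {network}")
    picked = rng.sample(addresses, total)
    hosts = []
    for profile, count in inventory.items():
        for _ in range(count):
            ports = [(p, s) for p, s, prob in PROFILES[profile] if rng.random() < prob]
            hosts.append({"ip": picked.pop(), "profile": profile, "ports": ports})
    return sorted(hosts, key=lambda h: h["ip"])

def render_report(hosts):
    """Render simulated hosts in a layout resembling nmap's normal output."""
    lines = ["# SIMULATED DATA - not produced by a real scan", ""]
    for h in hosts:
        lines.append(f"Nmap scan report for {h['ip']}")
        lines.append("PORT     STATE SERVICE")
        for port, service in h["ports"]:
            lines.append(f"{str(port) + '/tcp':<8} open  {service}")
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    inventory = {"win2k3": 20, "redhat": 10, "cisco-router": 2}
    print(render_report(simulate_hosts("192.168.1.0/24", inventory, seed=42)))
```

The report carries a header marking it as simulated so that generated files are not later mistaken for real scan results.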
0

Recently saw a demo of CORE INSIGHT, which allowed for simulated and real-live exploitation of apps, systems, and networks. The INSIGHT portal can be configured to support scanning for a variety of vulnerability scanning tools, such as (but not limited to): Rapid7 NeXpose, Qualys QG, Tenable Nessus, Tripwire IP360, HP WebInspect, IBM Appscan Standard, Trustwave App Scanner, and WhiteHat Security Sentinel.

There are many other vulnerability consolidation tools, but this was the only one I've seen that allowed for what-if support such as simulations.

atdre