4

Port scanners like Nessus and OpenVAS are basically used to identify the vulnerabilities of the network. My question is whether someone with bad intentions is able to use these legal tools in a more hostile way. If this is possible, which I think it is, what features of these kinds of tools can someone exploit to attack someone else?

dimitrisd
  • 143
  • 4
  • What is "hostile way"? If you mean to perform unauthorized scans, some people do and no one can stop them. Patch systems, monitor the connection attempts (and block if necessary), monitor the logs etc. Script kiddies often use these tools to perform scanning of other machines. – void_in Apr 19 '15 at 13:09
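The comment above suggests monitoring connection attempts and logs as the defensive counterpart to scanning. The following is an added example, not part of the question or any answer: a small Python detector that reads constructed netfilter/iptables LOG lines (the log format, the 10-second window and the six-port threshold are assumptions for illustration) and flags a source that probes many distinct destination ports in a short window, which is the footprint a port or vulnerability scanner leaves on a firewall.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in the netfilter/iptables LOG target format.
# Addresses are RFC 5737 documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
Apr 19 13:09:01 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Apr 19 13:09:01 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Apr 19 13:09:02 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Apr 19 13:09:02 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Apr 19 13:09:03 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Apr 19 13:09:03 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Apr 19 13:09:04 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=3306 SYN
Apr 19 13:09:04 gw kernel: [FW] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=8080 SYN
Apr 19 13:09:05 gw kernel: eth0: link is up
Apr 19 13:10:00 gw kernel: [FW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Apr 19 13:10:05 gw kernel: [FW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Apr 19 13:12:00 gw kernel: [FW] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22 SYN
"""

# Syslog timestamp followed by the key=value fields the LOG target emits.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2015):
    """Return a dict for a firewall log line, or None for unrelated lines.
    Syslog omits the year, so one is assumed to build a real datetime."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_port_scans(lines, window_seconds=10, min_ports=6):
    """Flag each source that hits at least `min_ports` distinct (dst, port)
    pairs inside any sliding window of `window_seconds`. Thresholds are
    illustrative assumptions; tune them to the network's normal traffic."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()          # events currently inside the time window
        targets = Counter()       # (dst, dpt) -> hits inside the window
        peak, peak_start, peak_end = 0, None, None
        for ev in events:
            window.append(ev)
            targets[(ev["dst"], ev["dpt"])] += 1
            # Evict events that have fallen out of the window.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                old = window.popleft()
                key = (old["dst"], old["dpt"])
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
            if len(targets) > peak:
                peak, peak_start, peak_end = len(targets), window[0]["ts"], ev["ts"]
        if peak >= min_ports:
            alerts.append({"src": src, "distinct_ports": peak,
                           "first_seen": peak_start.isoformat(),
                           "last_seen": peak_end.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"possible scan from {alert['src']}: {alert['distinct_ports']} "
              f"ports between {alert['first_seen']} and {alert['last_seen']}")
```

Run against the constructed sample, it reports 203.0.113.5 (eight ports in three seconds) and stays silent on 198.51.100.7, whose repeated hits on one port look like ordinary retries. Counting distinct ports rather than raw packets is what keeps a busy but legitimate client from tripping the rule.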

2 Answers

8

Those are vulnerability scanners, not just port scanners. People use them to find vulnerabilities in systems. It doesn't matter what their intentions are. If there are vulnerabilities, there's a fair chance the scanner will catch them. A hacker can choose to exploit any exploitable vulnerabilities. The scanners themselves don't exploit the systems; an attack would need another tool, such as Metasploit.

DrDinosaur
  • 145
  • 2
2

What DrDinosaur said is correct, about the tools widely used like nmap being exactly that - tools - without any intention of their own, they are given an intention of good or bad by the person who uses them. Let me explain further:

There are 4 stages of security testing:

  • Recon
  • Mapping
  • Discovery
  • Exploitation

Each stage has a different aim of gaining knowledge about a target, and a large number of different tools/techniques available.

What I think you are doing here, is what a lot of people do, and mixing up the Discovery and Exploitation phases.

E.g., if you have already completed Recon, and are scanning targets for open ports/to find which services are running, you are using a tool in a Mapping way, whether it is legal* or not.

After that, if you load up Metasploit and attempt to exploit one of the services, you're using the tool in an Exploitation way.

Whichever tool you use, it's more about your intentions than anything.

*Port scanning is a bit of a grey legal area from what I know; it has been argued to be both legal and illegal. http://nmap.org/book/legal-issues.html

Edit: Also there are tools like w3af for web application testing, which has both Discovery and Exploitation in one.

Jambo
  • 41
  • 4