Several days ago, Google decided to release the code of its Tsunami security scanner, which is designed to check hosts on the network for known vulnerabilities and to identify configuration problems that affect the security of the infrastructure. The project is written in Java and distributed under the Apache 2.0 license.
As we can read in the repository, Google describes its scanner as follows: "Tsunami is a general purpose network security scanner with an extensible plugin system to detect high severity vulnerabilities with high confidence.
Tsunami relies heavily on its plugin system to provide basic scanning capabilities. All publicly available Tsunami plugins are hosted in a separate google/tsunami-security-scanner-plugins repository."
About Tsunami Security Scanner
Tsunami itself provides a common platform whose functionality is defined through plugins. Currently there is a plugin for nmap-based port scanning, a plugin for checking weak authentication credentials based on Ncrack, and plugins with vulnerability detectors for Hadoop YARN, Jenkins, Jupyter, and WordPress.
The goal of the project is to provide a tool for rapid vulnerability detection in large companies with extensive network infrastructure. When information about a critical new issue is released, a race begins with attackers who try to compromise business infrastructure before the issue is fixed.
Affected components should be identified by company staff as soon as possible, since systems can be attacked within hours of the vulnerability details being disclosed.
In companies with thousands of Internet-facing systems, automated checking is indispensable, and Tsunami is designed to solve exactly this problem.
Tsunami allows you to quickly create your own vulnerability detectors or use ready-made collections that identify the most dangerous problems for which attacks have already been observed.
After scanning the network, Tsunami produces a report on the checks performed; the scanner focuses on reducing false positives so that the report does not take too long to analyze. Tsunami is also designed with scalability and automation in mind, so it can be used, for example, to regularly check the strength of the credentials in use.
The scanning process in Tsunami is divided into two stages:
- Reconnaissance: gathering information about services on the network. At this stage, open ports are identified, along with the associated services, protocols, and applications, using well-established tools such as nmap.
- Vulnerability verification. Based on the information gathered in the first stage, the appropriate plugins for the identified services are selected and run. To confirm that a problem actually exists, fully functional but harmless (neutralized) exploits are used. In addition, common credentials can be checked for weak passwords using ncrack, which supports various protocols including SSH, FTP, RDP, and MySQL.
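To make the two stages concrete, here is an added example that models the flow in Python; it is not code from Tsunami itself (whose plugins are written in Java). Stage 1 parses a constructed nmap XML result, and stage 2 picks detector plugins by matching the services found; the detector names and their match rules are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample of nmap -oX output, standing in for the stage-1 scan.
NMAP_XML = """<nmaprun>
  <host><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty"/></port>
      <port protocol="tcp" portid="8088"><state state="open"/><service name="http" product="Apache Hadoop Yarn"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# host address, port number, nmap service name (e.g. "http"), nmap product banner ("" if unidentified)
NetworkService = namedtuple("NetworkService", "host port name product")

def parse_nmap_xml(xml_text):
    """Stage 1: collect the open services reported by nmap."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports get no plugin
            svc = port.find("service")
            services.append(NetworkService(addr, int(port.get("portid")),
                                           svc.get("name", ""), svc.get("product", "")))
    return services

# Stage 2: each detector declares which services it applies to (hypothetical names and rules).
DETECTORS = {
    "hadoop_yarn_unauth_api": lambda s: s.name == "http" and "yarn" in s.product.lower(),
    "jenkins_unauth_access": lambda s: s.name == "http" and "jenkins" in s.product.lower(),
    "ssh_weak_credentials": lambda s: s.name == "ssh",
    "mysql_weak_credentials": lambda s: s.name == "mysql",
}

def select_detectors(services):
    """Map each detector to the discovered services it should run against."""
    plan = {}
    for detector, applies in DETECTORS.items():
        matched = [s for s in services if applies(s)]
        if matched:
            plan[detector] = matched
    return plan
```

Running `select_detectors(parse_nmap_xml(NMAP_XML))` schedules only the YARN and SSH detectors: the closed MySQL port and the unidentified Jetty service attract no plugin, which is what keeps the second stage targeted.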
The project is still in an early alpha stage, but Google already uses Tsunami to continuously scan and protect all of its externally reachable services.
Among the near-term plans for extending functionality, two stand out: new plugins to identify critical problems that lead to remote code execution, and a more advanced web application fingerprinting component that determines which applications are in use and thereby improves the logic for choosing which test plugin to run.
Longer-term plans include tooling to write plugins in any programming language and the ability to add plugins dynamically.
Finally, if you want to learn more about the project or look at the source code, you can do so from the link below.