The OS Scan Project

A study of the security improvements an OS gains from patches, and of the effectiveness of the patches themselves.


Overview:
Q: Which operating systems show the greatest security improvement, that is, the largest reduction in vulnerabilities from an out-of-the-box (default) state to a patched state (with the latest vendor patches applied)?

A: Using Nmap and Nessus we will scan operating systems installed with default options, that is, without any patches or configuration changes. Then we will scan them again with the latest patches applied and compare the before and after scans.

Q: Is a patch always effective, in that it nullifies all (high-risk) vulnerabilities that were known prior to its release? Or do patches sometimes overlook security holes, or perhaps even do more damage?

A: By looking at the progression of patches for each operating system (for example, from Windows 2000 Server SP1 to SP2 to SP3 to SP4) we will see specifically which threats were or weren't eradicated between patches, which helps us better assess the effectiveness of a later patch.

We picked several of the more popular Operating Systems and put them to the test...

What is NESSUS?
Nessus is a software package that performs Security Scanning of Operating Systems (OS) and networks. It is a free product and is very popular in the Security Industry. Many security professionals use it today to scan their systems looking for common vulnerabilities and companies like Enterasys are incorporating Nessus scanning into their Intrusion Detection products like Dragon and Squire.

Nessus allows you to save the information it has discovered in several formats, including but not limited to XML, HTML and text. We provide you with the HTML format, with a short paragraph at the beginning of each scan to introduce it. At the start of the scan results you will see references to three categories: Security Holes, Security Notes, and Security Warnings. We could not find a definition of any of these in the man pages or on the Nessus site, so we emailed Renaud Deraison, one of the developers of Nessus, and asked for his definitions of the three. He responded with:

Basically, Security Notes are just "nits". It's information that may be valuable in itself (i.e.: the name of the remote operating system, and so on), but it does not make the host more prone to be victim of an attack.

Security warnings are advice we recommend you follow, or a bug waiting to be exploited in conjunction with another vulnerability. A service that is historically known to be buggy is likely to get such a warning, even if the tested release was considered bug free. A service which operates in clear text may also get a warning, and so on. In one word, I'd call them "disasters waiting to happen". Meaning that they're not fatal now, but they might be some day.

Security holes mean that a cracker can get instant access on your box (either read any file, walk through the filesystem, or even have a shell prompt).


Nessus offers much functionality, some of which consists of:

  • Up-to-date security vulnerability database - We mostly focus on the development of security checks for recent security holes. Our security checks database is updated on a daily basis, and all the newest security checks are available here and on our FTP servers and mirrors.
  • NASL - The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly. (Security checks can also be written in C.)
  • Smart Service Recognition - Nessus does not believe that the target hosts will respect the IANA assigned port numbers. This means that it will recognize an FTP server running on a non-standard port (31337, say), or a web server running on port 8080.
  • Cracker Behavior - Nessus does not believe that version x.y.z of a given software is immune to a security problem. 95% of the security checks will actually perform their job - they'll try to overflow your buffers, relay some mails, and even crash your computer!

The above information and additional information on Nessus can be found at www.nessus.org.

What is NMAP?
Nmap is a port scanner and OS detection tool. Nmap was written by a hacker known as Fyodor. Over the years, with input from other hackers and security experts, he has written and developed this tool, which is used by both security administrators and hackers/crackers. Nmap offers the following:

  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP and UDP), OS detection, ping sweeps, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -O -sS targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the GNU General Public License (GPL).

The above and additional information can be found at www.insecure.org.


What are Vulnerabilities?
According to Microsoft:

A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming un-granted trust.

Common Vulnerabilities and Exposures defines the word vulnerability as:

A universal vulnerability is a state in a computing system (or set of systems) which either

  • allows an attacker to execute commands as another user
  • allows an attacker to access data that is contrary to the specified access restrictions for that data
  • allows an attacker to pose as another entity
  • allows an attacker to conduct a denial of service

What is a default Install?
A default install as used for this report is defined as an installation of an OS without changing, adding, or subtracting from the installation menus. In other words, just clicking ‘Next’ as the install asks.


The Procedure
For our test, we used RedHat 7.2 on a Compaq Deskpro 233MMX machine. We installed Nessus 1.0.9 and Nmap 2.54BETA22. This was connected via a hub to each target machine.

For the Nessus scan, we chose the option "Enable all but dangerous plugins". This option scans the system for the known vulnerabilities in its database and skips those that "may harm the remote host by disabling the attacked service or by crashing the host." The scan was run and the Nessus results were saved as HTML with charts.

Nessus uses Nmap to do a default port scan, and that is what is displayed with the Nessus results. However, we performed an Nmap scan of our own on some of the targets just to confirm the results. When we performed the additional scan, we used the following command:

nmap -v -sS target > (machine name)

This command tells Nmap to perform a vanilla SYN scan and be verbose about it. We redirected the output to a file named after the target machine.
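To turn the before/after scans into the comparison the overview describes (which findings a patch eradicated, which persist, and whether it introduced anything new), the following Python is an added example, not part of the OS Scan Project's own tooling. The "severity|port|description" line format and the two sample scans are constructed for this example and are not the real Nessus 1.0.9 report format; the three severities follow the Nessus classes described above.

```python
# Added example (not from the original write-up): diff a default-install scan
# against a patched scan of the same host and classify every finding as fixed,
# persisting, or newly introduced, with a per-severity tally for each class.
# The line format below is constructed for this example; it is NOT the real
# Nessus 1.0.9 report format.
from collections import Counter

SEVERITIES = ("hole", "warning", "note")  # the three Nessus result classes

def parse_scan(text):
    """Parse 'severity|port|description' lines into a set of findings."""
    findings = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        severity, port, description = (f.strip() for f in line.split("|", 2))
        severity = severity.lower()
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {severity!r}")
        findings.add((severity, port, description))
    return findings

def compare_scans(before, after):
    """Return (fixed, persisting, introduced) finding sets plus severity counts."""
    fixed = before - after          # present by default, gone after patching
    persisting = before & after     # the patch did not address these
    introduced = after - before     # new exposure the patch brought with it
    groups = (("fixed", fixed), ("persisting", persisting), ("introduced", introduced))
    summary = {name: Counter(f[0] for f in group) for name, group in groups}
    return fixed, persisting, introduced, summary

# Constructed sample scans of one host before and after applying a service pack.
DEFAULT_SCAN = """
hole    | 21/tcp  | anonymous FTP allows a writable upload directory
warning | 23/tcp  | telnet service transmits credentials in clear text
hole    | 139/tcp | null session permits enumeration of user accounts
note    | 80/tcp  | web server banner reveals product version
"""
PATCHED_SCAN = """
warning | 23/tcp  | telnet service transmits credentials in clear text
note    | 80/tcp  | web server banner reveals product version
warning | 445/tcp | SMB over TCP service is exposed to the network
"""

if __name__ == "__main__":
    fixed, persisting, introduced, summary = compare_scans(
        parse_scan(DEFAULT_SCAN), parse_scan(PATCHED_SCAN))
    for label, group in (("fixed", fixed), ("persisting", persisting), ("introduced", introduced)):
        print(f"{label}: {sorted(group)}")
    print(summary)
```

Running the same comparison across successive service packs (SP1 vs SP2, SP2 vs SP3, and so on) gives the per-patch picture of eradicated and surviving threats the overview asks for.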

See the OS Scan Results here.


All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.