{"id":35959,"date":"2020-07-08T17:16:14","date_gmt":"2020-07-08T17:16:14","guid":{"rendered":"http:\/\/e9c74c13-bc6d-417c-b1af-d571c547fcc3"},"modified":"2020-07-08T17:16:14","modified_gmt":"2020-07-08T17:16:14","slug":"google-open-sources-tsunami-vulnerability-scanner","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/google-open-sources-tsunami-vulnerability-scanner\/","title":{"rendered":"Google open-sources Tsunami vulnerability scanner"},"content":{"rendered":"
\"tsunami.jpg\"<\/span>
<\/span><\/figcaption><\/figure>\n

Google has open-sourced a vulnerability scanner for large-scale enterprise networks consisting of thousands or even millions of internet-connected systems.<\/p>\n

Named Tsunami, the scanner has been used internally at Google and has been made available on GitHub<\/a> last month.<\/p>\n

Tsunami will not be an officially-branded Google product but will instead be maintained by the open-source community, similarly to how Google first made Kubernetes (another Google internal tool) available for the masses.<\/p>\n

How Tsunami works<\/h3>\n

There are already hundreds of other commercial or open-sourced vulnerability scanners on the market, but what’s different about Tsunami is that Google built the scanner with mammoth-sized companies like itself in mind.<\/p>\n

This includes companies that manage networks that include hundreds of thousands of servers, workstations, networking equipment, and IoT devices that are connected to the internet.<\/p>\n

Google said it designed Tsunami to adapt to these extremely diverse and extremely large networks on the get-go, without the need to run different scanners for each device type.<\/p>\n

Google said it did this by first splitting Tsunami into two main parts, and then adding an extendable plugin mechanism on top.<\/p>\n

<\/section>\n

The first Tsunami component is the scanner itself — or the reconnaissance module. This component scans a company’s network for open ports. It then tests each port and attempts to identify the exact protocols and services running on each, in an attempt to prevent mislabelling ports and test devices for the wrong vulnerabilities.<\/p>\n

Google said the port fingerprinting module is based on the industry-tested nmap<\/a> network mapping engine but also uses some custom code.<\/p>\n

The second component is the one that’s more complex. This one runs based on the results of the first. It takes each device and its exposed ports, selects a list of vulnerabilities to test, and runs benign exploits to check if the device is vulnerable to attacks.<\/p>\n

The vulnerability verification module is also how Tsunami can be extended through plugins — the means through which security teams can add new attack vectors and vulnerabilities to check inside their networks.<\/p>\n

The current Tsunami version comes with plugins to check for:<\/p>\n