Google has unveiled the source code for the Tsunami scanner, a scalable solution for detecting dangerous vulnerabilities with a minimum of false positives. The scanner is aimed at large corporate networks consisting of thousands or even millions of Internet-connected systems. Code already available on github.
Tsunami will not be registered as a Google product, but will be supported by the open source community. Earlier, the company acted in a similar way with its other internal tool, Kubernetes, which also became available to the masses.
As mentioned above, Tsunami differs from other similar tools in terms of scale, because Google created its own scanner for truly giant companies (such as herself). Including for companies that manage networks, which includes hundreds of thousands of servers, workstations, network equipment and IoT devices.
Tsunami is well adapted to large and heterogeneous networks of this kind and solves the problem of launching various scanners for each type of device. To do this, the scanner is divided into two main parts, and is also equipped with an extensible plug-in support mechanism.
The first and main component of Tsunami is the scanner itself or the intelligence module. It scans the company’s network for open ports, and then checks all the ports and determines the exact protocols and services running on them (to prevent incorrect port marking and not to scan devices for the wrong vulnerabilities). This fingerprint module is based on nmap, but also uses custom code.
The second component Tsunami works based on the results of the first. It interacts with each device and its open ports: it selects a list of vulnerabilities for testing and runs safe exploits to check whether the device is really vulnerable to attacks.
The capabilities of this module for checking for vulnerabilities can be expanded using plug-ins. The current version of the scanner comes with plug-ins for checking open strategic UIs (Jenkins, Jupyter, Hadoop Yarn and so on), as well as weak credentials. To implement the latter, Tsunami uses open source tools such as ncrack, which help to detect weak passwords used by various protocols and tools, including SSH, FTP, RDP and MySQL.
Google developers promise to expand the list of plugins for Tsunami in the coming months.
They will be published in a separate github repositories.