Candid Automated Vulnerability Scanner (CAVS)

Note: The OSVDB database updates were halted at source as of early 2012 - so results will not be current! CAVS is essentially discontinued as a result of this.

CAVS is a ruby ( scanner that basically takes output from nmap and correlates it with information in the Open Source Vulnerability Database. So, we do a TCP port scan and search for public disclosed vulnerability with the services found *.

At the moment we only do "well-known" services (the nmap default option when no -p value is specified), and we only do TCP.

Target IP address *:   

* - your public IP address is (your "real" address may be NAT'd / non-reachable from public networks).

What is CAVS?

So what is CAVS? CAVS is more than anything else is honest in it's assessment of your target. The fact is, if we are doing any sort of remote vulnerability assessment, we are extremely limited in what can be achieved by any methodology, that is of course unless we want to potentially destabilize production services in an unrestricted manual penetration test conducted by folk who are in extremely short supply in today's security arena: skilled penetration testers. Certainly if we are talking "automated" approaches, there is very little of any value we can realistically offer to the target owners. Where CAVS differs from others is we are honest in our assessment - a long overdue approach to information security service provision!!

CAVS basically does a port scan, while attempting to grab product and version strings from "visible" services. Then it takes this information and correlates it against information in the Open Source Vulnerability DataBase (OSVDB). Simple. What results is a lot less information than is output by commercial vulnerability scanners, less time is wasted, and the information is succinct and (in most cases) accurate. If there are public disclosed issues with your listening services, they will be listed.

Candid AVS is an honest scanner...

CAVS is a very simple, but honest, vulnerability scanner, hence the name. At this point you may be thinking "aren't all vulnerability scanners honest?". Well, most of them will tell you in a 300 page report that your servers are full of holes, with red colour warnings and so on, but...the vast majority of the information in the report will be what the security industry calls "false positives". You see, the illusion created by the security industry (to it's great detriment - for more detail see chapters 4 and 5 of my book Security De-engineering) is that the automated vulnerability scanners on the market today can be used in place of manual penetration testing efforts. Epic Fail ladies and gentlemen. Epic Fail.

So what do automated vulnerability scanners (examples would be Nessus and GFI Languard) actually do? Well, without going into heaps of details, which you don't have time for (chapter 5 of Security De-engineering covers it in full detail), they don't really do much at all. Mostly what they do is "grab some banners" to find product and version strings, then look up in their database of public disclosed vulnerability for vulnerability against the discovered service. The illusion that is created is that by the product vendors in the security industry is that vulnerability scanners are more advanced than what I have described....they apparently "intelligently probe, heuristically" for vulnerability. Whereas there is a scarce minority of vulnerabilities that these scanners can find with some reasonable level of reliability (examples would be default SNMP community strings, anonymous NULL sessions and a few others), in most cases there is no actual "probing" as such. What there is a lot of in the production of the tool output is guesswork, and I would not venture to say that the guesswork deployed is educated guesswork.

The result of the aforementioned empty promises? The uninitiated user uses these tools against their critical infrastructure. If the report was ever printed, resulting in the instant destruction of planet earth, it would be 300 pages of A4! And how much of that output is actually useful? In most cases none of it will have any corporate value whatsoever...but nonetheless significant resources are invested in running the tool and processing the output.


CAVS is my own personal effort coded mostly in Ruby ( with a MySQL backend database. Of course I stand on the shoulders of giants in my development, and credit is owed to the developers / maintainers of the following:


There are a few points to note with regard results accuracy and practical limitations:

Overall CAVS is a work in progress, and ideas for improvements or contribution in the way of results feedback or offer of collaboration are welcome...don't hesitate to contact me.

* - Please use CAVS only for your own personal benefit by scanning IP Addresses that you own. Please do not use CAVS for illegal purposes. CAVS is basically only using nmap to do a port scan, and then does some processing on the results. It can not directly be used to gain unauthorised access to private networks. Seven Stones is not liable for information security incidents that could arise as a follow-on step from using CAVS.