In-depth auditing and detection of network vulnerabilities

Rhyno Cybersecurity delivers the security auditing tools and expertise that you need to detect a wide range of vulnerabilities in network services, operating systems and web servers.

Network Vulnerability Assessment

We help you discover outdated network services, missing security patches, badly configured servers and many other vulnerabilities.

The Network Vulnerability Assessment uses OpenVAS as our solution for assessing the network perimeter and for evaluating the external security posture of a company.

We perform an in-depth network vulnerability scan by using more than 57,000 plugins. We start by detecting the open ports and services, and then continue by querying a database for known vulnerabilities which may affect the specific software versions.

The network perimeter of a company is the ‘wall’ which isolates the internal network from the outside world. However, because the outside world needs to access various resources of the company (ex. the website), the network perimeter exposes some network services (ex. FTP, VPN, DNS, HTTP and others).

Our network audit uses OpenVAS as its scanning engine. OpenVAS is the most advanced open source vulnerability scanner, able to actively detect thousands of vulnerabilities in network services such as SMTP, DNS, VPN, SSH, RDP, VNC, HTTP and many more. OpenVAS detects vulnerabilities by connecting to each network service and sending crafted packets that make the service respond in certain ways. Depending on the response, the scanner reports the service as vulnerable or not.

How this audit is performed

What is OpenVAS?

OpenVAS is a fork of the old Nessus scanner, created in 2005 when Nessus became a commercial product. OpenVAS is currently developed and maintained by Greenbone Networks with support from the community.

OpenVAS implements each test in a plugin called NVT (Network Vulnerability Test) which is written in a scripting language called NASL (Nessus Attack Scripting Language). It currently has more than 57000 active plugins which can detect a huge number of vulnerabilities for numerous services and applications.

OpenVAS Scanning Policy

While OpenVAS has multiple predefined policies, our scanner uses the one called Full and Fast. This policy uses the majority of the NVTs and it is optimized to use the information collected by the previous plugins. For instance, if a previous plugin detects the FTP service running on port 2121, it will run all the FTP related plugins on that port.

Open Ports Detection

We have configured OpenVAS to scan for a default list of ports containing the most common 6000 ports (TCP and UDP). However, please note that the scanner first attempts to detect if the host is alive or not before doing the port scan. If the host is not alive (ex. does not respond to ICMP requests) it will show zero open ports found.

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The Report includes:

  • A summary of the vulnerabilities found in your network, the risk rating, and CVSS score
  • Technical details for each vulnerability discovered
  • Risk level information for each network vulnerability
  • Recommendations and insights on how to remediate these security flaws

SSL/TLS Vulnerability Audit

Our SSL/TLS vulnerability audits include scanning for:

OpenSSL Heartbleed: The Heartbleed vulnerability affects all web servers that use OpenSSL versions 1.0.1-1.0.1f and permits an attacker to read up to 64k of server memory.

SSLv3 POODLE: This vulnerability may allow an attacker who is already man-in-the-middle (at the network level) to decrypt the static data from an SSL communication between the victim user and a vulnerable server. The attacker will probably try to obtain the HTTP cookies or other static data.

OpenSSL DROWN: The DROWN attack (Decrypting RSA With Obsolete and Weakened Encryption) can decrypt modern TLS sessions between a client and a server if that particular server (or another server that shares the same SSL certificate) supports SSLv2 cipher suites.

TLS ROBOT Attacks: The Return Of Bleichenbacher’s Oracle Threat (ROBOT) Attack is a variation of the classic Bleichenbacher attack against RSA – which is one of the encryption methods used by TLS. A successful attack permits an attacker to decrypt the communication between a user and a server if this communication was encrypted with an RSA cipher.

How this audit is performed

IP Setup

We set up an IP range, a single IP or a hostname. An IP range can be specified like Maximum 255 hosts can be scanned in a row. When a single IP/hostname is being scanned, the tool will try to read a piece of server memory in order to prove the vulnerability.


This is the service that will be scanned for SSL vulnerability. The protocols that are supported right now are: HTTPS (default), SMTP, IMAP, POP3 and FTP.

Reverse DNS

Our tool will attempt to do reverse DNS for each live IP in the IP range. It will return the hostname of that IP configured in DNS. This option slows down the scan and is disabled by default. In case of SMTP, IMAP, POP3 and FTP, the tool will send the STARTTLS command before initiating the TLS handshake.

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • The IPs and hostnames that were found vulnerable
  • A memory dump from the vulnerable server
  • Whether a realistic attack is possible or not (TLS)

TCP/UDP Port Audit

We detect open TCP/UDP ports and running services (including their versions), and perform OS fingerprinting on a target IP address or hostname.

We map your network perimeter, check firewall rules and verify if your services are reachable from the Internet. Because it is based on Nmap, the audit performs accurate port discovery and service detection.

The main advantage of using an online version of the Nmap port scanner versus using it on your local machine is that it gives you an external view of your systems as they are seen by any hacker from the Internet. If you do the same scan from your internal network you may obtain different results because of various firewalls and network restrictions. Furthermore, our port audits are:

  • Already configured and ready to run
  • Periodically upgraded
  • Delivered with a useful report that you can share with management or stakeholders

Even though UDP services are less popular than TCP services, having a vulnerable UDP service exposes the target system to the same risk as having a vulnerable TCP service.

Hence, discovering all open UDP ports is important in a penetration test for achieving complete coverage of the security evaluation.

Behind the curtains, Nmap sends UDP packets to each port specified in the parameters. If the target responds with ‘ICMP port unreachable’, Nmap can be sure that the port is closed. Otherwise (no response received), the scanner cannot know if the port is open, firewalled or if the packet was lost on the way. In this case, Nmap will show you the status open|filtered for that port.
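The three outcomes described above can be reproduced on loopback, which is useful for seeing why a silent port cannot be called open. This is an added example, not code from the audit tool or from Nmap; the function names and the three local test ports are constructed for the demonstration.

```python
import socket
import threading

def probe_udp(host, port, timeout=0.5):
    """Classify one UDP port the way the paragraph above describes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # connected socket: the OS reports ICMP errors to us
        try:
            s.send(b"\x00")
            s.recv(2048)
            return "open"            # the service answered
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"          # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"   # silence: open, firewalled or packet lost

def _local_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))         # let the OS pick a free loopback port
    return s

def demo():
    """Probe three constructed loopback ports: answering, silent and unbound."""
    echo, silent, gone = _local_socket(), _local_socket(), _local_socket()
    closed_port = gone.getsockname()[1]
    gone.close()                     # nothing listens here any more

    def answer_once():
        data, peer = echo.recvfrom(2048)
        echo.sendto(data, peer)

    threading.Thread(target=answer_once, daemon=True).start()
    try:
        return {
            "answering": probe_udp("127.0.0.1", echo.getsockname()[1]),
            "silent": probe_udp("127.0.0.1", silent.getsockname()[1]),
            "unbound": probe_udp("127.0.0.1", closed_port),
        }
    finally:
        echo.close()
        silent.close()

if __name__ == "__main__":
    print(demo())
```

The silent port is bound and receives the datagram, yet it is reported as open|filtered, exactly like a port behind a firewall that drops the probe.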

How this audit is performed

Nmap host discovery

The first phase of a port scan is host discovery. Here the scanner attempts to check if the target host is live before actually probing for open ports. This phase is needed mainly when scanning a large range of IP addresses in order to optimize the time for the whole scan. It does not make any sense to waste time probing for open ports on a ‘dead’ host (ex. there is no server at a given IP).

Open ports detection

In order to determine if a TCP port is open, Nmap takes advantage of the three-way handshake mechanism used by TCP to establish a connection between a client and a server. There are two main methods for detecting open TCP ports: Connect-Scan (nmap -sT) and SYN-Scan (nmap -sS).

Nmap service detection

After Nmap has found a list of ports, it can do a more in-depth check to determine the exact type of service that is running on that port, including its version. This is needed because it is possible for common services to run on non-standard ports (ex. a web server running on port 32566). Service detection is enabled with the command nmap -sV.

Nmap does service detection by sending a number of predefined probes for various protocols to the target port in order to see if it responds accordingly. For example, it sends:

  • SSL CLIENT HELLO – to check for SSL services
  • HTTP GET request – to check for HTTP service
  • SIP OPTIONS – to check for SIP/RTSP protocol
  • and many others

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • The open TCP/UDP ports, services and version information
  • Operating system details and reverse DNS results
  • The original Nmap output is also included

Password Audit - Discover Weak Credentials

Our password auditor is an autonomous password auditing solution for network services and web applications.

Its purpose is to automate the manual work performed when using tools such as Medusa, Hydra or Ncrack by automatically detecting the services which require authentication and launching the password audit with the right parameters.

One of the unique advantages of our tool is that it automatically detects web forms in web applications and it automatically attempts to login with default and weak credentials. It has the capability to detect if a web form authentication was performed with success or not.

As a result, you can easily find web interfaces with weak passwords (ex. Jenkins, Tomcat, PhpMyAdmin, Cisco routers, etc) together with network services such as SSH, FTP, MySQL, etc, having default credentials.

How this audit is performed


Our Password Auditor starts by doing a port scan and service discovery against the target system in order to discover which services require authentication.


The next step is to try common username/password combinations (taken from a predefined wordlist) for each service found in the previous step. In case the service is web based, Password Auditor automatically detects the login interfaces and parameters for authentication.


Our tool is capable of knowing if a web-form authentication was performed successfully or not.

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The Report includes:

  • Network services which were found reachable
  • Weak passwords that were found

Subdomain Takeover

Subdomain Takeover is a type of vulnerability which appears when an organization has configured a DNS CNAME entry for one of its subdomains pointing to an external service (ex. Heroku, GitHub, Bitbucket, Desk, Squarespace, Shopify, etc) but the service is no longer utilized by that organization.

An attacker could register to the external service and claim the affected subdomain.

As a result, the attacker could host malicious code (ex. for stealing HTTP cookies) on the organization’s subdomain and use it to attack legitimate users.

How this audit is performed


Our tool uses all the techniques from the Find Subdomains tool to identify existing subdomains for the target domain.


Then it searches for CNAME DNS entries pointing to external services and tries to visit the web pages at those locations.


If the pages contain some specific keywords (depending on the external service), the subdomain is declared as vulnerable.
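The CNAME and keyword check from the steps above, run over an inventory of your own DNS records, as an added example (not the audit tool's code). The two fingerprint strings, the example.com records and the page bodies are constructed or illustrative assumptions; real provider error pages change and must be verified before relying on them.

```python
# Illustrative fingerprints (assumption): provider suffix -> text shown for an unclaimed name.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here.",
    "herokuapp.com": "No such app",
}

def provider_for(cname):
    """Return the matching provider suffix, comparing on DNS label boundaries."""
    name = cname.rstrip(".").lower()      # CNAME targets often carry a trailing dot
    for suffix in FINGERPRINTS:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None

def audit(cnames, pages):
    """cnames: {subdomain: CNAME target}; pages: {subdomain: (status, body)}.

    Returns rows of (subdomain, cname, http_status, verdict), the fields the
    report lists."""
    report = []
    for sub, target in sorted(cnames.items()):
        provider = provider_for(target)
        status, body = pages.get(sub, (None, ""))
        if provider is None:
            verdict = "unknown provider"  # no fingerprint, so no claim either way
        elif FINGERPRINTS[provider] in body:
            verdict = "vulnerable"        # provider says nobody owns this name
        else:
            verdict = "claimed"
        report.append((sub, target, status, verdict))
    return report

# Constructed sample inventory and responses.
CNAMES = {
    "blog.example.com": "example-org.github.io.",
    "shop.example.com": "example-shop.herokuapp.com.",
    "old.example.com": "cdn.notgithub.io.",
}
PAGES = {
    "blog.example.com": (404, "<p>There isn't a GitHub Pages site here.</p>"),
    "shop.example.com": (200, "<h1>Welcome to the shop</h1>"),
    "old.example.com": (404, "There isn't a GitHub Pages site here."),
}

if __name__ == "__main__":
    for row in audit(CNAMES, PAGES):
        print(row)
```

Matching the suffix on a label boundary keeps cdn.notgithub.io from being treated as a GitHub Pages target even though its page body contains the same text.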

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • Subdomains found on the target domain
  • DNS CNAME records of each subdomain
  • HTTP response code for each subdomain (port 443)

DNS Zone Transfer

DNS servers should not permit zone transfers towards any IP address from the Internet.

Since zone files contain complete information about domain names, subdomains and IP addresses configured on the target name server, finding this information is useful for increasing your attack surface and for better understanding the internal structure of the target company (ex. find test servers, development servers, hidden domains, internal IP addresses, etc).

Information gathered from zone files can be useful for attackers to implement various attacks against the target company, like targeting test or development servers which are less secure.

How this audit is performed


Our tool first discovers all the name servers associated with your target domain.


Then it sends a Zone Transfer (AXFR) DNS request to each name server and checks whether it is successful or not. In case of success, the full zone file will be displayed.
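The request and the success check described above, at the wire level, as an added example (not code from the audit tool): it builds the AXFR question framed for TCP and classifies a reply from its header alone. The name example.com, the transaction ID and the two reply headers are constructed.

```python
import struct

QTYPE_AXFR, CLASS_IN = 252, 1
RCODE_NAMES = {5: "REFUSED", 9: "NOTAUTH"}

def encode_name(domain):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(domain, txid=0x1234):
    """Return an AXFR query framed for TCP (2-byte length prefix)."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)   # standard query, one question
    msg = header + encode_name(domain) + struct.pack("!2H", QTYPE_AXFR, CLASS_IN)
    return struct.pack("!H", len(msg)) + msg

def classify_reply(framed):
    """Decide from the reply header whether the server handed out the zone."""
    if len(framed) < 14:
        return "malformed reply"
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", framed[2:14])
    rcode = flags & 0x000F
    if rcode != 0:
        return "refused (%s)" % RCODE_NAMES.get(rcode, "rcode %d" % rcode)
    return "transfer allowed" if answers > 0 else "no records returned"

# Constructed reply headers (record data omitted): QR bit set, then RCODE / ANCOUNT.
REFUSED_REPLY = struct.pack("!H6H", 12, 0x1234, 0x8005, 0, 0, 0, 0)
ALLOWED_REPLY = struct.pack("!H6H", 12, 0x1234, 0x8400, 0, 3, 0, 0)

if __name__ == "__main__":
    print(build_axfr_query("example.com").hex())
    print(classify_reply(REFUSED_REPLY), "/", classify_reply(ALLOWED_REPLY))
```

A name server that restricts transfers to its secondaries should produce the refused result for any other source address.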

Detailed Reporting

We conveniently send you a detailed report with a summary of findings and risk ratings. Each finding has a detailed explanation in terms of risk and recommendations.

The report includes:

  • All the name servers of target domain
  • The full DNS Zone file if accessible