Vulnerability Scanners Review

A few months back I did some intense testing of all the best vulnerability scanners out there.. I had a couple unix boxes hooked up, as well as some windows machines, and figured I could add clients to a "once-a-week" scanning contract. So naturally, I wanted to use the scanner that was the best for my purpose.

You might be looking for the article: Top 5 best Vulnerability Port scanners

I tested the following (trying to only list automated vulnerability scanners):

  1. ISS Internet Security Systems
  2. SSS Shadow Security Scanner
  3. Retina eEye
  4. Nessus
  5. GFI Languard Network Security Scanner
  6. Qualys
  7. Nstealth Security Scanner
  8. Nikto
  9. Whisker
  10. Infiltrator
  11. Nscan

I was looking at 3 main areas while evaluating the scanners.

  1. Comprehensiveness of the testing: including how many options are allowed for different scanning, IDS evasion, and types of scans. Also in this category is the availability for the latest exploits and a custom exploit option to allow me to plug in custom exploits.
  2. Quality of the program: included in this category is availability of updates, speed of various variables, efficiency, "smartness" or "AI" of the program while scanning/reporting, security- (does running this version of this vuln scanner leave me vulnerable?), scheduling capabilities, alert and message capabilities, quaility of exploits, reactions to "false positives", and overall feature and capabilities.
  3. Reporting Capabilities: How easy is it to create a report? The quality and design of the report. The comprehensiveness and personalization of the reports..

My findings

All of these programs can be tested for free, either through an evaluation or trial. I believe that the availability of these programs on the net (cracked versions) represents the conspiracy to aid script-kiddies everywhere so that these companies will then profit after an intrusion (or even a loud scan). Any of these programs are not to be used for cracking... Nothing serious at least.. using these programs is akin to knocking on every window of a house, while simultaneously ringing the doorbell and playing loud music in the driveway.. Some of the programs allow for easy use of anonymous socks and web proxys, but we all know by now that to achieve any real anonymity takes much more work than that.

After several months testing

It became clear to me which ones I liked the best. The top pick all-around (for windows) has to be retina's eeye, the company has a bunch of hackers and you can tell by their awesome product. Another great scanner (windows -web) are the different products offered by nstalker... very good web vuln scanner. Free for download.. A close 2nd would be the SSS, I love it, its great, but eEye's is better. The best choice for me however is nessus. Although it has a few negatives compared to some of the other products, it is the best solution for anything serious. Set-up up a couple of nessus servers around the globe and try attacking the same location through different networks for some real eye-opening fun. Also good to practice tracking and tracing. Qualys is poised to be super-rich, just check out their site... great if you don't want to mess with a scanner yourself. ISS is way to expensive and I didn't like the fact that I had to try for awhile until I could download it. But it is considered to be the best scanner and I admit the anti-pirating features and licensing of their software is pretty darn good. GFI is another top contender. It was just prone to crashing... A money place to get some other cool tools (Especially a professional SSL encryption tester) are available for free at Get them soon, make a foundstone toolkit.... mcafee bought them so expect the free stuff to get yanked shortly... (I can't believe foundstone is almost gone...) Unless you are using these tools on yourself, or to check your friends pc or company (use scheduling with alerts to email or pager), there is no sane or logical reason to use these tools on any pc that you do not have express permission to use against.

Remember these tools are the noisiest tools in a security testers arsenal and if you use it just once on an unknown host, your ISP can yank your account, you can face legal action, etc.. Better to use firewalk, hping3 (now with scripting!), nmap, etc, and leave these crutch-like tools alone. Also check out , for the best product I have found so far.

A few pointers..

If you have a network of your own, and you don't have the time or resources to set up a nessus installation at a remote site to repeatedly test your network, the best solution IME is Qualys. I am not affiliated in any way, I checked it out merely to examine the competition in the marketplace... after experiencing their free trial, unheard of amounts of documentation, and extremely skilled marketing team, I am still very jealous. What an easy concept but they took it to that level and it stands alone, IMHO. So if you need that kind of simple, safe, comprehensive fix, check out qualys. Still, you would ultimately save a lot of money (even after computing time and costs) by setting up your own remote server somewhere to automatically check the network for you. Multiple locations of course are ideal (go through different networks etc..) The major lack of enthusiasm I have for most of these "vulnerability scanners" is the fact that so many of them run on windows and nothing else. The benefits to running from (almost anything else) a linux type platform are enormous. IOW, nessus can only continue to get better and better, while the only advantage eeye, ISS, and the rest of the dozer boys have is better knowledge of exploits. This is really a small point (in the big picture) because of the fact that it is sooo easy to copy an exploit (for those that do that sort of thing). So if you are out there, go help out the excellent people who give us nessus, go give them a donation, help them develop the software, test it out and email them detailed feedback of your likes and dislikes, do what you can to keep it around. I see it as having the most potential. There are also vuln scanners that operate locally, many professionals use these to scan a lan of windows hosts for example. These are hard to find, so if you know of any, post.

Also, after months of testing all the different vuln tools, including tons not listed above, still failed to find a bug that allowed me root on a particular server I was testing for a friend. It was the mole.cfm script that finally got me in... an old exploit that none of the scanners tried. So if you are serious about keeping your data safe, hire a real expert (like foundstone or coresecurity) and do not rely on a commericial marketing solution alone.

Other Good Vulnerability Scanner Review here.. (12+ pages)