Slashdot Mirror


Review of 12 Vulnerability Scanners

produke points us to a review of security vulnerability scanners. It's light on detail and not terribly well organized, but might provide a starting point for more research. From the article: "A few months back I did some intense testing of all the best vulnerability scanners out there... I had a couple nix boxes hooked up, as well as some dozers, and figured I could add clients to a 'once-a-week' scanning contract. So naturally, I wanted to use the scanner that was the best for my purpose... Better to use firewalk, hping3 (now with scripting!), nmap, etc., and leave these crutch-like tools alone."

55 comments

  1. Only 11 by nacturation · · Score: 4, Informative

    Am I missing something? If you RTFA it's only 11 scanners, conveniently listed as 1 through 11:

          1. ISS Internet Security Systems
          2. SSS Shadow Security Scanner
          3. Retina eEye
          4. Nessus
          5. GFI Languard Network Security Scanner
          6. Qualys www.qualys.com
          7. Nstealth Security Scanner www.nstalker.com
          8. Nikto
          9. Whisker
        10. Infiltrator infiltration-systems.com
        11. Nscan

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Only 11 by Timesprout · · Score: 5, Funny

      12 is actually a cloaked scanner for CIA/NSA uber secret scanning. It's there, you just can't see it. Trust me.

      Also in the interests of national security forget you read this post.

      --
      Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    2. Re:Only 11 by null-sRc · · Score: 1

      I guess the poster codes in C and saw the last entry as 11

      --
      -judging another only defines yourself
    3. Re:Only 11 by MagusSlurpy · · Score: 1

      Don't worry, my fifty-caliber memory erasure ray will clear it out of there.

      --
      My sister opened a computer store in Hawaii. She sells C shells by the seashore.
    4. Re:Only 11 by dkleinsc · · Score: 1

      12. Fnord

      That's your answer on what happened to it.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    5. Re:Only 11 by Anonymous Coward · · Score: 1, Funny

      The twelfth scanner is you, the audience; without you we're nothing.

    6. Re:Only 11 by markmier · · Score: 1

      This one goes to 12.

  2. The sweet smell of FUD, nice one smitty by Gothmolly · · Score: 1

    "once a week scanning contract" - do they make core architectural changes that often? Damn, if you signed someone up for that level of cash, I take my hat off to you, man. If all you're doing is running nmap from your cable modem, your cost is nothing more than rent to your parents for use of the basement, and your charge to your mark^Wcustomer is pure profit.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:The sweet smell of FUD, nice one smitty by GigsVT · · Score: 1

      People pay for stupider things. Like "service monitoring"... GET /index.html... 200, yep you are ok. Please pay my invoice!

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:The sweet smell of FUD, nice one smitty by ScentCone · · Score: 1

      > People pay for stupider things. Like "service monitoring"... GET /index.html... 200, yep you are ok. Please pay my invoice!

      Yeah. But the way I do it is to get a document that, in order for it to render, has to make database connections, deal with a web service, and report back the time it took to perform those tasks... and log the results in a table that is used to drive a performance history, going back months. And, of course, e-mail and text messaging to the folks who need to be pleasantly informed if something's a little sluggish, vs. Completely Freaked Out if something bad (like db connection failure) happens.

      Of course, you still can't charge much for all of that... but you can keep your customers around for other services if that's part of what you bring to the table.

      --
      Don't disappoint your bird dog. Go to the range.
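The tiered check ScentCone describes (time the database and web-service steps, keep a history, page differently for "a little sluggish" versus "broken"), written out as an added example; this is not the poster's code. The two probes are constructed stand-ins for a real database query and web-service call, the in-memory list stands in for the performance-history table, and the factor-of-two-over-median rule and the 2000 ms fallback are assumed thresholds.

```python
"""Synthetic health check with tiered alerting (added example, not from the thread)."""
import statistics
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CheckResult:
    name: str
    elapsed_ms: float
    error: Optional[str] = None  # None means the step succeeded


def timed(name: str, probe: Callable[[], None]) -> CheckResult:
    """Run one probe, capturing wall-clock time and any exception it raises."""
    start = time.perf_counter()
    try:
        probe()
        err = None
    except Exception as exc:  # a refused DB connection lands here
        err = f"{type(exc).__name__}: {exc}"
    return CheckResult(name, (time.perf_counter() - start) * 1000, err)


def classify(results: List[CheckResult], history: List[List[CheckResult]],
             slow_factor: float = 2.0, min_samples: int = 5,
             absolute_ms: float = 2000.0) -> str:
    """Return 'failed', 'sluggish' or 'ok'.

    'failed'   -> any step raised (e.g. database connection failure).
    'sluggish' -> a step took more than slow_factor x its historical median;
                  with fewer than min_samples past runs, absolute_ms is used
                  instead so a fresh install still has a sane limit.
    """
    if any(r.error for r in results):
        return "failed"
    for r in results:
        past = [h.elapsed_ms for run in history for h in run
                if h.name == r.name and h.error is None]
        if len(past) >= min_samples:
            limit = slow_factor * statistics.median(past)
        else:
            limit = absolute_ms
        if r.elapsed_ms > limit:
            return "sluggish"
    return "ok"


# Who gets told, per tier: nobody for ok, e-mail for sluggish, e-mail + SMS for failed.
ROUTES: Dict[str, Tuple[str, ...]] = {
    "ok": (),
    "sluggish": ("email",),
    "failed": ("email", "sms"),
}


def run_check(probes: Dict[str, Callable[[], None]],
              history: List[List[CheckResult]]) -> Tuple[str, Tuple[str, ...], List[CheckResult]]:
    """Run every probe, classify the run against history, then record it."""
    results = [timed(name, probe) for name, probe in probes.items()]
    status = classify(results, history)
    history.append(results)  # recorded after classification so the baseline excludes this run
    return status, ROUTES[status], results


if __name__ == "__main__":
    # Constructed probes standing in for a real DB query and web-service call.
    def fake_db_query() -> None:
        time.sleep(0.01)

    def fake_web_service() -> None:
        time.sleep(0.02)

    perf_history: List[List[CheckResult]] = []
    status, notify, _ = run_check({"db": fake_db_query, "ws": fake_web_service}, perf_history)
    print(status, notify)
```

The baseline is per step, so a slow web service does not hide a fast database and vice versa; the history is appended only after classification so a single bad run cannot shift its own threshold.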
    3. Re:The sweet smell of FUD, nice one smitty by kpharmer · · Score: 0

      > "once a week scanning contract" - do they make core architectural changes that often?

      Think of it this way - do they tell you when they make changes to their systems? Answer: of course not.

      So, either you scan monthly or quarterly - and leave vulnerabilities undetected, unreported and wide open to exploit for weeks or months. Or you scan much more frequently, and catch it when it happens.

      Just need a nice way to identify deltas so that they don't constantly have to wade through false positives.
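A minimal form of the delta reporting kpharmer asks for, as an added example that is not from the thread or from any scanner vendor: two runs are compared on (host, port, check id), only new and resolved findings are surfaced, and findings a human has already triaged as false positives are held back. The finding records, host names and check ids below are constructed sample data; a real scanner export would be parsed into the same shape.

```python
"""Report only the deltas between two vulnerability-scan runs (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Key = Tuple[str, int, str]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # the scanner's check/plugin identifier (constructed names here)
    severity: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def finding_key(f: Finding) -> Key:
    """Identity of a finding across runs: same host, port and check."""
    return (f.host, f.port, f.check_id)


def _by_severity(f: Finding) -> Tuple[int, Key]:
    return (SEVERITY_RANK.get(f.severity, 99), finding_key(f))


# Constructed: last week's results.
LAST_WEEK: List[Finding] = [
    Finding("web01", 443, "ssl-weak-cipher", "high"),
    Finding("web01", 80, "http-trace", "low"),
    Finding("db01", 3306, "mysql-old-version", "high"),
]

# Constructed: this week's results.
THIS_WEEK: List[Finding] = [
    Finding("web01", 443, "ssl-weak-cipher", "high"),
    Finding("db01", 3306, "mysql-old-version", "high"),
    Finding("db01", 22, "ssh-weak-kex", "medium"),
    Finding("web02", 80, "http-trace", "low"),
]

# Constructed: findings a human already triaged as false positives.
SUPPRESSED: Set[Key] = {("web02", 80, "http-trace")}


def diff_scans(previous: Iterable[Finding], current: Iterable[Finding],
               suppressed: Iterable[Key] = frozenset()) -> Dict[str, object]:
    """Split the current run into new / resolved / persisting relative to the previous one."""
    sup: FrozenSet[Key] = frozenset(suppressed)
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    new = sorted((f for k, f in cur.items() if k not in prev and k not in sup), key=_by_severity)
    resolved = sorted((f for k, f in prev.items() if k not in cur and k not in sup), key=finding_key)
    persisting = sorted((f for k, f in cur.items() if k in prev and k not in sup), key=_by_severity)
    hidden = sum(1 for k in cur if k in sup)
    return {"new": new, "resolved": resolved, "persisting": persisting, "suppressed": hidden}


def format_report(delta: Dict[str, object]) -> str:
    """Plain-text report; suppressed items appear only as a count."""
    lines: List[str] = []
    for section in ("new", "resolved", "persisting"):
        items = delta[section]
        lines.append(f"{section.upper()} ({len(items)})")
        for f in items:
            lines.append(f"  [{f.severity}] {f.host}:{f.port} {f.check_id}")
    lines.append(f"suppressed as known false positives: {delta['suppressed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_scans(LAST_WEEK, THIS_WEEK, SUPPRESSED)))
```

The suppression list is keyed on the same (host, port, check) identity as the diff, so a triage decision silences one finding on one host rather than the whole check, and the report still counts how many were held back so the list can be audited.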

  3. "It's light on detail ..." by Bob+Cat+-+NYMPHS · · Score: 1

    Therefore, it's perfect for SlashDot!

    1. Re:"It's light on detail ..." by mordors9 · · Score: 1

      And short on ethics. We are advised one way to get a copy for testing is via warez. But we are also told not to use them for cracking so I guess it is okay.

  4. Wow by bdigit · · Score: 4, Insightful

    Holy shit. Did this really just make the front page? To summarize, the reviewer "really liked this one" oh and "this one was nice too". I think a third grader could write a better review then that steaming pile of shit. This is the epitome of blog spam.

    1. Re:Wow by Tihstae · · Score: 3, Funny

      > I think a third grader could write a better review then that steaming pile of shit.

      I think a third grader knows the proper usage of the words then and than.
    2. Re:Wow by Anonymous Coward · · Score: 0

      Hey now! I think that there is no need to insult the lovely children of the 3rd grade class.

    3. Re:Wow by Anonymous Coward · · Score: 1, Insightful

      I normally don't take the time to write useless "I concur!"-type comments--especially under AC--but it must be said. I have never seen an "article" this poorly written linked on slashdot. This is not a review, it is the drug-distorted rambling of a nine-year-old.

    4. Re:Wow by maddskillz · · Score: 1

      I concur!

    5. Re:Wow by JPriest · · Score: 1

      You didn't read the disclaimer in the article summary? I think the Internet would be quite a bit safer if more companies took an automated vuln scanner to their gear once in a while.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    6. Re:Wow by heson · · Score: 1

      Get real! Fourteen years old, maybe even fifteen.

    7. Re:Wow by joe_cot · · Score: 1

      > I have never seen an "article" this poorly written linked on slashdot.

      I have. You must not read slashdot very often.

    8. Re:Wow by roger6106 · · Score: 1

      You must be new here.

    9. Re:Wow by Master+of+Transhuman · · Score: 1

      Why?

      In my experience, there's never a reason not to insult monkey-children - there are no easier targets - except their parents (and George Bush).

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    10. Re:Wow by AlamedaStone · · Score: 1

      > monkey-children ... (and George Bush)

      Why the parent post isn't rated redundant I'm sure I don't know.

      --
      "All these years believing you're the signified monkey, only to find out you're just a big hunk of nobody cares."
  5. Re:fp Goat by ScrewMaster · · Score: 1

    Okay people, I think implementation of the Slashdot Semantic Analysis Filter is long, long overdue.

    --
    The higher the technology, the sharper that two-edged sword.
  6. Re:Seriously? by Anonymous Coward · · Score: 0

    Bob the Builder??

  7. must be new years eve by Anonymous Coward · · Score: 0

    Mmmm, must be New Year's Eve for such a lame story to hit the front page
    http://otherthingsnow.blogspot.com/

  8. Am I wrong? by flyneye · · Score: 2, Informative

    Am I wrong to think that vulnerability could be tested from the BackTrack Live CD?
    http://www.remote-exploit.org/index.php/BackTrack
    If I'm wrong I apologize. If not, well, it's a free download fulla' tools.
    Maybe I'm missing something here, maybe not.

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  9. Core Security by Heembo · · Score: 1

    Guys, you missed Core Security; it's one of the most solid vulnerability assessment tools I've used in 2006. http://www.coresecurity.com/ It's BY FAR one of the best-of-breed tools out there.

    --
    Horns are really just a broken halo.
    1. Re:Core Security by Anonymous Coward · · Score: 2, Informative

      Core's not a vulnerability scanner.

      Don't get me wrong, it's a great product, but Core Impact and Immunity's Canvas are in a class of their own (well, along with Metasploit of course). Different focus for the product, so an entirely different set of requirements you'd compare them against. They're built specifically for penetration testing. They don't just look for vulnerabilities, they actually try to exploit those vulnerabilities and use them to exploit other vulnerabilities.

      So if, for example, you were to compare the above three products with the 12 (11?) in the review, they'd look pathetic in terms of total number of exploit checks. That's a pretty important comparison for VA products, but not so much for pen-testing. For pen-testing, you want checks that you know you can actually use. For VA, you don't really care, you just want checks for things that someone might be able to use, even if you can't.

      Of course, for the attacks they do have, pen-test products can do much more with them, but again, just a different focus for the products.

    2. Re:Core Security by Heembo · · Score: 1

      That was a very insightful comment; thanks for chiming in! Canvas is decent, but you need to program in the exploits. In a Canvas vs. Core test, I'm preferential to Core - but some of my old-school risk assessment friends swear by Canvas.

      Do you have any Canvas vs. Core thoughts, oh wise Anonymous one?

      --
      Horns are really just a broken halo.
    3. Re:Core Security by ResidntGeek · · Score: 2, Funny

      > That was a very insightful comment; thanks for chiming in!
      > ...
      > oh wise Anonymous one?

      Wow. Your sig is perfectly correct.

      --
      ResidntGeek
    4. Re:Core Security by Heembo · · Score: 1

      Your mother sleeps with goats. Have a nice day!

      --
      Horns are really just a broken halo.
  10. Is this the bottom? by ICA · · Score: 1

    Have the stories here finally sunk as low as they can possibly go? Can it only go up from here? Let's hope so.

    'nix and 'dozers was bad enough, but then a splog with nothing of substance was just too much.

    1. Re:Is this the bottom? by Anonymous Coward · · Score: 0

      What exactly is a 'splog' please?

    2. Re:Is this the bottom? by ChazeFroy · · Score: 1

      Why do people use "nix" or "*nix" when talking about Linux? "*nix" doesn't even glob to "Linux".

    3. Re:Is this the bottom? by Master+of+Transhuman · · Score: 1

      splog = spam blog

      Google is your friend.

      Also Wikipedia http://en.wikipedia.org/wiki/Spam_blogs

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:Is this the bottom? by Darth+Android · · Score: 1

      I could crap on my keyboard and then submit that.

      --
      Do not meddle in the affairs of dragons for you are crunchy and good with ketchup.
    5. Re:Is this the bottom? by produke · · Score: 1

      > Why do people use "nix" or "*nix" when talking about Linux? "*nix" doesn't even glob to "Linux".

      nix is commonly used to refer to both Unix and Linux

  11. Yes but by Watson+Ladd · · Score: 0, Troll

    can they perform cunnilingus on a hardwood floor?

    --
    Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    1. Re:Yes but by Anonymous Coward · · Score: 0

      I'm pretty damn sure "they" can, and if...

  12. I've played with a few of these. by Victor+Fors · · Score: 4, Informative

    Granted, I don't consider myself to be in a proper position to write a review of them. However, a few points:

    * Most of these are completely outdated, and easily miss newer security holes. (maybe apart from CORE, which is a commercial and expensive scanner).
    * They are loud and noisy, and due to using well-known shellcode and attack patterns extremely prone to setting off IDS systems.
    * They are, in comparison to Nmap + version scan + personal archive of public exploits, very slow.

    Simply spidering public exploits off archive sites (milw0rm, packetstorm, etc...) and using custom shellcode (even without using tricks like polymorphism) would in my opinion result in much, much higher efficiency compared to using any of these programs.

  13. Strangely, he links to a proper review by bcmm · · Score: 4, Informative

    Here is the link, for those who don't want to give him any ad revenue.

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
    1. Re:Strangely, he links to a proper review by Anonymous Coward · · Score: 0

      You still see ads when you browse the web? Did you personally know Abraham Lincoln?

    2. Re:Strangely, he links to a proper review by strider44 · · Score: 1

      That link is dated from six years ago. I don't think that it should be counted as a good review of current software.

    3. Re:Strangely, he links to a proper review by greginnj · · Score: 1

      ... You must LOOK UP to see the source of the GIANT WHOOSHING SOUND ...

      --
      Read the best of all of Slash: seenonslash.com
    4. Re:Strangely, he links to a proper review by strider44 · · Score: 1

      Don't be idiotic. I got the joke and it was pretty irrelevant to what I said.

  14. Hmmm by GregNorc · · Score: 1

    I think I'll stick with the easy way... Knoppix STD and a very authentic looking janitor's uniform.

  15. Where do people find this crap? by madsheep · · Score: 2, Interesting

    I am baffled that someone even came across this article let alone posted it to Slashdot. This is probably one of the most juvenile reviews I have ever read. On top of that it's quite obvious it was written by a script kiddie. Who would actually do a [limited] review of security tools and talk about how they "can be tested for free, either through an evaluation or trial, or warez"?? This is by far one of the saddest reviews I have ever seen.

    I pray that no one out there even considers using this person for a "scanning contract". This person is much more likely to do harm than any good. As mentioned it also seems the person is missing quite a few obvious vulnerability scanners from their top 11 list. Perhaps this is because our reviewer wasn't 31337 enough to get a cracked or evaluation version for these products. Core Impact or Foundstone Foundscan would easily rank above most or all(?) of these on the list. I mean Nikto is #8 on the list. Sure it's a neat tool, but it's simply a limited web application scanner. Our reviewer here does not have a clue.

    Looks like 2007 is not off to a strong start! :(