Two Vulnerability Scanning Tools Evaluated

By Bozidar Spirovski, CISSP, MCSA, MCP

We have mentioned our favorite vulnerability scanning tools before.

But a lot of time has passed since, so it is time to put these tools against each other and evaluate the quality of the results received when scanning the same target.

The Test Environment

The tested vulnerability scanning tools were installed on a Windows 7 Pro PC.

• Nessus server and client were installed and updated to the latest plugins.
• Retina 5.10.18.2135 Evaluation version was downloaded and installed. The Evaluation version does not allow updates, so we used what updates are included in the build.

The target was Damn Vulnerable Linux (DVL) version 1.5 installed as a VMWARE host with bridged networking on the same host PC as the vulnerability scanning tools.

The network of the DVL target was bridged, and all firewalls (both of the host OS and the guest OS) were disabled.

The DVL was started with the following services, with default settings and content as included in the distro.

• MySQL
• HTTP
• IPP Printer sharing which was active by default

The Scanning Process

Both scanners were started with setting on full port scan, with disabled safety of scanning, and all available plugins were activated.

Performance

• The Nessus scanner took more then 88 minutes to complete the scan
• The Retina scanner took 38 minutes to complete the scan

Results

• Both scanners failed to identify the target operating system

• The Nessus scanner identified the expected open ports, concluded that MySQL does not accept connections from unauthorized IP’s. On the Web server, it identified a significant number of vulnerabilites, and collected information from HTTP through web mirroring. On a repeat scan, it regenerated the same results
• You can download the full report of the Nessus Scan Here
• The Retina scanner identified HTTP and TCP port 631 (IPP Printer Sharing). It did not identify the MySQL port as open. On the Web server, it identified a significant number of vulnerabilites, but did not collect any information from the HTTP server. On a repeat scan it missed the HTTP port and only identified the MySQL port.
• You can download the full report of the Retina Scan Here

Conclusions

Both scanners performed a very well vulnerability identification but missed the OS identification. Also, both manifested flaws:

1. Nessus missed the IPP port every time
2. Retina manifested erroneous scan results, identifying different ports and vulnerabilities during different sessions - while no configuration changes were made to the test environment.

In terms of speed, Retina performed much faster. In terms of scan depth, Nessus has a small advantage, since it includes a web mirroring tool that is very helpful in HTTP.

It can be clearly concluded that these tools cannot be used as the sole source of information when performing a vulnerability test.

One must also utilize network mapping (NMAP, LanGuard), OS identification (NMAP) and specific application vulnerability scanners (ParosProxy, WebScarab for Web) for maximum effect.

In a direct comparison, Nessus wins simply because Retina manifested erroneous results on repeat scans.

*   *   *

Stay Informed With ISR News Alerts:

Email:

by FeedBurner

*   *   *

Author: Bozidar Spirovski of Information Security Short Takes

• Occupation: Information Security Expert
• CISSP #301565
• MCSA, MCP ID# 2448347
• Send comments, requests or general inquiry to shortinfosec _at_ gmail dot com
• Visit my LinkedIn profile at http://www.linkedin.com/in/spirovskibozidar

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Filed under: Bozidar Spirovski, Breach, D&O Liability, FEATURE ARTICLE, Financial, PCI, Sarbanes-Oxley, Uncategorized, hackers, identity-theft, malware, national security, privacy 

Comments

• ISR Headline Index

  • Infosec Island Security News Digest for 9-9-2010
  • Infosec Island Security News Digest for 9-8-2010
  • Infosec Island Security News Digest for 9-7-2010
  • Infosec Island Security News Digest for 9-3-2010
  • Infosec Island Security News Digest for 9-2-2010
  • Infosec Island Security News Digest for 9-1-2010
  • Infosec Island Security News Digest for 8-31-2010
  • Infosec Island Security News Digest for 8-30-2010
  • Infosec Island Security News Digest for 8-27-2010
  • Infosec Island Security News Digest for 8-26-2010
  • Infosec Island Security News Digest for 8-25-2010
  • Infosec Island Security News Digest for 8-24-2010
  • Infosec Island Security News Digest for 8-23-2010
  • Infosec Island Security News Digest for 8-20-2010
  • Infosec Island Security News Digest for 8-19-2010

• Recent Comments

  • Ford: Docs Stolen by Employee | justlikeme.nl on Ford: Docs Stolen by Former Employee
  • Ryan Aslett on Data Loss Prevention Has Jumped the Shark
  • Tom on (Lack Of) Encryption and The HITECH Act
  • ADMIN on Patriot Hacker Hits Jihad With DDoS Attacks
  • Robert Siciliano on Data Loss Prevention Has Jumped the Shark
  • Karen J. Cox on Data Loss Prevention Has Jumped the Shark
  • Scot McLeod on Outsourcing Breach Response Lowers Costs
  • John Marke on Gartner Tells CIOs to Embrace Social Media
  • Social Engineering and Enterprise Security | CIO – Blogs and … | Enterprise Engineering Addict on Gartner Tells CIOs to Embrace Social Media
  • From Russia, With Smartphones on Top 8 Social Media Security Threats
• 
  

  Information Security Resources

  Top network security blogs

• Categories

  • Anthony M. Freed (27)
  • Bill Brenner (2)
  • Bob Violino (1)
  • Bozidar Spirovski (23)
  • Breach (540)
  • Britt Womelsdorf (5)
  • By Dr. InfoSec (2)
  • Cara Garretson (7)
  • CCCNews (1)
  • Chorey Taylor & Feil (8)
  • Christophe Veltsos (2)
  • Christopher Burgess (7)
  • CIOZone (26)
  • Class Action Lawsuit (111)
  • Cloud computing (429)
  • Coby Royer (5)
  • CTO Forum (9)
  • D&O Liability (917)
  • Daniel Wallace (5)
  • Danny Lieberman (11)
  • DataLine (10)
  • David Alexander (2)
  • Derek Crawford (1)
  • Doug Pollack (7)
  • due diligence (626)
  • Fame Foundry (1)
  • FEATURE ARTICLE (428)
  • Financial (903)
  • Fred Leland (7)
  • Gene Kim (3)
  • Government (689)
  • Greg George (5)
  • H1N1 (15)
  • hackers (855)
  • healthcare (450)
  • Heather Bourgoin (1)
  • HomeATM (8)
  • identity-theft (851)
  • IDExperts (17)
  • Ike Z. Devji (1)
  • Infosec Island Network (354)
  • Insider Threat (806)
  • Internet Crime Complaint Center (1)
  • Internet Security Alliance (387)
  • ISR News (321)
  • Jacqueline Herships (2)
  • Jenni Hesterman (3)
  • John M. Salomon (2)
  • John Watkins (7)
  • John-Patrick Skaar (2)
  • Kaliber Data Security and Compliance Consultants (3)
  • Kat Sanders (2)
  • Ken Leeser (3)
  • Kevin L. Jackson (10)
  • Kevin M. Nixon (21)
  • Larry Ketchersid (1)
  • Laton McCartney (7)
  • Lauren Taylor (1)
  • Linda McGlasson (1)
  • malware (817)
  • Mark Smail (1)
  • Mark Wright (1)
  • Mel Duvall (3)
  • Michael Eggebrecht (3)
  • Michael Lohr (1)
  • Michael O'Conner (4)
  • MicroSolved (1)
  • Mike Duncan (3)
  • Mike Meikle (4)
  • Mike Spinney (1)
  • Military (527)
  • national security (769)
  • PCI (624)
  • PCI Security Standards Council (32)
  • Physical Security (11)
  • privacy (868)
  • Rachel James (10)
  • reach (327)
  • Rebecca Herold (16)
  • Richard Stiennon (44)
  • Robert Siciliano (34)
  • Sarbanes-Oxley (818)
  • ScamStop (2)
  • Sean Wilkins (2)
  • Semyon Dukach (1)
  • Simon Heron (14)
  • Software Associates (11)
  • Steven Fox (19)
  • SUPERAntiSpyware (3)
  • Sybase (6)
  • Symplified (5)
  • The Jester (8)
  • The Privacy Professor (16)
  • Thomas R. Fox (8)
  • Tom Groenfeldt (2)
  • Tom McLain (2)
  • Trefis (14)
  • Tripwire (18)
  • Uncategorized (800)
  • virtualization (417)
  • Webcast (49)